From ccdf02dfd48be0656f3b33ded45e629296344db5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lu=C3=ADs=20Ferreira?= <contact@lsferreira.net>
Date: Sat, 2 Oct 2021 20:33:35 +0100
Subject: [PATCH] detect_private_key: add textual version of `PKCS #8`
 encrypted private keys
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As described by RFC7468 and RFC5958, keys that are encoded using the "ENCRYPTED
PRIVATE KEY" label are described as private key information and therefore can
contain secrets, even though encrypted.

Signed-off-by: Luís Ferreira <contact@lsferreira.net>
---
 pre_commit_hooks/detect_private_key.py | 1 +
 tests/detect_private_key_test.py       | 1 +
 2 files changed, 2 insertions(+)

diff --git a/pre_commit_hooks/detect_private_key.py b/pre_commit_hooks/detect_private_key.py
index 7bbc2f9..bd1f296 100644
--- a/pre_commit_hooks/detect_private_key.py
+++ b/pre_commit_hooks/detect_private_key.py
@@ -11,6 +11,7 @@ BLACKLIST = [
     b'PuTTY-User-Key-File-2',
     b'BEGIN SSH2 ENCRYPTED PRIVATE KEY',
     b'BEGIN PGP PRIVATE KEY BLOCK',
+    b'BEGIN ENCRYPTED PRIVATE KEY',
 ]
 
 
diff --git a/tests/detect_private_key_test.py b/tests/detect_private_key_test.py
index 7281000..9495047 100644
--- a/tests/detect_private_key_test.py
+++ b/tests/detect_private_key_test.py
@@ -10,6 +10,7 @@ TESTS = (
     (b'-----BEGIN OPENSSH PRIVATE KEY-----', 1),
     (b'PuTTY-User-Key-File-2: ssh-rsa', 1),
     (b'---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----', 1),
+    (b'-----BEGIN ENCRYPTED PRIVATE KEY-----', 1),
     (b'ssh-rsa DATA', 0),
     (b'ssh-dsa DATA', 0),
     # Some arbitrary binary data