From ccdf02dfd48be0656f3b33ded45e629296344db5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lu=C3=ADs=20Ferreira?=
Date: Sat, 2 Oct 2021 20:33:35 +0100
Subject: [PATCH 1/2] detect_private_key: add textual version of `PKCS #8` encrypted private keys
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As described by RFC7468 and RFC5958, keys that are encoded using the "ENCRYPTED PRIVATE KEY" label are described as private key information and therefore can contain secrets, even though encrypted.

Signed-off-by: Luís Ferreira
---
 pre_commit_hooks/detect_private_key.py | 1 +
 tests/detect_private_key_test.py | 1 +
 2 files changed, 2 insertions(+)

diff --git a/pre_commit_hooks/detect_private_key.py b/pre_commit_hooks/detect_private_key.py
index 7bbc2f9..bd1f296 100644
--- a/pre_commit_hooks/detect_private_key.py
+++ b/pre_commit_hooks/detect_private_key.py
@@ -11,6 +11,7 @@ BLACKLIST = [
 b'PuTTY-User-Key-File-2',
 b'BEGIN SSH2 ENCRYPTED PRIVATE KEY',
 b'BEGIN PGP PRIVATE KEY BLOCK',
+ b'BEGIN ENCRYPTED PRIVATE KEY',
 ]

diff --git a/tests/detect_private_key_test.py b/tests/detect_private_key_test.py
index 7281000..9495047 100644
--- a/tests/detect_private_key_test.py
+++ b/tests/detect_private_key_test.py
@@ -10,6 +10,7 @@ TESTS = (
 (b'-----BEGIN OPENSSH PRIVATE KEY-----', 1),
 (b'PuTTY-User-Key-File-2: ssh-rsa', 1),
 (b'---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----', 1),
+ (b'-----BEGIN ENCRYPTED PRIVATE KEY-----', 1),
 (b'ssh-rsa DATA', 0),
 (b'ssh-dsa DATA', 0),
 # Some arbitrary binary data

From 1b4e30e9aaebad246088f2493b3fdbbc04991686 Mon Sep 17 00:00:00 2001
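Review bot: The new `b'BEGIN ENCRYPTED PRIVATE KEY'` entry in the BLACKLIST hunk records nothing about which format it covers, whereas the commit message does name the standards; a trailing comment would keep that rationale with the code, e.g. `b'BEGIN ENCRYPTED PRIVATE KEY',  # PKCS #8 EncryptedPrivateKeyInfo (RFC 7468 / RFC 5958)`. The matcher itself is outside this hunk, but the existing entries omit the `-----` delimiters, so presumably matching is a byte-substring test and the dashed form used in the test hunk is covered without listing it separately. If the earlier, unseen part of the list holds the unencrypted PKCS #8 label `BEGIN PRIVATE KEY`, this entry is not redundant with it: neither string is a substring of the other, so both are needed.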
From: =?UTF-8?q?Lu=C3=ADs=20Ferreira?=
Date: Sat, 2 Oct 2021 20:42:15 +0100
Subject: [PATCH 2/2] detect_private_key: add OpenVPN shared-secret key block
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

'OpenVPN Static key V1' label is often used by OpenVPN for providing hardening security with additional HMAC signatures to the SSL/TLS handshake packets. They are shared secrets and should be kept private.

Signed-off-by: Luís Ferreira
---
 pre_commit_hooks/detect_private_key.py | 1 +
 tests/detect_private_key_test.py | 1 +
 2 files changed, 2 insertions(+)

diff --git a/pre_commit_hooks/detect_private_key.py b/pre_commit_hooks/detect_private_key.py
index bd1f296..3a6027d 100644
--- a/pre_commit_hooks/detect_private_key.py
+++ b/pre_commit_hooks/detect_private_key.py
@@ -12,6 +12,7 @@ BLACKLIST = [
 b'BEGIN SSH2 ENCRYPTED PRIVATE KEY',
 b'BEGIN PGP PRIVATE KEY BLOCK',
 b'BEGIN ENCRYPTED PRIVATE KEY',
+ b'BEGIN OpenVPN Static key V1',
 ]

diff --git a/tests/detect_private_key_test.py b/tests/detect_private_key_test.py
index 9495047..d2c724f 100644
--- a/tests/detect_private_key_test.py
+++ b/tests/detect_private_key_test.py
@@ -11,6 +11,7 @@ TESTS = (
 (b'PuTTY-User-Key-File-2: ssh-rsa', 1),
 (b'---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----', 1),
 (b'-----BEGIN ENCRYPTED PRIVATE KEY-----', 1),
+ (b'-----BEGIN OpenVPN Static key V1-----', 1),
 (b'ssh-rsa DATA', 0),
 (b'ssh-dsa DATA', 0),
 # Some arbitrary binary data
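Review bot: `b'BEGIN OpenVPN Static key V1'` is the only mixed-case entry in the BLACKLIST hunk, and nothing in the code says the casing is deliberate; if, as the surrounding all-caps entries suggest, matching is an exact byte-substring test (the matcher is outside this hunk), a later "tidy-up" to upper case would silently stop matching the header OpenVPN writes. A trailing comment would pin that down, e.g. `b'BEGIN OpenVPN Static key V1',  # OpenVPN tls-auth static key (shared secret); casing is OpenVPN's own`. The test hunk covers only the dashed `-----BEGIN OpenVPN Static key V1-----` form, which is the one OpenVPN emits, so the test matches the real artifact rather than a re-cased variant.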