Key storage detecting

[babenek]

Description

Please include a summary of the change and which is fixed.

based on #441

• Add JKS and PKCS12 storages detection in --doc mode
• 3 default passwords are used: empty, "changeit" and "changeme" to open a storage

How has this been tested?

Please describe the tests that you ran to verify your changes.

• UnitTest
• Benchmark - does not impact
• fuzzing

[codecov-commenter]

Codecov Report

Attention: 6 lines in your changes are missing coverage. Please review.

Comparison is base (105e296) 90.82% compared to head (6f3f832) 90.89%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #438      +/-   ##
==========================================
+ Coverage   90.82%   90.89%   +0.06%     
==========================================
  Files         126      128       +2     
  Lines        4209     4283      +74     
  Branches      666      678      +12     
==========================================
+ Hits         3823     3893      +70     
- Misses        251      254       +3     
- Partials      135      136       +1     

Files	Coverage Δ
credsweeper/deep_scanner/deep_scanner.py	95.27% <100.00%> (+0.19%)	⬆️
credsweeper/deep_scanner/jks_scanner.py	100.00% <100.00%> (ø)
credsweeper/deep_scanner/pkcs12_scanner.py	90.47% <90.47%> (ø)
credsweeper/utils/util.py	87.92% <84.61%> (+0.34%)	⬆️

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[csh519]

Thank you for adding jks and pkcs12 scanner.

LGTM 👍

[kmnls]

This part is not clear.
You check for private keys in the keystore. They are returned in encrypted form (if your password guess is wrong) or decrypted format (if password matches). This is the first part of IF.
Then ELSE section is used for cases when there are no private keys at all. But you marked jks as candidate as well.
It seems there is a trouble out here. 4 cases should be checked independently:

• pkey present, default password, issue.
• pkey present, unknown password, no issue.
• no pkey, default password, no issue (?)
• no pkey, unknown password, no issue.

[babenek]

In any case - a storage with default password should not appear.
IF-ELSE block just decide which text will be in info for user.

Unknown password will raise an exception and no issue is created.

[kmnls]

https://pyjks.readthedocs.io/en/latest/_modules/jks/jks.html#KeyStore.loads
if try_decrypt_keys:
try:
entry.decrypt(store_password)
except DecryptionFailureException:
pass # ok, let user call decrypt() manually

No exception

[babenek]

In common (wrong) case the password of keys is the same like for the storage.
Suppose, if the key has good encryption - else branch will be taken.
Anyway, the scanner finds unencrypted(weak password) storage.

[kmnls]

Whether it is used? Cannot see traces in the code.

[babenek]

in tests/data/doc.json above - the storage is encrypted with different password, so it is not found

[kmnls]

See comment.
The code does not match jks source code behavior https://pyjks.readthedocs.io/en/latest/_modules/jks/jks.html#KeyStore.loads

[xDizzix]