Documentation
Overview
Package badkeys implements DNSKEY vulnerability checks and blocklist management.
Index
Constants
const (
// UpdateURL is the upstream badkeys metadata endpoint.
UpdateURL = "https://update.badkeys.info/v0/badkeysdata.json"
)
Variables
This section is empty.
Functions
func BKHASH120
BKHASH120 computes the badkeys truncated hash for a key's numeric value. The value is encoded as big-endian bytes without leading zeros, SHA-256 hashed, and truncated to 15 bytes (120 bits).
func DefaultDataDir
func DefaultDataDir() string
DefaultDataDir returns the default user data directory for badkeys files.
On Linux/macOS: ~/.local/share/gonemaster/badkeys
On other platforms: ~/.gonemaster/badkeys
Types
type Blocklist
type Blocklist struct {
Data []byte // raw blocklist.dat content (sorted 16-byte blocks)
Sources map[int]string // source ID → blocklist name
Entries int // number of 16-byte blocks
}
Blocklist holds the loaded blocklist data and metadata.
func LoadBlocklist
LoadBlocklist finds and loads the blocklist using the search path:
- profilePath (from badkeys.path profile key / --badkeys-path CLI flag)
- XDG user data directory (~/.local/share/gonemaster/badkeys/)
- Embedded data (if compiled with badkeys_embed build tag)
Returns nil, nil if no blocklist is available anywhere.
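The BKHASH120 rule above and a lookup against the sorted 16-byte blocks of a loaded Blocklist, as an added example that is not the package's own code. The helper names (bkhash120, lookupBlocklist, buildBlocklist) are hypothetical, and the layout of one block as a 15-byte hash followed by a 1-byte source ID is an assumption this page does not state; the sample entries are constructed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"math/big"
	"sort"
)

// bkhash120 follows the documented BKHASH120 rule: big-endian bytes of the
// value without leading zeros, SHA-256, truncated to 15 bytes (120 bits).
func bkhash120(val *big.Int) []byte {
	sum := sha256.Sum256(val.Bytes()) // big.Int.Bytes() is big-endian with no leading zeros
	return sum[:15]
}

// lookupBlocklist binary-searches the sorted 16-byte blocks of a blocklist.
// It assumes (not stated on this page) that each block is the 15-byte hash
// followed by a 1-byte source ID; on a hit it returns that source ID.
func lookupBlocklist(data, hash []byte) (int, bool) {
	n := len(data) / 16
	i := sort.Search(n, func(i int) bool {
		return bytes.Compare(data[i*16:i*16+15], hash) >= 0
	})
	if i < n && bytes.Equal(data[i*16:i*16+15], hash) {
		return int(data[i*16+15]), true
	}
	return 0, false
}

// buildBlocklist makes a sorted blocklist.dat-style byte slice from constructed
// (decimal value, source ID) pairs, so the lookup can be exercised offline.
func buildBlocklist(entries map[string]int) []byte {
	var blocks [][]byte
	for dec, src := range entries {
		v, _ := new(big.Int).SetString(dec, 10)
		blocks = append(blocks, append(bkhash120(v), byte(src)))
	}
	sort.Slice(blocks, func(a, b int) bool { return bytes.Compare(blocks[a], blocks[b]) < 0 })
	return bytes.Join(blocks, nil)
}

func main() {
	// Constructed sample: three small "key values" from two fictitious sources.
	bl := buildBlocklist(map[string]int{"65537": 1, "3": 2, "123456789": 2})
	src, hit := lookupBlocklist(bl, bkhash120(big.NewInt(3)))
	fmt.Printf("hit=%v source=%d entries=%d\n", hit, src, len(bl)/16)
}
```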
type BlocklistError
type BlocklistError struct {
// contains filtered or unexported fields
}
BlocklistError is returned for blocklist format issues.
func (*BlocklistError) Error
func (e *BlocklistError) Error() string
type CheckResult
CheckResult holds the result of a blocklist lookup.
type Finding
type Finding struct {
// Check is the check name: "fermat", "pattern", "roca", "rsainvalid",
// "smallfactors", "smalld", or "blocklist".
Check string
// BlocklistName is the blocklist source name (only for "blocklist" check).
BlocklistName string
}
Finding represents a single detected vulnerability or blocklist match.
func CheckDNSKEY
CheckDNSKEY parses a DNSKEY record and runs all applicable badkeys checks.
algo is the DNSKEY algorithm number. keyData is the raw public key bytes (after the 4-byte DNSKEY RDATA header: flags, protocol, algorithm). bl is the loaded blocklist (may be nil to skip blocklist checks).
Returns a list of findings (empty if the key passes all checks).
type Metadata
type Metadata struct {
BKFormat int `json:"bkformat"`
Deprecated any `json:"deprecated,omitempty"`
BlocklistURL string `json:"blocklist_url"`
BlocklistSHA256 string `json:"blocklist_sha256"`
}
Metadata is the subset of badkeysdata.json needed for blocklist management.
type ParsedKey
type ParsedKey struct {
Type KeyType
// N is the RSA modulus (RSA only).
N *big.Int
// E is the RSA public exponent (RSA only).
E *big.Int
// Val is the primary numeric value used for BKHASH and blocklist checks:
// RSA: N, DSA: Y, ECDSA: X coordinate, EdDSA: raw key as integer.
Val *big.Int
// Bits is the key size in bits (RSA: N.BitLen(), DSA: 512+t*64).
Bits int
}
ParsedKey holds the extracted numeric values from a DNSKEY wire-format key.
func ParseDNSKEY
ParseDNSKEY parses the DNSKEY RDATA key material (the public key bytes after the 4-byte DNSKEY header: flags, protocol, algorithm).
algo is the DNSKEY algorithm number. keyData is the raw public key bytes.
Wire format references: