The ROCA vulnerability was discovered by researchers at Masaryk University (Brno, Czech Republic). As two of the researchers are also affiliated with Enigma Bridge, we subsequently integrated a ROCA detection tool into this test suite. It allows users of affected products to verify the security of their encryption keys.
This test suite provides information about the ROCA vulnerability, which is caused by an error in RSA key generation in Infineon security chips.
Currently the tool supports the following key formats:
+ X509 Certificate, DER encoded, one per file, *.der, *.crt
+ X509 Certificate, PEM encoded, multiple per file, *.pem
+ RSA PEM encoded private key, public key, multiple per file, *.pem (has to have the correct header -----BEGIN RSA…)
+ SSH public key, *.pub, starting with “ssh-rsa”, one per line
+ ASC encoded PGP key, *.pgp, *.asc. Multiple per file; has to have the correct header -----BEGIN PGP…
+ APK android application, *.apk
+ Text file with one modulus per line, *.txt; the modulus can be a) a base64 encoded number, b) a hex coded number, c) a decimal coded number
+ JSON file with moduli, one record per line. A record with a modulus has the key “mod” (int, base64, hex, dec encoding supported); certificate(s) with key “cert” / an array of certificates with key “certs” are also supported, base64 encoded DER.
+ LDIFF file – LDAP database dump. The tool attempts to decode any field ending with ;binary:: as an X509 certificate
+ Java Key Store file (JKS). Tries an empty password and some common ones; specify more with --jks-pass-file
+ PKCS7 signature with user certificate
The detection tool is intentionally a one-file implementation for easy integration / manipulation.
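Since a text file of bare moduli is an accepted input, the added example below (not code from the roca project; function names are hypothetical, Python 3 assumed) shows how the modulus is recovered from “ssh-rsa” public key lines and written out as one hex coded modulus per line. The sample key is a constructed toy value, not a real key.

```python
import base64
import struct


def _read_field(blob, offset):
    # One RFC 4253 field: 4-byte big-endian length, then that many bytes.
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("field runs past end of key blob")
    return blob[offset + 4:end], end


def ssh_rsa_modulus(line):
    """Return the modulus n as int from one 'ssh-rsa AAAA... comment' line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)  # bad base64 -> ValueError
    key_type, off = _read_field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("inner key type does not match the line prefix")
    _exponent, off = _read_field(blob, off)
    modulus, off = _read_field(blob, off)
    if off != len(blob) or not modulus:
        raise ValueError("unexpected key blob layout")
    return int.from_bytes(modulus, "big")


def moduli_as_hex_lines(pub_lines):
    """Hex moduli, one per output line; lines that do not parse are skipped."""
    out = []
    for line in pub_lines:
        try:
            out.append(format(ssh_rsa_modulus(line), "x"))
        except ValueError:
            continue
    return out


def _field(data):
    return struct.pack(">I", len(data)) + data

# Constructed sample (toy 64-bit modulus, not a real key), exponent 65537.
SAMPLE_N = 0xC0FFEE1234567891
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(
    _field(b"ssh-rsa") + _field(b"\x01\x00\x01")
    + _field(b"\x00" + SAMPLE_N.to_bytes(8, "big"))).decode() + " user@example"
```

Only the public modulus is extracted, so an inventory built this way never has to touch private key material.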
Install Dependencies CentOS/RHEL:
sudo yum install python-devel python-pip gcc gcc-c++ make automake autoreconf libtool openssl-devel libffi-devel dialog
Install Dependencies Debian/Ubuntu:
sudo apt-get install python-pip python-dev build-essential libssl-dev libffi-dev swig
git clone https://github.com/crocs-muni/roca && cd roca
python setup.py install
python roca/detect.py --help
The detection tool extracts information about the key, which can be displayed:
python roca/detect.py --dump --flatten --indent ~/.ssh/
docker run --rm -v /path/to/your/keys:/keys --network none unnawut/roca-detect