
ROCA scanner command-line tool in Certificate Manager



roca_scanner is a command-line program that scans all certificates in a Smart ID Certificate Manager (CM) database and reports any RSA keys affected by the ROCA (Return of Coppersmith's Attack) key-generation weakness.

The weakness originates in the RSALib library from Infineon Technologies AG, which generated RSA keys with a detectable structure that allows the private key to be recovered from the public key far faster than intended. Keys produced by this library may have been certified by CM. See CVE-2017-15361 for a description of the vulnerability.

CM itself does not use the affected library for RSA key generation, but keys created by an external source, for example smart cards whose chips generate such keys, may still have been handled and certified by CM.

The program scans all active and non-expired certificates in the CM database for such RSA keys. The database connection details are read from cm.conf in an existing CM installation.

The program is located in the <install_root>/tools directory relative to where CM is installed.

This is an example of how to scan all certificates with roca_scanner:

$ ./roca_scanner.sh -log output.txt
Will save results to output.txt
Scanning 120 certificates...
Found affected certificate: sernr=10119, cardSerNr=MJ1050, serNrInCert=1ece1a65aaa503b17c5dba10c5f751bb, subjectDN=cn=Weak Infineon Rsa Key
Done. Found 1 scanned keys that are affected by the ROCA vulnerability.

$ cat output.txt
#certSerNr	cardSerNr	serNrInCert	subjectDN
10119	MJ1050	1ece1a65aaa503b17c5dba10c5f751bb	cn=Weak Infineon Rsa Key

The optional output logfile is a tab-separated file. This file can be loaded by, for example, CM Certificate Controller to allow further action on any found certificates.
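The test roca_scanner applies to each RSA public key is the published ROCA fingerprint: affected RSALib primes have the form k*M + (65537^a mod M), where M is the product of the first n small primes (n = 39, i.e. 2 through 167, for 512-bit keys), so the modulus N = p*q satisfies N mod r in the subgroup generated by 65537 mod r for every prime r dividing M. The Python below is an added illustration written for this page, not code from roca_scanner or from Nexus. It implements the fingerprint check on a modulus and, to exercise it, constructs one modulus with the RSALib structure described in the ROCA paper and one from ordinary random primes; only the first is flagged. The weak-key construction only mirrors that structure (it is not RSALib's generator), the seeded moduli are constructed test data rather than real keys, and the function names are this example's own.

```python
"""ROCA fingerprint check on an RSA modulus (added illustration, not roca_scanner's code)."""
import random

ROCA_GENERATOR = 65537
# Primes 3..167 used by the published detector; 2 is skipped since an RSA modulus is odd.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
                71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139,
                149, 151, 157, 163, 167]


def _cyclic_subgroup(g: int, p: int) -> frozenset:
    """The subgroup {g^k mod p : k >= 0} of the multiplicative group modulo prime p."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * g) % p
    return frozenset(seen)


# Allowed residues per prime; these are the detector's per-prime fingerprint masks.
FINGERPRINTS = {p: _cyclic_subgroup(ROCA_GENERATOR % p, p) for p in SMALL_PRIMES}


def has_roca_fingerprint(n: int) -> bool:
    """True when every residue n mod p lies in the subgroup generated by 65537 mod p.
    Affected keys satisfy this for all 38 primes; a random modulus essentially never does."""
    return all((n % p) in FINGERPRINTS[p] for p in SMALL_PRIMES)


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; witnesses come from a generator seeded by n so runs are reproducible."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(n)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _primorial(primes) -> int:
    m = 1
    for p in primes:
        m *= p
    return m


# M for 512-bit RSALib keys: the product of the first 39 primes (2 through 167), ~219.2 bits.
M_512 = 2 * _primorial(SMALL_PRIMES)


def _weak_prime(bits: int, rng: random.Random) -> int:
    """A prime of the form k*M + (65537^a mod M). Illustrative construction mirroring the
    structure the ROCA paper describes; this is not RSALib's own generator."""
    lo, hi = (1 << (bits - 1)) // M_512 + 1, (1 << bits) // M_512
    while True:
        a = rng.randrange(M_512)
        k = rng.randrange(lo, hi)
        p = k * M_512 + pow(ROCA_GENERATOR, a, M_512)
        if _is_probable_prime(p):
            return p


def _random_prime(bits: int, rng: random.Random) -> int:
    """An ordinary random prime of the given bit length (no special structure)."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p


def make_weak_modulus(bits: int = 512, seed: int = 1) -> int:
    """Constructed modulus with the ROCA structure (test data, not a real key)."""
    rng = random.Random(seed)
    return _weak_prime(bits // 2, rng) * _weak_prime(bits // 2, rng)


def make_normal_modulus(bits: int = 512, seed: int = 1) -> int:
    """Constructed modulus from ordinary random primes (test data, not a real key)."""
    rng = random.Random(seed)
    return _random_prime(bits // 2, rng) * _random_prime(bits // 2, rng)


if __name__ == "__main__":
    weak, normal = make_weak_modulus(), make_normal_modulus()
    print("ROCA-structured modulus flagged:", has_roca_fingerprint(weak))   # True
    print("ordinary modulus flagged:", has_roca_fingerprint(normal))        # False
```

In a real scan the modulus is read from the certificate's SubjectPublicKeyInfo rather than constructed; the check itself needs only the modulus, not the key size. A positive result means the private key can be derived from the public key (practical for 1024-bit keys and expensive but feasible for 2048-bit keys), so such a certificate should be revoked and the key replaced, which is what the scanner's logfile is meant to drive.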



roca_scanner can be configured using the following environment variable:

Environment variable    Description

CM_HOME                 (optional) The directory where the CM configuration is installed, usually referred to as <configuration_root>. Set it to let roca_scanner read the database connection details from a cm.conf placed in a non-standard location. If it is not set and roca_scanner is run from its default directory <install_root>/tools, roca_scanner finds the CM configuration and the database connection details automatically.





Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions