...

Source file src/github.com/titanous/rocacheck/rocacheck.go

Documentation: github.com/titanous/rocacheck

     1  // Package rocacheck checks if a key was generated by broken Infineon code and
     2  // is vulnerable to factorization via the Return of Coppersmith's Attack (ROCA)
     3  // / CVE-2017-15361.
     4  package rocacheck
     5  
     6  import (
     7  	"crypto/rsa"
     8  	"math/big"
     9  )
    10  
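    // test is one residue check of the ROCA fingerprint: a small prime and the set
    // of residues modulo that prime that a flagged modulus is allowed to take.
    type test struct {
    	// Prime is the small prime the RSA modulus is reduced by.
    	Prime *big.Int
    	// Fingerprints holds every j in [0, Prime) with j^r ≡ 1 (mod Prime), where
    	// r is the exponent paired with Prime in relations.
    	Fingerprints map[int64]struct{}
    }

    // relations table from https://github.com/crocs-muni/roca/pull/40
    //
    // Each entry is {r, p}: init keeps the residues j modulo p with j^r ≡ 1 (mod p).
    var relations = [][2]int64{
    	{2, 11}, {6, 13}, {8, 17}, {9, 19}, {3, 37}, {26, 53}, {20, 61},
    	{35, 71}, {24, 73}, {13, 79}, {6, 97}, {51, 103}, {53, 107},
    	{54, 109}, {42, 127}, {50, 151}, {78, 157},
    }

    // tests is sized from relations, so adding or removing a relation can neither
    // index past the slice nor leave a zero-valued entry with a nil Prime behind.
    // It is filled by init; nothing in this part of the file writes to it later.
    var tests = make([]test, len(relations))

    // init precomputes the fingerprint set for every relation so that a key check
    // is one modular reduction and one map lookup per prime.
    func init() {
    	one := big.NewInt(1)
    	pow := new(big.Int)
    	for i, rel := range relations {
    		exp := big.NewInt(rel[0])
    		prime := big.NewInt(rel[1])
    		fps := make(map[int64]struct{})
    		// Brute force is fine here: the largest prime in the table is 157.
    		for j := int64(0); j < rel[1]; j++ {
    			if pow.Exp(big.NewInt(j), exp, prime).Cmp(one) == 0 {
    				fps[j] = struct{}{}
    			}
    		}
    		// Exp only reads its modulus argument, so prime can be stored as is.
    		tests[i] = test{Prime: prime, Fingerprints: fps}
    	}
    }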
    41  
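    // IsWeak returns true if a RSA public key is vulnerable to Return of
    // Coppersmith's Attack (ROCA).
    //
    // The check is a fingerprint match on the modulus only: k.N is reduced by each
    // prime in tests, and the key is reported weak when every residue lies in that
    // prime's fingerprint set. Nothing is factored. A true result should be read
    // as "replace this key"; a false result says only that this fingerprint is
    // absent, not that the key is otherwise sound (size, exponent and provenance
    // are not examined here).
    //
    // A nil key, or a key whose modulus is nil, has nothing to test and yields
    // false instead of a nil-pointer panic. Callers that validate parsed or
    // hand-built keys should reject such keys themselves rather than rely on this
    // result.
    func IsWeak(k *rsa.PublicKey) bool {
    	if k == nil || k.N == nil {
    		return false
    	}
    	// The scratch value is local to the call and tests is only read here.
    	residue := new(big.Int)
    	for _, t := range tests {
    		if _, ok := t.Fingerprints[residue.Mod(k.N, t.Prime).Int64()]; !ok {
    			// One residue outside its set rules the fingerprint out.
    			return false
    		}
    	}
    	return true
    }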
    53  
