roca_scanner is a command line program that can scan all certificates in a Smart ID Certificate Manager (CM) database, to find any RSA keys that are affected by the ROCA cryptographic RSA-key weakness. The key weakness was seen in Infineon Technologies AG library RSALib, which produced RSA keys that might have been used in CM. See CVE-2017-15361 for description of the vulnerability.
While CM does not use the affected library for RSA key generation, there could still be a risk that such keys have been handled by CM when created by an external source, for example, smartcards that produce such keys.
The program scans all active and non-expired certificates in the CM database for such RSA keys. The database connection details are read from cm.conf in an existing CM installation.
The program is located in the <install_root>/tools directory relative to where CM is installed.
This is an example of how to scan all certificates with roca_scanner:
$ ./roca_scanner.sh -log output.txt
Will save results to output.txt
Scanning 120 certificates...
Found affected certificate: sernr=10119, cardSerNr=MJ1050,
serNrInCert=1ece1a65aaa503b17c5dba10c5f751bb, subjectDN=cn=Weak Infineon Rsa Key
Done. Found 1 scanned keys that are affected by the ROCA vulnerability.
$ cat output.txt
#certSerNr cardSerNr serNrInCert subjectDN
10119 MJ1050 1ece1a65aaa503b17c5dba10c5f751bb cn=Weak Infineon Rsa Key
The optional output logfile is a tab-separated file. This file can be loaded by, for example, CM Certificate Controller to allow further action on any found certificates.
roca_scanner can be configured using the following environment variable:
(optional) Specifies a directory where CM configuration is installed, usually referred to as <configuration_root>. Specifying this environment variable allows the program to use database connection details from cm.conf if placed in a non-standard location.
This environment variable is optional. If this environment variable is not specified, and roca_scanner is placed in the default directory <install_root>/tools, roca_scanner will automatically find the CM configuration and the database connection details.