
ROCA scanner command-line tool in Certificate Manager

roca_scanner is a command-line program that scans all certificates in a Smart ID Certificate Manager (CM) database to find any RSA keys that are affected by the ROCA RSA-key weakness.

The weakness originates in the RSALib library from Infineon Technologies AG, which produced RSA keys that may have been used in CM. See CVE-2017-15361 for a description of the vulnerability.

While CM does not use the affected library for RSA key generation, there is still a risk that such keys have been handled by CM when they were created by an external source, for example, smart cards that produce such keys.

The program scans all active and non-expired certificates in the CM database for such RSA keys. The database connection details are read from cm.conf in an existing CM installation.
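The check the scanner applies is the public ROCA fingerprint from the CVE-2017-15361 disclosure: an affected modulus N has, for each of 38 small primes p, a residue N mod p that lies in the subgroup generated by 65537 modulo p. The following is an added example of that test in plain Python, not the code of roca_scanner or CM; the modulus used for the positive case is a constructed value with the right residue structure, not a real key.

```python
"""ROCA fingerprint test for an RSA modulus (added example, not roca_scanner code).

For every prime p in PRIMES, a ROCA-affected modulus satisfies
    N mod p  in  { 65537^k mod p : k >= 0 }.
A modulus that passes for all 38 primes is flagged. An unaffected modulus
almost always fails within the first few discriminating primes (11 onwards;
3, 5 and 7 accept every non-zero residue because 65537 generates their groups).
"""
from functools import reduce

PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
          71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139,
          149, 151, 157, 163, 167]
GENERATOR = 65537


def subgroup(p):
    """Return the set of residues {65537^k mod p}, i.e. the values an affected modulus may take mod p."""
    seen = set()
    x = 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % p
    return seen


# Precompute the allowed residue set once per prime.
ALLOWED = {p: subgroup(p) for p in PRIMES}


def is_roca_fingerprinted(n):
    """True if the modulus n matches the ROCA fingerprint for all primes in PRIMES."""
    return all(n % p in ALLOWED[p] for p in PRIMES)


# Product of the 38 primes; an affected modulus is congruent to 65537^a modulo this value.
M = reduce(lambda a, b: a * b, PRIMES)


def synthetic_affected_modulus(a=12345, bits=2048):
    """Constructed test value (assumption: only for exercising the check).

    It has the ROCA residue structure (65537^a mod M plus a multiple of M) so the
    fingerprint fires, but it is NOT a valid RSA modulus and is not a real key.
    """
    base = pow(GENERATOR, a, M)
    t = (1 << (bits - 1)) // M + 1
    return base + t * M


def scan_moduli(moduli):
    """Given a mapping {certSerNr: modulus}, return the serial numbers that are flagged."""
    return [ser for ser, n in moduli.items() if is_roca_fingerprinted(n)]


if __name__ == "__main__":
    sample = {10119: synthetic_affected_modulus(), 10120: (1 << 2047) + 1}  # constructed
    print("Flagged certSerNr:", scan_moduli(sample))
```

Because the test only looks at residues of the public modulus, it runs on the certificate alone and needs no private material, which is why a database-wide scan like the one roca_scanner performs is cheap.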

The program is located in the <install_root>/tools directory relative to where CM is installed.

Example: Scan all certificates

This is an example of how to scan all certificates with roca_scanner:

    $ ./roca_scanner.sh -log output.txt
    Will save results to output.txt
    Scanning 120 certificates...
    Found affected certificate: sernr=10119, cardSerNr=MJ1050,
    serNrInCert=1ece1a65aaa503b17c5dba10c5f751bb, subjectDN=cn=Weak Infineon Rsa Key
    Done. Found 1 scanned keys that are affected by the ROCA vulnerability.
    $ cat output.txt
    #certSerNr cardSerNr serNrInCert subjectDN
    10119 MJ1050 1ece1a65aaa503b17c5dba10c5f751bb cn=Weak Infineon Rsa Key

The optional output logfile is a tab-separated file. This file can be loaded by, for example, CM Certificate Controller to allow further action on any found certificates.
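Tooling that processes the logfile before handing the serial numbers on (for example to filter a large result set) needs to honour the layout shown above: a first line starting with `#` that names the tab-separated columns, followed by one record per line. The following parser is an added example, not part of CM or roca_scanner; the embedded log text is a constructed sample in that format.

```python
"""Parser for the tab-separated roca_scanner logfile (added example, not CM code)."""

# Constructed sample in the documented format: '#'-prefixed header, then one tab-separated record per line.
SAMPLE_LOG = (
    "#certSerNr\tcardSerNr\tserNrInCert\tsubjectDN\n"
    "10119\tMJ1050\t1ece1a65aaa503b17c5dba10c5f751bb\tcn=Weak Infineon Rsa Key\n"
)


def parse_roca_log(text):
    """Return one dict per affected certificate, keyed by the header column names.

    Column names are taken from the '#...' header line rather than hard-coded,
    and the record is split at most len(columns)-1 times so that a tab inside the
    final column (the subject DN) does not shift the fields.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("#"):
        raise ValueError("logfile must start with a '#' header line")
    columns = lines[0][1:].split("\t")
    records = []
    for ln in lines[1:]:
        fields = ln.split("\t", len(columns) - 1)
        if len(fields) != len(columns):
            raise ValueError(f"expected {len(columns)} fields, got {len(fields)}: {ln!r}")
        records.append(dict(zip(columns, fields)))
    return records


def cert_serial_numbers(text):
    """Return the certSerNr values of all listed certificates as integers."""
    return [int(rec["certSerNr"]) for rec in parse_roca_log(text)]


if __name__ == "__main__":
    for rec in parse_roca_log(SAMPLE_LOG):
        print(rec)
    print("certSerNr:", cert_serial_numbers(SAMPLE_LOG))
```

Reading the column names from the header means the parser keeps working if a later version of the tool adds a column, while the field-count check still catches a truncated or corrupted line instead of silently producing a wrong record.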

Configure roca_scanner

roca_scanner can be configured using the following environment variable:

Environment variable: CM_HOME

Description: (optional) Specifies the directory where the CM configuration is installed, usually referred to as <configuration_root>. Setting this environment variable allows the program to read the database connection details from cm.conf when it is placed in a non-standard location.

If CM_HOME is not set and roca_scanner is placed in its default directory <install_root>/tools, roca_scanner automatically finds the CM configuration and the database connection details.
