// Package rocacheck checks if a key was generated by broken Infineon code and/

1. // Package rocacheck checks if a key was generated by broken Infineon code and
2. // is vulnerable to factorization via the Return of Coppersmith's Attack (ROCA)
3. // / CVE-2017-15361.
4. package main
5.  
6. import (
7. "crypto/rand"
8. "crypto/rsa"
9. "fmt"
10. "math/big"
11. )
12.  
13. const printCount = 38
14.  
15. var primes = make([]*big.Int, printCount)
16. var prints = make([]*big.Int, printCount)
17. var bigZero = big.NewInt(0)
18. var bigOne = big.NewInt(1)
19.  
20. func init() {
21. for i, s := range []string{
22. "6",
23. "30",
24. "126",
25. "1026",
26. "5658",
27. "107286",
28. "199410",
29. "8388606",
30. "536870910",
31. "2147483646",
32. "67109890",
33. "2199023255550",
34. "8796093022206",
35. "140737488355326",
36. "5310023542746834",
37. "576460752303423486",
38. "1455791217086302986",
39. "147573952589676412926",
40. "20052041432995567486",
41. "6041388139249378920330",
42. "207530445072488465666",
43. "9671406556917033397649406",
44. "618970019642690137449562110",
45. "79228162521181866724264247298",
46. "2535301200456458802993406410750",
47. "1760368345969468176824550810518",
48. "50079290986288516948354744811034",
49. "473022961816146413042658758988474",
50. "10384593717069655257060992658440190",
51. "144390480366845522447407333004847678774",
52. "2722258935367507707706996859454145691646",
53. "174224571863520493293247799005065324265470",
54. "696898287454081973172991196020261297061886",
55. "713623846352979940529142984724747568191373310",
56. "1800793591454480341970779146165214289059119882",
57. "126304807362733370595828809000324029340048915994",
58. "11692013098647223345629478661730264157247460343806",
59. "187072209578355573530071658587684226515959365500926",
60. } {
61. bi := &big.Int{}
62. bi.SetString(s, 10)
63. prints[i] = bi
64. }
65. for i, p := range []int64{
66. 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
67. 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149,
68. 151, 157, 163, 167,
69. } {
70. primes[i] = big.NewInt(p)
71. }
72. }
73.  
74. // IsWeak returns true if a RSA public key is vulnerable to Return of
75. // Coppersmith's Attack (ROCA).
76. func IsWeak(k *rsa.PublicKey) bool {
77. for i, print := range prints {
78. n := &big.Int{}
79. n.Mod(k.N, primes[i])
80. n.Lsh(bigOne, uint(n.Uint64()))
81. n.And(n, print)
82. if n.Cmp(bigZero) == 0 {
83. return false
84. }
85. }
86. return true
87. }
88.  
89. func main() {
90. key, err := rsa.GenerateKey(rand.Reader, 4096)
91. if err != nil {
92. panic(err)
93. }
94.  
95. pubkey := key.Public()
96. fmt.Println(IsWeak(pubkey.(*rsa.PublicKey)))
97. }