Add ROCA weak key checking (#3189)

Thanks to @titanous for the library!
letsencrypt · Nov 2, 2017 · 5df083a · 5df083a
1 parent 2f263f8
commit 5df083a
Show file tree

Hide file tree

Showing 10 changed files with 116 additions and 2 deletions.
diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
diff --git a/features/featureflag_string.go b/features/featureflag_string.go
diff --git a/features/features.go b/features/features.go
@@ -29,6 +29,7 @@ const (
 	RecheckCAA
 	LegacyCAA
 	UDPDNS
+	ROCACheck
 )
 
 // List of features and their default value, protected by fMu
@@ -49,6 +50,7 @@ var features = map[FeatureFlag]bool{
 	RecheckCAA:               false,
 	LegacyCAA:                false,
 	UDPDNS:                   false,
+	ROCACheck:                false,
 }
 
 var fMu = new(sync.RWMutex)

diff --git a/goodkey/good_key.go b/goodkey/good_key.go
@@ -10,6 +10,8 @@ import (
 	"sync"
 
 	berrors "github.com/letsencrypt/boulder/errors"
+	"github.com/letsencrypt/boulder/features"
+	"github.com/titanous/rocacheck"
 )
 
 // To generate, run: primes 2 752 | tr '\n' ,
@@ -233,6 +235,11 @@ func (policy *KeyPolicy) goodKeyRSA(key rsa.PublicKey) (err error) {
 	if checkSmallPrimes(modulus) {
 		return berrors.MalformedError("key divisible by small prime")
 	}
+	// Check for weak keys generated by Infineon hardware
+	// (see https://crocs.fi.muni.cz/public/papers/rsa_ccs17)
+	if features.Enabled(features.ROCACheck) && rocacheck.IsWeak(&key) {
+		return berrors.MalformedError("key generated by vulnerable Infineon-based hardware")
+	}
 
 	return nil
 }

diff --git a/goodkey/good_key_test.go b/goodkey/good_key_test.go
@@ -5,9 +5,11 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
+	"log"
 	"math/big"
 	"testing"
 
+	"github.com/letsencrypt/boulder/features"
 	"github.com/letsencrypt/boulder/test"
 )
 
@@ -84,6 +86,22 @@ func TestModulusDivisibleBy752(t *testing.T) {
 	test.AssertError(t, testingPolicy.GoodKey(&key), "Should have rejected modulus divisible by 751.")
 }
 
+func TestROCA(t *testing.T) {
+	err := features.Set(map[string]bool{"ROCACheck": true})
+	if err != nil {
+		log.Fatal(err)
+	}
+	n, ok := big.NewInt(1).SetString("19089470491547632015867380494603366846979936677899040455785311493700173635637619562546319438505971838982429681121352968394792665704951454132311441831732124044135181992768774222852895664400681270897445415599851900461316070972022018317962889565731866601557238345786316235456299813772607869009873279585912430769332375239444892105064608255089298943707214066350230292124208314161171265468111771687514518823144499250339825049199688099820304852696380797616737008621384107235756455735861506433065173933123259184114000282435500939123478591192413006994709825840573671701120771013072419520134975733578923370992644987545261926257", 10)
+	if !ok {
+		t.Fatal("failed to parse")
+	}
+	key := rsa.PublicKey{
+		N: n,
+		E: 65537,
+	}
+	test.AssertError(t, testingPolicy.GoodKey(&key), "Should have rejected ROCA-weak key.")
+}
+
 func TestGoodKey(t *testing.T) {
 	private, err := rsa.GenerateKey(rand.Reader, 2048)
 	test.AssertNotError(t, err, "Error generating key")

diff --git a/test/config-next/ra.json b/test/config-next/ra.json
@@ -42,6 +42,7 @@
       ]
     },
     "features": {
+      "ROCACheck": true,
       "UDPDNS": true,
       "AllowKeyRollover": true,
       "AllowTLS02Challenges": true,

diff --git a/test/config-next/wfe.json b/test/config-next/wfe.json
@@ -29,6 +29,7 @@
       "timeout": "15s"
     },
     "features": {
+      "ROCACheck": true,
       "AllowAccountDeactivation": true,
       "AllowKeyRollover": true,
       "UseAIAIssuerURL": true,

diff --git a/vendor/github.com/titanous/rocacheck/LICENSE b/vendor/github.com/titanous/rocacheck/LICENSE
diff --git a/vendor/github.com/titanous/rocacheck/README.md b/vendor/github.com/titanous/rocacheck/README.md
diff --git a/vendor/github.com/titanous/rocacheck/rocacheck.go b/vendor/github.com/titanous/rocacheck/rocacheck.go