{"id":13440055,"url":"https://github.com/crocs-muni/roca","last_synced_at":"2026-01-14T07:01:27.201Z","repository":{"id":57462501,"uuid":"106841732","full_name":"crocs-muni/roca","owner":"crocs-muni","description":"ROCA: Infineon RSA key vulnerability","archived":false,"fork":false,"pushed_at":"2023-10-19T11:55:34.000Z","size":416,"stargazers_count":491,"open_issues_count":8,"forks_count":94,"subscribers_count":35,"default_branch":"master","last_synced_at":"2025-11-27T19:54:51.426Z","etag":null,"topics":["detector","discrete-logarithm","fingerprinting","infineon","python","roca","roca-detec","roca-detector","rsa","rsa-keys"],"latest_commit_sha":null,"homepage":"https://roca.crocs.fi.muni.cz","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/crocs-muni.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-10-13T15:28:41.000Z","updated_at":"2025-11-23T05:38:24.000Z","dependencies_parsed_at":"2024-01-07T10:50:59.914Z","dependency_job_id":"35bb8241-d7bb-4efe-8df4-c9ad22e72b6f","html_url":"https://github.com/crocs-muni/roca","commit_stats":{"total_commits":167,"total_committers":14,"mean_commits":"11.928571428571429","dds":"0.13173652694610782","last_synced_commit":"df6071d502f68701427f8b1d409cab22055ad1b7"},"previous_names":[],"tags_count":19,"template":false,"template_full_name":null,"purl":"pkg:github/crocs-muni/roca","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crocs-muni%2Froca","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crocs-muni%2Froca/tags","releases_url":"https://repos.ecosyste.ms/a
pi/v1/hosts/GitHub/repositories/crocs-muni%2Froca/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crocs-muni%2Froca/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/crocs-muni","download_url":"https://codeload.github.com/crocs-muni/roca/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crocs-muni%2Froca/sbom","scorecard":{"id":309199,"data":{"date":"2025-08-11","repo":{"name":"github.com/crocs-muni/roca","commit":"df6071d502f68701427f8b1d409cab22055ad1b7"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.9,"checks":[{"name":"Code-Review","score":0,"reason":"Found 2/28 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is 
\"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/crocs-muni/roca/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/crocs-muni/roca/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/crocs-muni/roca/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/crocs-muni/roca/codeql-analysis.yml/master?enable=pin","Info:   0 out of   4 GitHub-owned GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn 
an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a 
license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":7,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 0 commits out of 4 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-17T22:50:15.651Z","repository_id":57462501,"created_at":"2025-08-17T22:50:15.651Z","updated_at":"2025-08-17T22:50:15.651Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28412480,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T05:26:33.345Z","status":"ssl_error","status_checked_at":"2026-01-14T05:21:57.251Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["detector","discrete-logarithm","fingerprinting","infineon","python","roca","roca-detec","roca-detector","rsa","rsa-keys"],"created_at":"2024-07-31T03:01:19.405Z","updated_at":"2026-01-14T07:01:27.194Z","avatar_url":"https://github.com/crocs-muni.png","language":"Python","readme":"# ROCA detection tool\n\n[![Build Status](https://travis-ci.org/crocs-muni/roca.svg?branch=master)](https://travis-ci.org/crocs-muni/roca)\n\n\nThis tool is related to [ACM CCS 2017 conference paper #124 Return of the Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli](https://crocs.fi.muni.cz/public/papers/rsa_ccs17).\n\nIt enables you to test public RSA keys for the presence of the described vulnerability.\n\n*Update 4.11.2017*: Python 2.7, 3.4+ supported.\n\n*Update 30.10.2017*: The [paper](https://crocs.fi.muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf) describing the attack is online,\n [ACM version](https://dl.acm.org/citation.cfm?id=3133969).\n\n*Update 30.10.2017*: The discrete logarithm detector is now implemented in Python and used as the default. 
It detects the structure\nin the primes exploited by the factorization algorithm.\n\nCurrently the tool supports the following key formats:\n\n- X509 Certificate, DER encoded, one per file, `*.der`, `*.crt`\n- X509 Certificate, PEM encoded, multiple per file, `*.pem`\n- X509 Certificate Signing Request, PEM encoded, multiple per file, `*.pem`\n- RSA private key or public key, PEM encoded, multiple per file, `*.pem` (has to have the correct header `-----BEGIN RSA...`)\n- SSH public key, `*.pub`, starting with \"ssh-rsa\", one per line\n- ASCII-armored PGP key, `*.pgp`, `*.asc`, multiple per file, has to have the correct header `-----BEGIN PGP...`\n- Android application package, `*.apk`\n- text file with one modulus per line, `*.txt`; the modulus can be\n    a) a base64 encoded number, b) a hex encoded number, c) a decimal number\n- JSON file with moduli, one record per line; a record with a modulus has\n    the key \"mod\" (int, base64, hex, dec encoding supported);\n    a certificate with the key \"cert\" / an array of certificates with the key \"certs\" are also supported, base64 encoded DER.\n- LDIFF file - LDAP database dump. Any field ending with `;binary::` is decoded as an X509 certificate if possible\n- Java Key Store file (JKS). Tries an empty password and some common ones; specify more with `--jks-pass-file`\n- PKCS7 signature with user certificate\n\nThe detection tool is intentionally a single-file implementation for easy integration / manipulation.\n\n## False positives\n\nFalse positive rates of the two detectors:\n\n * Moduli detector: 2^-27\n * Discrete logarithm detector: 2^-154\n\nThe discrete logarithm detector is implemented only in the Python code and is used as the default detection method.\n\nThe Java and C# code ports have been unmaintained since the original publication and we don't plan to upgrade these\ndetectors to the more precise method. 
However, PRs are welcome!\n\n## Online checker\n\nhttps://keychest.net/roca\n\nThe online checker uses the discrete logarithm detector algorithm.\n\n## Install with pip\n\nInstall the detector library + tool with `pip` (installs all dependencies):\n\n```\npip install roca-detect\n```\n\n## Local install\n\nExecute in the root folder of the package:\n\n```\npip install --upgrade --find-links=. .\n```\n\n## Dependencies\n\nIt may be necessary to install additional system packages so that `pip` can build e.g. the `cryptography` package.\n\nCentOS / RHEL:\n\n```\nsudo yum install python-devel python-pip gcc gcc-c++ make automake autoreconf libtool openssl-devel libffi-devel dialog\n```\n\nUbuntu:\n```\nsudo apt-get install python-pip python-dev build-essential libssl-dev libffi-dev swig\n```\n\n## Usage\n\nTo print the basic usage:\n\n```\n# If installed with pip / manually\nroca-detect --help\n\n# Without installation (can miss dependencies)\npython roca/detect.py\n```\n\nThe testing tool accepts multiple file names / directories as input arguments.\nIt prints a report showing how many keys have been fingerprinted (and which ones).\n\n**Example (no vulnerabilities found):**\n\nRunning recursively on all my SSH keys and known_hosts:\n\n```\n$\u003e roca-detect ~/.ssh\n2017-10-16 13:39:21 [51272] INFO ### SUMMARY ####################\n2017-10-16 13:39:21 [51272] INFO Records tested: 92\n2017-10-16 13:39:21 [51272] INFO .. PEM certs: . . . 0\n2017-10-16 13:39:21 [51272] INFO .. DER certs: . . . 0\n2017-10-16 13:39:21 [51272] INFO .. RSA key files: . 16\n2017-10-16 13:39:21 [51272] INFO .. PGP master keys: 0\n2017-10-16 13:39:21 [51272] INFO .. PGP total keys:  0\n2017-10-16 13:39:21 [51272] INFO .. SSH keys:  . . . 76\n2017-10-16 13:39:21 [51272] INFO .. APK keys:  . . . 0\n2017-10-16 13:39:21 [51272] INFO .. JSON keys: . . . 0\n2017-10-16 13:39:21 [51272] INFO .. LDIFF certs: . . 0\n2017-10-16 13:39:21 [51272] INFO .. JKS certs: . . . 
0\n2017-10-16 13:39:21 [51272] INFO .. PKCS7: . . . . . 0\n2017-10-16 13:39:21 [51272] INFO No fingerprinted keys found (OK)\n2017-10-16 13:39:21 [51272] INFO ################################\n```\n\n**Example (vulnerabilities found):**\n\nRunning recursively on all my SSH keys and known_hosts:\n\n```\n$\u003e roca-detect ~/.ssh\n\u003cb\u003e2017-10-16 13:39:21 [51272] WARNING Fingerprint found in the Certificate\u003c/b\u003e\n...\n2017-10-16 13:39:21 [51272] INFO ### SUMMARY ####################\n2017-10-16 13:39:21 [51272] INFO Records tested: 92\n2017-10-16 13:39:21 [51272] INFO .. PEM certs: . . . 0\n2017-10-16 13:39:21 [51272] INFO .. DER certs: . . . 0\n2017-10-16 13:39:21 [51272] INFO .. RSA key files: . 16\n2017-10-16 13:39:21 [51272] INFO .. PGP master keys: 0\n2017-10-16 13:39:21 [51272] INFO .. PGP total keys:  0\n2017-10-16 13:39:21 [51272] INFO .. SSH keys:  . . . 76\n2017-10-16 13:39:21 [51272] INFO .. APK keys:  . . . 0\n2017-10-16 13:39:21 [51272] INFO .. JSON keys: . . . 0\n2017-10-16 13:39:21 [51272] INFO .. LDIFF certs: . . 0\n2017-10-16 13:39:21 [51272] INFO .. JKS certs: . . . 0\n2017-10-16 13:39:21 [51272] INFO .. PKCS7: . . . . . 0\n2017-10-16 13:39:21 [51272] INFO Fingerprinted keys found: 1\n2017-10-16 13:39:21 [51272] INFO WARNING: Potential vulnerability\n2017-10-16 13:39:21 [51272] INFO ################################\n```\n\n## PGP key\n\nIn order to test your PGP key you can export it from your email client or download it from a PGP key server such as\nhttps://pgp.mit.edu/\n\nYou can also use the `gpg` command line utility to export your public key:\n\n```bash\ngpg --armor --export your@email.com \u003e mykey.asc\n```\n\n## Advanced use case\n\nThe detection tool extracts information about each key, which can be displayed with:\n\n```\nroca-detect.py --dump --flatten --indent  ~/.ssh/\n```\n\n## TLS/SSL detection\nThe `roca-detect-tls` tool fetches certificates from remote TLS/SSL ports and tests them. 
Provide a file with a newline-delimited list of `address:port` entries and use that file as input.\n\nExample file: tls_list.txt\n```\ngithub.com:443\ngoogle.com:443\ninternal.example.com:8080\n```\n\nThen run:\n\n`roca-detect-tls tls_list.txt`\n\n## Fake moduli\n\nIt is possible to generate moduli that pass the moduli fingerprinting test but do not actually contain the structure\nthe factorization algorithm relies on. The discrete logarithm test does not mark those as positive.\n\n## Advanced installation methods\n\n### Virtual environment\n\nIt is usually recommended to create a new Python virtual environment for the project:\n\n```\nvirtualenv ~/pyenv\nsource ~/pyenv/bin/activate\npip install --upgrade pip\npip install --upgrade --find-links=. .\n```\n\n### Separate Python 2.7.13\n\nWe tested the tool with Python 2.7.13 and it works (see Travis for more info).\nWe have reports saying lower versions (\u003c=2.6) do not work properly, so we highly recommend using an up to date Python 2.7.\n\nUse `pyenv` to install a new Python version locally if you cannot / don't want to update the system Python.\n\nIt internally downloads the Python sources and installs them to `~/.pyenv`.\n\n```\ngit clone https://github.com/pyenv/pyenv.git ~/.pyenv\necho 'export PYENV_ROOT=\"$HOME/.pyenv\"' \u003e\u003e ~/.bashrc\necho 'export PATH=\"$PYENV_ROOT/bin:$PATH\"' \u003e\u003e ~/.bashrc\necho 'eval \"$(pyenv init -)\"' \u003e\u003e ~/.bashrc\nexec $SHELL\npyenv install 2.7.13\npyenv local 2.7.13\n```\n\n### Python 3\n\nThe detection tool also works with Python 3.4+.\n\n### Docker container\n\nRun via a Docker container to avoid environment inconsistency. 
The Dockerfile source can be audited at https://hub.docker.com/r/unnawut/roca-detect/.\n\n```\ndocker run --rm -v /path/to/your/keys:/keys --network none unnawut/roca-detect\n```\n\nMake sure to use the `--rm` and `--network none` flags to disable the container's network connection and delete the container after it has run.\n\n\n## Licensing\n\nThe code is licensed under the permissive MIT license.\n\nAs there were requests for dual licensing under the Apache 2.0 license (due to some doubts about compatibility), we are also licensing\nthe code under the Apache 2.0 license.\n\nPick the license that suits you better, either MIT or Apache 2.0.\n\n## Language ports\n\nThis section contains links to Git repositories with language ports:\n\n- [Go](https://github.com/titanous/rocacheck)\n\n","funding_links":[],"categories":["Python","Vulnerabilities\u0026\u0026Vulnerability Management\u0026\u0026Vulnerability Discovery/Hunting\u0026\u0026Vulnerability Development\u0026\u0026Vulnerability Exploitation\u0026\u0026Fuzzing"],"sub_categories":["Uncategorized-Vul"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcrocs-muni%2Froca","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcrocs-muni%2Froca","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcrocs-muni%2Froca/lists"}
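The README embedded above states the two detector variants (moduli fingerprint, false positive rate 2^-27; discrete logarithm, 2^-154), says the tool reads `ssh-rsa` public key lines among other formats, and notes under "Fake moduli" that moduli can be built which pass the moduli test but not the dlog test. The Python below is an added example written for this page; it is not code from crocs-muni/roca. It reimplements both checks from the published structure of the affected primes (p = k*M + (65537^a mod M), so N = p*q ≡ 65537^(a+b) mod M), derives the per-prime subgroup masks instead of hardcoding them, builds one structured modulus and one decoy to show where the two tests diverge, and parses an OpenSSH `ssh-rsa` line down to its modulus. Assumptions: a fixed list of 38 small odd primes for M (roca-detect sizes the prime list by key length, so its results can differ), test factors that are not checked for primality, and Python 3.8+ for `pow(x, -1, m)`; all function names are this example's own.

```python
# Added example, not roca-detect's own code: the two ROCA fingerprint tests the
# README compares (moduli vs. discrete logarithm) plus an ssh-rsa line parser.
# Background from the ROCA paper: RSALib primes are p = k*M + (65537^a mod M), with
# M a product of small primes, so N = p*q satisfies N ≡ 65537^(a+b) (mod M).
# Assumptions: a fixed list of 38 odd primes (the real tool sizes it by key length),
# test factors never checked for primality, Python 3.8+ for pow(x, -1, m).
import base64
import struct
from math import gcd, prod

GENERATOR = 65537
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131,
                137, 139, 149, 151, 157, 163, 167]
M = prod(SMALL_PRIMES)  # the primorial for this prime list


def generator_cycle(p, g=GENERATOR):
    """Powers g^0, g^1, ... mod p until the cycle closes: the subgroup <g>."""
    cycle, x = [], 1
    while True:
        cycle.append(x)
        x = (x * g) % p
        if x == 1:
            return cycle


def fingerprint_mask(p, g=GENERATOR):
    """Bitmask with bit r set iff r lies in <g> mod p (derived, not a lookup table)."""
    mask = 0
    for r in generator_cycle(p, g):
        mask |= 1 << r
    return mask


MASKS = {p: fingerprint_mask(p) for p in SMALL_PRIMES}


def moduli_test(n, primes=SMALL_PRIMES):
    """Weak test: each residue n mod p is in <65537> mod p, checked per prime only."""
    return all((MASKS[p] >> (n % p)) & 1 for p in primes)


def dlog_test(n, primes=SMALL_PRIMES, g=GENERATOR):
    """Strong test: does ONE exponent d with g^d ≡ n (mod M) exist?  Per-prime logs
    are brute-forced (orders are tiny) and merged by a generalized CRT over the
    non-coprime orders.  Returns (d, lcm of orders), or None if no such d exists."""
    d, mod = 0, 1
    for p in primes:
        cycle = generator_cycle(p, g)
        r = n % p
        if r not in cycle:               # residue outside the subgroup
            return None
        d_p, ord_p = cycle.index(r), len(cycle)
        h = gcd(mod, ord_p)
        if (d - d_p) % h:                # d (mod mod) and d_p (mod ord_p) clash
            return None
        m1, o1 = mod // h, ord_p // h    # coprime, so m1 is invertible mod o1
        t = ((d_p - d) // h * pow(m1, -1, o1)) % o1 if o1 > 1 else 0
        lcm = m1 * ord_p
        d, mod = (d + mod * t) % lcm, lcm
    return d, mod


def fake_roca_modulus(a, b, k1=7, k2=11, g=GENERATOR):
    """Constructed modulus with RSALib's structure: both factors are k*M + g^x mod M."""
    return (k1 * M + pow(g, a, M)) * (k2 * M + pow(g, b, M))


def decoy_modulus():
    """Constructed decoy: n ≡ 1 (mod M/5) but n ≡ 65537 (mod 5).  Every residue sits
    in its subgroup, yet the exponents disagree (0 mod 2 at p=3 vs 1 mod 4 at p=5)."""
    rest = M // 5
    t = (GENERATOR % 5 - 1) * pow(rest, -1, 5) % 5   # CRT lift to n ≡ 2 (mod 5)
    return 1 + rest * t


def ssh_rsa_modulus(line):
    """Modulus from an OpenSSH 'ssh-rsa AAAA...' line (RFC 4253 wire format:
    length-prefixed string "ssh-rsa", mpint e, mpint n)."""
    blob = base64.b64decode(line.split()[1])
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    return int.from_bytes(fields[2], "big")


def ssh_rsa_line(e, n):
    """Encode (e, n) as an ssh-rsa line; used here only to build a constructed sample."""
    def mpint(x):  # big-endian, with a leading zero byte when the top bit is set
        raw = x.to_bytes((x.bit_length() + 8) // 8, "big")
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()
```

Running `moduli_test` and `dlog_test` on `fake_roca_modulus(1234, 5677)` flags it under both tests, and `dlog_test` recovers the exponent 1234 + 5677 modulo the lcm of the subgroup orders; `decoy_modulus()` passes `moduli_test` but is rejected by `dlog_test`, which is the "fake moduli" situation the README describes and the reason the per-prime test has the far higher false positive rate. A key line from `~/.ssh/known_hosts` or an `id_rsa.pub` goes through `ssh_rsa_modulus` first, and the returned integer is what the tests consume.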