Signing weak RSA Keys? Not on our watch!

I'm sure very few of you have missed the rather crippling flaw found in a widely used code library to generate RSA keys which has been named the Return of Coppersmith's Attack, or ROCA for short.

Fortunately none of PrimeKey's products uses these libraries, nor do any of our supported HSM vendors to the best of our knowledge, so no key pairs produced by EJBCA should be affected by this flaw.

Source: https://crocs.fi.muni.cz/_detail/public/papers/roca_impact.png?id=public%3Apapers%3Arsa_ccs17

Nonetheless, EJBCA does run the risk of signing such keys as part of a Certificate Signing Request. As fears of similar flaws have been lifted to us before, in EJBCA 6.9.0 released in late August of this year we introduced the concept of Validators, among them the RSA Key Validator.

For EJBCA 6.10, slated to be released on the 1st of November, we've added functionality to the RSA Key Validator to reject keys affected by the ROCA flaw.

All you need to do after upgrading to EJBCA 6.10.0 or later is to check this box in your validator, and you're set to go!

Cheers!
Mike Agrenius Kushner,
Product Owner EJBCA