
crypt-openssl-rsa's Introduction



Crypt::OpenSSL::RSA - RSA encoding and decoding, using the openSSL libraries


use Crypt::OpenSSL::Random;
use Crypt::OpenSSL::RSA;

# not necessary if we have /dev/random:
Crypt::OpenSSL::Random::random_seed($good_entropy);
Crypt::OpenSSL::RSA->import_random_seed();

$rsa_pub = Crypt::OpenSSL::RSA->new_public_key($key_string);
$ciphertext = $rsa_pub->encrypt($plaintext);

$rsa_priv = Crypt::OpenSSL::RSA->new_private_key($key_string);
$plaintext = $rsa_priv->decrypt($ciphertext);

$rsa = Crypt::OpenSSL::RSA->generate_key(1024); # or
$rsa = Crypt::OpenSSL::RSA->generate_key(1024, $prime);

print "private key is:\n", $rsa->get_private_key_string();
print "public key (in PKCS1 format) is:\n",
      $rsa->get_public_key_string();
print "public key (in X509 format) is:\n",
      $rsa->get_public_key_x509_string();

$rsa_priv->use_md5_hash(); # insecure. use_sha256_hash or use_sha1_hash are the default
$signature = $rsa_priv->sign($plaintext);
print "Signed correctly\n" if ($rsa_priv->verify($plaintext, $signature));


Crypt::OpenSSL::RSA provides the ability to RSA encrypt strings which are somewhat shorter than the block size of a key. It also allows for decryption, signatures and signature verification.

NOTE: Many of the methods in this package can croak, so use eval or a try/catch mechanism to capture errors. Also, while some methods from earlier versions of this package returned true on success, this (never documented) behavior is no longer the case.

Class Methods

  • new_public_key

    Create a new Crypt::OpenSSL::RSA object by loading a public key in from a string containing Base64/DER-encoding of either the PKCS1 or X.509 representation of the key. The string should include the -----BEGIN...----- and -----END...----- lines.

    The padding is set to PKCS1_OAEP, but can be changed with the use_xxx_padding methods.

  • new_private_key

    Create a new Crypt::OpenSSL::RSA object by loading a private key in from a string containing the Base64/DER encoding of the PKCS1 representation of the key. The string should include the -----BEGIN...----- and -----END...----- lines. The padding is set to PKCS1_OAEP, but can be changed with use_xxx_padding.

    An optional parameter can be passed for a passphrase-protected private key:

    • passphrase

      The passphrase which protects the private key.

  • generate_key

    Create a new Crypt::OpenSSL::RSA object by constructing a private/public key pair. The first (mandatory) argument is the key size, while the second optional argument specifies the public exponent (the default public exponent is 65537). The padding is set to PKCS1_OAEP, but can be changed with use_xxx_padding methods.

  • new_key_from_parameters

    Given Crypt::OpenSSL::Bignum objects for n, e, and optionally d, p, and q, where p and q are the prime factors of n, e is the public exponent and d is the private exponent, create a new Crypt::OpenSSL::RSA object using these values. If p and q are provided and d is undef, d is computed. Note that while p and q are not necessary for a private key, their presence will speed up computation.

  • import_random_seed

    Import a random seed from Crypt::OpenSSL::Random, since the OpenSSL libraries won't allow sharing of random structures across perl XS modules.

Instance Methods


  • DESTROY

    Clean up after ourselves. In particular, erase and free the memory occupied by the RSA key structure.

  • get_public_key_string

    Return the Base64/DER-encoded PKCS1 representation of the public key. This string has header and footer lines:

      -----BEGIN RSA PUBLIC KEY-----
      -----END RSA PUBLIC KEY-----

  • get_public_key_x509_string

    Return the Base64/DER-encoded representation of the "subject public key", suitable for use in X509 certificates. This string has header and footer lines:

      -----BEGIN PUBLIC KEY-----
      -----END PUBLIC KEY-----

    and is the format that is produced by running openssl rsa -pubout.

  • get_private_key_string

    Return the Base64/DER-encoded PKCS1 representation of the private key. This string has header and footer lines:

      -----BEGIN RSA PRIVATE KEY-----
      -----END RSA PRIVATE KEY-----

    Two optional parameters can be passed for a passphrase-protected private key string:

    • passphrase

      The passphrase which protects the private key.

    • cipher name

      The cipher algorithm used to protect the private key. Defaults to 'des3'.

  • encrypt

    Encrypt a binary "string" using the public (portion of the) key.

  • decrypt

    Decrypt a binary "string". Croaks if the key is public only.

  • private_encrypt

    Encrypt a binary "string" using the private key. Croaks if the key is public only.

  • public_decrypt

    Decrypt a binary "string" using the public (portion of the) key.

  • sign

    Sign a string using the secret (portion of the) key.

  • verify

    Check the signature on a text.

  • use_no_padding

    Use raw RSA encryption. This mode should only be used to implement cryptographically sound padding modes in the application code. Encrypting user data directly with RSA is insecure.

  • use_pkcs1_padding

    Use PKCS #1 v1.5 padding. This currently is the most widely used mode of padding.

  • use_pkcs1_oaep_padding

    Use EME-OAEP padding as defined in PKCS #1 v2.0 with SHA-1, MGF1 and an empty encoding parameter. This mode of padding is recommended for all new applications. It is the default mode used by Crypt::OpenSSL::RSA.

  • use_sslv23_padding

    Use PKCS #1 v1.5 padding with an SSL-specific modification that denotes that the server is SSL3 capable.

    Not available since OpenSSL 3.

  • use_md5_hash

    Use the RFC 1321 MD5 hashing algorithm by Ron Rivest when signing and verifying messages.

    Note that this is considered insecure.

  • use_sha1_hash

    Use the RFC 3174 Secure Hashing Algorithm (FIPS 180-1) when signing and verifying messages. This is the default, when use_sha256_hash is not available.

  • use_sha224_hash, use_sha256_hash, use_sha384_hash, use_sha512_hash

    These FIPS 180-2 hash algorithms, for use when signing and verifying messages, are only available with newer openssl versions (>= 0.9.8).

    use_sha256_hash is the default hash mode when available.

  • use_ripemd160_hash

    Use Dobbertin, Bosselaers and Preneel's RIPEMD hashing algorithm when signing and verifying messages.

  • use_whirlpool_hash

    Use Vincent Rijmen and Paulo S. L. M. Barreto's ISO/IEC 10118-3:2004 WHIRLPOOL hashing algorithm when signing and verifying messages.

  • size

    Returns the size, in bytes, of the key. All encrypted text will be of this size, and depending on the padding mode used, the length of the text to be encrypted should be:

    • pkcs1_oaep_padding

      at most 42 bytes less than this size.

    • pkcs1_padding or sslv23_padding

      at most 11 bytes less than this size.

    • no_padding

      exactly this size.

  • check_key

    This function validates the RSA key, returning a true value if the key is valid, and a false value otherwise. Croaks if the key is public only.

  • get_key_parameters

    Return Crypt::OpenSSL::Bignum objects representing the values of n, e, d, p, q, d mod (p-1), d mod (q-1), and 1/q mod p, where p and q are the prime factors of n, e is the public exponent and d is the private exponent. Some of these values may return as undef; only n and e will be defined for a public key. The Crypt::OpenSSL::Bignum module must be installed for this to work.

  • is_private

    Return true if this is a private key, and false if it is public only.
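
A usage example for the methods documented above, added here and not taken from the module's distribution: it exports a passphrase-protected private key, reloads it without prompting, and encrypts with OAEP while enforcing the length limits listed under size. The helper names and sample values are constructed for illustration, and it assumes a module version that accepts the passphrase arguments described above.

```perl
use strict;
use warnings;
use Crypt::OpenSSL::RSA;

# Padding overhead in bytes, from the "size" entry of this documentation.
my %OVERHEAD = (oaep => 42, pkcs1 => 11);

# Largest plaintext (in bytes) that fits in one RSA block for a padding mode.
sub max_plaintext_len {
    my ($rsa, $mode) = @_;
    return $rsa->size() - $OVERHEAD{$mode};
}

# Encrypt with OAEP, rejecting oversize input before OpenSSL sees it.
sub encrypt_oaep {
    my ($pub, $plaintext) = @_;
    $pub->use_pkcs1_oaep_padding();
    my $max = max_plaintext_len($pub, 'oaep');
    die sprintf("plaintext is %d bytes, limit is %d\n", length($plaintext), $max)
        if length($plaintext) > $max;
    return $pub->encrypt($plaintext);    # may still croak; callers wrap in eval
}

# Decrypt with OAEP. Every failure collapses to undef, so callers do not
# branch on, or report, the OpenSSL error text for a bad ciphertext.
sub decrypt_oaep {
    my ($priv, $ciphertext) = @_;
    $priv->use_pkcs1_oaep_padding();
    my $plaintext = eval { $priv->decrypt($ciphertext) };
    return $plaintext;
}

# Load a passphrase-protected key without prompting; undef on any failure.
sub load_private_key {
    my ($pem, $passphrase) = @_;
    return eval { Crypt::OpenSSL::RSA->new_private_key($pem, $passphrase) };
}

# --- constructed demo values ---
my $passphrase = 'constructed-example-passphrase';
my $key        = Crypt::OpenSSL::RSA->generate_key(2048);

# Export: private key encrypted under the passphrase (default cipher),
# public key in X.509 form for distribution.
my $private_pem = $key->get_private_key_string($passphrase);
my $public_pem  = $key->get_public_key_x509_string();
print "private PEM is encrypted\n" if $private_pem =~ /ENCRYPTED/;

my $pub  = Crypt::OpenSSL::RSA->new_public_key($public_pem);
my $priv = load_private_key($private_pem, $passphrase)
    or die "could not load private key\n";
print "wrong passphrase rejected\n"
    unless load_private_key($private_pem, 'not-the-passphrase');

printf "key size %d bytes, OAEP limit %d bytes, PKCS#1 v1.5 limit %d bytes\n",
    $pub->size(), max_plaintext_len($pub, 'oaep'), max_plaintext_len($pub, 'pkcs1');

my $secret     = 'session-key-material';    # constructed sample plaintext
my $ciphertext = encrypt_oaep($pub, $secret);
my $recovered  = decrypt_oaep($priv, $ciphertext);
print "round trip ok\n" if defined $recovered && $recovered eq $secret;

# One byte over the limit is refused by the length check.
my $too_long = 'A' x (max_plaintext_len($pub, 'oaep') + 1);
eval { encrypt_oaep($pub, $too_long); 1 } or print "rejected: $@";

# A corrupted ciphertext fails to decrypt and yields undef, not an exception.
my $corrupt = $ciphertext;
substr($corrupt, 10, 1) = chr(ord(substr($corrupt, 10, 1)) ^ 0x01);
print "corrupt ciphertext rejected\n" unless defined decrypt_oaep($priv, $corrupt);
```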


There is a small memory leak when generating new keys of more than 512 bits.


Ian Robertson, [email protected]. For support, please email [email protected].



Copyright (c) 2001-2011 Ian Robertson. Crypt::OpenSSL::RSA is free software; you may redistribute it and/or modify it under the same terms as Perl itself.


perl(1), Crypt::OpenSSL::Random, Crypt::OpenSSL::Bignum, rsa(3), RSA_new(3), RSA_public_encrypt(3), RSA_size(3), RSA_generate_key(3), RSA_check_key(3)

crypt-openssl-rsa's People


akiym, atoomic, davehodg, dsteinbrunner, dur-randir, dxma, fany, guest20, hugmeir, jberger, kambe-mikb, manwar, michal-josef-spacek, monken, paultcochrane, ppisar, toddr, vishwin

crypt-openssl-rsa's Issues

Add static compatibility between COR and Net::SSLeay [ #123936]

Migrated from (status was 'new')



From [email protected] on 2017-12-23 20:58:51:

The Net::SSLeay module is already using in XS the function name "bn2sv", resulting in compiling error, at least if you try to compile statically. (See attached linkerror.txt)

The following short patch fixes this issue:

--- failing/Crypt-OpenSSL-RSA-0.28/RSA.xs	2011-08-24 22:57:35.000000000 +0000
+++ working/Crypt-OpenSSL-RSA-0.28/RSA.xs	2017-12-23 20:44:17.182419988 +0000
@@ -136,7 +136,7 @@
-SV* bn2sv(BIGNUM* p_bn)
+SV* cor_bn2sv(BIGNUM* p_bn)
     return p_bn != NULL
         ? sv_2mortal(newSViv((IV) BN_dup(p_bn)))
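
Review bot: at line 136 the renamed helper still has external linkage (`SV* cor_bn2sv(BIGNUM* p_bn)` carries no `static`), so the fix depends on the `cor_` prefix never colliding with another statically linked XS module. Declaring the function `static` would keep the symbol out of the link step altogether; if other helpers in RSA.xs are also non-static, they deserve the same treatment in this patch.
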
@@ -387,14 +387,14 @@
     RSA* rsa;
     rsa = p_rsa->rsa;
-    XPUSHs(bn2sv(rsa->n));
-    XPUSHs(bn2sv(rsa->e));
-    XPUSHs(bn2sv(rsa->d));
-    XPUSHs(bn2sv(rsa->p));
-    XPUSHs(bn2sv(rsa->q));
-    XPUSHs(bn2sv(rsa->dmp1));
-    XPUSHs(bn2sv(rsa->dmq1));
-    XPUSHs(bn2sv(rsa->iqmp));
+    XPUSHs(cor_bn2sv(rsa->n));
+    XPUSHs(cor_bn2sv(rsa->e));
+    XPUSHs(cor_bn2sv(rsa->d));
+    XPUSHs(cor_bn2sv(rsa->p));
+    XPUSHs(cor_bn2sv(rsa->q));
+    XPUSHs(cor_bn2sv(rsa->dmp1));
+    XPUSHs(cor_bn2sv(rsa->dmq1));
+    XPUSHs(cor_bn2sv(rsa->iqmp));
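
Review bot: all eight call sites at line 387 still read `rsa->n`, `rsa->e`, `rsa->d` and the CRT members straight out of the struct, which only builds against OpenSSL releases where the RSA structure is public. Since every one of these lines is being rewritten anyway, consider a follow-up that goes through RSA_get0_key, RSA_get0_factors and RSA_get0_crt_params where they are available, so this block does not need a second pass.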

Errors building on Mac OSX 10.12.1 [ #119018]

Migrated from (status was 'open')


From [email protected] on 2016-11-28 19:06:34:

Trying to cpanm install on Mac OSX 10.12.1 to 5.24.0 (using plenv). Here's
the build log:
cpanm (App::cpanminus) 1.7042 on perl 5.024000 built for darwin-2level
Work directory is /Users/squinlan/.cpanm/work/1480359360.88921
You have make /usr/bin/make
You have LWP 6.15
You have /usr/bin/tar: bsdtar 2.8.3 - libarchive 2.8.3
You have /usr/bin/unzip
Searching Crypt::OpenSSL::RSA on mirror ...
Downloading index file
--> Working on Crypt::OpenSSL::RSA
-> OK
Unpacking Crypt-OpenSSL-RSA-0.28.tar.gz
Entering Crypt-OpenSSL-RSA-0.28
Checking configure dependencies from META.json
Checking if you have ExtUtils::MakeMaker 6.58 ... Yes (7.24)
Configuring Crypt-OpenSSL-RSA-0.28
Running Makefile.PL
Checking if your kit is complete...
Looks good
Generating a Unix-style Makefile
Writing Makefile for Crypt::OpenSSL::RSA
Writing MYMETA.yml and MYMETA.json
-> OK
Checking dependencies from MYMETA.json ...
Checking if you have Test 0 ... Yes (1.28)
Checking if you have ExtUtils::MakeMaker 0 ... Yes (7.24)
Checking if you have Crypt::OpenSSL::Random 0 ... Yes (0.11)
Building and testing Crypt-OpenSSL-RSA-0.28
cp blib/lib/Crypt/OpenSSL/
AutoSplitting blib/lib/Crypt/OpenSSL/
Running Mkbootstrap for RSA ()
chmod 644 ""
-MExtUtils::Command::MM -e 'cp_nonempty' --
blib/arch/auto/Crypt/OpenSSL/RSA/ 644
 RSA.xs > RSA.xsc
mv RSA.xsc RSA.c
cc -c   -I/usr/local/opt/openssl/include -L/usr/local/opt/openssl/lib -O3
-DVERSION=\"0.28\" -DXS_VERSION=\"0.28\"
clang: warning: argument unused during compilation:
rm -f blib/arch/auto/Crypt/OpenSSL/RSA/RSA.bundle
LD_RUN_PATH="/usr/lib" cc  -mmacosx-version-min=10.12 -bundle -undefined
dynamic_lookup -L/usr/local/lib -fstack-protector-strong RSA.o  -o
blib/arch/auto/Crypt/OpenSSL/RSA/RSA.bundle  \
  -lssl -lcrypto   \

chmod 755 blib/arch/auto/Crypt/OpenSSL/RSA/RSA.bundle
Manifying 1 pod document
-MExtUtils::Command::MM -e 'cp_nonempty' --
blib/arch/auto/Crypt/OpenSSL/RSA/ 644
PERL_DL_NONLAZY=1 "/Users/squinlan/.plenv/versions/5.24.0/bin/perl5.24.0"
"-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef
*Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
panic: sv_setpvn called with negative strlen -1152921504606846899 at
t/bignum.t line 66.
t/bignum.t ..
Dubious, test returned 255 (wstat 65280, 0xff00)
Failed 53/64 subtests
perl5.24.0(89280,0x7fffdc69c3c0) malloc: ***
mach_vm_map(size=8070450532247932928) failed (error code=3)
*** error: can't allocate region
*** set a breakpoint in malloc_error_break to debug
Out of memory!
t/format.t ..
Dubious, test returned 1 (wstat 256, 0x100)
Failed 8/10 subtests
panic: sv_setpvn called with negative strlen -2305843009213693061 at
t/rsa.t line 82.
t/rsa.t .....
Dubious, test returned 255 (wstat 65280, 0xff00)
Failed 45/63 subtests

Test Summary Report
t/bignum.t (Wstat: 65280 Tests: 11 Failed: 0)
  Non-zero exit status: 255
  Parse errors: Bad plan.  You planned 64 tests but ran 11.
t/format.t (Wstat: 256 Tests: 2 Failed: 0)
  Non-zero exit status: 1
  Parse errors: Bad plan.  You planned 10 tests but ran 2.
t/rsa.t   (Wstat: 65280 Tests: 18 Failed: 0)
  Non-zero exit status: 255
  Parse errors: Bad plan.  You planned 63 tests but ran 18.
Files=3, Tests=31,  0 wallclock secs ( 0.02 usr  0.01 sys +  0.07 cusr
 0.01 csys =  0.11 CPU)
Result: FAIL
Failed 3/3 test programs. 0/31 subtests failed.
make: *** [test_dynamic] Error 255
-> FAIL Installing Crypt::OpenSSL::RSA failed. See
/Users/squinlan/.cpanm/work/1480359360.88921/build.log for details. Retry
with --force to force install it.

Here's my perl -V:
Summary of my perl5 (revision 5 version 24 subversion 0) configuration:

    osname=darwin, osvers=16.1.0, archname=darwin-2level
    uname='darwin bur-squinlan-m.local 16.1.0 darwin kernel version 16.1.0:
thu oct 13 21:26:57 pdt 2016; root:xnu-3789.21.3~60release_x86_64 x86_64 '
    config_args='-Dprefix=/Users/squinlan/.plenv/versions/5.24.0 -de
-Dusedevel -A'eval:scriptdir=/Users/squinlan/.plenv/versions/5.24.0/bin''
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
    cc='cc', ccflags ='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.12
-fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include',
    cppflags='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.12
-fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion='', gccversion='4.2.1 Compatible Apple LLVM 8.0.0
(clang-800.0.42.1)', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678,
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16,
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t',
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -mmacosx-version-min=10.12 -fstack-protector-strong
/Library/Developer/CommandLineTools/usr/lib /usr/lib
    libs=-lpthread -ldbm -ldl -lm -lutil -lc
    perllibs=-lpthread -ldl -lm -lutil -lc
    libc=, so=dylib, useshrplib=false, libperl=libperl.a
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=bundle, d_dlsymun=undef, ccdlflags=' '
    cccdlflags=' ', lddlflags=' -mmacosx-version-min=10.12 -bundle
-undefined dynamic_lookup -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl):
                        USE_64_BIT_INT USE_LARGE_FILES USE_LOCALE
  Locally applied patches:
Devel::PatchPerl 1.40
  Built under darwin
  Compiled at Nov 28 2016 13:06:51


Please let me know if there is any additional information I can supply.


From [email protected] on 2016-12-02 23:24:58:

On Mon Nov 28 14:06:34 2016, [email protected] wrote:
> Trying to cpanm install on Mac OSX 10.12.1 to 5.24.0 (using plenv).

Do you perhaps have homebrew installed? And OpenSSL installed from homebrew? What version do you get when you do "openssl version"?

OS X comes installed with 0.9.8zh, but it doesn't provide the headers. If you install openssl via homebrew, you get the headers for 1.0.2j. These are incompatible, and though the compiling and linking succeeds, running fails due to integer differences (that's why it tries to allocate 3-4 exabytes of memory, which is kind of difficult to do).

I solved this by downloading the right version of OpenSSL from Then extracting it, running `./config` which populates the `include` directory, and then running `cp -LR include/openssl /usr/local/include`.

From [email protected] on 2016-12-05 17:02:47:

Yes indeed, homebrew for openssl installs. Version is OpenSSL 0.9.8zh 14
Jan 2016

FYI I use the following to get Net::SSLeay etc to install:
export PERL_MM_OPT='CCFLAGS="-I/usr/local/opt/openssl/include

But that didn't seem to be sufficient for Crypt::OpenSSL::RSA?

(interestingly I had to unset that to get DBD::Pg to compile)

I will try your suggestion after I next backup. Thank you!



From [email protected] on 2016-12-14 18:08:33:

Doug, finally got to installing a new perl version and re-building these
modules after installing the matching header per your suggestion appears to
have completely solved the problem. Thanks!


On Mon, Dec 5, 2016 at 12:01 PM, Sean Quinlan <[email protected]>

> Yes indeed, homebrew for openssl installs. Version is OpenSSL 0.9.8zh 14
> Jan 2016
> FYI I use the following to get Net::SSLeay etc to install:
> export PERL_MM_OPT='CCFLAGS="-I/usr/local/opt/openssl/include
> -L/usr/local/opt/openssl/lib"'
> But that didn't seem to be sufficient for Crypt::OpenSSL::RSA?
> (interestingly I had to unset that to get DBD::Pg to compile)
> I will try your suggestion after I next backup. Thank you!
> -Cheers,
> Sean

From [email protected] on 2017-02-24 09:17:40:

I have to remove `-lssl -lcrypto` from Line 22, then it works.


Does not install on Mac OS 12 (Monterey)

With a brew perl 5.34, you can get this:

--> Working on Crypt::OpenSSL::RSA
-> OK
Unpacking Crypt-OpenSSL-RSA-0.31.tar.gz
Copying Crypt-OpenSSL-RSA-0.31.tar.gz to [...]
Entering Crypt-OpenSSL-RSA-0.31
Checking configure dependencies from META.json
Checking if you have Crypt::OpenSSL::Guess 0.11 ... No
Checking if you have ExtUtils::MakeMaker 7.20 ... Yes (7.62)
==> Found dependencies: Crypt::OpenSSL::Guess
Configuring Crypt-OpenSSL-RSA-0.31
Running Makefile.PL
Warning: prerequisite Crypt::OpenSSL::Random 0 not found.
Checking if your kit is complete...
Looks good
WARNING: /opt/homebrew/Cellar/perl/5.34.0/bin/perl is loading libcrypto in an unsafe way
-> N/A
-> FAIL No MYMETA file is found after configure. Your toolchain is too old?
-> FAIL Configure failed for Crypt-OpenSSL-RSA-0.31. [...]

The issue appears to be trying to load an unversioned libcrypto causes it to now deliberately crash.

Someone at MacPorts has proposed this fix for Net::SSLeay: macports/macports-ports#12704 (based on this ticket ), and if that was correct then an equivalent change could be made in Crypt::OpenSSL::Guess, I think?

Net::SSLeay 'fixed' apparently in radiator-software/p5-net-ssleay#292 (unneeded in Guess, I think, as that uses brew prefix) but radiator-software/p5-net-ssleay#268 (comment) said you also needed to symlink in files, so did it actually fix it? Not sure.

I don't have a Monterey machine myself, this is second hand from someone trying to install something. I'm not sure at present if they had openssl installed via brew or not, and whether that would have resolved this, will try and get them to try it.

Out of memory on openssl 1.1.1w hpux

Just testing the current code on hpux before testing the opensslv3 updates and noticed that after #51 is fixed we have an out of memory issue.

It appears that the call to BIO_get_mem_ptr results in an invalid length in bptr->length or maybe the data there is just incorrect.

The following fixes the issue but I am awaiting some feedback from the openssl people to see if there is any reason not to make this the default...

diff --git a/RSA.xs b/RSA.xs
index 5f5cfae..b6c0509 100644
--- a/RSA.xs
+++ b/RSA.xs
@@ -165,11 +165,13 @@ SV* cor_bn2sv(const BIGNUM* p_bn)

 SV* extractBioString(BIO* p_stringBio)
     SV* sv;
-    BUF_MEM* bptr;
+    char *datap;
+    long datasize = 0;
     CHECK_OPEN_SSL(BIO_flush(p_stringBio) == 1);
-    BIO_get_mem_ptr(p_stringBio, &bptr);
-    sv = newSVpv(bptr->data, bptr->length);
+    datasize = BIO_get_mem_data(p_stringBio, &datap);
+    sv = newSVpv(datap, datasize);
     CHECK_OPEN_SSL(BIO_set_close(p_stringBio, BIO_CLOSE) == 1);
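
Review bot: in extractBioString, `datap` is declared without an initializer and the return value of `BIO_get_mem_data` goes into `newSVpv` unchecked. If the call yields 0, `newSVpv(datap, datasize)` falls back to strlen() on whatever `datap` holds, and a negative value is converted to a very large length. Initialise the pointer (`char *datap = NULL;`), guard the call with something like `CHECK_OPEN_SSL(datasize > 0)`, and use `newSVpvn` so a zero length is never reinterpreted.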

Missing dependency Crypt::OpenSSL::Guess

Crypt::OpenSSL::Guess has probably to be specified in configure_requires:

Output from '/usr/perl5.26.0p/bin/perl5.26.0 Makefile.PL':

Can't locate Crypt/OpenSSL/ in @INC (you may need to install the Crypt::OpenSSL::Guess module) (@INC contains: /var/tmp/cpansmoker-1023/2018041415/CPAN-Reporter-lib-lhtS /usr/perl5.26.0p/lib/site_perl/5.26.0/amd64-freebsd /usr/perl5.26.0p/lib/site_perl/5.26.0 /usr/perl5.26.0p/lib/5.26.0/amd64-freebsd /usr/perl5.26.0p/lib/5.26.0 .) at Makefile.PL line 6.
BEGIN failed--compilation aborted at Makefile.PL line 6.

RSA.xs:218: OpenSSL error: sslv3 rollback attack

Code that has worked for years is now getting an error when decrypting a string. Is there something new that I need to do to support the latest openssl?

$rsa = Crypt::OpenSSL::RSA->new_private_key($privkeytext);
$clrText = $rsa->decrypt($encString);

The private key is id_rsa.pem format
Text encrypted using a public key in format

Unrecognized key format

I am trying to use the following pem key but I get the error message: unrecognized key format. I believe the key is valid. Please tell me how to load it into Crypt::OpenSSL::RSA ? Thanks!

use warnings FATAL => qw(all);
use strict;
use Crypt::OpenSSL::RSA;

my $pub = Crypt::OpenSSL::RSA->new_public_key(&pub);                # unrecognized key format.

sub pub{<<END}

0.30 breaks other CPAN modules

I already opened an issue for a new failure of Authen-NZRealMe (catalyst/Authen-NZRealMe#5) and now stumbled over the next failure: RIZEN/AWS-SNS-Verify-0.0102.tar.gz fails, according to statistical analysis also because of Crypt::OpenSSL::RSA 0.30.

Crypt-OpenSSL-RSA will not compile with OpenSSL 3.0.0 due to deprecated code

In OpenSSL 3.0.0's file, there is this entry:

Removed RSA padding mode for SSLv23 (which was only used for SSLv2). This includes the functions RSA_padding_check_SSLv23() and RSA_padding_add_SSLv23() and the -ssl option in the deprecated rsautl command.

RSA.xs fails to compile due to the removal of the definition of RSA_SSLV23_PADDING as a part of this change.

verify() doesn't clear underlying OpenSSL errors on failure

Consider the following perl program

use Crypt::OpenSSL::X509;
use Crypt::OpenSSL::RSA;
use Net::SSLeay;

my $cert = Crypt::OpenSSL::RSA->new_public_key(Crypt::OpenSSL::X509->new_from_string(<<"EOF")->pubkey());

warn 'ERR: '.Net::SSLeay::ERR_get_error()."\n";
unless ($cert->verify('payload', 'abc')) {
    warn "failed\n";
}
warn 'ERR: '.Net::SSLeay::ERR_get_error()."\n";

After the failed verify() call, the internal OpenSSL error stack is left non-empty with errors in it. That's a problem for the end user, since that stack is global and isn't cleared by OpenSSL itself. So if someone peeks into it after the next openssl call, they'll find errors in it, but will assume that they're from their call, while in fact they're from verify().

In RSA.xs there's the following block

        case 0:

which should presumably handle this situation, but CHECK_OPEN_SSL macro unwraps into

#define CHECK_OPEN_SSL(p_result) if (!(p_result)) croakSsl(__FILE__, __LINE__);

void croakSsl(char* p_file, int p_line)
{
    const char* errorReason;
    /* Just return the top error on the stack */
    errorReason = ERR_reason_error_string(ERR_get_error());
    ERR_clear_error();
    croak("%s:%d: OpenSSL error: %s", p_file, p_line, errorReason);
}

but ERR_peek_error() returns a positive error code, which makes (!p_result) condition to fail, in turn making croakSelf() and thus ERR_clear_error() to not get called.

I propose two possible solutions for this:

  • change CHECK_OPEN_SSL invocation to CHECK_OPEN_SSL(ERR_peek_error() == 0), making verify() croak on errors instead of returning false
  • remove CHECK_OPEN_SSL invocation (as it's effectively a no-op here) and call ERR_clear_error() unconditionally instead, retaining return value of verify()
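
A caller-side workaround for the behaviour reported above, added here as an example and not part of the original report or of the module: wrap verify() so that stale and newly queued OpenSSL errors are drained around the call. The helper names are hypothetical, the key and message are constructed, and it assumes Crypt::OpenSSL::RSA and Net::SSLeay are linked against the same libcrypto and therefore share one error queue, as in the report.

```perl
use strict;
use warnings;
use Crypt::OpenSSL::RSA;
use Net::SSLeay;

Net::SSLeay::load_error_strings();

# Pop every entry off OpenSSL's error queue and return them as text.
sub drain_openssl_errors {
    my @errors;
    while (my $code = Net::SSLeay::ERR_get_error()) {
        push @errors, Net::SSLeay::ERR_error_string($code);
    }
    return @errors;
}

# verify() that never croaks and never leaves queue entries behind.
# Returns (ok, \@errors): ok is 1 or 0, @errors is whatever the call
# raised or left on the queue.
sub verify_clean {
    my ($rsa, $message, $signature) = @_;
    drain_openssl_errors();    # discard stale entries from earlier calls
    my $ok    = eval { $rsa->verify($message, $signature) } ? 1 : 0;
    my $croak = $@;
    my @errors;
    if ($croak) {
        chomp $croak;
        push @errors, "croak: $croak";
    }
    push @errors, drain_openssl_errors();
    return ($ok, \@errors);
}

# --- constructed demo: one valid signature, one bogus one ---
my $key = Crypt::OpenSSL::RSA->generate_key(2048);
$key->use_sha256_hash();
my $message = 'payload';
my $valid   = $key->sign($message);

for my $case (['valid signature', $valid], ['bogus signature', 'abc']) {
    my ($label, $signature) = @$case;
    my ($ok, $errors) = verify_clean($key, $message, $signature);
    printf "%-16s ok=%d, errors absorbed=%d\n", $label, $ok, scalar @$errors;
    print "    $_\n" for @$errors;

    # The next OpenSSL consumer in this process now starts from an empty queue.
    my $leftover = Net::SSLeay::ERR_get_error();
    print "    queue after call: ", ($leftover ? "NOT empty" : "empty"), "\n";
}
```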

Whirlpool is missing the header

Noticed that the whirlpool was missing the header file. Not sure if that is intentional as it effectively disables the digest. Enabling it also changes the number of tests.

I will send a PR shortly and enable whirlpool on openssl < 3.0. There seems to be some issues with whirlpool support on OpenSSL 3.0+ for signing which I will look at.

Crypt-OpenSSL-RSA vulnerable to the Marvin Attack

I've tried contacting the maintainer directly over the email twice, but received no reply for two weeks now, as such, I'm filing a public issue.

I've tested the rsa->decrypt() API with PKCS#1v1.5 padding and have verified that it is vulnerable to the Marvin Attack.

There is a clear side-channel that depends on the correctness of the PKCS#1 v1.5 padding.

When executing the attached reproducer with current OpenSSL 3.0 branch (openssl-3.0.13), on an i9-12900KS with extensive tuning, analysing 100 thousand decryptions per sample I got the following result:

Sign test mean p-value: 0.2109, median p-value: 0.02162, min p-value: 0.0
Friedman test (chisquare approximation) for all samples
p-value: 0.0
Worst pair: 1(no_header_with_payload_48), 6(valid_48)
Mean of differences: -5.95866e-07s, 95% CI: -8.33062e-07s, -3.422477e-07s (±2.454e-07s)
Median of differences: -3.64000e-07s, 95% CI: -3.67000e-07s, -3.610000e-07s (±3.000e-09s)
Trimmed mean (5%) of differences: -3.63660e-07s, 95% CI: -3.66392e-07s, -3.607752e-07s (±2.808e-09s)
Trimmed mean (25%) of differences: -3.63709e-07s, 95% CI: -3.66622e-07s, -3.608409e-07s (±2.890e-09s)
Trimmed mean (45%) of differences: -3.63951e-07s, 95% CI: -3.67040e-07s, -3.610646e-07s (±2.988e-09s)
Trimean of differences: -3.64000e-07s, 95% CI: -3.66750e-07s, -3.612500e-07s (±2.750e-09s)
Layperson explanation: Definite side-channel detected, implementation is VULNERABLE

The explanation of the ciphertext names is in the marvin-toolkit repo

The issue is most likely caused by the interface raising an exception here:


Lines 221 to 231 in 01fe9b7

to_length = p_crypt(
    from_length, from, (unsigned char*) to, p_rsa->rsa, p_rsa->padding);
if (to_length < 0)
{
    Safefree(to);
    CHECK_OPEN_SSL(0);  /* croaks: the exception raised on a failed decrypt */
}
sv = newSVpv(to, to_length);
return sv;

Detailed results (explanation how to interpret them):


Correct openssl version may not be found

After successful compiling on hpux the tests fail as follows:

t/format.t .................. /usr/lib/hpux64/ Unsatisfied code symbol 'RSA_set0_crt_params' in load module '/data/perl/usr/timlegge/Crypt-OpenSSL-RSA/blib/arch/auto/Crypt/OpenSSL/RSA/'.
/usr/lib/hpux64/ Unsatisfied code symbol 'RSA_get0_crt_params' in load module '/data/perl/usr/timlegge/Crypt-OpenSSL-RSA/blib/arch/auto/Crypt/OpenSSL/RSA/'.
/usr/lib/hpux64/ Unsatisfied code symbol 'RSA_get0_key' in load module '/data/perl/usr/timlegge/Crypt-OpenSSL-RSA/blib/arch/auto/Crypt/OpenSSL/RSA/'.
/usr/lib/hpux64/ Unsatisfied code symbol 'RSA_set0_key' in load module '/data/perl/usr/timlegge/Crypt-OpenSSL-RSA/blib/arch/auto/Crypt/OpenSSL/RSA/'.
/usr/lib/hpux64/ Unsatisfied code symbol 'RSA_get0_factors' in load module '/data/perl/usr/timlegge/Crypt-OpenSSL-RSA/blib/arch/auto/Crypt/OpenSSL/RSA/'.
/usr/lib/hpux64/ Unsatisfied code symbol 'RSA_set0_factors' in load module '/data/perl/usr/timlegge/Crypt-OpenSSL-RSA/blib/arch/auto/Crypt/OpenSSL/RSA/'.
Can't load '/data/perl/usr/timlegge/Crypt-OpenSSL-RSA/blib/arch/auto/Crypt/OpenSSL/RSA/' for module Crypt::OpenSSL::RSA: Unresolved external at /pro/lib/perl5/5.26.2/IA64.ARCHREV_0-thread-multi-LP64-ld/ line 194.
 at t/format.t line 4.

I will send a PR to add the 'LDDLFLAGS' => openssl_lib_paths() . ' ' . $Config{lddlflags}, to the Makefile.PL

Load encrypted private keys by taking $password as an arg [ #47447]

Migrated from (status was 'open')



From @hachi on 2009-06-29 22:37:22:

I'd like to be able to load encrypted private keys using this module. I've implemented at least one way to do this, and the patch is attached. Is it possible for this to get into the released module?

From [email protected] on 2009-11-01 18:23:24:

This looks like a go start, but it seems incomplete. If the module can
read encrypted passwords, it should also be able to write them; this
would also allow for adding unit test coverage of your new methods to
t/rsa.t. Finally, it would be good to add perldoc to

- Ian

From [email protected] on 2011-04-13 22:21:25:

I just uploaded to CPAN a new Crypt::OpenSSL::Common module.

Among other things, it properly initializes the openssl libraries, that
results in that Crypt::OpenSSL::RSA can now load encrypted private keys
without any code modifications using openssl's default prompting.

Please give it a try, and report to me any success/failures.



From [email protected] on 2015-01-19 06:13:15:

Not relevant to this module.

From [email protected] on 2015-01-19 17:19:02:

Most recent comment in the ticket implies we uploaded a fix in 2011 with no reply.

From [email protected] on 2016-01-02 19:23:02:

On Mon Jan 19 12:19:02 2015, TODDR wrote:

Most recent comment in the ticket implies we uploaded a fix in 2011
with no reply.

I'm not the original reporter, but I thought I'd reopen this bug rather than file a new one.

I agree that it would be useful to be able to read and write encrypted keys.

I disagree with the "implied fix" because the description of Crypt::OpenSSL::Common says:

"For example, the Crypt::OpenSSL::RSA's new_private_key class method now can handle encrypted private keys in the same way the C API does, ie. **prompting the user** for the pass phrase used to protect the private key"

Crypt::OpenSSL::RSA is useful in CGI scripts and other places where prompting is not possible. Well, I suppose one could redirect stdin & ignore the prompts -- but at that point, one might as well run an "openssl rsa" command in a subprocess.

A solution to the problem would be of the form:

new_private_key( $pem, [$password] ) and
get_private_key_string( $encryption_method, $password ) (e.g. DES-EDE3-CBC, or perhaps a friendly alias...)

Obviously, undef or omitted arguments should produce unencrypted keys as currently.
(Supplying an un-needed password when reading can be ignored.)

An encrypted private key file looks like:

Proc-Type: 4,ENCRYPTED


I'm not an XS coder, but here are some pointers that ought to be useful: describe the password callback routines.

Crypt::OpenSSL::CA contains Crypt::OpenSSL::CA::PrivateKey, which knows how to read an encrypted PEM key. Unfortunately, it doesn't provide a means to export the key (encrypted or decrypted).

Thanks for your (re-)consideration.
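
The comment above notes that prompting is not possible in CGI scripts and similar contexts. As an added example (not part of Crypt::OpenSSL::RSA or of the attached patch), the following core-Perl check classifies a PEM private key as encrypted before it reaches a loader that might prompt. The function names `pem_encryption_info` and `assert_loadable_without_prompt` are hypothetical; besides the `Proc-Type: 4,ENCRYPTED` header shown in the comment, it assumes OpenSSL's `DEK-Info` header and the PKCS#8 `ENCRYPTED PRIVATE KEY` label.

```perl
use strict;
use warnings;

# Returns nothing for an unencrypted key, or a hashref describing the encryption.
sub pem_encryption_info {
    my ($pem) = @_;

    # PKCS#8 encrypted keys say so in the BEGIN line itself.
    return +{ format => 'pkcs8', cipher => undef }
        if $pem =~ /^-----BEGIN ENCRYPTED PRIVATE KEY-----\s*$/m;

    # Traditional format: "Name: value" header lines directly after BEGIN.
    my ($headers) = $pem =~
        /^-----BEGIN [A-Z ]*PRIVATE KEY-----\r?\n((?:[\w-]+:[^\n]*\n)+)/m;
    return unless defined $headers
        && $headers =~ /^Proc-Type:\s*4\s*,\s*ENCRYPTED\s*$/m;

    my ($cipher) = $headers =~ /^DEK-Info:\s*([\w-]+)\s*,/m;
    return +{ format => 'traditional', cipher => $cipher };
}

# Hypothetical guard for callers that cannot answer a passphrase prompt.
sub assert_loadable_without_prompt {
    my ($pem) = @_;
    my $info = pem_encryption_info($pem) or return 1;
    my $what = $info->{format}
        . (defined $info->{cipher} ? ", $info->{cipher}" : '');
    die "encrypted private key ($what): refusing to load without a passphrase\n";
}

# Constructed samples: the bodies are placeholders, not key material.
my $body = "Q09OU1RSVUNURUQ=\n";
my %samples = (
    plain       => "-----BEGIN RSA PRIVATE KEY-----\n${body}-----END RSA PRIVATE KEY-----\n",
    traditional => "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        . "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n${body}-----END RSA PRIVATE KEY-----\n",
    pkcs8       => "-----BEGIN ENCRYPTED PRIVATE KEY-----\n${body}-----END ENCRYPTED PRIVATE KEY-----\n",
);

for my $name (sort keys %samples) {
    my $ok = eval { assert_loadable_without_prompt($samples{$name}) };
    print "$name: ", ($ok ? "safe to load\n" : "rejected: $@");
}
```

Failing early this way keeps a non-interactive process from blocking on a passphrase prompt when it is handed an encrypted key.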

Private key disappears from the object on leaving scope

I'm hoping this is a bug in Crypt::OpenSSL::RSA and not Crypt::OpenSSL::PKCS10 because the latter isn't maintained any more.

Consider this trivial script:

#!/usr/bin/env perl

use strict;
use warnings;
use feature 'say';

use Crypt::OpenSSL::RSA;
use Crypt::OpenSSL::PKCS10;

sub generate_rsa {
    my $rsa = Crypt::OpenSSL::RSA->generate_key(2048);
    say "Private key immediately after generating: ",
        $rsa->get_private_key_string;

    # Generate a CSR object, and store the resulting CSR string.
    my $csr = Crypt::OpenSSL::PKCS10->new_from_rsa($rsa);
    say "Private key before returning: ", $rsa->get_private_key_string;
    return $rsa;
}

my $rsa = generate_rsa();
say "Private key having returned: ", $rsa->get_private_key_string;

If I run it on perl 5.22.3, Crypt::OpenSSL::RSA 0.31, Crypt::OpenSSL::PKCS10 0.16, I get:

Private key immediately after generating: -----BEGIN RSA PRIVATE KEY-----

Private key before returning: -----BEGIN RSA PRIVATE KEY-----

Private key having returned: -----BEGIN RSA PRIVATE KEY-----

Something is happening to the guts of the Crypt::OpenSSL::RSA object as a side-effect of Crypt::OpenSSL::PKCS10 having done... something to it. Crypt::OpenSSL::RSA is XS so that's as far as I could get.

Fails to Compile on OS/X [ #122552]

Migrated from (status was 'new')


From [email protected] on 2017-07-20 17:28:22:

cc -c   -fno-common -DPERL_DARWIN -O2 -W -Wformat=2 -Wswitch -Wshadow -Wwrite-strings -Wuninitialized -Wall -pipe -mtune=native -march=native -fomit-frame-pointer -msse2 -msse -mmmx -D_FORTIFY_SOURCE=2 -I/usr/local/include -O3   -DVERSION=\"0.28\" -DXS_VERSION=\"0.28\"  "-I/Users/hornenj/perl5/perlbrew/perls/perl-5.26.0/lib/5.26.0/darwin-thread-multi-2level/CORE" -DPERL5 -DOPENSSL_NO_KRB5 RSA.c
RSA.xs:52:22: error: incomplete definition of type 'struct rsa_st'
    return(p_rsa->rsa->d != NULL);
/usr/include/openssl/include/openssl/ossl_typ.h:110:16: note: forward
      declaration of 'struct rsa_st'
typedef struct rsa_st RSA;

Smoker failure due to URI::cpan

URI::cpan needs Perl >= 5.12

we are trying to use it, need to determine if it's for unit tests or not

Crypt::OpenSSL::Guess is up to date. (0.15)
--> Working on Test::Kwalitee
Fetching ... OK
Configuring Test-Kwalitee-1.28 ... OK
==> Found dependencies: Module::CPANTS::Analyse
--> Working on Module::CPANTS::Analyse
Fetching ... OK
Configuring Module-CPANTS-Analyse-1.01 ... OK
==> Found dependencies: Perl::PrereqScanner::NotQuiteLite
--> Working on Perl::PrereqScanner::NotQuiteLite
Fetching ... OK
Configuring Perl-PrereqScanner-NotQuiteLite-0.9914 ... OK
==> Found dependencies: URI::cpan
--> Working on URI::cpan
Fetching ... OK
! Configure failed for URI-cpan-1.008. See /github/home/.cpanm/work/1646941824.5444/build.log for details.
! Installing the dependencies failed: Module 'URI::cpan' is not installed
! Bailing out the installation for Perl-PrereqScanner-NotQuiteLite-0.9914.
! Installing the dependencies failed: Module 'Perl::PrereqScanner::NotQuiteLite' is not installed
! Bailing out the installation for Module-CPANTS-Analyse-1.01.
! Installing the dependencies failed: Module 'Module::CPANTS::Analyse' is not installed
! Bailing out the installation for Test-Kwalitee-1.28.
Configuring URI-cpan-1.008 ... N/A
Test::CPAN::Meta is up to date. (0.25)
Perl::MinimumVersion is up to date. (1.40)
Test::Pod::Coverage is up to date. (1.10)
Test::Pod is up to date. (1.52)
Test::MinimumVersion is up to date. (0.101082)
Crypt::OpenSSL::Bignum is up to date. (0.09)
Error: Process completed with exit code 1.
