Security Advisories (2)
CVE-2020-17478 (2020-08-10)

ECDSA/EC/Point.pm in Crypt::Perl before 0.33 does not properly consider timing attacks against the EC point multiplication algorithm.

CVE-2020-13895 (2020-06-07)

Crypt::Perl::ECDSA in the Crypt::Perl (aka p5-Crypt-Perl) module before 0.32 for Perl fails to verify correct ECDSA signatures when r and s are small and when s = 1. This happens when using the curve secp256r1 (prime256v1). This could conceivably have a security-relevant impact if an attacker wishes to use public r and s values when guessing whether signature verification will fail.

NAME

Crypt::Perl::ECDSA::PublicKey - object representation of ECDSA public key

SYNOPSIS

#Use Parse.pm or a private key’s get_public_key()
#rather than instantiating this class directly.

#This works even if the object came from a key file that doesn’t
#contain the curve name.
$pbkey->get_curve_name();

if (length($payload) > ($pbkey->max_sign_bits() / 8)) {
    die "Payload too long!";
}

$pbkey->verify($payload, $sig) or die "Invalid signature!";

#For JSON Web Algorithms (JWT et al.), cf. RFC 7518 page 8
#This verifies against the appropriate SHA digest rather than
#against the original message.
$pbkey->verify_jwa($payload, $sig) or die "Invalid signature!";

#Corresponding “der” methods exist as well.
my $cn_pem = $pbkey->to_pem_with_curve_name();
my $expc_pem = $pbkey->to_pem_with_explicit_curve();

#----------------------------------------------------------------------

#Includes “kty”, “crv”, “x”, and “y”.
#Add in whatever else your application needs afterward.
#
#This will die() if you try to run it with a curve that
#doesn’t have a known JWK “crv” value.
#
my $pub_jwk = $pbkey->get_struct_for_public_jwk();

#Useful for JWTs
my $jwt_alg = $pbkey->get_jwa_alg();

DISCUSSION

The SYNOPSIS above should be illustration enough of how to use this class.