Security Advisories (2)
CVE-2020-17478 (2020-08-10)

ECDSA/EC/Point.pm in Crypt::Perl before 0.33 does not properly consider timing attacks against the EC point multiplication algorithm.

CVE-2020-13895 (2020-06-07)

Crypt::Perl::ECDSA in the Crypt::Perl (aka p5-Crypt-Perl) module before 0.32 for Perl fails to verify correct ECDSA signatures when r and s are small and when s = 1. This happens when using the curve secp256r1 (prime256v1). This could conceivably have a security-relevant impact if an attacker wishes to use public r and s values when guessing whether signature verification will fail.

NAME

Crypt::Perl::PKCS10 - Certificate Signing Request (CSR) creation

SYNOPSIS

    use Crypt::Perl::PKCS10 ();

    # $key_obj is an RSA or ECDSA private key object; see "key" under new() below.
    my $pkcs10 = Crypt::Perl::PKCS10->new(

        key => $key_obj,

        subject => [
            commonName => 'foo.com',
            localityName => 'somewhere',
            #...
        ],
        attributes => [
            [ 'extensionRequest',
                [ 'subjectAltName',
                    dNSName => 'foo.com',
                    dNSName => 'bar.com',
                ],
            ],
        ],
    );

    my $der = $pkcs10->to_der();
    my $pem = $pkcs10->to_pem();

DESCRIPTION

This module is for creation of (PKCS #10) certificate signing requests (CSRs). Right now it supports only a subset of what OpenSSL can create; however, it’s useful enough for use with many certificate authorities, including ACME services like Let’s Encrypt.

It’s also a good deal easier to use!

I believe this is the only CPAN module that can create CSRs for either RSA or ECDSA keys. Other encryption schemes would not be difficult to integrate—but do any CAs accept them?

ECDSA KEY FORMAT

As of version 0.13, this module produces CSRs with explicit ECDSA curve parameters rather than merely indicating the curve parameters by the name of the curve. This makes the resulting CSR bigger, but it also prevents compatibility issues with ECDSA implementations (e.g., old OpenSSL versions) that don’t know about newer curves.

If you need to produce CSRs with a named curve, let me know.
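
To check which form a given CSR carries, the following added example (not part of Crypt::Perl) walks the DER far enough to classify the EC parameters field as a named-curve OID or an explicit parameter SEQUENCE. It uses core Perl only; the helper names and the constructed sample bytes are assumptions made for illustration.

```perl
use strict; use warnings;
my $EC_PUBKEY = "\x2a\x86\x48\xce\x3d\x02\x01";    # OID 1.2.840.10045.2.1, id-ecPublicKey

# Split a constructed DER node ([tag, content]) into its child [tag, content] nodes.
sub children {
    my ($node) = @_;
    die "malformed CSR\n" unless $node && ($node->[0] & 0x20);
    my ($der, $pos, @out) = ($node->[1], 0);
    while ($pos < length($der)) {
        die "truncated DER\n" if $pos + 2 > length($der);
        my ($tag, $len) = unpack('CC', substr($der, $pos, 2));
        $pos += 2;
        if ($len & 0x80) {    # long form: the low 7 bits count the length octets
            my $n = $len & 0x7f;
            die "unsupported DER length\n" if $n < 1 || $n > 4 || $pos + $n > length($der);
            ($len, $pos) = (unpack('N', ("\0" x (4 - $n)) . substr($der, $pos, $n)), $pos + $n);
        }
        die "truncated DER\n" if $pos + $len > length($der);
        push @out, [$tag, substr($der, $pos, $len)];
        $pos += $len;
    }
    return @out;
}

# Classify a DER CSR's EC parameters: 'named', 'explicit', 'implicit' or 'not-ec'.
sub ec_params_kind {
    my ($csr)  = children([0x30, $_[0]]);         # outer CertificationRequest
    my ($info) = children($csr);                  # CertificationRequestInfo
    my (undef, undef, $spki) = children($info);   # version, subject, subjectPKInfo
    my ($alg)  = children($spki);                 # AlgorithmIdentifier
    my ($oid, $params) = children($alg);
    die "malformed CSR\n" unless $oid && $oid->[0] == 0x06;
    return 'not-ec' unless $oid->[1] eq $EC_PUBKEY;
    my %kind = (0x06 => 'named', 0x30 => 'explicit', 0x05 => 'implicit');
    return $kind{ $params ? $params->[0] : -1 } // die "unexpected EC parameters\n";
}

# Constructed CSR-shaped skeletons (not valid requests): prime256v1 OID, then a stub SEQUENCE.
sub tlv { my ($tag, $body) = @_; return chr($tag) . chr(length($body)) . $body }
sub skeleton {
    my $spki = tlv(0x30, tlv(0x30, tlv(0x06, $EC_PUBKEY) . $_[0]) . tlv(0x03, "\x00\x04"));
    my $info = tlv(0x30, tlv(0x02, "\x00") . tlv(0x30, '') . $spki . tlv(0xa0, ''));
    return tlv(0x30, $info . tlv(0x30, '') . tlv(0x03, "\x00"));
}
print ec_params_kind(skeleton($_)), "\n"
    for tlv(0x06, "\x2a\x86\x48\xce\x3d\x03\x01\x07"), tlv(0x30, tlv(0x02, "\x01"));
```

Pass the output of `$pkcs10->to_der()` to `ec_params_kind()` to see which encoding a CSR built with an ECDSA key uses before submitting it to a CA.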

SIGNATURE DIGEST ALGORITHMS

The signature digest algorithm is determined by the passed-in key: for RSA it’s always SHA-512, and for ECDSA it’s the strongest SHA digest algorithm that the key allows (e.g., SHA-224 for a 239-bit key).

If you need additional flexibility, let me know.

CLASS METHODS

new( NAME => VALUE, ... );

Create an instance of this class. Parameters are:

key: An instance of either Crypt::Perl::RSA::PrivateKey or Crypt::Perl::ECDSA::PrivateKey. If you’ve got a DER- or PEM-encoded key string, use Crypt::Perl::PK (included in this distribution) to create an appropriate object.
subject: An array reference of arguments into Crypt::Perl::X509::Name’s constructor.
attributes: An array reference of arguments into Crypt::Perl::PKCS10::Attributes’s constructor.

TODO

Let me know what features you would find useful, ideally with a representative sample CSR that demonstrates the requested feature. (Or, better yet, send me a pull request!)

SEE ALSO