Merge pull request #240 from timlegge/rsa

Migrate from Crypt::OpenSSL::RSA to Crypt::PK::RSA

Author: timlegge

LICENSE

@@ -22,7 +22,7 @@ This is free software, licensed under:
                      Version 1, February 1989
 
  Copyright (C) 1989 Free Software Foundation, Inc.
- 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+                    <https://fsf.org/>
 
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
@@ -236,8 +236,7 @@ the exclusion of warranty; and each file should have at least the
     GNU General Public License for more details.
 
     You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston MA  02110-1301 USA
+    along with this program; if not, see <https://www.gnu.org/licenses/>.
 
 
 Also add information on how to contact you by electronic and paper mail.
@@ -264,8 +263,8 @@ necessary.  Here a sample; alter the names:
   program `Gnomovision' (a program to direct compilers to make passes
   at assemblers) written by James Hacker.
 
-  <signature of Ty Coon>, 1 April 1989
-  Ty Coon, President of Vice
+  <signature of Moe Ghoul>, 1 April 1989
+  Moe Ghoul, President of Vice
 
 That's all there is to it!
 

Makefile.PL

@@ -17,11 +17,10 @@ my %WriteMakefileArgs = (
   "NAME" => "Net::SAML2",
   "PREREQ_PM" => {
     "Carp" => 0,
-    "Crypt::OpenSSL::Bignum" => 0,
-    "Crypt::OpenSSL::RSA" => 0,
     "Crypt::OpenSSL::Random" => 0,
     "Crypt::OpenSSL::Verify" => 0,
     "Crypt::OpenSSL::X509" => 0,
+    "Crypt::PK::RSA" => 0,
     "DateTime" => 0,
     "DateTime::Format::XSD" => 0,
     "DateTime::HiRes" => 0,
@@ -53,7 +52,7 @@ my %WriteMakefileArgs = (
     "XML::Generator" => "1.13",
     "XML::LibXML" => 0,
     "XML::LibXML::XPathContext" => 0,
-    "XML::Sig" => "0.66",
+    "XML::Sig" => "0.67",
     "namespace::autoclean" => 0
   },
   "TEST_REQUIRES" => {
@@ -71,7 +70,7 @@ my %WriteMakefileArgs = (
     "Test::Pod" => "1.14",
     "Test::Pod::Coverage" => "1.04"
   },
-  "VERSION" => "0.82",
+  "VERSION" => "0.83",
   "test" => {
     "TESTS" => "t/*.t t/author/*.t"
   }
@@ -80,11 +79,10 @@ my %WriteMakefileArgs = (
 
 my %FallbackPrereqs = (
   "Carp" => 0,
-  "Crypt::OpenSSL::Bignum" => 0,
-  "Crypt::OpenSSL::RSA" => 0,
   "Crypt::OpenSSL::Random" => 0,
   "Crypt::OpenSSL::Verify" => 0,
   "Crypt::OpenSSL::X509" => 0,
+  "Crypt::PK::RSA" => 0,
   "DateTime" => 0,
   "DateTime::Format::XSD" => 0,
   "DateTime::HiRes" => 0,
@@ -129,7 +127,7 @@ my %FallbackPrereqs = (
   "XML::Generator" => "1.13",
   "XML::LibXML" => 0,
   "XML::LibXML::XPathContext" => 0,
-  "XML::Sig" => "0.66",
+  "XML::Sig" => "0.67",
   "namespace::autoclean" => 0
 );
 

README

@@ -2,7 +2,7 @@ NAME
     Net::SAML2 - SAML2 bindings and protocol implementation
 
 VERSION
-    version 0.82
+    version 0.83
 
 SYNOPSIS
       See TUTORIAL.md for implementation documentation and
@@ -72,12 +72,12 @@ SYNOPSIS
 DESCRIPTION
     Support for the Web Browser SSO profile of SAML2.
 
-    Net::SAML2 correctly perform the SSO process against numerous SAML
-    Identity Providers (IdPs). It has been tested against:
-
     Version 0.54 and newer support EncryptedAssertions. No changes required
     to existing SP applications if EncryptedAssertions are not in use.
 
+    Net::SAML2 correctly perform the SSO process against numerous SAML
+    Identity Providers (IdPs). It has been tested against:
+
     Auth0 (requires Net::SAML2 >=0.39)
     Azure (Microsoft Office 365)
     GSuite (Google)

cpanfile

@@ -1,11 +1,10 @@
 # Do not edit this file directly. To change prereqs, edit the `dist.ini` file.
 
 requires "Carp" => "0";
-requires "Crypt::OpenSSL::Bignum" => "0";
-requires "Crypt::OpenSSL::RSA" => "0";
 requires "Crypt::OpenSSL::Random" => "0";
 requires "Crypt::OpenSSL::Verify" => "0";
 requires "Crypt::OpenSSL::X509" => "0";
+requires "Crypt::PK::RSA" => "0";
 requires "DateTime" => "0";
 requires "DateTime::Format::XSD" => "0";
 requires "DateTime::HiRes" => "0";
@@ -37,7 +36,7 @@ requires "XML::Enc" => "0.13";
 requires "XML::Generator" => "1.13";
 requires "XML::LibXML" => "0";
 requires "XML::LibXML::XPathContext" => "0";
-requires "XML::Sig" => "0.66";
+requires "XML::Sig" => "0.67";
 requires "namespace::autoclean" => "0";
 requires "perl" => "5.014";
 

dist.ini

@@ -57,9 +57,7 @@ skip = feature
 [Prereqs / RuntimeRequires]
 perl = 5.014
 XML::Enc = 0.13
-XML::Sig = 0.66
-; Here because it isn't provided by Crypt::OpenSSL::RSA
-Crypt::OpenSSL::Bignum = 0
+XML::Sig = 0.67
 URN::OASIS::SAML2 = 0.007
 XML::Generator = 1.13
 

lib/Net/SAML2/Binding/Redirect.pm

@@ -4,7 +4,7 @@ use Moose;
 # VERSION
 
 use Carp qw(croak);
-use Crypt::OpenSSL::RSA;
+use Crypt::PK::RSA;
 use Crypt::OpenSSL::X509;
 use File::Slurper qw/ read_text /;
 use IO::Compress::RawDeflate qw/ rawdeflate /;
@@ -197,18 +197,16 @@ sub _sign_redirect_uri {
     my $uri  = shift;
 
     my $key_string = read_text($self->key);
-    my $rsa_priv = Crypt::OpenSSL::RSA->new_private_key($key_string);
-
-    my $method = "use_" . $self->sig_hash . "_hash";
-    $rsa_priv->$method;
+    my $pk = Crypt::PK::RSA->new();
+    my $rsa_priv = $pk->import_key(\$key_string);
 
     $uri->query_param('SigAlg',
         $self->sig_hash eq 'sha1'
         ? 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
         : 'http://www.w3.org/2001/04/xmldsig-more#rsa-' . $self->sig_hash);
 
     my $to_sign = $uri->query;
-    my $sig = encode_base64($rsa_priv->sign($to_sign), '');
+    my $sig = encode_base64($rsa_priv->sign_message($to_sign, uc($self->sig_hash), 'v1.5'), '');
     $uri->query_param('Signature', $sig);
     return $uri->as_string;
 }
@@ -289,24 +287,26 @@ sub _verify {
 
     foreach my $crt (@{$self->cert}) {
         my $cert = Crypt::OpenSSL::X509->new_from_string($crt);
-        my $rsa_pub = Crypt::OpenSSL::RSA->new_public_key($cert->pubkey);
+        my $pk = Crypt::PK::RSA->new();
+        my $rsa_pub = $pk->import_key(\$cert->pubkey);
 
+        my $hash_name;
         if ($sigalg eq 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256') {
-            $rsa_pub->use_sha256_hash;
+            $hash_name = 'SHA256';
         } elsif ($sigalg eq 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha224') {
-            $rsa_pub->use_sha224_hash;
+            $hash_name = 'SHA224';
         } elsif ($sigalg eq 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384') {
-            $rsa_pub->use_sha384_hash;
+            $hash_name = 'SHA384';
         } elsif ($sigalg eq 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512') {
-            $rsa_pub->use_sha512_hash;
+            $hash_name = 'SHA512';
         } elsif ($sigalg eq 'http://www.w3.org/2000/09/xmldsig#rsa-sha1') {
-            $rsa_pub->use_sha1_hash;
+            $hash_name = 'SHA1';
         }
         else {
             warn "Unsupported Signature Algorithim: $sigalg, defaulting to sha256" if $self->debug;
         }
 
-        return 1 if $rsa_pub->verify($signed, $sig);
+        return 1 if $rsa_pub->verify_message($sig, $signed, $hash_name, 'v1.5');
 
         warn "Unable to verify with " . $cert->subject if $self->debug;
     }