From 74608b4bb2b0e9669f2ff5b1bf8f316af3ddc4f1 Mon Sep 17 00:00:00 2001
From: Toddr Bot
Date: Thu, 26 Mar 2026 02:34:35 +0000
Subject: [PATCH] fix: validate private key before export in get_private_key_string()
Every other private-key operation (decrypt, sign, private_encrypt, check_key) validates _is_private() first. get_private_key_string() was the only one missing this check, leading to version-dependent behavior: silent garbage PEM on pre-3.x, cryptic OpenSSL error on 3.x. Now croaks with a clear message on all versions.
Co-Authored-By: Claude Opus 4.6
---
 RSA.xs | 4 ++++
 t/format.t | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/RSA.xs b/RSA.xs
index 7e1ddc6..fde7314 100644
--- a/RSA.xs
+++ b/RSA.xs
@@ -472,6 +472,10 @@ get_private_key_string(p_rsa, passphase_SV=&PL_sv_undef, cipher_name_SV=&PL_sv_u
 char* cipher_name;
 const EVP_CIPHER* enc = NULL;
 CODE:
+ if (!_is_private(p_rsa))
+ {
+ croak("Public keys cannot export private key strings");
+ }
 if (SvPOK(cipher_name_SV) && !SvPOK(passphase_SV)) {
 croak("Passphrase is required for cipher");
 }
diff --git a/t/format.t b/t/format.t
index 0f4f516..667c93e 100644
--- a/t/format.t
+++ b/t/format.t
@@ -122,9 +122,9 @@ like($@, qr/Unsupported cipher/, "get_private_key_string croaks on unsupported c
 # --- Error: export private key from public-only key ---
 my $pub_only = Crypt::OpenSSL::RSA->new_public_key($PUBLIC_KEY_PKCS1_STRING);
-# Behavior varies: OpenSSL 3.x may croak, 1.x/LibreSSL returns a PEM
 eval { $pub_only->get_private_key_string() };
-pass("get_private_key_string on public-only key does not crash");
+like($@, qr/Public keys cannot export private key strings/,
+ "get_private_key_string croaks on public-only key");
 # --- Error: wrong passphrase on re-import ---
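Review bot: The new `_is_private()` guard at the top of `CODE:` carries no comment explaining why it must run before the cipher and passphrase checks, and the diffstat shows no documentation change for the now-guaranteed exception. I would put `/* Reject public-only keys first: pre-3.x OpenSSL would otherwise return a PEM with no usable private key instead of failing. */` above the `if`, and mention the croak in the method's POD so callers that relied on the old pre-3.x return value know to wrap the call in `eval`. The added block also places `{` on its own line while the `if (SvPOK(cipher_name_SV) && !SvPOK(passphase_SV)) {` directly below keeps it on the same line; using one brace style within the function would read better. The body of get_private_key_string starts and ends outside the hunk, so the export path itself is not visible here.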
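Review bot: The replacement assertion only exercises the no-argument call, so it does not pin that the public-key check runs before the passphrase and cipher handling in `get_private_key_string()`. I would add a second case, `eval { $pub_only->get_private_key_string('passphrase') };` followed by the same `like($@, qr/Public keys cannot export private key strings/, ...)`, so a later reordering of the checks in the XS code cannot let a public-only key reach the export path when a passphrase is supplied. Since the comment about version-dependent behaviour is removed, a one-line comment such as `# Must croak on every OpenSSL/LibreSSL version, never return a PEM` would keep the intent of the test visible.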