File Coverage

lib/Crypt/Perl/PKCS10.pm

Criterion	Covered	Total	%
statement	74	79	93.6
branch	10	14	71.4
condition	2	6	33.3
subroutine	15	15	100.0
pod	1	2	50.0
total	102	116	87.9

line	stmt	bran	cond	sub	pod	time	code
1							package Crypt::Perl::PKCS10;
2
3	1			1		415	use strict;
	1					2
	1					22
4	1			1		4	use warnings;
	1					2
	1					29
5
6							=encoding utf-8
7
8							=head1 NAME
9
10							Crypt::Perl::PKCS10 - Certificate Signing Request (CSR) creation
11
12							=head1 SYNOPSIS
13
14							my $pkcs10 = Crypt::Perl::PKCS10->new(
15
16							key => $private_key_obj,
17
18							subject => [
19							commonName => 'foo.com',
20							localityName => 'somewhere',
21							#...
22							],
23							attributes => [
24							[ 'extensionRequest',
25							[ 'subjectAltName',
26							[ dNSName => 'foo.com' ],
27							[ dNSName => 'bar.com' ],
28							],
29							],
30							],
31							);
32
33							my $der = $pkcs10->to_der();
34							my $pem = $pkcs10->to_pem();
35
36							=head1 DESCRIPTION
37
38							This module is for creation of (PKCS #10) certificate signing requests (CSRs).
39							Right now it supports only a
40							subset of what L can create; however, it’s
41							useful enough for use with many certificate authorities, including
42							L services like
43							L.
44
45							It’s also a good deal easier to use!
46
47							I believe this is the only L module that
48							can create CSRs for RSA, ECDSA, and Ed25519 keys. Other encryption schemes
49							would not be difficult to integrate—but do any CAs accept them?
50
51							=head1 ECDSA KEY FORMAT
52
53							After a brief flirtation (cf. v0.13) with producing ECDSA-signed CSRs using
54							explicit curve parameters, this module produces CSRs using B curves.
55							Certificate authorities seem to prefer this format—which makes sense since
56							they only allow certain curves in the first place.
57
58							=head1 SIGNATURE DIGEST ALGORITHMS
59
60							The signature digest algorithm is
61							determined based on the passed-in key: for RSA it’s always SHA-512, and for
62							ECDSA it’s the strongest SHA digest algorithm that the key allows
63							(e.g., SHA-224 for a 239-bit key, etc.)
64
65							If you need additional flexibility, let me know.
66
67							(Note that Ed25519 signs an entire document rather than a digest.)
68
69							=head1 CLASS METHODS
70
71							=head2 new( NAME => VALUE, ... );
72
73							Create an instance of this class. Parameters are:
74
75							=over 4
76
77							=item * C - An instance of C,
78							C, or C.
79							If you’ve got a DER- or PEM-encoded key string, use L
80							(included in this distribution) to create an appropriate object.
81
82							=item * C - An array reference of arguments into
83							L’s constructor.
84
85							=item * C - An array reference of arguments into
86							L’s constructor.
87
88							=back
89
90							=head1 TODO
91
92							Let me know what features you would find useful, ideally with
93							a representative sample CSR that demonstrates the requested feature.
94							(Or, better yet, send me a pull request!)
95
96							=head1 SEE ALSO
97
98							=over 4
99
100							=item * L - Parse CSRs, in pure Perl.
101
102							=item * L - Create CSRs using OpenSSL via XS.
103							Currently this only seems to support RSA.
104
105							=back
106
107							=cut
108
109	1			1		4	use Crypt::Perl::ASN1 ();
	1					2
	1					10
110	1			1		329	use Crypt::Perl::ASN1::Signatures ();
	1					2
	1					17
111	1			1		326	use Crypt::Perl::PKCS10::Attributes ();
	1					2
	1					16
112	1			1		5	use Crypt::Perl::PKCS10::Attributes ();
	1					2
	1					10
113	1			1		4	use Crypt::Perl::X509::Name ();
	1					2
	1					10
114	1			1		4	use Crypt::Perl::X ();
	1					1
	1					15
115
116	1			1		3	use parent qw( Crypt::Perl::ASN1::Encodee );
	1					1
	1					4
117
118							*to_der = __PACKAGE__->can('encode');
119
120							sub to_pem {
121	9			9	0	7054	my ($self) = @_;
122
123	9					77	require Crypt::Format;
124	9					117	return Crypt::Format::der2pem( $self->to_der(), 'CERTIFICATE REQUEST' );
125							}
126
127	1			1		116	use constant ASN1 => <
	1					2
	1					50
128							AlgorithmIdentifier ::= SEQUENCE {
129							algorithm OBJECT IDENTIFIER,
130							parameters ANY
131							}
132
133							CertificationRequestInfo ::= SEQUENCE {
134							version INTEGER,
135							subject ANY,
136							subjectPKInfo ANY,
137							attributes ANY OPTIONAL
138							}
139
140							CertificationRequest ::= SEQUENCE {
141							certificationRequestInfo CertificationRequestInfo,
142							signatureAlgorithm AlgorithmIdentifier,
143							signature BIT STRING
144							}
145							END
146
147	1			1		5	use constant asn1_macro => 'CertificationRequest';
	1					2
	1					551
148
149							sub new {
150	9			9	1	517	my ($class, %opts) = @_;
151
152	9					47	my ($key, $attrs, $subject) = @opts{'key', 'attributes', 'subject'};
153
154	9					195	$subject = Crypt::Perl::X509::Name->new( @$subject );
155	9					168	$attrs = Crypt::Perl::PKCS10::Attributes->new( @$attrs );
156
157	9					59	my $self = {
158							_key => $key,
159							_subject => $subject,
160							_attributes => $attrs,
161							};
162
163	9					46	return bless $self, $class;
164							}
165
166							sub _encode_params {
167	9			9		55	my ($self) = @_;
168
169	9					34	my $key = $self->{'_key'};
170
171	9					17	my ($pk_der);
172	9					20	my ($sig_alg, $sig_param, $sig_func);
173
174	9	100				119	if ($key->isa('Crypt::Perl::ECDSA::PrivateKey')) {
		50
		0
175	7					45	require Digest::SHA;
176
177	7					48	my $bits = $key->max_sign_bits();
178
179	7	50				10901	if ($bits < 224) {
		100
		100
		100
180	0					0	die Crypt::Perl::X::create('Generic', "This key is too weak ($bits bits) to make a secure PKCS #10 CSR.");
181							}
182							elsif ($bits < 256) {
183	2					7	$bits = 224;
184							}
185							elsif ($bits < 384) {
186	2					5	$bits = 256;
187							}
188							elsif ($bits < 512) {
189	1					12	$bits = 384;
190							}
191							else {
192	2					25	$bits = 512;
193							}
194
195	7					33	$sig_alg = "ecdsa-with-SHA$bits";
196
197							$sig_func = sub {
198	7			7		30	my ($key, $msg) = @_;
199
200	7					272	return $key->sign( Digest::SHA->can("sha$bits")->($msg) );
201	7					125	};
202
203	7					79	$pk_der = $key->get_public_key()->to_der_with_curve_name();
204							}
205							elsif ($key->isa('Crypt::Perl::RSA::PrivateKey')) {
206	2					13	require Digest::SHA;
207
208	2					11	$sig_alg = 'sha512WithRSAEncryption';
209	2					7	$sig_param = q<>;
210	2					14	$sig_func = $key->can('sign_RS512');
211
212	2					15	$pk_der = $key->to_subject_public_der();
213							}
214							elsif ($key->isa('Crypt::Perl::Ed25519::PrivateKey')) {
215	0					0	$sig_alg = 'ed25519';
216	0					0	$sig_func = $key->can('sign');
217	0					0	$pk_der = $key->get_public_key()->to_der();
218							}
219							else {
220	0					0	die Crypt::Perl::X::create('Generic', "Key ($key) is not a recognized private key class instance!");
221							}
222
223	9		33			3323	$sig_alg = $Crypt::Perl::ASN1::Signatures::OID{$sig_alg} \|\| do {
224							die Crypt::Perl::X::create('Generic', "Unrecognized signature algorithm OID: “$sig_alg”");
225							};
226
227	9					43	my $asn1_reqinfo = Crypt::Perl::ASN1->new()->prepare( $self->ASN1() );
228	9					47	$asn1_reqinfo = $asn1_reqinfo->find('CertificationRequestInfo');
229
230	9					525	my $subj_enc = $self->{'_subject'}->encode();
231
232	9					1143	my $attr_enc = $self->{'_attributes'}->encode();
233
234							#We need the attributes not to be a SET, but CONTEXT [0].
235							#That means the first byte needs to be 0xa0, not 0x31.
236							#This is a detail germane to the PKCS10 structure, not to the
237							#Attributes itself (right??), so it makes sense to do the change here
238							#rather than to put “[0] SET” into the ASN1 template for Attributes.
239							#
240							#“use bytes” is not necessary because we know the first character is
241							#0x31, which came from Convert::ASN1.
242	9					2410	substr($attr_enc, 0, 1) = chr 0xa0;
243
244	9					58	my %reqinfo = (
245							version => 0,
246							subject => $subj_enc,
247							subjectPKInfo => $pk_der,
248							attributes => $attr_enc,
249							);
250
251	9					37	my $reqinfo_enc = $asn1_reqinfo->encode(\%reqinfo);
252
253	9					1346	my $signature = $sig_func->( $key, $reqinfo_enc );
254
255							return {
256	9		33			328634	certificationRequestInfo => \%reqinfo,
257							signatureAlgorithm => {
258							algorithm => $sig_alg,
259							parameters => $sig_param \|\| Crypt::Perl::ASN1::NULL(),
260							},
261							signature => $signature,
262							};
263							}
264
265							1;