From d9759fce52008c36e2327157e509a14cb156c18c Mon Sep 17 00:00:00 2001
From: Toddr Bot
Date: Thu, 23 Apr 2026 12:37:55 +0000
Subject: [PATCH] Croak when passphrase is passed with DER-encoded private key
new_private_key() accepts @rest (passphrase) but _new_private_key_der() has no passphrase parameter, so the argument was silently dropped. Users expecting passphrase-protected DER loading got no indication it was ignored. Now croaks with a clear message instead.
Co-Authored-By: Claude Opus 4.6
---
 RSA.pm | 3 ++-
 t/der.t | 7 ++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/RSA.pm b/RSA.pm
index 108f1f8..5b38652 100644
--- a/RSA.pm
+++ b/RSA.pm
@@ -62,7 +62,8 @@ sub new_private_key {
 return $proto->_new_private_key_pem($p_key_string, @rest);
 }
 elsif ( substr($p_key_string, 0, 1) eq "\x30" ) {
- # ASN.1 SEQUENCE tag detected — likely DER-encoded private key.
+ croak "passphrase argument not supported for DER-encoded keys"
+ if @rest;
 return $proto->_new_private_key_der($p_key_string);
 }
 else {
diff --git a/t/der.t b/t/der.t
index 1d919d5..ed051c3 100644
--- a/t/der.t
+++ b/t/der.t
@@ -4,7 +4,7 @@ use Test::More;
 use MIME::Base64;
 use Crypt::OpenSSL::RSA;
-BEGIN { plan tests => 22 }
+BEGIN { plan tests => 23 }
 # --- Generate a key pair for testing ---
@@ -93,6 +93,11 @@ my $sig2 = $priv_from_der->sign($plaintext);
 ok( $pub_from_x509_der->verify($plaintext, $sig2), "signature from DER-loaded private key verifies" );
+# Error: passphrase with DER key
+eval { Crypt::OpenSSL::RSA->new_private_key($priv_der, "secret") };
+like( $@, qr/passphrase.*not supported.*DER/,
+ "new_private_key croaks when passphrase given with DER key" );
+
 # Error: DER-like data for private key
 eval { Crypt::OpenSSL::RSA->new_private_key("\x30\x00") };
 ok( $@, "new_private_key croaks on truncated DER data" );
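Review bot: The new guard `if @rest` in the DER branch fires on any extra argument, including an explicit `undef` or empty passphrase, so a caller that always forwards a passphrase variable (`new_private_key($key, $pass)` with `$pass` unset) now croaks on DER input where the key previously loaded. If only a real passphrase should be rejected, narrow the condition to `if grep { defined && length } @rest;`. The hunk also drops the comment that explained the `"\x30"` check; I would keep one above the croak, e.g. `# ASN.1 SEQUENCE tag (0x30): treat as a DER-encoded private key; this path takes no passphrase.` The body of new_private_key starts and ends outside this hunk.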
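Review bot: The added test in the second t/der.t hunk covers only a non-empty passphrase (`"secret"`), so the outcome for `new_private_key($priv_der, undef)` and `new_private_key($priv_der, "")` is left unpinned even though the `if @rest` guard in RSA.pm treats them the same as a real passphrase. Add one assertion for whichever behaviour is intended, for example `eval { Crypt::OpenSSL::RSA->new_private_key($priv_der, undef) }; ok( $@, "undef passphrase with DER key croaks" );`, and raise the `plan tests` count in the first t/der.t hunk to match.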