cpan-authors · toddr-bot · Apr 23, 2026
diff --git a/RSA.pm b/RSA.pm
@@ -62,7 +62,8 @@ sub new_private_key {
         return $proto->_new_private_key_pem($p_key_string, @rest);
     }
     elsif ( substr($p_key_string, 0, 1) eq "\x30" ) {
-        # ASN.1 SEQUENCE tag detected — likely DER-encoded private key.
+        croak "passphrase argument not supported for DER-encoded keys"
+            if @rest;
         return $proto->_new_private_key_der($p_key_string);
     }
     else {

diff --git a/t/der.t b/t/der.t
@@ -4,7 +4,7 @@ use Test::More;
 use MIME::Base64;
 use Crypt::OpenSSL::RSA;
 
-BEGIN { plan tests => 22 }
+BEGIN { plan tests => 23 }
 
 # --- Generate a key pair for testing ---
 
@@ -93,6 +93,11 @@ my $sig2 = $priv_from_der->sign($plaintext);
 ok( $pub_from_x509_der->verify($plaintext, $sig2),
     "signature from DER-loaded private key verifies" );
 
+# Error: passphrase with DER key
+eval { Crypt::OpenSSL::RSA->new_private_key($priv_der, "secret") };
+like( $@, qr/passphrase.*not supported.*DER/,
+    "new_private_key croaks when passphrase given with DER key" );
+
 # Error: DER-like data for private key
 eval { Crypt::OpenSSL::RSA->new_private_key("\x30\x00") };
 ok( $@, "new_private_key croaks on truncated DER data" );