Add passphrase support for DER-encoded private keys #180
Merged
timlegge merged 1 commit into cpan-authors:main from Apr 23, 2026
timlegge
approved these changes
Apr 23, 2026
Member
Looks fine @toddr-bot, we can fix the @rest to $passphrase later
Member
@toddr-bot please rebase
_new_private_key_der() now accepts an optional passphrase to decrypt encrypted PKCS#8 DER (EncryptedPrivateKeyInfo) private keys. On OpenSSL 3.x, sets OSSL_DECODER_CTX_set_passphrase() on the existing decoder context. On pre-3.x, uses d2i_PKCS8PrivateKey_bio() via a helper placed before the EVP_PKEY->RSA compatibility macros. Addresses review feedback on PR cpan-authors#176 — rather than croaking when a passphrase is provided for DER keys, we now support the use case. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
0698084 to 2283c75
timlegge
approved these changes
Apr 23, 2026
What
new_private_key() now accepts a passphrase for encrypted PKCS#8 DER keys, matching the existing PEM passphrase support.
Why
PR #176 croaked when a passphrase was provided with DER keys. timlegge's review pointed out that implementing passphrase support is better than rejecting it — encrypted PKCS#8 DER (EncryptedPrivateKeyInfo) is a valid format that OpenSSL supports on all versions.
How
- OSSL_DECODER_CTX_set_passphrase() on the existing decoder context before calling OSSL_DECODER_from_bio(). The decoder chain auto-detects both encrypted and unencrypted PKCS#8 DER.
- _load_pkcs8_der_key() helper (placed before EVP_PKEY→RSA compatibility macros) that calls d2i_PKCS8PrivateKey_bio() and extracts the RSA* via EVP_PKEY_get1_RSA(). Used when a passphrase is provided; otherwise falls back to d2i_RSAPrivateKey_bio() for traditional PKCS#1 DER.
Testing
- t/der.t: encrypted PKCS#8 DER round-trip, key validation, sign/verify, wrong-passphrase rejection
Supersedes #176 — adds the feature instead of rejecting the use case.
🤖 Generated with Claude Code
Quality Report
Changes: 3 files changed, 72 insertions(+), 7 deletions(-)
Code scan: clean
Tests: passed (OK)
Branch hygiene: clean
Generated by Kōan post-mission quality pipeline
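The three DER layouts this PR distinguishes (traditional PKCS#1, unencrypted PKCS#8, and EncryptedPrivateKeyInfo) can be told apart from the first two elements of the outer SEQUENCE, which also shows when a passphrase is relevant. The classifier below is an added example, not code from this PR or from OpenSSL; `classify_der_key`, `der_header` and the sample byte arrays are hypothetical names, and the samples are constructed skeletons rather than real keys.

```c
#include <stdio.h>
#include <stddef.h>

enum der_kind { DER_INVALID, DER_PKCS1_RSA, DER_PKCS8_PLAIN, DER_PKCS8_ENCRYPTED };

/* Constructed skeletons (not real keys): just enough ASN.1 to show each layout. */
static const unsigned char SAMPLE_PKCS1[] = { 0x30,0x06, 0x02,0x01,0x00, 0x02,0x01,0x05 };
static const unsigned char SAMPLE_PKCS8[] = {   /* SEQ { INT 0, SEQ { rsaEncryption, NULL }, OCTETS } */
    0x30,0x15, 0x02,0x01,0x00, 0x30,0x0D, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,
    0x01,0x01,0x01, 0x05,0x00, 0x04,0x01,0x00 };
static const unsigned char SAMPLE_ENC[] = {     /* SEQ { SEQ { PBES2 OID }, OCTETS } */
    0x30,0x10, 0x30,0x0B, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0D, 0x04,0x01,0x00 };

/* Read one DER tag+length at *pos; returns the tag, or -1 if malformed or truncated. */
static int der_header(const unsigned char *b, size_t n, size_t *pos, size_t *len) {
    size_t p = *pos, l, k; int tag;
    if (p > n || n - p < 2) return -1;
    tag = b[p++]; l = b[p++];
    if (l & 0x80) {                        /* long form: low 7 bits = count of length bytes */
        k = l & 0x7f;
        if (k == 0 || k > sizeof(size_t) || n - p < k) return -1;
        for (l = 0; k > 0; k--) l = (l << 8) | b[p++];
    }
    if (n - p < l) return -1;              /* value must fit inside the buffer */
    *pos = p; *len = l;                    /* *pos now points at the value */
    return tag;
}

/* Classify a private-key DER blob by the first two elements of its outer SEQUENCE. */
enum der_kind classify_der_key(const unsigned char *b, size_t n) {
    size_t pos = 0, len, vlen = 0, end; int first;
    if (der_header(b, n, &pos, &len) != 0x30) return DER_INVALID;
    end = pos + len;
    first = der_header(b, end, &pos, &vlen);
    pos += vlen;                           /* skip the first element's value */
    if (first == 0x30)                     /* AlgorithmIdentifier, then OCTET STRING */
        return der_header(b, end, &pos, &vlen) == 0x04 ? DER_PKCS8_ENCRYPTED : DER_INVALID;
    if (first != 0x02) return DER_INVALID; /* unencrypted forms start with INTEGER version */
    switch (der_header(b, end, &pos, &vlen)) {
    case 0x30: return DER_PKCS8_PLAIN;     /* version, AlgorithmIdentifier, ... */
    case 0x02: return DER_PKCS1_RSA;       /* version, modulus, ... */
    default:   return DER_INVALID;
    }
}

int main(void) {   /* prints "1 2 3": PKCS#1, plain PKCS#8, encrypted PKCS#8 */
    printf("%d %d %d\n", classify_der_key(SAMPLE_PKCS1, sizeof SAMPLE_PKCS1),
        classify_der_key(SAMPLE_PKCS8, sizeof SAMPLE_PKCS8), classify_der_key(SAMPLE_ENC, sizeof SAMPLE_ENC));
    return 0;
}
```

Only the `DER_PKCS8_ENCRYPTED` layout carries ciphertext, so a test suite can use a check like this to confirm that a fixture meant to exercise the passphrase path really is an EncryptedPrivateKeyInfo.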