pseudorandom hashing algorithm as per rfc5246
Latest commit 7cce430 Nov 13, 2016 @FROGGS committed on GitHub trigger travis build
Failed to load latest commit information.
lib/Digest Add unit declarator to module declarations May 21, 2015
t initial Aug 24, 2014
.travis.yml Add Travis-CI configuration Oct 28, 2016
LICENSE initial Aug 24, 2014 Add mandatory "perl" META field Oct 26, 2016 trigger travis build Nov 13, 2016


Calculates Pseudorandom SHA1 as defined in (5. HMAC and the Pseudorandom Function)

This algorithm is used for signing XML documents when the RequestedProofToken is either or

Thanks to Leandro Boffi ( for the nodejs version and a great blog.


    use Digest::PSHA1;
    use MIME::Base64;

    # Extract base64'd binary secret of a RequestSecurityToken request and a
    # RequestSecurityTokenResponse, like from such a structure:
    # <Entropy>
    #     <BinarySecret Type="">
    #         grrlUUfhuNwlvQzQ4bV6TT3wA8ieZPltIf4+H7nIvCE=
    #     </BinarySecret>
    # </Entropy>

    # Obtain the decoded versions
    my $client-secret = MIME::Base64.decode-str($client-binary-secret);
    my $server-secret = MIME::Base64.decode-str($server-binary-secret);

    # Build the key to sign an XML document
    my $key     = psha1($client-secret, $server-secret);
    my $key-b64 = MIME::Base64.encode($key, :oneline);
    #  ^--- you usually do not need the Base64 version of the key

    # To actually use this key to sign a document, do something like this
    use Digest::HMAC;
    use Digest;

    my $canonicalized-data  = '<SignedInfo xmlns="...">...</SignedInfo>';
    #  ^--- use the correct c14n version according to your XML document
    my $signature-value     = hmac($key, $canonicalized-data, &sha1);
    my $signature-value-b64 = MIME::Base64.encode($signature-value, :oneline);
    #  ^--- this is what you would add to your XML document


  • sub psha1-hex($secret, $seed, $blocksize = 256 --> Str)

    Returns the hex stringified output of psha1.

  • sub psha1($secret, $seed, $blocksize = 256 --> Buf)

    Computes the PSHA1 of the passed information.

    $secret and $seed can either be Str or Blob objects; if they are Str they will be encoded as ascii.