feat: add check=>1 validation to new_key_from_parameters()#111
Merged
atoomic merged 1 commit intocpan-authors:mainfrom Mar 17, 2026
Merged
Conversation
When check=>1 is passed, check_key() is called after key reconstruction. Inconsistent parameters (e.g. wrong CRT values, mismatched n/e/d/p/q) now fail at construction time with a clear error instead of silently producing a broken key. The check is skipped for public-only keys since they cannot be validated. New test file t/check_param.t with 7 tests covering valid params, public-only keys, bad parameters, and default (no-check) behavior.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds an optional
check => 1parameter tonew_key_from_parameters()that validates key consistency at construction time.Why
Keys built from raw BIGNUM parameters can silently carry inconsistent values (wrong CRT params, mismatched n/e/d/p/q). Without validation, these broken keys only fail at first use — sign, encrypt, etc. — with cryptic OpenSSL errors far from the construction site.
With
check => 1, the caller gets an immediate, clear croak at construction if parameters don't form a valid RSA key.How
Pure Perl change in RSA.pm — after
_new_key_from_parameters()returns the XS object, callscheck_key()whencheck => 1is passed and the key is private. Public-only keys (n, e only) skip the check since OpenSSL can't validate them.Testing
New
t/check_param.twith 7 tests:check => 1— succeedscheck => 1— succeeds (check skipped)dwithcheck => 1— croaks with clear errorAll 290 core tests pass on OpenSSL 3.6.1.
🤖 Generated with Claude Code