From 9c21224959b431aa02b4f173cecfa408e6d031be Mon Sep 17 00:00:00 2001 From: Timothy Legge Date: Thu, 22 Jun 2023 10:16:08 -0300 Subject: [PATCH 1/2] OpenSSL changes for version differences --- Makefile.PL | 8 ++++--- SignCSR.xs | 45 +++++++++++++++++++++++++++++++++++- cpanfile | 22 ++++++++++++++++++ lib/Crypt/OpenSSL/SignCSR.pm | 4 ++-- maint/Makefile_header.PL | 6 +++-- 5 files changed, 77 insertions(+), 8 deletions(-) create mode 100644 cpanfile diff --git a/Makefile.PL b/Makefile.PL index 61f26cf..fc31b3b 100644 --- a/Makefile.PL +++ b/Makefile.PL @@ -10,9 +10,11 @@ use ExtUtils::MakeMaker; use Config; use File::Spec; - +use Crypt::OpenSSL::Guess; my %args; +my ($major, $minor, $patch) = openssl_version(); +print "Installed OpenSSL: $major.$minor.$patch\n"; if ($^O ne 'MSWin32' and my $prefix = `brew --prefix --installed openssl\@1.1 2>@{[File::Spec->devnull]}`) { chomp $prefix; $args{INC} = "-I$prefix/include"; @@ -32,7 +34,7 @@ if ($^O eq 'MSWin32') { } } -my $cc_option_flags = ' -DOPENSSL_API_COMPAT=0x10100000L'; +my $cc_option_flags = $major ge 3 ? ' -DOPENSSL_API_COMPAT=30000' : ' -DOPENSSL_API_COMPAT=10100'; if ($Config::Config{cc} =~ /gcc/i) { $cc_option_flags .= $ENV{AUTHOR_TESTING} ? ' -Wall -Werror' : ' -Wall'; @@ -79,7 +81,7 @@ my %WriteMakefileArgs = ( "File::Slurper" => "0.012", "File::Which" => 0 }, - "VERSION" => "0.03", + "VERSION" => "0.04", "test" => { "TESTS" => "t/*.t" } diff --git a/SignCSR.xs b/SignCSR.xs index 8cfafe0..1251687 100644 --- a/SignCSR.xs +++ b/SignCSR.xs @@ -31,7 +31,9 @@ # define SERIAL_RAND_BITS 159 BIO *bio_err; +#if OPENSSL_API_COMPAT >= 30000 OSSL_LIB_CTX *libctx = NULL; +#endif static const char *propq = NULL; static unsigned long nmflag = 0; static char nmflag_set = 0; 
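Review bot: `use Crypt::OpenSSL::Guess;` makes Makefile.PL depend on a non-core module at configure time, but the cpanfile added in this patch lists only ExtUtils::MakeMaker under `on 'configure'`, so a clean install can fail before the build starts. Since the cpanfile is generated, the entry belongs in dist.ini, e.g. a `[Prereqs / ConfigureRequires]` section with `Crypt::OpenSSL::Guess = 0`. The result of `openssl_version()` is also printed and used without a check, so if no version can be determined the later flag selection runs on undefined values; a guard such as `defined $major or die "OS unsupported: cannot determine the OpenSSL version\n";` makes that explicit. The same two lines are added to maint/Makefile_header.PL.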
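Review bot: `$major ge 3` is a string comparison, so values are ordered character by character (a major of `10` would sort below `3`); use the numeric form, `$major >= 3 ? ' -DOPENSSL_API_COMPAT=30000' : ' -DOPENSSL_API_COMPAT=10100'`. More importantly, the value appears to come from whichever `openssl` program Crypt::OpenSSL::Guess locates, while the headers are selected separately (the unchanged lines above point INC at Homebrew's openssl@1.1), so the chosen define can disagree with the headers actually compiled against. OPENSSL_API_COMPAT is also OpenSSL's own macro, and the 1.1 headers expect the hex form the removed line used (`0x10100000L`), so `10100` there probably re-exposes every deprecated API; this is worth confirming. Choosing the code path inside SignCSR.xs from `OPENSSL_VERSION_NUMBER` would avoid all three problems. The identical line in maint/Makefile_header.PL needs the same change.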
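Review bot: Every `#if OPENSSL_API_COMPAT ...` added to SignCSR.xs, starting with this guard around `libctx`, trusts a value passed in by Makefile.PL, and an undefined macro evaluates to 0 in `#if`, silently selecting the pre-3.0 code. A compile-time check next to this first guard would turn a mismatch into a clear error: `#if OPENSSL_API_COMPAT >= 30000 && OPENSSL_VERSION_NUMBER < 0x30000000L`, then `#error "OPENSSL_API_COMPAT does not match the OpenSSL headers"`, then `#endif`. `propq` stays defined in both builds although the visible uses are all in 3.0-only calls, which may raise an unused-variable warning under the `-Wall -Werror` author build.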
@@ -165,7 +167,11 @@ int do_X509_REQ_verify(X509_REQ *x, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *vf int rv = 0; if (do_x509_req_init(x, vfyopts) > 0){ +#if OPENSSL_API_COMPAT <= 10100 + rv = X509_REQ_verify(x, pkey); +#else rv = X509_REQ_verify_ex(x, pkey, libctx, propq); +#endif } else rv = -1; @@ -242,10 +248,18 @@ unsigned long get_nameopt(void) nmflag_set ? nmflag : XN_FLAG_SEP_CPLUS_SPC | ASN1_STRFLGS_UTF8_CONVERT; } +#if OPENSSL_API_COMPAT >= 30000 static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey, const char *md, STACK_OF(OPENSSL_STRING) *sigopts) +#else +static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey, const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts) +#endif { EVP_PKEY_CTX *pkctx = NULL; +#if OPENSSL_API_COMPAT >= 30000 char def_md[80]; +#else + int def_nid; +#endif if (ctx == NULL) return 0; @@ -253,14 +267,23 @@ static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey, const char *md, STACK_O * EVP_PKEY_get_default_digest_name() returns 2 if the digest is mandatory * for this algorithm. */ +#if OPENSSL_API_COMPAT >= 30000 if (EVP_PKEY_get_default_digest_name(pkey, def_md, sizeof(def_md)) == 2 && strcmp(def_md, "UNDEF") == 0) { +#else + if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) == 2 + && def_nid == NID_undef) { +#endif /* The signing algorithm requires there to be no digest */ md = NULL; } +#if OPENSSL_API_COMPAT >= 30000 int val = EVP_DigestSignInit_ex(ctx, &pkctx, md, libctx, propq, pkey, NULL); +#else + int val = EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey); +#endif return val && do_pkey_ctx_init(pkctx, sigopts); } @@ -412,7 +435,11 @@ SV * sign(self, request_SV, days, name_SV, text, sigopts) // Create a new certificate store X509 * x; +#if OPENSSL_API_COMPAT <= 10100 + if ((x = X509_new()) == NULL) +#else if ((x = X509_new_ex(libctx, propq)) == NULL) +#endif croak("X509_new_ex failed ...\n"); // FIXME need to look at this 
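Review bot: The guard in do_X509_REQ_verify tests `OPENSSL_API_COMPAT <= 10100` while most other additions in this patch test `>= 30000`, so the two forms disagree for any value in between. Pick one form throughout, e.g. `#if OPENSSL_API_COMPAT >= 30000` with the `X509_REQ_verify_ex(x, pkey, libctx, propq)` call first and `X509_REQ_verify(x, pkey)` under `#else`. The X509_new hunk in sign() (`@@ -412`) uses the same `<= 10100` form, and its croak text still reads `X509_new_ex failed` on the branch that calls `X509_new()`.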
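Review bot: In do_sign_init (hunks `@@ -242` and `@@ -253`) the `if (` condition is opened separately in each preprocessor branch while the `{ md = NULL; }` body is shared. The brace structure therefore only balances when exactly one branch is compiled, which is easy to break on the next edit. Computing a flag per branch and testing it once keeps the control flow outside the `#if`: `no_digest = (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) == 2 && def_nid == NID_undef);` in the `#else` branch, the name-based equivalent in the 3.0 branch, then a single `if (no_digest) md = NULL;`. The retained comment above the test still names only EVP_PKEY_get_default_digest_name(); it should say that the pre-3.0 build uses EVP_PKEY_get_default_digest_nid() with the same meaning for a return value of 2.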
@@ -460,18 +487,30 @@ SV * sign(self, request_SV, days, name_SV, text, sigopts) // Create the X509 v3 extensions for the certificate X509V3_CTX ext_ctx; - X509V3_set_ctx(&ext_ctx, issuer_cert, x, csr /*NULL*/, NULL, X509V3_CTX_REPLACE); // Set the certificate issuer from the private key +#if OPENSSL_API_COMPAT >= 30000 + X509V3_set_ctx(&ext_ctx, issuer_cert, x, NULL, NULL, X509V3_CTX_REPLACE); if (!X509V3_set_issuer_pkey(&ext_ctx, private_key)) croak("X509V3_set_issuer_pkey cannot set issuer private key\n"); +#else + X509V3_set_ctx(&ext_ctx, issuer_cert, x, csr, NULL, X509V3_CTX_REPLACE); +#endif // Set the X509 version of the certificate +#if OPENSSL_API_COMPAT >= 30000 if (!X509_set_version(x, X509_VERSION_3)) +#else + if (!X509_set_version(x, 2)) +#endif croak("X509_set_version cannot set version 3\n"); // Get digestname parameter - verify that it is valid +#if OPENSSL_API_COMPAT >= 30300 + const EVP_MD *dgst; +#else EVP_MD * md; +#endif digestname = (unsigned char*) SvPV(name_SV, digestname_length); md = (EVP_MD *)EVP_get_digestbyname(digestname); if (md != NULL) @@ -483,7 +522,11 @@ SV * sign(self, request_SV, days, name_SV, text, sigopts) mctx = EVP_MD_CTX_new(); // Sign the new certificate +#if OPENSSL_API_COMPAT >= 30000 if (mctx != NULL && do_sign_init(mctx, private_key, digestname, NULL /*sigopts*/) > 0) +#else + if (mctx != NULL && do_sign_init(mctx, private_key, md, NULL /*sigopts*/) > 0) +#endif rv = (X509_sign_ctx(x, mctx) > 0); if (rv == 0) diff --git a/cpanfile b/cpanfile new file mode 100644 index 0000000..1250982 --- /dev/null +++ b/cpanfile 
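Review bot: `md` is declared only in the `#else` branch of the new `#if OPENSSL_API_COMPAT >= 30300` block, yet the unchanged lines directly below still assign and test `md`. With a value of 30300 or higher the file would therefore not compile, and `dgst` would be unused. Makefile.PL in this patch only ever passes 30000 or 10100, so the branch is currently dead, and 30300 matches no other guard in the file. Dropping the conditional and declaring `const EVP_MD *md;` once would work for both builds and make the `(EVP_MD *)` cast on `EVP_get_digestbyname()` unnecessary. Separately, the 3.0 branch now passes `NULL` instead of `csr` to `X509V3_set_ctx()`, so the two builds handle request-derived extensions differently; if that is intended, a comment should say why.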
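Review bot: On the pre-3.0 branch `do_sign_init()` receives whatever `EVP_get_digestbyname()` returned, and a NULL `md` passed to `EVP_DigestSignInit()` normally selects the key's default digest rather than failing. An unrecognised digest name could therefore yield a certificate signed with a digest the caller did not ask for. Whether the `if (md != NULL)` test above this hunk already croaks in that case is not visible here; if it does not, add `if (md == NULL) croak("unknown digest name\n");` before `EVP_MD_CTX_new()`. The 3.0 branch passes the name string instead, so the two builds currently validate the digest differently.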
@@ -0,0 +1,22 @@ +# This file is generated by Dist::Zilla::Plugin::CPANFile v6.030 +# Do not edit this file directly. To change prereqs, edit the `dist.ini` file. + +requires "perl" => "5.008"; + +on 'test' => sub { + requires "Crypt::OpenSSL::PKCS10" => "0.19"; + requires "Crypt::OpenSSL::RSA" => "0"; + requires "File::Slurper" => "0.012"; + requires "File::Which" => "0"; +}; + +on 'configure' => sub { + requires "ExtUtils::MakeMaker" => "0"; +}; + +on 'develop' => sub { + requires "Test::CPAN::Meta::JSON" => "0.16"; + requires "Test::Kwalitee" => "1.21"; + requires "Test::Pod" => "1.41"; + requires "Test::Spelling" => "0.12"; +}; diff --git a/lib/Crypt/OpenSSL/SignCSR.pm b/lib/Crypt/OpenSSL/SignCSR.pm index 6e65e0a..f31f36c 100644 --- a/lib/Crypt/OpenSSL/SignCSR.pm +++ b/lib/Crypt/OpenSSL/SignCSR.pm @@ -1,13 +1,13 @@ # ABSTRACT OpenSSL Self Sign a Certificate Signing Request in XS. package Crypt::OpenSSL::SignCSR; -use 5.036001; +use 5.008; use strict; use warnings; require Exporter; -our $VERSION = "0.03"; +our $VERSION = "0.04"; our @ISA = qw(Exporter); diff --git a/maint/Makefile_header.PL b/maint/Makefile_header.PL index f4456e1..8c7f9cb 100644 --- a/maint/Makefile_header.PL +++ b/maint/Makefile_header.PL @@ -1,8 +1,10 @@ use Config; use File::Spec; - +use Crypt::OpenSSL::Guess; my %args; +my ($major, $minor, $patch) = openssl_version(); +print "Installed OpenSSL: $major.$minor.$patch\n"; if ($^O ne 'MSWin32' and my $prefix = `brew --prefix --installed openssl\@1.1 2>@{[File::Spec->devnull]}`) { chomp $prefix; $args{INC} = "-I$prefix/include"; @@ -22,7 +24,7 @@ if ($^O eq 'MSWin32') { } } -my $cc_option_flags = ' -DOPENSSL_API_COMPAT=0x10100000L'; +my $cc_option_flags = $major ge 3 ? ' -DOPENSSL_API_COMPAT=30000' : ' -DOPENSSL_API_COMPAT=10100'; if ($Config::Config{cc} =~ /gcc/i) { $cc_option_flags .= $ENV{AUTHOR_TESTING} ? ' -Wall -Werror' : ' -Wall'; From 4ce436907a155d412b9eab85689e155e6986953b Mon Sep 17 00:00:00 2001 
From: Timothy Legge Date: Sun, 25 Jun 2023 14:36:36 -0300 Subject: [PATCH 2/2] Increase minimum perl version to 5.14 --- .github/workflows/linux.yml | 4 ++-- Makefile.PL | 4 ++-- dist.ini | 2 +- lib/Crypt/OpenSSL/SignCSR.pm | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index ec3344f..5b2f3be 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -9,8 +9,6 @@ jobs: strategy: matrix: perl-version: - - '5.10-buster' - - '5.12-buster' - '5.14-buster' - '5.16-buster' - '5.18-buster' @@ -21,6 +19,8 @@ jobs: - '5.28' - '5.30' - '5.32' + - '5.34' + - '5.36' container: image: perl:${{ matrix.perl-version }} steps: diff --git a/Makefile.PL b/Makefile.PL index fc31b3b..2b581bb 100644 --- a/Makefile.PL +++ b/Makefile.PL @@ -5,7 +5,7 @@ use strict; use warnings; -use 5.008; +use 5.014; use ExtUtils::MakeMaker; use Config; @@ -72,7 +72,7 @@ my %WriteMakefileArgs = ( }, "DISTNAME" => "Crypt-OpenSSL-SignCSR", "LICENSE" => "apache", - "MIN_PERL_VERSION" => "5.008", + "MIN_PERL_VERSION" => "5.014", "NAME" => "Crypt::OpenSSL::SignCSR", "PREREQ_PM" => {}, "TEST_REQUIRES" => { diff --git a/dist.ini b/dist.ini index 5f8dce9..4ca1e0e 100644 --- a/dist.ini +++ b/dist.ini @@ -15,7 +15,7 @@ maintainer = Timothy Legge -remove = Readme [Prereqs / RuntimeRequires] -perl = 5.008 +perl = 5.014 [Prereqs / TestRequires] File::Slurper = 0.012 diff --git a/lib/Crypt/OpenSSL/SignCSR.pm b/lib/Crypt/OpenSSL/SignCSR.pm index f31f36c..f745c60 100644 --- a/lib/Crypt/OpenSSL/SignCSR.pm +++ b/lib/Crypt/OpenSSL/SignCSR.pm @@ -1,7 +1,7 @@ # ABSTRACT OpenSSL Self Sign a Certificate Signing Request in XS. package Crypt::OpenSSL::SignCSR; -use 5.008; +use 5.014; use strict; use warnings;