From 2ad0e14c8141949312b494c04d781bc796b6f948 Mon Sep 17 00:00:00 2001 From: Timothy Legge Date: Mon, 9 Oct 2023 21:56:19 -0300 Subject: [PATCH 1/2] Fix MGF support Requires CryptX >= 0.081 which include the require rsa-oaep support for MGF --- Makefile.PL | 6 +- README | 33 ++++++- cpanfile | 3 +- lib/XML/Enc.pm | 153 +++++++++++++++++++++++++++++---- t/06-test-encryption-methods.t | 59 +++++++++---- t/lib/Test/XML/Enc/Util.pm | 30 +++++++ 6 files changed, 244 insertions(+), 40 deletions(-) diff --git a/Makefile.PL b/Makefile.PL index 71f1702..1550fa5 100644 --- a/Makefile.PL +++ b/Makefile.PL @@ -20,7 +20,7 @@ my %WriteMakefileArgs = ( "Crypt::AuthEnc::GCM" => "0.062", "Crypt::Mode::CBC" => 0, "Crypt::OpenSSL::X509" => 0, - "Crypt::PK::RSA" => 0, + "Crypt::PK::RSA" => "0.081", "Crypt::PRNG" => 0, "MIME::Base64" => 0, "XML::LibXML" => 0, @@ -31,6 +31,7 @@ my %WriteMakefileArgs = ( }, "TEST_REQUIRES" => { "Crypt::OpenSSL::Guess" => 0, + "CryptX" => 0, "Exporter" => 0, "File::Slurper" => 0, "File::Which" => 0, @@ -53,8 +54,9 @@ my %FallbackPrereqs = ( "Crypt::Mode::CBC" => 0, "Crypt::OpenSSL::Guess" => 0, "Crypt::OpenSSL::X509" => 0, - "Crypt::PK::RSA" => 0, + "Crypt::PK::RSA" => "0.081", "Crypt::PRNG" => 0, + "CryptX" => 0, "Exporter" => 0, "File::Slurper" => 0, "File::Which" => 0, diff --git a/README b/README index 9b880b3..706cf92 100644 --- a/README +++ b/README 
@@ -103,6 +103,37 @@ METHODS * mgf1sha512 + oaep_params + Specify the OAEPparams value to use as part of the mask generation + function (MGF). It is optional but can be specified for rsa-oaep and + rsa-oaep-mgf1p EncryptionMethods. + + It is base64 encoded and stored in the XML as OAEPparams. + + If specified you MAY specify the oaep_label_hash that should be + used. You should note that not all implementations support an + oaep_label_hash that differs from that of the MGF specified in the + xenc11:MGF element or the default MGF1 with SHA1. + + The oaep_label_hash is stored in the DigestMethod child element of + the EncryptionMethod. + + oaep_label_hash + Specify the Hash Algorithm to use for the rsa-oaep label as + specified by oaep_params. + + The default is sha1. Supported algorithms are: + + * sha1 + + * sha224 + + * sha256 + + * sha384 + + * sha512 + decrypt( ... ) Main decryption function. @@ -121,7 +152,7 @@ AUTHOR Timothy Legge COPYRIGHT AND LICENSE - This software is copyright (c) 2023 by TImothy Legge. + This software is copyright (c) 2024 by TImothy Legge. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. diff --git a/cpanfile b/cpanfile index c00da5d..c288e4c 100644 --- a/cpanfile +++ b/cpanfile @@ -4,7 +4,7 @@ requires "Carp" => "0"; requires "Crypt::AuthEnc::GCM" => "0.062"; requires "Crypt::Mode::CBC" => "0"; requires "Crypt::OpenSSL::X509" => "0"; -requires "Crypt::PK::RSA" => "0"; +requires "Crypt::PK::RSA" => "0.081"; requires "Crypt::PRNG" => "0"; requires "MIME::Base64" => "0"; requires "XML::LibXML" => "0"; @@ -16,6 +16,7 @@ requires "warnings" => "0"; on 'test' => sub { requires "Crypt::OpenSSL::Guess" => "0"; + requires "CryptX" => "0"; requires "Exporter" => "0"; requires "File::Slurper" => "0"; requires "File::Which" => "0"; diff --git a/lib/XML/Enc.pm b/lib/XML/Enc.pm index 26aadf5..4aebe33 100644 --- a/lib/XML/Enc.pm +++ b/lib/XML/Enc.pm 
@@ -9,7 +9,7 @@ package XML::Enc; use Carp; use Crypt::AuthEnc::GCM 0.062; use Crypt::Mode::CBC; -use Crypt::PK::RSA; +use Crypt::PK::RSA 0.081; use Crypt::PRNG qw( random_bytes ); use MIME::Base64 qw/decode_base64 encode_base64/; use XML::LibXML; @@ -107,8 +107,10 @@ sub _assert_encryption_digest { state $ENC_DIGEST = { 'http://www.w3.org/2000/09/xmldsig#sha1' => 'SHA1', 'http://www.w3.org/2001/04/xmlenc#sha256' => 'SHA256', + 'http://www.w3.org/2001/04/xmldsig-more#sha224' => 'SHA224', + 'http://www.w3.org/2001/04/xmldsig-more#sha384' => 'SHA384', + 'http://www.w3.org/2001/04/xmlenc#sha512' => 'SHA512', }; - die "Unsupported encryption digest algo $algo" unless $ENC_DIGEST->{ $algo }; return $ENC_DIGEST->{ $algo }; } @@ -196,6 +198,37 @@ Used in encryption. Optional. Default method: mgf1sha1 =back +=item B + +Specify the OAEPparams value to use as part of the mask generation function (MGF). +It is optional but can be specified for rsa-oaep and rsa-oaep-mgf1p EncryptionMethods. + +It is base64 encoded and stored in the XML as OAEPparams. + +If specified you MAY specify the oaep_label_hash that should be used. You should note +that not all implementations support an oaep_label_hash that differs from that of the +MGF specified in the xenc11:MGF element or the default MGF1 with SHA1. + +The oaep_label_hash is stored in the DigestMethod child element of the EncryptionMethod. + +=item B + +Specify the Hash Algorithm to use for the rsa-oaep label as specified by oaep_params. + +The default is sha1. Supported algorithms are: + +=over + +=item * L + +=item * L + +=item * L + +=item * L + +=item * L + =back =cut 
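Review bot: With the `die` removed, `_assert_encryption_digest` returns undef for any DigestMethod URI that is not in the table, and the callers visible in `_decrypt_key` then substitute a default (`$digest_name // 'SHA1'`), so an unrecognised algorithm in incoming XML is silently treated as SHA1 instead of being rejected. On a decryption path it is safer to fail closed on identifiers the module does not implement. If the check was dropped because `$algo` can be undefined when no DigestMethod element is present, keep it for the defined case: `die "Unsupported encryption digest algo $algo" if defined $algo && !exists $ENC_DIGEST->{$algo};`. The function starts outside the hunk, so how `$algo` is obtained is not visible here.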
@@ -225,8 +258,12 @@ sub new { my $key_method = exists($params->{'key_transport'}) ? $params->{'key_transport'} : 'rsa-oaep-mgf1p '; $self->{'key_transport'} = $self->_setKeyEncryptionMethod($key_method); - my $oaep_mgf_alg = exists($params->{'oaep_mgf_alg'}) ? $params->{'oaep_mgf_alg'} : 'http://www.w3.org/2009/xmlenc11#mgf1sha1'; - $self->{'oaep_mgf_alg'} = $self->_setOAEPAlgorithm($oaep_mgf_alg); + if (exists $params->{'oaep_mgf_alg'}) { + $self->{'oaep_mgf_alg'} = $self->_setOAEPAlgorithm($params->{'oaep_mgf_alg'}); + } + if (exists $params->{'oaep_label_hash'} ) { + $self->{'oaep_label_hash'} = $self->_setOAEPDigest($params->{'oaep_label_hash'}); + } $self->{'oaep_params'} = exists($params->{'oaep_params'}) ? $params->{'oaep_params'} : ''; @@ -576,6 +613,36 @@ sub _getOAEPAlgorithm { return $OAEPAlgorithm->{$method} // 'SHA1'; } +sub _setOAEPDigest { + my $self = shift; + my $method = shift; + + state $OAEPDigest = { + 'sha1' => 'http://www.w3.org/2000/09/xmldsig#sha1', + 'sha224' => 'http://www.w3.org/2001/04/xmldsig-more#sha224', + 'sha256' => 'http://www.w3.org/2001/04/xmlenc#sha256', + 'sha384' => 'http://www.w3.org/2001/04/xmldsig-more#sha384', + 'sha512' => 'http://www.w3.org/2001/04/xmlenc#sha512', + }; + + return $OAEPDigest->{$method} // $OAEPDigest->{'sha256'}; +} + +sub _getParamsAlgorithm { + my $self = shift; + my $method = shift; + + state $ParamsAlgorithm = { + 'http://www.w3.org/2000/09/xmldsig#sha1' => 'SHA1', + 'http://www.w3.org/2001/04/xmldsig-more#sha224' => 'SHA224', + 'http://www.w3.org/2001/04/xmlenc#sha256' => 'SHA256', + 'http://www.w3.org/2001/04/xmldsig-more#sha384' => 'SHA384', + 'http://www.w3.org/2001/04/xmlenc#sha512' => 'SHA512', + }; + + return $ParamsAlgorithm->{$method} // $ParamsAlgorithm->{'http://www.w3.org/2000/09/xmldsig#sha1'}; +} + sub _setKeyEncryptionMethod { my $self = shift; my $method = shift; 
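Review bot: `_setOAEPDigest` falls back to `$OAEPDigest->{'sha256'}` for a name it does not recognise, while the README and POD added in this patch say the default is sha1 and `_getParamsAlgorithm` falls back to the SHA1 URI. A misspelled `oaep_label_hash` therefore silently selects a different hash from the documented one. Either make the fallback `$OAEPDigest->{'sha1'}` or, preferably for a cryptographic parameter, reject unknown names: `return $OAEPDigest->{$method} // croak "Unsupported oaep_label_hash $method";` (Carp is already loaded by the file).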
@@ -681,11 +748,24 @@ sub _decrypt_key { if ($algo eq 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p') { return _decrypt( sub { - $self->{key_obj}->decrypt( - $key, 'oaep', - $digest_name // 'SHA1', - $oaep // '' - ); + if ($CryptX::VERSION le 0.081) { + #print "Caller: _decrypt_key rsa-oaep-mgf1p\n"; + $self->{key_obj}->decrypt( + $key, 'oaep', + #$self->_getOAEPAlgorithm($mgf), + $digest_name // 'SHA1', + $oaep // '', + ); + } else { + #print "Caller: _decrypt_key rsa-oaep-mgf1p\n"; + #print "digest_name: ", $digest_name, "\n"; + $self->{key_obj}->decrypt( + $key, 'oaep', + $mgf // 'SHA1', + $oaep // '', + $digest_name // 'SHA1', + ); + } } ); } @@ -693,11 +773,20 @@ sub _decrypt_key { if ($algo eq 'http://www.w3.org/2009/xmlenc11#rsa-oaep') { return _decrypt( sub { - $self->{key_obj}->decrypt( - $key, 'oaep', - $self->_getOAEPAlgorithm($mgf), - $oaep // '', - ); + if ($CryptX::VERSION le 0.081) { + $self->{key_obj}->decrypt( + $key, 'oaep', + $self->_getOAEPAlgorithm($mgf), + $oaep // '', + ); + } else { + $self->{key_obj}->decrypt( + $key, 'oaep', + $self->_getOAEPAlgorithm($mgf), + $oaep // '', + $digest_name // '', + ); + } } ); } 
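Review bot: `$CryptX::VERSION le 0.081` is a string comparison that is true for 0.081 itself, so the one version that both satisfies `use Crypt::PK::RSA 0.081` and is named by the commit message as providing the new support still takes the legacy four-argument branch, while `get_cryptx_features` in the test helper draws the line the other way with `$version ge '0.081'`. If 0.081 does accept the separate label hash, use a numeric `$CryptX::VERSION < 0.081` or drop the legacy branch, given the minimum version; the same applies to the second hunk of `_decrypt_key` and to both branches in `_EncryptKey`. Separately, the new branch passes `$mgf // 'SHA1'` straight to `decrypt`, whereas the rsa-oaep branch maps it through `_getOAEPAlgorithm($mgf)`; for rsa-oaep-mgf1p a literal `'SHA1'` looks intended. The commented-out `print` debug lines should be removed before merge. `_decrypt_key` begins outside the hunk, so how `$mgf` and `$digest_name` are populated is not visible.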
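Review bot: In the rsa-oaep branch the label hash defaults to `$digest_name // ''`, while the rsa-oaep-mgf1p branch above uses `$digest_name // 'SHA1'`. An empty string leaves the choice to whatever Crypt::PK::RSA does with an empty hash name, which cannot be seen from this hunk. The documentation added in this patch states that the default label hash is sha1, so `$digest_name // 'SHA1'` would make the default explicit and keep the two branches consistent.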
@@ -712,14 +801,29 @@ sub _EncryptKey { my $rsa_pub = $self->{cert_obj}; + # FIXME: this could use some refactoring and some simplfication if ($keymethod eq 'http://www.w3.org/2001/04/xmlenc#rsa-1_5') { ${$key} = $rsa_pub->encrypt(${$key}, 'v1.5'); } elsif ($keymethod eq 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p') { - ${$key} = $rsa_pub->encrypt(${$key}, 'oaep', 'SHA1', $self->{oaep_params}); + if ($CryptX::VERSION le 0.081) { + ${$key} = $rsa_pub->encrypt(${$key}, 'oaep', 'SHA1', $self->{oaep_params}); + } else { + my $oaep_label_hash = (defined $self->{oaep_label_hash} && $self->{oaep_label_hash} ne '') ? + $self->_getParamsAlgorithm($self->{oaep_label_hash}) : 'SHA1'; + ${$key} = $rsa_pub->encrypt(${$key}, 'oaep', 'SHA1', $self->{oaep_params}, $oaep_label_hash); + } } elsif ($keymethod eq 'http://www.w3.org/2009/xmlenc11#rsa-oaep') { - ${$key} = $rsa_pub->encrypt(${$key}, 'oaep', $self->_getOAEPAlgorithm($self->{oaep_mgf_alg}), $self->{oaep_params}); + my $mgf_hash = defined $self->{oaep_mgf_alg} ? + $self->_getOAEPAlgorithm($self->{oaep_mgf_alg}) : undef; + if ($CryptX::VERSION le 0.081) { + ${$key} = $rsa_pub->encrypt(${$key}, 'oaep', $mgf_hash, $self->{oaep_params}); + } else { + my $oaep_label_hash = (defined $self->{oaep_label_hash} && $self->{oaep_label_hash} ne '') ? + $self->_getParamsAlgorithm($self->{oaep_label_hash}) : $mgf_hash; + ${$key} = $rsa_pub->encrypt(${$key}, 'oaep', $mgf_hash, $self->{oaep_params}, $oaep_label_hash); + } } else { die "Unsupported algorithm for key encyption $keymethod}"; } 
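Review bot: When `oaep_mgf_alg` is not set, `$mgf_hash` is `undef` and is passed to `encrypt` as the hash name, and the label hash then falls back to that same `undef`; before this patch `new` always supplied mgf1sha1. The result now depends on how Crypt::PK::RSA treats an undefined hash name rather than on this module, so write the default out: `$self->_getOAEPAlgorithm($self->{oaep_mgf_alg}) : 'SHA1';`. Also, when `oaep_label_hash` is unset in the rsa-oaep branch, the label hash silently follows `$mgf_hash` (for example SHA256) although the documentation says the default is sha1. Confirm that the value used here is the one written to DigestMethod, otherwise a peer applying the documented default cannot decrypt the key.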
@@ -1030,6 +1134,20 @@ sub _create_encrypted_data_xml { } ); + if ($self->{key_transport} eq 'http://www.w3.org/2009/xmlenc11#rsa-oaep' || + $self->{key_transport} eq 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' && + $self->{oaep_label_hash}) { + my $digestmethod = $self->_create_node( + $doc, + $dsigns, + $kencmethod, + 'dsig:DigestMethod', + { + Algorithm => $self->{oaep_label_hash}, + } + ); + }; + if ($self->{'oaep_params'} ne '') { my $oaep_params = $self->_create_node( $doc, @@ -1039,7 +1157,8 @@ sub _create_encrypted_data_xml { ); }; - if ($self->{key_transport} eq 'http://www.w3.org/2009/xmlenc11#rsa-oaep') { + if ($self->{key_transport} eq 'http://www.w3.org/2009/xmlenc11#rsa-oaep' && + $self->{oaep_mgf_alg}) { my $oaepmethod = $self->_create_node( $doc, $xenc11ns, diff --git a/t/06-test-encryption-methods.t b/t/06-test-encryption-methods.t index a1b922f..2dd3b48 100644 --- a/t/06-test-encryption-methods.t +++ b/t/06-test-encryption-methods.t @@ -1,6 +1,6 @@ use strict; use warnings; -use Test::More tests => 126; +use Test::More tests => 896; use Test::Lib; use Test::XML::Enc; use XML::Enc; @@ -15,10 +15,12 @@ XML my @key_methods = qw/rsa-1_5 rsa-oaep-mgf1p/; my @data_methods = qw/aes128-cbc aes192-cbc aes256-cbc tripledes-cbc aes128-gcm aes192-gcm aes256-gcm/; -my @oaep_mgf_algs = qw/mgf1sha1 mgf1sha224 mgf1sha256 mgf1sha384 mgf1sha512/; +my @oaep_mgf_algs = qw/rsa-oaep-mgf1p mgf1sha1 mgf1sha224 mgf1sha256 mgf1sha384 mgf1sha512/; +my @oaep_label_hashes = qw/sha1 sha224 sha256 sha384 sha512/; my $xmlsec = get_xmlsec_features(); my $lax_key_search = $xmlsec->{lax_key_search} ? '--lax-key-search': ''; +my $cryptx = get_cryptx_features(); foreach my $km (@key_methods) { foreach my $dm (@data_methods) { 
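Review bot: The new DigestMethod condition is written as `A || B && $self->{oaep_label_hash}`, and because `&&` binds tighter than `||` it evaluates as `A || (B && C)`. For rsa-oaep a `dsig:DigestMethod` node is therefore created even when `oaep_label_hash` is unset, with an undefined `Algorithm` value. Wrap the two `key_transport eq ...` tests in one pair of parentheses so that `&& $self->{oaep_label_hash}` applies to both transports. `my $digestmethod` is never read inside the block and can be dropped. The enclosing `_create_encrypted_data_xml` starts and ends outside the hunk.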
@@ -39,10 +41,6 @@ foreach my $km (@key_methods) { SKIP: { skip "xmlsec1 not installed", 2 unless $xmlsec->{installed}; - my $version; - if (`xmlsec1 version` =~ m/(\d+\.\d+\.\d+)/) { - $version = $1; - }; skip "xmlsec version 1.2.27 minimum for GCM", 2 if ! $xmlsec->{aes_gcm}; ok( open XML, '>', 'tmp.xml' ); print XML $encrypted; 
@@ -56,22 +54,45 @@ foreach my $km (@key_methods) { } foreach my $om (@oaep_mgf_algs) { - foreach my $dm (@data_methods) { - my $encrypter = XML::Enc->new( - { - key => 't/sign-private.pem', - cert => 't/sign-certonly.pem', - data_enc_method => $dm, - key_transport => 'rsa-oaep', - oaep_mgf_alg => $om, - no_xml_declaration => 1 + foreach my $omdig (@oaep_label_hashes) { + SKIP: { + if (! $cryptx->{oaem_mgf_digest} && ($om ne $omdig)) { + my $skip = (scalar @data_methods) * 4; + skip "CryptX $cryptx->{version} does not support rsa-oaep MGF: $om and digest $omdig", $skip; } - ); - my $encrypted = $encrypter->encrypt($xml); - like($encrypted, qr/EncryptedData/, "Successfully Encrypted: Key Method 'rsa-oaep' with $om Data Method $dm"); + my $km = ( $om eq 'rsa-oaep-mgf1p') ? 'rsa-oaep-mgf1p' : 'rsa-oaep'; + foreach my $dm (@data_methods) { + my $encrypter = XML::Enc->new( + { + key => 't/sign-private.pem', + cert => 't/sign-certonly.pem', + data_enc_method => $dm, + key_transport => $km, + oaep_mgf_alg => $om, + oaep_label_hash => $omdig, + oaep_params => 'encrypt', + no_xml_declaration => 1, + } + ); - like($encrypter->decrypt($encrypted), qr/XML-SIG_1/, "Successfully Decrypted with XML::Enc"); + my $encrypted = $encrypter->encrypt($xml); + ok($encrypted =~ /EncryptedData/, "Successful Encrypted: Key Method:$km MGF:$om, param:$omdig Data Method:$dm"); + + SKIP: { + skip "xmlsec1 not installed", 2 unless $xmlsec->{installed}; + skip "xmlsec version 1.2.27 minimum for GCM", 2 if ! 
$xmlsec->{aes_gcm}; + ok( open XML, '>', "$km-$om-$omdig-$dm-tmp.xml" ); + print XML $encrypted; + close XML; + my $verify_response = `xmlsec1 --decrypt $lax_key_search --privkey-pem t/sign-private.pem $km-$om-$omdig-$dm-tmp.xml 2>&1`; + ok( $verify_response =~ m/XML-SIG_1/, "Successfully decrypted with xmlsec1" ) + or warn "calling xmlsec1 failed: '$verify_response'\n"; + unlink "$km-$om-$omdig-$dm-tmp.xml"; + } + ok($encrypter->decrypt($encrypted) =~ /XML-SIG_1/, "Successfully Decrypted with XML::Enc"); + } + } } } done_testing; diff --git a/t/lib/Test/XML/Enc/Util.pm b/t/lib/Test/XML/Enc/Util.pm index eafe539..bdb1c31 100644 --- a/t/lib/Test/XML/Enc/Util.pm +++ b/t/lib/Test/XML/Enc/Util.pm @@ -9,6 +9,7 @@ our @ISA = qw(Exporter); our @EXPORT = qw( get_xmlsec_features get_openssl_features + get_cryptx_features ); our @EXPORT_OK; @@ -87,6 +88,35 @@ sub get_openssl_features { return \%openssl; } +######################################################################### +# get_cryptx_features +# +# Parameter: none +# +# Returns a hash of the version and any features that are needed +# if proper the version is installed +# +# Response: hash +# +# %features = ( +# version => '0.077', +# oaem_mgf_digest => 0, +# ); +########################################################################## +sub get_cryptx_features { + + require CryptX; + + my $version = $CryptX::VERSION; + + my %cryptx = ( + version => $version, + oaem_mgf_digest => ($version ge '0.081') ? 1 : 0, + ); + + return \%cryptx; +} + 1; __END__ From 8f03f0fec7798145ceace02463fef4c5588ed19d Mon Sep 17 00:00:00 2001 From: Timothy Legge Date: Thu, 26 Dec 2024 23:07:17 -0400 Subject: [PATCH 2/2] Add KeyName to XML if specified --- README | 4 ++++ lib/XML/Enc.pm | 31 ++++++++++++++++++++++++++++++- t/06-test-encryption-methods.t | 17 ++++++++++------- t/lib/Test/XML/Enc/Util.pm | 1 + 4 files changed, 45 insertions(+), 8 deletions(-) diff --git a/README b/README index 706cf92..47ac887 100644 --- a/README 
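Review bot: The skip condition `$om ne $omdig` compares values from `@oaep_mgf_algs` (`rsa-oaep-mgf1p`, `mgf1sha1`, ...) with values from `@oaep_label_hashes` (`sha1`, ...), so it is always true. When `oaem_mgf_digest` is off every combination is skipped, including the pairs where the MGF hash and the label hash match. Compare the hash part instead, for example `(my $mgf_hash = $om) =~ s/^mgf1//;` followed by `$mgf_hash ne $omdig`, treating `rsa-oaep-mgf1p` as sha1. The feature key is spelled `oaem_mgf_digest` here and in `get_cryptx_features`; `oaep_mgf_digest` would match the rest of the naming. `print XML` and `close XML` are unchecked, so a failed write shows up only as an unexplained xmlsec1 failure.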
+++ b/README @@ -134,6 +134,10 @@ METHODS * sha512 + key_name + Specify a key name to add to the KeyName element. If it is not + specified then no KeyName element is added to the KeyInfo + decrypt( ... ) Main decryption function. diff --git a/lib/XML/Enc.pm b/lib/XML/Enc.pm index 4aebe33..d5616a5 100644 --- a/lib/XML/Enc.pm +++ b/lib/XML/Enc.pm @@ -231,6 +231,13 @@ The default is sha1. Supported algorithms are: =back +=item B + +Specify a key name to add to the KeyName element. If it is not specified then no +KeyName element is added to the KeyInfo + +=back + =cut sub new { @@ -267,6 +274,8 @@ sub new { $self->{'oaep_params'} = exists($params->{'oaep_params'}) ? $params->{'oaep_params'} : ''; + $self->{'key_name'} = $params->{'key_name'} if exists($params->{'key_name'}); + return $self; } @@ -539,6 +548,11 @@ sub encrypt { my $base64_key = encode_base64($key); my $base64_data = encode_base64($encrypteddata); + # Insert KeyName into the XML + if (defined $self->{key_name} and $self->{key_name} ne '') { + $encrypted = $self->_setKeyName($encrypted, $xpc, $self->{key_name}); + } + # Insert OAEPparams into the XML if ($self->{oaep_params} ne '') { $encrypted = $self->_setOAEPparams($encrypted, $xpc, encode_base64($self->{oaep_params})); @@ -570,6 +584,19 @@ sub _setEncryptionMethod { return exists($methods{$method}) ? $methods{$method} : $methods{'aes256-cbc'}; } +sub _setKeyName { + my $self = shift; + my $context = shift; + my $xpc = shift; + my $keyname = shift; + + my $node = $xpc->findnodes('//xenc:EncryptedKey/dsig:KeyInfo/dsig:KeyName', $context); + + $node->[0]->removeChildNodes(); + $node->[0]->appendText(defined $keyname ? $keyname : 'key_name'); + return $context; +} + sub _setOAEPparams { my $self = shift; my $context = shift; 
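Review bot: `_setKeyName` calls `$node->[0]->removeChildNodes()` without checking that the XPath matched, so if no `dsig:KeyName` exists under `xenc:EncryptedKey/dsig:KeyInfo` it dies with a method-on-undef error that does not name the cause. Add a guard before the dereference, e.g. `croak "No dsig:KeyName element found in EncryptedKey" unless $node->size;`. The fallback in `defined $keyname ? $keyname : 'key_name'` would write a placeholder name into the document; since `encrypt` only calls this sub with a defined, non-empty name, plain `$keyname` is enough.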
@@ -1177,12 +1204,14 @@ sub _create_encrypted_data_xml { 'dsig:KeyInfo', ); - my $keyname = $self->_create_node( + if (defined $self->{key_name}) { + my $keyname = $self->_create_node( $doc, $dsigns, $keyinfo2, 'dsig:KeyName', ); + }; my $keycipherdata = $self->_create_node( $doc, diff --git a/t/06-test-encryption-methods.t b/t/06-test-encryption-methods.t index 2dd3b48..017aff3 100644 --- a/t/06-test-encryption-methods.t +++ b/t/06-test-encryption-methods.t @@ -13,6 +13,7 @@ my $xml = <<'XML'; XML +my $key_name = 'mykey'; my @key_methods = qw/rsa-1_5 rsa-oaep-mgf1p/; my @data_methods = qw/aes128-cbc aes192-cbc aes256-cbc tripledes-cbc aes128-gcm aes192-gcm aes256-gcm/; my @oaep_mgf_algs = qw/rsa-oaep-mgf1p mgf1sha1 mgf1sha224 mgf1sha256 mgf1sha384 mgf1sha512/; @@ -28,6 +29,7 @@ foreach my $km (@key_methods) { { key => 't/sign-private.pem', cert => 't/sign-certonly.pem', + key_name => $key_name, data_enc_method => $dm, key_transport => $km, no_xml_declaration => 1 @@ -42,17 +44,16 @@ foreach my $km (@key_methods) { SKIP: { skip "xmlsec1 not installed", 2 unless $xmlsec->{installed}; skip "xmlsec version 1.2.27 minimum for GCM", 2 if ! $xmlsec->{aes_gcm}; - ok( open XML, '>', 'tmp.xml' ); + ok( open XML, '>', "enc-xml-$km-$dm.xml" ); print XML $encrypted; close XML; - my $verify_response = `xmlsec1 --decrypt $lax_key_search --privkey-pem t/sign-private.pem tmp.xml 2>&1`; + my $verify_response = `xmlsec1 --decrypt $lax_key_search --privkey-pem:$key_name t/sign-private.pem,t/sign-certonly.pem enc-xml-$km-$dm.xml 2>&1`; like($verify_response, qr/XML-SIG_1/, "Successfully decrypted with xmlsec1" ) or warn "calling xmlsec1 failed: '$verify_response'\n"; - unlink 'tmp.xml'; + unlink "enc-xml-$km-$dm.xml"; } } } - foreach my $om (@oaep_mgf_algs) { foreach my $omdig (@oaep_label_hashes) { SKIP: { 
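Review bot: The KeyName node is created when `defined $self->{key_name}`, but `encrypt` fills it only when the name is also non-empty (`$self->{key_name} ne ''`), so `key_name => ''` produces an empty `dsig:KeyName` element in the output. Use the same test in both places: `if (defined $self->{key_name} and $self->{key_name} ne '') {`. `my $keyname` goes out of scope at the end of the new block without being read, so the assignment can be dropped. The enclosing sub extends beyond the hunk on both sides.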
@@ -67,6 +68,7 @@ foreach my $om (@oaep_mgf_algs) { { key => 't/sign-private.pem', cert => 't/sign-certonly.pem', + key_name => $key_name, data_enc_method => $dm, key_transport => $km, oaep_mgf_alg => $om, @@ -82,13 +84,14 @@ foreach my $om (@oaep_mgf_algs) { SKIP: { skip "xmlsec1 not installed", 2 unless $xmlsec->{installed}; skip "xmlsec version 1.2.27 minimum for GCM", 2 if ! $xmlsec->{aes_gcm}; - ok( open XML, '>', "$km-$om-$omdig-$dm-tmp.xml" ); + skip "xmlsec version 1.3.00 minimum for rsa-oeap", 2 if ! $xmlsec->{rsa_oaep}; + ok( open XML, '>', "enc-xml-$km-$om-$omdig-$dm.xml" ); print XML $encrypted; close XML; - my $verify_response = `xmlsec1 --decrypt $lax_key_search --privkey-pem t/sign-private.pem $km-$om-$omdig-$dm-tmp.xml 2>&1`; + my $verify_response = `xmlsec1 --decrypt $lax_key_search --privkey-pem:$key_name t/sign-private.pem,t/sign-certonly.pem enc-xml-$km-$om-$omdig-$dm.xml 2>&1`; ok( $verify_response =~ m/XML-SIG_1/, "Successfully decrypted with xmlsec1" ) or warn "calling xmlsec1 failed: '$verify_response'\n"; - unlink "$km-$om-$omdig-$dm-tmp.xml"; + unlink "enc-xml-$km-$om-$omdig-$dm.xml"; } ok($encrypter->decrypt($encrypted) =~ /XML-SIG_1/, "Successfully Decrypted with XML::Enc"); } diff --git a/t/lib/Test/XML/Enc/Util.pm b/t/lib/Test/XML/Enc/Util.pm index bdb1c31..e3d478a 100644 --- a/t/lib/Test/XML/Enc/Util.pm +++ b/t/lib/Test/XML/Enc/Util.pm @@ -54,6 +54,7 @@ sub get_xmlsec_features { ripemd160 => ($major >= 1 and $minor >= 3) ? 1 : 0, aes_gcm => ($major <= 1 and $minor <= 2 and $patch <= 27) ? 0 : 1, lax_key_search => ($major >= 1 and $minor >= 3) ? 1 : 0, + rsa_oaep => ($major >= 1 and $minor >= 3) ? 1 : 0, ); return \%xmlsec; }
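Review bot: In the Util.pm hunk, `rsa_oaep => ($major >= 1 and $minor >= 3)` requires the minor number to be at least 3 whatever the major number is, so an xmlsec1 2.0 would be reported as lacking rsa-oaep and the interop tests would be silently skipped. `($major > 1 or ($major == 1 and $minor >= 3)) ? 1 : 0` avoids that; the neighbouring `ripemd160` and `lax_key_search` lines share the pattern. In the test hunk above, the skip message reads `rsa-oeap` where `rsa-oaep` is meant. `get_xmlsec_features` starts outside the hunk, so how `$major`, `$minor` and `$patch` are parsed is not visible.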