Version 0.35 and 0.37 have broken several CPAN dependents

[andk]

Just to let you know, we have at least three distros on CPAN that have turned from PASS to FAIL with the appearance of Crypt-OpenSSL-RSA-0.35.

• Google-SAML-Response: Tests for Google-SAML-Response-0.14 have started to fail with Crypt::OpenSSL::RSA 0.35 mannih/Google-SAML-Response#3
• Net-ACME2: Tests for Net-ACME2-0.35 have started to fail with Crypt::OpenSSL::RSA 0.35 FGasper/p5-Net-ACME2#13
• WWW-LetsEncrypt: Tests for WWW-LetsEncrypt-0.002 have started to fail with TODDR/Crypt-OpenSSL-RSA-0.35.tar.gz dreamhost/perl-www-letsencrypt#2

I do not have any suggestion what should be done, but maybe somebody else can imagine some improvement?

[andk]

Also affected Crypt-LE-0.39; tracked in issue https://rt.cpan.org/Ticket/Display.html?id=167308

[guest20]

@andk There are workarounds discussed on the github repo for Crypt::LE:

do-know/Crypt-LE#102 PKCS#1 1.5 is disabled as it is known to be vulnerable to marvin attacks #102

Obviously pinning to a lower version that lacks the croak Insecure line isn't ideal...

[toddr]

I've released 0.37 to CPAN with support for use_pkcs1_pss_padding as an alternative to use_pkcs1_padding however, Crypt::LE and Net::ACME2 will need to adjust their code to use this. it's not as simple as just switching the call. You need to update the JWT header to indicate the encoding.

[toddr]

Crypt-OpenSSL-RSA/RSA.pm

Lines 258 to 261 in 4951e30

	B<Note:> while C<pkcs1-pss> is the effective replacement for <pkcs1> your
	use case may require some additional steps. JSON Web Tokens (JWT) for
	instance require the algorithm to be changed from "RS256" for "pkcs1"
	(SHA1256) to "PS256" for "pkcs1-pss" (SHA-256 and MGF1 with SHA-256)

[lemrouch]

Hi, my 2 cents: Authen::HTTP::Signature is broken after upgrade from 0.35 to 0.37 too.
https://rt.cpan.org/Public/Bug/Display.html?id=171915

[timlegge]

So is JSON::WebToken. I have reached out to the maintainer

[andk]

Also affected:

• Amazon-CloudFront-SignedURL-0.03 as reported in Test is failing with recent version of Crypt::OpenSSL::RSA zoncoen/Amazon-CloudFront-SignedURL#1
• XML-Sig-OO-0.010 -- https://rt.cpan.org/Ticket/Display.html?id=172407
• MARKOV/XML-Compile-WSS-Signature-2.04.tar.gz -- mentioning @markov2

[andk]

MANNI/Google-SAML-Response-0.15.tar.gz is also affected by the upgrade from 0.35 to 0.37: https://www.cpantesters.org/cpan/report/0b5cd79a-e346-11f0-a3e0-ad84c3bd3df5