DEV Community: Timothy Legge

New version of Crypt::OpenPGP released

Timothy Legge — Sat, 05 Oct 2024 03:26:21 +0000

I recently took over maintenance for #Perl's Crypt::OpenPGP module. https://metacpan.org/pod/Crypt::OpenPGP. The latest release merged a significant number of older PRs that had languished on #GitHub for years and fixed a lot of issues. I am currently looking at support for parsing gnupg key box files that now hold public keys.

While reviewing the code I discovered https://metacpan.org/pod/Data::Buffer, an amazingly easy way to parse binary data files. Last released in 2001 and it still works great 23 years later.

That's despite running on completely different Linux distributions. Version 5.6.x Perl was at of the art in 2001. It still runs fine in 5.40 Perl - No changes needed.

What other Programming language provides that level of backward compatibility.

Dist::Zilla::Plugin::GitHub::CreateRelease

Timothy Legge — Tue, 22 Aug 2023 01:29:38 +0000

I released an initial version of Dist::Zilla::Plugin::GitHub::CreateRelease.

It creates a GitHub Release complete with release notes (per options) and attaches the #cpan archive to the release.

Its great for ensuring that you create a GitHub Release when you release a new #perl module version to cpan.

It is likely rough so pull requests are welcome.

It supports:

Draft Releases
Obtaining release notes from the Change Log file, a specified file, the output of Dist::Zilla::Plugin::SignReleaseNotes or a generic release note generated by the module.
Attaching the cpan archive
Adding a checksum for the cpan archive to the release notes
specifying that the notes should be a code block (verbatim text)

Hope its useful...

Crypt::OpenSSL::SignCSR released

Timothy Legge — Sun, 02 Jul 2023 02:17:06 +0000

I released a new version of https://metacpan.org/pod/Crypt::OpenSSL::SignCSR a #perl module to allow you to sign a Certificate Signing Request (CSR) from perl. I was looking for a module to allow me to create a self signed certificate from perl directly and was not able to find one. I could have called the openssl command to create one but that seemed like cheating.

It's a XS based module which is a Frankenstein merger of #perl and #c that is fun to work with. Basically I grabbed the parts of OpenSSL C code that I needed and married it to #perl. It went very well and was a lot easier than I expected. I did have to spend some time tracking down issues with different OpenSSL versions but it does what I want.

Net::SAML2 0.60 TRIAL Released

Timothy Legge — Mon, 19 Sep 2022 15:31:47 +0000

The Perl Net::SAML2 module has been around a long time and although there have been some significant updates over the last several years, the last couple of releases have seen significant changes thanks to Wesley Schwengle.

With Net::SAML2 0.60-TRIAL however, there are multiple potentially BREAKING CHANGES depending on how you have written your application. Your application may need updates for this version.

Perl has always promoted test scripts to ensure that new versions were automatically tested with the same tests as old versions. In most cases a module will not ship if it breaks one of the existing test scripts. In this case, the changes serve to improve the functionality and the consistency of the functions.

BREAKING CHANGES

Support multiple signing keys in the metadata. This version attempts to ensure compatibility but the call to Net::SAML2::IdP->cert will return an array of certs for each $use. It is, however, likely that there will only be one cert in the array.
Net::SAML2::Binding::SOAP was improved. The call to Net::SAML2::Binding::SOAP->handle_request() now returns the XML whereas in the past it returned the certificate's subject and the xml as an array. This make it consistent with the Redirect and POST Bindings.
Net::SAML2::Binding::POST was also improved. Previously the call to Net::SAML2::Binding::POST->handle_response() returned inconsistent results depending on whether a cacert was provided. This version returns the XML of the decoded request.

Other Changes of note

Redirects now validate the raw URI that is passed to the call. It is assumed that the URI that your application has sent is unmodified from the response that the web server received. lighttpd in particular normalises the response and will break Redirects from Microsoft Azure.
SAML trust anchors were implemented and the verification of the SAML response was improved. It is possible to validate the response with subject, issuer or issuer_hash as anchors in addition to the cacert. Neither cacert nor anchors are required as long as the signature of the response is valid. The cacert has not been required for the Redirect or SOAP binding so this treats SOAP the same.

Required Application Updates

There were several changes to the test suite that will likely need to be made in your application:

To support metadata.xml containing multiple KeyDescriptors the call to Net::SAML2::IdP->cert($use) now returns an ARRAY.
As this is an helper function that is meant to allow you to pass the cert to another Net::SAML2 call it was deemed low risk. Your code may be unaffected.
The call to Net::SAML2::Binding::SOAP->handle_request() needs to be updated to reflect that it returns only the decoded XML not an array of the certificate Subject and XML.
The call to Net::SAML2::Binding::POST->handle_response() returned inconsistent results depending on whether a cacert was provided. This version returns the XML of the decoded request. Previously it returned either 1 for success or if a cacert was used either "(verified) and the certificate Subject" or 0 if the certificate verification failed.
The lighttpd.conf for the testapp did require a change to prevent it from "normalizing" a SAML Logout Redirect. There are contradictory RFCs concerning SAML and the "normalising" URIs. If you use lighttpd in a SAML application with AZURE as your SAML IdP see lighttpd.conf

Possible Impacts

It is worth noting that the testapp (that implements a rudimentary Service Provider) included in the git repo did not require any code changes to the application for this version.

While my setup tests against multiple IdPs I do not have a working SOAP IdP at present.

Net::SAML2 version 0.55 Released

Timothy Legge — Sat, 16 Apr 2022 01:11:58 +0000

Net::SAML2 is a Perl module that implements the SAML2 protocol for Perl Applications.

This release adds support for EncryptedAssertions via the XML::Enc module.

Support for EncryptedAssertions is automatic if an EncryptedAssertion is received but the call to Net::SAML2::Protocol::Assertion must provide a key_file and a cacert to decrypt the EncryptedAssertion and verify the Signature on the decrypted Assertion (if it is signed).

No changes are required for existing applications that do not use EncryptedAssertions.

If you have never implemented SAML2 in a Perl web application, there is an extensive tutorial that discusses how to implement Net::SAML2 using Foswiki's SamlLoginContrib as an example.

In addition, the git repo includes a testapp that makes it easy to test against multiple IdPs by simply adding a directory, named for the IdP, containing valid metadata.xml and cacert.pem files.

XML::Sig 0.57 Released

Timothy Legge — Fri, 15 Apr 2022 23:50:24 +0000

XML::Sig is a perl module to sign and verify XML Digital Signatures

This is a fairly minor release that addresses some test failures caused by the OpenSSL project choosing to "not load” the Legacy provider by default in version 3.

This effectively drops support for a number of very old and broken algorithms (at least by default) and that is a very good thing despite the negative impact on their users.

It does however make one wonder if it is not time for the XML Security Working Group to spin up and update the specifications for the changes from the last ten years.

XML::Enc 0.06 Released

Timothy Legge — Sun, 10 Apr 2022 14:46:28 +0000

XML::Enc is written to be a generic Encryption/Decryption module for XML. While it does not currently support all of the requirements of https://www.w3.org/TR/xmlenc-core/ it supports enough to encrypt and decrypt XML documents.

The trial version of Net::SAML2 0.54 uses XML:Enc to decrypt an EncryptedAssertion.

The latest version 0.06 is a minor version that simply increased the minimum required version of Crypt::AuthEnc::GCM to 0.062.

XML::Enc supports the following data encryption methods:

tripledes-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-gcm
aes192-gcm
aes256-gcm

XML::Enc supports the following Key Transport encryption methods:

rsa-1_5
rsa-oaep-mgf1p

Dist::Zilla::Plugin::SignReleaseNotes version 0.0006

Timothy Legge — Sun, 06 Feb 2022 15:52:05 +0000

Dist::Zilla::Plugin::SignReleaseNotes is a perl module to automatically create and gpg sign release notes as part of a Dist::Zilla release flow.

The release notes include all of the commits between the most recent tags in your git repository. It assumes that your Dist::Zilla flow is tagging the repo as part of the release process.

The produced Release-{version} file is created in the root of the module directory and includes the sha-256 hash of the file that is released to CPAN.

The use case is to simplify creating release notes on github and similar and to have a developer certified (via a gpg signature) sha256 hash of the file as it was uploaded to cpan. There has been more attention being paid to ensuring the authenticity of releases and this module is my way of helping that (but mostly simplifying my release process).

The following is a sample of the release notes created:

`
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Dist::Zilla::Plugin::SignReleaseNotes

Release 0.0006

Change Log

1e5d7ed v0.0006
dd458e2 Update version
3249fd6 Fix typo in sample

SHA256 hash of CPAN release

0266e366e2c975adc03a4de9109d80cb9aac8fc897419e8f3a72d54c60fb3a0b *Dist-Zilla-Plugin-SignReleaseNotes-0.0006.tar.gz