Security Advisories (2)
CVE-2026-8507 (2026-05-17)

Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out-of-bounds (OOB) write flaws. When a PKCS12 file with a >= 1 GiB OCTET STRING (or BIT STRING) attribute on a SAFEBAG is parsed via info() or info_as_hash(), a heap out-of-bounds write is triggered, with remote-code-execution (RCE) potential, due to a signed integer overflow in the size calculation passed to Renew().
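The overflow described above, modelled in a self-contained C example added here (this is not the module's own code). It assumes, for illustration, that the buffer size is derived from the attacker-controlled ASN.1 length as 2*len + 1 bytes; the flawed variant does the arithmetic in int and wraps at exactly the 1 GiB threshold the advisory names, while the checked variant uses size_t, bounds the length against the bytes actually available and refuses rather than returning a wrapped size.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the flawed size calculation (illustration, not the module's
 * code): an attacker-controlled ASN.1 length `len` becomes a buffer size
 * of 2*len + 1 bytes (assumed: one hex pair per byte plus a NUL) that is
 * then handed to Renew(). */

/* Flawed variant: the arithmetic is done in int. For len >= 2^30 (1 GiB)
 * the value 2*len + 1 exceeds INT_MAX. The wrap is made explicit through
 * uint32_t so the demonstration is deterministic instead of undefined. */
static int flawed_buf_size(int len)
{
    uint32_t wrapped = (uint32_t)len * 2u + 1u;
    return (int32_t)wrapped;   /* negative for 1 GiB <= len < 2 GiB */
}

/* The threshold from the advisory: 2*len + 1 > INT_MAX first happens
 * at len = 2^30, i.e. exactly 1 GiB. */
static bool overflows_int(size_t len)
{
    return len > ((size_t)INT_MAX - 1) / 2;
}

/* Hardened variant: size_t arithmetic, the declared length is checked
 * against the bytes actually present in the input (`avail`), and the
 * multiplication is guarded against wrap. Returns false on rejection. */
static bool checked_buf_size(size_t len, size_t avail, size_t *out)
{
    if (len > avail)
        return false;            /* length claims more data than exists */
    if (len > (SIZE_MAX - 1) / 2)
        return false;            /* 2*len + 1 would wrap */
    *out = len * 2 + 1;
    return true;
}

int main(void)
{
    size_t len = (size_t)1 << 30, n;
    printf("flawed size for 1 GiB : %d\n", flawed_buf_size((int)len));
    printf("crosses INT_MAX       : %d\n", overflows_int(len));
    printf("checked (4 KiB input) : %s\n",
           checked_buf_size(len, 4096, &n) ? "ok" : "rejected");
    return 0;
}
```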

CVE-2026-8721 (2026-05-17)

Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncate passwords with embedded NULs. Password parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen, so the Perl string length is discarded. The C code (or OpenSSL internally) then calls strlen() on the buffer, and any password byte at or after the first NUL is silently dropped. Binary, KDF-derived or HMAC-derived passwords therefore lose entropy without any warning.

NAME

Crypt::OpenSSL::PKCS12 - Perl extension to OpenSSL's PKCS12 API.

SYNOPSIS

  use Crypt::OpenSSL::PKCS12;

  my $pkcs12 = Crypt::OpenSSL::PKCS12->new_from_file('cert.p12');

  print $pkcs12->certificate();

  if ($pkcs12->mac_ok()) {
	....

ABSTRACT

Crypt::OpenSSL::PKCS12 - Perl extension to OpenSSL's PKCS12 API.

DESCRIPTION

This implements a small part of OpenSSL's PKCS12 API.

EXPORT

None by default.

On request:

NOKEYS NOCERTS INFO CLCERTS CACERTS

SEE ALSO

OpenSSL(1), Crypt::OpenSSL::X509, Crypt::OpenSSL::RSA, Crypt::OpenSSL::Bignum

AUTHOR

Dan Sully, <daniel@cpan.org>

COPYRIGHT AND LICENSE

Copyright 2004 by Daniel Sully

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.