httpd-modules-dev mailing list archives

From Arturo 'Buanzo' Busleiman <bua...@buanzo.com.ar>
Subject OpenPGP Input Filter
Date Fri, 22 Jun 2007 22:26:32 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear group,

As some of you already know, I'm working on OpenPGP extensions to the HTTP protocol. I've created the Enigform Firefox extension, and its Apache counterpart, mod_auth_openpgp (which will be renamed to mod_openpgp in the near future).

I've already implemented the "sign" openpgp operation in Enigform, and the "verify" operation in mod_auth_openpgp, along with methods to import a public key from client to server.

The next step is server-side signing and both-sides encryption and decryption. For this I will be needing to input the passphrase to unlock the private key at the server side, but I will use mod_ssl's approach.

So, before implementing encryption at the browser-side, I've crafted an "OpenPGP encrypted http request", which looks like this (OpenPGP header modified for this email on purpose, so it does not trigger your PGP/GPG plugin)

=- cut here -=
POST /HTTP_OPENPGP_DECRYPT
Host: localhost

- -----BEGIN*PGP*MESSAGE-----
Version: GnuPG v1.4.7 (GNU/Linux)
=OPnL
- -----END*PGP*MESSAGE-----
=- cut here -=

When the "localhost" virtualhost gets that request, an input filter should be called by a handler I've set up for location /HTTP_OPENPGP_DECRYPT within mod_openpgp. The "host" header must not be encrypted, so server-wide openpgp decryption shouldn't be needed. The encrypted text is the following HTTP request:

=- cut here -=
POST /pba/test.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (example)
Accept: text/html, blahblah
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/pba/index.html
X-OpenPGP-Type: S
X-OpenPGP-Sig-Fields: body
X-OpenPGP-Sig: iD8DBQFGflnpw7MFlotPrwCeKb0qqa5Vt6eaPVaqHuUG2SVHz/c==B/eo
X-OpenPGP-Digest-Algo: SHA1
X-OpenPGP-Version: GnuPG v1.4.7 (GNU/Linux)
X-OpenPGP-Agent: Enigform 0.8.1 for Mozilla Firefox
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

variable=dsadas
=- cut here -=

As you can see, it is also an OpenPGP-signed request, with the same Host: line, but with a different request line, headers and body. That's the REAL request, that should be input into Apache, the response be obtained and returned (encrypted, but we can work on that once decryption is ready) to the browser.

So, at first I thought a subrequest would do the job, but then it seemed to me that another approach was better: decrypt, parse cleantext's http headers and add them to r->headers_in, then replace body with the cleantext body (variable=dsadas).

As this is BIG stuff, I thought the people at modules_dev would be interested in providing their views, insults, etc.

If this is too off-topic or too long a thread, I have a forum to discuss enigform and mod_auth_openpgp development, but I believe this question should be discussed here. In any case, the URL is: http://foros.buanzo.com.ar/viewforum.php?f=35

mod_auth_openpgp: http://freshmeat.net/projects/maopenpgp
Enigform: http://freshmeat.net/projects/maopenpgp and http://addons.mozilla.org

Sincerely,
Buanzo

PS: Nick, chapter 8 of your book is definitely GREAT :)

- --
Arturo "Buanzo" Busleiman - Consultor Independiente en Seguridad Informatica
Free Music: http://www.buanzo.com.ar/files/buanzo-ultimamente.ogg
Consulting and Secure Mail Hosting: http://www.buanzo.com.ar/pro/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGfEyYAlpOsGhXcE0RCu/hAJ4kSclrwZ/VGXjPAq5hg6Ec07aDVwCfahib
o40Zc5MSVvXEao9RFVqDnj4=
=Tgsw
-----END PGP SIGNATURE-----
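
The "decrypt, parse the cleartext's headers, then replace the body" step described in the message, as an added example that is not part of the original post and is not mod_openpgp code. It assumes the cleartext is already decrypted into a mutable, NUL-terminated buffer with a text body; `inner_req`, `ieq`, `parse_inner`, the return codes and the two consistency checks (inner Host equals the unencrypted outer Host, Content-Length equals the decrypted body length) are choices of this example, meant to run before anything is copied into `r->headers_in`.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical result type for this example; not a mod_openpgp structure. */
typedef struct { char method[16], uri[256]; long clen; const char *body; } inner_req;
static int ieq(const char *a, const char *b)   /* ASCII case-insensitive equality */
{
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) a++, b++;
    return *a == *b;
}

/* msg is split in place. Returns 0 if acceptable, -1 malformed, -2 inner Host
 * differs from the outer Host, -3 Content-Length disagrees with the body. */
int parse_inner(char *msg, const char *outer_host, inner_req *out)
{
    char *ln = msg, *eol, *colon, *val, *stop, ver[2], junk;
    int lineno = 0, hosts = 0, clens = 0;
    out->clen = 0;
    for (;; ln = eol + 2, lineno++) {
        if (!(eol = strstr(ln, "\r\n"))) return -1;    /* headers never terminated */
        *eol = '\0';
        if (eol == ln) break;                           /* blank line: body follows */
        if (strpbrk(ln, "\r\n")) return -1;             /* bare CR or LF inside a line */
        if (lineno == 0) {                              /* request line, strict form */
            if (sscanf(ln, "%15s %255s HTTP/1.%1[01]%c", out->method, out->uri, ver, &junk) != 3) return -1;
            continue;
        }
        colon = strchr(ln, ':');
        if (!colon || colon == ln || *ln == ' ' || *ln == '\t') return -1;
        *colon = '\0';
        for (val = colon + 1; *val == ' ' || *val == '\t'; val++) ;
        if (ieq(ln, "Host")) {
            if (hosts++) return -1;                     /* more than one Host */
            if (!ieq(val, outer_host)) return -2;
        } else if (ieq(ln, "Content-Length")) {
            out->clen = strtol(val, &stop, 10);
            if (clens++ || !isdigit((unsigned char)*val) || *stop) return -1;
        }
    }
    if (lineno == 0 || !hosts) return -1;
    out->body = eol + 2;
    if ((size_t)out->clen != strlen(out->body)) return -3;
    return 0;
}

/* Constructed sample, shortened from the inner request shown in the post. */
static char SAMPLE[] = "POST /pba/test.php HTTP/1.1\r\nHost: localhost\r\nContent-Length: 15\r\n\r\nvariable=dsadas";
int main(void) { inner_req r; return parse_inner(SAMPLE, "localhost", &r) ? 1 : 0; }
```

Only a cleartext that returns 0 would go on to have its headers merged and its body substituted; a binary body would need an explicit length instead of `strlen`.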
