Mailing List Archive

Decryption through CGI/Perl script
Hi All,

I'm working on a CGI script in Perl that would allow users to decrypt
GnuPG-encrypted files on the web. (I'm trying to avoid the hassle of
guiding them through the process of setting up and using PGP on their
Windows machines and also to accommodate Mac users.) Users are
presented with a web form asking them to submit their passphrase.
(Transmission would take place under SSL.) The script then inserts
the passphrase into a GnuPG command and executes the command by
opening a pipe (or using backticks, or a system call, etc.) to the
gpg executable.

I should note that my web site is being hosted remotely and our
sysadm isn't particularly flexible. To get GnuPG working at all, I
picked up a copy of the compiled gpg executable from another
subscriber to this list, Greg McKean, and uploaded pubring.gpg,
secring.gpg, and trustdb.gpg to the server after creating them on my
local Windows machine.

From browsing the mailing list archive, I cobbled together a
bare-bones test script (see below). I have no problem creating an
encrypted file. Moreover, I'm able to download the file to my local
machine and decrypt it there. However, as you may have guessed,
providing the passphrase to gpg has tripped me up. When I run the
script below for decryption, I get the following error message:

gpg: encrypted with 1024-bit ELG-E key, ID E91E3613, created 2000-05-02
"test1 (Test) <mark@web-crafter.net>"
gpg: public key decryption failed: bad passphrase
gpg: decryption failed: secret key not available

Is there a way around this, or does it make more sense to retreat and
declare victory? (BTW, if I were managing my own server I'd take a
look at the GnuPG-Interface module Frank Tobin has put together. See
http://GnuPG-Interface.sourceforge.net/ . Very impressive.)

Best,
Mark Malkasian


#!/usr/local/bin/perl
use strict;
use warnings;

$| = 1;

print "Content-type: text/html\n\n";

my $gpg_path = "$ENV{DOCUMENT_ROOT}/cgi-local/gnupg/gpg";
my $gpg_config_files = "$ENV{DOCUMENT_ROOT}/cgi-local/gnupg";
$ENV{"GNUPGHOME"} = $gpg_config_files;

my $gpg_command;

# To encrypt a test file, uncomment the line below.
# $gpg_command = "$gpg_path -r test1 --output /u/web/myuserid/test.gpg --encrypt /u/web/myuserid/test.txt";

# Decrypt, reading the passphrase from the file "test" on fd 0 (shell redirection).
$gpg_command = "$gpg_path --batch --passphrase-fd 0 --output /u/web/myuserid/decrypt.txt --decrypt /u/web/myuserid/test.gpg < test";

# Execute command. Capture STDOUT and STDERR and print it to screen.
my $output = '';
open(READ, "$gpg_command 2>&1 |") or die "Failure on open $!\n";
while (<READ>)
{
    $output .= $_;
}
# A non-zero gpg exit makes close() return false; report it but still show the captured output.
close (READ) or warn "gpg exited with status " . ($? >> 8) . "\n";
print $output;
-------------------------
Mark Malkasian
mark@web-crafter.net
http://www.web-crafter.net
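As an added example (not part of the original post, and not code from GnuPG-Interface), here is the decryption step rewritten so the passphrase is handed to gpg over a pipe with IPC::Open3 instead of being staged in a file on the shared host and spliced into a shell command string. Because the command is passed as a list, no shell parses it, the passphrase never appears in argv or in a file, and gpg's exit status and diagnostics are returned separately from the plaintext. The gpg path, GNUPGHOME and ciphertext path are the ones the original script uses and are assumptions; the stand-alone driver at the bottom reads the passphrase from its own stdin, where the CGI version would take the POSTed form field.

```perl
#!/usr/bin/perl
# Added example: feed a GnuPG passphrase to gpg through a pipe (fd 0) without
# involving a shell. Not the original poster's script.
use strict;
use warnings;
use IPC::Open3;
use Symbol 'gensym';

# Assumed paths, taken from the original script; adjust for your host.
my $gpg_path   = "$ENV{DOCUMENT_ROOT}/cgi-local/gnupg/gpg";
my $gnupghome  = "$ENV{DOCUMENT_ROOT}/cgi-local/gnupg";
my $cipherfile = "/u/web/myuserid/test.gpg";

# Returns (exit_status, plaintext, diagnostics). The passphrase is written to
# gpg's stdin, which --passphrase-fd 0 tells gpg to read it from; it never
# touches the command line, a shell, or a file on disk.
sub gpg_decrypt {
    my ($gpg, $home, $file, $passphrase) = @_;

    # gpg reads the passphrase up to the first newline, so a form value with an
    # embedded line break would be silently truncated. Refuse it instead.
    return (-1, '', "passphrase must not contain line breaks\n")
        if $passphrase =~ /[\r\n]/;

    local $ENV{GNUPGHOME} = $home;

    # List-form open3: the arguments go straight to execve, so there is no
    # quoting to get wrong and nothing for a hostile input to inject into.
    my ($to_gpg, $from_gpg, $gpg_err) = (undef, undef, gensym);
    my $pid = open3($to_gpg, $from_gpg, $gpg_err,
                    $gpg, '--batch', '--no-tty', '--passphrase-fd', '0',
                    '--decrypt', $file);

    print {$to_gpg} "$passphrase\n";
    close $to_gpg;    # EOF on fd 0 tells gpg the passphrase is complete

    # Read the plaintext first, then the diagnostics. gpg writes only a few
    # lines to stderr, far less than a pipe buffer, so sequential reads are safe.
    my $plaintext = do { local $/; <$from_gpg> };
    my $diag      = do { local $/; <$gpg_err> };
    close $from_gpg;
    close $gpg_err;

    waitpid($pid, 0);
    my $status = $? >> 8;
    $plaintext = '' unless defined $plaintext;
    $diag      = '' unless defined $diag;
    return ($status, $plaintext, $diag);
}

# Stand-alone driver: read the passphrase from this script's own stdin.
# In the CGI version this value comes from the POSTed form field instead.
my $passphrase = <STDIN>;
$passphrase = '' unless defined $passphrase;
chomp $passphrase;

my ($status, $plaintext, $diag) =
    gpg_decrypt($gpg_path, $gnupghome, $cipherfile, $passphrase);

print "Content-type: text/plain\n\n";
if ($status == 0) {
    print $plaintext;
} else {
    # Report gpg's own message; never echo the passphrase back to the client.
    print "gpg exited with status $status\n$diag";
}
```

A wrong passphrase makes gpg exit non-zero with its "bad passphrase" line in the diagnostics, so the caller can distinguish that from a missing secret key or an unreadable file without parsing mixed output. With GnuPG 2.1 and later, `--passphrase-fd` is only honoured when `--pinentry-mode loopback` is also given; the gpg 1.0.x build discussed in this thread does not know that option, so add it only for a 2.x binary.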
Re: Decryption through CGI/Perl script
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark Malkasian, at 16:37 -0400 on Tue, 2 May 2000, wrote:

> Is there a way around this, or does it make more sense to retreat and
> declare victory? (BTW, if I were managing my own server I'd take a
> look at the GnuPG-Interface module Frank Tobin has put together. See
> http://GnuPG-Interface.sourceforge.net/ . Very impressive.)

<blush/>

Why can't you use this without managing your server? Just install to a
private path, and make sure you 'use lib'.

- --
Frank Tobin http://www.uiuc.edu/~ftobin/

"To learn what is good and what is to be valued,
those truths which cannot be shaken or changed." Myst: The Book of Atrus

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (FreeBSD)
Comment: pgpenvelope 2.8.4 - http://pgpenvelope.sourceforge.net/

iEYEARECAAYFAjkPUSQACgkQVv/RCiYMT6PjDACff3tiOliAErWY70d0AXgz7T3n
3oAAoLC+zttXckhbKNrN4BRvDIIpNT7A
=S4Pi
-----END PGP SIGNATURE-----
Re: Decryption through CGI/Perl script
I'm hoping to apply this to a small online ordering system for
history books (i.e., a low-volume site). When a customer places
his/her order, the info (including credit card details) would be
saved as an encrypted file. (At the same time, an unencrypted e-mail,
without cc details, would be sent to the site administrator informing
him of the order.) Each day, the site administrator would retrieve
the orders through the web form outlined below. The program would be
password-protected and operate under SSL. The decrypted output
wouldn't actually be printed to a file. (That's for testing
purposes.) Rather, it would be displayed on the site administrator's
screen. He would then print a copy on his office printer and delete
the encrypted file. Then, he'd be able to process the credit card
info at his convenience. No, it's not a solution I'd recommend for
Amazon.com, but we're talking about a site that would be very happy
to get 100 orders a month.
Best,
Mark Malkasian

>
>How does this provide the user any security at all? I'm failing to see
>this.
>
>On Tue, 2 May 2000, Mark Malkasian wrote:
>
> > Hi All,
> >
> > I'm working on a CGI script in Perl that would allow users to decrypt
> > GnuPG-encrypted files on the web. (I'm trying to avoid the hassle of
> > guiding them through the process of setting up and using PGP on their
> > Windows machines and also to accommodate Mac users.) Users are
> > presented with a web form asking them to submit their passphrase.
> > (Transmission would take place under SSL.) The script then inserts
> > the passphrase into a GnuPG command and executes the command by
> > opening a pipe (or using backticks, or a system call, etc.) to the
> > gpg executable.
> >
> > I should note that my web site is being hosted remotely and our
> > sysadm isn't particularly flexible. To get GnuPG working at all, I
> > picked up a copy of the compiled gpg executable from another
> > subscriber to this list, Greg McKean, and uploaded pubring.gpg,
> > secring.gpg, and trustdb.gpg to the server after creating them on my
> > local Windows machine.
> >
> > From browsing the mailing list archive, I cobbled together a
> > bare-bones test script (see below). I have no problem creating an
> > encrypted file. Moreover, I'm able to download the file to my local
> > machine and decrypt it there. However, as you may have guessed,
> > providing the passphrase to gpg has tripped me up. When I run the
> > script below for decryption, I get the following error message:
> >
> > gpg: encrypted with 1024-bit ELG-E key, ID E91E3613, created 2000-05-02
> > "test1 (Test) <mark@web-crafter.net>"
> > gpg: public key decryption failed: bad passphrase
> > gpg: decryption failed: secret key not available
> >
> > Is there a way around this, or does it make more sense to retreat and
> > declare victory? (BTW, if I were managing my own server I'd take a
> > look at the GnuPG-Interface module Frank Tobin has put together. See
> > http://GnuPG-Interface.sourceforge.net/ . Very impressive.)
> >
> > Best,
> > Mark Malkasian
> >
> >
> > #!/usr/local/bin/perl
> >
> > $| = 1;
> >
> > print "Content-type: text/html\n\n";
> >
> > $gpg_path = "$ENV{DOCUMENT_ROOT}/cgi-local/gnupg/gpg";
> > $gpg_config_files = "$ENV{DOCUMENT_ROOT}/cgi-local/gnupg";
> > $ENV{"GNUPGHOME"} = $gpg_config_files;
> >
> > # To encrypt a test file, uncomment the line below.
> > # $gpg_command = "$gpg_path -r test1 --output
> > /u/web/myuserid/test.gpg --encrypt /u/web/myuserid/test.txt";
> >
> > $gpg_command = "$gpg_path --batch --passphrase-fd 0 --output
> > /u/web/myuserid/decrypt.txt --decrypt /u/web/myuserid/test.gpg <
> > test";
> >
> > # Execute command. Capture STDOUT and STDERR and print it to screen.
> > open(READ, "$gpg_command 2>&1 |") or die "Failure on open $!\n";
> > while (<READ>)
> > {
> > $output .= $_;
> > }
> > close (READ) or die "Failure on close $!\n";
> > print $output;
> > -------------------------
> > Mark Malkasian
> > mark@web-crafter.net
> > http://www.web-crafter.net
> >
>
>__
>
>L. Sassaman
>
>System Administrator |
>Technology Consultant | "To hold a pen is to be at war."
>icq.. 10735603 |
>pgp.. finger://ns.quickie.net/rabbi | --Voltaire

-------------------------
Mark Malkasian
mark@web-crafter.net
http://www.web-crafter.net
Re: Decryption through CGI/Perl script
Actually, I'm trying that out right now. The problem is that many of
the modules called by GnuPG-Interface haven't been loaded by our
sysadmin, partly for security reasons, partly from indifference. I
may end up trying to cut away a piece of your work, hopefully without
mangling it too much. To use the entire module is kind of like firing
up a Ferrari to drive to the corner grocery store.
Thanks,
Mark Malkasian

>Mark Malkasian, at 16:37 -0400 on Tue, 2 May 2000, wrote:
>
> > Is there a way around this, or does it make more sense to retreat and
> > declare victory? (BTW, if I were managing my own server I'd take a
> > look at the GnuPG-Interface module Frank Tobin has put together. See
> > http://GnuPG-Interface.sourceforge.net/ . Very impressive.)
>
><blush/>
>
>Why can't you use this without managing your server? Just install to a
>private path, and make sure you 'use lib'.
>
>- --
>Frank Tobin http://www.uiuc.edu/~ftobin/
>
>"To learn what is good and what is to be valued,
>those truths which cannot be shaken or changed." Myst: The Book of Atrus

-------------------------
Mark Malkasian
mark@web-crafter.net
http://www.web-crafter.net
Re: Decryption through CGI/Perl script
We're up to 5.00502 but Class::MethodMaker is not installed, or at
least not available to the web hosting public. Of course, I can
always add it to my local library of modules, but you can see how a
simple job can quickly escalate into a major headache.
Best,
Mark Malkasian

>Mark Malkasian, at 22:02 -0400 on Tue, 2 May 2000, wrote:
>
> > Actually, I'm trying that out right now. The problem is that many of
> > the modules called by GnuPG-Interface haven't been loaded by our
> > sysadmin, partly for security reasons, partly from indifference. I
> > may end up trying to cut away a piece of your work, hopefully without
> > mangling it too much. To use the entire module is kind of like firing
> > up a Ferrari to drive to the corner grocery store.
>
>Hmm, the only module that GnuPG::Interface needs that doesn't come bundled
>with Perl 5.0005 is Class::MethodMaker, which is sorta vital to the whole
>system. Don't tell me your sysadmin isn't using Perl 5.005; that would be
>a shame.
>
>--
>Frank Tobin http://www.uiuc.edu/~ftobin/
>
>"To learn what is good and what is to be valued,
>those truths which cannot be shaken or changed." Myst: The Book of Atrus

-------------------------
Mark Malkasian
mark@web-crafter.net
http://www.web-crafter.net