Mailing List Archive

decrypt the posted content
hello

My client posts the data body, which is encrypted with a public key.
The private key is deployed on the web server, powered by mp2.
How can I correctly decrypt the data with private key from within
modperl handler?

Thank you.
Re: decrypt the posted content
On 20.11.2019 10:26, Tillman Peng wrote:
> hello
>
> My client posts the data body, which is encrypted with a public key.
> The private key is deployed on the web server, powered by mp2.
> How can I correctly decrypt the data with private key from within modperl handler?
>

Hi.
Do you have a separate command-line program on the server which can decrypt that content ?
If yes : if you do not find an appropriate perl module to do this decryption, your
mod_perl handler can always execute that external program using the system() function.
(See : https://perldoc.perl.org/5.30.0/functions/system.html)

General idea :
- get the encrypted content from the request
- write this encrypted content to a file in some appropriate work directory on the server
- compose the external command that reads the encrypted data, and writes the decrypted
content to a file
- execute that command with system()
- check for errors
- read the decrypted results file
- clean up

If you end up using this method, and you are doing this from within an Apache/mod_perl
handler, you have to be extra careful about many aspects, such as :
- catching any errors which may happen in the external program, and interpreting them
correctly in the calling module.
- logging the errors properly, so that if "it doesn't work", you can find out why
- taking into account that your webserver may receive several simultaneous requests for
such content, and thus that there may be several instances of that external command
running at the same time (think about the temporary files that you may need, and make sure
that each instance uses its own unique files)
- cleaning up after successfully running the command
- maybe selectively "not cleaning up" if there were any problems, so that you can inspect
what happened
- check permissions (the external program will run under the same user-id as the
webserver, so whatever it writes, must be in a directory writeable by the webserver)
- verify that the external command cannot be running for too long, causing the client to
time-out waiting for a response, and closing the connection to the webserver
- make extra sure that the client cannot, through some malicious use of the parameters
that it sends to the server (e.g. filenames), result in damage on your server
(e.g. system("program > /etc/passwd"))
- etc.

If you prefer to use a perl module to do the decryption, you will have to look at what is
available on CPAN. Most modules that relate to encryption/decryption are in the "Crypt"
namespace, such as : https://metacpan.org/search?q=crypt%3A%3A
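
The "general idea" and the cautions listed in the reply above, as an added Perl example (not code from the thread or from mod_perl). It assumes `openssl pkeyutl` as the external decryption program, a hypothetical key path and work directory, and a prefork server where `alarm` is usable:

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use POSIX ();

# Assumptions, not from the thread: tool, key path, work directory, timeout.
my @DECRYPT   = ('/usr/bin/openssl', 'pkeyutl', '-decrypt',
                 '-inkey', '/etc/myapp/private.pem');
my $WORK_ROOT = '/var/tmp/myapp-decrypt';   # must be writable by the web server user
my $TIMEOUT   = 10;                         # seconds

sub decrypt_body {
    my ($ciphertext) = @_;
    # Unique 0700 directory per request; file names are generated here,
    # never taken from anything the client sent.
    my $dir = tempdir('req-XXXXXXXX', DIR => $WORK_ROOT, CLEANUP => 0);
    my ($in, $out) = ("$dir/in.bin", "$dir/out.bin");
    open my $wfh, '>:raw', $in or die "cannot write $in: $!\n";
    print {$wfh} $ciphertext;
    close $wfh or die "cannot close $in: $!\n";

    # fork + list-form exec: no shell runs, so metacharacters are never interpreted.
    my $pid = fork();
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {
        exec { $DECRYPT[0] } @DECRYPT, '-in', $in, '-out', $out or POSIX::_exit(127);
    }

    # Bound the run time; kill the child if it overruns, then reap it.
    my $timed_out = 0;
    local $SIG{ALRM} = sub { $timed_out = 1; kill 'KILL', $pid };
    alarm $TIMEOUT;
    waitpid $pid, 0;
    my $status = $?;
    alarm 0;
    if ($timed_out || $status != 0) {
        my $why = $timed_out      ? "timed out after ${TIMEOUT}s"
                : ($status & 127) ? 'killed by signal ' . ($status & 127)
                :                   'exit code ' . ($status >> 8);
        # Work files are kept for inspection (they may hold sensitive data).
        die "decrypt failed: $why; work files kept in $dir\n";
    }

    open my $rfh, '<:raw', $out or die "cannot read $out: $!\n";
    my $plaintext = do { local $/; <$rfh> };
    close $rfh;
    unlink $in, $out; rmdir $dir;           # clean up only after success
    return $plaintext;
}
```

In a handler, call `decrypt_body` inside `eval` and write `$@` to the error log on failure, so the client only sees a generic error.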
Re: decrypt the posted content -- shell processes
You may want to consider using $r->spawn_proc_prog() instead of the
system() function to spawn external processes -- I've had really good
success with this in my projects:

Apache2::SubProcess -- Executing SubProcesses under mod_perl
https://perl.apache.org/docs/2.0/api/Apache2/SubProcess.html

This will essentially do the same thing as system() for you, but
it's part of mod_perl2. It also conveniently returns a set of file
handles that are immediately useful:

my ($in_fh, $out_fh, $err_fh) = $r->spawn_proc_prog($command);

Please also check the documentation (linked above) for variations on
what can be returned, and details for adding command-line arguments.

I hope this helps.

> On 20.11.2019 10:26, Tillman Peng wrote:
> > hello
> >
> > My client posts the data body, which is encrypted with a public key.
> > The private key is deployed on the web server, powered by mp2.
> > How can I correctly decrypt the data with private key from within modperl handler?
> >
>
> Hi.
> Do you have a separate command-line program on the server which can decrypt that content ?
> If yes : if you do not find an appropriate perl module to do this decryption, your
> mod_perl handler can always execute that external program using the system() function.
> (See : https://perldoc.perl.org/5.30.0/functions/system.html)
>
> General idea :
> - get the encrypted content from the request
> - write this encrypted content to a file in some appropriate work directory on the server
> - compose the external command that reads the encrypted data, and writes the decrypted
> content to a file
> - execute that command with system()
> - check for errors
> - read the decrypted results file
> - clean up
>
> If you end up using this method, and you are doing this from within an Apache/mod_perl
> handler, you have to be extra careful about many aspects, such as :
> - catching any errors which may happen in the external program, and interpreting them
> correctly in the calling module.
> - logging the errors properly, so that if "it doesn't work", you can find out why
> - taking into account that your webserver may receive several simultaneous requests for
> such content, and thus that there may be several instances of that external command
> running at the same time (think about the temporary files that you may need, and make sure
> that each instance uses its own unique files)
> - cleaning up after successfully running the command
> - maybe selectively "not cleaning up" if there were any problems, so that you can inspect
> what happened
> - check permissions (the external program will run under the same user-id as the
> webserver, so whatever it writes, must be in a directory writeable by the webserver)
> - verify that the external command cannot be running for too long, causing the client to
> time-out waiting for a response, and closing the connection to the webserver
> - make extra sure that the client cannot, through some malicious use of the parameters
> that it sends to the server (e.g. filenames), result in damage on your server
> (e.g. system("program > /etc/passwd"))
> - etc.
>
> If you prefer to use a perl module to do the decryption, you will have to look at what is
> available on CPAN. Most modules that relate to encryption/decryption are in the "Crypt"
> namespace, such as : https://metacpan.org/search?q=crypt%3A%3A
>
>
>


Randolf Richardson - randolf@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Beautiful British Columbia, Canada
https://www.inter-corporate.com/