Posted to modules-dev@httpd.apache.org by Arturo 'Buanzo' Busleiman <bu...@buanzo.com.ar> on 2007/04/07 18:56:19 UTC

Introducing mod_enigform.


Hi group,

	I'm the author of a Mozilla Firefox extension called "Enigform" (http://enigform.mozdev.org), which
enhances HTTP by adding a set of OpenPGP-* headers to outgoing requests, providing
OpenPGP-compatible digital signing of them. This allows web applications to authenticate data and
identity.

	Currently, I provide a simple PHP function to check all that from the server side, but I'm starting
the development of an apache auth module, and that's why I'm here.

	So, if anyone is interested in collaborating with me to make this goal, just let me know!

	So, as this authentication module will not ask for a username and password, just validate against
the request's OpenPGP headers, request payload, and local gpg keyring via gpgme. Anything you think
of I should be previewing?

	Sincerely,
	Buanzo

--
Arturo "Buanzo" Busleiman - Independent Information Security Consultant
Foros GNU/Buanzo: Respect, Solutions and Good Vibes: http://foros.buanzo.com.ar
Consulting and Secure Mail Hosting: http://www.buanzo.com.ar/pro/

Re: Introducing mod_enigform.

Posted by Arturo 'Buanzo' Busleiman <bu...@buanzo.com.ar>.

William A. Rowe, Jr. wrote:
> It's non-trivial but is the best example, I'd point you to FakeBasicAuth
> in mod_ssl.

It's a GREAT example. I'm now there: ssl_engine_kernel.c line 1149:

/*
 *  Auth Handler:
 *  Fake a Basic authentication from the X509 client certificate.
 *
 *  This must be run fairly early on to prevent a real authentication from
 *  occurring, in particular it must be run before anything else that
 *  authenticates a user.  This means that the Module statement for this
 *  module should be LAST in the Configuration file.
 */

It even fakes a password :P

Thanks Will!

Re: Introducing mod_enigform.

Posted by Arturo 'Buanzo' Busleiman <bu...@buanzo.com.ar>.

Hi Karl, thanks for your input:

Karl Southern wrote:
> This might be off at a bit of a tangent, but I'd love to test this out
> and I'd be interested in seeing some sort of provision for redirection
> or something, if the signing isn't available. Possibly a little out of
> scope as this is achievable through mod_rewrite.

Well, I guess it wouldn't be difficult to add a parameter to specify a redirection
URL for certain cases. Like, a URL to redirect to when the request is not signed, another when
verification fails, but in any case I'm adding some headers to the request that can
tell a web application (or other modules) the verification status, etc. Of course, my module removes
any of those headers from incoming requests, to avoid spoofing.

> What I'd really love to see is support for mod_dbd, etc. so that keys
> could be stored in a database and yanked from there.

Never heard of it. Could you contact me offlist, or onlist if appropriate, so we can discuss it?

> Also off at a giant tangent, are there any plans for a signed response in
> the specs (I assume this would require a fully buffered response, which
> would be rather "expensive")? If so, any plans on this module supporting
> that?

Signing responses is a matter of adding the required headers to the outgoing reply, so, as long as
they're added before any other output, no buffering seems necessary (at least from an 'outside
modules' perspective). I guess that would probably fall into another module, or in a PHP Class, or
similar.

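Added example, not code from the thread or from mod_auth_openpgp: a Python sketch of the request-side plumbing described above (strip client-supplied status headers, distinguish "unsigned" from "failed" for per-case redirects) combined with the FakeBasicAuth idea from the earlier reply. The header names OpenPGP-Signature and X-OpenPGP-*, the signed-material layout and the outcome names are assumptions; the `verify` callable stands in for the gpgme check against the local keyring, and the fixed password `password` is the word mod_ssl's FakeBasicAuth uses.

```python
import base64
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed names: the thread only says Enigform adds "OpenPGP-*" request headers
# and that the module sets status headers of its own for downstream consumers.
SIG_HEADER = "OpenPGP-Signature"   # assumed: the client's armored signature
STATUS_PREFIX = "X-OpenPGP-"       # assumed: namespace only the module may write
FAKE_PASSWORD = "password"         # the fixed word mod_ssl's FakeBasicAuth uses

# verify(signed_material, signature) -> key user id, or None on failure.
# In the real module this is the gpgme check against the local keyring.
Verifier = Callable[[bytes, str], Optional[str]]

@dataclass
class Decision:
    status: str                     # "unsigned" | "verified" | "failed"
    headers: Dict[str, str]         # request headers after sanitising/annotating
    redirect: Optional[str] = None  # per-outcome redirect URL, if configured

def signed_material(headers: Dict[str, str], body: bytes) -> bytes:
    """Assumed layout of what the client signed: every OpenPGP-* header except
    the signature itself, sorted case-insensitively, one per line, then the body."""
    lines = [f"{k}: {v}" for k, v in sorted(headers.items(), key=lambda kv: kv[0].lower())
             if k.lower().startswith("openpgp-") and k.lower() != SIG_HEADER.lower()]
    return ("\n".join(lines) + "\n").encode() + body

def authenticate(headers: Dict[str, str], body: bytes, verify: Verifier,
                 redirects: Optional[Dict[str, str]] = None) -> Decision:
    redirects = redirects or {}
    # 1. Strip anything the client sent in the module's own namespace. Status
    #    headers must originate here, or a client could simply claim "verified".
    clean = {k: v for k, v in headers.items()
             if not k.lower().startswith(STATUS_PREFIX.lower())}
    sig = next((v for k, v in clean.items() if k.lower() == SIG_HEADER.lower()), None)
    if sig is None:                 # unsigned request: its own outcome and redirect
        clean[STATUS_PREFIX + "Status"] = "unsigned"
        return Decision("unsigned", clean, redirects.get("unsigned"))
    uid = verify(signed_material(clean, body), sig)
    if uid is None:                 # signature present but did not verify
        clean[STATUS_PREFIX + "Status"] = "failed"
        return Decision("failed", clean, redirects.get("failed"))
    # 2. FakeBasicAuth-style: give downstream authz a username with a
    #    placeholder password, so no real credential is ever asked for.
    clean[STATUS_PREFIX + "Status"] = "verified"
    clean[STATUS_PREFIX + "UserID"] = uid
    cred = f"{uid}:{FAKE_PASSWORD}".encode()
    clean["Authorization"] = "Basic " + base64.b64encode(cred).decode()
    return Decision("verified", clean, None)
```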

mod_auth_openpgp alpha (was Re: Introducing mod_enigform.)

Posted by Arturo 'Buanzo' Busleiman <bu...@buanzo.com.ar>.

Hi guys!

I just wanted to let you know that the first ALPHA release of mod_auth_openpgp is ready.
It has *NO* configuration options, so you need the user your Apache runs as to have
gpg up and running with a keyring containing all public keys that will be enabled to access the
Apache instance your Enigform-enabled Firefox will connect to.

To download the horrible source tarball, go here:

http://www.buanzo.com.ar/files/mod_auth_openpgp-alpha1.tgz

Check out the included README.

And remember, this is ALPHA! :P


Re: Introducing mod_enigform.

Posted by Karl Southern <th...@blueyonder.co.uk>.
Arturo 'Buanzo' Busleiman wrote:
> I'd appreciate input on what kind of configuration it would be nice
> to have. So far I thought of
> Order/Allow/Deny, but I'd like it to be more flexible. If there's
> anyone who'd like to get hands on
> the code, let me know. I also don't know if this code should be hosted
> on apache.org's CVS servers,
> or what, as I plan to release this to the Apache foundation, so Apache
> becomes the first HTTP server
> to support the upcoming IETF Draft that all this is about.
This might be off at a bit of a tangent, but I'd love to test this out
and I'd be interested in seeing some sort of provision for redirection
or something, if the signing isn't available. Possibly a little out of
scope as this is achievable through mod_rewrite.

What I'd really love to see is support for mod_dbd, etc. so that keys
could be stored in a database and yanked from there.

Also off at a giant tangent, are there any plans for a signed response in
the specs (I assume this would require a fully buffered response, which
would be rather "expensive")? If so, any plans on this module supporting
that?

Regards,
Karl

Re: Introducing mod_enigform.

Posted by Arturo 'Buanzo' Busleiman <bu...@buanzo.com.ar>.

William A. Rowe, Jr. wrote:
> It's non-trivial but is the best example, I'd point you to FakeBasicAuth
> in mod_ssl.

Hi group! Although I have not used the FakeBasicAuth approach, I'm now announcing that I already
have a (mostly) working implementation of mod_auth_openpgp. It's modelled after mod_authz_host.

I'd appreciate input on what kind of configuration it would be nice to have. So far I thought of
Order/Allow/Deny, but I'd like it to be more flexible. If there's anyone who'd like to get hands on
the code, let me know. I also don't know if this code should be hosted on apache.org's CVS servers,
or what, as I plan to release this to the Apache foundation, so Apache becomes the first HTTP server
to support the upcoming IETF Draft that all this is about.

Any other tips? :)

Sincerely, and in a very happy mood,
Buanzo.


Re: Introducing mod_enigform.

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Arturo 'Buanzo' Busleiman wrote:
> 	So, as this authentication module will not ask for a username and password, just validate against
> the request's OpenPGP headers, request payload, and local gpg keyring via gpgme. Anything you think
> of I should be previewing?

It's non-trivial but is the best example, I'd point you to FakeBasicAuth
in mod_ssl.