Posted to modperl@perl.apache.org by Tillman Peng <yh...@orange.fr> on 2019/11/20 09:26:29 UTC

decrypt the posted content

hello

My client posts the data body, which is encrypted with a public key.
The private key is deployed on the web server, powered by mp2.
How can I correctly decrypt the data with private key from within 
modperl handler?

Thank you.

Re: decrypt the posted content -- shell processes

Posted by Randolf Richardson <ra...@modperl.pl>.
	You may want to consider using $r->spawn_proc_prog() instead of the 
system() function to spawn external processes -- I've had really good 
success with this in my projects:

		Apache2::SubProcess -- Executing SubProcesses under mod_perl
		https://perl.apache.org/docs/2.0/api/Apache2/SubProcess.html

	This will essentially do the same thing as system() for you, but 
it's part of mod_perl2.  It also conveniently returns a set of file 
handles that are immediately useful:

		my ($in_fh, $out_fh, $err_fh) = $r->spawn_proc_prog($command);

	Please also check the documentation (linked above) for variations on 
what can be returned, and details for adding command-line arguments.

	I hope this helps.

> On 20.11.2019 10:26, Tillman Peng wrote:
> > hello
> >
> > My client posts the data body, which is encrypted with a public key.
> > The private key is deployed on the web server, powered by mp2.
> > How can I correctly decrypt the data with private key from within modperl handler?
> >
> 
> Hi.
> Do you have a separate command-line program on the server which can decrypt that content ?
> If yes : if you do not find an appropriate perl module to do this decryption, your 
> mod_perl handler can always execute that external program using the system() function.
> (See : https://perldoc.perl.org/5.30.0/functions/system.html)
> 
> General idea :
> - get the encrypted content from the request
> - write this encrypted content to a file in some appropriate work directory on the server
> - compose the external command that reads the encrypted data, and writes the decrypted 
> content to a file
> - execute that command with system()
> - check for errors
> - read the decrypted results file
> - clean up
> 
> If you end up using this method, and you are doing this from within an Apache/mod_perl 
> handler, you have to be extra careful about many aspects, such as :
> - catching any errors which may happen in the external program, and interpreting them 
> correctly in the calling module.
> - logging the errors properly, so that if "it doesn't work", you can find out why
> - taking into account that your webserver may receive several simultaneous requests for 
> such content, and thus that there may be several instances of that external command 
> running at the same time (think about the temporary files that you may need, and make sure 
> that each instance uses its own unique files)
> - cleaning up after successfully running the command
> - maybe selectively "not cleaning up" if there were any problems, so that you can inspect 
> what happened
> - check permissions (the external program will run under the same user-id as the 
> webserver, so whatever it writes, must be in a directory writeable by the webserver)
> - verify that the external command cannot be running for too long, causing the client to 
> time-out waiting for a response, and closing the connection to the webserver
> - make extra sure that the client cannot, through some malicious use of the parameters 
> that it sends to the server (e.g. filenames), result in damage on your server
> (e.g. system("program > /etc/passwd"))
> - etc.
> 
> If you prefer to use a perl module to do the decryption, you will have to look at what is 
> available on CPAN.  Most modules that relate to encryption/decryption are in the "Crypt" 
> namespace, such as : https://metacpan.org/search?q=crypt%3A%3A
> 
> 
> 


Randolf Richardson - randolf@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Beautiful British Columbia, Canada
https://www.inter-corporate.com/



Re: decrypt the posted content

Posted by "André Warnier (tomcat/perl)" <aw...@ice-sa.com>.
On 20.11.2019 10:26, Tillman Peng wrote:
> hello
>
> My client posts the data body, which is encrypted with a public key.
> The private key is deployed on the web server, powered by mp2.
> How can I correctly decrypt the data with private key from within modperl handler?
>

Hi.
Do you have a separate command-line program on the server which can decrypt that content ?
If yes : if you do not find an appropriate perl module to do this decryption, your 
mod_perl handler can always execute that external program using the system() function.
(See : https://perldoc.perl.org/5.30.0/functions/system.html)

General idea :
- get the encrypted content from the request
- write this encrypted content to a file in some appropriate work directory on the server
- compose the external command that reads the encrypted data, and writes the decrypted 
content to a file
- execute that command with system()
- check for errors
- read the decrypted results file
- clean up

If you end up using this method, and you are doing this from within an Apache/mod_perl 
handler, you have to be extra careful about many aspects, such as :
- catching any errors which may happen in the external program, and interpreting them 
correctly in the calling module.
- logging the errors properly, so that if "it doesn't work", you can find out why
- taking into account that your webserver may receive several simultaneous requests for 
such content, and thus that there may be several instances of that external command 
running at the same time (think about the temporary files that you may need, and make sure 
that each instance uses its own unique files)
- cleaning up after successfully running the command
- maybe selectively "not cleaning up" if there were any problems, so that you can inspect 
what happened
- check permissions (the external program will run under the same user-id as the 
webserver, so whatever it writes, must be in a directory writeable by the webserver)
- verify that the external command cannot be running for too long, causing the client to 
time-out waiting for a response, and closing the connection to the webserver
- make extra sure that the client cannot, through some malicious use of the parameters 
that it sends to the server (e.g. filenames), result in damage on your server
(e.g. system("program > /etc/passwd"))
- etc.

If you prefer to use a perl module to do the decryption, you will have to look at what is 
available on CPAN.  Most modules that relate to encryption/decryption are in the "Crypt" 
namespace, such as : https://metacpan.org/search?q=crypt%3A%3A
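
Added example (not part of the original posts): one way to carry out the temp-file procedure and the cautions listed above from Perl. It assumes the body is a single RSA-encrypted block that "openssl pkeyutl -decrypt" can handle and that GNU coreutils "timeout" is installed; the paths, the 10-second limit and the name decrypt_posted_body() are placeholders chosen for illustration.

```perl
use strict;
use warnings;
use File::Temp ();

# Assumptions, not from the thread: OpenSSL and GNU coreutils "timeout"
# live at these paths; key file and work directory are placeholders.
my $TIMEOUT = '/usr/bin/timeout';
my $OPENSSL = '/usr/bin/openssl';
my $KEYFILE = '/path/to/private-key.pem';
my $WORKDIR = '/path/to/workdir';   # writable by the web server user only

# Returns ($plaintext, undef) on success or (undef, $error) on failure.
sub decrypt_posted_body {
    my ($ciphertext) = @_;

    # Unique, server-chosen file names per request (created mode 0600), so
    # simultaneous requests never collide and no client-supplied string is
    # used in a path or on the command line. new() croaks on failure.
    my $in  = File::Temp->new(DIR => $WORKDIR, SUFFIX => '.enc', UNLINK => 0);
    my $out = File::Temp->new(DIR => $WORKDIR, SUFFIX => '.dec', UNLINK => 0);
    binmode $in;
    print {$in} $ciphertext or return (undef, "write failed: $!");
    close $in               or return (undef, "close failed: $!");
    close $out;

    # List-form system(): no shell is started, so characters such as ">"
    # or ";" are never interpreted. "timeout" bounds the run time.
    my @cmd = ($TIMEOUT, '10', $OPENSSL, 'pkeyutl', '-decrypt', '-inkey',
               $KEYFILE, '-in', $in->filename, '-out', $out->filename);
    my $rc = system(@cmd);

    my $err;
    if    ($rc == -1)         { $err = "cannot start $TIMEOUT: $!" }
    elsif ($rc & 127)         { $err = 'killed by signal ' . ($rc & 127) }
    elsif (($rc >> 8) == 124) { $err = 'timed out' }
    elsif ($rc >> 8)          { $err = 'exit status ' . ($rc >> 8) }
    if ($err) {
        unlink $out->filename;   # keep only the input file for inspection
        return (undef, "$err (input kept in " . $in->filename . ')');
    }

    open my $fh, '<:raw', $out->filename
        or return (undef, "cannot read result: $!");
    my $plaintext = do { local $/; <$fh> };
    close $fh;
    unlink $in->filename, $out->filename;   # clean up only after success
    return ($plaintext, undef);
}
```

A handler would call decrypt_posted_body() with the raw request body and, on error, write the returned message to the server error log before answering the client.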