On 20.11.2019 10:26, Tillman Peng wrote:
Hello,
My client posts the data body, which is encrypted with a public key.
The private key is deployed on the web server, powered by mp2.
How can I correctly decrypt the data with the private key from within a mod_perl
handler?
Hi.
Do you have a separate command-line program on the server which can decrypt
that content ?
If yes : if you do not find an appropriate perl module to do this decryption, your
mod_perl handler can always execute that external program using the system() function.
(See : https://perldoc.perl.org/5.30.0/functions/system.html)
General idea :
- get the encrypted content from the request
- write this encrypted content to a file in some appropriate work directory on
the server
- compose the external command that reads the encrypted data, and writes the decrypted
content to a file
- execute that command with system()
- check for errors
- read the decrypted results file
- clean up
If you end up using this method, and you are doing this from within an Apache/mod_perl
handler, you have to be extra careful about many aspects, such as :
- catching any errors which may happen in the external program, and interpret them
correctly in the calling module.
- logging the errors properly, so that if "it doesn't work", you can find out
why
- taking into account that your webserver may receive several simultaneous requests for
such content, and thus that there may be several instances of that external command
running at the same time (think about the temporary files that you may need, and make sure
that each instance uses its own unique files)
- cleaning up after successfully running the command
- maybe selectively "not cleaning up" if there were any problems, so that you can inspect
what happened
- check permissions (the external program will run under the same user-id as the
webserver, so whatever it writes, must be in a directory writeable by the webserver)
- verify that the external command cannot be running for too long, causing the client to
time-out waiting for a response, and closing the connection to the webserver
- make extra sure that the client cannot, through some malicious use of the parameters
that it sends to the server (e.g. filenames), result in damage on your server
(e.g. system("program > /etc/passwd"))
- etc.
If you prefer to use a perl module to do the decryption, you will have to look at what is
available on CPAN. Most modules that relate to encryption/decryption are in the "Crypt"
namespace, such as : https://metacpan.org/search?q=crypt%3A%3A
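As an added illustration of the system()-based procedure and the precautions listed above (example code, not from either poster), here is a mod_perl 2 handler that writes the request body to a per-request private work directory, runs the decryption program as an argument list with no shell involved, enforces a time limit, keeps the files only when something went wrong, and logs the failure. It assumes the private key is at /etc/myapp/private.pem (a placeholder path) and that `openssl pkeyutl` is the external decryption program; `run_limited` is a helper written for this example.

```perl
package My::DecryptHandler;
use strict; use warnings;
use POSIX ();
use File::Temp ();
use Apache2::RequestRec (); use Apache2::RequestIO (); use Apache2::Log (); use APR::Table ();
use Apache2::Const -compile => qw(OK HTTP_BAD_REQUEST SERVER_ERROR);
my $KEY      = '/etc/myapp/private.pem'; # assumed path, readable by the webserver user
my $MAX_BODY = 64 * 1024;                # refuse bodies larger than this
my $TIMEOUT  = 10;                       # seconds the external command may run
# Run a command as an argument list (no shell, so nothing client-supplied is ever
# parsed as a command line) and kill it if it runs longer than $timeout seconds.
sub run_limited {
    my ($timeout, @cmd) = @_;
    my $pid = fork();
    return -1 unless defined $pid;
    if ($pid == 0) { exec { $cmd[0] } @cmd; POSIX::_exit(127) }
    my $ok = eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $timeout;
        waitpid($pid, 0);
        alarm 0; 1;
    };
    return $? >> 8 if $ok;
    kill 'KILL', $pid; waitpid($pid, 0); return -1;  # reap it, leave no runaway child
}
sub handler {
    my $r = shift;
    my $len = $r->headers_in->{'Content-Length'} || 0;
    return Apache2::Const::HTTP_BAD_REQUEST if $len <= 0 || $len > $MAX_BODY;
    $r->read(my $body, $len);
    # Private (0700) work directory per request, so concurrent requests never share
    # files; File::Temp removes it when $dir goes out of scope at the end of the handler.
    my $dir = File::Temp->newdir('decrypt-XXXXXXXX', TMPDIR => 1);
    my ($in, $out) = ("$dir/in.bin", "$dir/out.bin");
    open(my $fh, '>:raw', $in) or return Apache2::Const::SERVER_ERROR;
    print $fh $body; close $fh;
    my $status = run_limited($TIMEOUT, 'openssl', 'pkeyutl', '-decrypt',
                             '-inkey', $KEY, '-in', $in, '-out', $out);
    if ($status != 0) {
        $dir->unlink_on_destroy(0);  # keep the files so the failure can be inspected
        $r->log_error("decrypt failed (status $status); work dir $dir kept");
        return Apache2::Const::SERVER_ERROR;
    }
    open($fh, '<:raw', $out) or return Apache2::Const::SERVER_ERROR;
    my $plain = do { local $/; <$fh> }; close $fh;
    $r->content_type('text/plain');
    $r->print("decrypted " . length($plain) . " bytes\n");  # hand $plain to the application here
    return Apache2::Const::OK;
}
1;
```

Filenames never come from the client, so the `system("program > /etc/passwd")` style of abuse mentioned above cannot occur; the remaining exposure is whatever the decryption program itself does with hostile ciphertext, which is why its exit status is checked and its run time bounded.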