Dear group,
As some of you already know, I'm working on OpenPGP extensions to the HTTP protocol. I've created the Enigform Firefox extension and its Apache counterpart, mod_auth_openpgp (which will be renamed to mod_openpgp in the near future). I've already implemented the "sign" OpenPGP operation in Enigform, and the "verify" operation in mod_auth_openpgp, along with methods to import a public key from client to server.

The next step is server-side signing and both-sides encryption and decryption. For this I will need to input the passphrase to unlock the private key at the server side, but I will use mod_ssl's approach.

So, before implementing encryption at the browser side, I've crafted an "OpenPGP encrypted HTTP request", which looks like this (OpenPGP header modified for this email on purpose, so it does not trigger your PGP/GPG plugin):

=- cut here -=
POST /HTTP_OPENPGP_DECRYPT
Host: localhost

-----BEGIN*PGP*MESSAGE-----
Version: GnuPG v1.4.7 (GNU/Linux)

-----END*PGP*MESSAGE-----
=- cut here -=

When the "localhost" virtualhost gets that request, an input filter should be called by a handler I've set up for location /HTTP_OPENPGP_DECRYPT within mod_openpgp. The "Host" header must not be encrypted, so server-wide OpenPGP decryption shouldn't be needed.

The encrypted text is the following HTTP request:

=- cut here -=
POST /pba/test.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (example)
Accept: text/html, blahblah
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/pba/index.html
X-OpenPGP-Type: S
X-OpenPGP-Sig-Fields: body
X-OpenPGP-Sig: iD8DBQFGflnpw7MFlotPrwCeKb0qqa5Vt6eaPVaqHuUG2SVHz/c==B/eo
X-OpenPGP-Digest-Algo: SHA1
X-OpenPGP-Version: GnuPG v1.4.7 (GNU/Linux)
X-OpenPGP-Agent: Enigform 0.8.1 for Mozilla Firefox
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

variable=dsadas
=- cut here -=

As you can see, it is also an OpenPGP-signed request, with the same Host: line, but with a different request line, headers and body. That's the REAL request that should be input into Apache, the response obtained and returned (encrypted, but we can work on that once decryption is ready) to the browser.
So, at first I thought a subrequest would do the job, but then it seemed to me that another approach was better: decrypt, parse the cleartext's HTTP headers and add them to r->headers_in, then replace the body with the cleartext body (variable=dsadas).

As this is BIG stuff, I thought the people at modules_dev would be interested in providing their views, insults, etc. If this is too off-topic or too long a thread, I have a forum to discuss Enigform and mod_auth_openpgp development, but I believe this question should be discussed here. In any case, the URL is:

http://foros.buanzo.com.ar/viewforum.php?f=35

mod_auth_openpgp: http://freshmeat.net/projects/maopenpgp
Enigform: http://freshmeat.net/projects/maopenpgp and http://addons.mozilla.org

Sincerely,
Buanzo

PS: Nick, chapter 8 of your book is definitely GREAT :)

-- 
Arturo "Buanzo" Busleiman - Independent Information Security Consultant
Free Music: http://www.buanzo.com.ar/files/buanzo-ultimamente.ogg
Consulting and Secure Mail Hosting: http://www.buanzo.com.ar/pro/
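The decrypt-then-merge step sketched in the mail, as an added example in Python (not Enigform or mod_auth_openpgp code): after decryption, the cleartext request is parsed and checked against the outer envelope before its headers are allowed to replace the outer ones. Decryption itself is assumed already done; the sample request is constructed from the inner request quoted above, with CRLF framing.

```python
"""Parse a decrypted inner HTTP request and validate it against the
outer envelope. Added example, not mod_auth_openpgp's own code; the
OpenPGP decryption step is assumed to have happened already."""
from __future__ import annotations

# Headers the mail shows on every Enigform-signed request.
REQUIRED_SIG_HEADERS = ("X-OpenPGP-Type", "X-OpenPGP-Sig-Fields", "X-OpenPGP-Sig")


def parse_inner_request(cleartext: bytes, outer_host: str) -> dict:
    """Split cleartext into request line, headers and body.

    Raises ValueError on anything that would make merging the headers
    into the outer request unsafe: bad framing, Host mismatch, a
    Content-Length that disagrees with the body, or missing signature
    headers."""
    head, sep, body = cleartext.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers in cleartext")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"bad request line: {lines[0]!r}")
    method, path, version = parts
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"bad header line: {line!r}")
        key = name.strip().lower()
        # A duplicate would let one inner copy shadow another; reject it.
        if key in headers:
            raise ValueError(f"duplicate header: {name.strip()}")
        headers[key] = value.strip()
    # The outer Host routed the envelope; the inner Host must agree.
    if headers.get("host") != outer_host:
        raise ValueError("inner Host does not match outer Host")
    # The declared length must match the body actually carried.
    declared = int(headers.get("content-length", len(body)))
    if declared != len(body):
        raise ValueError(f"Content-Length {declared} != body {len(body)}")
    for name in REQUIRED_SIG_HEADERS:
        if name.lower() not in headers:
            raise ValueError(f"missing {name}")
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


# Constructed sample: the inner request from the mail, CRLF-framed.
SAMPLE = (b"POST /pba/test.php HTTP/1.1\r\nHost: localhost\r\n"
          b"X-OpenPGP-Type: S\r\nX-OpenPGP-Sig-Fields: body\r\n"
          b"X-OpenPGP-Sig: iD8DBQFGflnpw7MFlotPrwCeKb0qqa5Vt6eaPVaqHuUG2SVHz/c==B/eo\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: 15\r\n\r\nvariable=dsadas")
```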