Decryption through CGI/Perl script

[L. Sassaman]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

How does this provide the user any security at all? I'm failing to see
this. 

On Tue, 2 May 2000, Mark Malkasian wrote:

> Hi All,
> 
> I'm working on a CGI script in Perl that would allow users to decrypt 
> GnuPG-encrypted files on the web. (I'm trying to avoid the hassle of 
> guiding them through the process of setting up and using PGP on their 
> Windows machines and also to accommodate Mac users.) Users are 
> presented with a web form asking them to submit their passphrase. 
> (Transmission would take place under SSL.) The script then inserts 
> the passphrase into a GnuPG command and executes the command by 
> opening a pipe (or using backticks, or a system call, etc.) to the 
> gpg executable.
> 
> I should note that my web site is being hosted remotely and our 
> sysadm isn't particularly flexible. To get GnuPG working at all, I 
> picked up a copy of the compiled gpg executable from another 
> subscriber to this list, Greg McKean, and uploaded pubring.gpg, 
> secring.gpg, and trustdb.gpg to the server after creating them on my 
> local Windows machine.
> 
>  From browsing the mailing list archive, I cobbled together a 
> bare-bones test script (see below). I have no problem creating an 
> encrypted file. Moreover, I'm able to download the file to my local 
> machine and decrypt it there. However, as you may have guessed, 
> providing the passphrase to gpg has tripped me up. When I run the 
> script below for decryption, I get the following error message:
> 
> gpg: encrypted with 1024-bit ELG-E key, ID E91E3613, created 2000-05-02
>        "test1 (Test) <mark@web-crafter.net>"
> gpg: public key decryption failed: bad passphrase
> gpg: decryption failed: secret key not available
> 
> Is there a way around this, or does it make more sense to retreat and 
> declare victory? (BTW, if I were managing my own server I'd take a 
> look at the GnuPG-Interface module Frank Tobin has put together. See 
> http://GnuPG-Interface.sourceforge.net/ . Very impressive.)
> 
> Best,
> Mark Malkasian
> 
> 
> #!/usr/local/bin/perl
> 
> $| = 1;
> 
> print "Content-type: text/html\n\n";
> 
> $gpg_path = "$ENV{DOCUMENT_ROOT}/cgi-local/gnupg/gpg";
> $gpg_config_files = "$ENV{DOCUMENT_ROOT}/cgi-local/gnupg";
> $ENV{"GNUPGHOME"} = $gpg_config_files;
> 
> # To encrypt a test file, uncomment the line below.
> # $gpg_command = "$gpg_path -r test1 --output 
> /u/web/myuserid/test.gpg --encrypt /u/web/myuserid/test.txt";
> 
> $gpg_command = "$gpg_path --batch --passphrase-fd 0 --output 
> /u/web/myuserid/decrypt.txt --decrypt /u/web/myuserid/test.gpg < 
> test";
> 
> # Execute command. Capture STDOUT and STDERR and print it to screen.
> open(READ, "$gpg_command 2>&1 |") or die "Failure on open $!\n";
> while (<READ>)
> {
> $output .= $_;
> }
> close (READ) or die "Failure on close $!\n";
> print $output;
> -------------------------
> Mark Malkasian
> mark@web-crafter.net
> http://www.web-crafter.net
> 

__

L. Sassaman

System Administrator                |  
Technology Consultant               | "To hold a pen is to be at war." 
icq.. 10735603                      |  
pgp.. finger://ns.quickie.net/rabbi |                    --Voltaire







-----BEGIN PGP SIGNATURE-----
Comment: OpenPGP Encrypted Email Preferred.

iD8DBQE5D0CdPYrxsgmsCmoRAvnVAJ9mkOsz/YqV+ALTZkpR/UQoiEBdXACfe/We
EQd3h50WUH1ftkmUVCKnr68=
=izRx
-----END PGP SIGNATURE-----