Decryption through CGI/Perl script

L. Sassaman
Tue, 2 May 2000 13:54:45 -0700 (PDT)

Hash: SHA1

How does this provide the user any security at all? I'm failing to see

On Tue, 2 May 2000, Mark Malkasian wrote:

> Hi All,
> I'm working on a CGI script in Perl that would allow users to decrypt
> GnuPG-encrypted files on the web. (I'm trying to avoid the hassle of
> guiding them through the process of setting up and using PGP on their
> Windows machines and also to accommodate Mac users.) Users are
> presented with a web form asking them to submit their passphrase.
> (Transmission would take place under SSL.) The script then inserts
> the passphrase into a GnuPG command and executes the command by
> opening a pipe (or using backticks, or a system call, etc.) to the
> gpg executable.
> I should note that my web site is being hosted remotely and our
> sysadm isn't particularly flexible. To get GnuPG working at all, I
> picked up a copy of the compiled gpg executable from another
> subscriber to this list, Greg McKean, and uploaded pubring.gpg,
> secring.gpg, and trustdb.gpg to the server after creating them on my
> local Windows machine.
> From browsing the mailing list archive, I cobbled together a
> bare-bones test script (see below). I have no problem creating an
> encrypted file. Moreover, I'm able to download the file to my local
> machine and decrypt it there. However, as you may have guessed,
> providing the passphrase to gpg has tripped me up. When I run the
> script below for decryption, I get the following error message:
> gpg: encrypted with 1024-bit ELG-E key, ID E91E3613, created 2000-05-02
> "test1 (Test) <>"
> gpg: public key decryption failed: bad passphrase
> gpg: decryption failed: secret key not available
> Is there a way around this, or does it make more sense to retreat and
> declare victory? (BTW, if I were managing my own server I'd take a
> look at the GnuPG-Interface module Frank Tobin has put together. See
> . Very impressive.)
> Best,
> Mark Malkasian
> #!/usr/local/bin/perl
> $| = 1;
> print "Content-type: text/html\n\n";
> $gpg_path = "$ENV{DOCUMENT_ROOT}/cgi-local/gnupg/gpg";
> $gpg_config_files = "$ENV{DOCUMENT_ROOT}/cgi-local/gnupg";
> $ENV{"GNUPGHOME"} = $gpg_config_files;
> # To encrypt a test file, uncomment the line below.
> # $gpg_command = "$gpg_path -r test1 --output
> /u/web/myuserid/test.gpg --encrypt /u/web/myuserid/test.txt";
> $gpg_command = "$gpg_path --batch --passphrase-fd 0 --output
> /u/web/myuserid/decrypt.txt --decrypt /u/web/myuserid/test.gpg <
> test";
> # Execute command. Capture STDOUT and STDERR and print it to screen.
> open(READ, "$gpg_command 2>&1 |") or die "Failure on open $!\n";
> while (<READ>)
> {
> $output .= $_;
> }
> close (READ) or die "Failure on close $!\n";
> print $output;
> -------------------------
> Mark Malkasian
__ L. Sassaman System Administrator | Technology Consultant | "To hold a pen is to be at war." icq.. 10735603 | pgp.. finger:// | --Voltaire -----BEGIN PGP SIGNATURE----- Comment: OpenPGP Encrypted Email Preferred. iD8DBQE5D0CdPYrxsgmsCmoRAvnVAJ9mkOsz/YqV+ALTZkpR/UQoiEBdXACfe/We EQd3h50WUH1ftkmUVCKnr68= =izRx -----END PGP SIGNATURE-----