fgrehm / pearfarm

Improves the productivity of the PHP community by making it easy to repeatably produce PEAR packages and post them to a public PEAR server
http://pearfarm.org

Figure out security model. #1

Closed by apinstein 15 years ago

apinstein commented 15 years ago
  1. Is there anyone expert on this that can help us decide an architecture?
  2. True PKI signing versus a simpler hash algorithm?

We can try to persist decisions here: http://wiki.github.com/fgrehm/pearfarm/pearfarm-security

And discuss them wherever...

xetorthio commented 15 years ago

I think we should do it the GitHub way. That is, setting your public key and then using ssh to upload. It seems easy, secure and already proven. Also people are used to this.

apinstein commented 15 years ago

If we use ssh to upload, how do we get our application to respond to it? I think this works well for GitHub since git already runs over ssh...

xetorthio commented 15 years ago

I'm sure there are ways to address this. Maybe a hook to the ssh server or maybe just a cron job that will check for updates asynchronously. We get the new package, read the specs and update it on the server.

apinstein commented 15 years ago

I think using http://us.php.net/manual/en/function.openssl-sign.php would be the easiest, the only downside being that PHP must be installed with openssl. However, at least on Mac and I am sure Linux, adding openssl is trivial. The macports version comes with OpenSSL by default.

apinstein commented 15 years ago

Maybe I'll try adding it real quick and see how hard it is.

xetorthio commented 15 years ago

So you want to POST the data with the signature and on the server side verify it with http://us.php.net/manual/en/function.openssl-verify.php . Yes... seems like a good way to go.

apinstein commented 15 years ago

Exactly. Working on it now!

apinstein commented 15 years ago

Ok, it works! That was very easy. The client side is now done.

Server side can verify via:

    // Public key of the user who is uploading (the client signed the package
    // with the matching private key).
    $pubKey = openssl_get_publickey(
    "-----BEGIN PUBLIC KEY-----
    MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAurW+d5EKeSv/C73yYYOV
    PXy1ZPqULmxwTKDVg7MzHRcB9nawFpn6NBYlOhnzzuf9XV44qjB3ItZ1fb57+J6E
    zDTWrmPpBIB9POC7n0nnuHAG3NJuEO2ljDRtYyFnFLBF9rBCWV8uwWktlgRLHlua
    8qM9QWMFEeDcr6CEef1dn5xHSe5dYVW5RUrYMoATXiDGu+2LICFH1PStM/bLav0/
    yu0/wFdwRFzBwKDOd340fruSK95KxFU3/2yRBKY1w/My9BWS1qY3Ok9T8/kVf/IU
    IFXxFAGQQcePveXv/upMFR6cNQdY15WV8TPCLR0iYZlKvQ6/GfnAz1xE/jan59lT
    uQIBIw==
    -----END PUBLIC KEY-----"
    );

    // $pkgTgzPath is the uploaded package tarball, $signatureBase64 the
    // base64-encoded signature the client POSTed alongside it. The signature
    // covers the raw tarball bytes and uses SHA-1, so the client must sign
    // with the same digest.
    $res = openssl_verify(
        file_get_contents($pkgTgzPath),
        base64_decode($signatureBase64),
        $pubKey,
        OPENSSL_ALGO_SHA1
    );

    // openssl_verify() returns 1 (valid), 0 (invalid) or -1 (error).
    switch ($res) {
        case 1:  print 'CORRECT';   break;
        case 0:  print 'INCORRECT'; break;
        case -1: print 'ERROR';     break;
    }

apinstein commented 15 years ago

Ok, this is done. We are now using openssl PKI signing for all package uploads to ensure the posters are the authorized users.
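An added, end-to-end PHP example of the scheme the thread settles on: the client signs the raw tarball bytes with the user's private key, POSTs the package plus a base64 signature, and the server verifies with openssl_verify against the public key registered for that user. This is not pearfarm's own code. It assumes, for illustration only, that the server keeps a map from user name to registered PEM public key (`$registeredKeys`), that an upload is an array with `user`, `package` and `signature` fields, and that a block of random bytes can stand in for a real .tgz; `makeKeypair`, `clientSignUpload` and `serverVerifyUpload` are hypothetical names.

```php
<?php
// Added example, not pearfarm's own code: one round trip of the
// sign-on-upload / verify-on-receipt scheme from this thread.
// Assumed for illustration: the server keeps a user -> PEM public key
// registry, and an upload is an array with 'user', 'package' (base64 of
// the .tgz bytes) and 'signature' (base64 of the raw signature).

// One-time setup per user: generate a keypair. The private half stays on
// the client; the public half is what the user registers on the server.
function makeKeypair(): array
{
    $key = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    openssl_pkey_export($key, $privatePem);
    $publicPem = openssl_pkey_get_details($key)['key'];
    return [$privatePem, $publicPem];
}

// Client side: sign the raw tarball bytes (exactly what the server-side
// snippet in the thread verifies) and build the POST fields.
function clientSignUpload(string $user, string $pkgTgz, string $privatePem): array
{
    $priv = openssl_pkey_get_private($privatePem);
    if ($priv === false) {
        throw new RuntimeException('cannot load private key');
    }
    // The thread uses SHA-1; OPENSSL_ALGO_SHA256 is the better choice for
    // anything new. Both sides must agree on the digest.
    if (!openssl_sign($pkgTgz, $sig, $priv, OPENSSL_ALGO_SHA1)) {
        throw new RuntimeException('signing failed');
    }
    return [
        'user'      => $user,
        'package'   => base64_encode($pkgTgz),
        'signature' => base64_encode($sig),
    ];
}

// Server side: verify the upload against the key already on file for the
// claimed user. Returns 'CORRECT', 'INCORRECT' or 'ERROR', mirroring the
// switch in the thread's snippet.
function serverVerifyUpload(array $post, array $registeredKeys): string
{
    // The key comes from the server's own registry, never from the request:
    // otherwise the check only proves the uploader holds *some* key.
    if (!isset($registeredKeys[$post['user']])) {
        return 'ERROR';
    }
    $pub = openssl_pkey_get_public($registeredKeys[$post['user']]);
    if ($pub === false) {
        return 'ERROR';
    }
    $pkgTgz = base64_decode($post['package'], true);
    $sig    = base64_decode($post['signature'], true);
    if ($pkgTgz === false || $sig === false) {
        return 'ERROR';
    }
    switch (openssl_verify($pkgTgz, $sig, $pub, OPENSSL_ALGO_SHA1)) {
        case 1:  return 'CORRECT';
        case 0:  return 'INCORRECT';
        default: return 'ERROR';   // -1: malformed key or signature
    }
}

// Demo. $pkgTgz is a constructed stand-in for a package tarball; any bytes do.
[$alicePriv, $alicePub] = makeKeypair();
[$bobPriv,   $bobPub]   = makeKeypair();
$registeredKeys = ['alice' => $alicePub, 'bob' => $bobPub];

$pkgTgz = random_bytes(4096);
$upload = clientSignUpload('alice', $pkgTgz, $alicePriv);
echo 'genuine upload:          ', serverVerifyUpload($upload, $registeredKeys), "\n";

$tampered = $upload;
$tampered['package'] = base64_encode($pkgTgz . "\x00");   // modified after signing
echo 'modified tarball:        ', serverVerifyUpload($tampered, $registeredKeys), "\n";

$relabelled = $upload;
$relabelled['user'] = 'bob';                              // alice's signature, bob's key
echo 'claimed as another user: ', serverVerifyUpload($relabelled, $registeredKeys), "\n";

$unknown = $upload;
$unknown['user'] = 'carol';                               // nothing on file
echo 'user with no key:        ', serverVerifyUpload($unknown, $registeredKeys), "\n";
```

Run it with `php` on any build that has the openssl extension (the same requirement the thread notes for the client). The genuine upload verifies as CORRECT, the modified tarball and the upload re-labelled as another registered user come back INCORRECT, and a user with no key on file is an ERROR. Two design points worth keeping in view with this scheme: the public key must be looked up from the server's own registry for the claimed user, not taken from the request; and the signature binds only the tarball bytes, so anything the server trusts from outside the tarball (the claimed user name, a later re-submission of the same signed tarball) is not covered unless it is folded into the signed data.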