diff options
| author | Matthias Benkard <matthias.benkard@egym.de> | 2015-04-14 08:39:27 +0000 |
|---|---|---|
| committer | Matthias Andreas Benkard <code@mail.matthias.benkard.de> | 2015-04-23 21:55:02 +0200 |
| commit | ba65cc50b7b468f0738398312a468ea413727bdc (patch) | |
| tree | 19749bd8803a2f718013cf8901c04ea658f98731 /www/common.pl | |
| parent | faea34e5c94922645b337bdeb5db32871eb1fde9 (diff) | |
QT-1900 Add a CSRF token to the OIDC login flow.
This improves security by generating a CSRF token, passing it to the
OIDC IdP, and validating it afterwards. The token is stored in
a cookie reverse-encrypted with MulkyID's private key.
Diffstat (limited to 'www/common.pl')
| -rw-r--r-- | www/common.pl | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/www/common.pl b/www/common.pl index 63b8d0f..eb965f3 100644 --- a/www/common.pl +++ b/www/common.pl @@ -5,9 +5,12 @@ use common::sense; #use Modern::Perl 2011; use Modern::Perl; +use File::Slurp; use Mail::ExpandAliases; use URI; use MIME::Base64 qw(encode_base64 decode_base64); +use Crypt::OpenSSL::RSA; +use CGI::Cookie; sub load_config() { $::MULKONF = { }; @@ -54,3 +57,27 @@ sub encode_base64_url($) { $s =~ s/\n//g; return $s; } + +sub acquire_private_key() { + my $key = Crypt::OpenSSL::RSA->new_private_key(scalar read_file($::MULKONF->{pemfile})); + $key->use_pkcs1_padding(); + $key->use_sha256_hash(); + return $key; +} + +sub make_cookie($$) { + my ($name, $value) = @_; + my $key = acquire_private_key; + my $reverse_encrypted_value = $key->private_encrypt($value); + my $cookie = CGI::Cookie->new(-name => $name, -value =>encode_base64_url($reverse_encrypted_value)); +} + +sub read_cookie($$) { + my ($cgi, $name) = @_; + my $cookie = $cgi->cookie($name); + return unless ($cookie); + my $key = acquire_private_key; + my $value = $key->public_decrypt(decode_base64_url($cookie)); + warn "cookie `$name` was forged!" unless $value; + return $value; +} |