From ba65cc50b7b468f0738398312a468ea413727bdc Mon Sep 17 00:00:00 2001
From: Matthias Benkard
Date: Tue, 14 Apr 2015 08:39:27 +0000
Subject: QT-1900 Add a CSRF token to the OIDC login flow.

This improves security by generating a CSRF token, passing it to the OIDC IdP, and validating it afterwards. The token is stored in a cookie reverse-encrypted with MulkyID's private key.
---
 www/common.pl | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

(limited to 'www/common.pl')

diff --git a/www/common.pl b/www/common.pl
index 63b8d0f..eb965f3 100644
--- a/www/common.pl
+++ b/www/common.pl
@@ -5,9 +5,12 @@ use common::sense;
 #use Modern::Perl 2011;
 use Modern::Perl;
+use File::Slurp;
 use Mail::ExpandAliases;
 use URI;
 use MIME::Base64 qw(encode_base64 decode_base64);
+use Crypt::OpenSSL::RSA;
+use CGI::Cookie;
 
 sub load_config() {
 $::MULKONF = { };
@@ -54,3 +57,27 @@ sub encode_base64_url($) {
 $s =~ s/\n//g;
 return $s;
 }
+
+sub acquire_private_key() {
+ my $key = Crypt::OpenSSL::RSA->new_private_key(scalar read_file($::MULKONF->{pemfile}));
+ $key->use_pkcs1_padding();
+ $key->use_sha256_hash();
+ return $key;
+}
+
+sub make_cookie($$) {
+ my ($name, $value) = @_;
+ my $key = acquire_private_key;
+ my $reverse_encrypted_value = $key->private_encrypt($value);
+ my $cookie = CGI::Cookie->new(-name => $name, -value =>encode_base64_url($reverse_encrypted_value));
+}
+
+sub read_cookie($$) {
+ my ($cgi, $name) = @_;
+ my $cookie = $cgi->cookie($name);
+ return unless ($cookie);
+ my $key = acquire_private_key;
+ my $value = $key->public_decrypt(decode_base64_url($cookie));
+ warn "cookie `$name` was forged!" unless $value;
+ return $value;
+}
-- 
cgit v1.2.3
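Review bot: The forgery check in `read_cookie` (`warn "cookie ... was forged!" unless $value`) is only reachable if `public_decrypt` returns a false value, but as far as I recall Crypt::OpenSSL::RSA croaks on a padding or decrypt failure, so a tampered or garbage cookie dies with an unhandled exception (a 500 for the login flow) instead of being treated as "no valid token"; wrap the decode/decrypt in `eval` and return nothing on failure. `make_cookie` sets neither `-httponly` nor `-secure` on the CSRF cookie, so the signed token is readable by page script and, unless the site is HTTPS-only, sent in clear; it also relies on the implicit return of the last assignment rather than an explicit `return $cookie;`. Because the value is signed with the site's private key via raw PKCS#1 v1.5 `private_encrypt` over the bare `$value` (note `use_sha256_hash` has no effect on `private_encrypt`/`public_decrypt`, only on `sign`/`verify`), if that same PEM key signs anything else in MulkyID this is a signing oracle over whatever bytes reach `$value` — an HMAC with a dedicated secret, or at least a fixed prefix such as `csrf:` in the signed payload, would avoid that. The signed token also carries no expiry, so a captured cookie value validates indefinitely; consider embedding a timestamp and rejecting old tokens at the call site (not visible in this hunk).
```perl
sub make_cookie($$) {
    my ($name, $value) = @_;
    my $key = acquire_private_key;
    my $reverse_encrypted_value = $key->private_encrypt($value);
    # HttpOnly + Secure: the token must not be readable by script or sent over plain HTTP.
    my $cookie = CGI::Cookie->new(
        -name     => $name,
        -value    => encode_base64_url($reverse_encrypted_value),
        -httponly => 1,
        -secure   => 1,
    );
    return $cookie;
}

sub read_cookie($$) {
    my ($cgi, $name) = @_;
    my $cookie = $cgi->cookie($name);
    return unless ($cookie);
    my $key = acquire_private_key;
    # public_decrypt croaks on bad padding/signature; treat that as "no valid cookie".
    my $value = eval { $key->public_decrypt(decode_base64_url($cookie)) };
    if ($@ or not defined $value) {
        warn "cookie `$name` was forged!";
        return;
    }
    return $value;
}
```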