/Authen-ModAuthPubTkt

Perl Module for mod_auth_pubtkt

Primary LanguagePerl

NAME
    Authen::ModAuthPubTkt - Generate Tickets (Signed HTTP Cookies) for
    mod_auth_pubtkt protected websites.

VERSION
    version 0.1.1

SYNOPSIS
    On the command-line, generate the public + private keys: (More details
    available at <https://neon1.net/mod_auth_pubtkt/install.html>)

            $ openssl genrsa -out key.priv.pem 1024
            $ openssl rsa -in key.priv.pem -out key.pub.pem -pubout

    Then in your perl script (which is probably the your custom login
    website), use the following code to issue tickets:

            use Authen::ModAuthPubTkt;

            my $ticket = pubtkt_generate(
                    privatekey => "key.priv.pem",
                    keytype    => "rsa",
                    clientip   => undef,  # or a valid IP address
                    userid     => "102",  # or any ID that makes sense to your application, e.g. email
                    validuntil => time() + 86400, # valid for one day
                    graceperiod=> 3600,   # grace period of an hour
                    tokens     => undef,  # comma separated string of tokens.
                    userdata   => undef   # any application specific data to pass.
            );

            ## $ticket string will look something like:
            ## "uid=102;validuntil=1337899939;graceperiod=1337896339;tokens=;udata=;sig=h5qR" \
            ## "yZZDl8PfW8wNxPYkcOMlAxtWuEyU5bNAwEFT9lztN3I7V13SaGOHl+U6wB+aMkvvLQiaAfD2xF/Hl" \
            ## "+QmLDEvpywp98+5nRS+GeihXTvEMRaA4YVyxb4NnZujCZgX8IBhP6XBlw3s7180jxE9I8DoDV8bDV" \
            ## "k/2em7yMEzLns="

    To verify a ticket, use the following code:

            my $ok = pubtkt_verify (
                    publickey => "key.pub.pem",
                    keytype   => "rsa",
                    ticket    => $ticket
            );
            die "Ticket verification failed.\n" if not $ok;

    To extract items from a ticket, use the following code:

            my %items = pubtkt_parse($ticket);

            ## %items will be something like:
            ## {
            ##    'uid' => 102,
            ##    'validuntil' => 1337899939,
            ##    'graceperiod => 1337896339,
            ##    'tokens' => "",
            ##    'udata'  => "",
            ##    'sig'    => 'h5qRyZZDl8PfW8wNxPYkcOMlAxtWuEyU5bNAwEFT9lztN3 (....)'
            ## }

    Also, a command-line utility ("mod_auth_pubtkt.pl") will be installed,
    and can be used to generate/verify keys:

            $ mod_auth_pubtkt.pl --generate --private-key key.priv.pem --rsa
            $ mod_auth_pubtkt.pl --verify --public-key key.pub.pem --rsa
            $ mod_autH_pubtkt.pl --help

DESCRIPTION
    This module generates and verify a mod_auth_pubtkt-compatible ticket
    string, which should be used as a cookie with the rest of the
    mod_auth_pubtkt ( <https://neon1.net/mod_auth_pubtkt/> ) system.

   Common scenario:
    1. On the login server side, write perl code to authenticate users
    (using Apache's authenetication, LDAP, DB, etc.).
    2. Once the user is authenticated, call "pubtkt_generate" to generate a
    ticket, and send it back to the user as a cookie.
    3. Redirect the user back to the server he/she came from.

Working Example
    A working (but minimal) perl login example is available at
    <https://github.com/manuelkasper/mod_auth_pubtkt/blob/master/perl-login/
    minimal_cgi/login.pl>

METHODS
  pubtkt_generate
    Generates a signed ticket.

    If successful, returns a signed ticket string (to be sent back to the
    user as a cookie).

    On any failure (bad key, failure to run "openssl", etc.) returns
    "undef".

    Accepts a hash of parameters:

    privatekey
        String containing the private key filename (full path). The key can
        be either DSA or RSA key (see keytype).

    keytype
        either "rsa" or "dsa" - depending on how you created the
        private/public key files.

    userid
        String containing the user ID. No specific format is enforced: can
        by a number, a string, an email address, etc. It will be encoded as
        "uid=XXXX" in the signed ticket.

    validuntil
        Numeric value, containing the validity period, in seconds since
        epoch (use "time()" function).

    graceperiod
        Optional. Numeric value. If given, will be added to the signed
        ticket string.

    clientip
        Optional. A string with an IP address. If given. will be added to
        the signed ticket string.

    token
        Optional. Any textual string. If given. will be added to the signed
        ticket string.

    userdata
        Optional. Any textual string. If given. will be added to the signed
        ticket string.

  pubtkt_verify
    Verifies a signed ticket string.

    If successful (i.e. the ticket's signature is valid), returns TRUE (=1).

    On any failure (bad key, failure to run "openssl", etc.) returns
    "undef".

    NOTE: This function checks ONLY THE SIGNATURE, based on the public key
    file. It is the caller's resposibility to check the expiration date.
    That is: The function will return TRUE if the ticket is properly signed,
    but possibly expired.

    Accepts a hash of parameters:

    publickey
        String containing the public key filename (full path). The key can
        be either DSA or RSA key (see keytype).

    keytype
        either "rsa" or "dsa" - depending on how you created the
        private/public key files.

    ticket
        The string of the ticket (such as returned by "pubtkt_generate").

  pubtkt_parse($ticket)
    Utility function to parse a ticket string into a Perl hash.

    NOTE: No validation is performed. The given ticket might be expired, or
    even forged.

PREREQUISITES
    openssl must be installed (and available on the $PATH).

    IPC::Run3 is required to run the openssl executables.

BUGS
    Probably many.

TODO
    Use Perl's Crypt::OpenSSL::RSA and Crypt::OpenSSL::DSA instead of the
    running "openssl" executable.

    Don't assume "openssl" binary is on the $PATH.

    Refactor into OO interface.

LICENSE
    Copyright (C) 2012,2022 A. Gordon ( assafgordon at gmail dot com ).
    All rights reserved. This module is free software;
    you can redistribute it and/or modify it under the same terms as Perl itself.


AUTHORS
    A. Gordon, heavily based on the PHP code from mod_auth_pubtkt.

SEE ALSO
    ModAuthPubTkt main website: <https://neon1.net/mod_auth_pubtkt/>

    ModAuthPubTkt github repository:
    <https://github.com/manuelkasper/mod_auth_pubtkt>

    This module's github repository:
    <https://github.com/agordon/Authen-ModAuthPubTkt>

    Examples in the "./eg" directory:

    generate_rsa_keys.sh
        Generates a pair of RSA key files.

    generate_dsa_keys.sh
        Generates a pair of DSA key files.

    mod_auth_pubtkt.pl
        A command-line utility to generate/verify tickets.