bad idea: cgi authentication with gpg and cert

2025-02-20 15:39:15 +08:00 · 2023-07-02 15:13:44 +08:00 · 2023-07-02 15:13:44 +08:00 · 480a29ce98
commit 480a29ce98
parent 7af610fad6
2 changed files with 40 additions and 10 deletions
--- a/gmi/docker/README.gmi
+++ b/gmi/docker/README.gmi
@ -12,16 +12,12 @@ alpine linux
 * gmid.conf reload

 ## TODO
-CGI script:
-* inform the server to update git
+I want to write CGI script to:
 * check the log
+* upload dynamic file

-both need authentication, idea:
-* 6x (CLIENT CERTIFICATE REQUIRED)
-=> gemini://gemini.circumlunar.space/docs/tls-tutorial.gmi doc: TLS
-=> https://adnano.co/2021/03/06/gemini-tls/ TLS recommendations for Gemini
-=> gemini://caseyrichins.online/logs/2023-06-09_gemini-client-certificates.gmi Client Certificates in Gemini
+First I need to get my client cert hash uploaded, so I came up an idea:
+upload a pgp-signed message contains: HOSTNAME:CERTHASH, then use that client cert hash

-* GPG in 1x (INPUT)
-client: date -u +%Y%m%dT%H | gpg -as
-server: verify time then signature
+But later I thought it makes my server too complicated.
+I just need a static site server, these are bloated.
--- a/gmi/docker/cgi/auth.cgi
+++ b/gmi/docker/cgi/auth.cgi
@ -0,0 +1,34 @@
+#! /usr/bin/python
+
+# nobody write perl right?
+
+from os import environ
+import sys
+import subprocess
+import re
+
+
+if "GEMINI_SEARCH_STRING" not in environ:
+    print("11 signed message",end="\r\n")
+    sys.exit()
+
+query = environ["GEMINI_SEARCH_STRING"]
+host = environ["SERVER_NAME"]
+
+p = subprocess.Popen(["gpgv", "--keyring", "./keyring"], stdin=subprocess.PIPE)
+p.communicate(input=query.encode())
+
+if p.returncode != 0:
+    print("gpg failed")
+    sys.exit()
+
+pattern = "^{}:([0-9a-z]+)$".format(host)
+line = query.splitlines()[3]
+match = re.match(pattern, line)
+
+if match == None:
+    print("bad hash")
+    sys.exit()
+
+print("20 text/gemini",end="\r\n")
+print(match.group(1),end="\r\n")