************ t r u X o f t   M v P G P   L i b r a r y *********************
| copyright (c) 2001+ truXoft. Free for non-commercial use. http://mivo.truxoft.com
| write to mvpgp@truxoft.com for commercial licenses
| changelog at http://mivo.truxoft.com/changelogs/mvpgp.txt
|
| Successful installation of MvPGP requires:
| - Miva Empresa on a Unix system
| - Installed and working PGP or GnuPG on your server
| - Private cgi-bin directory accessible and writable by Miva
| - Working shell accessible by Miva.
| Installation: place this script somewhere in your Miva script directory,
| run it from a browser and follow the instructions. MvPGP attempts to create two files:
| 1. /mvpgp/mvpgp.conf in your Miva data directory, containing the MvPGP settings
| 2. /cgi-bin/mvpgp.sh in your private cgi-bin directory. It is a shell script
|    used as an interface between Miva and PGP or GnuPG
|
| Detailed information at http://mivo.truxoft.com/art0038.htm
***************************************************************************

MvPGP

MvPGP - Miva PGP/GnuPG function library

Copyright © 2001  Ivo Truxa, truXoft. All copyrights reserved
Explanation, updates and more information on http://mivo.truxoft.com/art0038.htm
Free for non-commercial use. Contact me for commercial licenses.

Insecure Miva version! MvPGP Halted.

You are using Miva version . MvPGP can work with older Miva versions too, but because there are serious security flaws in older versions, we strongly recommend updating your Miva engine!

If you want to continue at your own risk, remove the first <MvEXIT> tag in the mvpgp.mv script.



Introduction

The MvPGP library attempts to find the GnuPG or PGP binary, your private cgi-bin and the Miva data directory. If it does not succeed, it asks you to enter the paths manually. MvPGP was developed and tested with PGP 2.6.2 (an old but free version), PGP 5.0 and GnuPG 1.0.4. It should work with newer versions as well.

Most usually, you will have PGP freeware 6.x or 7.x on the client side. There is also GnuPG for DOS/Windows, but for now it has only a command line interface, in contrast to PGP, which integrates nicely with common e-mail clients. GnuPG is an Open Source application with a much more relaxed license than PGP, and I suppose that in the long term it may become much more popular than it is now. Both applications can work together, but if you are using older versions of PGP you may need some effort to find key types that are accepted by both (for patent reasons some algorithms are not available by default in GnuPG, and older versions of PGP do not support some of the modern algorithms used by GnuPG). I'll try to show work-arounds for the most common problems on http://mivo.truxoft.com as soon as I find some time for it.

Please keep in mind that you should never use the same secret keyrings and the same pass phrases on your remote server that you use for yourself! A private key stored next to a publicly reachable script is only as safe as that script. Encrypting text and sending PGP e-mail does not need any private key at all, and for security reasons you may remove it from your server altogether. You only need a public key for each of the target users (recipients). Please visit PGP oriented web sites and news groups for more information on PGP, GnuPG, OpenPGP, cryptography and security.


Calling Examples

Sending encrypted e-mail: the text may be a string or a variable containing multiple lines. Please note that the recipient's e-mail address must be present in your public keyring on the server. Check the PGP/GnuPG documentation to see how to add new public keys to your keyring.
<MvDO FILE="mvpgp.mv" NAME="ret" VALUE="{pgpSend('friend@some.com','Text to encrypt')}">
<MvDO FILE="mvpgp.mv" NAME="ret" VALUE="{pgpSend(g.email,g.LongText)}">

The same function also accepts filenames. If the second argument is an existing filename in your Miva data directory, the file is encrypted and sent by e-mail to the address (if present in the keyring).
<MvDO FILE="mvpgp.mv" NAME="ret" VALUE="{pgpSend(g.email,'/Merchant/install.log')}">

The pgpEncrypt() function returns the encrypted text, or the encrypted content of a file named in the 3rd argument. The public key of the target user (2nd argument) is used for the encryption. The first argument determines whether the output comes with or without the PGP header.
<MvDO FILE="mvpgp.mv" NAME="ret" VALUE="{pgpEncrypt(1,'friend@some.com','Text to encrypt')}">
<MvDO FILE="mvpgp.mv" NAME="ret" VALUE="{pgpEncrypt(0,g.email,'/Merchant/install.log')}">

The pgpListKeys() function returns a list of e-mail addresses extracted from the public keys present in your keyring. If the first argument is empty or 0, pgpListKeys returns a pipe-delimited list. If the argument is non-empty, the function returns an OPTION list for a SELECT form element (drop-down box) containing the available recipients' addresses. If the argument is equal to one of these addresses, the corresponding option is selected.
<MvDO FILE="mvpgp.mv" NAME="ret" VALUE="{pgpListKeys('')}">
<MvDO FILE="mvpgp.mv" NAME="ret" VALUE="{pgpListKeys('friend@some.com')}">

Please review the code of the test below in this script for practical examples of the use of these functions. I will add more functions for decrypting, managing keyrings and other tasks as time allows.
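The three calls above all end in the bridge shell script that Miva writes to your private cgi-bin directory, and that script receives the recipient address, the text and the file name straight from a web form. The following is an added example written for this page, not MvPGP's own mvpgp.sh (whose source is not shown here): a hardened stand-in that checks the recipient and the file name before anything reaches the shell, calls the GnuPG command line without shell interpolation, and parses `gpg --with-colons --list-keys` output into the pipe-delimited list that pgpListKeys() returns. All function names, the MVPGP_* paths and the sample key listing are assumptions made for the example; the listing is constructed and contains no real keys.

```shell
#!/bin/sh
# Added example (not MvPGP's bridge script).  Assumes the GnuPG CLI ("gpg").
# Function names, MVPGP_* paths and the sample listing are hypothetical.

MVPGP_GPG_HOME=${MVPGP_GPG_HOME:-/home/miva/.gnupg}   # assumed keyring location
MVPGP_DATA_DIR=${MVPGP_DATA_DIR:-/home/miva/data}     # assumed Miva data dir

# 1. Recipient check.  The address comes from a web form, so it is restricted
#    to a conservative character set before gpg ever sees it.  tr deletes every
#    character outside the set; if that changes the string, it is rejected.
mvpgp_check_recipient() {
    addr=$1
    [ -n "$addr" ] || return 1
    stripped=$(printf '%s' "$addr" | tr -cd 'A-Za-z0-9._+@-')
    [ "$stripped" = "$addr" ] || return 1
    case $addr in
        -*)        return 1 ;;   # would be parsed by gpg as an option
        @*|*@|*@*@*) return 1 ;;
        *@*.*)     return 0 ;;   # local part, one @, dotted domain
        *)         return 1 ;;
    esac
}

# 2. File check for the "filename in your Miva data directory" form of
#    pgpSend()/pgpEncrypt(): same character filter, and no ".." anywhere,
#    so the name cannot escape the data directory.
mvpgp_check_datafile() {
    name=$1
    [ -n "$name" ] || return 1
    stripped=$(printf '%s' "$name" | tr -cd 'A-Za-z0-9._/-')
    [ "$stripped" = "$name" ] || return 1
    case $name in
        *..*) return 1 ;;
    esac
    return 0
}

# 3. Key listing: reads `gpg --with-colons --list-keys` output on stdin and
#    prints the addresses pipe-delimited.  Field 10 carries the user ID on
#    "uid" records (GnuPG 2.x) and on "pub" records (GnuPG 1.x); validity
#    "r" (revoked) and "e" (expired) entries are skipped.
mvpgp_list_keys() {
    awk -F: '
        ($1 == "pub" || $1 == "uid") && $2 != "r" && $2 != "e" {
            if (match($10, /<[^>]+>/)) {
                addr = substr($10, RSTART + 1, RLENGTH - 2)
                if (!(addr in seen)) {
                    seen[addr] = 1
                    sep = (out == "") ? "" : "|"
                    out = out sep addr
                }
            }
        }
        END { printf "%s", out }'
}

# 4. Encryption: plaintext on stdin, ciphertext on stdout.  The address is a
#    single argv element (never interpolated into a command string), and the
#    angle brackets make gpg match the e-mail address exactly instead of as a
#    substring of any user ID.  --always-trust skips the web-of-trust check,
#    which a server keyring that only holds imported public keys cannot pass.
mvpgp_encrypt() {
    addr=$1
    armor_flag=${2:-1}                        # 1 = ASCII armor, 0 = binary
    [ "$armor_flag" = 1 ] || armor_flag=
    mvpgp_check_recipient "$addr" || { echo "mvpgp: bad recipient" >&2; return 1; }
    command -v gpg >/dev/null 2>&1 || { echo "mvpgp: gpg not found" >&2; return 2; }
    gpg --batch --yes --quiet --homedir "$MVPGP_GPG_HOME" --always-trust \
        ${armor_flag:+--armor} --recipient "<$addr>" --encrypt
}

mvpgp_encrypt_file() {
    name=$1
    addr=$2
    mvpgp_check_datafile "$name" || { echo "mvpgp: bad file name" >&2; return 1; }
    mvpgp_encrypt "$addr" 1 < "$MVPGP_DATA_DIR/${name#/}"
}

# Constructed sample of `gpg --with-colons --list-keys` output (no real keys):
# a GnuPG 1.x style pub record with the user ID in field 10, a newer key with
# a separate uid record, and a revoked user ID that must be left out.
MVPGP_SAMPLE_KEYS='tru::1:1700000000:0:3:1:5
pub:u:1024:17:0000000000000001:2001-03-01:::u:Old Style <old@example.org>::scESC:
pub:u:2048:1:0000000000000002:1700000000:::u:::scESC::::::23::0:
fpr:::::::::00000000000000000000000000000000000000A2:
uid:u::::1700000000::HASH00A2::Alice Example <alice@example.com>::::::::::0:
sub:u:2048:1:0000000000000003:1700000000::::::e::::::23:
pub:u:2048:1:0000000000000004:1700000000:::u:::scESC::::::23::0:
uid:u::::1700000000::HASH00A4::Bob Example <bob@example.net>::::::::::0:
uid:r::::1700000000::HASH00A5::Bob Example <bob@old.example.net>::::::::::0:'

# Stand-alone demo: the sample listing as a pipe-delimited address list.
printf '%s\n' "$MVPGP_SAMPLE_KEYS" | mvpgp_list_keys
echo
```

In real use the listing would come from `gpg --batch --homedir "$MVPGP_GPG_HOME" --with-colons --list-keys | mvpgp_list_keys`, and the Miva side would pass only the recipient and the text or file name, never a pre-built command line. Note that `--always-trust` is an old spelling that GnuPG still accepts as an alias of `--trust-model always`.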


MvPGP parameters

NOTE: After installing and testing the script, please disable the part below. It is better to hide this sensitive information if the script is publicly accessible.

MvPGP configuration (values are read from the configuration file and are not shown here)
MvPGP version:
SHELL binary:
PGP Type:
cgi-bin dir.:
cgi-bin URL:
PGP home dir.:
Miva Data dir.:
PGP/GPG binary:
Hide Level:
Debug mode: yes / no

Edit the mvpgp/mvpgp.conf file in your Miva data directory if you want to change the configuration.



Test

For security reasons, the test was disabled. The owner can unlock it in the file.

NOTE: Please disable this test after installing the script. Some sensitive information could be revealed through the form if the script is publicly accessible.

Import a new target public key



Text message or a filename in your Miva Data directory:



Encrypt for (e-mail addr):    


Warnings/Messages:

Result:

Sorry, server-side DECRYPT is currently not yet supported in MvPGP!
Script internals (section comments recovered from the source)

- reading the configuration file (with a fix for misconfigured Empresas and a maximal text length for the GET method)
- checking the environment and installing the bridge shell script: checking cgi-bin, checking the shell. The data directories are set temporarily world readable to allow the test on servers with screwed-up ownerships; note that while they are world readable every local account can read the configuration and keyring, so the permissions should be restored after the test. Messages: "MvPGP Configuration written to:" and "MvPGP bridge shell script written to: (within Miva scriptdata dir)"
- checking for the existence and executability of an encryption program
- writing a line to a file, allowing backslashes
- displaying an error message
- displaying a form for entering a new parameter
- creating a bridge shell script for calling the encryption program from Miva (the source carries the note "verification/authorization of the caller IP must come here !!!", so the bridge script does not yet check who calls it)
- writing the parameters to the configuration file
- displaying a form checkbox
- hiding a form variable
- common PGP/GPG calling function
- sending a string or a file in the Miva data dir via PGP/GPG encrypted e-mail
- encrypting a string or a file in the Miva data dir with PGP/GPG
- decrypting a string or a file in the Miva data dir with PGP/GPG
- returning a list of available public keys (pipe-delimited list or OPTION list)
- receiving (importing) a public key from a key server

Importing a target public key

We need to import at least one public key of a target user (addressee).
Key import failed!
(hexadecimal ID from the key properties - e.g. 0x645C04B9)
Or import a local signature key file from your PC: