commit da32a75f2634de9ae364c9e228091a2474bf7f29
Author: David Fifield <david(a)bamsoftware.com>
Date: Tue Sep 18 21:58:36 2012 -0700
Encrypt the registrations using a public key belonging to the facilitator.
This is to provide client addresses some protection against Google or
anyone who manages to gain access to the registration account.
---
flashproxy-reg-email | 25 ++++++++++++++++++++++---
1 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/flashproxy-reg-email b/flashproxy-reg-email
index a8f3130..bd5095a 100755
--- a/flashproxy-reg-email
+++ b/flashproxy-reg-email
@@ -12,7 +12,7 @@ import tempfile
from hashlib import sha1
try:
- from M2Crypto import X509
+ from M2Crypto import BIO, RSA, X509
except ImportError:
# Defer the error reporting so that --help works even without M2Crypto.
X509 = None
@@ -61,6 +61,20 @@ A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y
# hashing the public key, not the entire certificate.
PUBKEY_SHA1 = "e341556ff3fd18e155ce30971fc93e740aa4b185".decode("hex")
+# openssl genrsa reg-email 2048
+# openssl rsa -pubout < reg-email > reg-email.pub
+FACILITATOR_PUBKEY_PEM = """\
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArzOJ0Ya0fVp6pcgIf2GW
+CBanFAyDygMFm9WfSwgQMf9XmMoHmI39bM4MftLjnhfmN75IT1DESFprmxca+vNA
+SYuN5rnCLcV5hcCFIHgDWRxQkDuRnQfYCZN7/lWgYUiMpU92vdlyYnP+XNVat7qw
+06tSHey2FS417zmIsNTcKUk9XhWb/uVHzOw/oCwG1wuxdUXKXLHjgwR5V17NbNwc
+FJ1qCmQeswQk44wfJHuXJiIxMgDWF6p4LH07hBrP68L1vtlOVpqVAAoi/wLUhBgZ
+WG0m/agJiktYR1qkLRNSH0afmpQn/v8kQg3T/5d0+HLECMfuBqoWEuJBACPSlA06
+5wIDAQAB
+-----END PUBLIC KEY-----
+"""
+
class options(object):
remote_addr = None
email_addr = None
@@ -224,6 +238,11 @@ try:
spec = "[" + spec + "]"
options.remote_addr = parse_addr_spec(spec, *options.remote_addr)
+ body_plain = "client=%s" % format_addr(options.remote_addr)
+ rsa = RSA.load_pub_key_bio(BIO.MemoryBuffer(FACILITATOR_PUBKEY_PEM))
+ body_crypt = rsa.public_encrypt(body_plain, RSA.pkcs1_oaep_padding)
+ body = body_crypt.encode("base64")
+
# Add a random subject to keep Gmail from threading everything.
rand_string = os.urandom(5).encode("hex")
smtp.sendmail(options.email_addr, options.email_addr, """\
@@ -231,12 +250,12 @@ To: %(to_addr)s\r
From: %(from_addr)s\r
Subject: client reg %(rand_string)s\r
\r
-client=%(client_spec)s
+%(body)s
""" % {
"to_addr": options.email_addr,
"from_addr": FROM_EMAIL_ADDRESS,
"rand_string": rand_string,
- "client_spec": format_addr(options.remote_addr),
+ "body": body,
})
smtp.quit()
except Exception, e: