Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

- added readme and license

  • Loading branch information...
commit e682c5830a60c05f2a92f0f5228b23fde17e0863 1 parent 91094ef
@koto authored
Showing with 106 additions and 0 deletions.
  1. +21 −0 LICENSE
  2. +82 −0 README
  3. +3 −0  cert/generate.sh
View
21 LICENSE
@@ -0,0 +1,21 @@
+
+ Copyright (c) 2010 Krzysztof Kotowicz <kkotowicz at gmail dot com>
+
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
+ in the Software without restriction, including without limitation the rights
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+
+ The above copyright notice and this permission notice shall be included in
+ all copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ THE SOFTWARE.
+
View
82 README
@@ -0,0 +1,82 @@
+Remote-Phar
+===========
+
+Author: Krzysztof Kotowicz <kkotowicz at gmail dot com>
+License: MIT
+
+Remote-Phar library facilitates secure distribution of Phar archives to remote locations.
+
+Introduction
+------------
+Phar archives, though they have many superb features for a PHP developer, have a certain limitation when it comes to their security - although standard Phar file can be signed, the key used to verify the signature is stored alongside the archive. Moreover, the signature verification process is hardcoded and does not allow you to supply the key by yourself.
+
+These problems make it difficult to use Phar archives to distribute a trusted code to
+clients, because both the key and code are stored on the server - attacker could use e.g.
+DNS spoofing to emulate the server and supply the code without any signature or using his own
+pair of keys. Because of that, Standard Phar extension does not allow including remote (e.g. HTTP://) Phar archives to avoid the old security vulnerability of remote code execution (see e.g. allow_url_fopen and allow_url_include discussion).
+
+To mitigate this, the remote-phar library uses a different method:
+ - the key used to verify the signature is stored on a client (shared-secret) and is
+ never transferred over-the-wire
+ - all code is downloaded to the local client cache and is verifed using the stored code
+ - after verification the local cached file could be included and loaded (no allow_url_open
+ restrictions)
+
+Usage scenario
+--------------
+
+Usage scenario is as follows:
+
+On server (publisher):
+
+1. Create public / private keys with Open SSL
+2. On a server build a code (see build.php) and sign it using your private key
+ You may use the code on a server like any other phar archive (see local.php)
+
+On client (consumer):
+
+3. Get a copy of public key for signature verification (may be stored locally)
+4. Download a code (Phar archive) from the server
+5. Verify Phar signature using your copy of public key (to be sure that the code has
+ been generated by trusted entity)
+6. Include and run the Phar archive in your application
+
+4,5,6 - see remote.php.
+
+Disclaimer: For the security of given method, it is critical to never disclose the private key!
+This method also doesn't protect anyone from looking AT the code - the code is not encrypted,
+it is only signed so it cannot be changed by third party.
+
+Installing
+----------
+
+To be able to use the project, you must build the Phar 2.0.0 PHP extension from
+http://PECL.php.net and have a working OpenSSL in PHP.
+
+E.g. under Ubuntu, these steps are required to build and configure the extension:
+
+$ sudo apt-get install php5-dev
+$ sudo pecl install pecl/phar
+$ echo "extension=phar.so" | sudo tee /etc/php5/conf.d/phar.ini
+$ echo "phar.readonly=0" | sudo tee -a /etc/php5/conf.d/phar.ini
+
+(the last line is needed on the server only and for security reasons should NOT be executed on client)
+
+After preparing th PHP engine, refer to cert/README to generate certificates
+
+
+Usage
+-----
+1. Place your files in src/ directory
+2. Use
+ $ php build.php
+ to build a signed phar archive
+3. Copy public key to a client
+4. See code in remote.php to learn how to verify and include the phar archive in your application.
+
+
+Contact
+-------
+Krzysztof Kotowicz <kkotowicz at gmail dot com>
+
+
View
3  cert/generate.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+openssl genrsa -out priv.pem 1024
+openssl rsa -in priv.pem -pubout -out pub.pem
Please sign in to comment.
Something went wrong with that request. Please try again.