Jacob Wilder created PIRK-23:
--------------------------------
Summary: Provide integrity and verification of serialized objects
Key: PIRK-23
URL: https://issues.apache.org/jira/browse/PIRK-23
Project: PIRK
Issue Type: New Feature
Components: Querier, Responder
Reporter: Jacob Wilder
Assignee: Jacob Wilder
Provide a way to sign and verify serialized output using OpenPGP through
BouncyCastle's OpenPGP API. BouncyCastle is licensed under the MIT license.
Mailing list message:
Given that [deserialization attacks are a ripe attack
surface|https://www.owasp.org/index.php/Deserialization_of_untrusted_data] it's
a good idea to make it possible to authenticate serialized objects whenever
possible. In the case of Pirk—where systems which hold sensitive data will be
deserializing objects received from other entities—offering users the option to
sign/verify objects before loading them is valuable. If our users were not
dealing with sensitive information of some sort, they wouldn't be using Pirk.
I have written some code that uses BouncyCastle to OpenPGP clearsign base64
encoded Java objects. I'm going to see how cleanly I can integrate it with
Tim's new Serialization code so that it's automatically available to anything
that uses the serialization tools.
Where things get complicated is in how to expose it to users. Below is my
current thinking. I'd appreciate any feedback.
By default, all InputStreams used to read data will be checked to see if they
start with the line "-----BEGIN PGP SIGNED MESSAGE-----". If they do, we'll
pull the PGP public keyring from a path specified by property
serialization.openPGPPublicKeyRing and verify the signature. Failed signature
verifications result in an exit.
Property serialization.requireSignedInput will reject any input that is not
signed with a valid signature.
Property serialization.signOutgoingObjects will sign all outgoing Serialized
Java objects.
Properties serialization.openPGPPrivateKey,
serialization.openPGPPrivateKeyPassword, and serialization.openPGPPublicKeyRing
will indicate the location of the private key, the password used to decrypt it,
and the location of the public key ring respectively.
I had considered using SignedObjects but decided to give OpenPGP a shot because
it's easier to hand-verify signatures or integrate verification of signed data
into automated data flow (say, between two distinct entities sharing data using
Pirk).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
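The gating policy sketched in the message above (detect the clearsign header, verify before loading, reject unsigned input when serialization.requireSignedInput is set, clearsign outgoing objects), as an added example that is not Pirk's code and not the BouncyCastle integration the ticket proposes. It shows the RFC 4880 clearsign canonicalization (dash-escape removal, trailing whitespace stripped, CRLF line endings, no line ending after the last signed line) that any verifier has to be fed, and it returns for deserialization only the bytes the verified signature covers. The signer and verifier are a constructed HMAC stand-in so the block runs offline; demo_sign, demo_verify, _DEMO_KEY, try_load and the sample payload are assumptions, and a deployment would call BouncyCastle's OpenPGP signature API at those two points instead.

```python
"""Added example: gate deserialization on an OpenPGP clearsign check.

Not Pirk's code. The signer/verifier is a stand-in (HMAC over the canonical
text) so the example runs offline; a deployment plugs in BouncyCastle's
OpenPGP signature API at the same two call points.
"""
import base64
import hashlib
import hmac
import io
from typing import BinaryIO, Callable, Optional, Tuple

CLEARSIGN_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"


class SignatureError(Exception):
    """Input must not be deserialized: unsigned, malformed, or bad signature."""


def parse_clearsigned(text: str) -> Tuple[bytes, str]:
    """Split an RFC 4880 clearsigned message into (canonical signed bytes,
    armored signature block). Canonical form: dash-escapes removed, trailing
    spaces/tabs stripped, CRLF line endings, no line ending after the last
    signed line. These are exactly the bytes the signature covers."""
    lines = text.splitlines()
    if not lines or lines[0] != CLEARSIGN_HEADER:
        raise SignatureError("not a clearsigned message")
    i = 1
    while i < len(lines) and lines[i] != "":          # 'Hash: ...' armor headers
        if not lines[i].startswith("Hash:"):
            raise SignatureError("unexpected armor header: %r" % lines[i])
        i += 1
    if i == len(lines):
        raise SignatureError("truncated: no blank line after armor headers")
    i += 1
    body = []
    while i < len(lines) and lines[i] != SIG_BEGIN:
        line = lines[i]
        if line.startswith("- "):                     # undo dash-escaping
            line = line[2:]
        body.append(line.rstrip(" \t"))
        i += 1
    if i == len(lines):
        raise SignatureError("missing signature block")
    try:
        end = lines.index(SIG_END, i)
    except ValueError:
        raise SignatureError("unterminated signature block") from None
    return "\r\n".join(body).encode("utf-8"), "\n".join(lines[i:end + 1])


def clearsign(payload: bytes, sign: Callable[[bytes], str]) -> str:
    """signOutgoingObjects: base64 the serialized object and clearsign it.
    `sign` maps the canonical bytes to an armored signature block."""
    b64_lines = base64.encodebytes(payload).decode("ascii").splitlines()
    canonical = "\r\n".join(l.rstrip(" \t") for l in b64_lines).encode("utf-8")
    escaped = [("- " + l) if l.startswith("-") else l for l in b64_lines]
    return "\n".join([CLEARSIGN_HEADER, "Hash: SHA256", "", *escaped,
                      sign(canonical), ""])


def load_serialized(stream: BinaryIO, verify: Callable[[bytes, str], bool],
                    require_signed: bool) -> bytes:
    """Return the serialized bytes that may be deserialized, or raise.
    For signed input only the bytes covered by a verified signature are
    returned, so what was checked is exactly what gets loaded."""
    data = stream.read()
    header = CLEARSIGN_HEADER.encode("ascii")
    if data.startswith(header + b"\n") or data.startswith(header + b"\r\n"):
        canonical, armored_sig = parse_clearsigned(data.decode("utf-8"))
        if not verify(canonical, armored_sig):
            raise SignatureError("signature verification failed")
        b64 = canonical
    elif require_signed:
        raise SignatureError("unsigned input rejected (requireSignedInput)")
    else:
        b64 = data
    return base64.b64decode(b"".join(b64.split()), validate=True)


def try_load(data: bytes, verify, require_signed: bool) -> Optional[bytes]:
    """Wrapper for callers: payload bytes on success, None when rejected."""
    try:
        return load_serialized(io.BytesIO(data), verify, require_signed)
    except (SignatureError, ValueError, UnicodeDecodeError):
        return None


# --- constructed stand-in for the OpenPGP signer/verifier (demo only) --------
_DEMO_KEY = b"example-only-key"          # assumption: not a real PGP key


def demo_sign(canonical: bytes) -> str:
    mac = hmac.new(_DEMO_KEY, canonical, hashlib.sha256).hexdigest()
    return "\n".join([SIG_BEGIN, "", mac, SIG_END])


def demo_verify(canonical: bytes, armored_sig: str) -> bool:
    parts = armored_sig.splitlines()
    if len(parts) != 4 or parts[0] != SIG_BEGIN or parts[-1] != SIG_END:
        return False
    return hmac.compare_digest(parts[2], demo_sign(canonical).splitlines()[2])


if __name__ == "__main__":
    obj = b"\xac\xed\x00\x05t\x00\x05hello"   # constructed: Java stream magic + data
    msg = clearsign(obj, demo_sign)
    print(msg)
    print("signed, valid   :", try_load(msg.encode(), demo_verify, True) == obj)
    print("signed, tampered:", try_load(msg.replace("rO0A", "rO0B", 1).encode(), demo_verify, True))
    print("unsigned, lax   :", try_load(base64.b64encode(obj), demo_verify, False) == obj)
    print("unsigned, strict:", try_load(base64.b64encode(obj), demo_verify, True))
```

The header check on its own proves nothing (anyone can prepend the line); the decision to deserialize is taken only after verify() returns true, and the base64 that is decoded is the canonical text the signature was checked against rather than a second read of the stream. A base64 body never begins with a dash, so the dash-escaping in clearsign() is a no-op for Pirk's payloads, but it is kept so the parser is correct for arbitrary clearsigned text.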