[ https://issues.apache.org/jira/browse/PIRK-23?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ellison Anne Williams updated PIRK-23:
--------------------------------------
    Fix Version/s: 0.1.0

> Provide integrity and verification of serialized objects
> ---------------------------------------------------------
>
>                 Key: PIRK-23
>                 URL: https://issues.apache.org/jira/browse/PIRK-23
>             Project: PIRK
>          Issue Type: New Feature
>          Components: Querier, Responder
>            Reporter: Jacob Wilder
>            Assignee: Jacob Wilder
>             Fix For: 0.1.0
>
>
> Provide a way to sign and verify serialized output using OpenPGP through BouncyCastle's OpenPGP API. BouncyCastle is licensed under the MIT license.
>
> Mailing list message:
>
> Given that [deserialization attacks are a ripe attack surface|https://www.owasp.org/index.php/Deserialization_of_untrusted_data] it's a good idea to make it possible to authenticate serialized objects whenever possible. In the case of Pirk—where systems which hold sensitive data will be deserializing objects received from other entities—offering users the option to sign/verify objects before loading them is valuable. If our users were not dealing with sensitive information of some sort, they wouldn't be using Pirk.
>
> I have written some code that uses BouncyCastle to OpenPGP clearsign base64 encoded Java objects. I'm going to see how cleanly I can integrate it with Tim's new Serialization code so that it's automatically available to anything that uses the serialization tools.
>
> Where things get complicated is in how to expose it to users. Below is my current thinking. I'd appreciate any feedback.
>
> By default, all InputStreams used to read data will be checked to see if they start with the line "-----BEGIN PGP SIGNED MESSAGE-----". If it does, we'll pull the PGP public keyring from a path specified by property serialization.openPGPPublicKeyRing and verify the signature. Failed signature verifications result in an exit.
>
> Property serialization.requireSignedInput will reject any input that is not signed with a valid signature.
>
> Property serialization.signOutgoingObjects will sign all outgoing Serialized Java objects.
>
> Properties serialization.openPGPPrivateKey, serialization.openPGPPrivateKeyPassword, and serialization.openPGPPublicKeyRing will indicate the location of the private key, the password used to decrypt it, and the location of the public key ring respectively.
>
> I had considered using SignedObjects but decided to give OpenPGP a shot because it's easier to hand-verify signatures or integrate verification of signed data into automated data flow (say, between two distinct entities sharing data using Pirk).

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
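The input gate sketched in the issue (peek for the clearsign header, recover the bytes the signature covers, fail closed when serialization.requireSignedInput is set), as an added Python example that is not Pirk's code. The OpenPGP signature check is injected as a `verify` callback standing in for the BouncyCastle call, and the message layout follows RFC 4880 section 7.1; the sample input in the test is constructed.

```python
import io

CLEARSIGN_HEADER = b"-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = b"-----BEGIN PGP SIGNATURE-----"
SIG_END = b"-----END PGP SIGNATURE-----"

def is_clearsigned(stream):
    """Peek at the first line of a seekable stream without consuming it."""
    pos = stream.tell()
    head = stream.read(len(CLEARSIGN_HEADER))
    stream.seek(pos)
    return head == CLEARSIGN_HEADER

def split_clearsigned(data):
    """Return (signed_text, armored_signature) for a clearsigned message.
    signed_text is what the signature covers (RFC 4880 section 7.1): "- "
    dash-escapes removed, trailing spaces/tabs stripped, CRLF line ends,
    no line end after the final text line."""
    lines = [l.rstrip(b"\r") for l in data.split(b"\n")]
    if not lines or lines[0] != CLEARSIGN_HEADER:
        raise ValueError("not a clearsigned message")
    try:
        i = lines.index(b"", 1) + 1  # armor headers (Hash: ...) end at blank line
        body = []
        while lines[i] != SIG_BEGIN:
            line = lines[i][2:] if lines[i].startswith(b"- ") else lines[i]
            body.append(line.rstrip(b" \t"))
            i += 1
        j = lines.index(SIG_END, i)
    except (IndexError, ValueError):
        raise ValueError("truncated clearsigned message") from None
    return b"\r\n".join(body), b"\n".join(lines[i:j + 1])

def load_serialized(stream, verify, require_signed=False):
    """Return serialized bytes only once the signing policy is satisfied.
    verify(signed_text, armored_signature) is the OpenPGP check against the
    trusted public keyring (BouncyCastle in Pirk), injected so the gate is
    testable. Every failure raises; no data is returned on a bad signature."""
    if is_clearsigned(stream):
        signed_text, signature = split_clearsigned(stream.read())
        if not verify(signed_text, signature):
            raise PermissionError("OpenPGP signature verification failed")
        return signed_text
    if require_signed:
        raise PermissionError("unsigned input rejected: serialization.requireSignedInput")
    return stream.read()

def gate(data, verify, require_signed=False):
    """Same policy applied to in-memory bytes."""
    return load_serialized(io.BytesIO(data), verify, require_signed)
```

The returned bytes are the base64 text the issue describes signing; the caller still has to decode it before handing it to the Java deserializer, so the signature check sits in front of the risky step.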