PIRK-23

Provide integrity and verification of serialized objects


Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.1.0
    • Component/s: Querier, Responder
    • Labels: None

    Description

      Provide a way to sign and verify serialized output using OpenPGP through BouncyCastle's OpenPGP API. BouncyCastle is licensed under the MIT license.

      Mailing list message:
      Given that deserialization attacks are a ripe attack surface it's a good idea to make it possible to authenticate serialized objects whenever possible. In the case of Pirk—where systems which hold sensitive data will be deserializing objects received from other entities—offering users the option to sign/verify objects before loading them is valuable. If our users were not dealing with sensitive information of some sort, they wouldn't be using Pirk.

      I have written some code that uses BouncyCastle to OpenPGP clearsign base64 encoded Java objects. I'm going to see how cleanly I can integrate it with Tim's new Serialization code so that it's automatically available to anything that uses the serialization tools.

      Where things get complicated is in how to expose it to users. Below is my current thinking. I'd appreciate any feedback.

      By default, all InputStreams used to read data will be checked to see if they start with the line "----BEGIN PGP SIGNED MESSAGE----". If one does, we'll pull the PGP public keyring from a path specified by property serialization.openPGPPublicKeyRing and verify the signature. Failed signature verifications result in an exit.

      Property serialization.requireSignedInput will reject any input that is not signed with a valid signature.
      Property serialization.signOutgoingObjects will sign all outgoing Serialized Java objects.
      Properties serialization.openPGPPrivateKey, serialization.openPGPPrivateKeyPassword, and serialization.openPGPPublicKeyRing will indicate the location of the private key, the password used to decrypt it, and the location of the public key ring respectively.

      I had considered using SignedObjects but decided to give OpenPGP a shot because it's easier to hand-verify signatures or integrate verification of signed data into automated data flow (say, between two distinct entities sharing data using Pirk).
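      The check-then-verify path sketched above, written out as an added example; it is not code from the issue or from Pirk. It assumes the property names given in the message, BouncyCastle's bcprov and bcpg jars on the classpath, and a hypothetical class name SignedInputGate; the signing side (serialization.signOutgoingObjects) is not shown. The armor header the code looks for uses five dashes on each side, which is what RFC 4880 specifies and what BouncyCastle emits.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.Security;
import java.util.Arrays;
import java.util.Properties;

import org.bouncycastle.bcpg.ArmoredInputStream;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.*;
import org.bouncycastle.openpgp.jcajce.JcaPGPObjectFactory;
import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator;
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProvider;

/** Hypothetical gate (not Pirk code): decides from the stream's first line and the
 *  serialization.* properties whether input must be verified before deserialization. */
public final class SignedInputGate {

    /** RFC 4880 armor header: five dashes on each side. */
    static final byte[] CLEARSIGN_HEADER =
        "-----BEGIN PGP SIGNED MESSAGE-----".getBytes(StandardCharsets.US_ASCII);

    static { Security.addProvider(new BouncyCastleProvider()); }

    private SignedInputGate() {}

    /** Returns a stream the caller may deserialize from. Signed input comes back as a verified
     *  in-memory copy of the clear text (the base64 object), so the deserializer never sees
     *  bytes that failed verification. Unsigned input passes only if requireSignedInput is false. */
    public static InputStream open(InputStream raw, Properties props) throws IOException, PGPException {
        boolean requireSigned = Boolean.parseBoolean(
            props.getProperty("serialization.requireSignedInput", "false"));
        String keyRingPath = props.getProperty("serialization.openPGPPublicKeyRing");

        BufferedInputStream in = new BufferedInputStream(raw);
        if (!startsWithClearsignHeader(in)) {
            if (requireSigned) {
                throw new SecurityException("unsigned input rejected (serialization.requireSignedInput=true)");
            }
            return in;
        }
        if (keyRingPath == null) {
            throw new SecurityException("signed input but serialization.openPGPPublicKeyRing is not set");
        }
        try (InputStream keyIn = new FileInputStream(keyRingPath)) {
            return new ByteArrayInputStream(verifyClearsigned(in, keyIn));
        }
    }

    /** Peeks at the first bytes without consuming them (mark/reset on the buffered stream). */
    static boolean startsWithClearsignHeader(BufferedInputStream in) throws IOException {
        in.mark(CLEARSIGN_HEADER.length);
        byte[] buf = new byte[CLEARSIGN_HEADER.length];
        int total = 0;
        while (total < buf.length) {
            int n = in.read(buf, total, buf.length - total);
            if (n < 0) break;
            total += n;
        }
        in.reset();
        return total == buf.length && Arrays.equals(buf, CLEARSIGN_HEADER);
    }

    /** Verifies a clear-signed message against the configured key ring; returns the signed text. */
    static byte[] verifyClearsigned(InputStream in, InputStream keyRingIn) throws IOException, PGPException {
        ArmoredInputStream aIn = new ArmoredInputStream(in);

        // 1. Collect the clear text. ArmoredInputStream strips dash-escaping and flips
        //    isClearText() to false when it reaches the "-----BEGIN PGP SIGNATURE-----" line.
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        int ch;
        while ((ch = aIn.read()) >= 0 && aIn.isClearText()) {
            body.write(ch);
        }

        // 2. The armored signature packet follows on the same stream.
        PGPSignatureList sigs = (PGPSignatureList) new JcaPGPObjectFactory(aIn).nextObject();
        if (sigs == null || sigs.isEmpty()) {
            throw new SecurityException("clear-signed message carries no signature packet");
        }
        PGPSignature sig = sigs.get(0);

        // 3. Only keys already in the ring are trusted; an unknown key ID is a failure.
        PGPPublicKeyRingCollection ring = new PGPPublicKeyRingCollection(
            PGPUtil.getDecoderStream(keyRingIn), new JcaKeyFingerprintCalculator());
        PGPPublicKey key = ring.getPublicKey(sig.getKeyID());
        if (key == null) {
            throw new SecurityException("signing key not in key ring: " + Long.toHexString(sig.getKeyID()));
        }

        // 4. Hash the text in RFC 4880 canonical form and check the signature.
        sig.init(new JcaPGPContentVerifierBuilderProvider().setProvider("BC"), key);
        byte[] text = body.toByteArray();
        sig.update(canonicalText(text));
        if (!sig.verify()) {
            throw new SecurityException("OpenPGP signature verification failed");
        }
        return text;
    }

    /** RFC 4880 section 7.1: trailing spaces/tabs removed from each line, lines joined with CRLF,
     *  and the line ending that precedes the signature armor excluded. */
    static byte[] canonicalText(byte[] text) {
        String s = new String(text, StandardCharsets.ISO_8859_1); // byte-preserving charset
        if (s.endsWith("\r\n")) s = s.substring(0, s.length() - 2);
        else if (s.endsWith("\n") || s.endsWith("\r")) s = s.substring(0, s.length() - 1);
        String[] lines = s.split("\r\n|\r|\n", -1);
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < lines.length; i++) {
            String line = lines[i];
            int end = line.length();
            while (end > 0 && (line.charAt(end - 1) == ' ' || line.charAt(end - 1) == '\t')) end--;
            out.append(line, 0, end);
            if (i < lines.length - 1) out.append("\r\n");
        }
        return out.toString().getBytes(StandardCharsets.ISO_8859_1);
    }
}
```

      A caller wraps its source once, `InputStream in = SignedInputGate.open(new FileInputStream(path), props);`, then base64-decodes what it reads and only then hands the bytes to ObjectInputStream. Every failure path (unsigned input under requireSignedInput, a key ID missing from the ring, or a bad signature) throws SecurityException before any serialized bytes are returned, which is where the "exit" described in the message would be wired in; the returned stream is a copy of text that already passed verification, so a later read cannot fall back to the unverified source.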

          People

            Assignee: Jacob Wilder (jacobwilder)
            Reporter: Jacob Wilder (jacobwilder)