Hi Scott,

I tried to debug the Wookie code and convince myself of the factors you
highlighted.

(1).   It was evident that 'W3CWidgetFactory' can have the validating
methods for the passed-in zip file. I hope the 'Java XML Digital Signature
API', which can be applied to data of any type, XML or binary, will be a good
candidate to use, and I would like to know any opinion on that.

(2).  As far as I understood, we can have trusted key stores for the
servers in such a way that a configuration file in each server has the path
to the relevant key store, and when signing and validating it can be referred
to as preferred.

(3).  I still could not identify any place where signing can be
implemented (I looked for some place where packaging is done, as signing has
to be done just before packaging).

I would be so thankful if you could correct me if I am wrong, and for any
hint on where I can start to look to check the possibility of implementing
signing.

On Mon, Mar 19, 2012 at 7:28 PM, Pushpalanka Jayawardhana <
[email protected]> wrote:

> Hi Scott,
>
> This helps a lot.
> Thank you!
>
>
> On Sun, Mar 18, 2012 at 2:35 PM, Scott Wilson <
> [email protected]> wrote:
>
>> On 18 Mar 2012, at 06:55, Pushpalanka Jayawardhana wrote:
>>
>> Hi Pushpalanka,
>>
>>
>> > Hi,
>> >
>> > I am Pushpalanka Jayawardhana, and I am willing to complete this new
>> > feature, WOOKIE-139 as my GSoC project this year.
>>
>> Great!
>>
>> > I have experience related to WS-security from my internship period and I
>> > love to sharpen my knowledge in the field. I have worked with digital
>> > signatures using the OpenSAML library in implementing SAML for XACML. But
>> > I am new to Wookie widgets.
>> >
>> > Currently I am going through this spec
>> > <http://dev.w3.org/2006/waf/widgets-digsig/> and getting hands-on
>> > experience with Wookie according to this guidance
>> > <http://incubator.apache.org/wookie/docs/developer/running.html> in
>> > standalone mode.
>> > I am thankful for any guidance on how I should proceed.
>>
>>
>> This is definitely the place to start. The DigSig spec is clearly the
>> main source of official information, and to understand how it fits with
>> Wookie the main thing is to get familiar with Wookie - both in terms of how
>> it works and also the general structure of the project.
>>
>> There is also a basic test suite at W3C for the DigSig spec that includes
>> lots of sample widgets for testing signature validation:
>>
>> http://dev.w3.org/2006/waf/widgets-digsig/test-suite/
>>
>> I can think of two areas where you might want to look at implementing
>> digsig in Wookie:
>>
>> 1. Wookie has a generic W3C Widget Parser library (in /parser) that
>> builds as a standalone jar that can be used in other Java-based W3C Widget
>> implementations as well as the Wookie server itself. DigSig functionality
>> could be added to the parser itself, so that when a .wgt package is sent to
>> the parser, it can also optionally validate signatures. The entry point for
>> this is the W3CWidgetFactory class:
>>
>>
>> http://svn.apache.org/viewvc/incubator/wookie/trunk/parser/java/src/org/apache/wookie/w3c/W3CWidgetFactory.java?view=markup
>>
>> 2. In the main Wookie server there are various points where signatures
>> might be implemented. For example, we may want to store a list of trusted
>> authors and distributors for each server - this could then be passed to the
>> Parser factory when asking it to check a .wgt. Metadata about signatories
>> and validation results could also be included in the XML returned to
>> connectors about widgets.
>>
>> Hope this helps - good luck with your GSoC application!
>>
>> S
>>
>> >
>> > Thank you!
>> > Best Regards,
>> >
>> > Pushpalanka Jayawardhana | Undergraduate | Computer Science and Engineering
>> > University of Moratuwa
>> >
>> > +94779716248
>>
>>
>
>
> --
> Pushpalanka Jayawardhana | Undergraduate | Computer Science and Engineering
> University of Moratuwa
>
> +94779716248 | http://pushpalankajaya.blogspot.com
>
> Twitter: http://twitter.com/Pushpalanka | Slideshare:
> http://www.slideshare.net/Pushpalanka
>
>
>

Best Regards,
-- 
Pushpalanka Jayawardhana | Undergraduate | Computer Science and Engineering
University of Moratuwa

+94779716248 | http://pushpalankajaya.blogspot.com

Twitter: http://twitter.com/Pushpalanka | Slideshare:
http://www.slideshare.net/Pushpalanka
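
An added example for points (1) and (2) of the message above, not code from Wookie or from either correspondent: it validates one signature file inside a .wgt with the Java XML Digital Signature API, resolving each Reference URI to an entry of the zip and accepting the signer only if its certificate is stored in the trusted key store. The class and method names are hypothetical, the caller is assumed to have loaded the `KeyStore` from the path in the server's configuration, and no certificate chain is built; the widget DigSig rule that every file in the package must be referenced is not checked here.

```java
import java.io.*;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.zip.*;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.NodeList;

public class WidgetSignatureCheck {   // hypothetical class, not part of Wookie
    // Returns true if sigEntry validates; throws XMLSignatureException if the signer is untrusted.
    static boolean validate(File wgt, String sigEntry, KeyStore trusted) throws Exception {
        try (ZipFile zip = new ZipFile(wgt)) {
            ZipEntry sig = zip.getEntry(sigEntry);
            if (sig == null) return false;
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setNamespaceAware(true);
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            NodeList nl = dbf.newDocumentBuilder().parse(zip.getInputStream(sig))
                    .getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
            if (nl.getLength() != 1) return false;   // exactly one Signature element expected
            KeySelector selector = new KeySelector() {   // trust = certificate present in key store
                public KeySelectorResult select(KeyInfo ki, Purpose p, AlgorithmMethod m,
                        XMLCryptoContext c) throws KeySelectorException {
                    try {
                        if (ki != null) for (Object x : ki.getContent())
                            if (x instanceof X509Data) for (Object o : ((X509Data) x).getContent())
                                if (o instanceof X509Certificate
                                        && trusted.getCertificateAlias((X509Certificate) o) != null)
                                    return ((X509Certificate) o)::getPublicKey;
                    } catch (KeyStoreException e) { throw new KeySelectorException(e); }
                    throw new KeySelectorException("signer certificate not in trusted key store");
                }
            };
            XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
            DOMValidateContext ctx = new DOMValidateContext(selector, nl.item(0));
            ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
            ctx.setURIDereferencer((ref, u) -> {   // map Reference URIs to zip entries only
                String uri = ref.getURI();
                if (uri == null || uri.isEmpty() || uri.startsWith("#"))
                    return fac.getURIDereferencer().dereference(ref, u);   // same-document reference
                ZipEntry e = zip.getEntry(uri);
                if (e == null) throw new URIReferenceException("not in package: " + uri);
                try { return new OctetStreamData(zip.getInputStream(e)); }
                catch (IOException ex) { throw new URIReferenceException(ex); }
            });
            return fac.unmarshalXMLSignature(ctx).validate(ctx);
        }
    }
}
```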
