On 23 Mar 2012, at 13:25, Pushpalanka Jayawardhana wrote: > Hi Scott, > > I tried to debug the Wookie code and convince myself the factors you > highlighted. > > (1). It was evident that 'W3CWidgetFactory' can have the validating > methods for the passed in zip file. Hope 'Java XML Digital Signature API' > which can be applied to data of any type, XML or binary will be a good > candidate to use and like to know any opinion on that.
It should be OK, though it may be best to ask on the [email protected] list to be sure. > > (2). As far as I understood, we can have trusted key stores for the > servers in such a way that a configuration file in each server has the path > to relevant key store and when signing and validating it can be referred as > preferred. Yes, that sounds right. > > (3). I still could not identify any place where signing can be > implemented(I looked for some place where packaging is done, as signing has > to be done just before packaging.) Thats right - Wookie principally consumes widgets that have already been packaged and distributed, rather than builds them. However, it may be useful to have a command-line utility to help authors sign their widgets. > > I'm so thankful if you can correct me, if I am wrong and any hint on > somewhere I can start to look on, to check possibility of implement > signing. > > On Mon, Mar 19, 2012 at 7:28 PM, Pushpalanka Jayawardhana < > [email protected]> wrote: > >> Hi Scott, >> >> This helps a lot. >> Thank you! >> >> >> On Sun, Mar 18, 2012 at 2:35 PM, Scott Wilson < >> [email protected]> wrote: >> >>> On 18 Mar 2012, at 06:55, Pushpalanka Jayawardhana wrote: >>> >>> Hi Pushpalanka, >>> >>> >>>> Hi, >>>> >>>> I am Pushpalanka Jayawardhana, and I am willing to complete this new >>>> feature, WOOKIE-139 as my GSoC project this year. >>> >>> Great! >>> >>>> I have experience related to WS-security in my internship period and I >>> love >>>> to sharpen knowledge in the field. I have worked with digital signatures >>>> using >>>> OpenSAML library in implementing SAML for XACML. But new to Wookie >>> widgets. >>>> >>>> Currently I am going through this >>>> spec<http://dev.w3.org/2006/waf/widgets-digsig/>and having hands on >>>> experience with Wookie according to this >>>> guidance < >>> http://incubator.apache.org/wookie/docs/developer/running.html>in >>>> standalone mode. >>>> I am thankful for any guidance on how should I proceed. >>> >>> >>> This is definitely the place to start. The DigSig spec is clearly the >>> main source of official information, and to understand how it fits with >>> Wookie the main thing is to get familiar with Wookie - both in terms of how >>> it works and also the general structure of the project. >>> >>> There is also a basic test suite at W3C for the DigSig spec that includes >>> lots of sample widgets for testing signature validation: >>> >>> http://dev.w3.org/2006/waf/widgets-digsig/test-suite/ >>> >>> I can think of two areas where you might want to look at implementing >>> digsig in Wookie: >>> >>> 1. Wookie has a generic W3C Widget Parser library (in /parser) that >>> builds as a standalone jar that can be used in other Java-based W3C Widget >>> implementations as well as the Wookie server itself. DigSig functionality >>> could be added to the parser itself, so that when a .wgt package is sent to >>> the parser, it can also optionally validate signatures. The entry point for >>> this is the W3CWidgetFactory class: >>> >>> >>> http://svn.apache.org/viewvc/incubator/wookie/trunk/parser/java/src/org/apache/wookie/w3c/W3CWidgetFactory.java?view=markup >>> >>> 2. In the main Wookie server there are various points where signatures >>> might be implemented. For example, we may want to store a list of trusted >>> authors and distributors for each server - this could then be passed to the >>> Parser factory when asking it to check a .wgt. Metadata about signatories >>> and validation results could also be included in the XML returned to >>> connectors about widgets. >>> >>> Hope this helps - good luck with your GSoC application! >>> >>> S >>> >>>> >>>> Thank you! >>>> Best Regards, >>>> >>>> Pushpalanka Jayawardhana | Undergraduate | Computer Science and >>> Engineering >>>> University of Moratuwa >>>> >>>> +94779716248 >>>> [image: Facebook] <https://www.facebook.com/pushpalanka> [image: >>>> Twitter]<http://twitter.com/Pushpalanka> [image: >>>> Blogger] <http://pushpalankajaya.blogspot.com/> [image: >>>> SlideShare]<http://www.slideshare.net/Pushpalanka> [image: >>>> LinkedIn] < >>> http://lk.linkedin.com/pub/pushpalanka-jayawardhana/21/214/50a> >>>> Contact me: [image: Google Talk] Pushpalanka [image: Y! >>> Messenger]Pushpalanka >>> >>> >> >> >> -- >> Pushpalanka Jayawardhana | Undergraduate | Computer Science and Engineering >> University of Moratuwa >> >> +94779716248 | http://pushpalankajaya.blogspot.com >> >> Twitter: http://twitter.com/Pushpalanka | Slideshare: >> http://www.slideshare.net/Pushpalanka >> >> >> > > Best Regards, > -- > Pushpalanka Jayawardhana | Undergraduate | Computer Science and Engineering > University of Moratuwa > > +94779716248 | http://pushpalankajaya.blogspot.com > > Twitter: http://twitter.com/Pushpalanka | Slideshare: > http://www.slideshare.net/Pushpalanka
