Hi Scott,

Thanks a lot for the valuable opinions.

   - I asked on the list [email protected] and got a reply from
   Marcos Caceres saying that OpenSSL will help, which is used in the W3C
   test suite for XML Digital Signatures for
   widgets <http://dev.w3.org/2006/waf/widgets-digsig/test-suite/tools/>.
   But OpenSSL is implemented in C and needs some workaround to use here.
   Apache Santuario <http://santuario.apache.org/> seems a better option,
   which includes the standard JSR 105 (Java XML Digital Signature) API and
   is implemented in Java. This library has been used in several other
   Apache projects like Rampart and WSS4J.


   - In allowing authors and distributors to sign their widgets, I think
   you meant having '.sh' and '.bat' files. I'm glad to know your opinion on
   signing via an executable jar which will have its own simple user
   interface. That way it won't be dependent on the platform.

On Fri, Mar 23, 2012 at 7:36 PM, Scott Wilson <
[email protected]> wrote:

> On 23 Mar 2012, at 13:25, Pushpalanka Jayawardhana wrote:
>
> > Hi Scott,
> >
> > I tried to debug the Wookie code and convince myself of the factors you
> > highlighted.
> >
> > (1).   It was evident that 'W3CWidgetFactory' can have the validating
> > methods for the passed in zip file. Hope 'Java XML Digital Signature API'
> > which can be applied to data of any type, XML or binary will be a good
> > candidate to use and like to know any opinion on that.
>
> It should be OK, though it may be best to ask on the
> [email protected] list to be sure.
>
> >
> > (2).  As far as I understood, we can have trusted key stores for the
> > servers in such a way that a configuration file in each server has the
> > path to relevant key store and when signing and validating it can be
> > referred as preferred.
>
> Yes, that sounds right.
>
> >
> > (3).  I still could not identify any place where signing can be
> > implemented (I looked for some place where packaging is done, as signing
> > has to be done just before packaging.)
>
> That's right - Wookie principally consumes widgets that have already been
> packaged and distributed, rather than builds them. However, it may be
> useful to have a command-line utility to help authors sign their widgets.
>
> >
> > I'm so thankful if you can correct me, if I am wrong and any hint on
> > somewhere I can start to look on, to check possibility of implement
> > signing.
> >
> > On Mon, Mar 19, 2012 at 7:28 PM, Pushpalanka Jayawardhana <
> > [email protected]> wrote:
> >
> >> Hi Scott,
> >>
> >> This helps a lot.
> >> Thank you!
> >>
> >>
> >> On Sun, Mar 18, 2012 at 2:35 PM, Scott Wilson <
> >> [email protected]> wrote:
> >>
> >>> On 18 Mar 2012, at 06:55, Pushpalanka Jayawardhana wrote:
> >>>
> >>> Hi Pushpalanka,
> >>>
> >>>
> >>>> Hi,
> >>>>
> >>>> I am Pushpalanka Jayawardhana, and I am willing to complete this new
> >>>> feature, WOOKIE-139 as my GSoC project this year.
> >>>
> >>> Great!
> >>>
> >>>> I have experience related to WS-security in my internship period and I
> >>>> love to sharpen knowledge in the field. I have worked with digital
> >>>> signatures using OpenSAML library in implementing SAML for XACML. But
> >>>> new to Wookie widgets.
> >>>>
> >>>> Currently I am going through this
> >>>> spec <http://dev.w3.org/2006/waf/widgets-digsig/> and having hands on
> >>>> experience with Wookie according to this
> >>>> guidance <http://incubator.apache.org/wookie/docs/developer/running.html>
> >>>> in standalone mode.
> >>>> I am thankful for any guidance on how should I proceed.
> >>>
> >>>
> >>> This is definitely the place to start. The DigSig spec is clearly the
> >>> main source of official information, and to understand how it fits with
> >>> Wookie the main thing is to get familiar with Wookie - both in terms of
> >>> how it works and also the general structure of the project.
> >>>
> >>> There is also a basic test suite at W3C for the DigSig spec that
> >>> includes lots of sample widgets for testing signature validation:
> >>>
> >>> http://dev.w3.org/2006/waf/widgets-digsig/test-suite/
> >>>
> >>> I can think of two areas where you might want to look at implementing
> >>> digsig in Wookie:
> >>>
> >>> 1. Wookie has a generic W3C Widget Parser library (in /parser) that
> >>> builds as a standalone jar that can be used in other Java-based W3C
> >>> Widget implementations as well as the Wookie server itself. DigSig
> >>> functionality could be added to the parser itself, so that when a .wgt
> >>> package is sent to the parser, it can also optionally validate
> >>> signatures. The entry point for this is the W3CWidgetFactory class:
> >>>
> >>> http://svn.apache.org/viewvc/incubator/wookie/trunk/parser/java/src/org/apache/wookie/w3c/W3CWidgetFactory.java?view=markup
> >>>
> >>> 2. In the main Wookie server there are various points where signatures
> >>> might be implemented. For example, we may want to store a list of
> >>> trusted authors and distributors for each server - this could then be
> >>> passed to the Parser factory when asking it to check a .wgt. Metadata
> >>> about signatories and validation results could also be included in the
> >>> XML returned to connectors about widgets.
> >>>
> >>> Hope this helps - good luck with your GSoC application!
> >>>
> >>> S
> >>>
> >>>>
> >>>> Thank you!
> >>>> Best Regards,
> >>>>
> >>>> Pushpalanka Jayawardhana | Undergraduate | Computer Science and
> >>>> Engineering
> >>>> University of Moratuwa
> >>>>
> >>>> +94779716248
> >>>
> >>>
> >>
> >>
> >> --
> >> Pushpalanka Jayawardhana | Undergraduate | Computer Science and
> >> Engineering
> >> University of Moratuwa
> >>
> >> +94779716248 | http://pushpalankajaya.blogspot.com
> >>
> >> Twitter: http://twitter.com/Pushpalanka | Slideshare:
> >> http://www.slideshare.net/Pushpalanka
> >>
> >>
> >>
> >
> > Best Regards,
> > --
> > Pushpalanka Jayawardhana | Undergraduate | Computer Science and
> > Engineering
> > University of Moratuwa
> >
> > +94779716248 | http://pushpalankajaya.blogspot.com
> >
> > Twitter: http://twitter.com/Pushpalanka | Slideshare:
> > http://www.slideshare.net/Pushpalanka
>
>

Thank You and Best Regards,
-- 
Pushpalanka Jayawardhana | Undergraduate | Computer Science and Engineering
University of Moratuwa

+94779716248 | http://pushpalankajaya.blogspot.com

Twitter: http://twitter.com/Pushpalanka | Slideshare:
http://www.slideshare.net/Pushpalanka
