On 26 Mar 2012, at 11:08, Pushpalanka Jayawardhana wrote:

> Hi Scott,
>
> Thanks a lot for the valuable opinions.
>
> - I asked in the list [email protected] and got a reply from
> Marcos Caceres saying that OpenSSL will help, which is used in the W3C
> test suite for XML Digital Signatures for
> widgets <http://dev.w3.org/2006/waf/widgets-digsig/test-suite/tools/>.
> But OpenSSL is implemented in C and needs some workaround to use here. Apache
> Santuario <http://santuario.apache.org/> seems a better option which
> includes the standard JSR 105 (Java XML Digital Signature) API and
> implemented in Java. This library has been used in several other Apache
> projects like Rampart and WSS4J.

Looks good!

>
> - In allowing authors and distributors to sign their widgets, I think
> you meant having '.sh' and '.bat' files. I'm glad to know your opinion on
> signing via an executable jar which will have its own simple user
> interface. That way it won't be dependent on the platform.

Yes, that was what I meant, but I think your idea is better :)

(I was discussing widgets-digsig on the Mozilla lists as well this week, and a nice easy tool for signing widgets would be welcome there too.)

>
> On Fri, Mar 23, 2012 at 7:36 PM, Scott Wilson <[email protected]> wrote:
>
>> On 23 Mar 2012, at 13:25, Pushpalanka Jayawardhana wrote:
>>
>>> Hi Scott,
>>>
>>> I tried to debug the Wookie code and convince myself the factors you
>>> highlighted.
>>>
>>> (1). It was evident that 'W3CWidgetFactory' can have the validating
>>> methods for the passed in zip file. Hope 'Java XML Digital Signature API'
>>> which can be applied to data of any type, XML or binary will be a good
>>> candidate to use and like to know any opinion on that.
>>
>> It should be OK, though it may be best to ask on the
>> [email protected] list to be sure.
>>
>>>
>>> (2). As far as I understood, we can have trusted key stores for the
>>> servers in such a way that a configuration file in each server has the path
>>> to relevant key store and when signing and validating it can be referred as
>>> preferred.
>>
>> Yes, that sounds right.
>>
>>>
>>> (3). I still could not identify any place where signing can be
>>> implemented (I looked for some place where packaging is done, as signing has
>>> to be done just before packaging.)
>>
>> That's right - Wookie principally consumes widgets that have already been
>> packaged and distributed, rather than builds them. However, it may be
>> useful to have a command-line utility to help authors sign their widgets.
>>
>>>
>>> I'm so thankful if you can correct me, if I am wrong and any hint on
>>> somewhere I can start to look on, to check possibility of implement
>>> signing.
>>>
>>> On Mon, Mar 19, 2012 at 7:28 PM, Pushpalanka Jayawardhana <[email protected]> wrote:
>>>
>>>> Hi Scott,
>>>>
>>>> This helps a lot.
>>>> Thank you!
>>>>
>>>>
>>>> On Sun, Mar 18, 2012 at 2:35 PM, Scott Wilson <[email protected]> wrote:
>>>>
>>>>> On 18 Mar 2012, at 06:55, Pushpalanka Jayawardhana wrote:
>>>>>
>>>>> Hi Pushpalanka,
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I am Pushpalanka Jayawardhana, and I am willing to complete this new
>>>>>> feature, WOOKIE-139 as my GSoC project this year.
>>>>>
>>>>> Great!
>>>>>
>>>>>> I have experience related to WS-security in my internship period and I love
>>>>>> to sharpen knowledge in the field. I have worked with digital signatures
>>>>>> using
>>>>>> OpenSAML library in implementing SAML for XACML. But new to Wookie widgets.
>>>>>>
>>>>>> Currently I am going through this
>>>>>> spec <http://dev.w3.org/2006/waf/widgets-digsig/> and having hands on
>>>>>> experience with Wookie according to this
>>>>>> guidance <http://incubator.apache.org/wookie/docs/developer/running.html> in
>>>>>> standalone mode.
>>>>>> I am thankful for any guidance on how should I proceed.
>>>>>
>>>>> This is definitely the place to start. The DigSig spec is clearly the
>>>>> main source of official information, and to understand how it fits with
>>>>> Wookie the main thing is to get familiar with Wookie - both in terms of how
>>>>> it works and also the general structure of the project.
>>>>>
>>>>> There is also a basic test suite at W3C for the DigSig spec that includes
>>>>> lots of sample widgets for testing signature validation:
>>>>>
>>>>> http://dev.w3.org/2006/waf/widgets-digsig/test-suite/
>>>>>
>>>>> I can think of two areas where you might want to look at implementing
>>>>> digsig in Wookie:
>>>>>
>>>>> 1. Wookie has a generic W3C Widget Parser library (in /parser) that
>>>>> builds as a standalone jar that can be used in other Java-based W3C Widget
>>>>> implementations as well as the Wookie server itself. DigSig functionality
>>>>> could be added to the parser itself, so that when a .wgt package is sent to
>>>>> the parser, it can also optionally validate signatures. The entry point for
>>>>> this is the W3CWidgetFactory class:
>>>>>
>>>>> http://svn.apache.org/viewvc/incubator/wookie/trunk/parser/java/src/org/apache/wookie/w3c/W3CWidgetFactory.java?view=markup
>>>>>
>>>>> 2. In the main Wookie server there are various points where signatures
>>>>> might be implemented. For example, we may want to store a list of trusted
>>>>> authors and distributors for each server - this could then be passed to the
>>>>> Parser factory when asking it to check a .wgt. Metadata about signatories
>>>>> and validation results could also be included in the XML returned to
>>>>> connectors about widgets.
>>>>>
>>>>> Hope this helps - good luck with your GSoC application!
>>>>>
>>>>> S
>>>>>
>>>>>>
>>>>>> Thank you!
>>>>>> Best Regards,
>>>>>>
>>>>>> Pushpalanka Jayawardhana | Undergraduate | Computer Science and Engineering
>>>>>> University of Moratuwa
>>>>>>
>>>>>> +94779716248
>>>>>> [image: Facebook] <https://www.facebook.com/pushpalanka>
>>>>>> [image: Twitter] <http://twitter.com/Pushpalanka>
>>>>>> [image: Blogger] <http://pushpalankajaya.blogspot.com/>
>>>>>> [image: SlideShare] <http://www.slideshare.net/Pushpalanka>
>>>>>> [image: LinkedIn] <http://lk.linkedin.com/pub/pushpalanka-jayawardhana/21/214/50a>
>>>>>> Contact me: [image: Google Talk] Pushpalanka [image: Y! Messenger] Pushpalanka
>>>>>
>>>>
>>>> --
>>>> Pushpalanka Jayawardhana | Undergraduate | Computer Science and Engineering
>>>> University of Moratuwa
>>>>
>>>> +94779716248 | http://pushpalankajaya.blogspot.com
>>>>
>>>> Twitter: http://twitter.com/Pushpalanka | Slideshare:
>>>> http://www.slideshare.net/Pushpalanka
>>>>
>>>
>>> Best Regards,
>>> --
>>> Pushpalanka Jayawardhana | Undergraduate | Computer Science and Engineering
>>> University of Moratuwa
>>>
>>> +94779716248 | http://pushpalankajaya.blogspot.com
>>>
>>> Twitter: http://twitter.com/Pushpalanka | Slideshare:
>>> http://www.slideshare.net/Pushpalanka
>>
>
> Thank You and Best Regards,
> --
> Pushpalanka Jayawardhana | Undergraduate | Computer Science and Engineering
> University of Moratuwa
>
> +94779716248 | http://pushpalankajaya.blogspot.com
>
> Twitter: http://twitter.com/Pushpalanka | Slideshare:
> http://www.slideshare.net/Pushpalanka
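
The validation step discussed in this thread (checking a .wgt package's signature with the JSR 105 API against a server's trusted key store), sketched as an added example that is not part of the original messages or of Wookie's code. The class and method names are hypothetical; it assumes Java 17, checks only the author signature file (`author-signature.xml`, as named by the widgets-digsig spec), and treats a signer as trusted only when its exact certificate is present in the supplied `KeyStore`.

```java
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.zip.*;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
public class WidgetSignatureCheck { // hypothetical name; added example, not Wookie code
    public static boolean validate(ZipFile zip, KeyStore trusted) throws Exception {
        ZipEntry sig = zip.getEntry("author-signature.xml");
        if (sig == null) return false; // unsigned package
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        Document doc = dbf.newDocumentBuilder().parse(zip.getInputStream(sig));
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) return false; // exactly one Signature element expected
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(trustedOnly(trusted), nl.item(0));
        ctx.setURIDereferencer((ref, c) -> {
            String uri = ref.getURI();
            if (uri == null || uri.isEmpty() || uri.startsWith("#")) // same-document reference
                return fac.getURIDereferencer().dereference(ref, c);
            try { // every other reference names a file inside the package
                ZipEntry e = zip.getEntry(java.net.URI.create(uri).getPath());
                if (e == null) throw new URIReferenceException("not in package: " + uri);
                return new OctetStreamData(zip.getInputStream(e));
            } catch (IOException ex) { throw new URIReferenceException(ex); }
        });
        return fac.unmarshalXMLSignature(ctx).validate(ctx);
    }
    static KeySelector trustedOnly(KeyStore trusted) { // key accepted only if its cert is in the store
        return new KeySelector() {
            public KeySelectorResult select(KeyInfo ki, KeySelector.Purpose p, AlgorithmMethod m,
                    XMLCryptoContext c) throws KeySelectorException {
                try {
                    for (Object o : ki.getContent())
                        if (o instanceof X509Data data)
                            for (Object x : data.getContent())
                                if (x instanceof X509Certificate cert && trusted.getCertificateAlias(cert) != null)
                                    return cert::getPublicKey;
                } catch (Exception e) { throw new KeySelectorException(e); }
                throw new KeySelectorException("signer certificate not in trust store");
            }
        };
    }
}
```

A full check per the widgets-digsig spec would also process the distributor signature files and confirm that every non-signature file in the package is covered by a reference.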
