GSoC2012 – Accepted ProposalImplement the W3C XML Digital Signatures for WidgetsSpecification in Apache WookieBy: Pushpala...
Implementation:(1) Signing -This should be done by the authors of the widget and/or distributors of the widget. Justbefore...
<!-- Comment before –><apache:RootElement xmlns:apache="http://www.apache.org/ns/#app1"xmlns:foo="http://example.org/#foo"...
</ds:X509Data><ds:KeyValue><ds:DSAKeyValue><ds:P>/X9TgR11EilS30qcLuzk5/YRt1I870QAwx4/gLZRJmlFXUAiUftZPY1Y+r/F9bow9subVWzXg...
(2) Verification -This needs to be done at Wookie. First step is to locate the signature files. After identifyingthe signa...
Project Schedule:I propose the following schedule for the project after considering the GSoC timeline.Until April 23:     ...
Wookie mailing list have gone through the code identifying where verification can beimplemented and understanding the proj...
[11]”Implementing SAML to XACML” [Online].Available:http://pushpalankajaya.blogspot.com/2012/02/implementing-saml-to-xacml...
Upcoming SlideShare
Loading in …5
×

GSoC2012 – Accepted Proposal Implement the W3C XML Digital Signatures for Widgets Specification in Apache Wookie

640 views

Published on

Apache Wookie is a Java server application in the incubation status at ASF. It allows administrators to upload and deploy Widgets packaged according to the W3C Widgets specification. This GSoC project aims to implement the W3C XML Digital Signatures for Widgets specification, in Wookie. With this feature, organizations can automate the installation and updating process of widgets, verifying the signature.xml of the widget to be deployed or updated.

Published in: Technology, News & Politics
2 Comments
1 Like
Statistics
Notes
No Downloads
Views
Total views
640
On SlideShare
0
From Embeds
0
Number of Embeds
11
Actions
Shares
0
Downloads
13
Comments
2
Likes
1
Embeds 0
No embeds

No notes for slide

GSoC2012 – Accepted Proposal Implement the W3C XML Digital Signatures for Widgets Specification in Apache Wookie

  1. 1. GSoC2012 – Accepted ProposalImplement the W3C XML Digital Signatures for WidgetsSpecification in Apache WookieBy: Pushpalanka JayawardhanaDepartment of Computer Science and EngineeringUniversity of MoratuwaShort description:Apache Wookie is a Java server application in the incubation status at ASF. It allowsadministrators to upload and deploy Widgets packaged according to the W3C Widgetsspecification. These widgets are then hosted in container applications which connects withWookie server and let it users to pick widgets to be added to their pages. This GSoC projectaims to implement the W3C XML Digital Signatures for Widgets specification, in Wookie.With this feature, organizations can automate the installation and updating process ofwidgets, verifying the signature.xml of the widget to be deployed or updated.Project Description:New Feature:With this new feature a widget can submit a digital signature in order to under go anautomated process of updating and deployment. According to Widget Packaging and XMLConfiguration [1] a widget can have zero or more digital signatures located at the root ofthe widget package. The specification of XML digital signatures for widgets, by W3C as at30 March 2012 [2], can be referred in implementing the feature into Apache Wookieproviding automation over trusted widget installation and updating at containerapplications. The authors and distributors can sign the widgets and at Wookie they will beverified against a trusted key store.As W3C XML signatures for widgets is also mentioned under proposals of MozillaWiki[3]this implementation will be useful for many parties.
  2. 2. Implementation:(1) Signing -This should be done by the authors of the widget and/or distributors of the widget. Justbefore packaging the widget into a zip file. According to the specification [2] author shouldsign all the non-signature files of the widget package (e.g., images, sounds, HTML files, andCSS files). A distributor should sign authors signature.xml and all other non-signature files.A distributor should not sign another distributor’s signature.xml.The authors and distributors will be given the option to use an executable jar with a simpleGUI to point to the files to be signed and set other properties for signing. Thesignature.xml will be added to the widget root, after generating according to the read inproperties and files. Then the author or distributor can make it into a .wgt file.The signature will be generated with the following properties being satisfied asrecommended in the specifications [2].  Signature algorithm - is RSA using the RSAwithSHA256  Key length - for RSA is 4096 bits.  Digest method - SHA-256.  Canonicalization algorithm - Canonical XML Version 1.1 (omits comments)  Certificate format - X.509 version 3With research done so far, Apache Santuario [4] seems a better option to use whichincludes the standard JSR 105 (Java XML Digital Signature) API. This library has been usedin several other Apache projects like Rampart and WSS4J too.Following is my first attempt to sign simple text with Apache Santuario.
  3. 3. <!-- Comment before –><apache:RootElement xmlns:apache="http://www.apache.org/ns/#app1"xmlns:foo="http://example.org/#foo" attr1="test1" attr2="test2" foo:attr1="foostest">Some simple text<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"></ds:SignatureMethod><ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"></ds:Transform></ds:Transforms><ds:DigestMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>f+pDsT3LzyKV9Sg6rdK5bBrQlbo=</ds:DigestValue></ds:Reference><ds:Reference URI="http://www.w3.org/TR/xml-stylesheet"><ds:DigestMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>iFzAxy5gZ3Z9LhSXqPhzFILiY9U=</ds:DigestValue></ds:Reference><ds:Reference URI="http://www.nue.et-inf.uni-siegen.de/index.html"><ds:DigestMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>Hpg+6h1k1jYY5yr3TRzDZzw23CQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>GovQY6sXC6Pup7MH/xtpCjbTNd1gOib8gwj8khwMUwmZ9aEC5g58rQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC9jCCArQCBDruqiowCwYHKoZIzjgEAwUAMGExCzAJBgNVBAYTAkRFMR0wGwYDVQQKExRVbml2.............. FA9ab72kKuB5geYGeckbBrcgPnZk</ds:X509Certificate>
  4. 4. </ds:X509Data><ds:KeyValue><ds:DSAKeyValue><ds:P>/X9TgR11EilS30qcLuzk5/YRt1I870QAwx4/gLZRJmlFXUAiUftZPY1Y+r/F9bow9subVWzXgTuAHTRv8mZgt2uZUKWkn5/oBHsQIsJPu6nX/rfGG/g7V+fGqKYVDwT7g/bTxR7DAjVUE1oWkTL2dfOuK2HXKu/yIgMZndFIAcc=</ds:P><ds:Q>l2BQjxUjC8yykrmCouuEC/BYHPU=</ds:Q><ds:G>9+GghdabPd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6EwoFhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSo=</ds:G><ds:Y>Eln5/htZP51p7Y/Y1+zZOSSmoi2fQS0deniScan3990xy33RrPfF5odqEVmVYfTzFfKEz94aUXEYqY2VGVRCKrAZThk1SwoOB+UyfNSVjoqa4fppIQpTalK/JeR7uxQUr0Aeop68nr2u49GijYiLyvL3x04lGaZ8jUYZL3gZTNI=</ds:Y></ds:DSAKeyValue></ds:KeyValue></ds:KeyInfo></ds:Signature></apache:RootElement><!-- Comment after -->This needs following modifications to be used for Apache Wookie.  DSA is the used signature algorithm where recommended algorithm is RSA  This is a signature enveloped by the document and what is needed is separate signature files(detached).  The signatures for widgets need to consider images, sounds files and have to check the behavior
  5. 5. (2) Verification -This needs to be done at Wookie. First step is to locate the signature files. After identifyingthe signature files of the distributor(s) and author, validation needs to be done on eachsignature separately considering the role.The verification can be implemented in W3CWidgetFactory class as another functiongiving the option for the administrators to automate the installation and updating aftersignature verification. The same library of Apache Santuario will be used here.A trusted key store will be located inside Wookie where the flexibility will be given toadministrator to point to a preferred key store via a configuration file giving the path.(3)Testing –Junit test cases will be written to check the intended functionality. As this is a securityimplementation more attention will be given on testing and W3C Test Suite for XML DigitalSignatures for Widgets [5] will be used in evaluation. With final tests and modifications willtry to achieve 100% conformance level in implementation report [6].Deliverable:  An executable jar with a simple GUI allowing authors and distributors of widgets to digitally sign the content  Wookie implemented with verification functions for signed widgets  Documentation on usage and implementation
  6. 6. Project Schedule:I propose the following schedule for the project after considering the GSoC timeline.Until April 23: Background researchApril 23 – May 21: Develop code to sign widgets under W3C specification - Verify signatures within WookieMay 21 – July 12: Write Junit test cases - Identify conformation level with W3C specification test suiteJuly13 – August 13: - Try to reach 100% conformation level with W3C test suite and do any improvements needed - Package signing functions into an executable jar with a simple GUI - Finish documenting the guidance for users and implementation details for Wookie contributors who will look into the code in the futureAdditional Information:About Me:I am Pushpalanka Jayawardhana, a fourth year undergraduate student from theDepartment of Computer Science and Engineering at University of Moratuwa, Sri Lanka. Ihave a good knowledge in Java related technologies for about 3 years mainly with studiesrelated work and security concepts, XACML (eXtensible Access Control Markup Language),SAML(Security Assertion Markup Language) and digital signatures mainly with industrialexperience at my internship.I have a good understanding and familiarization withtechnologies like Apache Axis2 and CASE tools such as Apache Ant, Apache Maven2 andSubversion.I highly appreciate free and open source software and eager to increase my contribution. Ihave contributed to Apache Axis2 project by fixing three documentation issues [7-9]. I havedeveloped an Entitlement module[10] for Apache Axis2 to provide XACML based finegrained authorization and have implemented SAML for XACML for WSO2 IdentityServer[11] which is open source, using OpenSAML library.I have managed to learn about Wookie recently learning fast, checked out the source code,built on Linux, and tried out the two Wookie tutorials attached with distribution onbuilding widgets. I’ve also discussed about this project with the community in Apache
  7. 7. Wookie mailing list have gone through the code identifying where verification can beimplemented and understanding the project structure.Considering my skills and my exposure to open source world and web securitytechnologies which is my favoured field, I’m confident that I will be able to successfullycomplete this as my GSoC project.References:[1] “Widget Packaging and XML Configuration.” [Online].Available: http://www.w3.org/TR/widgets/#digital-signatures. [Accessed: 30-Mar-2012].[2] “XML Digital Signatures for Widgets.” [Online].Available: http://dev.w3.org/2006/waf/widgets-digsig/. [Accessed: 30-Mar-2012].[3] “Mozillawiki” [Online].Available: https://wiki.mozilla.org/Apps/Security/Distribution#W3C_XML_Digital_Signatures_for_Widgets [Accessed: 4-April-2012].[4] “Apache Santuario” [Online]. Available: http://santuario.apache.org/ [Accessed: 30-Mar-2012].[5] “Test Suite for Widget Interface.” [Online].Available: http://dev.w3.org/2006/waf/widgets-digsig/test-suite/. [Accessed: 31-Mar-2012].[6] “Implementation Report.” [Online]. Available: http://dev.w3.org/2006/waf/widgets-digsig/imp-report/. [Accessed: 31-Mar-2012].[7] “AXIS2-4655-Client.java in User Guide has syntax errors”[Online].Available:http://issues.apache.org/jira/browse/AXIS2-4655[8] “AXIS2-5069 - Configuration guide should clearly state the root elements and locationsfor axis2.xml services.xml and module.xml” [Online].Available: http://issues.apache.org/jira/browse/AXIS2-5069[9] “AXIS2-5138 - RESTClient documentation example differs from RESTClient.java sourcefile” [Online]. Available: http://issues.apache.org/jira/browse/AXIS2-5138[10] “Using Entitlement Handler in WSO2 AppServer with Identity Server” [Online].Available:http://pushpalankajaya.blogspot.com/2011/05/using-entitlement-handler-in-wso2.html[Accessed: 30-Mar-2012].
  8. 8. [11]”Implementing SAML to XACML” [Online].Available:http://pushpalankajaya.blogspot.com/2012/02/implementing-saml-to-xacml.html [Accessed: 30-Mar-2012].

×