Uploaded image for project: 'Wookie'
  1. Wookie
  2. WOOKIE-139

Implement the W3C XML Digital Signatures for Widgets specification in Wookie

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.12.0
    • Component/s: None
    • Labels:

      Description

      W3C XML Digital Signatures for Widgets specifies how both authors and distributors of widgets can digitally sign a Widget package:

      The spec is here: http://dev.w3.org/2006/waf/widgets-digsig/

      This means that an organisation can choose to automatically install and update widgets that carry recognised signatures - for example from a reputable online widget store (distributor) or from an approved widget author rather than require admin intervention to approve them.

      For Wookie this means implementing the mechanism for locating and verifying W3C signature.xml files in Widgets, and providing signature management options.

      For example, we may want to have a configuration property set for requiring signatures be checked, and a file where trusted signatories are listed for checking against when a new widget is uploaded, or a new version is detected online using Widget Updates.

      We may also want to look at how Wookie can delegate upwards decisions based on signature verification, for example to let an Apache Rave admin choose to allow automatic publishing of signed widgets from trusted sources provided that Wookie has verified the signature and returned this information to Rave. This could be handled in the response to uploading a widget to Wookie using the REST API, e.g. adding <signature verified="true" type="author"/> to the metadata returned in the response body.

      1. logo.png
        6 kB
        Pushpalanka Jayawardhana
      2. Signer_W3C_widget_digisg.patch
        59 kB
        Pushpalanka Jayawardhana
      3. verifying_digital_signatures_v2.patch
        46 kB
        Pushpalanka Jayawardhana
      4. Wookie_Widget_Signer_Guide
        2 kB
        Pushpalanka Jayawardhana
      5. wookie-digsig-v1.patch
        14 kB
        Paul Sharples

        Activity

        Hide
        scottbw Scott Wilson added a comment -

        Assigning to fix in 0.8.2

        Show
        scottbw Scott Wilson added a comment - Assigning to fix in 0.8.2
        Hide
        scottbw Scott Wilson added a comment -

        This could be a big task, so moving to a new feature for 0.9.2

        Show
        scottbw Scott Wilson added a comment - This could be a big task, so moving to a new feature for 0.9.2
        Hide
        psharples Paul Sharples added a comment -

        I've got the UI running but can you provide a quick explanation of the values one would enter into each field? (i.e. a short guide on its usage?)

        Show
        psharples Paul Sharples added a comment - I've got the UI running but can you provide a quick explanation of the values one would enter into each field? (i.e. a short guide on its usage?)
        Hide
        pushpalanka Pushpalanka Jayawardhana added a comment -

        Here attached a small guide on the usage of widget signer.

        Show
        pushpalanka Pushpalanka Jayawardhana added a comment - Here attached a small guide on the usage of widget signer.
        Hide
        psharples Paul Sharples added a comment -

        Just an update. I've finally been able to get it working. I applied the patch to the wookie codebase locally on my machine.

        Some things of note...

        The wookiekeystore.jks file seems to have been corrupted and won't load into the application (possibly it was mangled when the patch was created)
        I generated another one using the java keytool and the application got further, but failed when I tried to sign the resources...

        Exception in thread "AWT-EventQueue-0" java.lang.AbstractMethodError: org.apache.xerces.dom.ElementNSImpl.setIdAttributeNS(Ljava/lang/String;Ljava/lang/String;Z)V
        at org.apache.xml.security.signature.XMLSignature.setId(XMLSignature.java:422)
        at org.apache.wookie.digsig.ui.SignWidgets.sign(SignWidgets.java:148)

        A google search on this message seems to point to a possible issue with the xerces library.
        (An old version of xerces (2.0.2) is added to the wookie classpath in ivy as a dependency of ddlutils)
        When I removed the ddlutils ivy reference, the digsig application ran without errors.

        I'm interested to know if you had the digsig code as part of the wookie code in your IDE or was it setup as a separate project?
        If it was part of the existing wookie code, what version of 'XercesImpl' is on the classpath? (retrieved by ivy)

        thanks

        Show
        psharples Paul Sharples added a comment - Just an update. I've finally been able to get it working. I applied the patch to the wookie codebase locally on my machine. Some things of note... The wookiekeystore.jks file seems to have been corrupted and won't load into the application (possibly it was mangled when the patch was created) I generated another one using the java keytool and the application got further, but failed when I tried to sign the resources... Exception in thread "AWT-EventQueue-0" java.lang.AbstractMethodError: org.apache.xerces.dom.ElementNSImpl.setIdAttributeNS(Ljava/lang/String;Ljava/lang/String;Z)V at org.apache.xml.security.signature.XMLSignature.setId(XMLSignature.java:422) at org.apache.wookie.digsig.ui.SignWidgets.sign(SignWidgets.java:148) A google search on this message seems to point to a possible issue with the xerces library. (An old version of xerces (2.0.2) is added to the wookie classpath in ivy as a dependency of ddlutils) When I removed the ddlutils ivy reference, the digsig application ran without errors. I'm interested to know if you had the digsig code as part of the wookie code in your IDE or was it setup as a separate project? If it was part of the existing wookie code, what version of 'XercesImpl' is on the classpath? (retrieved by ivy) thanks
        Hide
        pushpalanka Pushpalanka Jayawardhana added a comment -

        I have developed the digsig code as part of Wookie in the IDE. xercesImpl 2.0.2 jar is in the classpath. I will try to apply the patch in my local machine and check.

        Show
        pushpalanka Pushpalanka Jayawardhana added a comment - I have developed the digsig code as part of Wookie in the IDE. xercesImpl 2.0.2 jar is in the classpath. I will try to apply the patch in my local machine and check.
        Hide
        psharples Paul Sharples added a comment -

        I think I got to the bottom of the problem by excluding xerces from the ddlutils dependency in ivy.xml. I've done a few tests and everything seems to be working okay, but we will have to keep an eye on it in case it now causes other problems elsewhere in wookie. (we'll have to put it back as it was & try something else if thats the case)

        I've just committed the code to svn, with minor changes. Although its not quite configured as a wookie subproject yet, I've laid it out as if it will be in the future. (i.e. it could have its own ivy, build tasks etc so that we could automate building an executable jar for example).

        Please take a look at the source code and let me know if there are any ommissions or errors. I've named it digsig-client - thinking that the dig-sig server part will eventually live inside the root src folder, when done.

        thanks!

        Show
        psharples Paul Sharples added a comment - I think I got to the bottom of the problem by excluding xerces from the ddlutils dependency in ivy.xml. I've done a few tests and everything seems to be working okay, but we will have to keep an eye on it in case it now causes other problems elsewhere in wookie. (we'll have to put it back as it was & try something else if thats the case) I've just committed the code to svn, with minor changes. Although its not quite configured as a wookie subproject yet, I've laid it out as if it will be in the future. (i.e. it could have its own ivy, build tasks etc so that we could automate building an executable jar for example). Please take a look at the source code and let me know if there are any ommissions or errors. I've named it digsig-client - thinking that the dig-sig server part will eventually live inside the root src folder, when done. thanks!
        Hide
        pushpalanka Pushpalanka Jayawardhana added a comment -

        Thanks a lot Paul!

        For optional verification of signatures at deployment, following is the plan from the feed backs got from Scott.

        Introduce following in widgetserver.properties file in root src directory.
        widget.deployment.verifysignature = true
        widget.deployment.trustedkeystore=/(path to a configuration file that has a set of fingerprints as a whiltelist for trusted parties.)

        I have developed code for basic verifying and looking for integration of it to Wookie. It will be great if I can have some guidance on where should I look to read the above properties and integrate validation at deployment. The validation method can be placed inside W3CWidgetFactory class of parser, easily accessing the unzipped widget. But I'm doubtful on how the flow should happen to reach there.

        Show
        pushpalanka Pushpalanka Jayawardhana added a comment - Thanks a lot Paul! For optional verification of signatures at deployment, following is the plan from the feed backs got from Scott. Introduce following in widgetserver.properties file in root src directory. widget.deployment.verifysignature = true widget.deployment.trustedkeystore=/(path to a configuration file that has a set of fingerprints as a whiltelist for trusted parties.) I have developed code for basic verifying and looking for integration of it to Wookie. It will be great if I can have some guidance on where should I look to read the above properties and integrate validation at deployment. The validation method can be placed inside W3CWidgetFactory class of parser, easily accessing the unzipped widget. But I'm doubtful on how the flow should happen to reach there.
        Hide
        psharples Paul Sharples added a comment - - edited

        Hi, I've uploaded a patch which should help you.

        W3CWidgetFactory now has a reference to a IDigitalSignatureProcessor (which was set in the WidgetsController class). The instantiation of this is DigitalSignatureProcessor, which has loaded the property settings as private variables.

        This works in a similar fashion to the IStartPageProcessor also found in W3CWidgetFactory.

        Note: wookiekeystore.jks at the root of the /src folder will have to be replaced with a real one.

        Feel free to modify anything.

        Show
        psharples Paul Sharples added a comment - - edited Hi, I've uploaded a patch which should help you. W3CWidgetFactory now has a reference to a IDigitalSignatureProcessor (which was set in the WidgetsController class). The instantiation of this is DigitalSignatureProcessor, which has loaded the property settings as private variables. This works in a similar fashion to the IStartPageProcessor also found in W3CWidgetFactory. Note: wookiekeystore.jks at the root of the /src folder will have to be replaced with a real one. Feel free to modify anything.
        Hide
        pushpalanka Pushpalanka Jayawardhana added a comment -

        "verifying_digital_signatures_v2.patch" file includes the implementation to verify signatures included inside widgets according to W3C widget digsig spec. The widgetserver.properties file can be used to set different levels of security to be considered at deployment level.

        Show
        pushpalanka Pushpalanka Jayawardhana added a comment - "verifying_digital_signatures_v2.patch" file includes the implementation to verify signatures included inside widgets according to W3C widget digsig spec. The widgetserver.properties file can be used to set different levels of security to be considered at deployment level.
        Hide
        scottbw Scott Wilson added a comment -

        Thanks! I've applied the patch - all seems to work fine for me

        Show
        scottbw Scott Wilson added a comment - Thanks! I've applied the patch - all seems to work fine for me
        Hide
        scottbw Scott Wilson added a comment -

        Feature implemented

        Show
        scottbw Scott Wilson added a comment - Feature implemented

          People

          • Assignee:
            Unassigned
            Reporter:
            scottbw Scott Wilson
          • Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development