This year for the first time we had a Google Summer of Code project in Apache Wookie – Pushpalanka Jayawardhana took on the challenge of implementing the W3C XML Digital Signatures for Widgets specification, which describes how to sign and verify a W3C Widget.
Of course, actually implementing the specification in Wookie required a lot more than just the signing and verification routines, but a complete workflow, including how to sign a widget as an author, how to configure the verification options for the Wookie server application, and how to establish whether to trust a widget that contains a valid digital signature. So rather than just following a published specification, the project also involved a lot of design challenges.
The end result is a suite of components and enhancements for Wookie: Pushpalanka created a standalone application to help authors sign their widgets, added signature verification capabilities to the Wookie W3C Widget parser library, and implemented a configurable verification workflow in the server code itself. You can read a detailed description of the design and implementation over on Pushpalanka’s blog.
As a result, a Wookie server administrator can now choose whether to check whether widgets added to Wookie have digital signatures, whether to reject widgets that have invalid signatures or just log a warning, and whether to require widgets to be signed by a trusted party whose certificate is included in the server keystore.
Thanks Pushpalanka for adding this great set of features to Wookie, and thank you Google for sponsoring this effort through Google Summer of Code!