Difference between revisions of "Project Information:template OpenSign Server Project"

 
(35 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 +
----
 
{| style="width:100%" border="0" align="center"
 
{| style="width:100%" border="0" align="center"
  ! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''PROJECT IDENTIFICATION'''  
+
  ! colspan="8" align="center" style="background:#4058A0; color:white"|<font color="white">'''PROJECT IDENTIFICATION'''  
 
  |-
 
  |-
 
  | style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
 
  | style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
  | colspan="6" style="width:85%; background:#cccccc" align="left"|<font color="black">'''OWASP OpenSign Server Project (Online code signing and integrity verification service for open source community)'''  
+
  | colspan="7" style="width:85%; background:#cccccc" align="left"|<font color="black">'''OWASP OpenSign Server Project (Online code signing and integrity verification service for open source community)'''  
 
  |-
 
  |-
 
  | style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''  
 
  | style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''  
  | colspan="6" style="width:85%; background:#cccccc" align="left"|The purpose of this project would be to build and host a feature-rich server and suite of client utilities with adequate secure hardware to ensure the integrity of code modules. - The service will allow all .NET and Java code modules to be uploaded to the service to be signed by a community code signing key. Each community (such as OWASP) will have a key and corresponding Software Publishing Certificate (SPC) which can optionally be embedded in the code module itself. Generally, however, the service is intended for developers and the wider community of concerned users that want to ensure that their downloaded portable executable is exactly what it purports to be. The root key will be stored in an HSM and will sign an SPC from a locally generated key-pair of which the public key will be sent to the service. Key pair generation can be made and submitted using standard .NET delay signing and jar signing tools distributed with the SDKs, however, the project remit will ensure that a client-side graphical tool for each environment is available to generate the keys pairs needed to sign code with and allow submission to the code signing service for signing and generation of SPC by the server's proprietary CA. Anonymity will not be allowed so the project will include a database of users which will be the basis of directory for SPCs. There will be a web and web services interface using an online login and WS-Security respectively which will allow the code to be uploaded on demand and signed by a code signing key with the option to embed the certificate or not.  
+
  | colspan="7" style="width:85%; background:#cccccc" align="left"|The purpose of this project would be to build and host a feature-rich server and suite of client utilities with adequate secure hardware to ensure the integrity of code modules. - The service will allow all .NET and Java code modules to be uploaded to the service to be signed by a community code signing key. Each community (such as OWASP) will have a key and corresponding Software Publishing Certificate (SPC) which can optionally be embedded in the code module itself. Generally, however, the service is intended for developers and the wider community of concerned users that want to ensure that their downloaded portable executable is exactly what it purports to be. The root key will be stored in an HSM and will sign an SPC from a locally generated key-pair of which the public key will be sent to the service. Key pair generation can be made and submitted using standard .NET delay signing and jar signing tools distributed with the SDKs, however, the project remit will ensure that a client-side graphical tool for each environment is available to generate the keys pairs needed to sign code with and allow submission to the code signing service for signing and generation of SPC by the server's proprietary CA. Anonymity will not be allowed so the project will include a database of users which will be the basis of directory for SPCs. There will be a web and web services interface using an online login and WS-Security respectively which will allow the code to be uploaded on demand and signed by a code signing key with the option to embed the certificate or not.  
|-
 
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
 
| style="width:14%; background:#cccccc" align="center"|Project Leader<br>[mailto:philipp_p(at)gmx.at '''Phil Potisk''']<br>[mailto:techierebel(at)yahoo.co.uk '''Richard Conway''']
 
| style="width:14%; background:#cccccc" align="center"|Project Contributors<br>(if applicable)<br>[mailto:to(at)change '''Name&Email''']
 
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-opensign-server-project '''Mailing List/Subscribe''']<br>[mailto:[email protected] '''Mailing List/Use''']
 
| style="width:14%; background:#cccccc" align="center"|First Reviewer<br>[mailto:pierre.parrend(at)insa-lyon.fr '''Pierre Parrend''']<br>[http://www.rzo.free.fr/ Curriculum]
 
| style="width:14%; background:#cccccc" align="center"|Second Reviewer<br>[mailto:mark.roxberry(at)owasp.org '''Mark Roxberry''']<br>[http://www.linkedin.com/in/roxberry Profile]
 
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member<br>(if applicable)<br>[mailto:name(at)name '''Name&Email''']
 
|}
 
{| style="width:100%" border="0" align="center"
 
! colspan="6" align="center" style="background:#4058A0; color:white"|<font color="white">'''PROJECT MAIN LINKS'''
 
|-
 
| style="width:100%; background:#cccccc" align="center"|
 
* [http://code.google.com/p/opensign-project/ OpenSign Project]
 
* current release: [http://opensign-project.googlecode.com/files/OpenSignServer-0.2-bin.tar.gz OpenSignServer-0.2-bin.tar.gz ]
 
|}
 
{| style="width:100%" border="0" align="center"
 
! colspan="6" align="center" style="background:#4058A0; color:white"|<font color="white">'''SPONSORS & GUIDELINES'''
 
 
  |-
 
  |-
  | style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]  
+
  | style="width:15%; background:#7B8ABD" align="center"|'''Key Project Information'''
  | style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#Online code signing and integrity verification service for open source community (OpenSign Server)|'''Sponsored Project/Guidelines/Roadmap''']]
+
| style="width:14%; background:#cccccc" align="center"|Project Leader<br>[[User:Philipp Potisk|'''Phil Potisk''']]<br>[mailto:techierebel(at)yahoo.co.uk '''Richard Conway''']
 +
| style="width:16%; background:#cccccc" align="center"|Project Contributors<br>(if any)
 +
| style="width:10%; background:#cccccc" align="center"|Mailing list<br>[https://lists.owasp.org/mailman/listinfo/owasp-opensign-server-project '''Subscribe here''']<br>[mailto:Owasp-OpenSign-Server-[email protected] '''Use here''']
 +
| style="width:16%; background:#cccccc" align="center"|
 +
License<br>[http://www.gnu.org/licenses/gpl.html '''GNU General Public License v3''']
 +
| style="width:14%; background:#cccccc" align="center"|
 +
Project Type<br>[https://www.owasp.org/index.php/Category:OWASP_Project#tab=Beta_Status_Projects '''Tool''']
 +
  | style="width:15%; background:#cccccc" align="center"|Sponsor<br>[[OWASP Summer of Code 2008|'''OWASP SoC 08''']]
 
  |}
 
  |}
{| style="width:100%" border="0" align="center"
+
{| style="width:100%" border="0" align="center"  
  ! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
+
  ! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Release Status'''  
|-
+
  ! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Main Links'''
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
+
  ! align="center" style="background:#7B8ABD; color:white"|<font color="black">'''Related Projects'''  
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation'''<br>(applicable for Alpha Quality & further)
 
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer'''<br>(applicable for Alpha Quality & further)
 
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer'''<br>(applicable for Beta Quality & further)
 
  | style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member'''<br>(applicable just for Release Quality)
 
|-
 
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
 
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes/No''' (To update)<br>---------<br>[[Project Information:template OpenSign Server Project - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
 
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes/No''' (To update)<br>---------<br>[[Project Information:template OpenSign Server Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
 
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes/No''' (To update)<br>---------<br>[[Project Information:template OpenSign Server Project 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
 
  | style="width:22%; background:#C2C2C2" align="center"|X
 
|-
 
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
 
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes/No''' (To update)<br>---------<br>Which status has been reached?<br>'''Season of Code''' - (To update)<br>---------<br>[[Project Information:template OpenSign Server Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
 
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes/No''' (To update)<br>---------<br>Which status has been reached?<br>'''Season of Code''' - (To update)<br>---------<br>[[Project Information:template OpenSign Server Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
 
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached?<br>'''Yes/No''' (To update)<br>---------<br>Which status has been reached?<br>'''Season of Code''' - (To update)<br>---------<br>[[Project Information:template OpenSign Server Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
 
| style="width:22%; background:#C2C2C2" align="center"|X
 
 
  |-
 
  |-
 +
| style="width:29%; background:#cccccc" align="center"|
 +
'''[[:Category:OWASP Project Assessment#Beta Quality Tool Criteria|Beta Quality]]'''<br>[[:Category:OWASP OpenSign Server Project - Assessment Frame|Please see here for complete information.]]
 +
| style="width:42%; background:#cccccc" align="center"|
 +
[http://code.google.com/p/opensign-project/ OpenSign Project - code.google.com]<br>[https://www.owasp.org/images/0/04/OpenSign_Server_Demo_oss_0_4_ossjclient_0_9.ppt OpenSign Server Demo - Power Point Presentation]<br>server: [http://opensign-project.googlecode.com/files/OpenSignServer-1.0-bin.tar.gz OpenSignServer-1.0-bin.tar.gz ]<br>client: [http://opensign-project.googlecode.com/files/OSSJClient-1.0-bin.tar.gz OSSJClient-1.0-bin.tar.gz ]
 +
| style="width:29%; background:#cccccc" align="center"|
 +
(if any, add link here)
 
  |}
 
  |}
 
----
 
 
=Releases=
 
==OpenSign Server==
 
===Version 0.2 (14th of July 08)===
 
 
* Demo-wise set up of an X.509 hierarchy intending to provide code siging certificates. This involves one root issuer, an unlimited number of sub-issuers and end-users.   
 
* End-users may issue a certificate sign request and obtain the certificate in return.
 
* Demo accounts of to end-users ("user1", "user2") and two issuers ("root", "user3") each with password "123".   
 
* Possibility for registering new end-users and issuers.
 
* Session handling - login, logout of users   
 
* Storage of issuer key-pair's and all certificates in server side key store.
 
* Public access of all certificates in the system, with support of binary and PEM format. Eg.: Certificate from root issuer may be retrieved
 
*:  - in binary format (default): http://localhost:8080/root?property=cert
 
*:  - or PEM formatted: http://localhost:8080/root?property=cert&responseFormat=PEM   
 
* User/resource profile, which is accessible at the resource path without further parameters, eg.: http://localhost:8080/root/user1
 
 
===Version 0.2 (1st of July 08)===
 
 
* Access of root certificate via HTTP-GET http://localhost:8080/ca
 
* Certificate issuing by sending a Certificate Signing Request (PEM-formatted PKCS#10 structure) via HTTP-POST to http://localhost:8080/ca/csr
 
 
==OpenSign Client==
 
 
----
 
----
 
=Roadmap=
 
=OpenSign Server=
 
 
'''Goal'''
 
 
The goal of the Opensign Server (OSS) is to serve as trusted third party in order to prove the integrity and authenticity of binaries. To meet this goal following roadmap will be implemented:
 
 
'''Version 0.1'''
 
 
This version is a proof of concept implementation, which shows that processing a Certificate Signing Request (CSR) and issuing a X.509 certificate is working in an efficient way. Furthermore the generation and distributing of the root certificate is also supported.
 
 
'''Version 0.2'''
 
 
The server is enhanced by the possibility to support certificate issuing for multiple users. In this case users must be authenticated before generating a certificate.
 
 
'''Version 0.3'''
 
 
User management is done through the persistence layer, where Hibernate is the technology of choice. It is now possible to dynamically add users through the web-interface.
 
 
'''Version 0.4'''
 
 
The role of the Review is introduced. Users must be associated with a Reviewer before being able to generate a certificate.
 
 
'''Version 0.5'''
 
 
The web-interface is enriched with dynamically generated sites which allows the maintenance of the system depending of the user role.
 
 
'''Version 1.0'''
 
 
Well tested and documented system which is running online at: www.???.com. '''This is the goal for Summer of Code 2008!'''
 
 
'''Version 2.0'''
 
 
The second version of the OSS allows the server side code signing. Code modules are uploaded, virus scanned and signed by a corresponding key. No client side key management is required. Furthermore, this service has a downloading area where anybody can download the signed modules.
 
 
==OpenSign Client==
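
Review bot: The new "Key Project Information" row has one cell fewer than the widened header allows. The heading was changed to colspan="8", and the Project Name and Short Project Description rows to a label cell plus colspan="7", but the added row carries only seven cells (the label, Project Leader, Project Contributors, Mailing list, License, Project Type, Sponsor, with widths that already sum to 100%). Either leave the spans at 7 and 6, or give one cell in the new row colspan="2", so that every row of the table covers the same number of columns.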
 

Latest revision as of 19:09, 9 March 2009


PROJECT IDENTIFICATION

Project Name: OWASP OpenSign Server Project (Online code signing and integrity verification service for open source community)

Short Project Description: The purpose of this project would be to build and host a feature-rich server and suite of client utilities with adequate secure hardware to ensure the integrity of code modules. The service will allow all .NET and Java code modules to be uploaded to the service to be signed by a community code signing key. Each community (such as OWASP) will have a key and corresponding Software Publishing Certificate (SPC) which can optionally be embedded in the code module itself. Generally, however, the service is intended for developers and the wider community of concerned users that want to ensure that their downloaded portable executable is exactly what it purports to be. The root key will be stored in an HSM and will sign an SPC from a locally generated key pair, of which the public key will be sent to the service. Key pairs can be generated and submitted using the standard .NET delay signing and jar signing tools distributed with the SDKs; however, the project remit will ensure that a client-side graphical tool for each environment is available to generate the key pairs needed to sign code with and to allow submission to the code signing service for signing and generation of an SPC by the server's proprietary CA. Anonymity will not be allowed, so the project will include a database of users which will be the basis of a directory for SPCs. There will be a web interface and a web services interface, using an online login and WS-Security respectively, which will allow the code to be uploaded on demand and signed by a code signing key, with the option to embed the certificate or not.

Key Project Information
Project Leader: Phil Potisk, Richard Conway
Project Contributors: (if any)
Mailing list: Subscribe here, Use here
License: GNU General Public License v3
Project Type: Tool
Sponsor: OWASP SoC 08

Release Status: Beta Quality (Please see here for complete information.)

Main Links:
OpenSign Project - code.google.com
OpenSign Server Demo - Power Point Presentation
server: OpenSignServer-1.0-bin.tar.gz
client: OSSJClient-1.0-bin.tar.gz

Related Projects: (if any, add link here)