You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ws.apache.org by GitBox <gi...@apache.org> on 2021/09/24 13:56:14 UTC
[GitHub] [ws-wss4j] free-ice opened a new pull request #41: Add wfc compat for 2 3 x
free-ice opened a new pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41
Comments: Not sure why there is a merge conflict, I rebased with 9/20 changes before pushing to the free-ice repo.
Still need to perform additional testing once I modify spring-ws to expose new options hence the draft state.
**Overview**
Add ISSUER_SERIAL_QUOTE_FORMAT option output a format that is compatiable with both Microsoft's WCF stack and Java.
This is achieved by using quotes to delimit unicode characters as opposed to a backslash.
This solves the :
**The EncryptedKey clause was not wrapped with the required encryption token 'System.IdentityModel.Tokens.X509SecurityToken'**
error seen in IIS and which dates back to at least 2007.
Example, minimal diff:
```
ISSUER_SERIAL OU=Sales,CN=J. Smith
ISSUER_SERIAL_QUOTE_FORMAT OU=Sales, CN=J. Smith
```
Example which prompted this change:
```
ISSUER_SERIAL: CN=Entrust Certification Authority - L1K,OU=(c) 2012 Entrust\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\, Inc.,C=US
ISSUER_SERIAL_QUOTE_FORMAT: CN=Entrust Certification Authority - L1K, OU="(c) 2012 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
```
**Details**
RFC 2253 seems to provide two approaches for escaping characters.
WCF seems to only support the use of using "".
Java seems to support both approaches using \ or using "".
This claim is supported by Unit tests by testing against all CA in Java's keystore used to test wss4j and also a fixed set of CA.
This patch changes the Issuers X509Principal name format to the "" delimited
format. It has simple unit tests and also another test that uses the JDK
truststore and test that Java interprets the Comma delimted RDN the
same as the \ delimited format.
This patch was originally against the 2_3_x-fixes , ~ August 2021 and has mainly been tested under Java 8,
and against both a test and production WCF system.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] coheigea merged pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
coheigea merged pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] coheigea merged pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
coheigea merged pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] free-ice commented on a change in pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
free-ice commented on a change in pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41#discussion_r717611144
##########
File path: ws-security-common/src/test/java/org/apache/wss4j/common/util/CommaDelimiterRfc2253NameTest.java
##########
@@ -0,0 +1,151 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.common.util;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+import javax.security.auth.x500.X500Principal;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.PKIXParameters;
+import java.security.cert.TrustAnchor;
+import java.security.cert.X509Certificate;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+class CommaDelimiterRfc2253NameTest {
+
+ private static final String TYPICAL_CA ="CN=Entrust Certification Authority - L1K,OU=(c) 2012 Entrust\\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\\, Inc.,C=US";
+ private static final String QUOTES_TYPICAL_CA ="CN=Entrust Certification Authority - L1K, OU=\"(c) 2012 Entrust, Inc. - for authorized use only\", OU=See www.entrust.net/legal-terms, O=\"Entrust, Inc.\", C=US";
+
+ private CommaDelimiterRfc2253Name subject = new CommaDelimiterRfc2253Name();
+
+
+ @Test
+ void whenMultipleAttributesArePresentThenSpaceIsPlacedAfterComma() {
+ String actual = new CommaDelimiterRfc2253Name().execute("CN=EOIR,OU=Some Unit,DC=Another place");
+ assertEquals("CN=EOIR, OU=Some Unit, DC=Another place",actual);
+ }
+ @Test
+ void whenRdnContainsACommaThenTheRdnIsSurroundedByDoubleQuotes() {
+ String actual = new CommaDelimiterRfc2253Name().execute(TYPICAL_CA);
+ assertEquals(QUOTES_TYPICAL_CA,actual);
+ }
+
+ @Test
+ void whenRdnIsInvalidThenExpectException() {
+ Assertions.assertThrows(IllegalArgumentException.class, () -> {
+ subject.execute("invalid");
+ });
+ }
+
+
+ @Test
+ void whenCallingUnescapeWithStringNoEscapesThenNoChangesAreMade() throws Exception {
+ String input = "This is a string with (c) no escaped! sStrings $";
+ String actual = subject.unEscapeRfc2253RdnSubPart(input);
+ assertEquals(input,actual,"Expect that string is unchanged");
+ }
+
+
+ @Test
+ void whenCallingUnescapeWithStringThenItUnescapesAppropiateCharacters() throws Exception {
+ String input = "This is a string with escapes \\,\\; \\\\ and \\< then \\> \\\"Copyright Apache\\\" ";
+ String expected = "This is a string with escapes ,; \\ and < then > \"Copyright Apache\" ";
+ String actual = subject.unEscapeRfc2253RdnSubPart(input);
+ assertEquals(expected,actual,"Expect that string is unescaped");
+ }
+
+
+ @Test
+ void whenCallingUnescapeWithStringWithMultiValueRdnThenItUnescapesAppropriateCharacters() throws Exception {
+ String input = "OU=Sales\\+CN=J. Smith\\,O=Widget Inc.\\,C=US";
+ String expected = "OU=Sales+CN=J. Smith,O=Widget Inc.,C=US";
+ String actual = subject.unEscapeRfc2253RdnSubPart(input);
+ assertEquals(expected,actual,"Expect that string is unescaped");
+ }
+
+ @Test
+ public void testThatACommaDelimitedDnStringAndABackSlashEscapedDnProducesTheSameX509PrincipalUsingDefaultTruststore()
+ throws KeyStoreException, InvalidAlgorithmParameterException, CertificateException, NoSuchAlgorithmException, IOException {
+ KeyStore keystore = loadDefaultKeyStore();
+ assertAllCaTransformsAreEquivalent(keystore);
+ }
+
+ @Test
+ public void testThatACommaDelimitedDnStringAndABackSlashEscapedDnProducesTheSameX509Principal()
+ throws KeyStoreException, InvalidAlgorithmParameterException, CertificateException, NoSuchAlgorithmException, IOException {
+ KeyStore keystore = loadKeyStore("keys/cacerts-openjdk.jks", "changeit");
Review comment:
Done
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] free-ice commented on a change in pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
free-ice commented on a change in pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41#discussion_r717710678
##########
File path: ws-security-common/src/main/java/org/apache/wss4j/common/util/CommaDelimiterRfc2253Name.java
##########
@@ -0,0 +1,106 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.common.util;
+
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+import java.util.List;
+
+/**
+ * Convert a RFC 2253 String using \ to escape unicode characters into one that is compatible
+ * with Microsoft's WFC and Java.<p><br>
+ *
+ * <strong>Detail:</strong>
+ * Converts a string in RFC2253 format and replaces \ escaped characters with a string quoted representation.
+ * It also places a space before the next RDN. <p> <br>
+ * There are two alternate ways an RFC 2253 RDN can escape unicode characters, either with '\'
+ * or by using quotes. Java seems to recognize both formats but Microsoft's WFC only seems to recognize quotes.
+ * Since implementations may escape any characters and string is already in valid format no knowledge is
+ * required of escapable characters.
+ */
+public class CommaDelimiterRfc2253Name {
+
+ /**
+ * Return rfs2253String that delimits using quotes
+ *
+ * @param rfs2253String a string in rfc 2253 format using a \ as delimiter.
+ * @return Rdn in quoted form if required.
+ */
+ public String execute(String rfs2253String) {
+ StringBuilder commaDNBuilder = new StringBuilder();
+ try {
+ LdapName ldapname = new LdapName(rfs2253String);
+ List<Rdn> rdns = ldapname.getRdns();
+
+ for (int i = rdns.size() - 1; i >= 0; i--) {
+ Rdn rdn = rdns.get(i);
+ String rdnString = rdn.toString();
+ String appendString;
+ if (requiresDoubleQuoting(rdnString)) {
+ appendString = convertToDoubleQuotes(rdnString);
+ } else {
+ appendString = rdnString;
+ }
+ if (i == rdns.size() - 1) {
+ commaDNBuilder.append(appendString);
+ } else {
+ commaDNBuilder.append(", ").append(appendString);
+ }
+ }
+ } catch (InvalidNameException e) {
+ throw new IllegalArgumentException(" The distinguished name cannot be parsed : " + rfs2253String);
Review comment:
The execute() method throws the same exception as the X500Principal.getName() so from an possible thrown Exception prespective that has not changed.
From JDK 11:
```
public String getName(String format) {
if (format != null) {
if (format.equalsIgnoreCase(RFC1779)) {
return thisX500Name.getRFC1779Name();
} else if (format.equalsIgnoreCase(RFC2253)) {
return thisX500Name.getRFC2253Name();
} else if (format.equalsIgnoreCase(CANONICAL)) {
return thisX500Name.getRFC2253CanonicalName();
}
}
throw new IllegalArgumentException("invalid format specified");
```
That is why I wrapped the Exception so it would remain compatable which existing behavour. Since that has not changed there is nothing to test as far as I can see.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] free-ice commented on a change in pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
free-ice commented on a change in pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41#discussion_r717611144
##########
File path: ws-security-common/src/test/java/org/apache/wss4j/common/util/CommaDelimiterRfc2253NameTest.java
##########
@@ -0,0 +1,151 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.common.util;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+import javax.security.auth.x500.X500Principal;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.PKIXParameters;
+import java.security.cert.TrustAnchor;
+import java.security.cert.X509Certificate;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+class CommaDelimiterRfc2253NameTest {
+
+ private static final String TYPICAL_CA ="CN=Entrust Certification Authority - L1K,OU=(c) 2012 Entrust\\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\\, Inc.,C=US";
+ private static final String QUOTES_TYPICAL_CA ="CN=Entrust Certification Authority - L1K, OU=\"(c) 2012 Entrust, Inc. - for authorized use only\", OU=See www.entrust.net/legal-terms, O=\"Entrust, Inc.\", C=US";
+
+ private CommaDelimiterRfc2253Name subject = new CommaDelimiterRfc2253Name();
+
+
+ @Test
+ void whenMultipleAttributesArePresentThenSpaceIsPlacedAfterComma() {
+ String actual = new CommaDelimiterRfc2253Name().execute("CN=EOIR,OU=Some Unit,DC=Another place");
+ assertEquals("CN=EOIR, OU=Some Unit, DC=Another place",actual);
+ }
+ @Test
+ void whenRdnContainsACommaThenTheRdnIsSurroundedByDoubleQuotes() {
+ String actual = new CommaDelimiterRfc2253Name().execute(TYPICAL_CA);
+ assertEquals(QUOTES_TYPICAL_CA,actual);
+ }
+
+ @Test
+ void whenRdnIsInvalidThenExpectException() {
+ Assertions.assertThrows(IllegalArgumentException.class, () -> {
+ subject.execute("invalid");
+ });
+ }
+
+
+ @Test
+ void whenCallingUnescapeWithStringNoEscapesThenNoChangesAreMade() throws Exception {
+ String input = "This is a string with (c) no escaped! sStrings $";
+ String actual = subject.unEscapeRfc2253RdnSubPart(input);
+ assertEquals(input,actual,"Expect that string is unchanged");
+ }
+
+
+ @Test
+ void whenCallingUnescapeWithStringThenItUnescapesAppropiateCharacters() throws Exception {
+ String input = "This is a string with escapes \\,\\; \\\\ and \\< then \\> \\\"Copyright Apache\\\" ";
+ String expected = "This is a string with escapes ,; \\ and < then > \"Copyright Apache\" ";
+ String actual = subject.unEscapeRfc2253RdnSubPart(input);
+ assertEquals(expected,actual,"Expect that string is unescaped");
+ }
+
+
+ @Test
+ void whenCallingUnescapeWithStringWithMultiValueRdnThenItUnescapesAppropriateCharacters() throws Exception {
+ String input = "OU=Sales\\+CN=J. Smith\\,O=Widget Inc.\\,C=US";
+ String expected = "OU=Sales+CN=J. Smith,O=Widget Inc.,C=US";
+ String actual = subject.unEscapeRfc2253RdnSubPart(input);
+ assertEquals(expected,actual,"Expect that string is unescaped");
+ }
+
+ @Test
+ public void testThatACommaDelimitedDnStringAndABackSlashEscapedDnProducesTheSameX509PrincipalUsingDefaultTruststore()
+ throws KeyStoreException, InvalidAlgorithmParameterException, CertificateException, NoSuchAlgorithmException, IOException {
+ KeyStore keystore = loadDefaultKeyStore();
+ assertAllCaTransformsAreEquivalent(keystore);
+ }
+
+ @Test
+ public void testThatACommaDelimitedDnStringAndABackSlashEscapedDnProducesTheSameX509Principal()
+ throws KeyStoreException, InvalidAlgorithmParameterException, CertificateException, NoSuchAlgorithmException, IOException {
+ KeyStore keystore = loadKeyStore("keys/cacerts-openjdk.jks", "changeit");
Review comment:
Done
##########
File path: ws-security-dom/src/main/java/org/apache/wss4j/dom/WSConstants.java
##########
@@ -319,9 +323,31 @@
*/
public static final int ENDPOINT_KEY_IDENTIFIER = 14;
+
+ /**
+ *Sets the {@link org.apache.wss4j.dom.message.WSSecSignature#build(Crypto)}
+ * or the {@link org.apache.wss4j.dom.message.WSSecEncrypt#build(Crypto, SecretKey)}
+ * method to send the issuer name and the serial number of a certificate to
+ *the receiver.
Review comment:
👍
##########
File path: ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandlerConstants.java
##########
@@ -87,6 +87,8 @@ private WSHandlerConstants() {
* </li>
* <li><code>IssuerSerial</code> for {@link WSConstants#ISSUER_SERIAL}
* </li>
+ * <li><code>IssuerSerial</code> for {@link WSConstants#ISSUER_SERIAL_QUOTE_FORMAT}
Review comment:
👍
##########
File path: ws-security-dom/src/main/java/org/apache/wss4j/dom/WSConstants.java
##########
@@ -191,17 +191,21 @@
/**
* Sets the {@link
- * org.apache.wss4j.dom.message.WSSecSignature#build(Document, Crypto, WSSecHeader)
- * } or the {@link
- * org.apache.wss4j.dom.message.WSSecEncrypt#build(Document, Crypto, WSSecHeader)
+ *org.apache.wss4j.dom.message.WSSecSignature#build(Crypto)
+ *} or the {@link
+ *org.apache.wss4j.dom.message.WSSecEncrypt#build(Crypto, SecretKey)
* } method to send the issuer name and the serial number of a certificate to
* the receiver.
* <p/>
* In contrast to {@link #BST_DIRECT_REFERENCE} only the issuer name
* and the serial number of the signing certificate are sent to the
* receiver. This reduces the amount of data being sent. The encryption
* method uses the public key associated with this certificate to encrypt
- * the symmetric key used to encrypt data.
+ * the symmetric key used to encrypt data.
+ * The name format will
+ * delimit unicode characters with a '\' which is not compatible with Microsoft's WCF stack.
Review comment:
👍
##########
File path: ws-security-dom/src/main/java/org/apache/wss4j/dom/WSConstants.java
##########
@@ -319,9 +323,31 @@
*/
public static final int ENDPOINT_KEY_IDENTIFIER = 14;
+
+ /**
+ *Sets the {@link org.apache.wss4j.dom.message.WSSecSignature#build(Crypto)}
+ * or the {@link org.apache.wss4j.dom.message.WSSecEncrypt#build(Crypto, SecretKey)}
+ * method to send the issuer name and the serial number of a certificate to
+ *the receiver.
Review comment:
👍
##########
File path: ws-security-dom/src/main/java/org/apache/wss4j/dom/WSConstants.java
##########
@@ -191,17 +191,21 @@
/**
* Sets the {@link
- * org.apache.wss4j.dom.message.WSSecSignature#build(Document, Crypto, WSSecHeader)
- * } or the {@link
- * org.apache.wss4j.dom.message.WSSecEncrypt#build(Document, Crypto, WSSecHeader)
+ *org.apache.wss4j.dom.message.WSSecSignature#build(Crypto)
+ *} or the {@link
+ *org.apache.wss4j.dom.message.WSSecEncrypt#build(Crypto, SecretKey)
* } method to send the issuer name and the serial number of a certificate to
* the receiver.
* <p/>
* In contrast to {@link #BST_DIRECT_REFERENCE} only the issuer name
* and the serial number of the signing certificate are sent to the
* receiver. This reduces the amount of data being sent. The encryption
* method uses the public key associated with this certificate to encrypt
- * the symmetric key used to encrypt data.
+ * the symmetric key used to encrypt data.
+ * The name format will
+ * delimit unicode characters with a '\' which is not compatible with Microsoft's WCF stack.
Review comment:
Done
##########
File path: ws-security-dom/src/main/java/org/apache/wss4j/dom/WSConstants.java
##########
@@ -319,9 +323,31 @@
*/
public static final int ENDPOINT_KEY_IDENTIFIER = 14;
+
+ /**
+ *Sets the {@link org.apache.wss4j.dom.message.WSSecSignature#build(Crypto)}
+ * or the {@link org.apache.wss4j.dom.message.WSSecEncrypt#build(Crypto, SecretKey)}
+ * method to send the issuer name and the serial number of a certificate to
+ *the receiver.
Review comment:
Done
##########
File path: ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandlerConstants.java
##########
@@ -87,6 +87,8 @@ private WSHandlerConstants() {
* </li>
* <li><code>IssuerSerial</code> for {@link WSConstants#ISSUER_SERIAL}
* </li>
+ * <li><code>IssuerSerial</code> for {@link WSConstants#ISSUER_SERIAL_QUOTE_FORMAT}
Review comment:
Done
##########
File path: ws-security-common/src/main/java/org/apache/wss4j/common/util/CommaDelimiterRfc2253Name.java
##########
@@ -0,0 +1,106 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.common.util;
+
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+import java.util.List;
+
+/**
+ * Convert a RFC 2253 String using \ to escape unicode characters into one that is compatible
+ * with Microsoft's WFC and Java.<p><br>
+ *
+ * <strong>Detail:</strong>
+ * Converts a string in RFC2253 format and replaces \ escaped characters with a string quoted representation.
+ * It also places a space before the next RDN. <p> <br>
+ * There are two alternate ways an RFC 2253 RDN can escape unicode characters, either with '\'
+ * or by using quotes. Java seems to recognize both formats but Microsoft's WFC only seems to recognize quotes.
+ * Since implementations may escape any characters and string is already in valid format no knowledge is
+ * required of escapable characters.
+ */
+public class CommaDelimiterRfc2253Name {
+
+ /**
+ * Return rfs2253String that delimits using quotes
+ *
+ * @param rfs2253String a string in rfc 2253 format using a \ as delimiter.
+ * @return Rdn in quoted form if required.
+ */
+ public String execute(String rfs2253String) {
+ StringBuilder commaDNBuilder = new StringBuilder();
+ try {
+ LdapName ldapname = new LdapName(rfs2253String);
+ List<Rdn> rdns = ldapname.getRdns();
+
+ for (int i = rdns.size() - 1; i >= 0; i--) {
+ Rdn rdn = rdns.get(i);
+ String rdnString = rdn.toString();
+ String appendString;
+ if (requiresDoubleQuoting(rdnString)) {
+ appendString = convertToDoubleQuotes(rdnString);
+ } else {
+ appendString = rdnString;
+ }
+ if (i == rdns.size() - 1) {
+ commaDNBuilder.append(appendString);
+ } else {
+ commaDNBuilder.append(", ").append(appendString);
+ }
+ }
+ } catch (InvalidNameException e) {
+ throw new IllegalArgumentException(" The distinguished name cannot be parsed : " + rfs2253String);
Review comment:
The execute() method throws the same exception as the X509Principal.getName() so from an possible thrown Exception prespective that has not changed.
##########
File path: ws-security-common/src/main/java/org/apache/wss4j/common/util/CommaDelimiterRfc2253Name.java
##########
@@ -0,0 +1,106 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.common.util;
+
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+import java.util.List;
+
+/**
+ * Convert a RFC 2253 String using \ to escape unicode characters into one that is compatible
+ * with Microsoft's WFC and Java.<p><br>
+ *
+ * <strong>Detail:</strong>
+ * Converts a string in RFC2253 format and replaces \ escaped characters with a string quoted representation.
+ * It also places a space before the next RDN. <p> <br>
+ * There are two alternate ways an RFC 2253 RDN can escape unicode characters, either with '\'
+ * or by using quotes. Java seems to recognize both formats but Microsoft's WFC only seems to recognize quotes.
+ * Since implementations may escape any characters and string is already in valid format no knowledge is
+ * required of escapable characters.
+ */
+public class CommaDelimiterRfc2253Name {
+
+ /**
+ * Return rfs2253String that delimits using quotes
+ *
+ * @param rfs2253String a string in rfc 2253 format using a \ as delimiter.
+ * @return Rdn in quoted form if required.
+ */
+ public String execute(String rfs2253String) {
+ StringBuilder commaDNBuilder = new StringBuilder();
+ try {
+ LdapName ldapname = new LdapName(rfs2253String);
+ List<Rdn> rdns = ldapname.getRdns();
+
+ for (int i = rdns.size() - 1; i >= 0; i--) {
+ Rdn rdn = rdns.get(i);
+ String rdnString = rdn.toString();
+ String appendString;
+ if (requiresDoubleQuoting(rdnString)) {
+ appendString = convertToDoubleQuotes(rdnString);
+ } else {
+ appendString = rdnString;
+ }
+ if (i == rdns.size() - 1) {
+ commaDNBuilder.append(appendString);
+ } else {
+ commaDNBuilder.append(", ").append(appendString);
+ }
+ }
+ } catch (InvalidNameException e) {
+ throw new IllegalArgumentException(" The distinguished name cannot be parsed : " + rfs2253String);
Review comment:
The execute() method throws the same exception as the X500Principal.getName() so from an possible thrown Exception prespective that has not changed.
##########
File path: ws-security-common/src/main/java/org/apache/wss4j/common/util/CommaDelimiterRfc2253Name.java
##########
@@ -0,0 +1,106 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.common.util;
+
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+import java.util.List;
+
+/**
+ * Convert a RFC 2253 String using \ to escape unicode characters into one that is compatible
+ * with Microsoft's WFC and Java.<p><br>
+ *
+ * <strong>Detail:</strong>
+ * Converts a string in RFC2253 format and replaces \ escaped characters with a string quoted representation.
+ * It also places a space before the next RDN. <p> <br>
+ * There are two alternate ways an RFC 2253 RDN can escape unicode characters, either with '\'
+ * or by using quotes. Java seems to recognize both formats but Microsoft's WFC only seems to recognize quotes.
+ * Since implementations may escape any characters and string is already in valid format no knowledge is
+ * required of escapable characters.
+ */
+public class CommaDelimiterRfc2253Name {
+
+ /**
+ * Return rfs2253String that delimits using quotes
+ *
+ * @param rfs2253String a string in rfc 2253 format using a \ as delimiter.
+ * @return Rdn in quoted form if required.
+ */
+ public String execute(String rfs2253String) {
+ StringBuilder commaDNBuilder = new StringBuilder();
+ try {
+ LdapName ldapname = new LdapName(rfs2253String);
+ List<Rdn> rdns = ldapname.getRdns();
+
+ for (int i = rdns.size() - 1; i >= 0; i--) {
+ Rdn rdn = rdns.get(i);
+ String rdnString = rdn.toString();
+ String appendString;
+ if (requiresDoubleQuoting(rdnString)) {
+ appendString = convertToDoubleQuotes(rdnString);
+ } else {
+ appendString = rdnString;
+ }
+ if (i == rdns.size() - 1) {
+ commaDNBuilder.append(appendString);
+ } else {
+ commaDNBuilder.append(", ").append(appendString);
+ }
+ }
+ } catch (InvalidNameException e) {
+ throw new IllegalArgumentException(" The distinguished name cannot be parsed : " + rfs2253String);
Review comment:
The execute() method throws the same exception as the X500Principal.getName() so from an possible thrown Exception prespective that has not changed.
From JDK 11:
```
public String getName(String format) {
if (format != null) {
if (format.equalsIgnoreCase(RFC1779)) {
return thisX500Name.getRFC1779Name();
} else if (format.equalsIgnoreCase(RFC2253)) {
return thisX500Name.getRFC2253Name();
} else if (format.equalsIgnoreCase(CANONICAL)) {
return thisX500Name.getRFC2253CanonicalName();
}
}
throw new IllegalArgumentException("invalid format specified");
}
```
##########
File path: ws-security-common/src/main/java/org/apache/wss4j/common/util/CommaDelimiterRfc2253Name.java
##########
@@ -0,0 +1,106 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.common.util;
+
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+import java.util.List;
+
+/**
+ * Convert a RFC 2253 String using \ to escape unicode characters into one that is compatible
+ * with Microsoft's WFC and Java.<p><br>
+ *
+ * <strong>Detail:</strong>
+ * Converts a string in RFC2253 format and replaces \ escaped characters with a string quoted representation.
+ * It also places a space before the next RDN. <p> <br>
+ * There are two alternate ways an RFC 2253 RDN can escape unicode characters, either with '\'
+ * or by using quotes. Java seems to recognize both formats but Microsoft's WFC only seems to recognize quotes.
+ * Since implementations may escape any characters and string is already in valid format no knowledge is
+ * required of escapable characters.
+ */
+public class CommaDelimiterRfc2253Name {
+
+ /**
+ * Return rfs2253String that delimits using quotes
+ *
+ * @param rfs2253String a string in rfc 2253 format using a \ as delimiter.
+ * @return Rdn in quoted form if required.
+ */
+ public String execute(String rfs2253String) {
+ StringBuilder commaDNBuilder = new StringBuilder();
+ try {
+ LdapName ldapname = new LdapName(rfs2253String);
+ List<Rdn> rdns = ldapname.getRdns();
+
+ for (int i = rdns.size() - 1; i >= 0; i--) {
+ Rdn rdn = rdns.get(i);
+ String rdnString = rdn.toString();
+ String appendString;
+ if (requiresDoubleQuoting(rdnString)) {
+ appendString = convertToDoubleQuotes(rdnString);
+ } else {
+ appendString = rdnString;
+ }
+ if (i == rdns.size() - 1) {
+ commaDNBuilder.append(appendString);
+ } else {
+ commaDNBuilder.append(", ").append(appendString);
+ }
+ }
+ } catch (InvalidNameException e) {
+ throw new IllegalArgumentException(" The distinguished name cannot be parsed : " + rfs2253String);
Review comment:
The execute() method throws the same exception as the X500Principal.getName() so from an possible thrown Exception prespective that has not changed.
From JDK 11:
```
public String getName(String format) {
if (format != null) {
if (format.equalsIgnoreCase(RFC1779)) {
return thisX500Name.getRFC1779Name();
} else if (format.equalsIgnoreCase(RFC2253)) {
return thisX500Name.getRFC2253Name();
} else if (format.equalsIgnoreCase(CANONICAL)) {
return thisX500Name.getRFC2253CanonicalName();
}
}
throw new IllegalArgumentException("invalid format specified");
```
That is why I wrapped the Exception so it woudl remain compatable which existing behavour. Since that has not changed there is nothing to test as far as I can see,
##########
File path: ws-security-common/src/main/java/org/apache/wss4j/common/util/CommaDelimiterRfc2253Name.java
##########
@@ -0,0 +1,106 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.common.util;
+
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+import java.util.List;
+
+/**
+ * Convert a RFC 2253 String using \ to escape unicode characters into one that is compatible
+ * with Microsoft's WFC and Java.<p><br>
+ *
+ * <strong>Detail:</strong>
+ * Converts a string in RFC2253 format and replaces \ escaped characters with a string quoted representation.
+ * It also places a space before the next RDN. <p> <br>
+ * There are two alternate ways an RFC 2253 RDN can escape unicode characters, either with '\'
+ * or by using quotes. Java seems to recognize both formats but Microsoft's WFC only seems to recognize quotes.
+ * Since implementations may escape any characters and string is already in valid format no knowledge is
+ * required of escapable characters.
+ */
+public class CommaDelimiterRfc2253Name {
+
+ /**
+ * Return rfs2253String that delimits using quotes
+ *
+ * @param rfs2253String a string in rfc 2253 format using a \ as delimiter.
+ * @return Rdn in quoted form if required.
+ */
+ public String execute(String rfs2253String) {
+ StringBuilder commaDNBuilder = new StringBuilder();
+ try {
+ LdapName ldapname = new LdapName(rfs2253String);
+ List<Rdn> rdns = ldapname.getRdns();
+
+ for (int i = rdns.size() - 1; i >= 0; i--) {
+ Rdn rdn = rdns.get(i);
+ String rdnString = rdn.toString();
+ String appendString;
+ if (requiresDoubleQuoting(rdnString)) {
+ appendString = convertToDoubleQuotes(rdnString);
+ } else {
+ appendString = rdnString;
+ }
+ if (i == rdns.size() - 1) {
+ commaDNBuilder.append(appendString);
+ } else {
+ commaDNBuilder.append(", ").append(appendString);
+ }
+ }
+ } catch (InvalidNameException e) {
+ throw new IllegalArgumentException(" The distinguished name cannot be parsed : " + rfs2253String);
Review comment:
The execute() method throws the same exception as the X500Principal.getName() so from an possible thrown Exception prespective that has not changed.
From JDK 11:
```
public String getName(String format) {
if (format != null) {
if (format.equalsIgnoreCase(RFC1779)) {
return thisX500Name.getRFC1779Name();
} else if (format.equalsIgnoreCase(RFC2253)) {
return thisX500Name.getRFC2253Name();
} else if (format.equalsIgnoreCase(CANONICAL)) {
return thisX500Name.getRFC2253CanonicalName();
}
}
throw new IllegalArgumentException("invalid format specified");
```
That is why I wrapped the Exception so it would remain compatable which existing behavour. Since that has not changed there is nothing to test as far as I can see.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] free-ice edited a comment on pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
free-ice edited a comment on pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41#issuecomment-929295253
It Looks like the comment about handling exception was removed, or at least I don't see it now ?
The execute() method throws the same exception as the X509Principal.getName() so from an Exception prespective that has not changed. If you want to to still make a change or add a test for this let me know.
All other comments have been addressed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] free-ice commented on a change in pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
free-ice commented on a change in pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41#discussion_r717710678
##########
File path: ws-security-common/src/main/java/org/apache/wss4j/common/util/CommaDelimiterRfc2253Name.java
##########
@@ -0,0 +1,106 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.common.util;
+
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+import java.util.List;
+
+/**
+ * Convert a RFC 2253 String using \ to escape unicode characters into one that is compatible
+ * with Microsoft's WFC and Java.<p><br>
+ *
+ * <strong>Detail:</strong>
+ * Converts a string in RFC2253 format and replaces \ escaped characters with a string quoted representation.
+ * It also places a space before the next RDN. <p> <br>
+ * There are two alternate ways an RFC 2253 RDN can escape unicode characters, either with '\'
+ * or by using quotes. Java seems to recognize both formats but Microsoft's WFC only seems to recognize quotes.
+ * Since implementations may escape any characters and string is already in valid format no knowledge is
+ * required of escapable characters.
+ */
+public class CommaDelimiterRfc2253Name {
+
+ /**
+ * Return rfs2253String that delimits using quotes
+ *
+ * @param rfs2253String a string in rfc 2253 format using a \ as delimiter.
+ * @return Rdn in quoted form if required.
+ */
+ public String execute(String rfs2253String) {
+ StringBuilder commaDNBuilder = new StringBuilder();
+ try {
+ LdapName ldapname = new LdapName(rfs2253String);
+ List<Rdn> rdns = ldapname.getRdns();
+
+ for (int i = rdns.size() - 1; i >= 0; i--) {
+ Rdn rdn = rdns.get(i);
+ String rdnString = rdn.toString();
+ String appendString;
+ if (requiresDoubleQuoting(rdnString)) {
+ appendString = convertToDoubleQuotes(rdnString);
+ } else {
+ appendString = rdnString;
+ }
+ if (i == rdns.size() - 1) {
+ commaDNBuilder.append(appendString);
+ } else {
+ commaDNBuilder.append(", ").append(appendString);
+ }
+ }
+ } catch (InvalidNameException e) {
+ throw new IllegalArgumentException(" The distinguished name cannot be parsed : " + rfs2253String);
Review comment:
The execute() method throws the same exception as the X509Principal.getName() so from an possible thrown Exception prespective that has not changed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] free-ice commented on a change in pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
free-ice commented on a change in pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41#discussion_r717645145
##########
File path: ws-security-dom/src/main/java/org/apache/wss4j/dom/WSConstants.java
##########
@@ -191,17 +191,21 @@
/**
* Sets the {@link
- * org.apache.wss4j.dom.message.WSSecSignature#build(Document, Crypto, WSSecHeader)
- * } or the {@link
- * org.apache.wss4j.dom.message.WSSecEncrypt#build(Document, Crypto, WSSecHeader)
+ *org.apache.wss4j.dom.message.WSSecSignature#build(Crypto)
+ *} or the {@link
+ *org.apache.wss4j.dom.message.WSSecEncrypt#build(Crypto, SecretKey)
* } method to send the issuer name and the serial number of a certificate to
* the receiver.
* <p/>
* In contrast to {@link #BST_DIRECT_REFERENCE} only the issuer name
* and the serial number of the signing certificate are sent to the
* receiver. This reduces the amount of data being sent. The encryption
* method uses the public key associated with this certificate to encrypt
- * the symmetric key used to encrypt data.
+ * the symmetric key used to encrypt data.
+ * The name format will
+ * delimit unicode characters with a '\' which is not compatible with Microsoft's WCF stack.
Review comment:
Done
##########
File path: ws-security-dom/src/main/java/org/apache/wss4j/dom/WSConstants.java
##########
@@ -319,9 +323,31 @@
*/
public static final int ENDPOINT_KEY_IDENTIFIER = 14;
+
+ /**
+ *Sets the {@link org.apache.wss4j.dom.message.WSSecSignature#build(Crypto)}
+ * or the {@link org.apache.wss4j.dom.message.WSSecEncrypt#build(Crypto, SecretKey)}
+ * method to send the issuer name and the serial number of a certificate to
+ *the receiver.
Review comment:
Done
##########
File path: ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandlerConstants.java
##########
@@ -87,6 +87,8 @@ private WSHandlerConstants() {
* </li>
* <li><code>IssuerSerial</code> for {@link WSConstants#ISSUER_SERIAL}
* </li>
+ * <li><code>IssuerSerial</code> for {@link WSConstants#ISSUER_SERIAL_QUOTE_FORMAT}
Review comment:
Done
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] free-ice commented on a change in pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
free-ice commented on a change in pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41#discussion_r717710678
##########
File path: ws-security-common/src/main/java/org/apache/wss4j/common/util/CommaDelimiterRfc2253Name.java
##########
@@ -0,0 +1,106 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.common.util;
+
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+import java.util.List;
+
+/**
+ * Convert a RFC 2253 String using \ to escape unicode characters into one that is compatible
+ * with Microsoft's WFC and Java.<p><br>
+ *
+ * <strong>Detail:</strong>
+ * Converts a string in RFC2253 format and replaces \ escaped characters with a string quoted representation.
+ * It also places a space before the next RDN. <p> <br>
+ * There are two alternate ways an RFC 2253 RDN can escape unicode characters, either with '\'
+ * or by using quotes. Java seems to recognize both formats but Microsoft's WFC only seems to recognize quotes.
+ * Since implementations may escape any characters and string is already in valid format no knowledge is
+ * required of escapable characters.
+ */
+public class CommaDelimiterRfc2253Name {
+
+ /**
+ * Return rfs2253String that delimits using quotes
+ *
+ * @param rfs2253String a string in rfc 2253 format using a \ as delimiter.
+ * @return Rdn in quoted form if required.
+ */
+ public String execute(String rfs2253String) {
+ StringBuilder commaDNBuilder = new StringBuilder();
+ try {
+ LdapName ldapname = new LdapName(rfs2253String);
+ List<Rdn> rdns = ldapname.getRdns();
+
+ for (int i = rdns.size() - 1; i >= 0; i--) {
+ Rdn rdn = rdns.get(i);
+ String rdnString = rdn.toString();
+ String appendString;
+ if (requiresDoubleQuoting(rdnString)) {
+ appendString = convertToDoubleQuotes(rdnString);
+ } else {
+ appendString = rdnString;
+ }
+ if (i == rdns.size() - 1) {
+ commaDNBuilder.append(appendString);
+ } else {
+ commaDNBuilder.append(", ").append(appendString);
+ }
+ }
+ } catch (InvalidNameException e) {
+ throw new IllegalArgumentException(" The distinguished name cannot be parsed : " + rfs2253String);
Review comment:
The execute() method throws the same exception as the X500Principal.getName() so from an possible thrown Exception prespective that has not changed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] coheigea commented on a change in pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
coheigea commented on a change in pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41#discussion_r717319663
##########
File path: ws-security-common/src/main/java/org/apache/wss4j/common/util/CommaDelimiterRfc2253Name.java
##########
@@ -0,0 +1,106 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.common.util;
+
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+import java.util.List;
+
+/**
+ * Convert a RFC 2253 String using \ to escape unicode characters into one that is compatible
+ * with Microsoft's WFC and Java.<p><br>
+ *
+ * <strong>Detail:</strong>
+ * Converts a string in RFC2253 format and replaces \ escaped characters with a string quoted representation.
+ * It also places a space before the next RDN. <p> <br>
+ * There are two alternate ways an RFC 2253 RDN can escape unicode characters, either with '\'
+ * or by using quotes. Java seems to recognize both formats but Microsoft's WFC only seems to recognize quotes.
+ * Since implementations may escape any characters and string is already in valid format no knowledge is
+ * required of escapable characters.
+ */
+public class CommaDelimiterRfc2253Name {
+
+ /**
+ * Return rfs2253String that delimits using quotes
+ *
+ * @param rfs2253String a string in rfc 2253 format using a \ as delimiter.
+ * @return Rdn in quoted form if required.
+ */
+ public String execute(String rfs2253String) {
+ StringBuilder commaDNBuilder = new StringBuilder();
+ try {
+ LdapName ldapname = new LdapName(rfs2253String);
+ List<Rdn> rdns = ldapname.getRdns();
+
+ for (int i = rdns.size() - 1; i >= 0; i--) {
+ Rdn rdn = rdns.get(i);
+ String rdnString = rdn.toString();
+ String appendString;
+ if (requiresDoubleQuoting(rdnString)) {
+ appendString = convertToDoubleQuotes(rdnString);
+ } else {
+ appendString = rdnString;
+ }
+ if (i == rdns.size() - 1) {
+ commaDNBuilder.append(appendString);
+ } else {
+ commaDNBuilder.append(", ").append(appendString);
+ }
+ }
+ } catch (InvalidNameException e) {
+ throw new IllegalArgumentException(" The distinguished name cannot be parsed : " + rfs2253String);
Review comment:
We need to make sure this runtime exception is caught and handled properly in the calling code.
##########
File path: ws-security-common/src/test/java/org/apache/wss4j/common/util/CommaDelimiterRfc2253NameTest.java
##########
@@ -0,0 +1,151 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.common.util;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+import javax.security.auth.x500.X500Principal;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.PKIXParameters;
+import java.security.cert.TrustAnchor;
+import java.security.cert.X509Certificate;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+class CommaDelimiterRfc2253NameTest {
+
+ private static final String TYPICAL_CA ="CN=Entrust Certification Authority - L1K,OU=(c) 2012 Entrust\\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\\, Inc.,C=US";
+ private static final String QUOTES_TYPICAL_CA ="CN=Entrust Certification Authority - L1K, OU=\"(c) 2012 Entrust, Inc. - for authorized use only\", OU=See www.entrust.net/legal-terms, O=\"Entrust, Inc.\", C=US";
+
+ private CommaDelimiterRfc2253Name subject = new CommaDelimiterRfc2253Name();
+
+
+ @Test
+ void whenMultipleAttributesArePresentThenSpaceIsPlacedAfterComma() {
+ String actual = new CommaDelimiterRfc2253Name().execute("CN=EOIR,OU=Some Unit,DC=Another place");
+ assertEquals("CN=EOIR, OU=Some Unit, DC=Another place",actual);
+ }
+ @Test
+ void whenRdnContainsACommaThenTheRdnIsSurroundedByDoubleQuotes() {
+ String actual = new CommaDelimiterRfc2253Name().execute(TYPICAL_CA);
+ assertEquals(QUOTES_TYPICAL_CA,actual);
+ }
+
+ @Test
+ void whenRdnIsInvalidThenExpectException() {
+ Assertions.assertThrows(IllegalArgumentException.class, () -> {
+ subject.execute("invalid");
+ });
+ }
+
+
+ @Test
+ void whenCallingUnescapeWithStringNoEscapesThenNoChangesAreMade() throws Exception {
+ String input = "This is a string with (c) no escaped! sStrings $";
+ String actual = subject.unEscapeRfc2253RdnSubPart(input);
+ assertEquals(input,actual,"Expect that string is unchanged");
+ }
+
+
+ @Test
+ void whenCallingUnescapeWithStringThenItUnescapesAppropiateCharacters() throws Exception {
+ String input = "This is a string with escapes \\,\\; \\\\ and \\< then \\> \\\"Copyright Apache\\\" ";
+ String expected = "This is a string with escapes ,; \\ and < then > \"Copyright Apache\" ";
+ String actual = subject.unEscapeRfc2253RdnSubPart(input);
+ assertEquals(expected,actual,"Expect that string is unescaped");
+ }
+
+
+ @Test
+ void whenCallingUnescapeWithStringWithMultiValueRdnThenItUnescapesAppropriateCharacters() throws Exception {
+ String input = "OU=Sales\\+CN=J. Smith\\,O=Widget Inc.\\,C=US";
+ String expected = "OU=Sales+CN=J. Smith,O=Widget Inc.,C=US";
+ String actual = subject.unEscapeRfc2253RdnSubPart(input);
+ assertEquals(expected,actual,"Expect that string is unescaped");
+ }
+
+ @Test
+ public void testThatACommaDelimitedDnStringAndABackSlashEscapedDnProducesTheSameX509PrincipalUsingDefaultTruststore()
+ throws KeyStoreException, InvalidAlgorithmParameterException, CertificateException, NoSuchAlgorithmException, IOException {
+ KeyStore keystore = loadDefaultKeyStore();
+ assertAllCaTransformsAreEquivalent(keystore);
+ }
+
+ @Test
+ public void testThatACommaDelimitedDnStringAndABackSlashEscapedDnProducesTheSameX509Principal()
+ throws KeyStoreException, InvalidAlgorithmParameterException, CertificateException, NoSuchAlgorithmException, IOException {
+ KeyStore keystore = loadKeyStore("keys/cacerts-openjdk.jks", "changeit");
Review comment:
Can we remove this test? We can't put the cacerts into source control due to licensing issues.
##########
File path: ws-security-policy-stax/pom.xml
##########
@@ -52,6 +52,13 @@
<scope>compile</scope>
<optional>true</optional>
</dependency>
+ <dependency>
+ <groupId>org.apache.wss4j</groupId>
+ <artifactId>wss4j-ws-security-common</artifactId>
+ <version>${project.version}</version>
+ <classifier>tests</classifier>
+ <scope>test</scope>
+ </dependency>
Review comment:
This change is not needed.
##########
File path: ws-security-dom/src/main/java/org/apache/wss4j/dom/WSConstants.java
##########
@@ -191,17 +191,21 @@
/**
* Sets the {@link
- * org.apache.wss4j.dom.message.WSSecSignature#build(Document, Crypto, WSSecHeader)
- * } or the {@link
- * org.apache.wss4j.dom.message.WSSecEncrypt#build(Document, Crypto, WSSecHeader)
+ *org.apache.wss4j.dom.message.WSSecSignature#build(Crypto)
+ *} or the {@link
+ *org.apache.wss4j.dom.message.WSSecEncrypt#build(Crypto, SecretKey)
* } method to send the issuer name and the serial number of a certificate to
* the receiver.
* <p/>
* In contrast to {@link #BST_DIRECT_REFERENCE} only the issuer name
* and the serial number of the signing certificate are sent to the
* receiver. This reduces the amount of data being sent. The encryption
* method uses the public key associated with this certificate to encrypt
- * the symmetric key used to encrypt data.
+ * the symmetric key used to encrypt data.
+ * The name format will
+ * delimit unicode characters with a '\' which is not compatible with Microsoft's WCF stack.
Review comment:
Can we merge these two lines?
##########
File path: ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandlerConstants.java
##########
@@ -87,6 +87,8 @@ private WSHandlerConstants() {
* </li>
* <li><code>IssuerSerial</code> for {@link WSConstants#ISSUER_SERIAL}
* </li>
+ * <li><code>IssuerSerial</code> for {@link WSConstants#ISSUER_SERIAL_QUOTE_FORMAT}
Review comment:
Should be IssuerSerialQuoteFormat here
##########
File path: ws-security-dom/src/main/java/org/apache/wss4j/dom/WSConstants.java
##########
@@ -319,9 +323,31 @@
*/
public static final int ENDPOINT_KEY_IDENTIFIER = 14;
+
+ /**
+ *Sets the {@link org.apache.wss4j.dom.message.WSSecSignature#build(Crypto)}
+ * or the {@link org.apache.wss4j.dom.message.WSSecEncrypt#build(Crypto, SecretKey)}
+ * method to send the issuer name and the serial number of a certificate to
+ *the receiver.
Review comment:
Merge this with the previous line
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] free-ice commented on pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
free-ice commented on pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41#issuecomment-929295253
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] free-ice commented on pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
free-ice commented on pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41#issuecomment-926803045
@coheigea Sorry about noise, rebased change has been tested against two systems , (spring-ws) didn't require and update afterall since string was passed (Flexiable interface design!).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] free-ice commented on a change in pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
free-ice commented on a change in pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41#discussion_r717710678
##########
File path: ws-security-common/src/main/java/org/apache/wss4j/common/util/CommaDelimiterRfc2253Name.java
##########
@@ -0,0 +1,106 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.common.util;
+
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+import java.util.List;
+
+/**
+ * Convert a RFC 2253 String using \ to escape unicode characters into one that is compatible
+ * with Microsoft's WFC and Java.<p><br>
+ *
+ * <strong>Detail:</strong>
+ * Converts a string in RFC2253 format and replaces \ escaped characters with a string quoted representation.
+ * It also places a space before the next RDN. <p> <br>
+ * There are two alternate ways an RFC 2253 RDN can escape unicode characters, either with '\'
+ * or by using quotes. Java seems to recognize both formats but Microsoft's WFC only seems to recognize quotes.
+ * Since implementations may escape any characters and string is already in valid format no knowledge is
+ * required of escapable characters.
+ */
+public class CommaDelimiterRfc2253Name {
+
+ /**
+ * Return rfs2253String that delimits using quotes
+ *
+ * @param rfs2253String a string in rfc 2253 format using a \ as delimiter.
+ * @return Rdn in quoted form if required.
+ */
+ public String execute(String rfs2253String) {
+ StringBuilder commaDNBuilder = new StringBuilder();
+ try {
+ LdapName ldapname = new LdapName(rfs2253String);
+ List<Rdn> rdns = ldapname.getRdns();
+
+ for (int i = rdns.size() - 1; i >= 0; i--) {
+ Rdn rdn = rdns.get(i);
+ String rdnString = rdn.toString();
+ String appendString;
+ if (requiresDoubleQuoting(rdnString)) {
+ appendString = convertToDoubleQuotes(rdnString);
+ } else {
+ appendString = rdnString;
+ }
+ if (i == rdns.size() - 1) {
+ commaDNBuilder.append(appendString);
+ } else {
+ commaDNBuilder.append(", ").append(appendString);
+ }
+ }
+ } catch (InvalidNameException e) {
+ throw new IllegalArgumentException(" The distinguished name cannot be parsed : " + rfs2253String);
Review comment:
The execute() method throws the same exception as the X500Principal.getName() so from an possible thrown Exception prespective that has not changed.
From JDK 11:
```
public String getName(String format) {
if (format != null) {
if (format.equalsIgnoreCase(RFC1779)) {
return thisX500Name.getRFC1779Name();
} else if (format.equalsIgnoreCase(RFC2253)) {
return thisX500Name.getRFC2253Name();
} else if (format.equalsIgnoreCase(CANONICAL)) {
return thisX500Name.getRFC2253CanonicalName();
}
}
throw new IllegalArgumentException("invalid format specified");
```
That is why I wrapped the Exception so it woudl remain compatable which existing behavour. Since that has not changed there is nothing to test as far as I can see,
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] free-ice edited a comment on pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
free-ice edited a comment on pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41#issuecomment-926803045
@coheigea Sorry about noise, rebased change has been tested against two systems , (spring-ws) didn't require an update afterall since string was passed (Flexiable interface design!).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] free-ice commented on pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
free-ice commented on pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41#issuecomment-929313385
Also I just created a PR against spring-ws and was impressed that they have a webhook to check a CLA status and automates the process of signing it. Full process only took 1 minutes. Though I had filled one out for Apache 20 years ago when I was a committer, I downloaded a new one and the PDF is cubmersome.... I looked around to see if I could find the Pivotal CLA webhook code but was unsuccessfull.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] free-ice commented on a change in pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
free-ice commented on a change in pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41#discussion_r717612647
##########
File path: ws-security-dom/src/main/java/org/apache/wss4j/dom/WSConstants.java
##########
@@ -319,9 +323,31 @@
*/
public static final int ENDPOINT_KEY_IDENTIFIER = 14;
+
+ /**
+ *Sets the {@link org.apache.wss4j.dom.message.WSSecSignature#build(Crypto)}
+ * or the {@link org.apache.wss4j.dom.message.WSSecEncrypt#build(Crypto, SecretKey)}
+ * method to send the issuer name and the serial number of a certificate to
+ *the receiver.
Review comment:
👍
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] free-ice commented on a change in pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
free-ice commented on a change in pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41#discussion_r717710678
##########
File path: ws-security-common/src/main/java/org/apache/wss4j/common/util/CommaDelimiterRfc2253Name.java
##########
@@ -0,0 +1,106 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.common.util;
+
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+import java.util.List;
+
+/**
+ * Convert a RFC 2253 String using \ to escape unicode characters into one that is compatible
+ * with Microsoft's WFC and Java.<p><br>
+ *
+ * <strong>Detail:</strong>
+ * Converts a string in RFC2253 format and replaces \ escaped characters with a string quoted representation.
+ * It also places a space before the next RDN. <p> <br>
+ * There are two alternate ways an RFC 2253 RDN can escape unicode characters, either with '\'
+ * or by using quotes. Java seems to recognize both formats but Microsoft's WFC only seems to recognize quotes.
+ * Since implementations may escape any characters and string is already in valid format no knowledge is
+ * required of escapable characters.
+ */
+public class CommaDelimiterRfc2253Name {
+
+ /**
+ * Return rfs2253String that delimits using quotes
+ *
+ * @param rfs2253String a string in rfc 2253 format using a \ as delimiter.
+ * @return Rdn in quoted form if required.
+ */
+ public String execute(String rfs2253String) {
+ StringBuilder commaDNBuilder = new StringBuilder();
+ try {
+ LdapName ldapname = new LdapName(rfs2253String);
+ List<Rdn> rdns = ldapname.getRdns();
+
+ for (int i = rdns.size() - 1; i >= 0; i--) {
+ Rdn rdn = rdns.get(i);
+ String rdnString = rdn.toString();
+ String appendString;
+ if (requiresDoubleQuoting(rdnString)) {
+ appendString = convertToDoubleQuotes(rdnString);
+ } else {
+ appendString = rdnString;
+ }
+ if (i == rdns.size() - 1) {
+ commaDNBuilder.append(appendString);
+ } else {
+ commaDNBuilder.append(", ").append(appendString);
+ }
+ }
+ } catch (InvalidNameException e) {
+ throw new IllegalArgumentException(" The distinguished name cannot be parsed : " + rfs2253String);
Review comment:
The execute() method throws the same exception as the X500Principal.getName() so from an possible thrown Exception prespective that has not changed.
From JDK 11:
```
public String getName(String format) {
if (format != null) {
if (format.equalsIgnoreCase(RFC1779)) {
return thisX500Name.getRFC1779Name();
} else if (format.equalsIgnoreCase(RFC2253)) {
return thisX500Name.getRFC2253Name();
} else if (format.equalsIgnoreCase(CANONICAL)) {
return thisX500Name.getRFC2253CanonicalName();
}
}
throw new IllegalArgumentException("invalid format specified");
```
That is why I wrapped the Exception so it would remain compatable which existing behavour. Since that has not changed there is nothing to test as far as I can see.
One suggestion, this doesn't address the exception concern but
We could change the interface from:
CommaDelimiterRfc2253Name .execute(String)
to
CommaDelimiterRfc2253Name.execute(X500Principal).
This would constrain its use in Wss4j to this specific use case.
For my money based on how long this code has been around the case of an LdapName not being able to parse a X500Principle name just isn't going to happen.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] coheigea commented on a change in pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
coheigea commented on a change in pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41#discussion_r717319663
##########
File path: ws-security-common/src/main/java/org/apache/wss4j/common/util/CommaDelimiterRfc2253Name.java
##########
@@ -0,0 +1,106 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.common.util;
+
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+import java.util.List;
+
+/**
+ * Convert a RFC 2253 String using \ to escape unicode characters into one that is compatible
+ * with Microsoft's WFC and Java.<p><br>
+ *
+ * <strong>Detail:</strong>
+ * Converts a string in RFC2253 format and replaces \ escaped characters with a string quoted representation.
+ * It also places a space before the next RDN. <p> <br>
+ * There are two alternate ways an RFC 2253 RDN can escape unicode characters, either with '\'
+ * or by using quotes. Java seems to recognize both formats but Microsoft's WFC only seems to recognize quotes.
+ * Since implementations may escape any characters and string is already in valid format no knowledge is
+ * required of escapable characters.
+ */
+public class CommaDelimiterRfc2253Name {
+
+ /**
+ * Return rfs2253String that delimits using quotes
+ *
+ * @param rfs2253String a string in rfc 2253 format using a \ as delimiter.
+ * @return Rdn in quoted form if required.
+ */
+ public String execute(String rfs2253String) {
+ StringBuilder commaDNBuilder = new StringBuilder();
+ try {
+ LdapName ldapname = new LdapName(rfs2253String);
+ List<Rdn> rdns = ldapname.getRdns();
+
+ for (int i = rdns.size() - 1; i >= 0; i--) {
+ Rdn rdn = rdns.get(i);
+ String rdnString = rdn.toString();
+ String appendString;
+ if (requiresDoubleQuoting(rdnString)) {
+ appendString = convertToDoubleQuotes(rdnString);
+ } else {
+ appendString = rdnString;
+ }
+ if (i == rdns.size() - 1) {
+ commaDNBuilder.append(appendString);
+ } else {
+ commaDNBuilder.append(", ").append(appendString);
+ }
+ }
+ } catch (InvalidNameException e) {
+ throw new IllegalArgumentException(" The distinguished name cannot be parsed : " + rfs2253String);
Review comment:
We need to make sure this runtime exception is caught and handled properly in the calling code.
##########
File path: ws-security-common/src/test/java/org/apache/wss4j/common/util/CommaDelimiterRfc2253NameTest.java
##########
@@ -0,0 +1,151 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.common.util;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+import javax.security.auth.x500.X500Principal;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.PKIXParameters;
+import java.security.cert.TrustAnchor;
+import java.security.cert.X509Certificate;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+class CommaDelimiterRfc2253NameTest {
+
+ private static final String TYPICAL_CA ="CN=Entrust Certification Authority - L1K,OU=(c) 2012 Entrust\\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\\, Inc.,C=US";
+ private static final String QUOTES_TYPICAL_CA ="CN=Entrust Certification Authority - L1K, OU=\"(c) 2012 Entrust, Inc. - for authorized use only\", OU=See www.entrust.net/legal-terms, O=\"Entrust, Inc.\", C=US";
+
+ private CommaDelimiterRfc2253Name subject = new CommaDelimiterRfc2253Name();
+
+
+ @Test
+ void whenMultipleAttributesArePresentThenSpaceIsPlacedAfterComma() {
+ String actual = new CommaDelimiterRfc2253Name().execute("CN=EOIR,OU=Some Unit,DC=Another place");
+ assertEquals("CN=EOIR, OU=Some Unit, DC=Another place",actual);
+ }
+ @Test
+ void whenRdnContainsACommaThenTheRdnIsSurroundedByDoubleQuotes() {
+ String actual = new CommaDelimiterRfc2253Name().execute(TYPICAL_CA);
+ assertEquals(QUOTES_TYPICAL_CA,actual);
+ }
+
+ @Test
+ void whenRdnIsInvalidThenExpectException() {
+ Assertions.assertThrows(IllegalArgumentException.class, () -> {
+ subject.execute("invalid");
+ });
+ }
+
+
+ @Test
+ void whenCallingUnescapeWithStringNoEscapesThenNoChangesAreMade() throws Exception {
+ String input = "This is a string with (c) no escaped! sStrings $";
+ String actual = subject.unEscapeRfc2253RdnSubPart(input);
+ assertEquals(input,actual,"Expect that string is unchanged");
+ }
+
+
+ @Test
+ void whenCallingUnescapeWithStringThenItUnescapesAppropiateCharacters() throws Exception {
+ String input = "This is a string with escapes \\,\\; \\\\ and \\< then \\> \\\"Copyright Apache\\\" ";
+ String expected = "This is a string with escapes ,; \\ and < then > \"Copyright Apache\" ";
+ String actual = subject.unEscapeRfc2253RdnSubPart(input);
+ assertEquals(expected,actual,"Expect that string is unescaped");
+ }
+
+
+ @Test
+ void whenCallingUnescapeWithStringWithMultiValueRdnThenItUnescapesAppropriateCharacters() throws Exception {
+ String input = "OU=Sales\\+CN=J. Smith\\,O=Widget Inc.\\,C=US";
+ String expected = "OU=Sales+CN=J. Smith,O=Widget Inc.,C=US";
+ String actual = subject.unEscapeRfc2253RdnSubPart(input);
+ assertEquals(expected,actual,"Expect that string is unescaped");
+ }
+
+ @Test
+ public void testThatACommaDelimitedDnStringAndABackSlashEscapedDnProducesTheSameX509PrincipalUsingDefaultTruststore()
+ throws KeyStoreException, InvalidAlgorithmParameterException, CertificateException, NoSuchAlgorithmException, IOException {
+ KeyStore keystore = loadDefaultKeyStore();
+ assertAllCaTransformsAreEquivalent(keystore);
+ }
+
+ @Test
+ public void testThatACommaDelimitedDnStringAndABackSlashEscapedDnProducesTheSameX509Principal()
+ throws KeyStoreException, InvalidAlgorithmParameterException, CertificateException, NoSuchAlgorithmException, IOException {
+ KeyStore keystore = loadKeyStore("keys/cacerts-openjdk.jks", "changeit");
Review comment:
Can we remove this test? We can't put the cacerts into source control due to licensing issues.
##########
File path: ws-security-policy-stax/pom.xml
##########
@@ -52,6 +52,13 @@
<scope>compile</scope>
<optional>true</optional>
</dependency>
+ <dependency>
+ <groupId>org.apache.wss4j</groupId>
+ <artifactId>wss4j-ws-security-common</artifactId>
+ <version>${project.version}</version>
+ <classifier>tests</classifier>
+ <scope>test</scope>
+ </dependency>
Review comment:
This change is not needed.
##########
File path: ws-security-dom/src/main/java/org/apache/wss4j/dom/WSConstants.java
##########
@@ -191,17 +191,21 @@
/**
* Sets the {@link
- * org.apache.wss4j.dom.message.WSSecSignature#build(Document, Crypto, WSSecHeader)
- * } or the {@link
- * org.apache.wss4j.dom.message.WSSecEncrypt#build(Document, Crypto, WSSecHeader)
+ *org.apache.wss4j.dom.message.WSSecSignature#build(Crypto)
+ *} or the {@link
+ *org.apache.wss4j.dom.message.WSSecEncrypt#build(Crypto, SecretKey)
* } method to send the issuer name and the serial number of a certificate to
* the receiver.
* <p/>
* In contrast to {@link #BST_DIRECT_REFERENCE} only the issuer name
* and the serial number of the signing certificate are sent to the
* receiver. This reduces the amount of data being sent. The encryption
* method uses the public key associated with this certificate to encrypt
- * the symmetric key used to encrypt data.
+ * the symmetric key used to encrypt data.
+ * The name format will
+ * delimit unicode characters with a '\' which is not compatible with Microsoft's WCF stack.
Review comment:
Can we merge these two lines?
##########
File path: ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandlerConstants.java
##########
@@ -87,6 +87,8 @@ private WSHandlerConstants() {
* </li>
* <li><code>IssuerSerial</code> for {@link WSConstants#ISSUER_SERIAL}
* </li>
+ * <li><code>IssuerSerial</code> for {@link WSConstants#ISSUER_SERIAL_QUOTE_FORMAT}
Review comment:
Should be IssuerSerialQuoteFormat here
##########
File path: ws-security-dom/src/main/java/org/apache/wss4j/dom/WSConstants.java
##########
@@ -319,9 +323,31 @@
*/
public static final int ENDPOINT_KEY_IDENTIFIER = 14;
+
+ /**
+ *Sets the {@link org.apache.wss4j.dom.message.WSSecSignature#build(Crypto)}
+ * or the {@link org.apache.wss4j.dom.message.WSSecEncrypt#build(Crypto, SecretKey)}
+ * method to send the issuer name and the serial number of a certificate to
+ *the receiver.
Review comment:
Merge this with the previous line
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] free-ice commented on a change in pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
free-ice commented on a change in pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41#discussion_r717710678
##########
File path: ws-security-common/src/main/java/org/apache/wss4j/common/util/CommaDelimiterRfc2253Name.java
##########
@@ -0,0 +1,106 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.common.util;
+
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+import java.util.List;
+
+/**
+ * Convert a RFC 2253 String using \ to escape unicode characters into one that is compatible
+ * with Microsoft's WFC and Java.<p><br>
+ *
+ * <strong>Detail:</strong>
+ * Converts a string in RFC2253 format and replaces \ escaped characters with a string quoted representation.
+ * It also places a space before the next RDN. <p> <br>
+ * There are two alternate ways an RFC 2253 RDN can escape unicode characters, either with '\'
+ * or by using quotes. Java seems to recognize both formats but Microsoft's WFC only seems to recognize quotes.
+ * Since implementations may escape any characters and string is already in valid format no knowledge is
+ * required of escapable characters.
+ */
+public class CommaDelimiterRfc2253Name {
+
+ /**
+ * Return rfs2253String that delimits using quotes
+ *
+ * @param rfs2253String a string in rfc 2253 format using a \ as delimiter.
+ * @return Rdn in quoted form if required.
+ */
+ public String execute(String rfs2253String) {
+ StringBuilder commaDNBuilder = new StringBuilder();
+ try {
+ LdapName ldapname = new LdapName(rfs2253String);
+ List<Rdn> rdns = ldapname.getRdns();
+
+ for (int i = rdns.size() - 1; i >= 0; i--) {
+ Rdn rdn = rdns.get(i);
+ String rdnString = rdn.toString();
+ String appendString;
+ if (requiresDoubleQuoting(rdnString)) {
+ appendString = convertToDoubleQuotes(rdnString);
+ } else {
+ appendString = rdnString;
+ }
+ if (i == rdns.size() - 1) {
+ commaDNBuilder.append(appendString);
+ } else {
+ commaDNBuilder.append(", ").append(appendString);
+ }
+ }
+ } catch (InvalidNameException e) {
+ throw new IllegalArgumentException(" The distinguished name cannot be parsed : " + rfs2253String);
Review comment:
The execute() method throws the same exception as the X500Principal.getName() so from an possible thrown Exception prespective that has not changed.
From JDK 11:
```
public String getName(String format) {
if (format != null) {
if (format.equalsIgnoreCase(RFC1779)) {
return thisX500Name.getRFC1779Name();
} else if (format.equalsIgnoreCase(RFC2253)) {
return thisX500Name.getRFC2253Name();
} else if (format.equalsIgnoreCase(CANONICAL)) {
return thisX500Name.getRFC2253CanonicalName();
}
}
throw new IllegalArgumentException("invalid format specified");
```
That is why I wrapped the Exception so it would remain compatable which existing behavour. Since that has not changed there is nothing to test as far as I can see.
One suggestion, this doesn't address the exception concern but
We could change the interface from:
CommaDelimiterRfc2253Name .execute(String)
to
CommaDelimiterRfc2253Name.execute(X500Principal).
This would constrain its use in Wss4j to this specific use case.
For my money based on how long this code has been around the case of an LdapName not being able to parse a X500Principle name just isn't going to happen.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] free-ice edited a comment on pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
free-ice edited a comment on pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41#issuecomment-929295253
It Looks like the comment about handling exception was removed, or at least I don't see it now ?
The execute() method throws the same exception as the X509Principal.getName() so from an Exception prespective that has not changed. If you want to to still make a change or add a test for this let me know.
All other comments have been addressed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] free-ice commented on a change in pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
free-ice commented on a change in pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41#discussion_r717619684
##########
File path: ws-security-dom/src/main/java/org/apache/wss4j/dom/WSConstants.java
##########
@@ -319,9 +323,31 @@
*/
public static final int ENDPOINT_KEY_IDENTIFIER = 14;
+
+ /**
+ *Sets the {@link org.apache.wss4j.dom.message.WSSecSignature#build(Crypto)}
+ * or the {@link org.apache.wss4j.dom.message.WSSecEncrypt#build(Crypto, SecretKey)}
+ * method to send the issuer name and the serial number of a certificate to
+ *the receiver.
Review comment:
👍
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] free-ice commented on a change in pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
free-ice commented on a change in pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41#discussion_r717710678
##########
File path: ws-security-common/src/main/java/org/apache/wss4j/common/util/CommaDelimiterRfc2253Name.java
##########
@@ -0,0 +1,106 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.common.util;
+
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+import java.util.List;
+
+/**
+ * Convert a RFC 2253 String using \ to escape unicode characters into one that is compatible
+ * with Microsoft's WFC and Java.<p><br>
+ *
+ * <strong>Detail:</strong>
+ * Converts a string in RFC2253 format and replaces \ escaped characters with a string quoted representation.
+ * It also places a space before the next RDN. <p> <br>
+ * There are two alternate ways an RFC 2253 RDN can escape unicode characters, either with '\'
+ * or by using quotes. Java seems to recognize both formats but Microsoft's WFC only seems to recognize quotes.
+ * Since implementations may escape any characters and string is already in valid format no knowledge is
+ * required of escapable characters.
+ */
+public class CommaDelimiterRfc2253Name {
+
+ /**
+ * Return rfs2253String that delimits using quotes
+ *
+ * @param rfs2253String a string in rfc 2253 format using a \ as delimiter.
+ * @return Rdn in quoted form if required.
+ */
+ public String execute(String rfs2253String) {
+ StringBuilder commaDNBuilder = new StringBuilder();
+ try {
+ LdapName ldapname = new LdapName(rfs2253String);
+ List<Rdn> rdns = ldapname.getRdns();
+
+ for (int i = rdns.size() - 1; i >= 0; i--) {
+ Rdn rdn = rdns.get(i);
+ String rdnString = rdn.toString();
+ String appendString;
+ if (requiresDoubleQuoting(rdnString)) {
+ appendString = convertToDoubleQuotes(rdnString);
+ } else {
+ appendString = rdnString;
+ }
+ if (i == rdns.size() - 1) {
+ commaDNBuilder.append(appendString);
+ } else {
+ commaDNBuilder.append(", ").append(appendString);
+ }
+ }
+ } catch (InvalidNameException e) {
+ throw new IllegalArgumentException(" The distinguished name cannot be parsed : " + rfs2253String);
Review comment:
The execute() method throws the same exception as the X500Principal.getName() so from an possible thrown Exception prespective that has not changed.
From JDK 11:
```
public String getName(String format) {
if (format != null) {
if (format.equalsIgnoreCase(RFC1779)) {
return thisX500Name.getRFC1779Name();
} else if (format.equalsIgnoreCase(RFC2253)) {
return thisX500Name.getRFC2253Name();
} else if (format.equalsIgnoreCase(CANONICAL)) {
return thisX500Name.getRFC2253CanonicalName();
}
}
throw new IllegalArgumentException("invalid format specified");
}
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] free-ice commented on a change in pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
free-ice commented on a change in pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41#discussion_r717619412
##########
File path: ws-security-dom/src/main/java/org/apache/wss4j/dom/WSConstants.java
##########
@@ -191,17 +191,21 @@
/**
* Sets the {@link
- * org.apache.wss4j.dom.message.WSSecSignature#build(Document, Crypto, WSSecHeader)
- * } or the {@link
- * org.apache.wss4j.dom.message.WSSecEncrypt#build(Document, Crypto, WSSecHeader)
+ *org.apache.wss4j.dom.message.WSSecSignature#build(Crypto)
+ *} or the {@link
+ *org.apache.wss4j.dom.message.WSSecEncrypt#build(Crypto, SecretKey)
* } method to send the issuer name and the serial number of a certificate to
* the receiver.
* <p/>
* In contrast to {@link #BST_DIRECT_REFERENCE} only the issuer name
* and the serial number of the signing certificate are sent to the
* receiver. This reduces the amount of data being sent. The encryption
* method uses the public key associated with this certificate to encrypt
- * the symmetric key used to encrypt data.
+ * the symmetric key used to encrypt data.
+ * The name format will
+ * delimit unicode characters with a '\' which is not compatible with Microsoft's WCF stack.
Review comment:
👍
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] free-ice commented on pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
free-ice commented on pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41#issuecomment-929295253
It Looks like the comment about handling exception was removed, or at least I don't see it now ?
The execute() method throws the same exception as the X509Principal.getName() so from an Exception prespective that has not changed. If you want to to still make a change or ad a test for this let me know.
All other comments have been addressed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
[GitHub] [ws-wss4j] free-ice commented on a change in pull request #41: Add wfc compat for 2 3 x
Posted by GitBox <gi...@apache.org>.
free-ice commented on a change in pull request #41:
URL: https://github.com/apache/ws-wss4j/pull/41#discussion_r717615054
##########
File path: ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandlerConstants.java
##########
@@ -87,6 +87,8 @@ private WSHandlerConstants() {
* </li>
* <li><code>IssuerSerial</code> for {@link WSConstants#ISSUER_SERIAL}
* </li>
+ * <li><code>IssuerSerial</code> for {@link WSConstants#ISSUER_SERIAL_QUOTE_FORMAT}
Review comment:
👍
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org