X509NameTokenizer.java

[George Stanchev <Gs...@serena.com>]

Hi,

Since you're starting to talk about cutting a new release, I decided to
throw this isssue in. I already raised this problem in an earlier
email.The Eclipse Foundation IP review rejected wss4j 1.5.latest for
aproval in its projects because of this file (found under
src\org\apache\ws\security\components\crypto) contains a comment:

/*
 * This source is a plain copy from bouncycastle software.
 * Thus:
 * Copyright (c) 2000 The Legion Of The Bouncy Castle
(http://www.bouncycastle.org)
 */

Apparently there are some legal issues with BC - they are being sued
somewhere in Europe for inclusion of a patented algorithm and Eclipse
Legal wants to stay away from anything BC. They noted the ripoff code
comment and alarms started ringing. However that stops us of including
WSS4J in an Eclipse project I am commiter of and makes things
complicated for our users.

Besides all that, the X509Tokenizer included in wss4j is very simple and
rudamentary and doesn't conform to RFC2253. In fact in X509 certs with
more complex DNs it would give incorrect results. 

So in light of all this, and with the fact that Apache XML-Security
1.4.x already has a nice RFC2253 parser, can we replace the file in
question with the version assigned to this email? It uses the
XML-Security DN parser and just creates a wrapper with same WSS4J
interface already implemented and consumed now. I copied 2 utility
functions (trim() and countQuotes() from there locally and based the
constructor on the RFC2253Parser normalize() method (same logic).
Instead of lazily evaluating the DN, I construct an ArrayList with to
hold the tokenized OIDs).

If a WSS4J commiter can take a look at it and people think its OK, I
will open a JIRA and attach the file to it. Please let me know, and if
we can fix this issue, it would be really nice. 

Thanks in advance,

George Stanchev

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. 
**********************************************************************

RE: X509NameTokenizer.java

[George Stanchev <Gs...@serena.com>]

Yeah, that was funny. I used the existing class' shell and forgot to
delete it. Now, it's removed it in the attachment assigned to the JIRA
issue:

https://issues.apache.org/jira/browse/WSS-107  

Thx!

Best Regards,
George

-----Original Message-----
From: Ruchith Fernando [mailto:ruchith.fernando@gmail.com] 
Sent: Monday, April 07, 2008 10:40 PM
To: George Stanchev
Cc: wss4j-dev
Subject: Re: X509NameTokenizer.java

Also I noticed that you still have the afore mentioned comment in
question in the file you attached ... we can safely take it off right?
:-)

Thanks,
Ruchith

On Tue, Apr 8, 2008 at 10:05 AM, Ruchith Fernando
<ru...@gmail.com> wrote:
> Hi,
>
>  Can you please create a JIRA on this and attach the changes as a
patch to it.
>  Please make sure you select the option : "Grant license to ASF for  
> inclusion in ASF works ..."
>
>  Thanks,
>  Ruchith
>
>
>
>  On Tue, Apr 8, 2008 at 6:16 AM, George Stanchev
<Gs...@serena.com> wrote:
>  > Hi,
>  >
>  >  Since you're starting to talk about cutting a new release, I 
> decided to  >  throw this isssue in. I already raised this problem in 
> an earlier  >  email.The Eclipse Foundation IP review rejected wss4j 
> 1.5.latest for  >  aproval in its projects because of this file (found

> under  >  src\org\apache\ws\security\components\crypto) contains a
comment:
>  >
>  >  /*
>  >   * This source is a plain copy from bouncycastle software.
>  >   * Thus:
>  >   * Copyright (c) 2000 The Legion Of The Bouncy Castle
>  >  (http://www.bouncycastle.org)
>  >   */
>  >
>  >  Apparently there are some legal issues with BC - they are being 
> sued  >  somewhere in Europe for inclusion of a patented algorithm and

> Eclipse  >  Legal wants to stay away from anything BC. They noted the 
> ripoff code  >  comment and alarms started ringing. However that stops

> us of including  >  WSS4J in an Eclipse project I am commiter of and 
> makes things  >  complicated for our users.
>  >
>  >  Besides all that, the X509Tokenizer included in wss4j is very 
> simple and  >  rudamentary and doesn't conform to RFC2253. In fact in 
> X509 certs with  >  more complex DNs it would give incorrect results.
>  >
>  >  So in light of all this, and with the fact that Apache 
> XML-Security  >  1.4.x already has a nice RFC2253 parser, can we 
> replace the file in  >  question with the version assigned to this 
> email? It uses the  >  XML-Security DN parser and just creates a 
> wrapper with same WSS4J  >  interface already implemented and consumed

> now. I copied 2 utility  >  functions (trim() and countQuotes() from 
> there locally and based the  >  constructor on the RFC2253Parser
normalize() method (same logic).
>  >  Instead of lazily evaluating the DN, I construct an ArrayList with

> to  >  hold the tokenized OIDs).
>  >
>  >  If a WSS4J commiter can take a look at it and people think its OK,

> I  >  will open a JIRA and attach the file to it. Please let me know, 
> and if  >  we can fix this issue, it would be really nice.
>  >
>  >  Thanks in advance,
>  >
>  >  George Stanchev
>  >
>  >  
> **********************************************************************
>  >  This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. Any unauthorized review, use, disclosure or distribution is
prohibited. If you are not the intended recipient, please contact the
sender by reply e-mail and destroy all copies of the original message.
>  >  
> **********************************************************************
>  >
>  >
>  > 
> ---------------------------------------------------------------------
>  >  To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
>  >  For additional commands, e-mail: wss4j-dev-help@ws.apache.org  >
>
>
>
>  --
>  http://blog.ruchith.org
>  http://wso2.org
>



--
http://blog.ruchith.org
http://wso2.org

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org

Re: X509NameTokenizer.java

[Ruchith Fernando <ru...@gmail.com>]

Also I noticed that you still have the afore mentioned comment in
question in the file you attached ... we can safely take it off right?
:-)

Thanks,
Ruchith

On Tue, Apr 8, 2008 at 10:05 AM, Ruchith Fernando
<ru...@gmail.com> wrote:
> Hi,
>
>  Can you please create a JIRA on this and attach the changes as a patch to it.
>  Please make sure you select the option : "Grant license to ASF for
>  inclusion in ASF works ..."
>
>  Thanks,
>  Ruchith
>
>
>
>  On Tue, Apr 8, 2008 at 6:16 AM, George Stanchev <Gs...@serena.com> wrote:
>  > Hi,
>  >
>  >  Since you're starting to talk about cutting a new release, I decided to
>  >  throw this isssue in. I already raised this problem in an earlier
>  >  email.The Eclipse Foundation IP review rejected wss4j 1.5.latest for
>  >  aproval in its projects because of this file (found under
>  >  src\org\apache\ws\security\components\crypto) contains a comment:
>  >
>  >  /*
>  >   * This source is a plain copy from bouncycastle software.
>  >   * Thus:
>  >   * Copyright (c) 2000 The Legion Of The Bouncy Castle
>  >  (http://www.bouncycastle.org)
>  >   */
>  >
>  >  Apparently there are some legal issues with BC - they are being sued
>  >  somewhere in Europe for inclusion of a patented algorithm and Eclipse
>  >  Legal wants to stay away from anything BC. They noted the ripoff code
>  >  comment and alarms started ringing. However that stops us of including
>  >  WSS4J in an Eclipse project I am commiter of and makes things
>  >  complicated for our users.
>  >
>  >  Besides all that, the X509Tokenizer included in wss4j is very simple and
>  >  rudamentary and doesn't conform to RFC2253. In fact in X509 certs with
>  >  more complex DNs it would give incorrect results.
>  >
>  >  So in light of all this, and with the fact that Apache XML-Security
>  >  1.4.x already has a nice RFC2253 parser, can we replace the file in
>  >  question with the version assigned to this email? It uses the
>  >  XML-Security DN parser and just creates a wrapper with same WSS4J
>  >  interface already implemented and consumed now. I copied 2 utility
>  >  functions (trim() and countQuotes() from there locally and based the
>  >  constructor on the RFC2253Parser normalize() method (same logic).
>  >  Instead of lazily evaluating the DN, I construct an ArrayList with to
>  >  hold the tokenized OIDs).
>  >
>  >  If a WSS4J commiter can take a look at it and people think its OK, I
>  >  will open a JIRA and attach the file to it. Please let me know, and if
>  >  we can fix this issue, it would be really nice.
>  >
>  >  Thanks in advance,
>  >
>  >  George Stanchev
>  >
>  >  **********************************************************************
>  >  This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
>  >  **********************************************************************
>  >
>  >
>  > ---------------------------------------------------------------------
>  >  To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
>  >  For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>  >
>
>
>
>  --
>  http://blog.ruchith.org
>  http://wso2.org
>



-- 
http://blog.ruchith.org
http://wso2.org

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org

Re: X509NameTokenizer.java

[Ruchith Fernando <ru...@gmail.com>]

Hi,

Can you please create a JIRA on this and attach the changes as a patch to it.
Please make sure you select the option : "Grant license to ASF for
inclusion in ASF works ..."

Thanks,
Ruchith

On Tue, Apr 8, 2008 at 6:16 AM, George Stanchev <Gs...@serena.com> wrote:
> Hi,
>
>  Since you're starting to talk about cutting a new release, I decided to
>  throw this isssue in. I already raised this problem in an earlier
>  email.The Eclipse Foundation IP review rejected wss4j 1.5.latest for
>  aproval in its projects because of this file (found under
>  src\org\apache\ws\security\components\crypto) contains a comment:
>
>  /*
>   * This source is a plain copy from bouncycastle software.
>   * Thus:
>   * Copyright (c) 2000 The Legion Of The Bouncy Castle
>  (http://www.bouncycastle.org)
>   */
>
>  Apparently there are some legal issues with BC - they are being sued
>  somewhere in Europe for inclusion of a patented algorithm and Eclipse
>  Legal wants to stay away from anything BC. They noted the ripoff code
>  comment and alarms started ringing. However that stops us of including
>  WSS4J in an Eclipse project I am commiter of and makes things
>  complicated for our users.
>
>  Besides all that, the X509Tokenizer included in wss4j is very simple and
>  rudamentary and doesn't conform to RFC2253. In fact in X509 certs with
>  more complex DNs it would give incorrect results.
>
>  So in light of all this, and with the fact that Apache XML-Security
>  1.4.x already has a nice RFC2253 parser, can we replace the file in
>  question with the version assigned to this email? It uses the
>  XML-Security DN parser and just creates a wrapper with same WSS4J
>  interface already implemented and consumed now. I copied 2 utility
>  functions (trim() and countQuotes() from there locally and based the
>  constructor on the RFC2253Parser normalize() method (same logic).
>  Instead of lazily evaluating the DN, I construct an ArrayList with to
>  hold the tokenized OIDs).
>
>  If a WSS4J commiter can take a look at it and people think its OK, I
>  will open a JIRA and attach the file to it. Please let me know, and if
>  we can fix this issue, it would be really nice.
>
>  Thanks in advance,
>
>  George Stanchev
>
>  **********************************************************************
>  This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
>  **********************************************************************
>
>
> ---------------------------------------------------------------------
>  To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
>  For additional commands, e-mail: wss4j-dev-help@ws.apache.org
>



-- 
http://blog.ruchith.org
http://wso2.org

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org