Posted to wss4j-dev@ws.apache.org by "George Stanchev (JIRA)" <ji...@apache.org> on 2008/04/08 15:11:24 UTC

[jira] Created: (WSS-107) X509NameTokenizer.java contains Bouncy Castle JCE copyright code

X509NameTokenizer.java contains Bouncy Castle JCE copyright code
----------------------------------------------------------------

                 Key: WSS-107
                 URL: https://issues.apache.org/jira/browse/WSS-107
             Project: WSS4J
          Issue Type: Improvement
         Environment: N/A
            Reporter: George Stanchev
            Assignee: Ruchith Udayanga Fernando


The Eclipse Foundation IP review rejected wss4j 1.5.latest for approval in its projects because this file (found under
src\org\apache\ws\security\components\crypto) contains a comment:

/*
 * This source is a plain copy from bouncycastle software.
 * Thus:
 * Copyright (c) 2000 The Legion Of The Bouncy Castle (http://www.bouncycastle.org)
 */

Apparently there are some legal issues with BC - they are being sued somewhere in Europe for inclusion of a patented algorithm and Eclipse Legal wants to stay away from anything BC. They noted the ripoff code comment and alarms started ringing. However that stops us from including WSS4J in an Eclipse project I am a committer of and makes things complicated for our users.

Besides all that, the X509Tokenizer included in wss4j is very simple and rudimentary and doesn't conform to RFC2253. In fact in X509 certs with more complex DNs it would give incorrect results. 

So in light of all this, and with the fact that Apache XML-Security 1.4.x already has a nice RFC2253 parser, can we replace the file in question with the version assigned to this email? It uses the XML-Security DN parser and just creates a wrapper with the same WSS4J interface already implemented and consumed now. I copied 2 utility functions (trim() and countQuotes()) from there locally and based the constructor on the RFC2253Parser normalize() method (same logic).
(Instead of lazily evaluating the DN, I construct an ArrayList to hold the tokenized OIDs.)

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
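
The report above says a simple tokenizer gives incorrect results on more complex DNs. The following is an added example, not code from this thread or from WSS4J: it compares a naive comma split (a stand-in, not the original WSS4J tokenizer) with an RFC 2253-aware parse. It uses the JDK's javax.naming.ldap.LdapName rather than XML-Security's RFC2253Parser, and the sample DNs are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class DnTokenizerDemo {

    // Naive stand-in: splits on every comma, ignoring RFC 2253 escapes and quotes.
    static List<String> naiveTokens(String dn) {
        List<String> out = new ArrayList<>();
        for (String part : dn.split(",")) {
            out.add(part.trim());
        }
        return out;
    }

    // RFC 2253-aware: LdapName stores RDNs right-to-left (index 0 is the
    // rightmost), so iterate in reverse to keep the order as written.
    static List<String> rfc2253Tokens(String dn) throws InvalidNameException {
        List<Rdn> rdns = new LdapName(dn).getRdns();
        List<String> out = new ArrayList<>();
        for (int i = rdns.size() - 1; i >= 0; i--) {
            // Rdn.toString() re-escapes the value and keeps multi-valued RDNs whole.
            out.add(rdns.get(i).toString());
        }
        return out;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample DNs: an escaped comma, a quoted value, a plain DN.
        String[] samples = {
            "CN=Smith\\, John,OU=Engineering,O=Example,C=US",
            "CN=svc,O=\"Example, Inc.\",C=US",
            "CN=plain,O=Example,C=US"
        };
        for (String dn : samples) {
            List<String> naive = naiveTokens(dn);
            List<String> strict = rfc2253Tokens(dn);
            System.out.println(dn);
            System.out.println("  naive   (" + naive.size() + "): " + naive);
            System.out.println("  rfc2253 (" + strict.size() + "): " + strict);
        }
    }
}
```

For the first two DNs the naive split yields one token more than there are RDNs, so any subject-DN comparison built on it would compare the wrong components; the plain DN tokenizes identically under both.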


[jira] Updated: (WSS-107) X509NameTokenizer.java contains Bouncy Castle JCE copyright code

Posted by "George Stanchev (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-107?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

George Stanchev updated WSS-107:
--------------------------------

    Attachment: X509NameTokenizer.java

The attached file replaces the tokenizer parser with calls to XML-Security's implementation of the RFC2253 DN parser. 2 utility functions are copied verbatim; the third (the constructor) is based on the normalize() code there, which provides a template for how to loop through the DN's RDNs.


[jira] Resolved: (WSS-107) X509NameTokenizer.java contains Bouncy Castle JCE copyright code

Posted by "Fred Dushin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-107?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Fred Dushin resolved WSS-107.
-----------------------------

    Resolution: Fixed


[jira] Commented: (WSS-107) X509NameTokenizer.java contains Bouncy Castle JCE copyright code

Posted by "Fred Dushin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-107?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12587714#action_12587714 ] 

Fred Dushin commented on WSS-107:
---------------------------------

Committed George's fix, and added a unit test
