[jira] Created: (WSS-107) X509NameTokenizer.java contains Bouncy Castle JCE copyright code

Tue, 08 Apr 2008 06:14:23 -0700 

X509NameTokenizer.java contains Bouncy Castle JCE copyright code
----------------------------------------------------------------

                 Key: WSS-107
                 URL: https://issues.apache.org/jira/browse/WSS-107
             Project: WSS4J
          Issue Type: Improvement
         Environment: N/A
            Reporter: George Stanchev
            Assignee: Ruchith Udayanga Fernando


The Eclipse Foundation IP review rejected wss4j 1.5.latest for approval in its 
projects because of this file (found under
src\org\apache\ws\security\components\crypto) contains a comment:

/*
 * This source is a plain copy from bouncycastle software.
 * Thus:
 * Copyright (c) 2000 The Legion Of The Bouncy Castle
(http://www.bouncycastle.org)
 */

Apparently there are some legal issues with BC - they are being sued somewhere 
in Europe for inclusion of a patented algorithm and Eclipse Legal wants to stay 
away from anything BC. They noted the ripoff code comment and alarms started 
ringing. However that stops us of including WSS4J in an Eclipse project I am 
comitter of and makes things complicated for our users.

Besides all that, the X509Tokenizer included in wss4j is very simple and 
rudimentary and doesn't conform to RFC2253. In fact in X509 certs with more 
complex DNs it would give incorrect results. 

So in light of all this, and with the fact that Apache XML-Security 1.4.x 
already has a nice RFC2253 parser, can we replace the file in question with the 
version assigned to this email? It uses the XML-Security DN parser and just 
creates a wrapper with same WSS4J interface already implemented and consumed 
now. I copied 2 utility functions (trim() and countQuotes() from there locally 
and based the constructor on the RFC2253Parser normalize() method (same logic).
Instead of lazily evaluating the DN, I construct an ArrayList with to hold the 
tokenized OIDs).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to