[jira] Commented: (WSS-107) X509NameTokenizer.java contains Bouncy Castle JCE copyright code

[Fred Dushin (JIRA)]

    [ 
https://issues.apache.org/jira/browse/WSS-107?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12587714#action_12587714
 ] 

Fred Dushin commented on WSS-107:
---------------------------------

Committed George's fix, and added a unit test

> X509NameTokenizer.java contains Bouncy Castle JCE copyright code
> ----------------------------------------------------------------
>
>                 Key: WSS-107
>                 URL: https://issues.apache.org/jira/browse/WSS-107
>             Project: WSS4J
>          Issue Type: Improvement
>         Environment: N/A
>            Reporter: George Stanchev
>            Assignee: Ruchith Udayanga Fernando
>         Attachments: X509NameTokenizer.java
>
>
> The Eclipse Foundation IP review rejected wss4j 1.5.latest for approval in 
> its projects because of this file (found under
> src\org\apache\ws\security\components\crypto) contains a comment:
> /*
>  * This source is a plain copy from bouncycastle software.
>  * Thus:
>  * Copyright (c) 2000 The Legion Of The Bouncy Castle
> (http://www.bouncycastle.org)
>  */
> Apparently there are some legal issues with BC - they are being sued 
> somewhere in Europe for inclusion of a patented algorithm and Eclipse Legal 
> wants to stay away from anything BC. They noted the ripoff code comment and 
> alarms started ringing. However that stops us of including WSS4J in an 
> Eclipse project I am comitter of and makes things complicated for our users.
> Besides all that, the X509Tokenizer included in wss4j is very simple and 
> rudimentary and doesn't conform to RFC2253. In fact in X509 certs with more 
> complex DNs it would give incorrect results. 
> So in light of all this, and with the fact that Apache XML-Security 1.4.x 
> already has a nice RFC2253 parser, can we replace the file in question with 
> the version assigned to this email? It uses the XML-Security DN parser and 
> just creates a wrapper with same WSS4J interface already implemented and 
> consumed now. I copied 2 utility functions (trim() and countQuotes() from 
> there locally and based the constructor on the RFC2253Parser normalize() 
> method (same logic).
> Instead of lazily evaluating the DN, I construct an ArrayList with to hold 
> the tokenized OIDs).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]