[ https://issues.apache.org/jira/browse/WSS-107?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Fred Dushin resolved WSS-107.
-----------------------------

    Resolution: Fixed

> X509NameTokenizer.java contains Bouncy Castle JCE copyright code
> ----------------------------------------------------------------
>
>                 Key: WSS-107
>                 URL: https://issues.apache.org/jira/browse/WSS-107
>             Project: WSS4J
>          Issue Type: Improvement
>         Environment: N/A
>            Reporter: George Stanchev
>            Assignee: Ruchith Udayanga Fernando
>         Attachments: X509NameTokenizer.java
>
>
> The Eclipse Foundation IP review rejected wss4j 1.5.latest for approval in 
> its projects because this file (found under
> src\org\apache\ws\security\components\crypto) contains a comment:
> /*
>  * This source is a plain copy from bouncycastle software.
>  * Thus:
>  * Copyright (c) 2000 The Legion Of The Bouncy Castle (http://www.bouncycastle.org)
>  */
> Apparently there are some legal issues with BC - they are being sued 
> somewhere in Europe for inclusion of a patented algorithm and Eclipse Legal 
> wants to stay away from anything BC. They noted the ripoff code comment and 
> alarms started ringing. However, that stops us from including WSS4J in an 
> Eclipse project I am a committer of and makes things complicated for our users.
> Besides all that, the X509Tokenizer included in wss4j is very simple and 
> rudimentary and doesn't conform to RFC2253. In fact in X509 certs with more 
> complex DNs it would give incorrect results. 
> So in light of all this, and with the fact that Apache XML-Security 1.4.x 
> already has a nice RFC2253 parser, can we replace the file in question with 
> the version assigned to this email? It uses the XML-Security DN parser and 
> just creates a wrapper with same WSS4J interface already implemented and 
> consumed now. I copied 2 utility functions (trim() and countQuotes()) from 
> there locally and based the constructor on the RFC2253Parser normalize() 
> method (same logic).
> Instead of lazily evaluating the DN, I construct an ArrayList to hold 
> the tokenized OIDs.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
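
The issue above turns on splitting a DN only at separators that fall outside quoted or escaped values, as the RFC 2253 string form requires. The following is an added illustration, not the attached X509NameTokenizer.java and not XML-Security's RFC2253Parser; the class name, the tokenize() method and the sample DNs are constructed for this example, and the JDK's javax.naming.ldap.LdapName serves only as a cross-check.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class DnTokenizerExample {
    /** Splits a string-form DN into RDNs, honouring quoted values and backslash escapes. */
    static List<String> tokenize(String dn) {
        List<String> rdns = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean inQuotes = false, escaped = false;
        int keep = 0; // length of cur up to its last significant (non-padding) character
        for (char c : dn.toCharArray()) {
            if (escaped) {                        // character after a backslash is literal
                cur.append(c); escaped = false; keep = cur.length();
            } else if (c == '\\') {
                cur.append(c); escaped = true; keep = cur.length();
            } else if (c == '"') {
                cur.append(c); inQuotes = !inQuotes; keep = cur.length();
            } else if ((c == ',' || c == ';') && !inQuotes) {
                rdns.add(cur.substring(0, keep)); // separator outside quotes ends the RDN
                cur.setLength(0); keep = 0;
            } else if (Character.isWhitespace(c) && !inQuotes) {
                if (cur.length() > 0) cur.append(c); // skip leading padding, defer trailing
            } else {
                cur.append(c); keep = cur.length();
            }
        }
        if (inQuotes || escaped) throw new IllegalArgumentException("unterminated quote or escape");
        rdns.add(cur.substring(0, keep));
        return rdns;
    }

    public static void main(String[] args) throws InvalidNameException {
        String[] samples = { // constructed DNs, not taken from any real certificate
            "CN=Alice,O=Example Corp,C=US",
            "CN=\"Doe, John\",O=Example Corp,C=US",
            "CN=Doe\\, John , O=Example\\; Inc ; C=US",
        };
        for (String dn : samples) {
            System.out.println("DN:        " + dn);
            System.out.println("naive:     " + Arrays.asList(dn.split(",")));
            System.out.println("tokenized: " + tokenize(dn));
            // Cross-check the RDN count against the JDK's own DN parser.
            System.out.println("LdapName:  " + new LdapName(dn).size() + " RDNs");
        }
    }
}
```

For the second and third samples the naive comma split yields four fragments while the quote-aware tokenizer and LdapName both see three RDNs; any subject-matching logic built on the fragments would compare the wrong values.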

