ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "George Stanchev (JIRA)" <>
Subject [jira] [Commented] (WSS-107) contains Bouncy Castle JCE copyright code
Date Sun, 20 Nov 2016 02:51:59 GMT


George Stanchev commented on WSS-107:

Since I am the one that opened that CR, I can recall the issue was with the IDEA algorithm
and it's patent. I really don't recall where did the "they are being sued somewhere in Europe"
comment came from - it has been a while and it is possible it was mentioned to me, or perhaps
i just pulled it our of my a... At the time we were advised by Eclipse's legal team to be
extremely careful and any hint of legal troubles would disqualify a 3rd party dependency.
Sorry if my comment was misinformational.

> contains Bouncy Castle JCE copyright code
> ----------------------------------------------------------------
>                 Key: WSS-107
>                 URL:
>             Project: WSS4J
>          Issue Type: Improvement
>         Environment: N/A
>            Reporter: George Stanchev
>            Assignee: Ruchith Udayanga Fernando
>             Fix For: 1.5.4
>         Attachments:
> The Eclipse Foundation IP review rejected wss4j 1.5.latest for approval in its projects
because of this file (found under
> src\org\apache\ws\security\components\crypto) contains a comment:
> /*
>  * This source is a plain copy from bouncycastle software.
>  * Thus:
>  * Copyright (c) 2000 The Legion Of The Bouncy Castle
> (
>  */
> Apparently there are some legal issues with BC - they are being sued somewhere in Europe
for inclusion of a patented algorithm and Eclipse Legal wants to stay away from anything BC.
They noted the ripoff code comment and alarms started ringing. However that stops us of including
WSS4J in an Eclipse project I am comitter of and makes things complicated for our users.
> Besides all that, the X509Tokenizer included in wss4j is very simple and rudimentary
and doesn't conform to RFC2253. In fact in X509 certs with more complex DNs it would give
incorrect results. 
> So in light of all this, and with the fact that Apache XML-Security 1.4.x already has
a nice RFC2253 parser, can we replace the file in question with the version assigned to this
email? It uses the XML-Security DN parser and just creates a wrapper with same WSS4J interface
already implemented and consumed now. I copied 2 utility functions (trim() and countQuotes()
from there locally and based the constructor on the RFC2253Parser normalize() method (same
> Instead of lazily evaluating the DN, I construct an ArrayList with to hold the tokenized

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message