Class OpensslNameUtils

Method Details

• normalize

  public static String normalize(String legacyDN)

  Performs cleaning of the provided openssl legacy DN. The following actions are performed:

  • all strings of the form '/TOKEN=' are converted to the '/NORMALIZED-TOKEN=', where TOKEN and NORMALIZED-TOKEN are taken from the NORMALIZED_LABELS map
  • the string is converted to lower case

  Please note that this normalization is far from being perfect: non-ascii characters encoded in hex are not lower-cased, it may happen that some tokens are not in the map, values containing '/TOKEN=' as a substring will be messed up.

  Parameters:

  legacyDN - legacy DN

  Returns:

  normalized string (hopefully) suitable for the string comparison

• opensslToRfc2253

  @Deprecated public static String opensslToRfc2253(String inputDN)

  Deprecated.

  This method is not planned for removal but it is marked as deprecated as it is highly unreliable and you should update your code not to use openssl style DNs at all

  Parameters:

  inputDN - input DN

  Returns:

  RFC 2253 representation of the input

  Since:

  1.1.0

  See Also:

  • with second arg equal to false

• opensslToRfc2253

  @Deprecated public static String opensslToRfc2253(String inputDN, boolean withWildcards)

  Deprecated.

  This method is not planned for removal but it is marked as deprecated as it is highly unreliable and you should update your code not to use openssl style DNs at all

  Tries to convert the OpenSSL string representation of a DN into a RFC 2253 form. The conversion is as follows:

  1. the string is split on '/',
  2. all resulting parts which have no '=' sign inside are glued with the previous element
  3. parts are output with ',' as a separator in reversed order.

  Parameters:

  inputDN - input DN

  withWildcards - whether '*' wildcards need to be recognized

  Returns:

  RFC 2253 representation of the input

  Since:

  1.1.0

• convertFromRfc2253

  public static String convertFromRfc2253(String srcDn, boolean globusFlavouring)

  Returns an OpenSSL legacy (and as of now the default in OpenSSL) encoding of the provided RFC 2253 DN. Please note that this method is:

  • written on a best effort basis: OpenSSL format is not documented anywhere.
  • it much more problematic to perform an opposite translation as OpenSSL format is highly ambiguous.
  • it is STRONGLY suggested not to use this format anywhere, especially in security setups, as many different DNs has the same OpenSSL representation, and also not to use this method.

  Additionally there is a possibility to turn on the "Globus" compatible mode. In this mode this method behaves more similarly to the one provided by the COG Jglobus. The basic difference is that RDNs containing multiple AVAs are are concatenated with '+' not with '/'.

  If you want to compare the output of this method (using string comparison) with something generated by openssl from a certificate, you can expect problems in case of:

  • multivalued RDNs: you should sort them, but in OpenSSL format it is even impossible to find them. With globusFlavouring turned on it is bit better, but as there is no escaping of special characters you are lost too.
  • not-so-common attributes used in DN: there is a plenty of attributes which have (or have not) short or long names defined in OpenSSL. This changes over the time in OpenSSL. Also every Globus/gLite/... tool can use a different set. Therefore whether a correct short name, long name or oid is used by this method is also problematic. It is guaranteed that the basic ones (DC, C, OU, O, L, ...) are working. But in case of less common expect troubles (e.g. openssl 1.0.0i uses 'id-pda-countryOfResidence', while this method will output 'CountryOfResidence').

  Parameters:

  srcDn - input in RFC 2253 format or similar

  globusFlavouring - globus flavouring

  Returns:

  openssl format encoded input.

  Since:

  1.1.0