Class OpensslNameUtils


  • public class OpensslNameUtils
    extends java.lang.Object
    This class provides support for the legacy OpenSSL format of DN encoding. Please do not use this format unless it is absolutely necessary. It has a number of problems; see the documentation of the particular methods for details.
    Author:
    K. Benedyczak
    • Field Summary

      Fields 
      Modifier and Type Field Description
      static java.util.Map<java.lang.String,java.lang.String> NORMALIZED_LABELS
      Holds mappings of labels which occur in the wild but are output differently by OpenSSL.
    • Method Summary

      Modifier and Type Method Description
      static java.lang.String convertFromRfc2253(java.lang.String srcDn, boolean globusFlavouring)
      Returns an OpenSSL legacy (and as of now the default in OpenSSL) encoding of the provided RFC 2253 DN.
      static java.lang.String normalize(java.lang.String legacyDN)
      Performs cleaning of the provided OpenSSL legacy DN.
      static java.lang.String opensslToRfc2253(java.lang.String inputDN)
      Deprecated.
      This method is not planned for removal, but it is marked as deprecated because it is highly unreliable; you should update your code not to use OpenSSL-style DNs at all.
      static java.lang.String opensslToRfc2253(java.lang.String inputDN, boolean withWildcards)
      Deprecated.
      This method is not planned for removal, but it is marked as deprecated because it is highly unreliable; you should update your code not to use OpenSSL-style DNs at all.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • NORMALIZED_LABELS

        public static final java.util.Map<java.lang.String,java.lang.String> NORMALIZED_LABELS
        Holds mappings of labels which occur in the wild but are output differently by OpenSSL. Also useful for having a uniform representation when creating a normalized form. Note that in some cases OpenSSL has no label for an attribute; an OID is used then.
    • Constructor Detail

      • OpensslNameUtils

        public OpensslNameUtils()
    • Method Detail

      • normalize

        public static java.lang.String normalize(java.lang.String legacyDN)
        Performs cleaning of the provided OpenSSL legacy DN. The following actions are performed:
        • all strings of the form '/TOKEN=' are converted to '/NORMALIZED-TOKEN=', where TOKEN and NORMALIZED-TOKEN are taken from the NORMALIZED_LABELS map
        • the string is converted to lower case
        Please note that this normalization is far from perfect: non-ASCII characters encoded in hex are not lower-cased, some tokens may be missing from the map, and values containing '/TOKEN=' as a substring will be mangled.
        Parameters:
        legacyDN - legacy DN
        Returns:
        normalized string (hopefully) suitable for string comparison
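The two documented normalization steps, re-implemented in Python as an added example (this is not the library's code). The label map below is constructed for illustration, since the real NORMALIZED_LABELS contents are not shown on this page; the example exists to show the three caveats above (hex-escaped non-ASCII, a value that happens to contain '/TOKEN=') in running code, so that a reviewer can see what string comparison of normalized legacy DNs does and does not establish.

```python
# Added example (not the library's code): a Python re-implementation of the
# documented normalize() steps, used to show where string comparison of
# legacy OpenSSL DNs still goes wrong.

# Constructed label map. The real NORMALIZED_LABELS contents are not shown on
# the page; these entries only illustrate the '/TOKEN=' -> '/NORMALIZED-TOKEN='
# rewriting (OpenSSL prints the e-mail attribute as 'emailAddress').
NORMALIZED_LABELS = {
    "E": "emailAddress",
    "Email": "emailAddress",
    "S": "ST",
}


def normalize(legacy_dn: str) -> str:
    """Apply the two documented steps: label rewriting, then lower-casing."""
    out = legacy_dn
    for token, normalized in NORMALIZED_LABELS.items():
        # Only the text '/TOKEN=' is rewritten; there is no parsing, so a value
        # that happens to contain '/TOKEN=' is rewritten as well.
        out = out.replace("/" + token + "=", "/" + normalized + "=")
    # Lower-casing acts on the text as written: a byte escaped as '\xC3\x96'
    # stays the same character, only the hex digits change case.
    return out.lower()


def same_subject(dn_a: str, dn_b: str) -> bool:
    """String comparison after normalization, as the Returns note suggests."""
    return normalize(dn_a) == normalize(dn_b)


if __name__ == "__main__":
    # Intended use: label and case differences are folded away.
    print(same_subject("/C=PL/CN=John Doe/E=john@example.org",
                       "/c=pl/cn=JOHN DOE/emailAddress=john@example.org"))   # True
    # Pitfall 1: a CN value containing '/Email=' is rewritten inside the value,
    # so two DNs that differ in the value compare equal.
    print(same_subject("/C=PL/CN=a/Email=b", "/C=PL/CN=a/emailAddress=b"))      # True
    # Pitfall 2: hex-escaped non-ASCII is not case-folded ('Ö' vs 'ö').
    print(same_subject("/C=DE/CN=\\xC3\\x96l", "/C=DE/CN=\\xC3\\xB6l"))            # False
```

Because the rewriting is plain substring replacement, equality of two normalized strings only proves that the two inputs differ in label spelling or ASCII case, not that they name the same subject; a value containing '/TOKEN=' is changed in place, and hex-escaped characters keep their original case.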
      • opensslToRfc2253

        @Deprecated
        public static java.lang.String opensslToRfc2253(java.lang.String inputDN)
        Deprecated.
        This method is not planned for removal, but it is marked as deprecated because it is highly unreliable; you should update your code not to use OpenSSL-style DNs at all.
        Parameters:
        inputDN - input DN
        Returns:
        RFC 2253 representation of the input
        Since:
        1.1.0
        See Also:
        opensslToRfc2253(String, boolean) with the second argument equal to false
      • opensslToRfc2253

        @Deprecated
        public static java.lang.String opensslToRfc2253(java.lang.String inputDN,
                                                        boolean withWildcards)
        Deprecated.
        This method is not planned for removal, but it is marked as deprecated because it is highly unreliable; you should update your code not to use OpenSSL-style DNs at all.
        Tries to convert the OpenSSL string representation of a DN into RFC 2253 form. The conversion is as follows:
        1. the string is split on '/',
        2. all resulting parts which contain no '=' sign are glued to the previous element,
        3. the parts are output in reversed order with ',' as the separator.
        Parameters:
        inputDN - input DN
        withWildcards - whether '*' wildcards need to be recognized
        Returns:
        RFC 2253 representation of the input
        Since:
        1.1.0
      • convertFromRfc2253

        public static java.lang.String convertFromRfc2253(java.lang.String srcDn,
                                                          boolean globusFlavouring)
        Returns an OpenSSL legacy (and as of now the default in OpenSSL) encoding of the provided RFC 2253 DN. Please note that this method is:
        • written on a best-effort basis: the OpenSSL format is not documented anywhere.
        • it is much more problematic to perform the opposite translation, as the OpenSSL format is highly ambiguous.
        • it is STRONGLY suggested not to use this format anywhere, especially in security setups, as many different DNs have the same OpenSSL representation, and also not to use this method.
        Additionally, there is a possibility to turn on the "Globus" compatible mode. In this mode this method behaves more similarly to the one provided by COG Jglobus. The basic difference is that RDNs containing multiple AVAs are concatenated with '+' instead of '/'.

        If you want to compare the output of this method (using string comparison) with something generated by OpenSSL from a certificate, you can expect problems in the case of:

        • multivalued RDNs: you should sort them, but in the OpenSSL format it is not even possible to find them. With globusFlavouring turned on it is a bit better, but as there is no escaping of special characters you are lost too.
        • not-so-common attributes used in the DN: there are plenty of attributes which have (or have not) short or long names defined in OpenSSL. This changes over time in OpenSSL. Also, every Globus/gLite/... tool can use a different set. Therefore whether a correct short name, long name or OID is used by this method is also problematic. It is guaranteed that the basic ones (DC, C, OU, O, L, ...) work. But in the case of less common ones, expect trouble (e.g. openssl 1.0.0i uses 'id-pda-countryOfResidence', while this method outputs 'CountryOfResidence').
        Parameters:
        srcDn - input in RFC 2253 format or similar
        globusFlavouring - globus flavouring
        Returns:
        openssl format encoded input.
        Since:
        1.1.0
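The three-step opensslToRfc2253 conversion and the convertFromRfc2253 encoding (plain and Globus-flavoured), re-implemented in Python as an added example; this is not the library's code and makes no attempt at the library's attribute-name handling. The RFC 2253 splitter is a simplified assumption (it understands backslash escapes of ',' and '+' only, not hex escapes or quoted values). It exists to show, with concrete strings, why the documentation says many different DNs share one OpenSSL representation: a multi-valued RDN versus separate RDNs, a value containing '/ATTR=', and an escaped comma that the round trip cannot restore.

```python
# Added example (not the library's code): Python re-implementations of the
# documented conversions, used to show why string comparison of OpenSSL-format
# DNs is unsafe for authorization decisions.


def parse_rfc2253(dn: str):
    """Split an RFC 2253 DN into RDNs, each a list of 'attr=value' AVAs.

    Simplified (assumption): only backslash escapes of ',' '+' and '\\' are
    handled; hex escapes and quoted values are not.
    """
    rdns, rdn, cur, i = [], [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if ch in ",+":
            rdn.append("".join(cur).strip())
            cur = []
            if ch == ",":
                rdns.append(rdn)
                rdn = []
        else:
            cur.append(ch)
        i += 1
    rdn.append("".join(cur).strip())
    rdns.append(rdn)
    return rdns


def convert_from_rfc2253(src_dn: str, globus_flavouring: bool = False) -> str:
    """OpenSSL legacy form: reversed RDN order, '/' before every AVA, no escaping.
    With globus_flavouring, AVAs of one multi-valued RDN are joined with '+'."""
    sep = "+" if globus_flavouring else "/"
    return "".join("/" + sep.join(avas) for avas in reversed(parse_rfc2253(src_dn)))


def openssl_to_rfc2253(input_dn: str) -> str:
    """The three documented steps of opensslToRfc2253 (without wildcard handling)."""
    parts = input_dn.split("/")                      # step 1: split on '/'
    if parts and parts[0] == "":
        parts = parts[1:]                            # drop the empty element before the leading '/'
    glued = []
    for part in parts:
        if "=" not in part and glued:                # step 2: no '=' means it was a '/' inside the previous value
            glued[-1] = glued[-1] + "/" + part
        else:
            glued.append(part)
    return ",".join(reversed(glued))                 # step 3: reversed, ',' separated, no escaping added


def collides(dn_a: str, dn_b: str, globus_flavouring: bool = False) -> bool:
    """True when two different RFC 2253 DNs get the same OpenSSL representation."""
    return dn_a != dn_b and (convert_from_rfc2253(dn_a, globus_flavouring)
                             == convert_from_rfc2253(dn_b, globus_flavouring))


if __name__ == "__main__":
    # A multi-valued RDN and two single-valued RDNs collapse to one string ...
    print(collides("CN=John Doe,OU=Ops,O=Acme,C=PL", "CN=John Doe,O=Acme+OU=Ops,C=PL"))        # True
    # ... unless the Globus flavour keeps the '+'.
    print(collides("CN=John Doe,OU=Ops,O=Acme,C=PL", "CN=John Doe,O=Acme+OU=Ops,C=PL", True))  # False
    # An attribute value containing '/CN=' is indistinguishable from an extra RDN.
    print(collides("O=Acme/CN=Joe,C=PL", "CN=Joe,O=Acme,C=PL"))                                # True
    # The reverse conversion cannot recover escaping, so a round trip changes the DN.
    print(openssl_to_rfc2253(convert_from_rfc2253("CN=Doe\\, John,C=PL")))                      # CN=Doe, John,C=PL
```

The collisions are a property of the format, not of this re-implementation: once '/' and ',' carry no escaping, the encoder has discarded the RDN boundaries. For access-control comparisons, keep DNs in their parsed or RFC 2253 form (or identify certificates by issuer and serial number) and treat the OpenSSL string as display output only.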