Bug 6642 - jglobus signing_policy checking should be case insensitive
: jglobus signing_policy checking should be case insensitive
Status: RESOLVED FIXED
: CoG jglobus
security
: 1.6.0
: All All
: P3 normal
: 1.7
Assigned To:
:
: 4.0.x
:
:
  Show dependency treegraph
 
Reported: 2009-02-09 10:52 by
Modified: 2009-02-09 17:51 (History)


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2009-02-09 10:52:59
Currently, the jglobus signing_policy checking is case sensitive while the C
signing_policy checking is case insensitive. In the C code,
globus_i_gsi_cert_utils_dn_cmp() calls strcasecmp(), i.e., string comparison
ignoring case.

David Groep explains:
> Actually: almost all attributes you would legitimately encounter
> in a DN are subtypes of attributeType 'name', which has
>   EQUALITY MATCHING RULE caseIgnoreMatch
>   SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
> as its definition in X.520.
> So, even when transliterated into a plain string representation (as in the
> "/"-separated or ","-separated formats) the comparison ought to be
> case-INsensitive.
> 
> There is only one caveat: caseIgnoreMatch can only be done if the
> original encoding of the attribute value is PrintableString or IA5STring.
> There is no defined algorithm to do a caseIgnoreMatch for UTF8 strings.
> So, if the original encoding of the attribute in the certificate was
> UTF8String, the matching ought to be exact. Alas: once transliterated
> into the "/" or "," string representation, the knowledge of the original
> attribute encoding is lost forever :-((
> Which is why one SHOULD have done matching on the original ASN.1 structure
> of the DN ...
> 
> For the time being: you're likely fine doing case-insensitive matching
> unless
> the content of the DN is obviously UTF8  :-)

Here's a patch to bring jglobus in line with the C signing_policy code:

diff -u -r1.4 SigningPolicyParser.java
--- src/org/globus/gsi/SigningPolicyParser.java    10 Apr 2008 00:20:32 -0000  
 1.4
+++ src/org/globus/gsi/SigningPolicyParser.java    9 Feb 2009 16:47:03 -0000
@@ -526,7 +526,7 @@

         logger.debug("String with replaced pattern is " + patternStr);

-        return Pattern.compile(patternStr);
+        return Pattern.compile(patternStr, Pattern.CASE_INSENSITIVE);
     }

     // find first space or tab as separator.
------- Comment #1 From 2009-02-09 17:51:07 -------
Thanks Jim.

Fixed committed to trunk and 4.0.x branch