Bugzilla – Bug 6642
jglobus signing_policy checking should be case insensitive
Last modified: 2009-02-09 17:51:07
Currently, the jglobus signing_policy checking is case sensitive while the C
signing_policy checking is case insensitive. In the C code,
globus_i_gsi_cert_utils_dn_cmp() calls strcasecmp(), i.e., string comparison
David Groep explains:
> Actually: almost all attributes you would legitimately encounter
> in a DN are subtypes of attributeType 'name', which has
> EQUALITY MATCHING RULE caseIgnoreMatch
> SUBSTRINGS MATCHING RULE caseIgnoreSubstringsMatch
> as its definition in X.520.
> So, even when transliterated into a plain string representation (as in the
> "/"-separated or ","-separated formats) the comparison ought to be
> There is only one caveat: caseIgnoreMatch can only be done if the
> original encoding of the attribute value is PrintableString or IA5String.
> There is no defined algorithm to do a caseIgnoreMatch for UTF8 strings.
> So, if the original encoding of the attribute in the certificate was
> UTF8String, the matching ought to be exact. Alas: once transliterated
> into the "/" or "," string representation, the knowledge of the original
> attribute encoding is lost forever :-((
> Which is why one SHOULD have done matching on the original ASN.1 structure
> of the DN ...
> For the time being: you're likely fine doing case-insensitive matching
> the content of the DN is obviously UTF8 :-)
Here's a patch to bring jglobus in line with the C signing_policy code:
diff -u -r1.4 SigningPolicyParser.java
--- src/org/globus/gsi/SigningPolicyParser.java 10 Apr 2008 00:20:32 -0000
+++ src/org/globus/gsi/SigningPolicyParser.java 9 Feb 2009 16:47:03 -0000
@@ -526,7 +526,7 @@
logger.debug("String with replaced pattern is " + patternStr);
- return Pattern.compile(patternStr);
+ return Pattern.compile(patternStr, Pattern.CASE_INSENSITIVE);
// find first space or tab as separator.
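Review bot: The new `return Pattern.compile(patternStr, Pattern.CASE_INSENSITIVE);` line has no comment stating the scope of the flag. In Java, `Pattern.CASE_INSENSITIVE` without `Pattern.UNICODE_CASE` folds only US-ASCII letters, so non-ASCII characters in a DN still have to match exactly. That is in line with the caveat quoted above about UTF8String values, and it should be written down next to the call so that nobody later adds `UNICODE_CASE` to "complete" it. The comment should also say that the flag applies to the whole compiled pattern, meaning every attribute of the DN. A test with a policy entry and a subject DN that differ only in case would pin the behaviour down.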
Fixed committed to trunk and 4.0.x branch
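The comparison David Groep describes, done on the original ASN.1 structure of the DN rather than on the flattened string, as an added example that is not part of the bug report or of the jglobus or Globus C code. It assumes single-byte DER lengths and reduces caseIgnoreMatch to ASCII case folding (no whitespace normalisation); `make_name` and the sample DNs it builds are constructed for illustration.

```python
# Added example: compare DER-encoded X.501 Names by original ASN.1 string type.
PRINTABLE, IA5, UTF8 = 0x13, 0x16, 0x0C   # universal tags of the string types
O, CN = b"\x55\x04\x0a", b"\x55\x04\x03"  # OIDs 2.5.4.10 and 2.5.4.3 (DER content)

def tlv(tag, content):
    """Encode one DER TLV; short-form lengths only (enough for the samples)."""
    if len(content) >= 0x80:
        raise ValueError("long-form length not supported in this sketch")
    return bytes([tag, len(content)]) + content

def read_tlvs(buf):
    """Split buf into (tag, content) pairs, rejecting truncated input."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] >= 0x80 or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated or long-form TLV")
        out.append((buf[i], buf[i + 2:i + 2 + buf[i + 1]]))
        i += 2 + buf[i + 1]
    return out

def parse_name(der):
    """Return [(oid, string_tag, value_bytes)] in RDN order."""
    ((_, body),) = read_tlvs(der)                 # outer SEQUENCE
    attrs = []
    for _, rdn in read_tlvs(body):                # each RDN is a SET
        for _, atv in read_tlvs(rdn):             # AttributeTypeAndValue SEQUENCE
            (_, oid), (stag, value) = read_tlvs(atv)
            attrs.append((oid, stag, value))
    return attrs

def values_match(tag_a, a, tag_b, b):
    """Ignore case only when both values were PrintableString or IA5String."""
    if tag_a in (PRINTABLE, IA5) and tag_b in (PRINTABLE, IA5):
        return a.decode("ascii").lower() == b.decode("ascii").lower()
    return a == b                                 # UTF8String and others: exact

def names_match(der_a, der_b):
    pa, pb = parse_name(der_a), parse_name(der_b)
    return len(pa) == len(pb) and all(
        oa == ob and values_match(ta, va, tb, vb)
        for (oa, ta, va), (ob, tb, vb) in zip(pa, pb))

def make_name(*attrs):
    """Build a constructed sample Name from (oid, string_tag, text) triples."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(tag, text.encode("utf-8"))))
        for oid, tag, text in attrs))
```

Once a DN has been rendered into the "/" or "," form, the `string_tag` that `values_match` relies on is no longer available, which is the loss of information the quoted explanation points out.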