ws-users mailing list archives
From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: constant sigSubjectCertConstraints
Date Wed, 02 Jul 2014 16:20:27 GMT
I believe you are seeing this problem:

https://issues.apache.org/jira/browse/WSS-504

Colm.


On Wed, Jul 2, 2014 at 4:59 PM, Kai Rommel <krommel2010@googlemail.com>
wrote:

> Hi,
> the description of the constants sigSubjectCertConstraints states:
>     /**
>      * This configuration tag is a comma separated String of regular expressions which
>      * will be applied to the subject DN of the certificate used for signature
>      * validation, after trust verification of the certificate chain associated with the
>      * certificate. These constraints are not used when the certificate is contained in
>      * the keystore (direct trust).
>      */
>
> But within the coding of wss4j 1.6.12 the constraints check is always
> executed.
>
> My requirement is to force the upload of the public certificate into the
> truststore. When this is not done the verification should fail. To avoid
> that the verification is successful when the public certificate of the root
> CA is present, I set the value for sigSubjectCertConstraints to
> "NEVERMATCHES^". But in this case the constraint is checked even when the
> public certificate was uploaded beforehand.
>
> The solution is to set the constraint to the DN of the public
> certificate. Nevertheless, with the "NEVERMATCHES^" approach I was able to
> configure all my cxf-endpoints the same way, and I could handle the
> verification via the upload of the certificate into the keystore (direct
> trust).
>
> When the description is still valid, isn't there a bug in the coding?
>
> Best regards,
> Kai
>
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
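The semantics of sigSubjectCertConstraints that Kai quotes, next to the "always checked" behaviour he reports, modelled as an added example; this is not WSS4J or CXF code, and the Cert class, the DNs and the function names are constructed stand-ins for illustration only.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X509Certificate: only the fields the check needs."""
    subject_dn: str
    issuer_dn: str


def parse_constraints(value):
    """Split the comma-separated constraint value into compiled regexes."""
    return [re.compile(p.strip()) for p in value.split(",") if p.strip()]


def chain_is_trusted(cert, trusted_issuer_dns):
    """Simplified chain check: the issuer is a CA present in the truststore."""
    return cert.issuer_dn in trusted_issuer_dns


def matches_constraints(cert, patterns):
    """Pass if any pattern fully matches the subject DN (no patterns = no restriction)."""
    return not patterns or any(p.fullmatch(cert.subject_dn) for p in patterns)


def verify_signing_cert(cert, keystore_certs, trusted_issuer_dns, patterns, as_documented=True):
    """as_documented=True : Javadoc semantics, constraints skipped on direct trust.
    as_documented=False: constraints applied even on direct trust (behaviour reported for 1.6.12)."""
    direct_trust = cert in keystore_certs
    if direct_trust and as_documented:
        return True
    if not direct_trust and not chain_is_trusted(cert, trusted_issuer_dns):
        return False
    return matches_constraints(cert, patterns)


# Constructed sample data (hypothetical DNs).
ROOT_CA = "CN=Example Root CA,O=Example"
partner = Cert("CN=partner,O=Example", ROOT_CA)    # uploaded into the truststore
stranger = Cert("CN=stranger,O=Example", ROOT_CA)  # same root CA, never uploaded
NEVER = parse_constraints("NEVERMATCHES^")         # '^' after text can never match


def demo():
    """The cases discussed in the thread; comma-free pattern because the value is split on ','."""
    return {
        "uploaded_documented": verify_signing_cert(partner, {partner}, {ROOT_CA}, NEVER),
        "root_only_documented": verify_signing_cert(stranger, {partner}, {ROOT_CA}, NEVER),
        "uploaded_observed": verify_signing_cert(partner, {partner}, {ROOT_CA}, NEVER, False),
        "uploaded_exact_dn": verify_signing_cert(partner, {partner}, {ROOT_CA},
                                                 parse_constraints(".*CN=partner.*"), False),
    }
```

Under the documented rule the uploaded certificate passes and a root-only chain fails, which is the outcome the never-match pattern was meant to produce; with the constraint applied unconditionally the uploaded certificate fails too, and only a pattern matching its own DN restores acceptance.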
