ws-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kai Rommel <>
Subject constant sigSubjectCertConstraints
Date Wed, 02 Jul 2014 15:59:46 GMT
the description of the constants sigSubjectCertConstraints states:
     * This configuration tag is a comma separated String of regular
expressions which
     * will be applied to the subject DN of the certificate used for
     * validation, after trust verification of the certificate chain
associated with the
     * certificate. These constraints are not used when the certificate is
contained in
     * the keystore (direct trust).

But within the coding of wss4j 1.6.12 the constraints check is always

My requirement is to force the upload of the public certificate into the
truststore. When this is not done the verification should fail. To avoid
that the verification is successful when the public certificate of the root
CA is present, I set the value for sigSubjectCertConstraints to
"NEVERMATCHES^". But in this case the constraint is checked even when the
public certificate was uploaded beforehand.

The solution is to set the the constraint to the DN of the public
certificate. Nevertheless, with the "NEVERMATCHES^" approach I was able to
configure all my cxf-endpoints the same way, and I could handle the
verification via the upload of the certificate into the keystore (direct

When the description is still valid, isn't there a bug in the coding?

Best regards,

View raw message