ws-users mailing list archives

From Kai Rommel <krommel2...@googlemail.com>
Subject Re: constant sigSubjectCertConstraints
Date Thu, 03 Jul 2014 09:22:41 GMT
Yes. Thanks.
Test works fine with 1.6.16

Kai


2014-07-02 18:20 GMT+02:00 Colm O hEigeartaigh <coheigea@apache.org>:

> I believe you are seeing this problem:
>
> https://issues.apache.org/jira/browse/WSS-504
>
> Colm.
>
>
> On Wed, Jul 2, 2014 at 4:59 PM, Kai Rommel <krommel2010@googlemail.com>
> wrote:
>
>> Hi,
>> the description of the constants sigSubjectCertConstraints states:
>>     /**
>>      * This configuration tag is a comma separated String of regular expressions which
>>      * will be applied to the subject DN of the certificate used for signature
>>      * validation, after trust verification of the certificate chain associated with the
>>      * certificate. These constraints are not used when the certificate is contained in
>>      * the keystore (direct trust).
>>      */
>>
>> But within the coding of wss4j 1.6.12 the constraints check is always
>> executed.
>>
>> My requirement is to force the upload of the public certificate into the
>> truststore. When this is not done the verification should fail. To avoid
>> that the verification is successful when the public certificate of the root
>> CA is present, I set the value for sigSubjectCertConstraints to
>> "NEVERMATCHES^". But in this case the constraint is checked even when the
>> public certificate was uploaded beforehand.
>>
>> The solution is to set the constraint to the DN of the public
>> certificate. Nevertheless, with the "NEVERMATCHES^" approach I was able to
>> configure all my cxf-endpoints the same way, and I could handle the
>> verification via the upload of the certificate into the keystore (direct
>> trust).
>>
>> When the description is still valid, isn't there a bug in the coding?
>>
>> Best regards,
>> Kai
>>
>>
>>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>

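The decision order the quoted javadoc describes, and the two behaviours the thread contrasts (documented: constraints skipped under direct trust; 1.6.12 as reported: constraints checked regardless), as an added stand-alone model. This is not WSS4J code (WSS4J is Java and the message-level verifier is far more involved); it is a Python stand-in written for this page. Assumptions: the DNs and truststore contents are constructed, chain trust is modelled as a single level (issuer present in the truststore), and each constraint regex is matched against the whole subject DN.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the two DNs the check needs."""
    subject: str
    issuer: str


# Constructed, hypothetical DNs (not taken from the thread).
PARTNER_LEAF = "CN=Partner Service,O=Partner Ltd,C=DE"   # the partner's signing cert
EXAMPLE_ROOT = "CN=Example Root CA,O=Example,C=DE"      # the CA that issued it

# The never-matching constraint from the thread: '^' after literal text cannot match,
# so any subject DN that reaches the constraint check is rejected.
NEVER = "NEVERMATCHES^"


def parse_constraints(value):
    """Split a comma-separated sigSubjectCertConstraints value into compiled patterns.
    An empty value means 'no constraints configured'."""
    if not value:
        return []
    return [re.compile(p.strip()) for p in value.split(",") if p.strip()]


def verify_signing_cert(cert, trusted_dns, constraints, constrain_direct_trust=False):
    """Return (accepted, reason).

    Trust first: a subject DN present in the truststore is direct trust; otherwise the
    issuer must be present (one-level chain trust, an assumption of this model).
    Then the constraints, which per the javadoc apply only to chain-trusted certs.
    constrain_direct_trust=True reproduces the 1.6.12 behaviour reported in the thread,
    where the constraints were applied in both cases.
    """
    if cert.subject in trusted_dns:
        direct = True
    elif cert.issuer in trusted_dns:
        direct = False
    else:
        return False, "untrusted: neither subject nor issuer is in the truststore"

    if direct and not constrain_direct_trust:
        return True, "direct trust, constraints not applied"
    if not constraints:
        return True, "chain trust, no constraints configured"
    for pattern in constraints:
        if pattern.fullmatch(cert.subject):  # assumption: whole-DN match
            return True, f"chain trust, subject matched {pattern.pattern!r}"
    return False, "subject DN matched none of the constraints"


def scenarios():
    """Run the cases discussed in the thread; returns name -> accepted."""
    leaf = Cert(PARTNER_LEAF, EXAMPLE_ROOT)
    never = parse_constraints(NEVER)
    return {
        # Leaf uploaded to the truststore, documented behaviour: accepted without
        # consulting the never-matching constraint.
        "uploaded_documented": verify_signing_cert(
            leaf, {PARTNER_LEAF, EXAMPLE_ROOT}, never)[0],
        # Same truststore, 1.6.12 behaviour: constraint checked anyway, so rejected.
        "uploaded_1_6_12": verify_signing_cert(
            leaf, {PARTNER_LEAF, EXAMPLE_ROOT}, never, constrain_direct_trust=True)[0],
        # Leaf not uploaded, only the root CA present: the never-matching constraint
        # blocks CA-only trust, which is the effect Kai wanted.
        "ca_only_never": verify_signing_cert(leaf, {EXAMPLE_ROOT}, never)[0],
        # CA-only trust with a DN constraint that does match: accepted.
        "ca_only_dn_match": verify_signing_cert(
            leaf, {EXAMPLE_ROOT}, parse_constraints(r".*,O=Partner Ltd,.*"))[0],
        # Empty truststore: rejected before constraints are even considered.
        "untrusted": verify_signing_cert(leaf, set(), never)[0],
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Under the documented semantics, "NEVERMATCHES^" is only a fence against CA-only trust; with the 1.6.12 behaviour it also shuts out certificates that were uploaded directly, which is exactly the difference the thread reports and WSS-504 tracks.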