Yes. Thanks. Test works fine with 1.6.16

Kai

2014-07-02 18:20 GMT+02:00 Colm O hEigeartaigh <cohei...@apache.org>:

> I believe you are seeing this problem:
>
> https://issues.apache.org/jira/browse/WSS-504
>
> Colm.
>
>
> On Wed, Jul 2, 2014 at 4:59 PM, Kai Rommel <krommel2...@googlemail.com>
> wrote:
>
>> Hi,
>> the description of the constants sigSubjectCertConstraints states:
>> /**
>>  * This configuration tag is a comma separated String of regular expressions which
>>  * will be applied to the subject DN of the certificate used for signature
>>  * validation, after trust verification of the certificate chain associated with the
>>  * certificate. These constraints are not used when the certificate is contained in
>>  * the keystore (direct trust).
>>  */
>>
>> But within the coding of wss4j 1.6.12 the constraints check is always
>> executed.
>>
>> My requirement is to force the upload of the public certificate into the
>> truststore. When this is not done the verification should fail. To avoid
>> that the verification is successful when the public certificate of the root
>> CA is present, I set the value for sigSubjectCertConstraints to
>> "NEVERMATCHES^". But in this case the constraint is checked even when the
>> public certificate was uploaded beforehand.
>>
>> The solution is to set the constraint to the DN of the public
>> certificate. Nevertheless, with the "NEVERMATCHES^" approach I was able to
>> configure all my cxf-endpoints the same way, and I could handle the
>> verification via the upload of the certificate into the keystore (direct
>> trust).
>>
>> When the description is still valid, isn't there a bug in the coding?
>>
>> Best regards,
>> Kai
>>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
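
Added example, not part of the thread and not WSS4J code: a stand-alone Java model of the two behaviours discussed above, the one the Javadoc describes (constraints skipped under direct trust) and the one reported for 1.6.12 (constraints always checked). The class, enum and method names, the sample DN, the `.*CN=client.*` pattern and the whole-string matching are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

// Stand-alone model (not WSS4J code) of the subject DN constraint decision.
public class SubjectConstraintModel {

    // How the signing certificate was found to be trusted (hypothetical enum).
    enum Trust { DIRECT, CHAIN, NONE }

    // Split the comma separated configuration value into compiled patterns.
    static List<Pattern> parse(String config) {
        return Arrays.stream(config.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .map(Pattern::compile)
                .collect(Collectors.toList());
    }

    // Assumption: a constraint must match the whole subject DN.
    static boolean matchesAny(String subjectDn, List<Pattern> constraints) {
        return constraints.stream().anyMatch(p -> p.matcher(subjectDn).matches());
    }

    // Behaviour the Javadoc describes: constraints apply only after chain trust.
    static boolean acceptDocumented(Trust trust, String dn, List<Pattern> constraints) {
        if (trust == Trust.DIRECT) return true;
        return trust == Trust.CHAIN && matchesAny(dn, constraints);
    }

    // Behaviour reported in the thread for 1.6.12: constraints always checked.
    static boolean acceptReported(Trust trust, String dn, List<Pattern> constraints) {
        return trust != Trust.NONE && matchesAny(dn, constraints);
    }

    public static void main(String[] args) {
        String dn = "CN=client,O=Example,C=DE";        // constructed sample DN
        List<Pattern> never = parse("NEVERMATCHES^");  // value used in the thread
        // Pattern kept free of commas because the value is comma separated.
        List<Pattern> byCn = parse(".*CN=client.*");
        for (Trust t : Trust.values()) {
            System.out.printf("%-6s NEVERMATCHES^: documented=%-5b reported=%-5b"
                    + " | CN pattern: documented=%-5b reported=%b%n",
                    t, acceptDocumented(t, dn, never), acceptReported(t, dn, never),
                    acceptDocumented(t, dn, byCn), acceptReported(t, dn, byCn));
        }
    }
}
```

The `DIRECT` row is where the two models differ for `NEVERMATCHES^`, which is the case the original report is about.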