I believe you are seeing this problem: https://issues.apache.org/jira/browse/WSS-504
Colm.

On Wed, Jul 2, 2014 at 4:59 PM, Kai Rommel <[email protected]> wrote:
> Hi,
> the description of the constant sigSubjectCertConstraints states:
> /**
>  * This configuration tag is a comma separated String of regular expressions which
>  * will be applied to the subject DN of the certificate used for signature
>  * validation, after trust verification of the certificate chain associated with the
>  * certificate. These constraints are not used when the certificate is contained in
>  * the keystore (direct trust).
>  */
>
> But within the coding of wss4j 1.6.12 the constraints check is always executed.
>
> My requirement is to force the upload of the public certificate into the truststore. When this is not done the verification should fail. To avoid that the verification is successful when the public certificate of the root CA is present, I set the value for sigSubjectCertConstraints to "NEVERMATCHES^". But in this case the constraint is checked even when the public certificate was uploaded beforehand.
>
> The solution is to set the constraint to the DN of the public certificate. Nevertheless, with the "NEVERMATCHES^" approach I was able to configure all my cxf-endpoints the same way, and I could handle the verification via the upload of the certificate into the keystore (direct trust).
>
> When the description is still valid, isn't there a bug in the coding?
>
> Best regards,
> Kai

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
