Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 1.6.12, 1.6.15
- None
Description
Since an upgrade to WSS 1.6.12 my log files are flooded by WARNings of the SignatureTrustValidator class "No Subject DN Certificate Constraints were defined. This could be a security issue".
The certificate in my request is contained in the keystore and according to the SIG_SUBJECT_CERT_CONSTRAINTS explanation in the WSHandlerConstants class "These constraints are not used when the certificate is contained in the keystore (direct trust).". Therefore I did not define any constraints, the corresponding object is null.
The commit https://fisheye6.atlassian.com/changelog/wss4j?cs=1511796 introduced the behavior change, now also calling the SignatureTrustValidator.matches(...) constraints validation function where it previously did not, and according to the above description, should not.
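
The check order the report argues for, as an added example that is not WSS4J code and not part of the original report: direct trust returns before the Subject DN constraints are consulted, so the warning is only produced on the chain-trust path. The `Cert` record, the DN sets standing in for the keystore, and the choice to accept when no constraints are defined are assumptions of this simplified model (Java 16+).

```java
import java.util.*;
import java.util.regex.Pattern;

// Simplified model (hypothetical, not WSS4J): certificates are reduced to DN strings.
public class TrustOrderDemo {
    enum Result { DIRECT_TRUST, CHAIN_TRUST, REJECTED }

    record Cert(String subjectDn, String issuerDn) {}

    // Collected instead of logged so the effect of the check order is visible.
    static final List<String> warnings = new ArrayList<>();

    // Subject DN constraint check; warns when nothing was configured.
    static boolean matches(Cert cert, Collection<Pattern> constraints) {
        if (constraints == null || constraints.isEmpty()) {
            warnings.add("No Subject DN Certificate Constraints were defined. "
                    + "This could be a security issue");
            return true; // assumption: missing constraints do not fail validation
        }
        for (Pattern p : constraints) {
            if (p.matcher(cert.subjectDn()).matches()) return true;
        }
        return false;
    }

    static Result verify(Cert cert, Set<String> keystoreSubjects,
                         Set<String> trustedIssuers, Collection<Pattern> constraints) {
        // Direct trust: the certificate itself is in the keystore, constraints are skipped.
        if (keystoreSubjects.contains(cert.subjectDn())) return Result.DIRECT_TRUST;
        // Chain trust: issuer must be trusted, then the subject DN must match a constraint.
        if (!trustedIssuers.contains(cert.issuerDn())) return Result.REJECTED;
        return matches(cert, constraints) ? Result.CHAIN_TRUST : Result.REJECTED;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Set<String> keystore = Set.of("CN=client-a,O=Example");
        Set<String> issuers = Set.of("CN=Example CA,O=Example");
        Cert known = new Cert("CN=client-a,O=Example", "CN=Example CA,O=Example");
        Cert issued = new Cert("CN=client-b,O=Example", "CN=Example CA,O=Example");
        List<Pattern> onlyPartners = List.of(Pattern.compile(".*O=Partner.*"));

        System.out.println(verify(known, keystore, issuers, null) + " warnings=" + warnings.size());
        System.out.println(verify(issued, keystore, issuers, null) + " warnings=" + warnings.size());
        System.out.println(verify(issued, keystore, issuers, onlyPartners));
    }
}
```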