Merge pull request phax#308 from beth-soptim/sig_subject_contraints

phax · web-flow · commit 69a79853d251 · 2025-03-17T10:26:00.000+01:00
Support setting the certificate issuer constraints for WSS4J phax#307
diff --git a/phase4-lib/src/main/java/com/helger/phase4/crypto/IAS4CryptoFactory.java b/phase4-lib/src/main/java/com/helger/phase4/crypto/IAS4CryptoFactory.java
@@ -16,12 +16,13 @@
  */
 package com.helger.phase4.crypto;
 
-import java.security.KeyStore;
+import org.apache.wss4j.common.crypto.Crypto;
 
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
-
-import org.apache.wss4j.common.crypto.Crypto;
+import java.security.KeyStore;
+import java.util.Collection;
+import java.util.regex.Pattern;
 
 /**
  * The basic phase4 crypto interface.
@@ -102,4 +103,17 @@ default String getKeyPasswordPerAlias (@Nullable final String sSearchKeyAlias)
    */
   @Nullable
   KeyStore getTrustStore ();
+
+  /**
+   * Returns the signature subject certificate constraints as regular expressions
+   *
+   * @return The signature subject certificate constraints as regular expressions or <code>null</code> if no checks should be performed.
+   * @since 3.0.7
+   */
+  @Nullable
+  default Collection<Pattern> getSignatureSubjectCertConstraints ()
+  {
+    return null;
+  }
+
 }
diff --git a/phase4-lib/src/main/java/com/helger/phase4/incoming/soap/SoapHeaderElementProcessorWSS4J.java b/phase4-lib/src/main/java/com/helger/phase4/incoming/soap/SoapHeaderElementProcessorWSS4J.java
@@ -21,9 +21,11 @@
 import java.security.Provider;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.List;
 import java.util.Locale;
 import java.util.function.Supplier;
+import java.util.regex.Pattern;
 
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
@@ -195,11 +197,11 @@ private ESuccess _verifyAndDecrypt (@Nonnull final Document aSOAPDoc,
       if (false)
         aRequestData.setEnableRevocation (true);
 
-      // TODO workaround to avoid the warning (if CRL checking is enabled)
-      // No Subject DN Certificate Constraints were defined. This could be a
-      // security issue
-      if (false)
-        aRequestData.setSubjectCertConstraints (new CommonsArrayList <> (RegExCache.getPattern (".*")));
+      Collection<Pattern> signatureSubjectCertConstraints = m_aCryptoFactorySign.getSignatureSubjectCertConstraints();
+      if (signatureSubjectCertConstraints != null)
+      {
+        aRequestData.setSubjectCertConstraints (signatureSubjectCertConstraints);
+      }
 
       if (m_aDecryptParameterModifier != null)
       {
