From 56289ed029e0d63c3166d8899a87ba52e0e4275d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Mili=C4=87?=
Date: Mon, 4 Aug 2025 11:58:25 +0200
Subject: [PATCH] feature/Add props use_tpp_signature_revocation_list
---
 obp-api/src/main/resources/props/sample.props.template | 4 ++++
 .../src/main/scala/code/api/util/CertificateVerifier.scala | 6 +++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/obp-api/src/main/resources/props/sample.props.template b/obp-api/src/main/resources/props/sample.props.template
index 64c7733d3..6560b0a12 100644
--- a/obp-api/src/main/resources/props/sample.props.template
+++ b/obp-api/src/main/resources/props/sample.props.template
@@ -165,6 +165,10 @@ jwt.use.ssl=false
 # Bypass TPP signature validation
 # bypass_tpp_signature_validation = false
+## Use TPP signature revocation list
+## - CRLs (Certificate Revocation Lists), or
+## - OCSP (Online Certificate Status Protocol).
+# use_tpp_signature_revocation_list = true
 ## Reject Berlin Group TRANSACTIONS with status "received" after a defined time (in seconds)
 # berlin_group_outdated_transactions_time_in_seconds = 300
diff --git a/obp-api/src/main/scala/code/api/util/CertificateVerifier.scala b/obp-api/src/main/scala/code/api/util/CertificateVerifier.scala
index 019aabd6e..4cc0a408f 100644
--- a/obp-api/src/main/scala/code/api/util/CertificateVerifier.scala
+++ b/obp-api/src/main/scala/code/api/util/CertificateVerifier.scala
@@ -80,7 +80,11 @@ object CertificateVerifier extends MdcLoggable {
 // Set up PKIX parameters for validation
 val pkixParams = new PKIXParameters(trustAnchors)
- pkixParams.setRevocationEnabled(false) // Disable CRL checks
+ if(APIUtil.getPropsAsBoolValue("use_tpp_signature_revocation_list", defaultValue = true)) {
+ pkixParams.setRevocationEnabled(true) // Enable CRL checks
+ } else {
+ pkixParams.setRevocationEnabled(false) // Disable CRL checks
+ }
 // Validate certificate chain
 val certPath = CertificateFactory.getInstance("X.509").generateCertPath(Collections.singletonList(certificate))
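Review bot: The five-line if/else only forwards a boolean and can be written as `pkixParams.setRevocationEnabled(APIUtil.getPropsAsBoolValue("use_tpp_signature_revocation_list", defaultValue = true))` with the comment `// Revocation data (CRL/OCSP) must be reachable by the JVM, otherwise validation fails hard`. More importantly, turning the flag on for a PKIXParameters that has no CertStore and no PKIXRevocationChecker leaves the JDK's default checker to consult only CRLs present in the params, to fetch CRL distribution points only when the `com.sun.security.enableCRLDP` system property is set, and to use OCSP only when the `ocsp.enable` security property is set; when no revocation data can be obtained the chain is rejected with "Could not determine revocation status", so the new default of true is likely to reject every TPP certificate on deployments that did not set those JVM properties. The template text in the first hunk promising CRL or OCSP checking is therefore not what this code configures. Consider obtaining the checker with `CertPathValidator.getInstance("PKIX").getRevocationChecker`, choosing its options deliberately (whether to set `PKIXRevocationChecker.Option.SOFT_FAIL`, and which of CRL/OCSP is preferred), registering it with `pkixParams.addCertPathChecker`, and documenting the required JVM properties next to the new prop. The enclosing method starts and continues outside the hunk.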