feature/Add props use_tpp_signature_revocation_list

2026-02-06 13:46:49 +00:00 · 2025-08-04 11:58:25 +02:00 · 2025-08-04 11:58:25 +02:00 · 56289ed029
commit 56289ed029
parent 5315b91353
2 changed files with 9 additions and 1 deletions
--- a/obp-api/src/main/resources/props/sample.props.template
+++ b/obp-api/src/main/resources/props/sample.props.template
@ -165,6 +165,10 @@ jwt.use.ssl=false

 # Bypass TPP signature validation
 # bypass_tpp_signature_validation = false
+## Use TPP signature revocation list
+## - CRLs (Certificate Revocation Lists), or
+## - OCSP (Online Certificate Status Protocol).
+# use_tpp_signature_revocation_list = true

 ## Reject Berlin Group TRANSACTIONS with status "received" after a defined time (in seconds)
 # berlin_group_outdated_transactions_time_in_seconds = 300
--- a/obp-api/src/main/scala/code/api/util/CertificateVerifier.scala
+++ b/obp-api/src/main/scala/code/api/util/CertificateVerifier.scala
@ -80,7 +80,11 @@ object CertificateVerifier extends MdcLoggable {

      // Set up PKIX parameters for validation
      val pkixParams = new PKIXParameters(trustAnchors)
-      pkixParams.setRevocationEnabled(false) // Disable CRL checks
+      if(APIUtil.getPropsAsBoolValue("use_tpp_signature_revocation_list", defaultValue = true)) {
+        pkixParams.setRevocationEnabled(true) // Enable CRL checks
+      } else {
+        pkixParams.setRevocationEnabled(false) // Disable CRL checks
+      }

      // Validate certificate chain
      val certPath = CertificateFactory.getInstance("X.509").generateCertPath(Collections.singletonList(certificate))