feature/Introduce props bypass_tpp_signature_validation

2026-02-06 15:56:57 +00:00 · 2025-03-12 16:15:21 +01:00 · 2025-03-12 16:15:21 +01:00 · db803af420
commit db803af420
parent 1f8e5bcb57
2 changed files with 9 additions and 5 deletions
--- a/obp-api/src/main/resources/props/sample.props.template
+++ b/obp-api/src/main/resources/props/sample.props.template
@ -162,6 +162,9 @@ jwt.use.ssl=false
 # truststore.path.tpp_signature = path/to/ca.p12
 # truststore.password.tpp_signature = truststore-password

+# Bypass TPP signature validation
+# bypass_tpp_signature_validation = true
+

 ## Enable writing API metrics (which APIs are called) to RDBMS
 write_metrics=true
--- a/obp-api/src/main/scala/code/api/util/BerlinGroupSigning.scala
+++ b/obp-api/src/main/scala/code/api/util/BerlinGroupSigning.scala
@ -1,12 +1,11 @@
 package code.api.util

-import code.api.{CertificateConstants, RequestHeader}
+import code.api.RequestHeader
 import code.util.Helper.MdcLoggable
 import com.openbankproject.commons.model.User
 import net.liftweb.common.{Box, Failure, Full}
 import net.liftweb.http.provider.HTTPParam

-import java.util.Base64
 import java.nio.charset.StandardCharsets
 import java.nio.file.{Files, Paths}
 import java.security._
@ -113,7 +112,7 @@ object BerlinGroupSigning extends MdcLoggable {
   * @param forwardResult Propagated result of calling function
   * @return Propagated result of calling function or signing request error
   */
-  def verifySignedRequest(body: Box[String], verb: String, url: String, reqHeaders: List[HTTPParam], forwardResult: (Box[User], Option[CallContext])) = {
+  def verifySignedRequest(body: Box[String], verb: String, url: String, reqHeaders: List[HTTPParam], forwardResult: (Box[User], Option[CallContext])): (Box[User], Option[CallContext]) = {
    def checkRequestIsSigned(requestHeaders: List[HTTPParam]): Boolean = {
      requestHeaders.exists(_.name == RequestHeader.`TPP-Signature-Certificate`) &&
      requestHeaders.exists(_.name == RequestHeader.Signature) &&
@ -132,8 +131,8 @@ object BerlinGroupSigning extends MdcLoggable {

            val signatureHeaderValue = getHeaderValue(RequestHeader.Signature, requestHeaders)
            val signature = parseSignatureHeader(signatureHeaderValue).getOrElse("signature", "NONE")
-            val headersss = parseSignatureHeader(signatureHeaderValue).getOrElse("headers", "").split(" ").toList
-            val headers = headersss.map(h =>
+            val headersToSign = parseSignatureHeader(signatureHeaderValue).getOrElse("headers", "").split(" ").toList
+            val headers = headersToSign.map(h =>
              if(h.toLowerCase() == RequestHeader.Digest.toLowerCase()) {
                s"$h: SHA-256=$digest"
              } else {
@ -143,8 +142,10 @@ object BerlinGroupSigning extends MdcLoggable {
            val signingString = headers.mkString("\n")
            val isVerified = verifySignature(signingString, signature, certificatePem)
            val isValidated = CertificateVerifier.validateCertificate(certificatePem)
+            val bypassValidation = APIUtil.getPropsAsBoolValue("bypass_tpp_signature_validation", defaultValue = false)
            (isVerified, isValidated) match {
              case (true, true) => forwardResult
+              case (true, false) if bypassValidation => forwardResult
              case (true, false) => (Failure(ErrorMessages.X509PublicKeyCannotBeValidated), forwardResult._2)
              case (false, _) => (Failure(ErrorMessages.X509PublicKeyCannotVerify), forwardResult._2)
            }