Working on the ability to terminate trust at a chosen Trust Anchor.

This should pass the tests. It used to be that we did not fail when chainBuilder.Build(certificate) returned false. That is not longer the case and I think it is a better way to validate. In the past we would examine the problem flags to determine if it was a failure. This means many tests need to run with X509RevocationMode set to NoCheck and that is fine for these tests.
JoeShook · Nov 5, 2024 · b431104 · b431104
1 parent f42c279
commit b431104
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 8 deletions.
diff --git a/Udap.Common/Certificates/TrustChainValidator.cs b/Udap.Common/Certificates/TrustChainValidator.cs
@@ -204,13 +204,6 @@ public bool IsTrustedCertificate(string clientName,
                 {
                     bool isAnchor = roots?.FindByThumbprint(chainElement.Certificate.Thumbprint) != null;
 
-                    if (this.ChainElementHasProblems(chainElement))
-                    {
-                        this.NotifyProblem(chainElement);
-                        this.NotifyUntrusted(chainElement.Certificate);
-                        return false;
-                    }
-
                     if (isAnchor)
                     {
                         // Found a valid anchor!

diff --git a/_tests/UdapMetadata.Tests/FhirLabsApi/UdapControllerCommunityTest.cs b/_tests/UdapMetadata.Tests/FhirLabsApi/UdapControllerCommunityTest.cs
@@ -125,6 +125,7 @@ public UdapControllerCommunityTest(ApiForCommunityTestFixture fixture, ITestOutp
                 {
                     DisableCertificateDownloads = true,
                     UrlRetrievalTimeout = TimeSpan.FromMilliseconds(1),
+                    RevocationMode = X509RevocationMode.NoCheck
                 }, 
                 problemFlags,
                 _testOutputHelper.ToLogger<TrustChainValidator>()));
@@ -567,7 +568,8 @@ public async Task ValidateChainWithMyAnchorAndIntermediateTest()
             {
                 DisableCertificateDownloads = true,
                 UrlRetrievalTimeout = TimeSpan.FromMilliseconds(1),
-            }, 
+                RevocationMode = X509RevocationMode.NoCheck
+        }, 
             problemFlags,
             _testOutputHelper.ToLogger<TrustChainValidator>()));
 

diff --git a/_tests/UdapMetadata.Tests/FhirLabsApi/UdapControllerTests.cs b/_tests/UdapMetadata.Tests/FhirLabsApi/UdapControllerTests.cs
@@ -158,6 +158,7 @@ public UdapControllerTests(ApiTestFixture fixture, ITestOutputHelper testOutputH
             {
                 DisableCertificateDownloads = true,
                 UrlRetrievalTimeout = TimeSpan.FromMilliseconds(1),
+                RevocationMode = X509RevocationMode.NoCheck
             }, 
             problemFlags,
             testOutputHelper.ToLogger<TrustChainValidator>()));

diff --git a/_tests/UdapServer.Tests/IntegrationRegistrationTests.cs b/_tests/UdapServer.Tests/IntegrationRegistrationTests.cs
@@ -299,6 +299,7 @@ public async Task GoodIUdapClientRegistrationStore()
                 {
                     DisableCertificateDownloads = true,
                     UrlRetrievalTimeout = TimeSpan.FromMicroseconds(1),
+                    RevocationMode = X509RevocationMode.NoCheck
                 }, 
                 problemFlags,
                 _testOutputHelper.ToLogger<TrustChainValidator>()));
@@ -415,6 +416,7 @@ public async Task GoodCertificationsRegistrationStore()
                 {
                     DisableCertificateDownloads = true,
                     UrlRetrievalTimeout = TimeSpan.FromMicroseconds(1),
+                    RevocationMode = X509RevocationMode.NoCheck
                 },
                 problemFlags,
                 _testOutputHelper.ToLogger<TrustChainValidator>()));