From b4311040788a39686160e29837f06d7a88c5601c Mon Sep 17 00:00:00 2001
From: Joseph Shook
Date: Tue, 5 Nov 2024 15:45:39 -0800
Subject: [PATCH] Working on the ability to terminate trust at a chosen Trust Anchor.

This should pass the tests. It used to be that we did not fail when chainBuilder.Build(certificate) returned false. That is not longer the case and I think it is a better way to validate. In the past we would examine the problem flags to determine if it was a failure. This means many tests need to run with X509RevocationMode set to NoCheck and that is fine for these tests.
---
 Udap.Common/Certificates/TrustChainValidator.cs | 7 -------
 .../FhirLabsApi/UdapControllerCommunityTest.cs | 4 +++-
 .../UdapMetadata.Tests/FhirLabsApi/UdapControllerTests.cs | 1 +
 _tests/UdapServer.Tests/IntegrationRegistrationTests.cs | 2 ++
 4 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/Udap.Common/Certificates/TrustChainValidator.cs b/Udap.Common/Certificates/TrustChainValidator.cs
index c68eda70..718c2c26 100644
--- a/Udap.Common/Certificates/TrustChainValidator.cs
+++ b/Udap.Common/Certificates/TrustChainValidator.cs
@@ -204,13 +204,6 @@ public bool IsTrustedCertificate(string clientName,
 {
 bool isAnchor = roots?.FindByThumbprint(chainElement.Certificate.Thumbprint) != null;

- if (this.ChainElementHasProblems(chainElement))
- {
- this.NotifyProblem(chainElement);
- this.NotifyUntrusted(chainElement.Certificate);
- return false;
- }
-
 if (isAnchor)
 {
 // Found a valid anchor!
diff --git a/_tests/UdapMetadata.Tests/FhirLabsApi/UdapControllerCommunityTest.cs b/_tests/UdapMetadata.Tests/FhirLabsApi/UdapControllerCommunityTest.cs
index 2a9711f7..6507c237 100644
--- a/_tests/UdapMetadata.Tests/FhirLabsApi/UdapControllerCommunityTest.cs
+++ b/_tests/UdapMetadata.Tests/FhirLabsApi/UdapControllerCommunityTest.cs
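Review bot: Dropping the per-element `ChainElementHasProblems` check also drops the `NotifyProblem(chainElement)` call, and nothing on the new side of this hunk reports element status anywhere else, so callers that relied on the problem notification for diagnostics no longer receive it; whether the new hard failure on `chainBuilder.Build` returning false (described in the commit message) still notifies is outside this hunk. A true result from `Build()` also does not mean every element is clean: status entries that the policy's `VerificationFlags` tells the builder to tolerate can still appear in `chainElement.ChainElementStatus`, so if that policy is ever configured to ignore, say, an unknown certificate authority, this loop would now walk past it to the anchor match with no notification at all. Consider keeping the notification without the early return, `if (this.ChainElementHasProblems(chainElement)) { this.NotifyProblem(chainElement); }`, or adding a comment above `if (isAnchor)` stating that element-level problems are now expected to be surfaced solely by the `Build()` result. `IsTrustedCertificate` starts and ends outside this hunk, so the `Build()` call and its new failure path cannot be checked here.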
@@ -125,6 +125,7 @@ public UdapControllerCommunityTest(ApiForCommunityTestFixture fixture, ITestOutp
 {
 DisableCertificateDownloads = true,
 UrlRetrievalTimeout = TimeSpan.FromMilliseconds(1),
+ RevocationMode = X509RevocationMode.NoCheck
 },
 problemFlags,
 _testOutputHelper.ToLogger()));
@@ -567,7 +568,8 @@ public async Task ValidateChainWithMyAnchorAndIntermediateTest()
 {
 DisableCertificateDownloads = true,
 UrlRetrievalTimeout = TimeSpan.FromMilliseconds(1),
- },
+ RevocationMode = X509RevocationMode.NoCheck
+ },
 problemFlags,
 _testOutputHelper.ToLogger()));
diff --git a/_tests/UdapMetadata.Tests/FhirLabsApi/UdapControllerTests.cs b/_tests/UdapMetadata.Tests/FhirLabsApi/UdapControllerTests.cs
index 42c3e773..97980a8f 100644
--- a/_tests/UdapMetadata.Tests/FhirLabsApi/UdapControllerTests.cs
+++ b/_tests/UdapMetadata.Tests/FhirLabsApi/UdapControllerTests.cs
@@ -158,6 +158,7 @@ public UdapControllerTests(ApiTestFixture fixture, ITestOutputHelper testOutputH
 {
 DisableCertificateDownloads = true,
 UrlRetrievalTimeout = TimeSpan.FromMilliseconds(1),
+ RevocationMode = X509RevocationMode.NoCheck
 },
 problemFlags,
 testOutputHelper.ToLogger()));
diff --git a/_tests/UdapServer.Tests/IntegrationRegistrationTests.cs b/_tests/UdapServer.Tests/IntegrationRegistrationTests.cs
index 068037c9..8445304e 100644
--- a/_tests/UdapServer.Tests/IntegrationRegistrationTests.cs
+++ b/_tests/UdapServer.Tests/IntegrationRegistrationTests.cs
@@ -299,6 +299,7 @@ public async Task GoodIUdapClientRegistrationStore()
 {
 DisableCertificateDownloads = true,
 UrlRetrievalTimeout = TimeSpan.FromMicroseconds(1),
+ RevocationMode = X509RevocationMode.NoCheck
 },
 problemFlags,
 _testOutputHelper.ToLogger()));
@@ -415,6 +416,7 @@ public async Task GoodCertificationsRegistrationStore()
 {
 DisableCertificateDownloads = true,
 UrlRetrievalTimeout = TimeSpan.FromMicroseconds(1),
+ RevocationMode = X509RevocationMode.NoCheck
 },
 problemFlags,
 _testOutputHelper.ToLogger()));
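Review bot: `RevocationMode = X509RevocationMode.NoCheck` is added without a comment saying why, here and in the other four hunks of this patch (the second hunk of this file, the UdapControllerTests.cs hunk, and both IntegrationRegistrationTests.cs hunks), so a later reader will not connect it to the validator now failing when `chainBuilder.Build` returns false, as the commit message explains. These policies already set `DisableCertificateDownloads = true` and a 1 ms retrieval timeout, so revocation lookups presumably cannot succeed in the test environment; that is worth recording next to the setting, e.g. `// Revocation endpoints are unreachable in tests and Build() now fails hard on them, so skip the check here`. With every fixture on NoCheck, nothing in this patch exercises the revocation-failure path any more; one test that leaves `RevocationMode` at `Online` or `Offline` and asserts the chain is rejected would keep that behaviour covered. The `- },` / `+ },` pair in the second hunk of this file appears to differ only in whitespace and could be dropped to keep the diff minimal.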