libeufin

Integration and sandbox testing for FinTech APIs and data formats

commit 7f1ac03d8abcdf8012616cec2b41bd9cf7c3e434
parent 55bd4e47f8e2b4fdb800927c71b83edb47432cb6
Author: Antoine A <>
Date:   Tue, 15 Oct 2024 13:54:54 +0200

common: enable certificate revocation checks

Diffstat:
Acommon/src/main/kotlin/security.kt | 30++++++++++++++++++++++++++++++
Acommon/src/test/kotlin/TlsTest.kt | 56++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Mnexus/src/main/kotlin/tech/libeufin/nexus/Main.kt | 2++
Mnexus/src/main/kotlin/tech/libeufin/nexus/cli/Testing.kt | 3+--
Mtestbench/src/main/kotlin/Main.kt | 1+
5 files changed, 90 insertions(+), 2 deletions(-)

diff --git a/common/src/main/kotlin/security.kt b/common/src/main/kotlin/security.kt
@@ -0,0 +1,29 @@
+/*
+ * This file is part of LibEuFin.
+ * Copyright (C) 2024 Taler Systems S.A.
+
+ * LibEuFin is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation; either version 3, or
+ * (at your option) any later version.
+
+ * LibEuFin is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General
+ * Public License for more details.
+
+ * You should have received a copy of the GNU Affero General Public
+ * License along with LibEuFin; see the file COPYING. If not, see
+ * <http://www.gnu.org/licenses/>
+ */
+
+package tech.libeufin.common
+
+import java.security.Security
+
+fun setupSecurityProperties() {
+ // Enable certificate revocation check
+ System.setProperty("com.sun.net.ssl.checkRevocation", "true");
+ System.setProperty("com.sun.security.enableCRLDP", "true");
+ Security.setProperty("ocsp.enable", "true");
+}
+\ No newline at end of file
diff --git a/common/src/test/kotlin/TlsTest.kt b/common/src/test/kotlin/TlsTest.kt
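Review bot: The three properties are only read when the JSSE default trust manager is first initialised, so `setupSecurityProperties()` has no effect on handshakes that happened earlier in the process; the `main` functions in this commit call it first, but the function itself does not document that ordering requirement or that it is process-wide. As far as I can tell this configuration is hard-fail — an unreachable OCSP responder or CRL distribution point fails the handshake rather than being skipped — and every new connection may now perform network fetches to the CA's responder (bounded by `com.sun.security.ocsp.timeout`), which is a reasonable trade-off for a payment system but should be stated where the setting is made. Suggested KDoc on the function: `/** Enables certificate revocation checking (OCSP, CRL distribution points) for the JSSE default trust manager. Process-wide; must run before the first TLS connection. */`. Minor style point: the trailing semicolons are unnecessary in Kotlin.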
@@ -0,0 +1,55 @@
+/*
+ * This file is part of LibEuFin.
+ * Copyright (C) 2024 Taler Systems S.A.
+
+ * LibEuFin is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation; either version 3, or
+ * (at your option) any later version.
+
+ * LibEuFin is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General
+ * Public License for more details.
+
+ * You should have received a copy of the GNU Affero General Public
+ * License along with LibEuFin; see the file COPYING. If not, see
+ * <http://www.gnu.org/licenses/>
+ */
+
+import io.ktor.client.*
+import io.ktor.client.request.*
+import io.ktor.client.plugins.*
+import io.ktor.client.engine.mock.*
+import io.ktor.http.*
+import org.junit.Test
+import tech.libeufin.nexus.httpClient
+import kotlin.io.path.Path
+import kotlin.io.path.writeBytes
+import kotlin.test.assertEquals
+import kotlin.test.assertFails
+import java.security.Security
+
+class TlsTest {
+ @Test
+ fun securityCheck() = conf { config ->
+ setupSecurityProperties()
+
+ val secureClient = httpClient()
+ val checks = sequenceOf(
+ "expired",
+ "wrong.host",
+ "self-signed",
+ "untrusted-root",
+ "revoked",
+ // "no-sct", TODO when java support this
+ "preact-cli"
+ )
+ for (check in checks) {
+ println("https://$check.badssl.com")
+ assertFails {
+ secureClient.get("https://$check.badssl.com")
+ }
+ }
+ }
+}
+\ No newline at end of file
diff --git a/nexus/src/main/kotlin/tech/libeufin/nexus/Main.kt b/nexus/src/main/kotlin/tech/libeufin/nexus/Main.kt
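Review bot: `assertFails` in `securityCheck` accepts any exception, so when badssl.com is unreachable (no network, DNS failure, proxy) every check throws on connect and the test passes without exercising certificate validation at all; pin the failure type, e.g. `assertFailsWith<SSLHandshakeException> { secureClient.get("https://$check.badssl.com") }` (or whatever wrapper the Ktor engine in use throws — verify), and add a positive control such as `secureClient.get("https://badssl.com")` so a client that fails every connection cannot pass. The test also depends on a live third-party host, which should be noted or made opt-in. Several imports look unused (`io.ktor.client.engine.mock.*`, `Path`, `writeBytes`, `assertEquals`, `Security`), the `config` lambda parameter is unused, and `sequenceOf` could simply be `listOf` for a fixed small list. I also do not see an import bringing `setupSecurityProperties` from `tech.libeufin.common` into this default-package file — check that it compiles.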
@@ -29,6 +29,7 @@ import io.ktor.server.application.*
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
 import tech.libeufin.common.api.talerApi
+import tech.libeufin.common.setupSecurityProperties
 import tech.libeufin.nexus.api.revenueApi
 import tech.libeufin.nexus.api.wireGatewayApi
 import tech.libeufin.nexus.cli.LibeufinNexus
@@ -50,5 +51,6 @@ fun Application.nexusApi(db: Database, cfg: NexusConfig) = talerApi(logger) {
 }
 
 fun main(args: Array<String>) {
+ setupSecurityProperties()
 LibeufinNexus().main(args)
 }
\ No newline at end of file
diff --git a/nexus/src/main/kotlin/tech/libeufin/nexus/cli/Testing.kt b/nexus/src/main/kotlin/tech/libeufin/nexus/cli/Testing.kt
@@ -45,10 +45,9 @@ class Wss: CliktCommand() {
 override fun run() = cliCmd(logger, common.log) {
 nexusConfig(common.config).withDb { db, cfg ->
 val (clientKeys, bankKeys) = expectFullKeys(cfg.ebics)
- val httpClient = httpClient()
 val client = EbicsClient(
 cfg,
- httpClient,
+ httpClient(),
 db,
 EbicsLogger(ebicsLog),
 clientKeys,
diff --git a/testbench/src/main/kotlin/Main.kt b/testbench/src/main/kotlin/Main.kt
@@ -258,5 +258,6 @@ class Cli : CliktCommand() {
 }
 
 fun main(args: Array<String>) {
+ setupSecurityProperties()
 Cli().main(args)
 }
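Review bot: The diffstat records a single insertion for `testbench/src/main/kotlin/Main.kt`, so no import was added for `setupSecurityProperties` there, unlike the nexus `Main.kt` hunk which adds `import tech.libeufin.common.setupSecurityProperties`; unless the testbench file already has a `tech.libeufin.common.*` wildcard import outside this hunk, the new call does not resolve. Placing the call as the first statement of `main` in both entry points is correct, since the properties must be set before the first TLS handshake in the process. The `Testing.kt` hunk's inlining of `httpClient()` is unrelated to the revocation change and would be easier to review as its own commit.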