2 * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.] Licensed under the Apache License,
3 * Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy
4 * of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in
5 * writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
6 * OF ANY KIND, either express or implied. See the License for the specific language governing permissions and
7 * limitations under the License.
10 package edu.internet2.middleware.shibboleth.common;
13 import java.io.IOException;
14 import java.security.KeyStore;
15 import java.security.KeyStoreException;
16 import java.security.NoSuchAlgorithmException;
17 import java.security.cert.CertificateException;
18 import java.security.cert.X509Certificate;
20 import junit.framework.TestCase;
22 import org.apache.log4j.BasicConfigurator;
23 import org.apache.log4j.Level;
24 import org.apache.log4j.Logger;
26 import edu.internet2.middleware.shibboleth.common.ShibResource.ResourceNotAvailableException;
27 import edu.internet2.middleware.shibboleth.common.provider.BasicTrust;
28 import edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust;
29 import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
30 import edu.internet2.middleware.shibboleth.metadata.Metadata;
31 import edu.internet2.middleware.shibboleth.metadata.MetadataException;
32 import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
33 import edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata;
34 import edu.internet2.middleware.shibboleth.xml.Parser;
37 * Test suite for SAML/Shibboleth trust validation.
39 * @author Walter Hoehn
41 public class TrustTests extends TestCase {
43 private Parser.DOMParser parser = new Parser.DOMParser(true);
45 public TrustTests(String name) {
48 BasicConfigurator.resetConfiguration();
49 BasicConfigurator.configure();
50 Logger.getRootLogger().setLevel(Level.OFF);
53 public static void main(String[] args) {
55 junit.textui.TestRunner.run(CredentialsTests.class);
56 BasicConfigurator.configure();
57 Logger.getRootLogger().setLevel(Level.OFF);
60 protected void setUp() throws Exception {
65 public void testInlineX509CertValidate() {
68 // Pull the role descriptor from example metadata
69 Metadata metadata = new XMLMetadata(new File("data/metadata1.xml").toURL().toString());
70 EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
71 SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
72 "urn:oasis:names:tc:SAML:1.1:protocol");
74 // Use a pre-defined cert
75 KeyStore keyStore = KeyStore.getInstance("JKS");
76 keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
77 new char[]{'t', 'e', 's', 't', '1', '2', '3'});
78 X509Certificate cert = (X509Certificate) keyStore.getCertificate("inliine1");
80 // Try to validate against the metadata
81 Trust validator = new BasicTrust();
82 boolean successful = validator.validate(cert, new X509Certificate[]{cert}, role);
84 fail("Validation should have succeeded.");
87 } catch (MetadataException e) {
88 fail("Error in test specification: " + e);
89 } catch (ResourceNotAvailableException e) {
90 fail("Error in test specification: " + e);
91 } catch (IOException e) {
92 fail("Error in test specification: " + e);
93 } catch (NoSuchAlgorithmException e) {
94 fail("Error in test specification: " + e);
95 } catch (CertificateException e) {
96 fail("Error in test specification: " + e);
97 } catch (KeyStoreException e) {
98 fail("Error in test specification: " + e);
102 public void testInlineX509CertValidationFail() {
105 // Pull the role descriptor from example metadata
106 Metadata metadata = new XMLMetadata(new File("data/metadata1.xml").toURL().toString());
107 EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
108 SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
109 "urn:oasis:names:tc:SAML:1.1:protocol");
111 // Use a pre-defined cert
112 KeyStore keyStore = KeyStore.getInstance("JKS");
113 keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
114 new char[]{'t', 'e', 's', 't', '1', '2', '3'});
115 X509Certificate cert = (X509Certificate) keyStore.getCertificate("inline2");
117 // Try to validate against the metadata
118 Trust validator = new BasicTrust();
119 boolean successful = validator.validate(cert, new X509Certificate[]{cert}, role);
121 fail("Validation should have failed.");
124 } catch (MetadataException e) {
125 fail("Error in test specification: " + e);
126 } catch (ResourceNotAvailableException e) {
127 fail("Error in test specification: " + e);
128 } catch (IOException e) {
129 fail("Error in test specification: " + e);
130 } catch (NoSuchAlgorithmException e) {
131 fail("Error in test specification: " + e);
132 } catch (CertificateException e) {
133 fail("Error in test specification: " + e);
134 } catch (KeyStoreException e) {
135 fail("Error in test specification: " + e);
139 public void testPkixX509CertValidate() {
142 // Pull the role descriptor from example metadata
143 Metadata metadata = new XMLMetadata(new File("data/metadata2.xml").toURL().toString());
144 EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
145 SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
146 "urn:oasis:names:tc:SAML:1.1:protocol");
148 // Use a pre-defined cert
149 KeyStore keyStore = KeyStore.getInstance("JKS");
150 keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
151 new char[]{'t', 'e', 's', 't', '1', '2', '3'});
152 X509Certificate cert = (X509Certificate) keyStore.getCertificate("inliine1");
154 // Try to validate against the metadata
155 Trust validator = new ShibbolethTrust();
156 boolean successful = validator.validate(cert, new X509Certificate[]{cert}, role);
158 fail("Validation should have succeeded.");
161 } catch (MetadataException e) {
162 fail("Error in test specification: " + e);
163 } catch (ResourceNotAvailableException e) {
164 fail("Error in test specification: " + e);
165 } catch (IOException e) {
166 fail("Error in test specification: " + e);
167 } catch (NoSuchAlgorithmException e) {
168 fail("Error in test specification: " + e);
169 } catch (CertificateException e) {
170 fail("Error in test specification: " + e);
171 } catch (KeyStoreException e) {
172 fail("Error in test specification: " + e);
176 public void testPkixX509CertValidateRecurseEntities() {
179 // Pull the role descriptor from example metadata
180 Metadata metadata = new XMLMetadata(new File("data/metadata3.xml").toURL().toString());
181 EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
182 SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
183 "urn:oasis:names:tc:SAML:1.1:protocol");
185 // Use a pre-defined cert
186 KeyStore keyStore = KeyStore.getInstance("JKS");
187 keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
188 new char[]{'t', 'e', 's', 't', '1', '2', '3'});
189 X509Certificate cert = (X509Certificate) keyStore.getCertificate("inliine1");
191 // Try to validate against the metadata
192 Trust validator = new ShibbolethTrust();
193 boolean successful = validator.validate(cert, new X509Certificate[]{cert}, role);
195 fail("Validation should have succeeded.");
198 } catch (MetadataException e) {
199 fail("Error in test specification: " + e);
200 } catch (ResourceNotAvailableException e) {
201 fail("Error in test specification: " + e);
202 } catch (IOException e) {
203 fail("Error in test specification: " + e);
204 } catch (NoSuchAlgorithmException e) {
205 fail("Error in test specification: " + e);
206 } catch (CertificateException e) {
207 fail("Error in test specification: " + e);
208 } catch (KeyStoreException e) {
209 fail("Error in test specification: " + e);
213 public void testPkixX509CertValidateWithCAPath() {
216 // Pull the role descriptor from example metadata
217 Metadata metadata = new XMLMetadata(new File("data/metadata4.xml").toURL().toString());
218 EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
219 SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
220 "urn:oasis:names:tc:SAML:1.1:protocol");
222 // Use a pre-defined cert
223 KeyStore keyStore = KeyStore.getInstance("JKS");
224 keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
225 new char[]{'t', 'e', 's', 't', '1', '2', '3'});
226 X509Certificate cert = (X509Certificate) keyStore.getCertificate("inline3");
228 // Try to validate against the metadata
229 Trust validator = new ShibbolethTrust();
230 boolean successful = validator.validate(cert, new X509Certificate[]{cert}, role);
232 fail("Validation should have succeeded.");
235 } catch (MetadataException e) {
236 fail("Error in test specification: " + e);
237 } catch (ResourceNotAvailableException e) {
238 fail("Error in test specification: " + e);
239 } catch (IOException e) {
240 fail("Error in test specification: " + e);
241 } catch (NoSuchAlgorithmException e) {
242 fail("Error in test specification: " + e);
243 } catch (CertificateException e) {
244 fail("Error in test specification: " + e);
245 } catch (KeyStoreException e) {
246 fail("Error in test specification: " + e);
250 public void testPkixX509CertFailBadNameMatch() {
253 // Pull the role descriptor from example metadata
254 Metadata metadata = new XMLMetadata(new File("data/metadata11.xml").toURL().toString());
255 EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
256 SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
257 "urn:oasis:names:tc:SAML:1.1:protocol");
259 // Use a pre-defined cert
260 KeyStore keyStore = KeyStore.getInstance("JKS");
261 keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
262 new char[]{'t', 'e', 's', 't', '1', '2', '3'});
263 X509Certificate cert = (X509Certificate) keyStore.getCertificate("inline3");
265 // Try to validate against the metadata
266 Trust validator = new ShibbolethTrust();
267 boolean successful = validator.validate(cert, new X509Certificate[]{cert}, role);
269 fail("Validation should have failed. DN in cert does not match the metadata.");
272 } catch (MetadataException e) {
273 fail("Error in test specification: " + e);
274 } catch (ResourceNotAvailableException e) {
275 fail("Error in test specification: " + e);
276 } catch (IOException e) {
277 fail("Error in test specification: " + e);
278 } catch (NoSuchAlgorithmException e) {
279 fail("Error in test specification: " + e);
280 } catch (CertificateException e) {
281 fail("Error in test specification: " + e);
282 } catch (KeyStoreException e) {
283 fail("Error in test specification: " + e);
287 public void testPkixX509CertFailValidateWithPathTooLong() {
290 // Pull the role descriptor from example metadata
291 Metadata metadata = new XMLMetadata(new File("data/metadata6.xml").toURL().toString());
292 EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
293 SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
294 "urn:oasis:names:tc:SAML:1.1:protocol");
296 // Use a pre-defined cert
297 KeyStore keyStore = KeyStore.getInstance("JKS");
298 keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
299 new char[]{'t', 'e', 's', 't', '1', '2', '3'});
300 X509Certificate endEntity = (X509Certificate) keyStore.getCertificate("inline3");
301 X509Certificate intermediate = (X509Certificate) keyStore.getCertificate("im");
303 // Try to validate against the metadata
304 Trust validator = new ShibbolethTrust();
305 boolean successful = validator.validate(endEntity, new X509Certificate[]{endEntity, intermediate}, role);
307 fail("Validation should not have succeeded.");
310 } catch (MetadataException e) {
311 fail("Error in test specification: " + e);
312 } catch (ResourceNotAvailableException e) {
313 fail("Error in test specification: " + e);
314 } catch (IOException e) {
315 fail("Error in test specification: " + e);
316 } catch (NoSuchAlgorithmException e) {
317 fail("Error in test specification: " + e);
318 } catch (CertificateException e) {
319 fail("Error in test specification: " + e);
320 } catch (KeyStoreException e) {
321 fail("Error in test specification: " + e);
325 public void testPkixX509CertValidateWithClientSuppliedIntermediate() {
328 // Pull the role descriptor from example metadata
329 Metadata metadata = new XMLMetadata(new File("data/metadata5.xml").toURL().toString());
330 EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
331 SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
332 "urn:oasis:names:tc:SAML:1.1:protocol");
334 // Use a pre-defined cert
335 KeyStore keyStore = KeyStore.getInstance("JKS");
336 keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
337 new char[]{'t', 'e', 's', 't', '1', '2', '3'});
338 X509Certificate endEntity = (X509Certificate) keyStore.getCertificate("inline3");
339 X509Certificate intermediate = (X509Certificate) keyStore.getCertificate("im");
341 // Try to validate against the metadata
342 Trust validator = new ShibbolethTrust();
343 boolean successful = validator.validate(endEntity, new X509Certificate[]{endEntity, intermediate}, role);
345 fail("Validation should have succeeded.");
348 } catch (MetadataException e) {
349 fail("Error in test specification: " + e);
350 } catch (ResourceNotAvailableException e) {
351 fail("Error in test specification: " + e);
352 } catch (IOException e) {
353 fail("Error in test specification: " + e);
354 } catch (NoSuchAlgorithmException e) {
355 fail("Error in test specification: " + e);
356 } catch (CertificateException e) {
357 fail("Error in test specification: " + e);
358 } catch (KeyStoreException e) {
359 fail("Error in test specification: " + e);
363 public void testCRL() {
366 // Pull the role descriptor from example metadata
367 Metadata metadata = new XMLMetadata(new File("data/metadata7.xml").toURL().toString());
368 EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
369 SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
370 "urn:oasis:names:tc:SAML:1.1:protocol");
372 // Use a pre-defined cert
373 KeyStore keyStore = KeyStore.getInstance("JKS");
374 keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
375 new char[]{'t', 'e', 's', 't', '1', '2', '3'});
376 X509Certificate cert = (X509Certificate) keyStore.getCertificate("inline4");
378 // Try to validate against the metadata
379 Trust validator = new ShibbolethTrust();
380 boolean successful = validator.validate(cert, new X509Certificate[]{cert}, role);
382 fail("Validation should not have succeeded.");
385 } catch (MetadataException e) {
386 fail("Error in test specification: " + e);
387 } catch (ResourceNotAvailableException e) {
388 fail("Error in test specification: " + e);
389 } catch (IOException e) {
390 fail("Error in test specification: " + e);
391 } catch (NoSuchAlgorithmException e) {
392 fail("Error in test specification: " + e);
393 } catch (CertificateException e) {
394 fail("Error in test specification: " + e);
395 } catch (KeyStoreException e) {
396 fail("Error in test specification: " + e);
400 public void testCRLDoesntBreakValid() {
403 // Pull the role descriptor from example metadata
404 Metadata metadata = new XMLMetadata(new File("data/metadata8.xml").toURL().toString());
405 EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
406 SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
407 "urn:oasis:names:tc:SAML:1.1:protocol");
409 // Use a pre-defined cert
410 KeyStore keyStore = KeyStore.getInstance("JKS");
411 keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
412 new char[]{'t', 'e', 's', 't', '1', '2', '3'});
413 X509Certificate cert = (X509Certificate) keyStore.getCertificate("inline4");
415 // Try to validate against the metadata
416 Trust validator = new ShibbolethTrust();
417 boolean successful = validator.validate(cert, new X509Certificate[]{cert}, role);
419 fail("Validation should have succeeded.");
422 } catch (MetadataException e) {
423 fail("Error in test specification: " + e);
424 } catch (ResourceNotAvailableException e) {
425 fail("Error in test specification: " + e);
426 } catch (IOException e) {
427 fail("Error in test specification: " + e);
428 } catch (NoSuchAlgorithmException e) {
429 fail("Error in test specification: " + e);
430 } catch (CertificateException e) {
431 fail("Error in test specification: " + e);
432 } catch (KeyStoreException e) {
433 fail("Error in test specification: " + e);
437 public void testPkixX509CertValidateWithExactProviderIdMatch() {
440 // Pull the role descriptor from example metadata
441 Metadata metadata = new XMLMetadata(new File("data/metadata9.xml").toURL().toString());
442 EntityDescriptor entity = metadata.lookup("Walter Hoehn");
443 SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
444 "urn:oasis:names:tc:SAML:1.1:protocol");
446 // Use a pre-defined cert
447 KeyStore keyStore = KeyStore.getInstance("JKS");
448 keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
449 new char[]{'t', 'e', 's', 't', '1', '2', '3'});
450 X509Certificate cert = (X509Certificate) keyStore.getCertificate("inliine1");
452 // Try to validate against the metadata
453 Trust validator = new ShibbolethTrust();
454 boolean successful = validator.validate(cert, new X509Certificate[]{cert}, role);
456 fail("Validation should have succeeded.");
459 } catch (MetadataException e) {
460 fail("Error in test specification: " + e);
461 } catch (ResourceNotAvailableException e) {
462 fail("Error in test specification: " + e);
463 } catch (IOException e) {
464 fail("Error in test specification: " + e);
465 } catch (NoSuchAlgorithmException e) {
466 fail("Error in test specification: " + e);
467 } catch (CertificateException e) {
468 fail("Error in test specification: " + e);
469 } catch (KeyStoreException e) {
470 fail("Error in test specification: " + e);
projects / java-idp.git / blob