use the new session manager interface
[java-idp.git] / tests / edu / internet2 / middleware / shibboleth / common / TrustTests.java
1 /*
2  * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.] Licensed under the Apache License,
3  * Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy
4  * of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in
5  * writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
6  * OF ANY KIND, either express or implied. See the License for the specific language governing permissions and
7  * limitations under the License.
8  */
9
10 package edu.internet2.middleware.shibboleth.common;
11
12 import java.io.File;
13 import java.io.IOException;
14 import java.security.KeyStore;
15 import java.security.KeyStoreException;
16 import java.security.NoSuchAlgorithmException;
17 import java.security.cert.CertificateException;
18 import java.security.cert.X509Certificate;
19 import java.util.Arrays;
20
21 import junit.framework.TestCase;
22
23 import org.apache.log4j.BasicConfigurator;
24 import org.apache.log4j.Level;
25 import org.apache.log4j.Logger;
26 import org.opensaml.Configuration;
27 import org.opensaml.saml2.metadata.EntityDescriptor;
28 import org.opensaml.saml2.metadata.SPSSODescriptor;
29 import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
30 import org.opensaml.saml2.metadata.provider.MetadataProvider;
31 import org.opensaml.saml2.metadata.provider.MetadataProviderException;
32 import org.opensaml.security.TrustEngine;
33 import org.opensaml.security.X509EntityCredential;
34 import org.opensaml.security.impl.SimpleX509EntityCredential;
35
36 import edu.internet2.middleware.shibboleth.common.ShibResource.ResourceNotAvailableException;
37 import edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrustEngine;
38
39 /**
40  * Test suite for SAML/Shibboleth trust validation.
41  * 
42  * @author Walter Hoehn
43  */
44 public class TrustTests extends TestCase {
45
46         public TrustTests(String name) {
47
48                 super(name);
49                 BasicConfigurator.resetConfiguration();
50                 BasicConfigurator.configure();
51                 Logger.getRootLogger().setLevel(Level.OFF);
52                 
53                 Configuration.init();
54         }
55
56         public static void main(String[] args) {
57
58                 junit.textui.TestRunner.run(CredentialsTests.class);
59                 BasicConfigurator.configure();
60                 Logger.getRootLogger().setLevel(Level.OFF);
61         }
62
63         protected void setUp() throws Exception {
64
65                 super.setUp();
66         }
67
68         public void testInlineX509CertValidate() {
69
70                 try {
71                         // Pull the role descriptor from example metadata
72                         MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata1.xml"));
73                         EntityDescriptor entity = metadata.getEntityDescriptor("urn-x:testSP1");
74                         SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
75
76                         // Use a pre-defined cert
77                         KeyStore keyStore = KeyStore.getInstance("JKS");
78                         keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
79                                         new char[]{'t', 'e', 's', 't', '1', '2', '3'});
80                         X509Certificate cert = (X509Certificate) keyStore.getCertificate("inliine1");
81
82                         // Try to validate against the metadata
83                         TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
84                         boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays
85                                         .asList(new X509Certificate[]{cert})), role);
86                         if (!successful) {
87                                 fail("Validation should have succeeded.");
88                         }
89
90                 } catch (MetadataProviderException e) {
91                         fail("Error in test specification: " + e);
92                 } catch (ResourceNotAvailableException e) {
93                         fail("Error in test specification: " + e);
94                 } catch (IOException e) {
95                         fail("Error in test specification: " + e);
96                 } catch (NoSuchAlgorithmException e) {
97                         fail("Error in test specification: " + e);
98                 } catch (CertificateException e) {
99                         fail("Error in test specification: " + e);
100                 } catch (KeyStoreException e) {
101                         fail("Error in test specification: " + e);
102                 }
103         }
104
105         public void testInlineX509CertValidationFail() {
106
107                 try {
108                         // Pull the role descriptor from example metadata
109                         MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata1.xml"));
110                         EntityDescriptor entity = metadata.getEntityDescriptor("urn-x:testSP1");
111                         SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
112
113                         // Use a pre-defined cert
114                         KeyStore keyStore = KeyStore.getInstance("JKS");
115                         keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
116                                         new char[]{'t', 'e', 's', 't', '1', '2', '3'});
117                         X509Certificate cert = (X509Certificate) keyStore.getCertificate("inline2");
118
119                         // Try to validate against the metadata
120                         TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
121                         boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays
122                                         .asList(new X509Certificate[]{cert})), role);
123                         if (successful) {
124                                 fail("Validation should have failed.");
125                         }
126
127                 } catch (MetadataProviderException e) {
128                         fail("Error in test specification: " + e);
129                 } catch (ResourceNotAvailableException e) {
130                         fail("Error in test specification: " + e);
131                 } catch (IOException e) {
132                         fail("Error in test specification: " + e);
133                 } catch (NoSuchAlgorithmException e) {
134                         fail("Error in test specification: " + e);
135                 } catch (CertificateException e) {
136                         fail("Error in test specification: " + e);
137                 } catch (KeyStoreException e) {
138                         fail("Error in test specification: " + e);
139                 }
140         }
141
142         public void testPkixX509CertValidate() {
143
144                 try {
145                         // Pull the role descriptor from example metadata
146                         MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata2.xml"));
147                         EntityDescriptor entity = metadata.getEntityDescriptor("urn-x:testSP1");
148                         SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
149
150                         // Use a pre-defined cert
151                         KeyStore keyStore = KeyStore.getInstance("JKS");
152                         keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
153                                         new char[]{'t', 'e', 's', 't', '1', '2', '3'});
154                         X509Certificate cert = (X509Certificate) keyStore.getCertificate("inliine1");
155
156                         // Try to validate against the metadata
157                         TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
158                         boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays
159                                         .asList(new X509Certificate[]{cert})), role);
160                         if (!successful) {
161                                 fail("Validation should have succeeded.");
162                         }
163
164                 } catch (MetadataProviderException e) {
165                         fail("Error in test specification: " + e);
166                 } catch (ResourceNotAvailableException e) {
167                         fail("Error in test specification: " + e);
168                 } catch (IOException e) {
169                         fail("Error in test specification: " + e);
170                 } catch (NoSuchAlgorithmException e) {
171                         fail("Error in test specification: " + e);
172                 } catch (CertificateException e) {
173                         fail("Error in test specification: " + e);
174                 } catch (KeyStoreException e) {
175                         fail("Error in test specification: " + e);
176                 }
177         }
178
179         public void testPkixX509CertValidateRecurseEntities() {
180
181                 try {
182                         // Pull the role descriptor from example metadata
183                         MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata3.xml"));
184                         EntityDescriptor entity = metadata.getEntityDescriptor("urn-x:testSP1");
185                         SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
186
187                         // Use a pre-defined cert
188                         KeyStore keyStore = KeyStore.getInstance("JKS");
189                         keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
190                                         new char[]{'t', 'e', 's', 't', '1', '2', '3'});
191                         X509Certificate cert = (X509Certificate) keyStore.getCertificate("inliine1");
192
193                         // Try to validate against the metadata
194                         TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
195                         boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays
196                                         .asList(new X509Certificate[]{cert})), role);
197                         if (!successful) {
198                                 fail("Validation should have succeeded.");
199                         }
200
201                 } catch (MetadataProviderException e) {
202                         fail("Error in test specification: " + e);
203                 } catch (ResourceNotAvailableException e) {
204                         fail("Error in test specification: " + e);
205                 } catch (IOException e) {
206                         fail("Error in test specification: " + e);
207                 } catch (NoSuchAlgorithmException e) {
208                         fail("Error in test specification: " + e);
209                 } catch (CertificateException e) {
210                         fail("Error in test specification: " + e);
211                 } catch (KeyStoreException e) {
212                         fail("Error in test specification: " + e);
213                 }
214         }
215
216         public void testPkixX509CertValidateRecurseEntitiesWBadFirst() {
217
218                 try {
219                         // Pull the role descriptor from example metadata
220                         MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata12.xml"));
221                         EntityDescriptor entity = metadata.getEntityDescriptor("urn-x:testSP1");
222                         SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
223
224                         // Use a pre-defined cert
225                         KeyStore keyStore = KeyStore.getInstance("JKS");
226                         keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
227                                         new char[]{'t', 'e', 's', 't', '1', '2', '3'});
228                         X509Certificate cert = (X509Certificate) keyStore.getCertificate("inliine1");
229
230                         // Try to validate against the metadata
231                         TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
232                         boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays
233                                         .asList(new X509Certificate[]{cert})), role);
234                         if (!successful) {
235                                 fail("Validation should have succeeded.");
236                         }
237
238                 } catch (MetadataProviderException e) {
239                         fail("Error in test specification: " + e);
240                 } catch (ResourceNotAvailableException e) {
241                         fail("Error in test specification: " + e);
242                 } catch (IOException e) {
243                         fail("Error in test specification: " + e);
244                 } catch (NoSuchAlgorithmException e) {
245                         fail("Error in test specification: " + e);
246                 } catch (CertificateException e) {
247                         fail("Error in test specification: " + e);
248                 } catch (KeyStoreException e) {
249                         fail("Error in test specification: " + e);
250                 }
251         }
252         public void testPkixX509CertValidateRecurseEntitiesWMultipleKeyAuthoritiesOnOneDescriptor() {
253
254                 try {
255                         // Pull the role descriptor from example metadata
256                         MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata13.xml"));
257                         EntityDescriptor entity = metadata.getEntityDescriptor("urn-x:testSP1");
258                         SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
259
260                         // Use a pre-defined cert
261                         KeyStore keyStore = KeyStore.getInstance("JKS");
262                         keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
263                                         new char[]{'t', 'e', 's', 't', '1', '2', '3'});
264                         X509Certificate cert = (X509Certificate) keyStore.getCertificate("inliine1");
265
266                         // Try to validate against the metadata
267                         TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
268                         boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays
269                                         .asList(new X509Certificate[]{cert})), role);
270                         if (!successful) {
271                                 fail("Validation should have succeeded.");
272                         }
273
274                 } catch (MetadataProviderException e) {
275                         fail("Error in test specification: " + e);
276                 } catch (ResourceNotAvailableException e) {
277                         fail("Error in test specification: " + e);
278                 } catch (IOException e) {
279                         fail("Error in test specification: " + e);
280                 } catch (NoSuchAlgorithmException e) {
281                         fail("Error in test specification: " + e);
282                 } catch (CertificateException e) {
283                         fail("Error in test specification: " + e);
284                 } catch (KeyStoreException e) {
285                         fail("Error in test specification: " + e);
286                 }
287         }
288
289         public void testPkixX509CertValidateWithCAPath() {
290
291                 try {
292                         // Pull the role descriptor from example metadata
293                         MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata4.xml"));
294                         EntityDescriptor entity = metadata.getEntityDescriptor("urn-x:testSP1");
295                         SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
296
297                         // Use a pre-defined cert
298                         KeyStore keyStore = KeyStore.getInstance("JKS");
299                         keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
300                                         new char[]{'t', 'e', 's', 't', '1', '2', '3'});
301                         X509Certificate cert = (X509Certificate) keyStore.getCertificate("inline3");
302
303                         // Try to validate against the metadata
304                         TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
305                         boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays
306                                         .asList(new X509Certificate[]{cert})), role);
307                         if (!successful) {
308                                 fail("Validation should have succeeded.");
309                         }
310
311                 } catch (MetadataProviderException e) {
312                         fail("Error in test specification: " + e);
313                 } catch (ResourceNotAvailableException e) {
314                         fail("Error in test specification: " + e);
315                 } catch (IOException e) {
316                         fail("Error in test specification: " + e);
317                 } catch (NoSuchAlgorithmException e) {
318                         fail("Error in test specification: " + e);
319                 } catch (CertificateException e) {
320                         fail("Error in test specification: " + e);
321                 } catch (KeyStoreException e) {
322                         fail("Error in test specification: " + e);
323                 }
324         }
325
326         public void testPkixX509CertFailBadNameMatch() {
327
328                 try {
329                         // Pull the role descriptor from example metadata
330                         MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata11.xml"));
331                         EntityDescriptor entity = metadata.getEntityDescriptor("urn-x:testSP1");
332                         SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
333
334                         // Use a pre-defined cert
335                         KeyStore keyStore = KeyStore.getInstance("JKS");
336                         keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
337                                         new char[]{'t', 'e', 's', 't', '1', '2', '3'});
338                         X509Certificate cert = (X509Certificate) keyStore.getCertificate("inline3");
339
340                         // Try to validate against the metadata
341                         TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
342                         boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays
343                                         .asList(new X509Certificate[]{cert})), role);
344                         if (successful) {
345                                 fail("Validation should have failed.  DN in cert does not match the metadata.");
346                         }
347
348                 } catch (MetadataProviderException e) {
349                         fail("Error in test specification: " + e);
350                 } catch (ResourceNotAvailableException e) {
351                         fail("Error in test specification: " + e);
352                 } catch (IOException e) {
353                         fail("Error in test specification: " + e);
354                 } catch (NoSuchAlgorithmException e) {
355                         fail("Error in test specification: " + e);
356                 } catch (CertificateException e) {
357                         fail("Error in test specification: " + e);
358                 } catch (KeyStoreException e) {
359                         fail("Error in test specification: " + e);
360                 }
361         }
362
363         public void testPkixX509CertFailValidateWithPathTooLong() {
364
365                 try {
366                         // Pull the role descriptor from example metadata
367                         MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata6.xml"));
368                         EntityDescriptor entity = metadata.getEntityDescriptor("urn-x:testSP1");
369                         SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
370
371                         // Use a pre-defined cert
372                         KeyStore keyStore = KeyStore.getInstance("JKS");
373                         keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
374                                         new char[]{'t', 'e', 's', 't', '1', '2', '3'});
375                         X509Certificate endEntity = (X509Certificate) keyStore.getCertificate("inline3");
376                         X509Certificate intermediate = (X509Certificate) keyStore.getCertificate("im");
377
378                         // Try to validate against the metadata
379                         TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
380                         boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays.asList(new X509Certificate[]{
381                                         endEntity, intermediate})), role);
382                         if (successful) {
383                                 fail("Validation should not have succeeded.");
384                         }
385
386                 } catch (MetadataProviderException e) {
387                         fail("Error in test specification: " + e);
388                 } catch (ResourceNotAvailableException e) {
389                         fail("Error in test specification: " + e);
390                 } catch (IOException e) {
391                         fail("Error in test specification: " + e);
392                 } catch (NoSuchAlgorithmException e) {
393                         fail("Error in test specification: " + e);
394                 } catch (CertificateException e) {
395                         fail("Error in test specification: " + e);
396                 } catch (KeyStoreException e) {
397                         fail("Error in test specification: " + e);
398                 }
399         }
400
401         public void testPkixX509CertValidateWithClientSuppliedIntermediate() {
402
403                 try {
404                         // Pull the role descriptor from example metadata
405                         MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata5.xml"));
406                         EntityDescriptor entity = metadata.getEntityDescriptor("urn-x:testSP1");
407                         SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
408
409                         // Use a pre-defined cert
410                         KeyStore keyStore = KeyStore.getInstance("JKS");
411                         keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
412                                         new char[]{'t', 'e', 's', 't', '1', '2', '3'});
413                         X509Certificate endEntity = (X509Certificate) keyStore.getCertificate("inline3");
414                         X509Certificate intermediate = (X509Certificate) keyStore.getCertificate("im");
415
416                         // Try to validate against the metadata
417                         TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
418                         boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays.asList(new X509Certificate[]{
419                                         endEntity, intermediate})), role);
420                         if (!successful) {
421                                 fail("Validation should have succeeded.");
422                         }
423
424                 } catch (MetadataProviderException e) {
425                         fail("Error in test specification: " + e);
426                 } catch (ResourceNotAvailableException e) {
427                         fail("Error in test specification: " + e);
428                 } catch (IOException e) {
429                         fail("Error in test specification: " + e);
430                 } catch (NoSuchAlgorithmException e) {
431                         fail("Error in test specification: " + e);
432                 } catch (CertificateException e) {
433                         fail("Error in test specification: " + e);
434                 } catch (KeyStoreException e) {
435                         fail("Error in test specification: " + e);
436                 }
437         }
438
439         public void testCRL() {
440
441                 try {
442                         // Pull the role descriptor from example metadata
443                         MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata7.xml"));
444                         EntityDescriptor entity = metadata.getEntityDescriptor("urn-x:testSP1");
445                         SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
446
447                         // Use a pre-defined cert
448                         KeyStore keyStore = KeyStore.getInstance("JKS");
449                         keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
450                                         new char[]{'t', 'e', 's', 't', '1', '2', '3'});
451                         X509Certificate cert = (X509Certificate) keyStore.getCertificate("inline4");
452
453                         // Try to validate against the metadata
454                         TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
455                         boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays
456                                         .asList(new X509Certificate[]{cert})), role);
457                         if (successful) {
458                                 fail("Validation should not have succeeded.");
459                         }
460
461                 } catch (MetadataProviderException e) {
462                         fail("Error in test specification: " + e);
463                 } catch (ResourceNotAvailableException e) {
464                         fail("Error in test specification: " + e);
465                 } catch (IOException e) {
466                         fail("Error in test specification: " + e);
467                 } catch (NoSuchAlgorithmException e) {
468                         fail("Error in test specification: " + e);
469                 } catch (CertificateException e) {
470                         fail("Error in test specification: " + e);
471                 } catch (KeyStoreException e) {
472                         fail("Error in test specification: " + e);
473                 }
474         }
475
476         public void testCRLDoesntBreakValid() {
477                  
478                 try {
479                         // Pull the role descriptor from example metadata
480                         MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata8.xml"));
481                         EntityDescriptor entity = metadata.getEntityDescriptor("urn-x:testSP1");
482                         SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
483
484                         // Use a pre-defined cert
485                         KeyStore keyStore = KeyStore.getInstance("JKS");
486                         keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
487                                         new char[]{'t', 'e', 's', 't', '1', '2', '3'});
488                         X509Certificate cert = (X509Certificate) keyStore.getCertificate("pkix5");
489
490                         // Try to validate against the metadata
491                         TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
492                         boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays
493                                         .asList(new X509Certificate[]{cert})), role);
494                         if (!successful) {
495                                 fail("Validation should have succeeded.");
496                         }
497
498                 } catch (MetadataProviderException e) {
499                         fail("Error in test specification: " + e);
500                 } catch (ResourceNotAvailableException e) {
501                         fail("Error in test specification: " + e);
502                 } catch (IOException e) {
503                         fail("Error in test specification: " + e);
504                 } catch (NoSuchAlgorithmException e) {
505                         fail("Error in test specification: " + e);
506                 } catch (CertificateException e) {
507                         fail("Error in test specification: " + e);
508                 } catch (KeyStoreException e) {
509                         fail("Error in test specification: " + e);
510                 }
511         }
512
513         public void testPkixX509CertValidateWithExactProviderIdMatch() {
514
515                 try {
516                         // Pull the role descriptor from example metadata
517                         MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata9.xml"));
518                         EntityDescriptor entity = metadata.getEntityDescriptor("Walter Hoehn");
519                         SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
520
521                         // Use a pre-defined cert
522                         KeyStore keyStore = KeyStore.getInstance("JKS");
523                         keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
524                                         new char[]{'t', 'e', 's', 't', '1', '2', '3'});
525                         X509Certificate cert = (X509Certificate) keyStore.getCertificate("inliine1");
526
527                         // Try to validate against the metadata
528                         TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
529                         boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays
530                                         .asList(new X509Certificate[]{cert})), role);
531                         if (!successful) {
532                                 fail("Validation should have succeeded.");
533                         }
534
535                 } catch (MetadataProviderException e) {
536                         fail("Error in test specification: " + e);
537                 } catch (ResourceNotAvailableException e) {
538                         fail("Error in test specification: " + e);
539                 } catch (IOException e) {
540                         fail("Error in test specification: " + e);
541                 } catch (NoSuchAlgorithmException e) {
542                         fail("Error in test specification: " + e);
543                 } catch (CertificateException e) {
544                         fail("Error in test specification: " + e);
545                 } catch (KeyStoreException e) {
546                         fail("Error in test specification: " + e);
547                 }
548         }
549
550 }