More work on the move to OpenSAML2-based trust.
authorwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Fri, 28 Jul 2006 15:36:26 +0000 (15:36 +0000)
committerwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Fri, 28 Jul 2006 15:36:26 +0000 (15:36 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@1982 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/edu/internet2/middleware/shibboleth/idp/provider/SAMLv1_1ArtifactQueryHandler.java
src/edu/internet2/middleware/shibboleth/idp/provider/SAMLv1_AttributeQueryHandler.java
tests/edu/internet2/middleware/shibboleth/common/TrustTests.java

index 80dff33..3339703 100644 (file)
@@ -36,6 +36,7 @@ import org.opensaml.artifact.Artifact;
 import org.opensaml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml2.metadata.SPSSODescriptor;
 import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.security.impl.HttpX509EntityCredential;
 import org.w3c.dom.Element;
 
 import edu.internet2.middleware.shibboleth.artifact.ArtifactMapping;
@@ -140,7 +141,7 @@ public class SAMLv1_1ArtifactQueryHandler extends BaseServiceHandler implements
 
                                // Make sure that the suppplied credential is valid for the provider to which the artifact was issued
                                if (chain != null && chain.length > 0) {
-                                       if (!support.getTrust().validate(chain[0], chain, role)) {
+                                       if (!support.getTrust().validate(new HttpX509EntityCredential(request), role)) {
                                                log.error("Supplied TLS credential ("
                                                                + chain[0].getSubjectX500Principal().getName(X500Principal.RFC2253)
                                                                + ") is NOT valid for provider (" + mapping.getServiceProviderId()
index 8532a3b..0f504b1 100644 (file)
@@ -52,6 +52,8 @@ import org.opensaml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml2.metadata.RoleDescriptor;
 import org.opensaml.saml2.metadata.SPSSODescriptor;
 import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.security.X509EntityCredential;
+import org.opensaml.security.impl.HttpX509EntityCredential;
 import org.w3c.dom.Element;
 
 import edu.internet2.middleware.shibboleth.aa.AAException;
@@ -86,7 +88,7 @@ public class SAMLv1_AttributeQueryHandler extends BaseServiceHandler implements
                return "SAML v1.1 Attribute Query";
        }
 
-       private String authenticateAs(String assertedId, X509Certificate[] chain, IdPProtocolSupport support)
+       private String authenticateAs(String assertedId, X509EntityCredential credential, IdPProtocolSupport support)
                        throws InvalidProviderCredentialException {
 
                // See if we have metadata for this provider
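Review bot: `authenticateAs` changes its contract here (it now takes an `X509EntityCredential` rather than a raw chain) but has no Javadoc, and the body that defines its return and failure semantics lies in the following hunk. Suggest adding above the signature `/** Validates {@code credential} against the metadata roles of the provider {@code assertedId} claims to be; returns {@code assertedId} on success. @throws InvalidProviderCredentialException if the credential is not valid for that provider. */`. The method body continues outside this hunk.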
@@ -115,12 +117,13 @@ public class SAMLv1_AttributeQueryHandler extends BaseServiceHandler implements
                }
 
                // Make sure that the supplied credential is valid for the selected provider role.
-               if ((ar_role != null && support.getTrust().validate(chain[0], chain, ar_role))
-                               || (sp_role != null && support.getTrust().validate(chain[0], chain, sp_role))) {
+               if ((ar_role != null && support.getTrust().validate(credential, ar_role))
+                               || (sp_role != null && support.getTrust().validate(credential, sp_role))) {
                        log.info("Supplied credentials validated for this provider.");
                        return assertedId;
                } else {
-                       log.error("Supplied credentials (" + chain[0].getSubjectX500Principal().getName(X500Principal.RFC2253)
+                       log.error("Supplied credentials ("
+                                       + credential.getEntityCertificate().getSubjectX500Principal().getName(X500Principal.RFC2253)
                                        + ") are NOT valid for provider (" + assertedId + ").");
                        throw new InvalidProviderCredentialException("Invalid credentials.");
                }
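Review bot: The failure branch now dereferences `credential.getEntityCertificate()` inside the `log.error` call before `InvalidProviderCredentialException` is thrown; if that getter can return null for a request that presented no client certificate (not visible here — to confirm against `HttpX509EntityCredential`), the log statement would raise a NullPointerException and the caller's `catch (InvalidProviderCredentialException ipc)` would never see the controlled rejection. Fetch the certificate into a local first, `X509Certificate entityCert = credential.getEntityCertificate();`, and log `(entityCert == null ? "<none>" : entityCert.getSubjectX500Principal().getName(X500Principal.RFC2253))` so the rejection path cannot itself fail. The old `chain[0]` code had the same shape of risk, so this is not a regression, but the move to the new API is the moment to close it.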
@@ -160,7 +163,8 @@ public class SAMLv1_AttributeQueryHandler extends BaseServiceHandler implements
                        try {
                                if (attributeQuery.getResource() != null) {
                                        log.info("Remote provider has identified itself as: (" + attributeQuery.getResource() + ").");
-                                       effectiveName = authenticateAs(attributeQuery.getResource(), credentials, support);
+                                       effectiveName = authenticateAs(attributeQuery.getResource(), new HttpX509EntityCredential(request),
+                                                       support);
                                }
 
                                if (effectiveName == null) {
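Review bot: `new HttpX509EntityCredential(request)` is constructed here and again inside the candidate-name loop in the next hunk (`for (int c = 0; ...)`), once per iteration, while `getCredentialNames(credentials[0])` in that loop still reads the raw `credentials` array — the same client certificate is now represented by two objects built from different sources. Construct the credential once before the `try`, `X509EntityCredential credential = new HttpX509EntityCredential(request);` (`X509EntityCredential` is already imported by this commit), and pass `credential` to both `authenticateAs` calls; deriving the candidate names from `credential.getEntityCertificate()` instead of `credentials[0]` would then leave a single source of truth for which certificate is being authenticated. Whether `credentials` and the request-derived credential can ever differ is not visible in this hunk; the enclosing method starts and ends outside it.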
@@ -170,7 +174,8 @@ public class SAMLv1_AttributeQueryHandler extends BaseServiceHandler implements
                                        // Try the additional candidates.
                                        String[] candidateNames = getCredentialNames(credentials[0]);
                                        for (int c = 0; effectiveName == null && c < candidateNames.length; c++) {
-                                               effectiveName = authenticateAs(candidateNames[c], credentials, support);
+                                               effectiveName = authenticateAs(candidateNames[c], new HttpX509EntityCredential(request),
+                                                               support);
                                        }
                                }
                        } catch (InvalidProviderCredentialException ipc) {
index a31d6ed..12a4a8b 100644 (file)
@@ -16,22 +16,24 @@ import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import java.util.Arrays;
 
 import junit.framework.TestCase;
 
 import org.apache.log4j.BasicConfigurator;
 import org.apache.log4j.Level;
 import org.apache.log4j.Logger;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataProvider;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+import org.opensaml.security.TrustEngine;
+import org.opensaml.security.X509EntityCredential;
+import org.opensaml.security.impl.SimpleX509EntityCredential;
 
 import edu.internet2.middleware.shibboleth.common.ShibResource.ResourceNotAvailableException;
-import edu.internet2.middleware.shibboleth.common.provider.BasicTrust;
-import edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust;
-import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
-import edu.internet2.middleware.shibboleth.metadata.Metadata;
-import edu.internet2.middleware.shibboleth.metadata.MetadataException;
-import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
-import edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata;
-import edu.internet2.middleware.shibboleth.xml.Parser;
+import edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrustEngine;
 
 /**
  * Test suite for SAML/Shibboleth trust validation.
@@ -40,8 +42,6 @@ import edu.internet2.middleware.shibboleth.xml.Parser;
  */
 public class TrustTests extends TestCase {
 
-       private Parser.DOMParser parser = new Parser.DOMParser(true);
-
        public TrustTests(String name) {
 
                super(name);
@@ -66,10 +66,9 @@ public class TrustTests extends TestCase {
 
                try {
                        // Pull the role descriptor from example metadata
-                       Metadata metadata = new XMLMetadata(new File("data/metadata1.xml").toURL().toString());
-                       EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
-                       SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
-                                       "urn:oasis:names:tc:SAML:1.1:protocol");
+                       MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata1.xml"));
+                       EntityDescriptor entity = metadata.getEntityDescriptor("urn-x:testSP1");
+                       SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
 
                        // Use a pre-defined cert
                        KeyStore keyStore = KeyStore.getInstance("JKS");
@@ -78,13 +77,14 @@ public class TrustTests extends TestCase {
                        X509Certificate cert = (X509Certificate) keyStore.getCertificate("inliine1");
 
                        // Try to validate against the metadata
-                       Trust validator = new BasicTrust();
-                       boolean successful = validator.validate(cert, new X509Certificate[]{cert}, role);
+                       TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
+                       boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays
+                                       .asList(new X509Certificate[]{cert})), role);
                        if (!successful) {
                                fail("Validation should have succeeded.");
                        }
 
-               } catch (MetadataException e) {
+               } catch (MetadataProviderException e) {
                        fail("Error in test specification: " + e);
                } catch (ResourceNotAvailableException e) {
                        fail("Error in test specification: " + e);
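Review bot: The metadata lookup and the `new SimpleX509EntityCredential(Arrays.asList(new X509Certificate[]{cert}))` construction are repeated verbatim in every test of this file (the hunks for metadata1 through metadata11 below all carry the same three-line lookup and the same validate call), so a change to the trust-engine API will again touch a dozen places as this commit did. Since the file already uses generics (`TrustEngine<X509EntityCredential>`), varargs are available and `Arrays.asList(cert)` replaces the explicit array; the lookup and credential construction belong in two private helpers. The `if (!successful) fail(...)` pairs could likewise be `assertTrue("Validation should have succeeded.", successful)` to get the JUnit message for free. The enclosing test methods start before each hunk; whether `FilesystemMetadataProvider` declares `MetadataProviderException` on construction or on lookup is not visible here, so the helper below simply propagates it.
```java
/** Loads the SAML 1.1 SPSSODescriptor for {@code entityId} from the given example metadata file. */
private static SPSSODescriptor loadSpRole(String metadataFile, String entityId) throws MetadataProviderException {
	MetadataProvider metadata = new FilesystemMetadataProvider(new File(metadataFile));
	EntityDescriptor entity = metadata.getEntityDescriptor(entityId);
	return (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
}

/** Wraps an end-entity certificate (plus any intermediates, in order) as the credential the trust engine validates. */
private static X509EntityCredential credentialFor(X509Certificate... chain) {
	return new SimpleX509EntityCredential(Arrays.asList(chain));
}

// … unchanged: keystore loading in each test …
TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
assertTrue("Validation should have succeeded.", validator.validate(credentialFor(cert), role));
```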
@@ -103,10 +103,9 @@ public class TrustTests extends TestCase {
 
                try {
                        // Pull the role descriptor from example metadata
-                       Metadata metadata = new XMLMetadata(new File("data/metadata1.xml").toURL().toString());
-                       EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
-                       SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
-                                       "urn:oasis:names:tc:SAML:1.1:protocol");
+                       MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata1.xml"));
+                       EntityDescriptor entity = metadata.getEntityDescriptor("urn-x:testSP1");
+                       SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
 
                        // Use a pre-defined cert
                        KeyStore keyStore = KeyStore.getInstance("JKS");
@@ -115,13 +114,14 @@ public class TrustTests extends TestCase {
                        X509Certificate cert = (X509Certificate) keyStore.getCertificate("inline2");
 
                        // Try to validate against the metadata
-                       Trust validator = new BasicTrust();
-                       boolean successful = validator.validate(cert, new X509Certificate[]{cert}, role);
+                       TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
+                       boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays
+                                       .asList(new X509Certificate[]{cert})), role);
                        if (successful) {
                                fail("Validation should have failed.");
                        }
 
-               } catch (MetadataException e) {
+               } catch (MetadataProviderException e) {
                        fail("Error in test specification: " + e);
                } catch (ResourceNotAvailableException e) {
                        fail("Error in test specification: " + e);
@@ -140,10 +140,9 @@ public class TrustTests extends TestCase {
 
                try {
                        // Pull the role descriptor from example metadata
-                       Metadata metadata = new XMLMetadata(new File("data/metadata2.xml").toURL().toString());
-                       EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
-                       SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
-                                       "urn:oasis:names:tc:SAML:1.1:protocol");
+                       MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata2.xml"));
+                       EntityDescriptor entity = metadata.getEntityDescriptor("urn-x:testSP1");
+                       SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
 
                        // Use a pre-defined cert
                        KeyStore keyStore = KeyStore.getInstance("JKS");
@@ -152,13 +151,14 @@ public class TrustTests extends TestCase {
                        X509Certificate cert = (X509Certificate) keyStore.getCertificate("inliine1");
 
                        // Try to validate against the metadata
-                       Trust validator = new ShibbolethTrust();
-                       boolean successful = validator.validate(cert, new X509Certificate[]{cert}, role);
+                       TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
+                       boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays
+                                       .asList(new X509Certificate[]{cert})), role);
                        if (!successful) {
                                fail("Validation should have succeeded.");
                        }
 
-               } catch (MetadataException e) {
+               } catch (MetadataProviderException e) {
                        fail("Error in test specification: " + e);
                } catch (ResourceNotAvailableException e) {
                        fail("Error in test specification: " + e);
@@ -177,10 +177,9 @@ public class TrustTests extends TestCase {
 
                try {
                        // Pull the role descriptor from example metadata
-                       Metadata metadata = new XMLMetadata(new File("data/metadata3.xml").toURL().toString());
-                       EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
-                       SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
-                                       "urn:oasis:names:tc:SAML:1.1:protocol");
+                       MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata3.xml"));
+                       EntityDescriptor entity = metadata.getEntityDescriptor("urn-x:testSP1");
+                       SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
 
                        // Use a pre-defined cert
                        KeyStore keyStore = KeyStore.getInstance("JKS");
@@ -189,13 +188,14 @@ public class TrustTests extends TestCase {
                        X509Certificate cert = (X509Certificate) keyStore.getCertificate("inliine1");
 
                        // Try to validate against the metadata
-                       Trust validator = new ShibbolethTrust();
-                       boolean successful = validator.validate(cert, new X509Certificate[]{cert}, role);
+                       TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
+                       boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays
+                                       .asList(new X509Certificate[]{cert})), role);
                        if (!successful) {
                                fail("Validation should have succeeded.");
                        }
 
-               } catch (MetadataException e) {
+               } catch (MetadataProviderException e) {
                        fail("Error in test specification: " + e);
                } catch (ResourceNotAvailableException e) {
                        fail("Error in test specification: " + e);
@@ -214,10 +214,9 @@ public class TrustTests extends TestCase {
 
                try {
                        // Pull the role descriptor from example metadata
-                       Metadata metadata = new XMLMetadata(new File("data/metadata4.xml").toURL().toString());
-                       EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
-                       SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
-                                       "urn:oasis:names:tc:SAML:1.1:protocol");
+                       MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata4.xml"));
+                       EntityDescriptor entity = metadata.getEntityDescriptor("urn-x:testSP1");
+                       SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
 
                        // Use a pre-defined cert
                        KeyStore keyStore = KeyStore.getInstance("JKS");
@@ -226,13 +225,14 @@ public class TrustTests extends TestCase {
                        X509Certificate cert = (X509Certificate) keyStore.getCertificate("inline3");
 
                        // Try to validate against the metadata
-                       Trust validator = new ShibbolethTrust();
-                       boolean successful = validator.validate(cert, new X509Certificate[]{cert}, role);
+                       TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
+                       boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays
+                                       .asList(new X509Certificate[]{cert})), role);
                        if (!successful) {
                                fail("Validation should have succeeded.");
                        }
 
-               } catch (MetadataException e) {
+               } catch (MetadataProviderException e) {
                        fail("Error in test specification: " + e);
                } catch (ResourceNotAvailableException e) {
                        fail("Error in test specification: " + e);
@@ -251,10 +251,9 @@ public class TrustTests extends TestCase {
 
                try {
                        // Pull the role descriptor from example metadata
-                       Metadata metadata = new XMLMetadata(new File("data/metadata11.xml").toURL().toString());
-                       EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
-                       SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
-                                       "urn:oasis:names:tc:SAML:1.1:protocol");
+                       MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata11.xml"));
+                       EntityDescriptor entity = metadata.getEntityDescriptor("urn-x:testSP1");
+                       SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
 
                        // Use a pre-defined cert
                        KeyStore keyStore = KeyStore.getInstance("JKS");
@@ -263,13 +262,14 @@ public class TrustTests extends TestCase {
                        X509Certificate cert = (X509Certificate) keyStore.getCertificate("inline3");
 
                        // Try to validate against the metadata
-                       Trust validator = new ShibbolethTrust();
-                       boolean successful = validator.validate(cert, new X509Certificate[]{cert}, role);
+                       TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
+                       boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays
+                                       .asList(new X509Certificate[]{cert})), role);
                        if (successful) {
                                fail("Validation should have failed.  DN in cert does not match the metadata.");
                        }
 
-               } catch (MetadataException e) {
+               } catch (MetadataProviderException e) {
                        fail("Error in test specification: " + e);
                } catch (ResourceNotAvailableException e) {
                        fail("Error in test specification: " + e);
@@ -288,10 +288,9 @@ public class TrustTests extends TestCase {
 
                try {
                        // Pull the role descriptor from example metadata
-                       Metadata metadata = new XMLMetadata(new File("data/metadata6.xml").toURL().toString());
-                       EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
-                       SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
-                                       "urn:oasis:names:tc:SAML:1.1:protocol");
+                       MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata6.xml"));
+                       EntityDescriptor entity = metadata.getEntityDescriptor("urn-x:testSP1");
+                       SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
 
                        // Use a pre-defined cert
                        KeyStore keyStore = KeyStore.getInstance("JKS");
@@ -301,13 +300,14 @@ public class TrustTests extends TestCase {
                        X509Certificate intermediate = (X509Certificate) keyStore.getCertificate("im");
 
                        // Try to validate against the metadata
-                       Trust validator = new ShibbolethTrust();
-                       boolean successful = validator.validate(endEntity, new X509Certificate[]{endEntity, intermediate}, role);
+                       TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
+                       boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays.asList(new X509Certificate[]{
+                                       endEntity, intermediate})), role);
                        if (successful) {
                                fail("Validation should not have succeeded.");
                        }
 
-               } catch (MetadataException e) {
+               } catch (MetadataProviderException e) {
                        fail("Error in test specification: " + e);
                } catch (ResourceNotAvailableException e) {
                        fail("Error in test specification: " + e);
@@ -326,10 +326,9 @@ public class TrustTests extends TestCase {
 
                try {
                        // Pull the role descriptor from example metadata
-                       Metadata metadata = new XMLMetadata(new File("data/metadata5.xml").toURL().toString());
-                       EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
-                       SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
-                                       "urn:oasis:names:tc:SAML:1.1:protocol");
+                       MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata5.xml"));
+                       EntityDescriptor entity = metadata.getEntityDescriptor("urn-x:testSP1");
+                       SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
 
                        // Use a pre-defined cert
                        KeyStore keyStore = KeyStore.getInstance("JKS");
@@ -339,13 +338,14 @@ public class TrustTests extends TestCase {
                        X509Certificate intermediate = (X509Certificate) keyStore.getCertificate("im");
 
                        // Try to validate against the metadata
-                       Trust validator = new ShibbolethTrust();
-                       boolean successful = validator.validate(endEntity, new X509Certificate[]{endEntity, intermediate}, role);
+                       TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
+                       boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays.asList(new X509Certificate[]{
+                                       endEntity, intermediate})), role);
                        if (!successful) {
                                fail("Validation should have succeeded.");
                        }
 
-               } catch (MetadataException e) {
+               } catch (MetadataProviderException e) {
                        fail("Error in test specification: " + e);
                } catch (ResourceNotAvailableException e) {
                        fail("Error in test specification: " + e);
@@ -364,10 +364,9 @@ public class TrustTests extends TestCase {
 
                try {
                        // Pull the role descriptor from example metadata
-                       Metadata metadata = new XMLMetadata(new File("data/metadata7.xml").toURL().toString());
-                       EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
-                       SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
-                                       "urn:oasis:names:tc:SAML:1.1:protocol");
+                       MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata7.xml"));
+                       EntityDescriptor entity = metadata.getEntityDescriptor("urn-x:testSP1");
+                       SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
 
                        // Use a pre-defined cert
                        KeyStore keyStore = KeyStore.getInstance("JKS");
@@ -376,13 +375,14 @@ public class TrustTests extends TestCase {
                        X509Certificate cert = (X509Certificate) keyStore.getCertificate("inline4");
 
                        // Try to validate against the metadata
-                       Trust validator = new ShibbolethTrust();
-                       boolean successful = validator.validate(cert, new X509Certificate[]{cert}, role);
+                       TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
+                       boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays
+                                       .asList(new X509Certificate[]{cert})), role);
                        if (successful) {
                                fail("Validation should not have succeeded.");
                        }
 
-               } catch (MetadataException e) {
+               } catch (MetadataProviderException e) {
                        fail("Error in test specification: " + e);
                } catch (ResourceNotAvailableException e) {
                        fail("Error in test specification: " + e);
@@ -401,10 +401,9 @@ public class TrustTests extends TestCase {
 
                try {
                        // Pull the role descriptor from example metadata
-                       Metadata metadata = new XMLMetadata(new File("data/metadata8.xml").toURL().toString());
-                       EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
-                       SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
-                                       "urn:oasis:names:tc:SAML:1.1:protocol");
+                       MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata8.xml"));
+                       EntityDescriptor entity = metadata.getEntityDescriptor("urn-x:testSP1");
+                       SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
 
                        // Use a pre-defined cert
                        KeyStore keyStore = KeyStore.getInstance("JKS");
@@ -413,13 +412,14 @@ public class TrustTests extends TestCase {
                        X509Certificate cert = (X509Certificate) keyStore.getCertificate("inline4");
 
                        // Try to validate against the metadata
-                       Trust validator = new ShibbolethTrust();
-                       boolean successful = validator.validate(cert, new X509Certificate[]{cert}, role);
+                       TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
+                       boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays
+                                       .asList(new X509Certificate[]{cert})), role);
                        if (!successful) {
                                fail("Validation should have succeeded.");
                        }
 
-               } catch (MetadataException e) {
+               } catch (MetadataProviderException e) {
                        fail("Error in test specification: " + e);
                } catch (ResourceNotAvailableException e) {
                        fail("Error in test specification: " + e);
@@ -438,10 +438,9 @@ public class TrustTests extends TestCase {
 
                try {
                        // Pull the role descriptor from example metadata
-                       Metadata metadata = new XMLMetadata(new File("data/metadata9.xml").toURL().toString());
-                       EntityDescriptor entity = metadata.lookup("Walter Hoehn");
-                       SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
-                                       "urn:oasis:names:tc:SAML:1.1:protocol");
+                       MetadataProvider metadata = new FilesystemMetadataProvider(new File("data/metadata9.xml"));
+                       EntityDescriptor entity = metadata.getEntityDescriptor("Walter Hoehn");
+                       SPSSODescriptor role = (SPSSODescriptor) entity.getSPSSODescriptor("urn:oasis:names:tc:SAML:1.1:protocol");
 
                        // Use a pre-defined cert
                        KeyStore keyStore = KeyStore.getInstance("JKS");
@@ -450,13 +449,14 @@ public class TrustTests extends TestCase {
                        X509Certificate cert = (X509Certificate) keyStore.getCertificate("inliine1");
 
                        // Try to validate against the metadata
-                       Trust validator = new ShibbolethTrust();
-                       boolean successful = validator.validate(cert, new X509Certificate[]{cert}, role);
+                       TrustEngine<X509EntityCredential> validator = new ShibbolethTrustEngine();
+                       boolean successful = validator.validate(new SimpleX509EntityCredential(Arrays
+                                       .asList(new X509Certificate[]{cert})), role);
                        if (!successful) {
                                fail("Validation should have succeeded.");
                        }
 
-               } catch (MetadataException e) {
+               } catch (MetadataProviderException e) {
                        fail("Error in test specification: " + e);
                } catch (ResourceNotAvailableException e) {
                        fail("Error in test specification: " + e);