Working junit tests for pkix validation, both at the entity and entities level.
authorwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Sat, 2 Apr 2005 15:59:20 +0000 (15:59 +0000)
committerwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Sat, 2 Apr 2005 15:59:20 +0000 (15:59 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@1366 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

data/metadata3.xml [new file with mode: 0644]
src/edu/internet2/middleware/shibboleth/common/ShibbolethTrust.java
tests/edu/internet2/middleware/shibboleth/common/TrustTests.java

diff --git a/data/metadata3.xml b/data/metadata3.xml
new file mode 100644 (file)
index 0000000..f7efa5e
--- /dev/null
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" 
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+       xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../schemas/sstc-saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 ../schemas/shibboleth-metadata-1.0.xsd" 
+       Name="urn-x:testFed1" validUntil="3010-01-01T00:00:00Z">
+                <Extensions>
+                       <KeyAuthority xmlns="urn:mace:shibboleth:metadata:1.0" VerifyDepth="0">
+                               <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+                                       <ds:X509Data>
+                                               <ds:X509Certificate>MIIC9zCCArQCBEJMcbswCwYHKoZIzjgEAwUAMGExCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJUTjEQ
+MA4GA1UEBxMHTWVtcGhpczENMAsGA1UEChMEVGVzdDENMAsGA1UECxMEVGVzdDEVMBMGA1UEAxMM
+V2FsdGVyIEhvZWhuMB4XDTA1MDMzMTIxNTUwN1oXDTA1MDYyOTIxNTUwN1owYTELMAkGA1UEBhMC
+VVMxCzAJBgNVBAgTAlROMRAwDgYDVQQHEwdNZW1waGlzMQ0wCwYDVQQKEwRUZXN0MQ0wCwYDVQQL
+EwRUZXN0MRUwEwYDVQQDEwxXYWx0ZXIgSG9laG4wggG3MIIBLAYHKoZIzjgEATCCAR8CgYEA/X9T
+gR11EilS30qcLuzk5/YRt1I870QAwx4/gLZRJmlFXUAiUftZPY1Y+r/F9bow9subVWzXgTuAHTRv
+8mZgt2uZUKWkn5/oBHsQIsJPu6nX/rfGG/g7V+fGqKYVDwT7g/bTxR7DAjVUE1oWkTL2dfOuK2HX
+Ku/yIgMZndFIAccCFQCXYFCPFSMLzLKSuYKi64QL8Fgc9QKBgQD34aCF1ps93su8q1w2uFe5eZSv
+u/o66oL5V0wLPQeCZ1FZV4661FlP5nEHEIGAtEkWcSPoTCgWE7fPCTKMyKbhPBZ6i1R8jSjgo64e
+K7OmdZFuo38L+iE1YvH7YnoBJDvMpPG+qFGQiaiD3+Fa5Z8GkotmXoB7VSVkAUw7/s9JKgOBhAAC
+gYBGtD+qJdBIzaA/a0oeO/LhW06r9dsPz0LnBD7DLZAFaWpMbfaItwXWANCFleNPzou/mU8+bhOe
+FJ+fkGdW4zbg8lzLOOeRduELoO8srzOdyccmRIeRIkDVj0ckienw0skgKgAvilUWkDQcdpLvtfjl
+W7vFedSYzRQiLso+dFHanDALBgcqhkjOOAQDBQADMAAwLQIUU5z1Ppc7gbjkl3PhkiQghUoTm5YC
+FQCVg3Ej3Sdb8FpJwUXoqO4J6FU/UQ==
+</ds:X509Certificate>
+                                       </ds:X509Data>
+                               </ds:KeyInfo>
+                       </KeyAuthority>
+               </Extensions>
+       <EntitiesDescriptor Name="urn-x:testFed2" validUntil="3010-01-01T00:00:00Z">
+               <EntityDescriptor entityID="urn-x:testSP1">
+               <SPSSODescriptor 
+                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
+                       <KeyDescriptor>
+                               <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+                                       <ds:KeyName>CN=Walter Hoehn, OU=Test, O=Test, L=Memphis, ST=TN, C=US</ds:KeyName>
+                               </ds:KeyInfo>
+                       </KeyDescriptor>
+                       <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+                       <AssertionConsumerService index="1" 
+                               Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" 
+                               Location="https://www.example.org/Shibboleth.shire"/>
+               </SPSSODescriptor>
+               
+       </EntityDescriptor>
+       </EntitiesDescriptor>
+</EntitiesDescriptor>
\ No newline at end of file
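Review bot: The KeyAuthority certificate embedded at L26–L39 looks short-lived while the descriptor around it claims validUntil 3010: the base64 near `MB4XDTA1MDMzMTIxNTUwN1oXDTA1MDYyOTIxNTUwN1ow` appears to decode to a validity of 050331215507Z to 050629215507Z, i.e. about ninety days from the commit date. If the fixture certificate in data/trusttest.jks has the same lifetime, testPkixX509CertValidateRecurseEntities will start failing once that window closes, and nothing in the file records why. Regenerating the fixture with a long-lived test CA, or at least noting the expiry in the file, e.g. `<!-- Test-only CA cert; check its notAfter before extending these tests -->`, would make the breakage explainable when it happens. The VerifyDepth="0" attribute on this KeyAuthority is also not yet enforced by ShibbolethTrust (see the `// TODO honor verify depth` in that hunk), so the fixture does not currently exercise depth limiting.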
index 28d9515..651f27f 100644 (file)
@@ -177,15 +177,18 @@ public class ShibbolethTrust extends Trust {
                                CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(certChain));
                                CertPathValidator validator = CertPathValidator.getInstance("PKIX");
                                PKIXParameters params = new PKIXParameters(anchors);
+                               //TODO hmm... what about this
+                               params.setRevocationEnabled(false);
+                               
                                PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(path, params);
 
-                               System.err.println(result.getPolicyTree().getDepth());
+                               //System.err.println(result.getPolicyTree().getDepth());
                                // TODO honor verify depth
                                log.debug("Path successfully validated.");
                                return true;
 
                        } catch (CertPathValidatorException e) {
-                               log.debug("Path failed to validate.");
+                               log.debug("Path failed to validate: " + e);
                        } catch (GeneralSecurityException e) {
                                log.error("Encountered an error during validation: " + e);
                        }
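Review bot: `params.setRevocationEnabled(false);` switches off CRL/OCSP checking for every chain this validator sees, so a revoked certificate in the path still validates, and the `//TODO hmm... what about this` above it does not say that this is the consequence or that it is deliberate. Replace the TODO with a comment that states the trade-off and make the setting configurable rather than hard-coded, e.g. `// Revocation checking is disabled because no CRL/OCSP source is configured; a revoked cert in the chain will still validate. TODO make this a configuration option.`. On the failure branch, `log.debug("Path failed to validate: " + e);` hides a rejected trust path at debug level while the unexpected GeneralSecurityException is logged at error; a rejected path is the event an operator most needs to see, so `log.warn(...)` fits better here. The enclosing method starts and ends outside the hunk, so the provenance of `anchors` and `certChain` cannot be checked from this view.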
index 1b1701e..0324c94 100644 (file)
@@ -55,7 +55,7 @@ import edu.internet2.middleware.shibboleth.xml.Parser;
  */
 public class TrustTests extends TestCase {
 
-       private Parser.DOMParser parser = new Parser.DOMParser(true);
+       private Parser.DOMParser        parser  = new Parser.DOMParser(true);
 
        public TrustTests(String name) {
 
@@ -150,4 +150,78 @@ public class TrustTests extends TestCase {
                        fail("Error in test specification: " + e);
                }
        }
-}
+
+       public void testPkixX509CertValidate() {
+
+               try {
+                       // Pull the role descriptor from example metadata
+                       Metadata metadata = new XMLMetadata(new File("data/metadata2.xml").toURL().toString());
+                       EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
+                       SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
+                                       "urn:oasis:names:tc:SAML:1.1:protocol");
+
+                       // Use a pre-defined cert
+                       KeyStore keyStore = KeyStore.getInstance("JKS");
+                       keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
+                                       new char[]{'t', 'e', 's', 't', '1', '2', '3'});
+                       X509Certificate cert = (X509Certificate) keyStore.getCertificate("inliine1");
+
+                       // Try to validate against the metadata
+                       Trust validator = new ShibbolethTrust();
+                       boolean successful = validator.validate(role, new X509Certificate[]{cert}, KeyDescriptor.ENCRYPTION);
+                       if (!successful) {
+                               fail("Validation should have succeeded.");
+                       }
+
+               } catch (MetadataException e) {
+                       fail("Error in test specification: " + e);
+               } catch (ResourceNotAvailableException e) {
+                       fail("Error in test specification: " + e);
+               } catch (IOException e) {
+                       fail("Error in test specification: " + e);
+               } catch (NoSuchAlgorithmException e) {
+                       fail("Error in test specification: " + e);
+               } catch (CertificateException e) {
+                       fail("Error in test specification: " + e);
+               } catch (KeyStoreException e) {
+                       fail("Error in test specification: " + e);
+               }
+       }
+
+       public void testPkixX509CertValidateRecurseEntities() {
+
+               try {
+                       // Pull the role descriptor from example metadata
+                       Metadata metadata = new XMLMetadata(new File("data/metadata3.xml").toURL().toString());
+                       EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
+                       SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
+                                       "urn:oasis:names:tc:SAML:1.1:protocol");
+
+                       // Use a pre-defined cert
+                       KeyStore keyStore = KeyStore.getInstance("JKS");
+                       keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
+                                       new char[]{'t', 'e', 's', 't', '1', '2', '3'});
+                       X509Certificate cert = (X509Certificate) keyStore.getCertificate("inliine1");
+
+                       // Try to validate against the metadata
+                       Trust validator = new ShibbolethTrust();
+                       boolean successful = validator.validate(role, new X509Certificate[]{cert}, KeyDescriptor.ENCRYPTION);
+                       if (!successful) {
+                               fail("Validation should have succeeded.");
+                       }
+
+               } catch (MetadataException e) {
+                       fail("Error in test specification: " + e);
+               } catch (ResourceNotAvailableException e) {
+                       fail("Error in test specification: " + e);
+               } catch (IOException e) {
+                       fail("Error in test specification: " + e);
+               } catch (NoSuchAlgorithmException e) {
+                       fail("Error in test specification: " + e);
+               } catch (CertificateException e) {
+                       fail("Error in test specification: " + e);
+               } catch (KeyStoreException e) {
+                       fail("Error in test specification: " + e);
+               }
+       }
+}
\ No newline at end of file
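Review bot: testPkixX509CertValidate and testPkixX509CertValidateRecurseEntities are byte-for-byte copies differing only in the metadata file name, including six identical catch clauses each; a private helper taking the metadata path removes the duplication and gives the next negative test (a cert not covered by the KeyAuthority, which neither test exercises yet) somewhere to live. The `keyStore.load(new ShibResource(...).getInputStream(), ...)` call in both tests never closes the stream it opens; holding it in a local and closing it in a finally block keeps the fixture file from staying open across the test run. Both tests pass `KeyDescriptor.ENCRYPTION` as the key use for what the metadata describes as an SP signing-style KeyName; if that is intentional a one-line comment saying so would help, since the use constant decides which KeyDescriptors are consulted. Below is the shape of the helper extraction.
```java
	public void testPkixX509CertValidate() {
		assertValidatesAgainst("data/metadata2.xml");
	}

	public void testPkixX509CertValidateRecurseEntities() {
		assertValidatesAgainst("data/metadata3.xml");
	}

	// Shared body of the two PKIX tests: load the SP role from the given metadata
	// file, read the fixture cert from the test keystore and require
	// ShibbolethTrust to accept it.
	private void assertValidatesAgainst(String metadataPath) {
		try {
			Metadata metadata = new XMLMetadata(new File(metadataPath).toURL().toString());
			// … unchanged: role lookup, keystore load, validate() call and fail() …
		} catch (MetadataException e) {
			fail("Error in test specification: " + e);
		// … unchanged: remaining catch clauses …
		}
	}
```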