More junit tests.
authorwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Sun, 3 Apr 2005 06:04:43 +0000 (06:04 +0000)
committerwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Sun, 3 Apr 2005 06:04:43 +0000 (06:04 +0000)
Fixed a bug in path validation.
First stab at chain length constraints.

git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@1368 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

data/metadata2.xml
data/metadata3.xml
data/metadata4.xml
data/metadata5.xml [new file with mode: 0644]
data/metadata6.xml [new file with mode: 0644]
data/trusttest.jks
src/edu/internet2/middleware/shibboleth/common/ShibbolethTrust.java
tests/edu/internet2/middleware/shibboleth/common/TrustTests.java

index 6ca85a6..bb1ecb4 100644 (file)
@@ -5,7 +5,7 @@
        Name="urn-x:testFed1" validUntil="3010-01-01T00:00:00Z">
        <EntityDescriptor entityID="urn-x:testSP1">
                 <Extensions>
-                       <KeyAuthority xmlns="urn:mace:shibboleth:metadata:1.0" VerifyDepth="0">
+                       <KeyAuthority xmlns="urn:mace:shibboleth:metadata:1.0">
                                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                                        <ds:X509Data>
                                                <ds:X509Certificate>MIIC9zCCArQCBEJMcbswCwYHKoZIzjgEAwUAMGExCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJUTjEQ
index f7efa5e..25b66ce 100644 (file)
@@ -4,7 +4,7 @@
        xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../schemas/sstc-saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 ../schemas/shibboleth-metadata-1.0.xsd" 
        Name="urn-x:testFed1" validUntil="3010-01-01T00:00:00Z">
                 <Extensions>
-                       <KeyAuthority xmlns="urn:mace:shibboleth:metadata:1.0" VerifyDepth="0">
+                       <KeyAuthority xmlns="urn:mace:shibboleth:metadata:1.0">
                                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                                        <ds:X509Data>
                                                <ds:X509Certificate>MIIC9zCCArQCBEJMcbswCwYHKoZIzjgEAwUAMGExCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJUTjEQ
index e785edc..071d377 100644 (file)
@@ -5,7 +5,7 @@
        Name="urn-x:testFed1" validUntil="3010-01-01T00:00:00Z">
        <EntityDescriptor entityID="urn-x:testSP1">
                 <Extensions>
-                       <KeyAuthority xmlns="urn:mace:shibboleth:metadata:1.0" VerifyDepth="0">
+                       <KeyAuthority xmlns="urn:mace:shibboleth:metadata:1.0">
                                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
                 <!-- HEPKI Master Test CA -->
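Review bot: Removing `VerifyDepth="0"` here makes testPkixX509CertValidateWithCAPath (which loads metadata4.xml) depend on whatever getVerifyDepth() returns when the attribute is absent, and that default is not visible in this change. Because VerifyDepth is now fed straight into PKIX maxPathLength, the default decides whether client-supplied intermediates are accepted at all, so a test fixture for path validation should state the depth explicitly rather than rely on the schema or code default; if unlimited is intended, an explicit `VerifyDepth="-1"` (or whatever value the implementation treats as unlimited) plus a one-line XML comment would make the expectation visible.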
diff --git a/data/metadata5.xml b/data/metadata5.xml
new file mode 100644 (file)
index 0000000..7670cc9
--- /dev/null
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" 
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+       xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../schemas/sstc-saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 ../schemas/shibboleth-metadata-1.0.xsd" 
+       Name="urn-x:testFed1" validUntil="3010-01-01T00:00:00Z">
+       <EntityDescriptor entityID="urn-x:testSP1">
+                <Extensions>
+                       <KeyAuthority xmlns="urn:mace:shibboleth:metadata:1.0">
+                               <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+           <ds:X509Data>
+                <!-- HEPKI Master Test CA -->
+                <ds:X509Certificate>MIIC6zCCAlSgAwIBAgICAlQwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVT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+</ds:X509Certificate>
+            </ds:X509Data>
+                               </ds:KeyInfo>
+                       </KeyAuthority>
+               </Extensions>
+               <SPSSODescriptor 
+                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
+                       <KeyDescriptor>
+                               <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+                                       <ds:KeyName>wraith.memphis.edu</ds:KeyName>
+                               </ds:KeyInfo>
+                       </KeyDescriptor>
+                       <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+                       <AssertionConsumerService index="1" 
+                               Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" 
+                               Location="https://www.example.org/Shibboleth.shire"/>
+               </SPSSODescriptor>
+               
+       </EntityDescriptor>
+</EntitiesDescriptor>
\ No newline at end of file
diff --git a/data/metadata6.xml b/data/metadata6.xml
new file mode 100644 (file)
index 0000000..8471961
--- /dev/null
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" 
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+       xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../schemas/sstc-saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 ../schemas/shibboleth-metadata-1.0.xsd" 
+       Name="urn-x:testFed1" validUntil="3010-01-01T00:00:00Z">
+       <EntityDescriptor entityID="urn-x:testSP1">
+                <Extensions>
+                       <KeyAuthority xmlns="urn:mace:shibboleth:metadata:1.0" VerifyDepth="0">
+                               <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+           <ds:X509Data>
+                <!-- HEPKI Master Test CA -->
+                <ds:X509Certificate>MIIC6zCCAlSgAwIBAgICAlQwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVT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+</ds:X509Certificate>
+            </ds:X509Data>
+                               </ds:KeyInfo>
+                       </KeyAuthority>
+               </Extensions>
+               <SPSSODescriptor 
+                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
+                       <KeyDescriptor>
+                               <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+                                       <ds:KeyName>wraith.memphis.edu</ds:KeyName>
+                               </ds:KeyInfo>
+                       </KeyDescriptor>
+                       <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+                       <AssertionConsumerService index="1" 
+                               Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" 
+                               Location="https://www.example.org/Shibboleth.shire"/>
+               </SPSSODescriptor>
+               
+       </EntityDescriptor>
+</EntitiesDescriptor>
\ No newline at end of file
index 16c0ca6..ec06b00 100644 (file)
Binary files a/data/trusttest.jks and b/data/trusttest.jks differ
index 327deed..1399d21 100644 (file)
@@ -31,8 +31,8 @@ import java.security.cert.CertPathValidator;
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.CertificateParsingException;
+import java.security.cert.PKIXBuilderParameters;
 import java.security.cert.PKIXCertPathValidatorResult;
-import java.security.cert.PKIXParameters;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
@@ -50,7 +50,8 @@ import org.apache.log4j.Logger;
 import org.apache.xml.security.exceptions.XMLSecurityException;
 import org.apache.xml.security.keys.KeyInfo;
 import org.apache.xml.security.keys.content.KeyName;
-import org.apache.xml.security.keys.keyresolver.KeyResolverException;
+import org.apache.xml.security.keys.content.X509Data;
+import org.apache.xml.security.keys.content.x509.XMLX509Certificate;
 
 import edu.internet2.middleware.shibboleth.metadata.EntitiesDescriptor;
 import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
@@ -163,8 +164,16 @@ public class ShibbolethTrust extends Trust {
                        KeyInfo keyInfo = (KeyInfo) keyInfos.next();
                        if (keyInfo.containsX509Data()) {
                                try {
-                                       anchors.add(new TrustAnchor(keyInfo.getX509Certificate(), null));
-                               } catch (KeyResolverException e) {
+                                       for (int i = 0; i < keyInfo.lengthX509Data(); i++) {
+                                               X509Data data = keyInfo.itemX509Data(i);
+                                               if (data.containsCertificate()) {
+                                                       for (int j = 0; j < data.lengthCertificate(); j++) {
+                                                               XMLX509Certificate xmlCert = data.itemCertificate(j);
+                                                               anchors.add(new TrustAnchor(xmlCert.getX509Certificate(), null));
+                                                       }
+                                               }
+                                       }
+                               } catch (XMLSecurityException e) {
                                        log.error("Encountered an error constructing trust list from shibboleth metadata: " + e);
                                }
                        }
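Review bot: The try/catch wraps both loops, so a single XMLSecurityException from one malformed certificate on L158 abandons every remaining X509Data entry in that KeyInfo; the other anchors in the same KeyAuthority are silently dropped with only a log line, and `log.error("..." + e)` discards the stack trace. Fewer anchors fails closed, so this is not exploitable, but it makes one metadata typo look like a trust failure for unrelated CAs; moving the try inside the inner loop, `try { anchors.add(new TrustAnchor(xmlCert.getX509Certificate(), null)); } catch (XMLSecurityException e) { log.error("Skipping unparseable certificate in KeyAuthority", e); }`, keeps the remaining anchors and logs the cause. Note also that every certificate listed under a KeyAuthority now becomes a TrustAnchor with no name constraints (the `null` second argument), so an operator who pastes an intermediate into the KeyAuthority to help path building promotes it to a trust anchor; a comment stating that this is the intended semantics of KeyAuthority would help. The enclosing method starts and ends outside the hunk.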
@@ -176,14 +185,14 @@ public class ShibbolethTrust extends Trust {
                        try {
                                CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(certChain));
                                CertPathValidator validator = CertPathValidator.getInstance("PKIX");
-                               PKIXParameters params = new PKIXParameters(anchors);
-                               //TODO hmm... what about this
+
+                               PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, null);
+                               params.setMaxPathLength(authority.getVerifyDepth());
+                               //System.err.println(params.toString());
+                               //TODO hmm... what about revocation
                                params.setRevocationEnabled(false);
-                               //TODO todo do we care about usage bits at all?
-                               PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(path, params);
 
-                               System.err.println(result.getPolicyTree());
-                               // TODO honor verify depth
+                               PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(path, params);
                                log.debug("Path successfully validated.");
                                return true;
 
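Review bot: `params.setMaxPathLength(authority.getVerifyDepth())` on L174 passes the metadata attribute straight through, but PKIX maxPathLength counts only non-self-issued intermediate CA certificates (the end-entity cert is not counted, -1 means unlimited, and any other negative value throws IllegalArgumentException, which this hunk does not catch), so the mapping deserves a comment such as `// VerifyDepth maps onto PKIX maxPathLength: number of intermediate CA certs allowed between the end-entity cert and a trust anchor; 0 = must be issued directly by an anchor, -1 = unlimited` and the behaviour for an absent attribute (metadata5.xml relies on it) should be stated. The hunk also drops the "usage bits" TODO without adding any key-usage or extended-key-usage check; if that is deferred, keep the TODO rather than removing it silently. Revocation stays disabled on L177 and the whole chain, intermediate included, is supplied by the peer, so until CRL/OCSP checking is wired in a revoked intermediate or end-entity certificate is still accepted; that limitation should be documented next to `setRevocationEnabled(false)`. The enclosing validate method starts and ends outside the hunk.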
@@ -251,4 +260,4 @@ public class ShibbolethTrust extends Trust {
                return matches.group(1);
        }
 
-}
+}
\ No newline at end of file
index 176d400..1aef4bd 100644 (file)
@@ -55,7 +55,7 @@ import edu.internet2.middleware.shibboleth.xml.Parser;
  */
 public class TrustTests extends TestCase {
 
-       private Parser.DOMParser        parser  = new Parser.DOMParser(true);
+       private Parser.DOMParser parser = new Parser.DOMParser(true);
 
        public TrustTests(String name) {
 
@@ -224,9 +224,9 @@ public class TrustTests extends TestCase {
                        fail("Error in test specification: " + e);
                }
        }
-       
-       public void testPkixX509CertValidateWithCAs() {
-               Logger.getRootLogger().setLevel(Level.DEBUG);
+
+       public void testPkixX509CertValidateWithCAPath() {
+
                try {
                        // Pull the role descriptor from example metadata
                        Metadata metadata = new XMLMetadata(new File("data/metadata4.xml").toURL().toString());
@@ -260,6 +260,83 @@ public class TrustTests extends TestCase {
                } catch (KeyStoreException e) {
                        fail("Error in test specification: " + e);
                }
-               Logger.getRootLogger().setLevel(Level.OFF);
+       }
+       
+       public void testPkixX509CertFailValidateWithPathTooLong() {
+
+               try {
+                       // Pull the role descriptor from example metadata
+                       Metadata metadata = new XMLMetadata(new File("data/metadata6.xml").toURL().toString());
+                       EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
+                       SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
+                                       "urn:oasis:names:tc:SAML:1.1:protocol");
+
+                       // Use a pre-defined cert
+                       KeyStore keyStore = KeyStore.getInstance("JKS");
+                       keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
+                                       new char[]{'t', 'e', 's', 't', '1', '2', '3'});
+                       X509Certificate endEntity = (X509Certificate) keyStore.getCertificate("inline3");
+                       X509Certificate intermediate = (X509Certificate) keyStore.getCertificate("im");
+
+                       // Try to validate against the metadata
+                       Trust validator = new ShibbolethTrust();
+                       boolean successful = validator.validate(role, new X509Certificate[]{endEntity, intermediate},
+                                       KeyDescriptor.ENCRYPTION);
+                       if (successful) {
+                               fail("Validation should not have succeeded.");
+                       }
+
+               } catch (MetadataException e) {
+                       fail("Error in test specification: " + e);
+               } catch (ResourceNotAvailableException e) {
+                       fail("Error in test specification: " + e);
+               } catch (IOException e) {
+                       fail("Error in test specification: " + e);
+               } catch (NoSuchAlgorithmException e) {
+                       fail("Error in test specification: " + e);
+               } catch (CertificateException e) {
+                       fail("Error in test specification: " + e);
+               } catch (KeyStoreException e) {
+                       fail("Error in test specification: " + e);
+               }
+       }
+
+       public void testPkixX509CertValidateWithClientSuppliedIntermediate() {
+
+               try {
+                       // Pull the role descriptor from example metadata
+                       Metadata metadata = new XMLMetadata(new File("data/metadata5.xml").toURL().toString());
+                       EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
+                       SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
+                                       "urn:oasis:names:tc:SAML:1.1:protocol");
+
+                       // Use a pre-defined cert
+                       KeyStore keyStore = KeyStore.getInstance("JKS");
+                       keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
+                                       new char[]{'t', 'e', 's', 't', '1', '2', '3'});
+                       X509Certificate endEntity = (X509Certificate) keyStore.getCertificate("inline3");
+                       X509Certificate intermediate = (X509Certificate) keyStore.getCertificate("im");
+
+                       // Try to validate against the metadata
+                       Trust validator = new ShibbolethTrust();
+                       boolean successful = validator.validate(role, new X509Certificate[]{endEntity, intermediate},
+                                       KeyDescriptor.ENCRYPTION);
+                       if (!successful) {
+                               fail("Validation should have succeeded.");
+                       }
+
+               } catch (MetadataException e) {
+                       fail("Error in test specification: " + e);
+               } catch (ResourceNotAvailableException e) {
+                       fail("Error in test specification: " + e);
+               } catch (IOException e) {
+                       fail("Error in test specification: " + e);
+               } catch (NoSuchAlgorithmException e) {
+                       fail("Error in test specification: " + e);
+               } catch (CertificateException e) {
+                       fail("Error in test specification: " + e);
+               } catch (KeyStoreException e) {
+                       fail("Error in test specification: " + e);
+               }
        }
 }
\ No newline at end of file
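Review bot: testPkixX509CertFailValidateWithPathTooLong (L224-L261) only asserts that validate() returned false, so it passes for any failure reason: KeyStore.getCertificate returns null for an unknown alias, and a missing "inline3" or "im" entry in the updated trusttest.jks would make the test pass without ever exercising the VerifyDepth="0" constraint. Assert the fixtures first, `assertNotNull(endEntity); assertNotNull(intermediate);`, so the negative test can only succeed because the chain was rejected, and rely on testPkixX509CertValidateWithClientSuppliedIntermediate as the positive control for the same chain. The two new tests differ only in the metadata file and the expected outcome; a private helper taking the metadata path and expected result would remove the duplicated keystore loading and catch ladder.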