From 8a7eb21be973c2f1601e70a8bc29279413c8d294 Mon Sep 17 00:00:00 2001
From: wassa
Date: Fri, 14 Oct 2005 16:09:06 +0000
Subject: [PATCH] Unit test to protect against recently introduced regression bug (metadata keyname matching was turned off for the IdP).

git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@1880 ab3bd59b-922f-494d-bb5f-6f0a3c29deca
---
 data/metadata11.xml | 67 ++++++++++++++++++++
 .../middleware/shibboleth/common/TrustTests.java | 55 ++++++++++++----
 2 files changed, 110 insertions(+), 12 deletions(-)
 create mode 100644 data/metadata11.xml

diff --git a/data/metadata11.xml b/data/metadata11.xml
new file mode 100644
index 0000000..87f637d
--- /dev/null
+++ b/data/metadata11.xml
@@ -0,0 +1,67 @@ + + + + + + + + + MIIC6zCCAlSgAwIBAgICAlQwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVT +MRIwEAYDVQQIEwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlzb24xIDAeBgNVBAoT +F1VuaXZlcnNpdHkgb2YgV2lzY29uc2luMSswKQYDVQQLEyJEaXZpc2lvbiBvZiBJ +bmZvcm1hdGlvbiBUZWNobm9sb2d5MSUwIwYDVQQDExxIRVBLSSBNYXN0ZXIgQ0Eg +LS0gMjAwMjA3MDFBMB4XDTAyMDYzMDIyMTYzOVoXDTI5MTExNjIyMTYzOVowgakx +CzAJBgNVBAYTAlVTMRIwEAYDVQQIEwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlz +b24xIDAeBgNVBAoTF1VuaXZlcnNpdHkgb2YgV2lzY29uc2luMSswKQYDVQQLEyJE +aXZpc2lvbiBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MSUwIwYDVQQDExxIRVBL +SSBNYXN0ZXIgQ0EgLS0gMjAwMjA3MDFBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB +iQKBgQDJ3FDZym9Ja94DP7TUZXf3Vu3CZwqZzYThgjUT2eBJBYVALISSJ+RjJ2j2 +CYpq3wesSgWHqfrpPnTgTBvn5ZZF9diX6ipAmC0H75nySDY8B5AN1RbmPsAZ51F9 +7Eo+6JZ59BFYgowGXyQpMfhBykBSySnvnOX5ygTCz20LwKkErQIDAQABoyAwHjAP +BgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBpjANBgkqhkiG9w0BAQQFAAOBgQB1 +8ZXB+KeXbDVkz+b2xVXYmJiWrp73IOvi3DuIuX1n88tbIH0ts7dJLEqr+c0owgtu +QBqLb9DfPG2GkJ1uOK75wPY6XWusCKDJKMVY/N4ec9ew55MnDlFFvl4C+LkiS2YS +Ysrh7fFJKKp7Pkc1fxsusK+MBXjVZtq0baXsU637qw== + + + + + MIIC6zCCAlSgAwIBAgICAlYwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVT +MRIwEAYDVQQIEwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlzb24xIDAeBgNVBAoT +F1VuaXZlcnNpdHkgb2YgV2lzY29uc2luMSswKQYDVQQLEyJEaXZpc2lvbiBvZiBJ +bmZvcm1hdGlvbiBUZWNobm9sb2d5MSUwIwYDVQQDExxIRVBLSSBNYXN0ZXIgQ0Eg +LS0gMjAwMjA3MDFBMB4XDTAyMDYzMDIyMzIxNFoXDTI3MDIyMDIyMzIxNFowgakx +CzAJBgNVBAYTAlVTMRIwEAYDVQQIEwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlz +b24xIDAeBgNVBAoTF1VuaXZlcnNpdHkgb2YgV2lzY29uc2luMSswKQYDVQQLEyJE +aXZpc2lvbiBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MSUwIwYDVQQDExxIRVBL +SSBTZXJ2ZXIgQ0EgLS0gMjAwMjA3MDFBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB +iQKBgQCvImusW7uaRS7xLsi2ZzZuUz6gbfATwxwvtQ+8cuyDpRlhvr1qnghC9Enj +RH9qpq/Z5FVZ5bqyGziCy0kEPt+2WiZMGRiQEzloi5HNEtz1Nlc7FCJ0HATxtkEU +hQ96v2DmoIEogPINqLICIqfiraPWFHOp6qDritrdj/fwLptQawIDAQABoyAwHjAP +BgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBpjANBgkqhkiG9w0BAQQFAAOBgQAt 
+txlP3fTyIVMAIm8ddE8Bvk0/5Bhn5KvMAOMtnlCEArcFd4/m+pU4vEDwK6JSIoKf +N/ySLXlu5ItApeJMWhcqvrczq5BF4/WQZukC1ha6FS2cAmjy35jYWMfVWcdBi9Yi +M4SJ6gjGf83y9axPpuHcjwxQ5fLqZfnvrWH+1owJhQ== + + + + + + + + + foo.memphis.edu + + + urn:mace:shibboleth:1.0:nameIdentifier + + + + + diff --git a/tests/edu/internet2/middleware/shibboleth/common/TrustTests.java b/tests/edu/internet2/middleware/shibboleth/common/TrustTests.java index 62cc4c6..a31d6ed 100644 --- a/tests/edu/internet2/middleware/shibboleth/common/TrustTests.java +++ b/tests/edu/internet2/middleware/shibboleth/common/TrustTests.java @@ -1,16 +1,9 @@ /* - * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.] - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and + * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.] Licensed under the Apache License, + * Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in + * writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS + * OF ANY KIND, either express or implied. See the License for the specific language governing permissions and * limitations under the License. */ 
@@ -254,6 +247,43 @@ public class TrustTests extends TestCase {
 }
 }
+ public void testPkixX509CertFailBadNameMatch() {
+
+ try {
+ // Pull the role descriptor from example metadata
+ Metadata metadata = new XMLMetadata(new File("data/metadata11.xml").toURL().toString());
+ EntityDescriptor entity = metadata.lookup("urn-x:testSP1");
+ SPSSODescriptor role = (SPSSODescriptor) entity.getRoleByType(SPSSODescriptor.class,
+ "urn:oasis:names:tc:SAML:1.1:protocol");
+
+ // Use a pre-defined cert
+ KeyStore keyStore = KeyStore.getInstance("JKS");
+ keyStore.load(new ShibResource(new File("data/trusttest.jks").toURL().toString()).getInputStream(),
+ new char[]{'t', 'e', 's', 't', '1', '2', '3'});
+ X509Certificate cert = (X509Certificate) keyStore.getCertificate("inline3");
+
+ // Try to validate against the metadata
+ Trust validator = new ShibbolethTrust();
+ boolean successful = validator.validate(cert, new X509Certificate[]{cert}, role);
+ if (successful) {
+ fail("Validation should have failed. DN in cert does not match the metadata.");
+ }
+
+ } catch (MetadataException e) {
+ fail("Error in test specification: " + e);
+ } catch (ResourceNotAvailableException e) {
+ fail("Error in test specification: " + e);
+ } catch (IOException e) {
+ fail("Error in test specification: " + e);
+ } catch (NoSuchAlgorithmException e) {
+ fail("Error in test specification: " + e);
+ } catch (CertificateException e) {
+ fail("Error in test specification: " + e);
+ } catch (KeyStoreException e) {
+ fail("Error in test specification: " + e);
+ }
+ }
+
 public void testPkixX509CertFailValidateWithPathTooLong() {
 try {
@@ -440,4 +470,5 @@ public class TrustTests extends TestCase {
 fail("Error in test specification: " + e);
 }
 }
+
 }
\ No newline at end of file
--
1.7.10.4
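Review bot: In `testPkixX509CertFailBadNameMatch` a `false` from `validator.validate(...)` is treated as proof that key-name matching rejected the certificate, but nothing checks that the inputs were actually loaded. `KeyStore.getCertificate("inline3")` returns null when the alias is absent, and whether `getRoleByType(...)` can return null is not visible here. If `validate` answers `false` for such inputs (its body is outside this hunk), the test would pass without exercising name matching, which is the regression it is meant to guard. Add `assertNotNull("SP role missing from metadata11.xml", role);` and `assertNotNull("alias inline3 missing from trusttest.jks", cert);` before the `validate` call. A short comment stating that `inline3` is expected to chain to the authorities in `metadata11.xml`, so that the `foo.memphis.edu` key name is the only reason for rejection, would make the intent checkable; that expectation is inferred from the fixture and should be confirmed.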