2 * Copyright 2001-2007 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 #include <saml/SAMLConfig.h>
19 #include <saml/saml2/metadata/Metadata.h>
20 #include <saml/saml2/metadata/MetadataCredentialCriteria.h>
21 #include <saml/saml2/metadata/MetadataProvider.h>
22 #include <xmltooling/security/AbstractPKIXTrustEngine.h>
23 #include <xmltooling/security/X509Credential.h>
25 using namespace opensaml::saml2;
26 using namespace opensaml::saml2md;
27 using namespace xmlsignature;
30 class SampleTrustEngine : public AbstractPKIXTrustEngine {
32 SampleTrustEngine() {}
33 ~SampleTrustEngine() {}
35 class SampleIterator : public PKIXValidationInfoIterator {
36 CredentialResolver* m_resolver;
37 mutable vector<XSECCryptoX509CRL*> m_crls;
40 SampleIterator() : m_resolver(NULL), m_done(false) {
41 string config = data_path + "security/FilesystemCredentialResolver.xml";
42 ifstream in(config.c_str());
43 DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in);
44 XercesJanitor<DOMDocument> janitor(doc);
45 m_resolver = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(
46 FILESYSTEM_CREDENTIAL_RESOLVER,doc->getDocumentElement()
63 int getVerificationDepth() const {
67 const vector<XSECCryptoX509*>& getTrustAnchors() const {
68 return dynamic_cast<const X509Credential*>(m_resolver->resolve())->getEntityCertificateChain();
71 const vector<XSECCryptoX509CRL*>& getCRLs() const {
72 XSECCryptoX509CRL* crl = dynamic_cast<const X509Credential*>(m_resolver->resolve())->getCRL();
74 m_crls.push_back(crl);
79 PKIXValidationInfoIterator* getPKIXValidationInfoIterator(
80 const CredentialResolver& credResolver, CredentialCriteria* criteria=NULL, const KeyInfoResolver* keyInfoResolver=NULL
82 dynamic_cast<const MetadataCredentialCriteria*>(criteria);
83 return new SampleIterator();
88 class AbstractPKIXTrustEngineTest : public CxxTest::TestSuite, public SAMLObjectBaseTestCase {
91 SAMLObjectBaseTestCase::setUp();
95 SAMLObjectBaseTestCase::tearDown();
98 void testAbstractPKIXTrustEngine() {
99 string config = data_path + "security/XMLMetadataProvider.xml";
100 ifstream in(config.c_str());
101 DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in);
102 XercesJanitor<DOMDocument> janitor(doc);
104 auto_ptr_XMLCh path("path");
105 string s = data_path + "security/example-metadata.xml";
106 auto_ptr_XMLCh file(s.c_str());
107 doc->getDocumentElement()->setAttributeNS(NULL,path.get(),file.get());
109 // Build metadata provider.
110 auto_ptr<MetadataProvider> metadataProvider(
111 opensaml::SAMLConfig::getConfig().MetadataProviderManager.newPlugin(XML_METADATA_PROVIDER,doc->getDocumentElement())
114 metadataProvider->init();
116 catch (XMLToolingException& ex) {
121 // Build trust engine.
122 auto_ptr<TrustEngine> trustEngine(new SampleTrustEngine());
124 // Get signed assertion.
125 config = data_path + "signature/SAML2Assertion.xml";
126 ifstream in2(config.c_str());
127 DOMDocument* doc2=XMLToolingConfig::getConfig().getParser().parse(in2);
128 XercesJanitor<DOMDocument> janitor2(doc2);
129 auto_ptr<Assertion> assertion(dynamic_cast<Assertion*>(XMLObjectBuilder::getBuilder(doc2->getDocumentElement())->buildFromDocument(doc2)));
132 Locker locker(metadataProvider.get());
133 const EntityDescriptor* descriptor = metadataProvider->getEntityDescriptor("https://idp.example.org");
134 TSM_ASSERT("Retrieved entity descriptor was null", descriptor!=NULL);
136 RoleDescriptor* role=descriptor->getIDPSSODescriptors().front();
137 TSM_ASSERT("Role not present", role!=NULL);
139 Signature* sig=assertion->getSignature();
140 TSM_ASSERT("Signature not present", sig!=NULL);
142 MetadataCredentialCriteria cc(*role);
143 cc.setPeerName("https://idp.example.org");
144 TSM_ASSERT("Signature failed to validate.", trustEngine->validate(*sig, *metadataProvider, &cc));
146 descriptor = metadataProvider->getEntityDescriptor("https://idp2.example.org");
147 TSM_ASSERT("Retrieved entity descriptor was null", descriptor!=NULL);
149 role=descriptor->getIDPSSODescriptors().front();
150 TSM_ASSERT("Role not present", role!=NULL);
152 MetadataCredentialCriteria cc2(*role);
153 cc2.setPeerName("https://idp2.example.org");
154 TSM_ASSERT("Signature validated.", !trustEngine->validate(*sig, *metadataProvider, &cc2));