2 * Copyright 2001-2006 Internet2
\r
4 * Licensed under the Apache License, Version 2.0 (the "License");
\r
5 * you may not use this file except in compliance with the License.
\r
6 * You may obtain a copy of the License at
\r
8 * http://www.apache.org/licenses/LICENSE-2.0
\r
10 * Unless required by applicable law or agreed to in writing, software
\r
11 * distributed under the License is distributed on an "AS IS" BASIS,
\r
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
13 * See the License for the specific language governing permissions and
\r
14 * limitations under the License.
\r
17 #include "internal.h"
\r
18 #include <saml/SAMLConfig.h>
\r
19 #include <saml/security/AbstractPKIXTrustEngine.h>
\r
20 #include <saml/saml2/metadata/MetadataProvider.h>
\r
22 using namespace opensaml::saml2;
\r
23 using namespace opensaml::saml2md;
\r
24 using namespace xmlsignature;
\r
27 class SampleTrustEngine : public AbstractPKIXTrustEngine {
\r
29 SampleTrustEngine() {}
\r
30 ~SampleTrustEngine() {}
\r
32 class SampleIterator : public PKIXValidationInfoIterator {
\r
33 vector<XSECCryptoX509CRL*> m_crls;
\r
34 KeyResolver::ResolvedCertificates m_certs;
\r
35 KeyResolver* m_resolver;
\r
38 SampleIterator() : m_resolver(NULL), m_done(false) {
\r
39 string config = data_path + "security/FilesystemKeyResolver.xml";
\r
40 ifstream in(config.c_str());
\r
41 DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in);
\r
42 XercesJanitor<DOMDocument> janitor(doc);
\r
43 m_resolver = XMLToolingConfig::getConfig().KeyResolverManager.newPlugin(
\r
44 FILESYSTEM_KEY_RESOLVER,doc->getDocumentElement()
\r
46 m_resolver->resolveCertificates((KeyInfo*)NULL,m_certs);
\r
60 int getVerificationDepth() const {
\r
64 const vector<XSECCryptoX509*>& getTrustAnchors() const {
\r
68 const vector<XSECCryptoX509CRL*>& getCRLs() const {
\r
73 PKIXValidationInfoIterator* getPKIXValidationInfoIterator(const RoleDescriptor& role) const {
\r
74 return new SampleIterator();
\r
79 class AbstractPKIXTrustEngineTest : public CxxTest::TestSuite, public SAMLObjectBaseTestCase {
\r
82 SAMLObjectBaseTestCase::setUp();
\r
86 SAMLObjectBaseTestCase::tearDown();
\r
89 void testExplicitKeyTrustEngine() {
\r
90 string config = data_path + "security/FilesystemMetadataProvider.xml";
\r
91 ifstream in(config.c_str());
\r
92 DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in);
\r
93 XercesJanitor<DOMDocument> janitor(doc);
\r
95 auto_ptr_XMLCh path("path");
\r
96 string s = data_path + "security/example-metadata.xml";
\r
97 auto_ptr_XMLCh file(s.c_str());
\r
98 doc->getDocumentElement()->setAttributeNS(NULL,path.get(),file.get());
\r
100 // Build metadata provider.
\r
101 auto_ptr<MetadataProvider> metadataProvider(
\r
102 SAMLConfig::getConfig().MetadataProviderManager.newPlugin(FILESYSTEM_METADATA_PROVIDER,doc->getDocumentElement())
\r
105 metadataProvider->init();
\r
107 catch (XMLToolingException& ex) {
\r
108 TS_TRACE(ex.what());
\r
112 // Build trust engine.
\r
113 auto_ptr<opensaml::TrustEngine> trustEngine(new SampleTrustEngine());
\r
115 // Get signed assertion.
\r
116 config = data_path + "signature/SAML2Assertion.xml";
\r
117 ifstream in2(config.c_str());
\r
118 DOMDocument* doc2=XMLToolingConfig::getConfig().getParser().parse(in2);
\r
119 XercesJanitor<DOMDocument> janitor2(doc2);
\r
120 auto_ptr<Assertion> assertion(dynamic_cast<Assertion*>(XMLObjectBuilder::getBuilder(doc2->getDocumentElement())->buildFromDocument(doc2)));
\r
121 janitor2.release();
\r
123 Locker locker(metadataProvider.get());
\r
124 const EntityDescriptor* descriptor = metadataProvider->getEntityDescriptor("https://idp.example.org");
\r
125 TSM_ASSERT("Retrieved entity descriptor was null", descriptor!=NULL);
\r
127 RoleDescriptor* role=descriptor->getIDPSSODescriptors().front();
\r
128 TSM_ASSERT("Role not present", role!=NULL);
\r
130 Signature* sig=assertion->getSignature();
\r
131 TSM_ASSERT("Signature not present", sig!=NULL);
\r
132 TSM_ASSERT("Signature failed to validate.", trustEngine->validate(*sig, *role, metadataProvider->getKeyResolver()));
\r
134 descriptor = metadataProvider->getEntityDescriptor("https://idp2.example.org");
\r
135 TSM_ASSERT("Retrieved entity descriptor was null", descriptor!=NULL);
\r
137 role=descriptor->getIDPSSODescriptors().front();
\r
138 TSM_ASSERT("Role not present", role!=NULL);
\r
140 TSM_ASSERT("Signature validated.", !trustEngine->validate(*sig, *role, metadataProvider->getKeyResolver()));
\r