2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
21 #include "XMLObjectBaseTestCase.h"
23 #include <xmltooling/security/ChainingTrustEngine.h>
24 #include <xmltooling/security/CredentialResolver.h>
25 #include <xmltooling/security/SecurityHelper.h>
28 #include <xsec/enc/XSECCryptoKey.hpp>
29 #include <xsec/enc/XSECCryptoX509.hpp>
31 class PKIXEngineTest : public CxxTest::TestSuite {
33 X509TrustEngine* buildTrustEngine(const char* filename) {
34 string config = data_path + "x509/" + filename + ".xml";
35 ifstream in(config.c_str());
36 DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in);
37 XercesJanitor<DOMDocument> janitor(doc);
38 return dynamic_cast<X509TrustEngine*>(
39 XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(
40 STATIC_PKIX_TRUSTENGINE, doc->getDocumentElement()
45 CredentialResolver* m_dummy;
46 ChainingTrustEngine* m_chain;
47 XSECCryptoX509* m_ee; // end entity
48 XSECCryptoX509* m_int1; // any policy
49 XSECCryptoX509* m_int2; // explicit policy
50 XSECCryptoX509* m_int3; // policy mapping
54 m_dummy = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(DUMMY_CREDENTIAL_RESOLVER, nullptr);
55 m_chain = dynamic_cast<ChainingTrustEngine*>(XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(CHAINING_TRUSTENGINE, nullptr));
57 m_ee = m_int1 = m_int2 = m_int3 = nullptr;
58 vector<XSECCryptoX509*> certs;
59 string pathname = data_path + "x509/mdt-signer.crt.pem";
60 SecurityHelper::loadCertificatesFromFile(certs, pathname.c_str());
61 pathname = data_path + "x509/mdt-ica.1.crt.pem";
62 SecurityHelper::loadCertificatesFromFile(certs, pathname.c_str());
63 pathname = data_path + "x509/mdt-ica.2.crt.pem";
64 SecurityHelper::loadCertificatesFromFile(certs, pathname.c_str());
65 pathname = data_path + "x509/mdt-ica.3.crt.pem";
66 SecurityHelper::loadCertificatesFromFile(certs, pathname.c_str());
83 void testAnyPolicy() {
84 TrustEngine* trust = buildTrustEngine("AnyPolicy");
85 m_chain->addTrustEngine(trust);
87 vector<XSECCryptoX509*> untrusted(1, m_int1);
88 TSM_ASSERT("PKIX validation failed", m_chain->validate(m_ee, untrusted, *m_dummy));
90 TSM_ASSERT_EQUALS("Trust engine removal failed", m_chain->removeTrustEngine(trust), trust);
94 void testExplicitPolicy() {
95 TrustEngine* trust = buildTrustEngine("ExplicitPolicy");
96 m_chain->addTrustEngine(trust);
98 vector<XSECCryptoX509*> untrusted(1, m_int1);
99 TSM_ASSERT("PKIX validation succeeded despite anyPolicyInhibit", !m_chain->validate(m_ee, untrusted, *m_dummy));
101 untrusted[0] = m_int2;
102 TSM_ASSERT("PKIX validation failed", m_chain->validate(m_ee, untrusted, *m_dummy));
104 untrusted[0] = m_int3;
105 TSM_ASSERT("PKIX validation failed", m_chain->validate(m_ee, untrusted, *m_dummy));
107 TSM_ASSERT_EQUALS("Trust engine removal failed", m_chain->removeTrustEngine(trust), trust);
111 void testExplicitPolicyMap() {
112 TrustEngine* trust = buildTrustEngine("ExplicitPolicyMap");
113 m_chain->addTrustEngine(trust);
115 vector<XSECCryptoX509*> untrusted(1, m_int3);
116 TSM_ASSERT("PKIX validation failed", m_chain->validate(m_ee, untrusted, *m_dummy));
118 TSM_ASSERT_EQUALS("Trust engine removal failed", m_chain->removeTrustEngine(trust), trust);
122 void testExplicitPolicyNoMap() {
123 TrustEngine* trust = buildTrustEngine("ExplicitPolicyNoMap");
124 m_chain->addTrustEngine(trust);
126 vector<XSECCryptoX509*> untrusted(1, m_int3);
127 TSM_ASSERT("PKIX validation succeeded despite policyMappingInhibit", !m_chain->validate(m_ee, untrusted, *m_dummy));
129 TSM_ASSERT_EQUALS("Trust engine removal failed", m_chain->removeTrustEngine(trust), trust);