xmltoolingtest/PKIXEngineTest.h

   1 /**
   2  * Licensed to the University Corporation for Advanced Internet
   3  * Development, Inc. (UCAID) under one or more contributor license
   4  * agreements. See the NOTICE file distributed with this work for
   5  * additional information regarding copyright ownership.
   6  *
   7  * UCAID licenses this file to you under the Apache License,
   8  * Version 2.0 (the "License"); you may not use this file except
   9  * in compliance with the License. You may obtain a copy of the
  10  * License at
  11  *
  12  * http://www.apache.org/licenses/LICENSE-2.0
  13  *
  14  * Unless required by applicable law or agreed to in writing,
  15  * software distributed under the License is distributed on an
  16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
  17  * either express or implied. See the License for the specific
  18  * language governing permissions and limitations under the License.
  19  */
  20
  21 #include "XMLObjectBaseTestCase.h"
  22
  23 #include <xmltooling/security/ChainingTrustEngine.h>
  24 #include <xmltooling/security/CredentialResolver.h>
  25 #include <xmltooling/security/SecurityHelper.h>
  26
  27 #include <fstream>
  28 #include <xsec/enc/XSECCryptoKey.hpp>
  29 #include <xsec/enc/XSECCryptoX509.hpp>
  30
  31 class PKIXEngineTest : public CxxTest::TestSuite {
  32
  33     X509TrustEngine* buildTrustEngine(const char* filename) {
  34         string config = data_path + "x509/" + filename + ".xml";
  35         ifstream in(config.c_str());
  36         DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in);
  37         XercesJanitor<DOMDocument> janitor(doc);
  38         return dynamic_cast<X509TrustEngine*>(
  39             XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(
  40                 STATIC_PKIX_TRUSTENGINE, doc->getDocumentElement()
  41                 )
  42             );
  43     }
  44
  45     CredentialResolver* m_dummy;
  46     ChainingTrustEngine* m_chain;
  47     XSECCryptoX509* m_ee;   // end entity
  48     XSECCryptoX509* m_int1; // any policy
  49     XSECCryptoX509* m_int2; // explicit policy
  50     XSECCryptoX509* m_int3; // policy mapping
  51
  52 public:
  53     void setUp() {
  54         m_dummy = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(DUMMY_CREDENTIAL_RESOLVER, nullptr);
  55         m_chain = dynamic_cast<ChainingTrustEngine*>(XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(CHAINING_TRUSTENGINE, nullptr));
  56
  57         m_ee = m_int1 = m_int2 = m_int3 = nullptr;
  58         vector<XSECCryptoX509*> certs;
  59         string pathname = data_path + "x509/mdt-signer.crt.pem";
  60         SecurityHelper::loadCertificatesFromFile(certs, pathname.c_str());
  61         pathname = data_path + "x509/mdt-ica.1.crt.pem";
  62         SecurityHelper::loadCertificatesFromFile(certs, pathname.c_str());
  63         pathname = data_path + "x509/mdt-ica.2.crt.pem";
  64         SecurityHelper::loadCertificatesFromFile(certs, pathname.c_str());
  65         pathname = data_path + "x509/mdt-ica.3.crt.pem";
  66         SecurityHelper::loadCertificatesFromFile(certs, pathname.c_str());
  67         m_ee = certs[0];
  68         m_int1 = certs[1];
  69         m_int2 = certs[2];
  70         m_int3 = certs[3];
  71     }
  72
  73     void tearDown() {
  74         delete m_chain;
  75         delete m_dummy;
  76         delete m_ee;
  77         delete m_int1;
  78         delete m_int2;
  79         delete m_int3;
  80     }
  81
  82
  83     void testAnyPolicy() {
  84         TrustEngine* trust = buildTrustEngine("AnyPolicy");
  85         m_chain->addTrustEngine(trust);
  86
  87         vector<XSECCryptoX509*> untrusted(1, m_int1);
  88         TSM_ASSERT("PKIX validation failed", m_chain->validate(m_ee, untrusted, *m_dummy));
  89
  90         TSM_ASSERT_EQUALS("Trust engine removal failed", m_chain->removeTrustEngine(trust), trust);
  91         delete trust;
  92     }
  93
  94     void testExplicitPolicy() {
  95         TrustEngine* trust = buildTrustEngine("ExplicitPolicy");
  96         m_chain->addTrustEngine(trust);
  97
  98         vector<XSECCryptoX509*> untrusted(1, m_int1);
  99         TSM_ASSERT("PKIX validation succeeded despite anyPolicyInhibit", !m_chain->validate(m_ee, untrusted, *m_dummy));
 100
 101         untrusted[0] = m_int2;
 102         TSM_ASSERT("PKIX validation failed", m_chain->validate(m_ee, untrusted, *m_dummy));
 103
 104         untrusted[0] = m_int3;
 105         TSM_ASSERT("PKIX validation failed", m_chain->validate(m_ee, untrusted, *m_dummy));
 106
 107         TSM_ASSERT_EQUALS("Trust engine removal failed", m_chain->removeTrustEngine(trust), trust);
 108         delete trust;
 109     }
 110
 111     void testExplicitPolicyMap() {
 112         TrustEngine* trust = buildTrustEngine("ExplicitPolicyMap");
 113         m_chain->addTrustEngine(trust);
 114
 115         vector<XSECCryptoX509*> untrusted(1, m_int3);
 116         TSM_ASSERT("PKIX validation failed", m_chain->validate(m_ee, untrusted, *m_dummy));
 117
 118         TSM_ASSERT_EQUALS("Trust engine removal failed", m_chain->removeTrustEngine(trust), trust);
 119         delete trust;
 120     }
 121
 122     void testExplicitPolicyNoMap() {
 123         TrustEngine* trust = buildTrustEngine("ExplicitPolicyNoMap");
 124         m_chain->addTrustEngine(trust);
 125
 126         vector<XSECCryptoX509*> untrusted(1, m_int3);
 127         TSM_ASSERT("PKIX validation succeeded despite policyMappingInhibit", !m_chain->validate(m_ee, untrusted, *m_dummy));
 128
 129         TSM_ASSERT_EQUALS("Trust engine removal failed", m_chain->removeTrustEngine(trust), trust);
 130         delete trust;
 131     }
 132
 133 };