xmltoolingtest/PKIXEngineTest.h

   1 /**
   2  * Licensed to the University Corporation for Advanced Internet
   3  * Development, Inc. (UCAID) under one or more contributor license
   4  * agreements. See the NOTICE file distributed with this work for
   5  * additional information regarding copyright ownership.
   6  *
   7  * UCAID licenses this file to you under the Apache License,
   8  * Version 2.0 (the "License"); you may not use this file except
   9  * in compliance with the License. You may obtain a copy of the
  10  * License at
  11  *
  12  * http://www.apache.org/licenses/LICENSE-2.0
  13  *
  14  * Unless required by applicable law or agreed to in writing,
  15  * software distributed under the License is distributed on an
  16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
  17  * either express or implied. See the License for the specific
  18  * language governing permissions and limitations under the License.
  19  */
  20
  21 #include "XMLObjectBaseTestCase.h"
  22
  23 #include <xmltooling/security/CredentialResolver.h>
  24 #include <xmltooling/security/SecurityHelper.h>
  25 #include <xmltooling/security/X509TrustEngine.h>
  26
  27 #include <fstream>
  28 #include <xsec/enc/XSECCryptoKey.hpp>
  29 #include <xsec/enc/XSECCryptoX509.hpp>
  30
  31 class PKIXEngineTest : public CxxTest::TestSuite {
  32
  33     X509TrustEngine* buildTrustEngine(const char* filename) {
  34         string config = data_path + "x509/" + filename + ".xml";
  35         ifstream in(config.c_str());
  36         DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in);
  37         XercesJanitor<DOMDocument> janitor(doc);
  38         return dynamic_cast<X509TrustEngine*>(
  39             XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(
  40                 STATIC_PKIX_TRUSTENGINE, doc->getDocumentElement()
  41                 )
  42             );
  43     }
  44
  45     CredentialResolver* m_dummy;
  46     XSECCryptoX509* m_ee;   // end entity
  47     XSECCryptoX509* m_int1; // any policy
  48     XSECCryptoX509* m_int2; // explicit policy
  49     XSECCryptoX509* m_int3; // policy mapping
  50
  51 public:
  52     void setUp() {
  53         m_dummy = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(DUMMY_CREDENTIAL_RESOLVER, nullptr);
  54
  55         m_ee = m_int1 = m_int2 = m_int3 = nullptr;
  56         vector<XSECCryptoX509*> certs;
  57         string pathname = data_path + "x509/mdt-signer.crt.pem";
  58         SecurityHelper::loadCertificatesFromFile(certs, pathname.c_str());
  59         pathname = data_path + "x509/mdt-ica.1.crt.pem";
  60         SecurityHelper::loadCertificatesFromFile(certs, pathname.c_str());
  61         pathname = data_path + "x509/mdt-ica.2.crt.pem";
  62         SecurityHelper::loadCertificatesFromFile(certs, pathname.c_str());
  63         pathname = data_path + "x509/mdt-ica.3.crt.pem";
  64         SecurityHelper::loadCertificatesFromFile(certs, pathname.c_str());
  65         m_ee = certs[0];
  66         m_int1 = certs[1];
  67         m_int2 = certs[2];
  68         m_int3 = certs[3];
  69     }
  70
  71     void tearDown() {
  72         delete m_dummy;
  73         delete m_ee;
  74         delete m_int1;
  75         delete m_int2;
  76         delete m_int3;
  77     }
  78
  79
  80     void testAnyPolicy() {
  81         auto_ptr<X509TrustEngine> trust(buildTrustEngine("AnyPolicy"));
  82
  83         vector<XSECCryptoX509*> untrusted(1, m_int1);
  84         TSM_ASSERT("PKIX validation failed", trust->validate(m_ee, untrusted, *m_dummy));
  85     }
  86
  87     void testExplicitPolicy() {
  88         auto_ptr<X509TrustEngine> trust(buildTrustEngine("ExplicitPolicy"));
  89
  90         vector<XSECCryptoX509*> untrusted(1, m_int1);
  91         TSM_ASSERT("PKIX validation succeeded despite anyPolicyInhibit", !trust->validate(m_ee, untrusted, *m_dummy));
  92
  93         untrusted[0] = m_int2;
  94         TSM_ASSERT("PKIX validation failed", trust->validate(m_ee, untrusted, *m_dummy));
  95
  96         untrusted[0] = m_int3;
  97         TSM_ASSERT("PKIX validation failed", trust->validate(m_ee, untrusted, *m_dummy));
  98     }
  99
 100     void testExplicitPolicyMap() {
 101         auto_ptr<X509TrustEngine> trust(buildTrustEngine("ExplicitPolicyMap"));
 102
 103         vector<XSECCryptoX509*> untrusted(1, m_int3);
 104         TSM_ASSERT("PKIX validation failed", trust->validate(m_ee, untrusted, *m_dummy));
 105     }
 106
 107     void testExplicitPolicyNoMap() {
 108         auto_ptr<X509TrustEngine> trust(buildTrustEngine("ExplicitPolicyNoMap"));
 109
 110         vector<XSECCryptoX509*> untrusted(1, m_int3);
 111         TSM_ASSERT("PKIX validation succeeded despite policyMappingInhibit", !trust->validate(m_ee, untrusted, *m_dummy));
 112     }
 113
 114 };