2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
21 #include "XMLObjectBaseTestCase.h"
23 #include <xmltooling/security/CredentialResolver.h>
24 #include <xmltooling/security/SecurityHelper.h>
25 #include <xmltooling/security/X509TrustEngine.h>
28 #include <xsec/enc/XSECCryptoKey.hpp>
29 #include <xsec/enc/XSECCryptoX509.hpp>
31 class PKIXEngineTest : public CxxTest::TestSuite {
33 X509TrustEngine* buildTrustEngine(const char* filename) {
34 string config = data_path + "x509/" + filename + ".xml";
35 ifstream in(config.c_str());
36 DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in);
37 XercesJanitor<DOMDocument> janitor(doc);
38 return dynamic_cast<X509TrustEngine*>(
39 XMLToolingConfig::getConfig().TrustEngineManager.newPlugin(
40 STATIC_PKIX_TRUSTENGINE, doc->getDocumentElement()
45 CredentialResolver* m_dummy;
46 XSECCryptoX509* m_ee; // end entity
47 XSECCryptoX509* m_int1; // any policy
48 XSECCryptoX509* m_int2; // explicit policy
49 XSECCryptoX509* m_int3; // policy mapping
53 m_dummy = XMLToolingConfig::getConfig().CredentialResolverManager.newPlugin(DUMMY_CREDENTIAL_RESOLVER, nullptr);
55 m_ee = m_int1 = m_int2 = m_int3 = nullptr;
56 vector<XSECCryptoX509*> certs;
57 string pathname = data_path + "x509/mdt-signer.crt.pem";
58 SecurityHelper::loadCertificatesFromFile(certs, pathname.c_str());
59 pathname = data_path + "x509/mdt-ica.1.crt.pem";
60 SecurityHelper::loadCertificatesFromFile(certs, pathname.c_str());
61 pathname = data_path + "x509/mdt-ica.2.crt.pem";
62 SecurityHelper::loadCertificatesFromFile(certs, pathname.c_str());
63 pathname = data_path + "x509/mdt-ica.3.crt.pem";
64 SecurityHelper::loadCertificatesFromFile(certs, pathname.c_str());
80 void testAnyPolicy() {
81 auto_ptr<X509TrustEngine> trust(buildTrustEngine("AnyPolicy"));
83 vector<XSECCryptoX509*> untrusted(1, m_int1);
84 TSM_ASSERT("PKIX validation failed", trust->validate(m_ee, untrusted, *m_dummy));
87 void testExplicitPolicy() {
88 auto_ptr<X509TrustEngine> trust(buildTrustEngine("ExplicitPolicy"));
90 vector<XSECCryptoX509*> untrusted(1, m_int1);
91 TSM_ASSERT("PKIX validation succeeded despite anyPolicyInhibit", !trust->validate(m_ee, untrusted, *m_dummy));
93 untrusted[0] = m_int2;
94 TSM_ASSERT("PKIX validation failed", trust->validate(m_ee, untrusted, *m_dummy));
96 untrusted[0] = m_int3;
97 TSM_ASSERT("PKIX validation failed", trust->validate(m_ee, untrusted, *m_dummy));
100 void testExplicitPolicyMap() {
101 auto_ptr<X509TrustEngine> trust(buildTrustEngine("ExplicitPolicyMap"));
103 vector<XSECCryptoX509*> untrusted(1, m_int3);
104 TSM_ASSERT("PKIX validation failed", trust->validate(m_ee, untrusted, *m_dummy));
107 void testExplicitPolicyNoMap() {
108 auto_ptr<X509TrustEngine> trust(buildTrustEngine("ExplicitPolicyNoMap"));
110 vector<XSECCryptoX509*> untrusted(1, m_int3);
111 TSM_ASSERT("PKIX validation succeeded despite policyMappingInhibit", !trust->validate(m_ee, untrusted, *m_dummy));