add jUnit tests for HSM Facade integration.

author: Thomas Lenz <thomas.lenz@egiz.gv.at> 2020-02-17 17:03:28 +0100
committer: Thomas Lenz <thomas.lenz@egiz.gv.at> 2020-02-17 17:03:28 +0100
commit: 7848c74de2cdafed8bee69d1d5b8e5efa7535bc6 (patch)
tree: 41fb7aeb440982fc3c25f8fa91cd2d7186471a1b /eaaf_modules/eaaf_module_pvp2_core/src/test/java/at
parent: 3b7eb43b0df868e492ccd7ad2daca5e4c0053bb2 (diff)
download: EAAF-Components-7848c74de2cdafed8bee69d1d5b8e5efa7535bc6.tar.gz
EAAF-Components-7848c74de2cdafed8bee69d1d5b8e5efa7535bc6.tar.bz2
EAAF-Components-7848c74de2cdafed8bee69d1d5b8e5efa7535bc6.zip
4 files changed, 532 insertions, 292 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java
new file mode 100644
index 00000000..d5186857
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java
@@ -0,0 +1,328 @@
+package at.gv.egiz.eaaf.modules.pvp2.test;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
+import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse;
+import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory;
+import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory;
+import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine;
+import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider;
+import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyMetadataProvider;
+
+import org.joda.time.DateTime;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
+import org.opensaml.core.xml.io.UnmarshallingException;
+import org.opensaml.core.xml.util.XMLObjectSupport;
+import org.opensaml.saml.common.xml.SAMLConstants;
+import org.opensaml.saml.saml2.core.Assertion;
+import org.opensaml.saml.saml2.core.AuthnRequest;
+import org.opensaml.saml.saml2.core.EncryptedAssertion;
+import org.opensaml.saml.saml2.core.Issuer;
+import org.opensaml.saml.saml2.core.Response;
+import org.opensaml.saml.saml2.encryption.Encrypter;
+import org.opensaml.saml.saml2.encryption.Encrypter.KeyPlacement;
+import org.opensaml.security.x509.X509Credential;
+import org.opensaml.xmlsec.SecurityConfigurationSupport;
+import org.opensaml.xmlsec.encryption.support.DataEncryptionParameters;
+import org.opensaml.xmlsec.encryption.support.EncryptionException;
+import org.opensaml.xmlsec.encryption.support.KeyEncryptionParameters;
+import org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.util.Assert;
+
+import net.shibboleth.utilities.java.support.xml.XMLParserException;
+
+
+public abstract class AbstractSamlVerificationEngine {
+
+  @Autowired
+  private PvpMetadataResolverFactory metadataResolverFactory;
+  @Autowired
+  private SamlVerificationEngine verifyEngine;
+  @Autowired
+  protected DummyCredentialProvider credentialProvider;
+
+  @Autowired DummyMetadataProvider metadataProvider;
+  @Autowired IConfiguration authConfig;
+
+  /**
+   * JUnit class initializer.
+   *
+   * @throws Exception In case of an OpenSAML3 initialization error
+   */
+  @BeforeClass
+  public static void classInitializer() throws Exception {
+    EaafOpenSaml3xInitializer.eaafInitialize();
+
+  }
+  protected abstract String getMetadataJunitJKeystore();
+
+  protected abstract String getMetadataClassPathEntityPath();
+
+  protected abstract String getAuthnRequestWithoutSigPath();
+
+  protected abstract String getResponseWithSigPath();
+
+  protected abstract String getResponseWithoutSigPath();
+
+
+  @Test
+  public void validateSamlRequestSuccess() throws SecurityException, Exception {
+
+    final String authnReqPath = getAuthnRequestWithoutSigPath();
+    final String metadataPath = getMetadataClassPathEntityPath();
+    final String spEntityId = metadataPath;
+
+    final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg =
+        initializeAuthnRequest(spEntityId, metadataPath, authnReqPath,
+            credentialProvider.getMetaDataSigningCredential());
+
+    final PvpSProfileRequest msg = new PvpSProfileRequest(
+        inputMsg.getFirst(),
+        SAMLConstants.SAML2_POST_BINDING_URI);
+    msg.setEntityID(spEntityId);
+
+    verifyEngine.verify(msg,
+        TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
+
+  }
+
+  @Test
+  public void validateSamlRequestWrongSignature() throws SecurityException, Exception {
+
+    final String authnReqPath = getAuthnRequestWithoutSigPath();
+    final String metadataPath = getMetadataJunitJKeystore();
+    final String spEntityId = metadataPath;
+
+    final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg =
+        initializeAuthnRequest(spEntityId, metadataPath, authnReqPath,
+            credentialProvider.getMetaDataSigningCredential());
+
+    metadataProvider.addMetadataResolverIntoChain(inputMsg.getSecond());
+
+    final PvpSProfileRequest msg = new PvpSProfileRequest(
+        inputMsg.getFirst(),
+        SAMLConstants.SAML2_POST_BINDING_URI);
+    msg.setEntityID(spEntityId);
+
+    try {
+      verifyEngine.verify(msg,
+          TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
+      org.junit.Assert.fail("Wrong signature not detected");
+
+    } catch (final Exception e) {
+      Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType");
+      org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.10", ((EaafException) e).getErrorId());
+
+    }
+  }
+
+  @Test
+  public void verifyResponseSuccessTest() throws Pvp2InternalErrorException, SecurityException, Exception {
+    metadataProvider.runGarbageCollector();
+
+    final String authnReqPath = getResponseWithoutSigPath();
+    final String metadataPath = getMetadataClassPathEntityPath();
+    final String spEntityId = metadataPath;
+
+    final Pair<Response, IPvp2MetadataProvider> inputMsg =
+        initializeResponse(spEntityId, metadataPath, authnReqPath,
+            credentialProvider.getMetaDataSigningCredential());
+
+    final PvpSProfileResponse msg = new PvpSProfileResponse(
+        inputMsg.getFirst());
+    msg.setEntityID(spEntityId);
+
+    verifyEngine.verify(msg,
+        TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
+
+  }
+
+  @Test
+  public void verifyResponseSuccessSecondTest()
+      throws Pvp2InternalErrorException, SecurityException, Exception {
+
+    final String authnReqPath = getResponseWithoutSigPath();
+    final String metadataPath = getMetadataClassPathEntityPath();
+    final String spEntityId = metadataPath;
+
+    final Pair<Response, IPvp2MetadataProvider> inputMsg =
+        initializeResponse(spEntityId, metadataPath, authnReqPath,
+            credentialProvider.getMetaDataSigningCredential());
+
+    verifyEngine.verifyIdpResponse(inputMsg.getFirst(),
+        TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
+
+  }
+
+  @Test
+  public void verifySpResponse()
+      throws Pvp2InternalErrorException, SecurityException, Exception {
+
+    final String authnReqPath = getResponseWithoutSigPath();
+    final String metadataPath = getMetadataClassPathEntityPath();
+    final String spEntityId = metadataPath;
+
+    final Pair<Response, IPvp2MetadataProvider> inputMsg =
+        initializeResponse(spEntityId, metadataPath, authnReqPath,
+            credentialProvider.getMetaDataSigningCredential());
+
+    verifyEngine.verifySloResponse(inputMsg.getFirst(),
+        TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
+
+  }
+
+  @Test
+  public void verifyResponseWithoutId() throws Pvp2InternalErrorException, SecurityException, Exception {
+
+    final String authnReqPath = getResponseWithSigPath();
+    final String metadataPath = getMetadataClassPathEntityPath();
+    final String spEntityId = metadataPath;
+
+    final Pair<Response, IPvp2MetadataProvider> inputMsg =
+        initializeResponse(spEntityId, metadataPath, authnReqPath,
+            credentialProvider.getMetaDataSigningCredential());
+
+    final PvpSProfileResponse msg = new PvpSProfileResponse(
+        inputMsg.getFirst());
+    msg.setEntityID(spEntityId);
+
+    try {
+      verifyEngine.verify(msg,
+          TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
+      org.junit.Assert.fail("Wrong XML schema not detected");
+
+    } catch (final Exception e) {
+      Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType");
+      org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.03", ((EaafException) e).getErrorId());
+
+    }
+  }
+
+  @Test
+  public void verifyResponseWrongTrust() throws Pvp2InternalErrorException, SecurityException, Exception {
+
+    final String authnReqPath = getResponseWithoutSigPath();
+    final String metadataPath = getMetadataJunitJKeystore();
+    final String spEntityId = metadataPath;
+
+    final Pair<Response, IPvp2MetadataProvider> inputMsg =
+        initializeResponse(spEntityId, metadataPath, authnReqPath,
+            credentialProvider.getMetaDataSigningCredential());
+
+    final PvpSProfileResponse msg = new PvpSProfileResponse(
+        inputMsg.getFirst());
+    msg.setEntityID(spEntityId);
+
+    try {
+      verifyEngine.verify(msg,
+          TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
+      org.junit.Assert.fail("No TrustedCert not detected");
+
+    } catch (final Exception e) {
+      Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType");
+      org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.10", ((EaafException) e).getErrorId());
+
+    }
+  }
+
+  protected Pair<Response, IPvp2MetadataProvider> initializeResponse(String spEntityId, String metadataPath,
+      String authnReqPath, EaafX509Credential credential)
+          throws SamlSigningException, XMLParserException, UnmarshallingException, Pvp2MetadataException {
+    final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider(
+        metadataPath, null, "jUnit metadata resolver", null);
+
+    final Response authnReq = (Response) XMLObjectSupport.unmarshallFromInputStream(
+        XMLObjectProviderRegistrySupport.getParserPool(),
+        AbstractSamlVerificationEngine.class.getResourceAsStream(authnReqPath));
+    authnReq.setIssueInstant(DateTime.now());
+    final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class);
+    issuer.setValue(spEntityId);
+    authnReq.setIssuer(issuer);
+
+    return Pair.newInstance(
+        Saml2Utils.signSamlObject(authnReq, credential, true),
+        mdResolver);
+  }
+
+  protected Pair<AuthnRequest, IPvp2MetadataProvider> initializeAuthnRequest(String spEntityId,
+      String metadataPath, String authnReqPath, EaafX509Credential credential)
+      throws SamlSigningException, CredentialsNotAvailableException,
+      XMLParserException, UnmarshallingException, Pvp2InternalErrorException, Pvp2MetadataException {
+
+    final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider(
+        metadataPath, null, "jUnit metadata resolver", null);
+
+    final AuthnRequest authnReq = (AuthnRequest) XMLObjectSupport.unmarshallFromInputStream(
+        XMLObjectProviderRegistrySupport.getParserPool(),
+        AbstractSamlVerificationEngine.class.getResourceAsStream(authnReqPath));
+    authnReq.setIssueInstant(DateTime.now());
+    final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class);
+    issuer.setValue(spEntityId);
+    authnReq.setIssuer(issuer);
+
+    return Pair.newInstance(
+        Saml2Utils.signSamlObject(authnReq, credential, true),
+        mdResolver);
+
+  }
+
+  protected static EncryptedAssertion doEncryption(Assertion assertion,
+      X509Credential encryptionCredentials, IConfiguration authConfig)
+      throws Exception {
+    try {
+      final String keyEncAlg = Saml2Utils.getKeyOperationAlgorithmFromCredential(
+          encryptionCredentials,
+          authConfig.getBasicConfiguration(
+              PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_KEY_RSA_ALG,
+              PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_RSA),
+          authConfig.getBasicConfiguration(
+              PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_KEY_EC_ALG,
+              PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_EC));
+
+      final DataEncryptionParameters dataEncParams = new DataEncryptionParameters();
+      dataEncParams.setAlgorithm(authConfig.getBasicConfiguration(
+          PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_DATA, PvpConstants.DEFAULT_SYM_ENCRYPTION_METHODE));
+
+      final List<KeyEncryptionParameters> keyEncParamList = new ArrayList<>();
+      final KeyEncryptionParameters keyEncParam = new KeyEncryptionParameters();
+      keyEncParam.setEncryptionCredential(encryptionCredentials);
+      keyEncParam.setAlgorithm(keyEncAlg);
+
+      final KeyInfoGeneratorFactory kigf =
+          SecurityConfigurationSupport.getGlobalEncryptionConfiguration()
+              .getKeyTransportKeyInfoGeneratorManager().getDefaultManager().getFactory(encryptionCredentials);
+      keyEncParam.setKeyInfoGenerator(kigf.newInstance());
+      keyEncParamList.add(keyEncParam);
+
+      final Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList);
+      samlEncrypter.setKeyPlacement(KeyPlacement.PEER);
+
+      return samlEncrypter.encrypt(assertion);
+
+    } catch (final EncryptionException | SamlSigningException e1) {
+      throw new Exception(e1);
+
+    }
+
+  }
+
+
+}
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java
index be3f9a8f..3ba4c962 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java
@@ -6,6 +6,7 @@ import java.util.List;
 import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
 import at.gv.egiz.eaaf.core.exceptions.EaafFactoryException;
 import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
 import at.gv.egiz.eaaf.core.impl.idp.module.test.DummyAuthConfigMap;
 import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
 import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
@@ -34,10 +35,11 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 public class CredentialProviderTest {
 
   private static final String HSM_FACASE_HOST = "eid.a-sit.at";
-  private static final String HSM_FACASE_PORT = "9000";
+  private static final String HSM_FACASE_PORT = "9050";
+  private static final String HSM_FACASE_SSL_TRUST = "src/test/resources/data/hsm_facade_trust_root.crt";
   private static final String HSM_FACASE_USERNAME = "authhandler-junit";
   private static final String HSM_FACASE_PASSWORD = "supersecret123";
-  private static final String HSM_FACASE_SSL_TRUST = "src/test/resources/data/hsm_facade_trust_root.crt";
+  private static final String HSM_FACASE_HSM_NAME = "software";
 
   private static final String PATH_JKS_WITH_TRUST_CERTS = "src/test/resources/data/junit.jks";
   private static final String PATH_JKS_WITHOUT_TRUST_CERTS = "src/test/resources/data/junit_without_trustcerts.jks";
@@ -50,6 +52,8 @@ public class CredentialProviderTest {
 
   private static final String PASSWORD = "password";
 
+  private static final String HSM_FACADE_KEY_ALIAS = "authhandler-sign";
+
 
   @Autowired private ApplicationContext context;
   @Autowired private DummyAuthConfigMap config;
@@ -61,9 +65,10 @@ public class CredentialProviderTest {
   public void initialize() {
     config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HOST, HSM_FACASE_HOST);
     config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_PORT, HSM_FACASE_PORT);
+    config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_SSLTRUST, HSM_FACASE_SSL_TRUST);
     config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_USERNAME, HSM_FACASE_USERNAME);
     config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_PASSWORD, HSM_FACASE_PASSWORD);
-    config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_SSLTRUST, HSM_FACASE_SSL_TRUST);
+    config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HSM_NAME, HSM_FACASE_HSM_NAME);
 
     config.putConfigValue(DummyCredentialProvider.KEYSTORE_NAME, HSM_FACASE_KEYSTORE_NAME);
 
@@ -505,6 +510,91 @@ public class CredentialProviderTest {
     }
   }
 
+  @Test
+  @DirtiesContext
+  public void hasFacadeMissingKeyStoreName() {
+    config.putConfigValue(DummyCredentialProvider.KEYSTORE_TYPE,
+        KeyStoreConfiguration.KeyStoreType.HSMFACADE.getKeyStoreType());
+    config.removeConfigValue(DummyCredentialProvider.KEYSTORE_NAME);
+
+    try {
+      context.getBean(DummyCredentialProvider.class);
+      Assert.fail("No KeyStore not detected");
+
+    } catch (final BeansException e) {
+      org.springframework.util.Assert.isInstanceOf(EaafConfigurationException.class,
+          e.getCause(), "Wrong exception");
+
+    }
+
+  }
+
+  @Test
+  @DirtiesContext
+  public void hasFacadeWrongAlias() {
+    config.putConfigValue(DummyCredentialProvider.KEYSTORE_TYPE,
+        KeyStoreConfiguration.KeyStoreType.HSMFACADE.getKeyStoreType());
+    config.putConfigValue(DummyCredentialProvider.KEYSTORE_NAME, HSM_FACASE_KEYSTORE_NAME);
+
+    final DummyCredentialProvider credential = context.getBean(DummyCredentialProvider.class);
+
+    Assert.assertNotNull("Credetialprovider", credential);
+    Assert.assertNotNull("Friendlyname", credential.getFriendlyName());
+
+    config.putConfigValue(DummyCredentialProvider.KEY_METADATA_ALIAS,
+        RandomStringUtils.randomAlphabetic(5));
+
+    try {
+      checkCredential(credential.getMetaDataSigningCredential(),
+          PvpConstants.DEFAULT_SIGNING_METHODE_RSA,
+          PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_RSA);
+      Assert.fail("Wrong 'alias' not detected");
+
+    } catch (final CredentialsNotAvailableException e) {
+      Assert.assertEquals("Wrong errorCode", "internal.pvp.01", e.getErrorId());
+
+    }
+
+  }
+
+  @Test
+  @DirtiesContext
+  public void validConfigurationHsmFacade() throws CredentialsNotAvailableException {
+
+    config.putConfigValue(DummyCredentialProvider.KEYSTORE_TYPE,
+        KeyStoreConfiguration.KeyStoreType.HSMFACADE.getKeyStoreType());
+    config.putConfigValue(DummyCredentialProvider.KEYSTORE_NAME, HSM_FACASE_KEYSTORE_NAME);
+
+    final DummyCredentialProvider credential = context.getBean(DummyCredentialProvider.class);
+
+    Assert.assertNotNull("Credetialprovider", credential);
+    Assert.assertNotNull("Friendlyname", credential.getFriendlyName());
+
+    config.putConfigValue(DummyCredentialProvider.KEY_METADATA_ALIAS,
+        HSM_FACADE_KEY_ALIAS);
+    config.putConfigValue(DummyCredentialProvider.KEY_METADATA_PASSWORD,
+        PASSWORD);
+
+
+    checkCredential(credential.getMetaDataSigningCredential(),
+        PvpConstants.DEFAULT_SIGNING_METHODE_RSA,
+        PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_RSA);
+
+    config.putConfigValue(DummyCredentialProvider.KEY_SIGNING_ALIAS,
+        HSM_FACADE_KEY_ALIAS);
+
+    checkCredential(credential.getMessageSigningCredential(),
+        PvpConstants.DEFAULT_SIGNING_METHODE_RSA,
+        PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_RSA);
+
+
+    final List<X509Certificate> trustCerts = credential.getTrustedCertificates();
+    Assert.assertNotNull("TrustCerts are null", trustCerts);
+    Assert.assertTrue("TrustCerts not empty", trustCerts.isEmpty());
+
+  }
+
+
   private void checkCredential(EaafX509Credential metaDataSigningCredential, String sigAlg, String keyEncAlg) {
     Assert.assertNotNull("No metadata signing credentials", metaDataSigningCredential);
     Assert.assertNotNull("SigAlg is null",
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java
index 66e87537..bc0084f7 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java
@@ -1,53 +1,33 @@
 package at.gv.egiz.eaaf.modules.pvp2.test;
 
-import java.util.ArrayList;
-import java.util.List;
-
 import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
 import at.gv.egiz.eaaf.core.exceptions.EaafException;
 import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException;
 import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
 import at.gv.egiz.eaaf.core.impl.data.Pair;
-import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
 import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
 import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
 import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
-import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException;
 import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException;
 import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption;
 import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException;
 import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest;
-import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse;
-import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory;
-import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer;
-import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
 import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory;
 import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine;
 import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider;
 import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyMetadataProvider;
 
 import org.joda.time.DateTime;
-import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.runner.RunWith;
-import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
 import org.opensaml.core.xml.io.UnmarshallingException;
 import org.opensaml.core.xml.util.XMLObjectSupport;
 import org.opensaml.saml.common.xml.SAMLConstants;
 import org.opensaml.saml.saml2.core.Assertion;
 import org.opensaml.saml.saml2.core.AuthnRequest;
 import org.opensaml.saml.saml2.core.EncryptedAssertion;
-import org.opensaml.saml.saml2.core.Issuer;
 import org.opensaml.saml.saml2.core.Response;
 import org.opensaml.saml.saml2.core.StatusCode;
-import org.opensaml.saml.saml2.encryption.Encrypter;
-import org.opensaml.saml.saml2.encryption.Encrypter.KeyPlacement;
-import org.opensaml.security.x509.X509Credential;
-import org.opensaml.xmlsec.SecurityConfigurationSupport;
-import org.opensaml.xmlsec.encryption.support.DataEncryptionParameters;
-import org.opensaml.xmlsec.encryption.support.EncryptionException;
-import org.opensaml.xmlsec.encryption.support.KeyEncryptionParameters;
-import org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorFactory;
 import org.opensaml.xmlsec.signature.support.SignatureConstants;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.ContextConfiguration;
@@ -62,11 +42,9 @@ import net.shibboleth.utilities.java.support.xml.XMLParserException;
 @ContextConfiguration({ "/spring/test_eaaf_pvp.beans.xml",
     "/spring/test_eaaf_core_spring_config.beans.xml" })
 @TestPropertySource(locations = { "/config/config_1.props" })
-public class SamlVerificationEngineTest {
+public class SamlVerificationEngineTest extends AbstractSamlVerificationEngine {
 
   @Autowired
-  private PvpMetadataResolverFactory metadataResolverFactory;
-  @Autowired
   private SamlVerificationEngine verifyEngine;
   @Autowired
   private DummyCredentialProvider credentialProvider;
@@ -74,103 +52,38 @@ public class SamlVerificationEngineTest {
   @Autowired DummyMetadataProvider metadataProvider;
   @Autowired IConfiguration authConfig;
 
-  /**
-   * JUnit class initializer.
-   *
-   * @throws Exception In case of an OpenSAML3 initialization error
-   */
-  @BeforeClass
-  public static void classInitializer() throws Exception {
-    EaafOpenSaml3xInitializer.eaafInitialize();
+  @Override
+  protected String getMetadataClassPathEntityPath() {
+    return "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml";
 
   }
 
-  @Test
-  public void validateSamlRequestSuccess() throws SecurityException, Exception {
-
-    final String authnReqPath = "/data/AuthRequest_without_sig_1.xml";
-    final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml";
-    final String spEntityId = metadataPath;
-
-    final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg =
-        initializeAuthnRequest(spEntityId, metadataPath, authnReqPath,
-            credentialProvider.getMetaDataSigningCredential());
-
-    final PvpSProfileRequest msg = new PvpSProfileRequest(
-        inputMsg.getFirst(),
-        SAMLConstants.SAML2_POST_BINDING_URI);
-    msg.setEntityID(spEntityId);
-
-    verifyEngine.verify(msg,
-        TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
-
+  @Override
+  protected String getMetadataJunitJKeystore() {
+    return "classpath:/data/pvp_metadata_junit_keystore.xml";
   }
 
-  @Test
-  public void validateSamlRequestWrongSignature() throws SecurityException, Exception {
-
-    final String authnReqPath = "/data/AuthRequest_without_sig_1.xml";
-    final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
-    final String spEntityId = metadataPath;
-
-    final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg =
-        initializeAuthnRequest(spEntityId, metadataPath, authnReqPath,
-            credentialProvider.getMetaDataSigningCredential());
-
-    metadataProvider.addMetadataResolverIntoChain(inputMsg.getSecond());
-
-    final PvpSProfileRequest msg = new PvpSProfileRequest(
-        inputMsg.getFirst(),
-        SAMLConstants.SAML2_POST_BINDING_URI);
-    msg.setEntityID(spEntityId);
-
-    try {
-      verifyEngine.verify(msg,
-          TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
-      org.junit.Assert.fail("Wrong signature not detected");
-
-    } catch (final Exception e) {
-      Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType");
-      org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.10", ((EaafException) e).getErrorId());
+  @Override
+  protected String getAuthnRequestWithoutSigPath() {
+    return "/data/AuthRequest_without_sig_1.xml";
 
-    }
   }
 
-  @Test
-  public void validateSamlInvalidRequest() throws SecurityException, Exception {
-
-    final String authnReqPath = "/data/AuthRequest_without_sig_missing_id.xml";
-    final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
-    final String spEntityId = metadataPath;
-
-    final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg =
-        initializeAuthnRequest(spEntityId, metadataPath, authnReqPath,
-            credentialProvider.getMetaDataSigningCredential());
-
-    metadataProvider.addMetadataResolverIntoChain(inputMsg.getSecond());
-
-    final PvpSProfileRequest msg = new PvpSProfileRequest(
-        inputMsg.getFirst(),
-        SAMLConstants.SAML2_POST_BINDING_URI);
-    msg.setEntityID(spEntityId);
-
-    try {
-      verifyEngine.verify(msg,
-          TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
-      org.junit.Assert.fail("invalid request not detected");
-
-    } catch (final Exception e) {
-      Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType");
-      org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.03", ((EaafException) e).getErrorId());
+  @Override
+  protected String getResponseWithSigPath() {
+    return "/data/Response_with_sig_1.xml";
+  }
 
-    }
+  @Override
+  protected String getResponseWithoutSigPath() {
+    return "/data/Response_without_sig_1.xml";
   }
 
   @Test
   public void validateSamlRequestWrongSignatureAlg() throws SecurityException, Exception {
 
-    final String authnReqPath = "/data/AuthRequest_without_sig_1.xml";
-    final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+    final String authnReqPath = getAuthnRequestWithoutSigPath();
+    final String metadataPath = getMetadataJunitJKeystore();
     final String spEntityId = metadataPath;
 
     metadataProvider.runGarbageCollector();
@@ -199,79 +112,27 @@ public class SamlVerificationEngineTest {
   }
 
   @Test
-  public void verifyResponseSuccessTest() throws Pvp2InternalErrorException, SecurityException, Exception {
-    metadataProvider.runGarbageCollector();
-
-    final String authnReqPath = "/data/Response_without_sig_1.xml";
-    final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml";
-    final String spEntityId = metadataPath;
-
-    final Pair<Response, IPvp2MetadataProvider> inputMsg =
-        initializeResponse(spEntityId, metadataPath, authnReqPath,
-            credentialProvider.getMetaDataSigningCredential());
-
-    final PvpSProfileResponse msg = new PvpSProfileResponse(
-        inputMsg.getFirst());
-    msg.setEntityID(spEntityId);
-
-    verifyEngine.verify(msg,
-        TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
-
-  }
-
-  @Test
-  public void verifyResponseSuccessSecondTest()
-      throws Pvp2InternalErrorException, SecurityException, Exception {
-
-    final String authnReqPath = "/data/Response_without_sig_1.xml";
-    final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml";
-    final String spEntityId = metadataPath;
-
-    final Pair<Response, IPvp2MetadataProvider> inputMsg =
-        initializeResponse(spEntityId, metadataPath, authnReqPath,
-            credentialProvider.getMetaDataSigningCredential());
-
-    verifyEngine.verifyIdpResponse(inputMsg.getFirst(),
-        TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
-
-  }
-
-  @Test
-  public void verifySpResponse()
-      throws Pvp2InternalErrorException, SecurityException, Exception {
+  public void validateSamlInvalidRequest() throws SecurityException, Exception {
 
-    final String authnReqPath = "/data/Response_without_sig_1.xml";
-    final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml";
+    final String authnReqPath = "/data/AuthRequest_without_sig_missing_id.xml";
+    final String metadataPath = getMetadataJunitJKeystore();
     final String spEntityId = metadataPath;
 
-    final Pair<Response, IPvp2MetadataProvider> inputMsg =
-        initializeResponse(spEntityId, metadataPath, authnReqPath,
+    final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg =
+        initializeAuthnRequest(spEntityId, metadataPath, authnReqPath,
             credentialProvider.getMetaDataSigningCredential());
 
-    verifyEngine.verifySloResponse(inputMsg.getFirst(),
-        TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
-
-  }
-
-  @Test
-  public void verifyResponseWithoutId() throws Pvp2InternalErrorException, SecurityException, Exception {
-
-    final String authnReqPath = "/data/Response_with_sig_1.xml";
-    final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml";
-    final String spEntityId = metadataPath;
-
-    final Pair<Response, IPvp2MetadataProvider> inputMsg =
-        initializeResponse(spEntityId, metadataPath, authnReqPath,
-            credentialProvider.getMetaDataSigningCredential());
+    metadataProvider.addMetadataResolverIntoChain(inputMsg.getSecond());
 
-    final PvpSProfileResponse msg = new PvpSProfileResponse(
-        inputMsg.getFirst());
+    final PvpSProfileRequest msg = new PvpSProfileRequest(
+        inputMsg.getFirst(),
+        SAMLConstants.SAML2_POST_BINDING_URI);
     msg.setEntityID(spEntityId);
 
     try {
       verifyEngine.verify(msg,
           TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
-      org.junit.Assert.fail("Wrong XML schema not detected");
+      org.junit.Assert.fail("invalid request not detected");
 
     } catch (final Exception e) {
       Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType");
@@ -281,37 +142,10 @@ public class SamlVerificationEngineTest {
   }
 
   @Test
-  public void verifyResponseWrongTrust() throws Pvp2InternalErrorException, SecurityException, Exception {
-
-    final String authnReqPath = "/data/Response_without_sig_1.xml";
-    final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
-    final String spEntityId = metadataPath;
-
-    final Pair<Response, IPvp2MetadataProvider> inputMsg =
-        initializeResponse(spEntityId, metadataPath, authnReqPath,
-            credentialProvider.getMetaDataSigningCredential());
-
-    final PvpSProfileResponse msg = new PvpSProfileResponse(
-        inputMsg.getFirst());
-    msg.setEntityID(spEntityId);
-
-    try {
-      verifyEngine.verify(msg,
-          TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
-      org.junit.Assert.fail("No TrustedCert not detected");
-
-    } catch (final Exception e) {
-      Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType");
-      org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.10", ((EaafException) e).getErrorId());
-
-    }
-  }
-
-  @Test
   public void verifyAssertionSucessNotEncrypted() throws SamlSigningException, Pvp2MetadataException,
       CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption {
     final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
-    final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+    final String metadataPath = getMetadataJunitJKeystore();
     final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/";
 
     final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -328,7 +162,7 @@ public class SamlVerificationEngineTest {
   public void verifyAssertionWrongAudiency() throws SamlSigningException, Pvp2MetadataException,
       CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption {
     final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
-    final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+    final String metadataPath = getMetadataJunitJKeystore();
     final String spEntityId = "https://demo.egiz.gv.at/";
 
     final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -349,7 +183,7 @@ public class SamlVerificationEngineTest {
   public void verifyAssertionWrongStatusCode() throws SamlSigningException, Pvp2MetadataException,
       CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption {
     final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
-    final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+    final String metadataPath = getMetadataJunitJKeystore();
     final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/";
 
     final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -374,7 +208,7 @@ public class SamlVerificationEngineTest {
   public void verifyAssertionWrongIssueInstant() throws SamlSigningException, Pvp2MetadataException,
       CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption {
     final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
-    final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+    final String metadataPath = getMetadataJunitJKeystore();
     final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/";
 
     final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -399,7 +233,7 @@ public class SamlVerificationEngineTest {
   public void verifyAssertionNoContitions() throws SamlSigningException, Pvp2MetadataException,
       CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption {
     final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
-    final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+    final String metadataPath = getMetadataJunitJKeystore();
     final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/";
 
     final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -424,7 +258,7 @@ public class SamlVerificationEngineTest {
   public void verifyAssertionWrongContitions() throws SamlSigningException, Pvp2MetadataException,
       CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption {
     final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
-    final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+    final String metadataPath = getMetadataJunitJKeystore();
     final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/";
 
     final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -448,7 +282,7 @@ public class SamlVerificationEngineTest {
   public void verifyAssertionWrongContitionsAudienceRestrictions() throws SamlSigningException, Pvp2MetadataException,
       CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption {
     final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
-    final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+    final String metadataPath = getMetadataJunitJKeystore();
     final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/";
 
     final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -475,7 +309,7 @@ public class SamlVerificationEngineTest {
   public void verifyAssertionWrongContitionsNotBefore() throws SamlSigningException, Pvp2MetadataException,
       CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption {
     final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
-    final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+    final String metadataPath = getMetadataJunitJKeystore();
     final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/";
 
     final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -501,7 +335,7 @@ public class SamlVerificationEngineTest {
   public void verifyAssertionWrongContitionsNotOnOrAfter() throws SamlSigningException, Pvp2MetadataException,
       CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption {
     final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
-    final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+    final String metadataPath = getMetadataJunitJKeystore();
     final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/";
 
     final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -527,7 +361,7 @@ public class SamlVerificationEngineTest {
   public void verifyAssertionValidContitions() throws SamlSigningException, Pvp2MetadataException,
       CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption {
     final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
-    final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+    final String metadataPath = getMetadataJunitJKeystore();
     final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/";
 
     final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -548,7 +382,7 @@ public class SamlVerificationEngineTest {
   public void verifyEncAssertionWrongKey() throws SamlSigningException, Pvp2MetadataException,
       CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption {
     final String authnReqPath = "/data/Asserion_enc_no_key.xml";
-    final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+    final String metadataPath = getMetadataJunitJKeystore();
     final String spEntityId = "https://eid.a-sit.at/Shibboleth.sso/";
 
     final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -569,7 +403,7 @@ public class SamlVerificationEngineTest {
   @Test
   public void verifyEncAssertion() throws Exception {
     final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
-    final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+    final String metadataPath = getMetadataJunitJKeystore();
     final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/";
 
     final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -602,7 +436,7 @@ public class SamlVerificationEngineTest {
   @Test
   public void verifyEncAssertionWrongSchema() throws Exception {
     final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
-    final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+    final String metadataPath = getMetadataJunitJKeystore();
     final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/";
 
     final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -636,85 +470,4 @@ public class SamlVerificationEngineTest {
 
   }
 
-  private Pair<Response, IPvp2MetadataProvider> initializeResponse(String spEntityId, String metadataPath,
-      String authnReqPath, EaafX509Credential credential)
-          throws SamlSigningException, XMLParserException, UnmarshallingException, Pvp2MetadataException {
-    final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider(
-        metadataPath, null, "jUnit metadata resolver", null);
-
-    final Response authnReq = (Response) XMLObjectSupport.unmarshallFromInputStream(
-        XMLObjectProviderRegistrySupport.getParserPool(),
-        SamlVerificationEngineTest.class.getResourceAsStream(authnReqPath));
-    authnReq.setIssueInstant(DateTime.now());
-    final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class);
-    issuer.setValue(spEntityId);
-    authnReq.setIssuer(issuer);
-
-    return Pair.newInstance(
-        Saml2Utils.signSamlObject(authnReq, credential, true),
-        mdResolver);
-  }
-
-  private Pair<AuthnRequest, IPvp2MetadataProvider> initializeAuthnRequest(String spEntityId,
-      String metadataPath, String authnReqPath, EaafX509Credential credential)
-      throws SamlSigningException, CredentialsNotAvailableException,
-      XMLParserException, UnmarshallingException, Pvp2InternalErrorException, Pvp2MetadataException {
-
-    final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider(
-        metadataPath, null, "jUnit metadata resolver", null);
-
-    final AuthnRequest authnReq = (AuthnRequest) XMLObjectSupport.unmarshallFromInputStream(
-        XMLObjectProviderRegistrySupport.getParserPool(),
-        SamlVerificationEngineTest.class.getResourceAsStream(authnReqPath));
-    authnReq.setIssueInstant(DateTime.now());
-    final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class);
-    issuer.setValue(spEntityId);
-    authnReq.setIssuer(issuer);
-
-    return Pair.newInstance(
-        Saml2Utils.signSamlObject(authnReq, credential, true),
-        mdResolver);
-
-  }
-
-  private static EncryptedAssertion doEncryption(Assertion assertion,
-      X509Credential encryptionCredentials, IConfiguration authConfig)
-      throws Exception {
-    try {
-      final String keyEncAlg = Saml2Utils.getKeyOperationAlgorithmFromCredential(
-          encryptionCredentials,
-          authConfig.getBasicConfiguration(
-              PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_KEY_RSA_ALG,
-              PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_RSA),
-          authConfig.getBasicConfiguration(
-              PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_KEY_EC_ALG,
-              PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_EC));
-
-      final DataEncryptionParameters dataEncParams = new DataEncryptionParameters();
-      dataEncParams.setAlgorithm(authConfig.getBasicConfiguration(
-          PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_DATA, PvpConstants.DEFAULT_SYM_ENCRYPTION_METHODE));
-
-      final List<KeyEncryptionParameters> keyEncParamList = new ArrayList<>();
-      final KeyEncryptionParameters keyEncParam = new KeyEncryptionParameters();
-      keyEncParam.setEncryptionCredential(encryptionCredentials);
-      keyEncParam.setAlgorithm(keyEncAlg);
-
-      final KeyInfoGeneratorFactory kigf =
-          SecurityConfigurationSupport.getGlobalEncryptionConfiguration()
-              .getKeyTransportKeyInfoGeneratorManager().getDefaultManager().getFactory(encryptionCredentials);
-      keyEncParam.setKeyInfoGenerator(kigf.newInstance());
-      keyEncParamList.add(keyEncParam);
-
-      final Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList);
-      samlEncrypter.setKeyPlacement(KeyPlacement.PEER);
-
-      return samlEncrypter.encrypt(assertion);
-
-    } catch (final EncryptionException | SamlSigningException e1) {
-      throw new Exception(e1);
-
-    }
-
-  }
-
 }
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java
new file mode 100644
index 00000000..95f63003
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java
@@ -0,0 +1,69 @@
+package at.gv.egiz.eaaf.modules.pvp2.test;
+
+import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.opensaml.xmlsec.signature.support.SignatureConstants;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.TestPropertySource;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration({ "/spring/test_eaaf_pvp.beans.xml",
+    "/spring/test_eaaf_core_spring_config.beans.xml" })
+@TestPropertySource(locations = { "/config/config_3.props" })
+public class SamlVerificationEngineWithHsmFacadeTest extends AbstractSamlVerificationEngine {
+
+  @Override
+  protected String getMetadataClassPathEntityPath() {
+    return "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml";
+
+  }
+
+  @Override
+  protected String getMetadataJunitJKeystore() {
+    return "classpath:/data/pvp_metadata_junit_keystore.xml";
+  }
+
+  @Override
+  protected String getAuthnRequestWithoutSigPath() {
+    return "/data/AuthRequest_without_sig_1.xml";
+
+  }
+
+  @Override
+  protected String getResponseWithSigPath() {
+    return "/data/Response_with_sig_1.xml";
+  }
+
+  @Override
+  protected String getResponseWithoutSigPath() {
+    return "/data/Response_without_sig_1.xml";
+  }
+
+  @Test
+  public void validateSamlRequestWrongSignatureAlg() throws SecurityException, Exception {
+
+    final String authnReqPath = getAuthnRequestWithoutSigPath();
+    final String metadataPath = getMetadataJunitJKeystore();
+    final String spEntityId = metadataPath;
+
+    metadataProvider.runGarbageCollector();
+
+    final EaafX509Credential cred = credentialProvider.getMetaDataSigningCredential();
+    cred.setSignatureAlgorithmForSigning(SignatureConstants.ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5);
+    try {
+      initializeAuthnRequest(spEntityId, metadataPath, authnReqPath,
+          cred);
+      org.junit.Assert.fail("Wrong SigAlg not detected");
+
+    } catch (final SamlSigningException e) {
+      org.junit.Assert.assertEquals("Wrong errorCode", "internal.pvp.96", e.getErrorId());
+
+    }
+  }
+
+
+}
author	Thomas Lenz <thomas.lenz@egiz.gv.at>	2020-02-17 17:03:28 +0100
committer	Thomas Lenz <thomas.lenz@egiz.gv.at>	2020-02-17 17:03:28 +0100
commit	7848c74de2cdafed8bee69d1d5b8e5efa7535bc6 (patch)
tree	41fb7aeb440982fc3c25f8fa91cd2d7186471a1b /eaaf_modules/eaaf_module_pvp2_core/src/test/java/at
parent	3b7eb43b0df868e492ccd7ad2daca5e4c0053bb2 (diff)
download	EAAF-Components-7848c74de2cdafed8bee69d1d5b8e5efa7535bc6.tar.gz EAAF-Components-7848c74de2cdafed8bee69d1d5b8e5efa7535bc6.tar.bz2 EAAF-Components-7848c74de2cdafed8bee69d1d5b8e5efa7535bc6.zip