Port more test vectors to kotlin

pgpainless-wot/build.gradle

@@ -34,16 +34,19 @@ dependencies {
     testFixturesImplementation "org.junit.jupiter:junit-jupiter-api:$junitVersion"
     testFixturesImplementation "org.junit.jupiter:junit-jupiter-params:$junitVersion"
     testFixturesRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion"
+    testFixturesApi(project(":pgpainless-core"))
 
     // Logging
     testImplementation "ch.qos.logback:logback-classic:$logbackVersion"
 
-    implementation(project(":pgpainless-core"))
-    api(project(":wot-dijkstra"))
-
     // Certificate store
     api "org.pgpainless:pgp-certificate-store:$certDJavaVersion"
-    api "org.pgpainless:pgpainless-cert-d:$pgpainlessCertDVersion"
+    api ("org.pgpainless:pgpainless-cert-d:$pgpainlessCertDVersion") {
+        exclude(group: "org.pgpainless", module: "pgpainless-core")
+    }
+
+    implementation(project(":pgpainless-core"))
+    api(project(":wot-dijkstra"))
 }
 
 test {

pgpainless-wot/src/test/kotlin/org/pgpainless/wot/AdHocTest.kt

@@ -0,0 +1,14 @@
+package org.pgpainless.wot
+
+import org.junit.jupiter.api.Test
+import org.pgpainless.wot.testfixtures.AdHocVectors
+
+class AdHocTest {
+
+    @Test
+    fun test() {
+        val store = AdHocVectors.BestViaRoot().pgpCertificateStore
+        val wot = WebOfTrust(store).also { it.initialize() }
+        val network = wot.network
+    }
+}

pgpainless-wot/src/test/kotlin/org/pgpainless/wot/WebOfTrustTest.kt

@@ -20,11 +20,11 @@ import kotlin.test.Test
 
 class WebOfTrustTest {
 
-    private val fooBankCa = fingerprintOf(WotTestVectors.getTestVectors().freshFooBankCaCert)
-    private val fooBankEmployee = fingerprintOf(WotTestVectors.getTestVectors().freshFooBankEmployeeCert)
-    private val fooBankAdmin = fingerprintOf(WotTestVectors.getTestVectors().freshFooBankAdminCert)
-    private val barBankCa = fingerprintOf(WotTestVectors.getTestVectors().freshBarBankCaCert)
-    private val barBankEmployee = fingerprintOf(WotTestVectors.getTestVectors().freshBarBankEmployeeCert)
+    private val fooBankCa = fingerprintOf(WotTestVectors.freshFooBankCaCert)
+    private val fooBankEmployee = fingerprintOf(WotTestVectors.freshFooBankEmployeeCert)
+    private val fooBankAdmin = fingerprintOf(WotTestVectors.freshFooBankAdminCert)
+    private val barBankCa = fingerprintOf(WotTestVectors.freshBarBankCaCert)
+    private val barBankEmployee = fingerprintOf(WotTestVectors.freshBarBankEmployeeCert)
 
     private fun fingerprintOf(cert: PGPPublicKeyRing): Fingerprint {
         return Fingerprint(OpenPgpFingerprint.of(cert).toString())

pgpainless-wot/src/testFixtures/java/org/pgpainless/wot/testfixtures/WotTestVectors.java

@@ -1,290 +0,0 @@
-// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package org.pgpainless.wot.testfixtures;
-
-import java.io.IOException;
-import java.io.InputStream;
-
-import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPPublicKeyRing;
-import org.bouncycastle.openpgp.PGPSecretKeyRing;
-import org.pgpainless.PGPainless;
-import org.pgpainless.algorithm.Trustworthiness;
-import org.pgpainless.key.protection.SecretKeyRingProtector;
-import org.pgpainless.signature.subpackets.CertificationSubpackets;
-import org.pgpainless.util.Passphrase;
-
-public class WotTestVectors {
-
-    private static WotTestVectors INSTANCE = null;
-
-    public static WotTestVectors getTestVectors() {
-        if (INSTANCE == null) {
-            INSTANCE = new WotTestVectors();
-        }
-        return INSTANCE;
-    }
-
-    public PGPSecretKeyRing getFreshFooBankCaKey() throws IOException {
-        return PGPainless.readKeyRing().secretKeyRing(getTestResourceInputStream("test_vectors/freshly_generated/foobankCaKey.asc"));
-    }
-
-    public PGPPublicKeyRing getFreshFooBankCaCert() throws IOException {
-        return PGPainless.readKeyRing().publicKeyRing(getTestResourceInputStream("test_vectors/freshly_generated/foobankCaCert.asc"));
-    }
-
-    public String getFooBankCaPassphrase() {
-        return "superS3cureP4ssphrase";
-    }
-
-    public SecretKeyRingProtector getFooBankCaProtector() {
-        return SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword(getFooBankCaPassphrase()));
-    }
-
-    public PGPSecretKeyRing getFreshFooBankEmployeeKey() throws IOException {
-        return PGPainless.readKeyRing().secretKeyRing(getTestResourceInputStream("test_vectors/freshly_generated/foobankEmployeeKey.asc"));
-    }
-
-    public PGPPublicKeyRing getFreshFooBankEmployeeCert() throws IOException {
-        return PGPainless.readKeyRing().publicKeyRing(getTestResourceInputStream("test_vectors/freshly_generated/foobankEmployeeCert.asc"));
-    }
-
-    public String getFooBankEmployeePassphrase() {
-        return "iLoveWorking@FooBank";
-    }
-
-    public SecretKeyRingProtector getFooBankEmployeeProtector() {
-        return SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword(getFooBankEmployeePassphrase()));
-    }
-
-    public PGPSecretKeyRing getFreshFooBankAdminKey() throws IOException {
-        return PGPainless.readKeyRing().secretKeyRing(getTestResourceInputStream("test_vectors/freshly_generated/foobankAdminKey.asc"));
-    }
-
-    public PGPPublicKeyRing getFreshFooBankAdminCert() throws IOException {
-        return PGPainless.readKeyRing().publicKeyRing(getTestResourceInputStream("test_vectors/freshly_generated/foobankAdminCert.asc"));
-    }
-
-    public String getFooBankAdminPassphrase() {
-        return "keepFooBankSecure";
-    }
-
-    public SecretKeyRingProtector getFooBankAdminProtector() {
-        return SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword(getFooBankAdminPassphrase()));
-    }
-
-    public PGPSecretKeyRing getFreshFooBankCustomerKey() throws IOException {
-        return PGPainless.readKeyRing().secretKeyRing(getTestResourceInputStream("test_vectors/freshly_generated/foobankCustomerKey.asc"));
-    }
-
-    public PGPPublicKeyRing getFreshFooBankCustomerCert() throws IOException {
-        return PGPainless.readKeyRing().publicKeyRing(getTestResourceInputStream("test_vectors/freshly_generated/foobankCustomerCert.asc"));
-    }
-
-    public PGPSecretKeyRing getFreshBarBankCaKey() throws IOException {
-        return PGPainless.readKeyRing().secretKeyRing(getTestResourceInputStream("test_vectors/freshly_generated/barbankCaKey.asc"));
-    }
-
-    public PGPPublicKeyRing getFreshBarBankCaCert() throws IOException {
-        return PGPainless.readKeyRing().publicKeyRing(getTestResourceInputStream("test_vectors/freshly_generated/barbankCaCert.asc"));
-    }
-
-    public PGPSecretKeyRing getFreshBarBankEmployeeKey() throws IOException {
-        return PGPainless.readKeyRing().secretKeyRing(getTestResourceInputStream("test_vectors/freshly_generated/barbankEmployeeKey.asc"));
-    }
-
-    public PGPPublicKeyRing getFreshBarBankEmployeeCert() throws IOException {
-        return PGPainless.readKeyRing().publicKeyRing(getTestResourceInputStream("test_vectors/freshly_generated/barbankEmployeeCert.asc"));
-    }
-
-    public PGPSecretKeyRing getFreshFakeFooBankEmployeeKey() throws IOException {
-        return PGPainless.readKeyRing().secretKeyRing(getTestResourceInputStream("test_vectors/freshly_generated/fakeFoobankEmployeeKey.asc"));
-    }
-
-    public PGPPublicKeyRing getFreshFakeFooBankEmployeeCert() throws IOException {
-        return PGPainless.readKeyRing().publicKeyRing(getTestResourceInputStream("test_vectors/freshly_generated/fakeFoobankEmployeeCert.asc"));
-    }
-
-    public PGPPublicKeyRing getCrossSignedBarBankCaCert() throws IOException {
-        return PGPainless.readKeyRing().publicKeyRing(getTestResourceInputStream("cross_signed/barbankCaCert.asc"));
-    }
-
-    public PGPPublicKeyRing getCrossSignedBarBankEmployeeCert() throws IOException {
-        return PGPainless.readKeyRing().publicKeyRing(getTestResourceInputStream("cross_signed/barbankEmployeeCert.asc"));
-    }
-
-    public PGPPublicKeyRing getCrossSignedFooBankAdminCert() throws IOException {
-        return PGPainless.readKeyRing().publicKeyRing(getTestResourceInputStream("cross_signed/foobankAdminCert.asc"));
-    }
-
-    public PGPPublicKeyRing getCrossSignedFooBankCaCert() throws IOException {
-        return PGPainless.readKeyRing().publicKeyRing(getTestResourceInputStream("cross_signed/foobankCaCert.asc"));
-    }
-
-    public PGPPublicKeyRing getCrossSignedFooBankEmployeeCert() throws IOException {
-        return PGPainless.readKeyRing().publicKeyRing(getTestResourceInputStream("cross_signed/foobankEmployeeCert.asc"));
-    }
-
-    public static void main(String[] args) throws PGPException, IOException {
-        new WotTestVectors().crossSign();
-    }
-
-    // Generate cross signed test vectors from freshly generated
-    public void crossSign() throws IOException, PGPException {
-        PGPSecretKeyRing freshFooBankCaKey = getFreshFooBankCaKey();
-        PGPPublicKeyRing freshFooBankCaCert = getFreshFooBankCaCert();
-
-        PGPSecretKeyRing freshFooBankEmployeeKey = getFreshFooBankEmployeeKey();
-        PGPPublicKeyRing freshFooBankEmployeeCert = getFreshFooBankEmployeeCert();
-
-        PGPSecretKeyRing freshFooBankAdminKey = getFreshFooBankAdminKey();
-        PGPPublicKeyRing freshFooBankAdminCert = getFreshFooBankAdminCert();
-
-        PGPSecretKeyRing freshFooBankCustomerKey = getFreshFooBankCustomerKey();
-        PGPPublicKeyRing freshFooBankCustomerCert = getFreshFooBankCustomerCert();
-
-        PGPSecretKeyRing freshBarBankCaKey = getFreshBarBankCaKey();
-        PGPPublicKeyRing freshBarBankCaCert = getFreshBarBankCaCert();
-
-        PGPSecretKeyRing freshBarBankEmployeeKey = getFreshBarBankEmployeeKey();
-        PGPPublicKeyRing freshBarBankEmployeeCert = getFreshBarBankEmployeeCert();
-
-        PGPSecretKeyRing freshFakeFooBankEmployeeKey = getFreshFakeFooBankEmployeeKey();
-        PGPPublicKeyRing freshFakeFooBankEmployeeCert = getFreshFakeFooBankEmployeeCert();
-
-        final String fooBankRegex = "<[^>]+[@.]foobank\\.com>$";
-        final String barBankRegex = "<[^>]+[@.]barbank\\.com>$";
-
-        // Foo CA signs Foo Employee
-        PGPPublicKeyRing caCertifiedFooBankEmployeeCert = PGPainless.certify()
-                .userIdOnCertificate("Foo Bank Employee <employee@foobank.com>", freshFooBankEmployeeCert)
-                .withKey(freshFooBankCaKey, getFooBankCaProtector())
-                .buildWithSubpackets(new CertificationSubpackets.Callback() {
-                    @Override
-                    public void modifyHashedSubpackets(CertificationSubpackets hashedSubpackets) {
-                        hashedSubpackets.addNotationData(false, "affiliation@foobank.com", "employee");
-                    }
-                })
-                .getCertifiedCertificate();
-
-        // Foo CA signs Foo Admin
-        PGPPublicKeyRing caCertifiedFooBankAdminCert = PGPainless.certify()
-                .userIdOnCertificate("Foo Bank Admin <admin@foobank.com>", freshFooBankAdminCert)
-                .withKey(freshFooBankCaKey, getFooBankCaProtector())
-                .buildWithSubpackets(new CertificationSubpackets.Callback() {
-                    @Override
-                    public void modifyHashedSubpackets(CertificationSubpackets hashedSubpackets) {
-                        hashedSubpackets.addNotationData(false, "affiliation@foobank.com", "administrator");
-                    }
-                })
-                .getCertifiedCertificate();
-
-        // Foo Employee delegates trust to Foo CA
-        PGPPublicKeyRing employeeDelegatedCaCert = PGPainless.certify()
-                .certificate(freshFooBankCaCert, Trustworthiness.fullyTrusted().introducer())
-                .withKey(freshFooBankEmployeeKey, getFooBankEmployeeProtector())
-                .buildWithSubpackets(new CertificationSubpackets.Callback() {
-                    @Override
-                    public void modifyHashedSubpackets(CertificationSubpackets hashedSubpackets) {
-                        hashedSubpackets.setRegularExpression(fooBankRegex);
-                    }
-                })
-                .getCertifiedCertificate();
-
-        // Foo Admin delegates trust to Foo CA
-        PGPPublicKeyRing adminDelegatedCaCert = PGPainless.certify()
-                .certificate(freshFooBankCaCert, Trustworthiness.fullyTrusted().introducer())
-                .withKey(freshFooBankAdminKey, getFooBankAdminProtector())
-                .buildWithSubpackets(new CertificationSubpackets.Callback() {
-                    @Override
-                    public void modifyHashedSubpackets(CertificationSubpackets hashedSubpackets) {
-                        hashedSubpackets.setRegularExpression(fooBankRegex);
-                    }
-                })
-                .getCertifiedCertificate();
-
-        // Customer delegates trust to Foo CA
-        PGPPublicKeyRing customerDelegatedCaCert = PGPainless.certify()
-                .certificate(freshFooBankCaCert, Trustworthiness.fullyTrusted().introducer())
-                .withKey(freshFooBankCustomerKey, SecretKeyRingProtector.unprotectedKeys())
-                .buildWithSubpackets(new CertificationSubpackets.Callback() {
-                    @Override
-                    public void modifyHashedSubpackets(CertificationSubpackets hashedSubpackets) {
-                        hashedSubpackets.setRegularExpression(fooBankRegex);
-                    }
-                })
-                .getCertifiedCertificate();
-
-        PGPPublicKeyRing mergedFooCa = PGPPublicKeyRing.join(employeeDelegatedCaCert, adminDelegatedCaCert);
-        mergedFooCa = PGPPublicKeyRing.join(mergedFooCa, customerDelegatedCaCert);
-
-        // Foo Admin delegates trust to Bar CA
-        PGPPublicKeyRing fooAdminDelegatedBarCa = PGPainless.certify()
-                .certificate(freshBarBankCaCert, Trustworthiness.fullyTrusted().introducer())
-                .withKey(freshFooBankAdminKey, getFooBankAdminProtector())
-                .buildWithSubpackets(new CertificationSubpackets.Callback() {
-                    @Override
-                    public void modifyHashedSubpackets(CertificationSubpackets hashedSubpackets) {
-                        hashedSubpackets.setRegularExpression("<[^>]+[@.]barbank\\.com>$");
-                    }
-                }).getCertifiedCertificate();
-
-        // Bar Employee delegates Bar CA
-        PGPPublicKeyRing barEmployeeDelegatesBarCa = PGPainless.certify()
-                .certificate(freshBarBankCaCert, Trustworthiness.fullyTrusted().introducer())
-                .withKey(freshBarBankEmployeeKey, SecretKeyRingProtector.unprotectedKeys())
-                .buildWithSubpackets(new CertificationSubpackets.Callback() {
-                    @Override
-                    public void modifyHashedSubpackets(CertificationSubpackets hashedSubpackets) {
-                        hashedSubpackets.setRegularExpression(barBankRegex);
-                    }
-                })
-                .getCertifiedCertificate();
-
-        PGPPublicKeyRing mergedBarCa = PGPPublicKeyRing.join(fooAdminDelegatedBarCa, barEmployeeDelegatesBarCa);
-
-        // Bar CA signs Bar Employee
-        PGPPublicKeyRing barCaCertifiedEmployeeCert = PGPainless.certify()
-                .userIdOnCertificate("Bar Bank Employee <employee@barbank.com>", freshBarBankEmployeeCert)
-                .withKey(freshBarBankCaKey, SecretKeyRingProtector.unprotectedKeys())
-                .buildWithSubpackets(new CertificationSubpackets.Callback() {
-                    @Override
-                    public void modifyHashedSubpackets(CertificationSubpackets hashedSubpackets) {
-                        hashedSubpackets.addNotationData(false, "affiliation@barbank.com", "employee");
-                    }
-                })
-                .getCertifiedCertificate();
-
-        // CHECKSTYLE:OFF
-        System.out.println("Foo Employee");
-        System.out.println(PGPainless.asciiArmor(caCertifiedFooBankEmployeeCert));
-
-        System.out.println("Foo Admin");
-        System.out.println(PGPainless.asciiArmor(caCertifiedFooBankAdminCert));
-
-        System.out.println("Foo CA");
-        System.out.println(PGPainless.asciiArmor(mergedFooCa));
-
-        System.out.println("Bar CA");
-        System.out.println(PGPainless.asciiArmor(mergedBarCa));
-
-        System.out.println("Bar Employee");
-        System.out.println(PGPainless.asciiArmor(barCaCertifiedEmployeeCert));
-        // CHECKSTYLE:ON
-    }
-
-    private static InputStream getTestResourceInputStream(String resource) {
-        InputStream inputStream = WotTestVectors.class.getClassLoader().getResourceAsStream(resource);
-        if (inputStream == null) {
-            throw new IllegalArgumentException(String.format("Unknown resource %s", resource));
-        }
-        return inputStream;
-    }
-
-    public PGPPublicKeyRing getFelixKey()
-            throws IOException {
-        return PGPainless.readKeyRing().publicKeyRing(getTestResourceInputStream("test_vectors/anomalies/felix.pub"));
-    }
-}

pgpainless-wot/src/testFixtures/kotlin/org/pgpainless/wot/testfixtures/AdHocVectors.kt

@@ -0,0 +1,113 @@
+package org.pgpainless.wot.testfixtures
+
+import org.bouncycastle.openpgp.PGPKeyRing
+import org.bouncycastle.openpgp.PGPPublicKeyRing
+import org.bouncycastle.openpgp.PGPPublicKeyRingCollection
+import org.bouncycastle.openpgp.PGPSecretKeyRing
+import org.pgpainless.PGPainless
+import org.pgpainless.key.OpenPgpFingerprint
+import org.pgpainless.key.generation.type.rsa.RsaLength
+import org.pgpainless.key.protection.SecretKeyRingProtector
+import org.pgpainless.signature.subpackets.CertificationSubpackets
+import org.pgpainless.signature.subpackets.CertificationSubpackets.Callback
+import org.pgpainless.wot.KeyRingCertificateStore
+import org.pgpainless.wot.dijkstra.sq.Fingerprint
+import pgp.certificate_store.PGPCertificateStore
+
+interface AdHocVectors {
+
+    /**
+     * When doing backwards propagation, we find paths from all nodes to the
+     * target.  Since we don't stop when we reach a root, the returned path
+     * should still be optimal.  Consider:
+     *
+     * A --- 120/10 ---> B --- 120/10 ---> C --- 120/10 ---> Target
+     *  \                                                      /
+     *   `--- 50/10 ---> Y --- 50/10 ---> Z --- 50/10 --------'
+     * When the root is B, then the path that we find for A should be A -> B -> C -> Target, not A -> Y -> Z -> Target.
+     */
+    class BestViaRoot : AdHocVectors {
+        val aliceUID: String = "Alice <alice@pgpainless.org>"
+        val aliceKey: PGPSecretKeyRing = PGPainless.generateKeyRing().modernKeyRing(aliceUID)
+        val aliceCert = PGPPublicKeyRing(aliceKey)
+        val aliceFingerprint = Fingerprint(aliceKey)
+
+        val bobUID = "Bob <bob@pgpainless.org>"
+        val bobKey: PGPSecretKeyRing = PGPainless.generateKeyRing().simpleRsaKeyRing(bobUID, RsaLength._3072)
+        val bobCert = PGPPublicKeyRing(bobKey)
+        val bobFingerprint = Fingerprint(bobKey)
+
+        val carolUID = "Carol <carol@example.com>"
+        val carolKey: PGPSecretKeyRing = PGPainless.generateKeyRing().simpleEcKeyRing(carolUID)
+        val carolCert = PGPPublicKeyRing(carolKey)
+        val carolFingerprint = Fingerprint(carolKey)
+
+        val targetUID = "Tanja <tanja@target.tld>"
+        val targetKey: PGPSecretKeyRing = PGPainless.generateKeyRing().modernKeyRing(targetUID)
+        val targetCert = PGPPublicKeyRing(targetKey)
+        val targetFingerprint = Fingerprint(targetKey)
+
+        val yellowUID = "Yellow <yellow@alternate.path>"
+        val yellowKey: PGPSecretKeyRing = PGPainless.generateKeyRing().modernKeyRing(yellowUID)
+        val yellowCert = PGPPublicKeyRing(yellowKey)
+        val yellowFingerprint = Fingerprint(yellowKey)
+
+        val zebraUID = "Zebra <zebra@alternate.path>"
+        val zebraKey: PGPSecretKeyRing = PGPainless.generateKeyRing().modernKeyRing(zebraUID)
+        val zebraCert = PGPPublicKeyRing(zebraKey)
+        val zebraFingerprint = Fingerprint(zebraKey)
+
+        override val publicKeyRingCollection: PGPPublicKeyRingCollection
+            get() {
+                val signedCerts = listOf(
+                        targetCert.let {
+                            // C ---120/10--> Target
+                            certify(issuer = carolKey, target = it, amount = 120, depth = 10)
+                        }.let {
+                            // Z ---50/10---> Target
+                            certify(issuer = zebraKey, target = it, amount = 50, depth = 10)
+                        },
+                        carolCert.let {
+                            // B ---120/10--> C
+                            certify(issuer = bobKey, target = it, amount = 120, depth = 10)
+                        },
+                        bobCert.let {
+                            // A ---120/10--> B
+                            certify(issuer = aliceKey, target = it, amount = 120, depth = 10)
+                        },
+                        zebraCert.let {
+                            // Y ---50/10--> Z
+                            certify(issuer = yellowKey, target = it, amount = 50, depth = 10)
+                        },
+                        yellowCert.let {
+                            // A ---50/10--> Y
+                            certify(issuer = aliceKey, target = it, amount = 50, depth = 10)
+                        })
+                return PGPPublicKeyRingCollection(signedCerts)
+            }
+    }
+
+    val publicKeyRingCollection: PGPPublicKeyRingCollection
+
+    val pgpCertificateStore: PGPCertificateStore
+        get() = KeyRingCertificateStore(publicKeyRingCollection)
+
+    fun certify(issuer: PGPSecretKeyRing,
+                target: PGPPublicKeyRing,
+                userId: String = target.publicKey.userIDs.next()!!,
+                amount: Int,
+                depth: Int): PGPPublicKeyRing = PGPainless.certify()
+            .userIdOnCertificate(userId, target)
+            .withKey(issuer, SecretKeyRingProtector.unprotectedKeys())
+            .buildWithSubpackets(object : Callback {
+                override fun modifyHashedSubpackets(hashedSubpackets: CertificationSubpackets?) {
+                    hashedSubpackets!!.setTrust(depth, amount)
+                }
+            }).certifiedCertificate
+
+    fun PGPPublicKeyRing(secretKey: PGPSecretKeyRing): PGPPublicKeyRing =
+            PGPainless.extractCertificate(secretKey)
+
+    fun Fingerprint(keyRing: PGPKeyRing): Fingerprint =
+            Fingerprint(OpenPgpFingerprint.of(keyRing).toString())
+}

pgpainless-wot/src/testFixtures/kotlin/org/pgpainless/wot/testfixtures/WotTestVectors.kt

@@ -0,0 +1,245 @@
+package org.pgpainless.wot.testfixtures
+
+import org.bouncycastle.openpgp.PGPException
+import org.bouncycastle.openpgp.PGPPublicKeyRing
+import org.bouncycastle.openpgp.PGPSecretKeyRing
+import org.pgpainless.PGPainless
+import org.pgpainless.algorithm.Trustworthiness
+import org.pgpainless.key.protection.SecretKeyRingProtector
+import org.pgpainless.signature.subpackets.CertificationSubpackets
+import org.pgpainless.util.Passphrase
+import java.io.IOException
+import java.io.InputStream
+
+class WotTestVectors {
+
+    companion object {
+
+        @JvmStatic
+        fun getTestResource(resource: String): InputStream {
+            val input = WotTestVectors::class.java.classLoader.getResourceAsStream(resource)
+            return requireNotNull(input) {
+                "Unknown resource $resource"
+            }
+        }
+
+        @JvmStatic
+        val freshFooBankCaKey: PGPSecretKeyRing = PGPainless.readKeyRing().secretKeyRing(
+                getTestResource("test_vectors/freshly_generated/foobankCaKey.asc"))!!
+
+        @JvmStatic
+        val freshFooBankCaCert: PGPPublicKeyRing = PGPainless.readKeyRing().publicKeyRing(
+                getTestResource("test_vectors/freshly_generated/foobankCaCert.asc"))!!
+
+        @JvmStatic
+        val fooBankCaPassphrase = "superS3cureP4ssphrase"
+
+        @JvmStatic
+        val fooBankCaProtector: SecretKeyRingProtector = SecretKeyRingProtector.unlockAnyKeyWith(
+                Passphrase.fromPassword(fooBankCaPassphrase))
+
+        @JvmStatic
+        val freshFooBankEmployeeKey: PGPSecretKeyRing = PGPainless.readKeyRing().secretKeyRing(
+                getTestResource("test_vectors/freshly_generated/foobankEmployeeKey.asc"))!!
+
+        @JvmStatic
+        val freshFooBankEmployeeCert: PGPPublicKeyRing = PGPainless.readKeyRing().publicKeyRing(
+                getTestResource("test_vectors/freshly_generated/foobankEmployeeCert.asc"))!!
+
+        @JvmStatic
+        val fooBankEmployeePassphrase = "iLoveWorking@FooBank"
+
+        @JvmStatic
+        val fooBankEmployeeProtector: SecretKeyRingProtector = SecretKeyRingProtector.unlockAnyKeyWith(
+                Passphrase.fromPassword(fooBankEmployeePassphrase))
+
+        @JvmStatic
+        val freshFooBankAdminKey: PGPSecretKeyRing = PGPainless.readKeyRing().secretKeyRing(
+                getTestResource("test_vectors/freshly_generated/foobankAdminKey.asc"))!!
+
+        @JvmStatic
+        val freshFooBankAdminCert: PGPPublicKeyRing = PGPainless.readKeyRing().publicKeyRing(
+                getTestResource("test_vectors/freshly_generated/foobankAdminCert.asc"))!!
+
+        @JvmStatic
+        val fooBankAdminPassphrase = "keepFooBankSecure"
+
+        @JvmStatic
+        val fooBankAdminProtector: SecretKeyRingProtector = SecretKeyRingProtector.unlockAnyKeyWith(
+                Passphrase.fromPassword(fooBankAdminPassphrase))
+
+        @JvmStatic
+        val freshFooBankCustomerKey: PGPSecretKeyRing = PGPainless.readKeyRing().secretKeyRing(
+                getTestResource("test_vectors/freshly_generated/foobankCustomerKey.asc"))!!
+
+        @JvmStatic
+        val freshFooBankCustomerCert: PGPPublicKeyRing = PGPainless.readKeyRing().publicKeyRing(
+                getTestResource("test_vectors/freshly_generated/foobankCustomerCert.asc"))!!
+
+        @JvmStatic
+        val fooBankCustomerProtector: SecretKeyRingProtector = SecretKeyRingProtector.unprotectedKeys()
+
+        @JvmStatic
+        val freshBarBankCaKey: PGPSecretKeyRing = PGPainless.readKeyRing().secretKeyRing(
+                getTestResource("test_vectors/freshly_generated/barbankCaKey.asc"))!!
+
+        @JvmStatic
+        val freshBarBankCaCert: PGPPublicKeyRing = PGPainless.readKeyRing().publicKeyRing(
+                getTestResource("test_vectors/freshly_generated/barbankCaCert.asc"))!!
+
+        @JvmStatic
+        val barBankCaProtector: SecretKeyRingProtector = SecretKeyRingProtector.unprotectedKeys()
+
+        @JvmStatic
+        val freshBarBankEmployeeKey: PGPSecretKeyRing = PGPainless.readKeyRing().secretKeyRing(
+                getTestResource("test_vectors/freshly_generated/barbankEmployeeKey.asc"))!!
+
+        @JvmStatic
+        val freshBarBankEmployeeCert: PGPPublicKeyRing = PGPainless.readKeyRing().publicKeyRing(
+                getTestResource("test_vectors/freshly_generated/barbankEmployeeCert.asc"))!!
+
+        @JvmStatic
+        val freshFakeFooBankEmployeeKey: PGPSecretKeyRing = PGPainless.readKeyRing().secretKeyRing(
+                getTestResource("test_vectors/freshly_generated/fakeFoobankEmployeeKey.asc"))!!
+
+        @JvmStatic
+        val freshFakeFooBankEmployeeCert: PGPPublicKeyRing = PGPainless.readKeyRing().publicKeyRing(
+                getTestResource("test_vectors/freshly_generated/fakeFoobankEmployeeCert.asc"))!!
+
+
+        @Throws(IOException::class)
+        fun getCrossSignedBarBankCaCert(): PGPPublicKeyRing? {
+            return PGPainless.readKeyRing().publicKeyRing(getTestResource("cross_signed/barbankCaCert.asc"))
+        }
+
+        @Throws(IOException::class)
+        fun getCrossSignedBarBankEmployeeCert(): PGPPublicKeyRing? {
+            return PGPainless.readKeyRing().publicKeyRing(getTestResource("cross_signed/barbankEmployeeCert.asc"))
+        }
+
+        @Throws(IOException::class)
+        fun getCrossSignedFooBankAdminCert(): PGPPublicKeyRing? {
+            return PGPainless.readKeyRing().publicKeyRing(getTestResource("cross_signed/foobankAdminCert.asc"))
+        }
+
+        @Throws(IOException::class)
+        fun getCrossSignedFooBankCaCert(): PGPPublicKeyRing? {
+            return PGPainless.readKeyRing().publicKeyRing(getTestResource("cross_signed/foobankCaCert.asc"))
+        }
+
+        @Throws(IOException::class)
+        fun getCrossSignedFooBankEmployeeCert(): PGPPublicKeyRing? {
+            return PGPainless.readKeyRing().publicKeyRing(getTestResource("cross_signed/foobankEmployeeCert.asc"))
+        }
+
+        // Generate cross signed test vectors from freshly generated
+        @Throws(IOException::class, PGPException::class)
+        fun crossSign() {
+            val fooBankRegex = "<[^>]+[@.]foobank\\.com>$"
+            val barBankRegex = "<[^>]+[@.]barbank\\.com>$"
+
+            // Foo CA signs Foo Employee
+            val caCertifiedFooBankEmployeeCert = PGPainless.certify()
+                    .userIdOnCertificate("Foo Bank Employee <employee@foobank.com>", freshFooBankEmployeeCert)
+                    .withKey(freshFooBankCaKey, fooBankCaProtector)
+                    .buildWithSubpackets(object : CertificationSubpackets.Callback {
+                        override fun modifyHashedSubpackets(hashedSubpackets: CertificationSubpackets) {
+                            hashedSubpackets.addNotationData(false, "affiliation@foobank.com", "employee")
+                        }
+                    })
+                    .certifiedCertificate
+
+            // Foo CA signs Foo Admin
+            val caCertifiedFooBankAdminCert = PGPainless.certify()
+                    .userIdOnCertificate("Foo Bank Admin <admin@foobank.com>", freshFooBankAdminCert)
+                    .withKey(freshFooBankCaKey, fooBankCaProtector)
+                    .buildWithSubpackets(object : CertificationSubpackets.Callback {
+                        override fun modifyHashedSubpackets(hashedSubpackets: CertificationSubpackets) {
+                            hashedSubpackets.addNotationData(false, "affiliation@foobank.com", "administrator")
+                        }
+                    })
+                    .certifiedCertificate
+
+            // Foo Employee delegates trust to Foo CA
+            val employeeDelegatedCaCert = PGPainless.certify()
+                    .certificate(freshFooBankCaCert, Trustworthiness.fullyTrusted().introducer())
+                    .withKey(freshFooBankEmployeeKey, fooBankEmployeeProtector)
+                    .buildWithSubpackets(object : CertificationSubpackets.Callback {
+                        override fun modifyHashedSubpackets(hashedSubpackets: CertificationSubpackets) {
+                            hashedSubpackets.setRegularExpression(fooBankRegex)
+                        }
+                    })
+                    .certifiedCertificate
+
+            // Foo Admin delegates trust to Foo CA
+            val adminDelegatedCaCert = PGPainless.certify()
+                    .certificate(freshFooBankCaCert, Trustworthiness.fullyTrusted().introducer())
+                    .withKey(freshFooBankAdminKey, fooBankAdminProtector)
+                    .buildWithSubpackets(object : CertificationSubpackets.Callback {
+                        override fun modifyHashedSubpackets(hashedSubpackets: CertificationSubpackets) {
+                            hashedSubpackets.setRegularExpression(fooBankRegex)
+                        }
+                    })
+                    .certifiedCertificate
+
+            // Customer delegates trust to Foo CA
+            val customerDelegatedCaCert = PGPainless.certify()
+                    .certificate(freshFooBankCaCert, Trustworthiness.fullyTrusted().introducer())
+                    .withKey(freshFooBankCustomerKey, SecretKeyRingProtector.unprotectedKeys())
+                    .buildWithSubpackets(object : CertificationSubpackets.Callback {
+                        override fun modifyHashedSubpackets(hashedSubpackets: CertificationSubpackets) {
+                            hashedSubpackets.setRegularExpression(fooBankRegex)
+                        }
+                    })
+                    .certifiedCertificate
+            var mergedFooCa = PGPPublicKeyRing.join(employeeDelegatedCaCert, adminDelegatedCaCert)
+            mergedFooCa = PGPPublicKeyRing.join(mergedFooCa, customerDelegatedCaCert)
+
+            // Foo Admin delegates trust to Bar CA
+            val fooAdminDelegatedBarCa = PGPainless.certify()
+                    .certificate(freshBarBankCaCert, Trustworthiness.fullyTrusted().introducer())
+                    .withKey(freshFooBankAdminKey, fooBankAdminProtector)
+                    .buildWithSubpackets(object : CertificationSubpackets.Callback {
+                        override fun modifyHashedSubpackets(hashedSubpackets: CertificationSubpackets) {
+                            hashedSubpackets.setRegularExpression("<[^>]+[@.]barbank\\.com>$")
+                        }
+                    }).certifiedCertificate
+
+            // Bar Employee delegates Bar CA
+            val barEmployeeDelegatesBarCa = PGPainless.certify()
+                    .certificate(freshBarBankCaCert, Trustworthiness.fullyTrusted().introducer())
+                    .withKey(freshBarBankEmployeeKey, SecretKeyRingProtector.unprotectedKeys())
+                    .buildWithSubpackets(object : CertificationSubpackets.Callback {
+                        override fun modifyHashedSubpackets(hashedSubpackets: CertificationSubpackets) {
+                            hashedSubpackets.setRegularExpression(barBankRegex)
+                        }
+                    })
+                    .certifiedCertificate
+            val mergedBarCa = PGPPublicKeyRing.join(fooAdminDelegatedBarCa, barEmployeeDelegatesBarCa)
+
+            // Bar CA signs Bar Employee
+            val barCaCertifiedEmployeeCert = PGPainless.certify()
+                    .userIdOnCertificate("Bar Bank Employee <employee@barbank.com>", freshBarBankEmployeeCert)
+                    .withKey(freshBarBankCaKey, SecretKeyRingProtector.unprotectedKeys())
+                    .buildWithSubpackets(object : CertificationSubpackets.Callback {
+                        override fun modifyHashedSubpackets(hashedSubpackets: CertificationSubpackets) {
+                            hashedSubpackets.addNotationData(false, "affiliation@barbank.com", "employee")
+                        }
+                    })
+                    .certifiedCertificate
+
+            // CHECKSTYLE:OFF
+            println("Foo Employee")
+            println(PGPainless.asciiArmor(caCertifiedFooBankEmployeeCert))
+            println("Foo Admin")
+            println(PGPainless.asciiArmor(caCertifiedFooBankAdminCert))
+            println("Foo CA")
+            println(PGPainless.asciiArmor(mergedFooCa))
+            println("Bar CA")
+            println(PGPainless.asciiArmor(mergedBarCa))
+            println("Bar Employee")
+            println(PGPainless.asciiArmor(barCaCertifiedEmployeeCert))
+            // CHECKSTYLE:ON
+        }
+    }
+}