added tests

dschadow · dschadow · commit 5e9ab49b990a · 2026-01-10T21:17:33.000+01:00
diff --git a/crypto-tink/pom.xml b/crypto-tink/pom.xml
@@ -39,5 +39,15 @@
             <artifactId>junit-jupiter</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-junit-jupiter</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 </project>
diff --git a/crypto-tink/src/main/java/de/dominikschadow/javasecurity/tink/aead/AesGcmWithAwsKmsSavedKey.java b/crypto-tink/src/main/java/de/dominikschadow/javasecurity/tink/aead/AesGcmWithAwsKmsSavedKey.java
@@ -46,12 +46,15 @@
  */
 public class AesGcmWithAwsKmsSavedKey {
     private static final String AWS_MASTER_KEY_URI = "aws-kms://arn:aws:kms:us-east-1:776241929911:key/7aeb00c6-d416-4130-bed1-a8ee6064d7d9";
-    private final AwsKmsClient awsKmsClient = new AwsKmsClient();
+    private final AwsKmsClient awsKmsClient;
 
     /**
-     * Init AeadConfig in the Tink library.
+     * Init AeadConfig in the Tink library with provided AwsKmsClient.
+     *
+     * @param awsKmsClient the AWS KMS client to use
      */
-    public AesGcmWithAwsKmsSavedKey() throws GeneralSecurityException {
+    public AesGcmWithAwsKmsSavedKey(AwsKmsClient awsKmsClient) throws GeneralSecurityException {
+        this.awsKmsClient = awsKmsClient;
         AeadConfig.register();
     }
 
diff --git a/crypto-tink/src/main/java/de/dominikschadow/javasecurity/tink/hybrid/EciesWithAwsKmsSavedKey.java b/crypto-tink/src/main/java/de/dominikschadow/javasecurity/tink/hybrid/EciesWithAwsKmsSavedKey.java
@@ -46,12 +46,15 @@
  */
 public class EciesWithAwsKmsSavedKey {
     private static final String AWS_MASTER_KEY_URI = "aws-kms://arn:aws:kms:us-east-1:776241929911:key/7aeb00c6-d416-4130-bed1-a8ee6064d7d9";
-    private final AwsKmsClient awsKmsClient = new AwsKmsClient();
+    private final AwsKmsClient awsKmsClient;
 
     /**
-     * Init HybridConfig in the Tink library.
+     * Init HybridConfig in the Tink library with provided AwsKmsClient.
+     *
+     * @param awsKmsClient the AWS KMS client to use
      */
-    public EciesWithAwsKmsSavedKey() throws GeneralSecurityException {
+    public EciesWithAwsKmsSavedKey(AwsKmsClient awsKmsClient) throws GeneralSecurityException {
+        this.awsKmsClient = awsKmsClient;
         HybridConfig.register();
     }
 
diff --git a/crypto-tink/src/test/java/de/dominikschadow/javasecurity/tink/aead/AesGcmWithAwsKmsSavedKeyTest.java b/crypto-tink/src/test/java/de/dominikschadow/javasecurity/tink/aead/AesGcmWithAwsKmsSavedKeyTest.java
@@ -17,44 +17,193 @@
  */
 package de.dominikschadow.javasecurity.tink.aead;
 
+import com.google.crypto.tink.Aead;
+import com.google.crypto.tink.KeyTemplates;
 import com.google.crypto.tink.KeysetHandle;
-import org.junit.jupiter.api.Assertions;
+import com.google.crypto.tink.aead.AeadConfig;
+import com.google.crypto.tink.integration.awskms.AwsKmsClient;
+import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.junit.jupiter.api.io.TempDir;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
 
 import java.io.File;
 import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
 
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertNotEquals;
+import static org.junit.jupiter.api.Assertions.*;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.*;
 
-@Disabled("These test require AWS KMS configuration")
+@ExtendWith(MockitoExtension.class)
 class AesGcmWithAwsKmsSavedKeyTest {
     private static final byte[] INITIAL_TEXT = "Some dummy text to work with".getBytes(StandardCharsets.UTF_8);
     private static final byte[] ASSOCIATED_DATA = "Some additional data".getBytes(StandardCharsets.UTF_8);
-    private static final String KEYSET_FILENAME = "src/test/resources/keysets/aead-aes-gcm-kms.json";
-    private final File keysetFile = new File(KEYSET_FILENAME);
-    private KeysetHandle secretKey;
+
+    @Mock
+    private AwsKmsClient awsKmsClient;
+
+    @TempDir
+    File tempDir;
 
     private AesGcmWithAwsKmsSavedKey aes;
+    private KeysetHandle testKeysetHandle;
+
+    @BeforeAll
+    static void initTink() throws GeneralSecurityException {
+        AeadConfig.register();
+    }
 
     @BeforeEach
-    protected void setup() throws Exception {
-        aes = new AesGcmWithAwsKmsSavedKey();
+    void setup() throws Exception {
+        aes = new AesGcmWithAwsKmsSavedKey(awsKmsClient);
+        testKeysetHandle = KeysetHandle.generateNew(KeyTemplates.get("AES128_GCM"));
+    }
 
-        aes.generateAndStoreKey(keysetFile);
-        secretKey = aes.loadKey(keysetFile);
+    @Test
+    void constructorInitializesSuccessfully() throws GeneralSecurityException {
+        AesGcmWithAwsKmsSavedKey instance = new AesGcmWithAwsKmsSavedKey(awsKmsClient);
+        assertNotNull(instance);
+    }
+
+    @Test
+    void constructorWithNullAwsKmsClientThrowsNoException() throws GeneralSecurityException {
+        // The constructor accepts null - validation happens later when using the client
+        AesGcmWithAwsKmsSavedKey instance = new AesGcmWithAwsKmsSavedKey(null);
+        assertNotNull(instance);
+    }
+
+    @Test
+    void encryptReturnsEncryptedData() throws Exception {
+        byte[] cipherText = aes.encrypt(testKeysetHandle, INITIAL_TEXT, ASSOCIATED_DATA);
+
+        assertNotNull(cipherText);
+        assertNotEquals(new String(INITIAL_TEXT, StandardCharsets.UTF_8), new String(cipherText, StandardCharsets.UTF_8));
     }
 
     @Test
-    void encryptionAndDecryptionWithValidInputsIsSuccessful() throws Exception {
-        byte[] cipherText = aes.encrypt(secretKey, INITIAL_TEXT, ASSOCIATED_DATA);
-        byte[] plainText = aes.decrypt(secretKey, cipherText, ASSOCIATED_DATA);
+    void encryptWithEmptyAssociatedDataSucceeds() throws Exception {
+        byte[] cipherText = aes.encrypt(testKeysetHandle, INITIAL_TEXT, new byte[0]);
+
+        assertNotNull(cipherText);
+        assertTrue(cipherText.length > 0);
+    }
 
-        Assertions.assertAll(
+    @Test
+    void decryptReturnsOriginalData() throws Exception {
+        byte[] cipherText = aes.encrypt(testKeysetHandle, INITIAL_TEXT, ASSOCIATED_DATA);
+        byte[] plainText = aes.decrypt(testKeysetHandle, cipherText, ASSOCIATED_DATA);
+
+        assertEquals(new String(INITIAL_TEXT, StandardCharsets.UTF_8), new String(plainText, StandardCharsets.UTF_8));
+    }
+
+    @Test
+    void decryptWithWrongAssociatedDataThrowsException() throws Exception {
+        byte[] cipherText = aes.encrypt(testKeysetHandle, INITIAL_TEXT, ASSOCIATED_DATA);
+        byte[] wrongAssociatedData = "Wrong associated data".getBytes(StandardCharsets.UTF_8);
+
+        assertThrows(GeneralSecurityException.class, () -> 
+            aes.decrypt(testKeysetHandle, cipherText, wrongAssociatedData)
+        );
+    }
+
+    @Test
+    void decryptWithCorruptedCipherTextThrowsException() throws Exception {
+        byte[] cipherText = aes.encrypt(testKeysetHandle, INITIAL_TEXT, ASSOCIATED_DATA);
+        // Corrupt the ciphertext
+        cipherText[0] = (byte) (cipherText[0] ^ 0xFF);
+
+        assertThrows(GeneralSecurityException.class, () -> 
+            aes.decrypt(testKeysetHandle, cipherText, ASSOCIATED_DATA)
+        );
+    }
+
+    @Test
+    void encryptionAndDecryptionRoundTripIsSuccessful() throws Exception {
+        byte[] cipherText = aes.encrypt(testKeysetHandle, INITIAL_TEXT, ASSOCIATED_DATA);
+        byte[] plainText = aes.decrypt(testKeysetHandle, cipherText, ASSOCIATED_DATA);
+
+        assertAll(
                 () -> assertNotEquals(new String(INITIAL_TEXT, StandardCharsets.UTF_8), new String(cipherText, StandardCharsets.UTF_8)),
                 () -> assertEquals(new String(INITIAL_TEXT, StandardCharsets.UTF_8), new String(plainText, StandardCharsets.UTF_8))
         );
     }
-}
+
+    @Test
+    void encryptProducesDifferentCipherTextForSameInput() throws Exception {
+        byte[] cipherText1 = aes.encrypt(testKeysetHandle, INITIAL_TEXT, ASSOCIATED_DATA);
+        byte[] cipherText2 = aes.encrypt(testKeysetHandle, INITIAL_TEXT, ASSOCIATED_DATA);
+
+        // AES-GCM uses random nonces, so encrypting the same plaintext twice should produce different ciphertexts
+        assertNotEquals(new String(cipherText1, StandardCharsets.UTF_8), new String(cipherText2, StandardCharsets.UTF_8));
+    }
+
+    @Test
+    void generateAndStoreKeyDoesNotOverwriteExistingFile() throws Exception {
+        File keysetFile = new File(tempDir, "existing-keyset.json");
+        assertTrue(keysetFile.createNewFile());
+        long originalLength = keysetFile.length();
+
+        aes.generateAndStoreKey(keysetFile);
+
+        // File should remain unchanged (empty) since it already existed
+        assertEquals(originalLength, keysetFile.length());
+        verify(awsKmsClient, never()).getAead(any());
+    }
+
+    @Test
+    void generateAndStoreKeyCallsAwsKmsClientForNewFile() throws Exception {
+        File keysetFile = new File(tempDir, "new-keyset.json");
+        Aead mockAead = mock(Aead.class);
+        when(awsKmsClient.getAead(any())).thenReturn(mockAead);
+        // Tink internally validates the encrypted keyset, so we need to throw an exception
+        // to simulate what happens when AWS KMS is not available, but still verify the call
+        when(mockAead.encrypt(any(), any())).thenThrow(new GeneralSecurityException("Mocked AWS KMS encryption"));
+
+        assertFalse(keysetFile.exists());
+        
+        assertThrows(GeneralSecurityException.class, () -> aes.generateAndStoreKey(keysetFile));
+
+        // Verify that AWS KMS client was called
+        verify(awsKmsClient).getAead(contains("aws-kms://"));
+        verify(mockAead).encrypt(any(), any());
+    }
+
+    @Test
+    void loadKeyCallsAwsKmsClient() throws Exception {
+        // First create a keyset file using the same mock setup
+        File keysetFile = new File(tempDir, "load-test-keyset.json");
+        Aead mockAead = mock(Aead.class);
+        when(awsKmsClient.getAead(any())).thenReturn(mockAead);
+        
+        // Mock encrypt to return the plaintext (simulating encryption that returns same bytes)
+        when(mockAead.encrypt(any(), any())).thenAnswer(invocation -> invocation.getArgument(0));
+        // Mock decrypt to return the ciphertext (simulating decryption that returns same bytes)
+        when(mockAead.decrypt(any(), any())).thenAnswer(invocation -> invocation.getArgument(0));
+        
+        aes.generateAndStoreKey(keysetFile);
+
+        KeysetHandle loadedKey = aes.loadKey(keysetFile);
+
+        assertNotNull(loadedKey);
+        // Verify getAead was called twice - once for generate, once for load
+        verify(awsKmsClient, times(2)).getAead(contains("aws-kms://"));
+    }
+
+    @Test
+    void encryptWithNullKeysetHandleThrowsException() {
+        assertThrows(NullPointerException.class, () -> 
+            aes.encrypt(null, INITIAL_TEXT, ASSOCIATED_DATA)
+        );
+    }
+
+    @Test
+    void decryptWithNullKeysetHandleThrowsException() {
+        assertThrows(NullPointerException.class, () -> 
+            aes.decrypt(null, INITIAL_TEXT, ASSOCIATED_DATA)
+        );
+    }
+}
diff --git a/crypto-tink/src/test/java/de/dominikschadow/javasecurity/tink/hybrid/EciesWithAwsKmsSavedKeyTest.java b/crypto-tink/src/test/java/de/dominikschadow/javasecurity/tink/hybrid/EciesWithAwsKmsSavedKeyTest.java
