Oracle/nomyo4J
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Start with encryption

Browse source
This commit is contained in:
Oracle 2026-04-23 19:22:01 +02:00
parent 9df61e0cd3
commit b6af1c9792
Signed by: Oracle
SSH key fingerprint: SHA256:x4/RtnjUyuHkdvmwNDsWSfcfF1V5PNr3OpriZqOvCX8
8 changed files with 413 additions and 79 deletions
Download patch file Download diff file Expand all files Collapse all files

7
pom.xml
View file

@ -27,6 +27,13 @@
<version>5.12.1</version>
<scope>test</scope>
</dependency>
<!-- Source: https://mvnrepository.com/artifact/com.google.code.gson/gson -->
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
<version>2.13.2</version>
<scope>compile</scope>
</dependency>
</dependencies>
<build>

61
src/main/java/ai/nomyo/EncryptedRequest.java Normal file
View file

@ -0,0 +1,61 @@
package ai.nomyo;
import com.google.gson.Gson;
import com.google.gson.annotations.SerializedName;
import lombok.Getter;
import lombok.Setter;
/**
* Root class matching the 'packageJson' structure.
*/
@Setter
@Getter
public class EncryptedRequest {
// Getters and Setters
@SerializedName("version")
private String version;
@SerializedName("algorithm")
private String algorithm;
@SerializedName("encrypted_payload")
private EncryptedPayload encryptedPayload;
@SerializedName("encrypted_aes_key")
private String encryptedAESKey; // Java variable name corrected to proper spelling
@SerializedName("key_algorithm")
private String keyAlgorithm;
@SerializedName("payload_algorithm")
private String payloadAlgorithm;
/**
* Represents the inner object containing the encrypted payload details.
*/
@Setter
@Getter
public static class EncryptedPayload {
// Getters and Setters
@SerializedName("ciphertext")
private String ciphertext;
@SerializedName("nonce")
private String nonce;
@SerializedName("tag")
private String tag;
public EncryptedPayload(String ciphertext, String nonce, String tag) {
this.ciphertext = ciphertext;
this.nonce = nonce;
this.tag = tag;
}
}
public String toJson() {
return new Gson().toJson(this);
}
}

14
src/main/java/ai/nomyo/Main.java
View file

@ -1,6 +1,6 @@
package ai.nomyo;
import ai.nomyo.errors.SecurityError;
import java.util.concurrent.ExecutionException;
/**
* Entry point loads RSA keys and validates key length.
@ -10,17 +10,15 @@ public class Main {
static void main() {
SecureCompletionClient secureCompletionClient = new SecureCompletionClient();
//secureCompletionClient.generateKeys(true, "client_keys", "pokemon");
secureCompletionClient.loadKeys("client_keys/private_key.pem", "pokemon");
//secureCompletionClient.loadKeys("client_keys/private_key.pem", "pokemon");
try {
secureCompletionClient.validateRsaKey(secureCompletionClient.getPrivateKey());
} catch (SecurityError e) {
System.out.println("RSA Key is too short!");
return;
System.out.println(secureCompletionClient.fetchServerPublicKey().get());
} catch (InterruptedException | ExecutionException e) {
throw new RuntimeException(e);
}
System.out.println("RSA Key has correct length!");
}
}

138
src/main/java/ai/nomyo/SecureCompletionClient.java
View file

@ -6,20 +6,27 @@ import ai.nomyo.util.Pass2Key;
import lombok.Getter;
import javax.crypto.*;
import java.io.FileWriter;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.IOException;
import java.math.BigInteger;
import java.net.*;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.*;
import java.security.spec.RSAKeyGenParameterSpec;
import java.util.Map;
import java.util.Set;
import java.security.spec.*;
import java.time.Duration;
import java.time.temporal.ChronoUnit;
import java.util.*;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.locks.ReentrantLock;
/**
@ -61,19 +68,17 @@ public class SecureCompletionClient {
* Lock for double-checked key initialization.
*/
private final ReentrantLock keyInitLock = new ReentrantLock();
private final HttpClient httpClient;
/**
* RSA private key ({@code null} until loaded/generated).
*/
@Getter
private PrivateKey privateKey;
/**
* PEM-encoded public key ({@code null} until loaded/generated).
*/
@Getter
private String publicPemKey;
/**
* Keys initialized.
*/
@ -98,6 +103,7 @@ public class SecureCompletionClient {
this.useSecureMemory = secureMemory;
this.keySize = Constants.RSA_KEY_SIZE;
this.maxRetries = maxRetries;
this.httpClient = HttpClient.newHttpClient();
}
private static String readFileContent(String filePath) throws IOException {
@ -230,9 +236,38 @@ public class SecureCompletionClient {
/**
* GET {@code {routerUrl}/pki/public_key}. Returns server PEM public key.
* Errors are propagated as {@link CompletionException} wrappers around the underlying checked exception.
*/
public CompletableFuture<String> fetchServerPublicKey() {
throw new UnsupportedOperationException("Not yet implemented");
if (!this.routerUrl.startsWith("https://")) {
if (!this.allowHttp) {
return CompletableFuture.failedFuture(new SecurityError("Server public key must be fetched over HTTPS to prevent MITM attacks."));
} else {
System.out.println("Fetching server public key over HTTP (local dev mode)");
}
}
URI url;
try {
url = new URI(this.routerUrl + "/pki/public_key");
} catch (URISyntaxException e) {
return CompletableFuture.failedFuture(new CompletionException("Invalid URI: " + e.getMessage(), e));
}
HttpRequest request = HttpRequest.newBuilder(url).timeout(Duration.of(60, ChronoUnit.SECONDS)).GET().build();
return this.httpClient.sendAsync(request, HttpResponse.BodyHandlers.ofString()).thenApply(response -> {
if (response.statusCode() != 200) {
throw new CompletionException(new APIConnectionError("Could not fetch server public key!"));
}
return response.body();
}).thenApply(body -> {
if (!PEMConverter.validatePEM(body)) {
throw new CompletionException(new InvalidKeyException("PEM key had invalid format"));
}
return body;
});
}
/**
@ -249,8 +284,77 @@ public class SecureCompletionClient {
/**
* Core hybrid encryption: AES-256-GCM encrypts {@code payloadBytes} with {@code aesKey}.
*/
public CompletableFuture<byte[]> doEncrypt(byte[] payloadBytes, byte[] aesKey) {
throw new UnsupportedOperationException("Not yet implemented");
public CompletableFuture<byte[]> doEncrypt(byte[] payloadBytes, Key aesKey) {
return CompletableFuture.supplyAsync(() -> {
SecureRandom random = new SecureRandom();
byte[] nonce = new byte[12];
random.nextBytes(nonce);
Cipher cipher = null;
try {
cipher = Cipher.getInstance("AES/GCM/NoPadding");
cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(aesKey.getEncoded(), "AES"), new GCMParameterSpec(128, nonce));
} catch (NoSuchAlgorithmException | NoSuchPaddingException | InvalidAlgorithmParameterException |
InvalidKeyException e) {
throw new RuntimeException(e);
}
byte[] ciphertext;
try {
ciphertext = cipher.doFinal(payloadBytes);
} catch (IllegalBlockSizeException | BadPaddingException e) {
throw new RuntimeException(e);
}
String serverPEM;
try {
serverPEM = fetchServerPublicKey().get();
} catch (InterruptedException | ExecutionException e) {
throw new RuntimeException(e);
}
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(PEMConverter.fromPEM(serverPEM).getBytes());
PublicKey serverPublicKey;
try {
serverPublicKey = KeyFactory.getInstance("RSA").generatePublic(keySpec);
} catch (InvalidKeySpecException | NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
Cipher rsa;
byte[] enryptedAESKey = aesKey.getEncoded();
try {
rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
rsa.init(Cipher.ENCRYPT_MODE, serverPublicKey);
} catch (NoSuchAlgorithmException | NoSuchPaddingException | InvalidKeyException e) {
throw new RuntimeException(e);
}
try {
rsa.doFinal(enryptedAESKey);
} catch (IllegalBlockSizeException | BadPaddingException e) {
throw new RuntimeException(e);
}
byte[] tag = Arrays.copyOfRange(ciphertext, ciphertext.length - (128 / Byte.SIZE), ciphertext.length);
EncryptedRequest request = new EncryptedRequest();
request.setVersion("1.0");
request.setAlgorithm("hybrid-aes256-rsa4096");
request.setEncryptedPayload(new EncryptedRequest.EncryptedPayload(Base64.getEncoder().encodeToString(ciphertext), Base64.getEncoder().encodeToString(nonce), Base64.getEncoder().encodeToString(tag)));
request.setEncryptedAESKey(Base64.getEncoder().encodeToString(enryptedAESKey));
request.setKeyAlgorithm("RSA-OAEP-SHA256");
request.setPayloadAlgorithm("AES-256-GCM");
return request.toJson().getBytes(StandardCharsets.UTF_8);
});
}
/**
@ -311,11 +415,7 @@ public class SecureCompletionClient {
keyInitLock.lock();
try {
if (keysInitialized) return;
if (keyDir == null || keyDir.isEmpty()) {
generateKeys(false);
} else {
generateKeys(true);
}
generateKeys(keyDir != null && !keyDir.isEmpty());
keysInitialized = true;
} finally {
keyInitLock.unlock();
@ -340,10 +440,10 @@ public class SecureCompletionClient {
try {
var kf = KeyFactory.getInstance("RSA");
try {
var crtSpec = kf.getKeySpec(key, java.security.spec.RSAPrivateCrtKeySpec.class);
var crtSpec = kf.getKeySpec(key, RSAPrivateCrtKeySpec.class);
return crtSpec.getModulus().bitLength();
} catch (Exception ignored) {
var privSpec = kf.getKeySpec(key, java.security.spec.RSAPrivateKeySpec.class);
var privSpec = kf.getKeySpec(key, RSAPrivateKeySpec.class);
return privSpec.getModulus().bitLength();
}
} catch (Exception ignored) {
@ -380,7 +480,7 @@ public class SecureCompletionClient {
* URL-encodes PEM key for {@code X-Public-Key} header.
*/
public String urlEncodePublicKey(String pemKey) {
return java.net.URLEncoder.encode(pemKey, StandardCharsets.UTF_8);
return URLEncoder.encode(pemKey, StandardCharsets.UTF_8);
}
/**

18
src/main/java/ai/nomyo/util/PEMConverter.java
View file

@ -1,5 +1,6 @@
package ai.nomyo.util;
import java.util.Arrays;
import java.util.Base64;
/**
@ -23,4 +24,21 @@ public class PEMConverter {
return publicKeyFormatted.toString();
}
public static String fromPEM(String pem) {
pem = pem.replaceAll("^-----BEGIN\\s+PRIVATE\\s+KEY-----|^------END\\s+PUBLIC\\s+KEY-----\n", "");
return Arrays.toString(Base64.getDecoder().decode(pem));
}
public static boolean validatePEM(String keyIn) {
if (keyIn == null || keyIn.isBlank()) {
return false;
}
String trimmed = keyIn.trim();
return trimmed.startsWith("-----BEGIN PUBLIC KEY-----")
&& trimmed.endsWith("-----END PUBLIC KEY-----");
}
}

24
src/test/java/ai/nomyo/SecureCompletionClientE2ETest.java
View file

@ -3,6 +3,8 @@ package ai.nomyo;
import ai.nomyo.errors.*;
import org.junit.jupiter.api.*;
import org.junit.jupiter.api.io.TempDir;
import org.junit.jupiter.api.parallel.Execution;
import org.junit.jupiter.api.parallel.ExecutionMode;
import java.io.File;
import java.nio.file.Files;
@ -11,7 +13,8 @@ import java.security.*;
import static org.junit.jupiter.api.Assertions.*;
@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
@Execution(ExecutionMode.CONCURRENT)
class SecureCompletionClientE2ETest {
private static final String TEST_PASSWORD = "e2e-test-password-456";
@ -31,7 +34,7 @@ class SecureCompletionClientE2ETest {
// Full Lifecycle E2E Tests
@Test
@Order(1)
@Execution(ExecutionMode.SAME_THREAD)
@DisplayName("E2E: Generate keys, save to disk, load in new client, validate")
void e2e_fullLifecycle_generateSaveLoadValidate() {
// Step 1: Generate keys and save to disk
@ -72,7 +75,7 @@ class SecureCompletionClientE2ETest {
}
@Test
@Order(2)
@Execution(ExecutionMode.SAME_THREAD)
@DisplayName("E2E: Generate plaintext keys, load, and validate")
void e2e_plaintextKeys_generateLoadValidate() {
// Generate plaintext keys (no password)
@ -96,7 +99,6 @@ class SecureCompletionClientE2ETest {
}
@Test
@Order(3)
@DisplayName("E2E: Key validation with various key sizes")
void e2e_keyValidation_variousSizes() throws Exception {
SecureCompletionClient client = new SecureCompletionClient();
@ -126,7 +128,6 @@ class SecureCompletionClientE2ETest {
}
@Test
@Order(4)
@DisplayName("E2E: HTTP status mapping covers all documented cases")
void e2e_httpStatusMapping_allCases() {
SecureCompletionClient client = new SecureCompletionClient();
@ -176,7 +177,6 @@ class SecureCompletionClientE2ETest {
}
@Test
@Order(5)
@DisplayName("E2E: Retryable status codes match Constants.RETRYABLE_STATUS_CODES")
void e2e_retryableStatusCodes_matchConstants() {
SecureCompletionClient client = new SecureCompletionClient();
@ -189,7 +189,6 @@ class SecureCompletionClientE2ETest {
}
@Test
@Order(6)
@DisplayName("E2E: URL encoding of public key PEM")
void e2e_urlEncoding_publicKey() {
SecureCompletionClient client = new SecureCompletionClient();
@ -214,7 +213,7 @@ class SecureCompletionClientE2ETest {
}
@Test
@Order(7)
@Execution(ExecutionMode.SAME_THREAD)
@DisplayName("E2E: Multiple clients can independently generate and load keys")
void e2e_multipleClients_independentOperations() throws Exception {
File dir1 = tempDir.resolve("dir1").toFile();
@ -258,7 +257,6 @@ class SecureCompletionClientE2ETest {
}
@Test
@Order(8)
@DisplayName("E2E: Client constructor parameters are correctly set")
void e2e_clientConstructor_parametersSetCorrectly() {
SecureCompletionClient client = new SecureCompletionClient(
@ -275,7 +273,6 @@ class SecureCompletionClientE2ETest {
}
@Test
@Order(9)
@DisplayName("E2E: Client strips trailing slashes from routerUrl")
void e2e_clientConstructor_stripsTrailingSlashes() {
SecureCompletionClient client = new SecureCompletionClient(
@ -287,7 +284,6 @@ class SecureCompletionClientE2ETest {
}
@Test
@Order(10)
@DisplayName("E2E: Client uses default values when constructed with no args")
void e2e_clientConstructor_defaultValues() {
SecureCompletionClient client = new SecureCompletionClient();
@ -299,7 +295,7 @@ class SecureCompletionClientE2ETest {
}
@Test
@Order(11)
@Execution(ExecutionMode.SAME_THREAD)
@DisplayName("E2E: Encrypted key file is unreadable without password")
void e2e_encryptedKey_unreadableWithoutPassword() throws Exception {
SecureCompletionClient client = new SecureCompletionClient();
@ -321,7 +317,6 @@ class SecureCompletionClientE2ETest {
}
@Test
@Order(12)
@DisplayName("E2E: Generate keys without saving produces in-memory keys")
void e2e_generateKeys_noSave_producesInMemoryKeys() {
SecureCompletionClient client = new SecureCompletionClient();
@ -336,7 +331,6 @@ class SecureCompletionClientE2ETest {
}
@Test
@Order(13)
@DisplayName("E2E: SecurityError is thrown for null key validation")
void e2e_nullKeyValidation_throwsSecurityError() {
SecureCompletionClient client = new SecureCompletionClient();
@ -349,7 +343,6 @@ class SecureCompletionClientE2ETest {
}
@Test
@Order(14)
@DisplayName("E2E: mapHttpStatus returns null for 200 status")
void e2e_mapHttpStatus_200_returnsNull() {
SecureCompletionClient client = new SecureCompletionClient();
@ -359,7 +352,6 @@ class SecureCompletionClientE2ETest {
}
@Test
@Order(15)
@DisplayName("E2E: mapHttpStatus includes response body in error message")
void e2e_mapHttpStatus_includesResponseBody() {
SecureCompletionClient client = new SecureCompletionClient();

62
src/test/java/ai/nomyo/SecureCompletionClientTest.java
View file

@ -4,6 +4,8 @@ import ai.nomyo.errors.SecurityError;
import ai.nomyo.util.Pass2Key;
import org.junit.jupiter.api.*;
import org.junit.jupiter.api.io.TempDir;
import org.junit.jupiter.api.parallel.Execution;
import org.junit.jupiter.api.parallel.ExecutionMode;
import java.io.File;
import java.math.BigInteger;
@ -16,29 +18,18 @@ import java.security.spec.RSAPrivateCrtKeySpec;
import static org.junit.jupiter.api.Assertions.*;
@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
@Execution(ExecutionMode.CONCURRENT)
class SecureCompletionClientTest {
private static final String TEST_PASSWORD = "test-password-123";
private static final String PLAINTEXT_PRIVATE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7o4qne60TBb\n-----END PRIVATE KEY-----";
private SecureCompletionClient client;
@BeforeEach
void setUp() {
client = new SecureCompletionClient();
}
@AfterEach
void tearDown() {
client = null;
}
// Key Generation Tests
@Test
@Order(1)
@DisplayName("generateKeys should create 4096-bit RSA key pair")
void generateKeys_shouldCreateValidKeyPair() {
SecureCompletionClient client = new SecureCompletionClient();
client.generateKeys(false);
PrivateKey privateKey = client.getPrivateKey();
@ -51,9 +42,9 @@ class SecureCompletionClientTest {
}
@Test
@Order(2)
@DisplayName("generateKeys should produce keys with correct bit size")
void generateKeys_shouldProduceCorrectKeySize() throws Exception {
SecureCompletionClient client = new SecureCompletionClient();
client.generateKeys(false);
PrivateKey privateKey = client.getPrivateKey();
@ -66,9 +57,9 @@ class SecureCompletionClientTest {
}
@Test
@Order(3)
@DisplayName("generateKeys should create unique keys on each call")
void generateKeys_shouldProduceUniqueKeys() {
SecureCompletionClient client = new SecureCompletionClient();
client.generateKeys(false);
PrivateKey firstKey = client.getPrivateKey();
@ -83,11 +74,12 @@ class SecureCompletionClientTest {
// Key Generation with File Save Tests
@Test
@Order(4)
@Execution(ExecutionMode.SAME_THREAD)
@DisplayName("generateKeys with saveToFile=true should create key files")
void generateKeys_withSaveToFile_shouldCreateKeyFiles(@TempDir Path tempDir) {
File keyDir = tempDir.toFile();
SecureCompletionClient client = new SecureCompletionClient();
client.generateKeys(true, keyDir.getAbsolutePath(), null);
File privateKeyFile = new File(keyDir, Constants.DEFAULT_PRIVATE_KEY_FILE);
@ -100,11 +92,12 @@ class SecureCompletionClientTest {
}
@Test
@Order(5)
@Execution(ExecutionMode.SAME_THREAD)
@DisplayName("generateKeys with password should encrypt private key file")
void generateKeys_withPassword_shouldEncryptPrivateKey(@TempDir Path tempDir) throws Exception {
File keyDir = tempDir.toFile();
SecureCompletionClient client = new SecureCompletionClient();
client.generateKeys(true, keyDir.getAbsolutePath(), TEST_PASSWORD);
File privateKeyFile = new File(keyDir, Constants.DEFAULT_PRIVATE_KEY_FILE);
@ -117,11 +110,12 @@ class SecureCompletionClientTest {
}
@Test
@Order(6)
@Execution(ExecutionMode.SAME_THREAD)
@DisplayName("generateKeys should not overwrite existing key files")
void generateKeys_shouldNotOverwriteExistingKeys(@TempDir Path tempDir) {
File keyDir = tempDir.toFile();
SecureCompletionClient client = new SecureCompletionClient();
client.generateKeys(true, keyDir.getAbsolutePath(), null);
File privateKeyFile = new File(keyDir, Constants.DEFAULT_PRIVATE_KEY_FILE);
long firstSize = privateKeyFile.length();
@ -136,10 +130,11 @@ class SecureCompletionClientTest {
// Key Loading Tests
@Test
@Order(7)
@Execution(ExecutionMode.SAME_THREAD)
@DisplayName("loadKeys should load plaintext private key from file")
void loadKeys_plaintext_shouldLoadPrivateKey(@TempDir Path tempDir) {
File keyDir = tempDir.toFile();
SecureCompletionClient client = new SecureCompletionClient();
client.generateKeys(true, keyDir.getAbsolutePath(), null);
PrivateKey originalKey = client.getPrivateKey();
@ -157,10 +152,11 @@ class SecureCompletionClientTest {
}
@Test
@Order(8)
@Execution(ExecutionMode.SAME_THREAD)
@DisplayName("loadKeys should load encrypted private key with correct password")
void loadKeys_encrypted_correctPassword_shouldLoadPrivateKey(@TempDir Path tempDir) {
File keyDir = tempDir.toFile();
SecureCompletionClient client = new SecureCompletionClient();
client.generateKeys(true, keyDir.getAbsolutePath(), TEST_PASSWORD);
PrivateKey originalKey = client.getPrivateKey();
@ -179,10 +175,11 @@ class SecureCompletionClientTest {
}
@Test
@Order(9)
@Execution(ExecutionMode.SAME_THREAD)
@DisplayName("loadKeys should handle wrong password gracefully")
void loadKeys_encrypted_wrongPassword_shouldHandleGracefully(@TempDir Path tempDir) {
File keyDir = tempDir.toFile();
SecureCompletionClient client = new SecureCompletionClient();
client.generateKeys(true, keyDir.getAbsolutePath(), TEST_PASSWORD);
SecureCompletionClient loadClient = new SecureCompletionClient();
@ -198,7 +195,6 @@ class SecureCompletionClientTest {
}
@Test
@Order(10)
@DisplayName("loadKeys should throw exception for non-existent file")
void loadKeys_nonExistentFile_shouldThrowException() {
SecureCompletionClient loadClient = new SecureCompletionClient();
@ -213,9 +209,9 @@ class SecureCompletionClientTest {
// Key Validation Tests
@Test
@Order(11)
@DisplayName("validateRsaKey should accept valid 4096-bit key")
void validateRsaKey_validKey_shouldPass() {
SecureCompletionClient client = new SecureCompletionClient();
client.generateKeys(false);
PrivateKey key = client.getPrivateKey();
@ -224,9 +220,9 @@ class SecureCompletionClientTest {
}
@Test
@Order(12)
@DisplayName("validateRsaKey should reject null key")
void validateRsaKey_nullKey_shouldThrowSecurityError() {
SecureCompletionClient client = new SecureCompletionClient();
SecurityError error = assertThrows(SecurityError.class, () ->
client.validateRsaKey(null));
@ -235,7 +231,6 @@ class SecureCompletionClientTest {
}
@Test
@Order(13)
@DisplayName("validateRsaKey should reject keys below minimum size")
void validateRsaKey_tooSmallKey_shouldThrowSecurityError() throws Exception {
KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
@ -243,6 +238,7 @@ class SecureCompletionClientTest {
KeyPair pair = generator.generateKeyPair();
PrivateKey smallKey = pair.getPrivate();
SecureCompletionClient client = new SecureCompletionClient();
SecurityError error = assertThrows(SecurityError.class, () ->
client.validateRsaKey(smallKey));
@ -251,7 +247,6 @@ class SecureCompletionClientTest {
}
@Test
@Order(14)
@DisplayName("validateRsaKey should accept minimum size key (2048 bits)")
void validateRsaKey_minimumSizeKey_shouldPass() throws Exception {
KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
@ -259,6 +254,7 @@ class SecureCompletionClientTest {
KeyPair pair = generator.generateKeyPair();
PrivateKey minKey = pair.getPrivate();
SecureCompletionClient client = new SecureCompletionClient();
assertDoesNotThrow(() -> client.validateRsaKey(minKey),
"2048-bit key should pass validation (minimum)");
}
@ -266,12 +262,13 @@ class SecureCompletionClientTest {
// Key Roundtrip Tests
@Test
@Order(15)
@Execution(ExecutionMode.SAME_THREAD)
@DisplayName("Full roundtrip: generate, save, load should produce same key")
void roundtrip_generateSaveLoad_shouldProduceSameKey(@TempDir Path tempDir) {
File keyDir = tempDir.toFile();
// Generate and save
SecureCompletionClient client = new SecureCompletionClient();
client.generateKeys(true, keyDir.getAbsolutePath(), TEST_PASSWORD);
PrivateKey originalKey = client.getPrivateKey();
@ -291,7 +288,7 @@ class SecureCompletionClientTest {
}
@Test
@Order(16)
@Execution(ExecutionMode.SAME_THREAD)
@DisplayName("Multiple generate/load cycles should work correctly")
void multipleCycles_shouldWorkCorrectly(@TempDir Path tempDir) throws Exception {
File keyDir = tempDir.toFile();
@ -321,9 +318,9 @@ class SecureCompletionClientTest {
// Utility Method Tests
@Test
@Order(17)
@DisplayName("urlEncodePublicKey should properly encode PEM keys")
void urlEncodePublicKey_shouldEncodeCorrectly() {
SecureCompletionClient client = new SecureCompletionClient();
String pemKey = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\n-----END PUBLIC KEY-----";
String encoded = client.urlEncodePublicKey(pemKey);
@ -334,9 +331,9 @@ class SecureCompletionClientTest {
}
@Test
@Order(18)
@DisplayName("urlEncodePublicKey should handle empty string")
void urlEncodePublicKey_emptyString_shouldReturnEmpty() {
SecureCompletionClient client = new SecureCompletionClient();
String encoded = client.urlEncodePublicKey("");
assertEquals("", encoded, "Empty string should encode to empty string");
}
@ -344,7 +341,6 @@ class SecureCompletionClientTest {
// Pass2Key Encryption/Decryption Tests
@Test
@Order(19)
@DisplayName("Pass2Key encrypt/decrypt should preserve plaintext")
void pass2Key_encryptDecrypt_shouldPreservePlaintext() throws Exception {
String plaintext = "Test plaintext content for encryption";
@ -361,7 +357,6 @@ class SecureCompletionClientTest {
}
@Test
@Order(20)
@DisplayName("Pass2Key should produce different ciphertext for same plaintext")
void pass2Key_shouldProduceDifferentCiphertext() throws Exception {
String plaintext = "Same plaintext";
@ -375,7 +370,6 @@ class SecureCompletionClientTest {
}
@Test
@Order(21)
@DisplayName("Pass2Key decrypt should fail with wrong password")
void pass2Key_wrongPassword_shouldFail() throws Exception {
String plaintext = "Secret content";
@ -391,7 +385,6 @@ class SecureCompletionClientTest {
}
@Test
@Order(22)
@DisplayName("Pass2Key convertStringToPrivateKey should parse PEM correctly")
void convertStringToPrivateKey_shouldParsePEM() throws Exception {
SecureCompletionClient tempClient = new SecureCompletionClient();
@ -408,7 +401,6 @@ class SecureCompletionClientTest {
}
@Test
@Order(23)
@DisplayName("Pass2Key convertStringToPrivateKey should handle PEM with whitespace")
void convertStringToPrivateKey_shouldHandleWhitespace() throws Exception {
SecureCompletionClient tempClient = new SecureCompletionClient();

166
src/test/java/ai/nomyo/util/PEMConverterTest.java Normal file
View file

@ -0,0 +1,166 @@
package ai.nomyo.util;
import org.junit.jupiter.api.*;
import org.junit.jupiter.api.parallel.Execution;
import org.junit.jupiter.api.parallel.ExecutionMode;
import java.nio.file.Files;
import java.nio.file.Path;
import static org.junit.jupiter.api.Assertions.*;
@Execution(ExecutionMode.CONCURRENT)
class PEMConverterTest {
private static String realPublicKeyPem;
private static String realPrivateKeyPem;
@BeforeAll
static void loadRealKeys() throws Exception {
Path keyDir = Path.of("client_keys");
realPublicKeyPem = Files.readString(keyDir.resolve("public_key.pem"));
realPrivateKeyPem = Files.readString(keyDir.resolve("private_key.pem"));
}
// validatePEM Tests
@Test
@DisplayName("validatePEM should accept real public key file content")
void validatePEM_realPublicKeyFile_shouldPass() {
assertTrue(PEMConverter.validatePEM(realPublicKeyPem),
"Real public key file content should be valid PEM");
}
@Test
@DisplayName("validatePEM should accept PEM generated by toPEM")
void validatePEM_generatedByToPEM_shouldPass() {
String b64Content = realPublicKeyPem
.replace("-----BEGIN PUBLIC KEY-----\n", "")
.replace("\n-----END PUBLIC KEY-----", "")
.replace("\n", "");
byte[] decoded = java.util.Base64.getDecoder().decode(b64Content);
String generatedPem = PEMConverter.toPEM(decoded, false);
assertTrue(PEMConverter.validatePEM(generatedPem),
"PEM generated by toPEM should be valid");
}
@Test
@DisplayName("validatePEM should reject null input")
void validatePEM_nullInput_shouldReturnFalse() {
assertFalse(PEMConverter.validatePEM(null));
}
@Test
@DisplayName("validatePEM should reject blank input")
void validatePEM_blankInput_shouldReturnFalse() {
assertFalse(PEMConverter.validatePEM(" "));
assertFalse(PEMConverter.validatePEM(""));
}
@Test
@DisplayName("validatePEM should reject private key PEM")
void validatePEM_privateKey_shouldReturnFalse() {
assertFalse(PEMConverter.validatePEM(realPrivateKeyPem));
}
@Test
@DisplayName("validatePEM should reject truncated PEM")
void validatePEM_truncated_shouldReturnFalse() {
assertFalse(PEMConverter.validatePEM("-----BEGIN PUBLIC KEY-----\nMIIBIjAN"));
}
@Test
@DisplayName("validatePEM should reject PEM with wrong end marker")
void validatePEM_wrongEndMarker_shouldReturnFalse() {
String pem = "-----BEGIN PUBLIC KEY-----\nMIIBIjAN\n-----BEGIN PRIVATE KEY-----";
assertFalse(PEMConverter.validatePEM(pem));
}
@Test
@DisplayName("validatePEM should accept PEM with trailing newline")
void validatePEM_trailingNewline_shouldPass() {
String pemWithNewline = realPublicKeyPem + "\n";
assertTrue(PEMConverter.validatePEM(pemWithNewline),
"PEM with trailing newline should be valid");
}
// toPEM Tests
@Test
@DisplayName("toPEM should produce correct header and footer")
void toPEM_publicKey_shouldHaveCorrectMarkers() {
String b64Content = realPublicKeyPem
.replace("-----BEGIN PUBLIC KEY-----\n", "")
.replace("\n-----END PUBLIC KEY-----", "")
.replace("\n", "");
byte[] decoded = java.util.Base64.getDecoder().decode(b64Content);
String pem = PEMConverter.toPEM(decoded, false);
assertTrue(pem.startsWith("-----BEGIN PUBLIC KEY-----\n"));
assertTrue(pem.contains("-----END PUBLIC KEY-----"));
}
@Test
@DisplayName("toPEM should produce correct header and footer for private key")
void toPEM_privateKey_shouldHaveCorrectMarkers() {
String b64Content = realPrivateKeyPem
.replace("-----BEGIN PRIVATE KEY-----\n", "")
.replace("\n-----END PRIVATE KEY-----", "")
.replace("\n", "");
byte[] decoded = java.util.Base64.getDecoder().decode(b64Content);
String pem = PEMConverter.toPEM(decoded, true);
assertTrue(pem.startsWith("-----BEGIN PRIVATE KEY-----\n"));
assertTrue(pem.contains("-----END PRIVATE KEY-----"));
}
@Test
@DisplayName("toPEM should wrap base64 content at 64 characters")
void toPEM_shouldWrapAt64Chars() {
byte[] keyBytes = new byte[100];
for (int i = 0; i < 100; i++) {
keyBytes[i] = (byte) i;
}
String pem = PEMConverter.toPEM(keyBytes, false);
String[] lines = pem.split("\n");
for (int i = 1; i < lines.length - 1; i++) {
assertTrue(lines[i].length() <= 64,
"Line " + i + " should be at most 64 chars, got " + lines[i].length());
}
}
// Roundtrip Tests
@Test
@DisplayName("toPEM + validatePEM roundtrip should always pass")
void roundtrip_toPEM_validatePEM_shouldPass() {
String b64Content = realPublicKeyPem
.replace("-----BEGIN PUBLIC KEY-----\n", "")
.replace("\n-----END PUBLIC KEY-----", "")
.replace("\n", "");
byte[] decoded = java.util.Base64.getDecoder().decode(b64Content);
String pem = PEMConverter.toPEM(decoded, false);
assertTrue(PEMConverter.validatePEM(pem),
"PEM generated by toPEM should pass validatePEM");
}
@Test
@DisplayName("toPEM + validatePEM roundtrip should work for private keys")
void roundtrip_toPEM_validatePEM_privateKey_shouldPass() {
String b64Content = realPrivateKeyPem
.replace("-----BEGIN PRIVATE KEY-----\n", "")
.replace("\n-----END PRIVATE KEY-----", "")
.replace("\n", "");
byte[] decoded = java.util.Base64.getDecoder().decode(b64Content);
String pem = PEMConverter.toPEM(decoded, true);
assertFalse(PEMConverter.validatePEM(pem),
"Private key PEM should not pass validatePEM (public key check)");
}
}