Add testing for PAKE in TrustManagerFactory and KeyManagerFactory (#1298

) * Move Android-specific test code to /platform. . --------- Co-authored-by: Miguel Aranda <[email protected]>
google · Jan 21, 2025 · dad8ff7 · dad8ff7
1 parent 63ac9ca
commit dad8ff7
Show file tree

Hide file tree

Showing 4 changed files with 99 additions and 20 deletions.
diff --git a/common/src/test/java/org/conscrypt/javax/net/ssl/KeyManagerFactoryTest.java b/common/src/test/java/org/conscrypt/javax/net/ssl/KeyManagerFactoryTest.java
@@ -16,6 +16,7 @@
 
 package org.conscrypt.javax.net.ssl;
 
+import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
@@ -149,9 +150,9 @@ private void test_KeyManagerFactory(KeyManagerFactory kmf) throws Exception {
             }
         }
 
-        if (kmf.getAlgorithm() == "PAKE") {
+        if (kmf.getAlgorithm().equals("PAKE")) {
             assertThrows(KeyStoreException.class, () -> kmf.init(null, null));
-            return;
+            return; // Functional testing is in PakeKeyManagerFactoryTest
         }
 
         // init with null for default behavior

diff --git a/common/src/test/java/org/conscrypt/javax/net/ssl/TrustManagerFactoryTest.java b/common/src/test/java/org/conscrypt/javax/net/ssl/TrustManagerFactoryTest.java
@@ -39,6 +39,7 @@
 import javax.net.ssl.X509TrustManager;
 import org.bouncycastle.asn1.x509.KeyPurposeId;
 import org.conscrypt.Conscrypt;
+import org.conscrypt.Spake2PlusTrustManager;
 import org.conscrypt.java.security.StandardNames;
 import org.conscrypt.java.security.TestKeyStore;
 import org.junit.Test;
@@ -83,24 +84,25 @@ private void test_TrustManagerFactory(TrustManagerFactory tmf) throws Exception
         assertNotNull(tmf.getAlgorithm());
         assertNotNull(tmf.getProvider());
 
-        if (tmf.getAlgorithm() == "PAKE") {
-            return;
-        }
-
         // before init
-        try {
-            tmf.getTrustManagers();
-            fail();
-        } catch (IllegalStateException expected) {
-            // Ignored.
-        }
+        if (!tmf.getAlgorithm().equals("PAKE")) {
+            try {
+                tmf.getTrustManagers();
+                fail();
+            } catch (IllegalStateException expected) {
+                // Ignored.
+            }
 
-        // init with null ManagerFactoryParameters
-        try {
+            // init with null ManagerFactoryParameters
+            try {
+                tmf.init((ManagerFactoryParameters) null);
+                fail();
+            } catch (InvalidAlgorithmParameterException expected) {
+                // Ignored.
+            }
+        } else {
             tmf.init((ManagerFactoryParameters) null);
-            fail();
-        } catch (InvalidAlgorithmParameterException expected) {
-            // Ignored.
+            test_TrustManagerFactory_getTrustManagers(tmf);
         }
 
         // init with useless ManagerFactoryParameters
@@ -142,8 +144,10 @@ private void test_TrustManagerFactory(TrustManagerFactory tmf) throws Exception
         test_TrustManagerFactory_getTrustManagers(tmf);
 
         // init with specific key store
-        tmf.init(getTestKeyStore().keyStore);
-        test_TrustManagerFactory_getTrustManagers(tmf);
+        if (!tmf.getAlgorithm().equals("PAKE")) {
+            tmf.init(getTestKeyStore().keyStore);
+            test_TrustManagerFactory_getTrustManagers(tmf);
+        }
     }
 
     private void test_TrustManagerFactory_getTrustManagers(TrustManagerFactory tmf)
@@ -156,9 +160,17 @@ private void test_TrustManagerFactory_getTrustManagers(TrustManagerFactory tmf)
             if (trustManager instanceof X509TrustManager) {
                 test_X509TrustManager(tmf.getProvider(), (X509TrustManager) trustManager);
             }
+            if (trustManager instanceof Spake2PlusTrustManager) {
+                test_pakeTrustManager((Spake2PlusTrustManager) trustManager);
+            }
         }
     }
 
+    private void test_pakeTrustManager(Spake2PlusTrustManager tm) throws Exception {
+        tm.checkClientTrusted();
+        tm.checkServerTrusted();
+    }
+
     private void test_X509TrustManager(Provider p, X509TrustManager tm) throws Exception {
         for (String keyType : KEY_TYPES) {
             X509Certificate[] issuers = tm.getAcceptedIssuers();

diff --git a/platform/src/main/java/org/conscrypt/PakeKeyManagerFactory.java b/platform/src/main/java/org/conscrypt/PakeKeyManagerFactory.java
@@ -70,7 +70,9 @@ public void engineInit(ManagerFactoryParameters spec)
         if (clientParams != null || serverParams != null) {
             throw new IllegalStateException("PakeKeyManagerFactory is already initialized");
         }
-        requireNonNull(spec);
+        if (spec == null) {
+            throw new InvalidAlgorithmParameterException("ManagerFactoryParameters cannot be null");
+        }
         if (spec instanceof PakeClientKeyManagerParameters) {
             clientParams = (PakeClientKeyManagerParameters) spec;
         } else if (spec instanceof PakeServerKeyManagerParameters) {

diff --git a/platform/src/test/java/org/conscrypt/PakeKeyManagerFactoryTest.java b/platform/src/test/java/org/conscrypt/PakeKeyManagerFactoryTest.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.conscrypt;
+
+import static org.junit.Assert.assertArrayEquals;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertThrows;
+
+import android.net.ssl.PakeClientKeyManagerParameters;
+import android.net.ssl.PakeOption;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.JUnit4;
+
+import java.security.KeyStoreException;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+
+@RunWith(JUnit4.class)
+public class PakeKeyManagerFactoryTest {
+    @Test
+    public void pakeKeyManagerFactoryTest() throws Exception {
+        KeyManagerFactory kmf = KeyManagerFactory.getInstance("PAKE");
+        assertThrows(KeyStoreException.class, () -> kmf.init(null, null));
+        byte[] password = new byte[] {1, 2, 3};
+        byte[] clientId = new byte[] {2, 3, 4};
+        byte[] serverId = new byte[] {4, 5, 6};
+        PakeOption option =
+                new PakeOption.Builder("SPAKE2PLUS_PRERELEASE")
+                        .addMessageComponent("password", password)
+                        .build();
+
+        PakeClientKeyManagerParameters params =
+                new PakeClientKeyManagerParameters.Builder()
+                        .setClientId(clientId.clone())
+                        .setServerId(serverId.clone())
+                        .addOption(option)
+                        .build();
+        kmf.init(params);
+
+        KeyManager[] keyManagers = kmf.getKeyManagers();
+        assertEquals(1, keyManagers.length);
+
+        Spake2PlusKeyManager keyManager = (Spake2PlusKeyManager) keyManagers[0];
+        assertArrayEquals(password, keyManager.getPassword());
+        assertArrayEquals(clientId, keyManager.getIdProver());
+        assertArrayEquals(serverId, keyManager.getIdVerifier());
+    }
+}