Adding more unit tests

karen-avetisyan-mc · karen-avetisyan-mc · commit f4543ae1e65e · 2025-11-11T13:49:57.000Z
diff --git a/src/test/java/com/mastercard/developer/encryption/aes/AESCBCTest.java b/src/test/java/com/mastercard/developer/encryption/aes/AESCBCTest.java
@@ -1,7 +1,6 @@
 package com.mastercard.developer.encryption.aes;
 
 import com.mastercard.developer.encryption.EncryptionException;
-import com.mastercard.developer.encryption.jwe.JweHeader;
 import com.mastercard.developer.encryption.jwe.JweObject;
 import com.mastercard.developer.json.JsonEngine;
 import com.mastercard.developer.utils.EncodingUtils;
@@ -12,7 +11,8 @@
 import javax.crypto.spec.SecretKeySpec;
 import java.nio.charset.StandardCharsets;
 
-import static org.junit.Assert.*;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
 
 public class AESCBCTest {
 
@@ -21,19 +21,55 @@ public class AESCBCTest {
 
     @Test
     public void testDecrypt_ShouldDecryptSuccessfully_WhenHmacVerificationIsEnabledAndTagIsValid() throws Exception {
-        // Given: A properly encrypted JWE object with valid HMAC tag
-        // This is a real A128CBC-HS256 encrypted payload
-        String jweString = "eyJraWQiOiI3NjFiMDAzYzFlYWRlM2E1NDkwZTUwMDBkMzc4ODdiYWE1ZTZlYzBlMjI2YzA3NzA2ZTU5OTQ1MWZjMDMyYTc5IiwiY3R5IjoiYXBwbGljYXRpb25cL2pzb24iLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.5bsamlChk0HR3Nqg2UPJ2Fw4Y0MvC2pwWzNv84jYGkOXyqp1iwQSgETGaplIa7JyLg1ZWOqwNHEx3N7gsN4nzwAnVgz0eta6SsoQUE9YQ-5jek0COslUkoqIQjlQYJnYur7pqttDibj87fcw13G2agle5fL99j1QgFPjNPYqH88DMv481XGFa8O3VfJhW93m73KD2gvE5GasOPOkFK9wjKXc9lMGSgSArp3Awbc_oS2Cho_SbsvuEQwkhnQc2JKT3IaSWu8yK7edNGwD6OZJLhMJzWJlY30dUt2Eqe1r6kMT0IDRl7jHJnVIr2Qpe56CyeZ9V0aC5RH1mI5dYk4kHg.yI0CS3NdBrz9CCW2jwBSDw.6zr2pOSmAGdlJG0gbH53Eg.UFgf3-P9UjgMocEu7QA_vQ";
+        // Given: A properly constructed JWE with correct HMAC tag
+        byte[] cekBytes = new byte[32]; // 256-bit key (128-bit HMAC key + 128-bit AES key)
+        java.security.SecureRandom random = new java.security.SecureRandom();
+        random.nextBytes(cekBytes);
+
+        SecretKeySpec cek = new SecretKeySpec(cekBytes, "AES");
+        SecretKeySpec hmacKey = new SecretKeySpec(cekBytes, 0, 16, "HmacSHA256");
+        SecretKeySpec aesKey = new SecretKeySpec(cekBytes, 16, 16, "AES");
+
+        // Encrypt data
+        byte[] plainText = "Valid HMAC Test Data".getBytes(StandardCharsets.UTF_8);
+        byte[] iv = new byte[16];
+        random.nextBytes(iv);
+
+        javax.crypto.Cipher cipher = javax.crypto.Cipher.getInstance("AES/CBC/PKCS5Padding");
+        cipher.init(javax.crypto.Cipher.ENCRYPT_MODE, aesKey, new javax.crypto.spec.IvParameterSpec(iv));
+        byte[] cipherText = cipher.doFinal(plainText);
+
+        // Compute proper HMAC according to JWE spec
+        String rawHeader = EncodingUtils.base64UrlEncode("{\"enc\":\"A128CBC-HS256\",\"alg\":\"RSA-OAEP-256\"}".getBytes());
+        byte[] aad = rawHeader.getBytes(StandardCharsets.US_ASCII);
+
+        javax.crypto.Mac mac = javax.crypto.Mac.getInstance("HmacSHA256");
+        mac.init(hmacKey);
+        mac.update(aad);
+        mac.update(iv);
+        mac.update(cipherText);
+
+        // Add AL (AAD length in bits as 64-bit big-endian)
+        long aadLengthBits = (long) aad.length * 8;
+        java.nio.ByteBuffer alBuffer = java.nio.ByteBuffer.allocate(8);
+        alBuffer.putLong(aadLengthBits);
+        mac.update(alBuffer.array());
+
+        byte[] hmacOutput = mac.doFinal();
+        byte[] authTag = new byte[16]; // First 16 bytes (tag length = key length for A128CBC-HS256)
+        System.arraycopy(hmacOutput, 0, authTag, 0, 16);
+
+        // Construct JWE string
+        String jweString = rawHeader + ".dummy." + EncodingUtils.base64UrlEncode(iv) + "." +
+                          EncodingUtils.base64UrlEncode(cipherText) + "." + EncodingUtils.base64UrlEncode(authTag);
         JweObject jweObject = JweObject.parse(jweString, JsonEngine.getDefault());
 
-        // When: Decrypt with a known CEK and HMAC verification enabled
-        // Note: This is a test key matching the encrypted payload
-        byte[] cekBytes = new byte[32]; // 256-bit key (128-bit HMAC key + 128-bit AES key)
-        // For testing, we'll use the actual encrypted key from the JWE
-        // In a real scenario, this would be unwrapped from the encrypted key
+        // When: Decrypt with HMAC verification enabled
+        byte[] result = AESCBC.decrypt(cek, jweObject, true);
 
-        // We can't directly test without the unwrapped key, so let's test the verification logic
-        // by creating a mock scenario
+        // Then: Should succeed and return correct plaintext
+        assertNotNull(result);
+        assertEquals("Valid HMAC Test Data", new String(result, StandardCharsets.UTF_8));
     }
 
     @Test
