google · miguelaranda0 · Dec 11, 2025 · Dec 10, 2025 · Dec 10, 2025 · Dec 10, 2025
diff --git a/common/src/jni/main/cpp/conscrypt/native_crypto.cc b/common/src/jni/main/cpp/conscrypt/native_crypto.cc
@@ -1548,7 +1548,7 @@ static jlong NativeCrypto_EVP_PKEY_from_private_seed(JNIEnv* env, jclass, jint p
     return reinterpret_cast<uintptr_t>(pkey.release());
 }
 
-static jbyteArray NativeCrypto_EVP_PKEY_get_private_seed(JNIEnv* env, jclass cls, jobject pkeyRef) {
+static jbyteArray NativeCrypto_EVP_PKEY_get_private_seed(JNIEnv* env, jclass, jobject pkeyRef) {
     CHECK_ERROR_QUEUE_ON_RETURN;
     JNI_TRACE("EVP_PKEY_get_private_seed(%p)", pkeyRef);
 
@@ -11752,8 +11752,6 @@ static void NativeCrypto_SSL_CTX_set_spake_credential(
         jbyteArray id_verifier_array, jboolean is_client, jint handshake_limit,
         jlong ssl_ctx_address, CONSCRYPT_UNUSED jobject holder) {
     CHECK_ERROR_QUEUE_ON_RETURN;
-    JNI_TRACE("SSL_CTX_set_spake_credential(%p, %p, %p, %p, %d, %d, %ld)", context, pw_array,
-              id_prover_array, id_verifier_array, is_client, handshake_limit, ssl_ctx_address);
 
     SSL_CTX* ssl_ctx = to_SSL_CTX(env, ssl_ctx_address, true);
 

diff --git a/common/src/test/java/org/conscrypt/java/security/KeyPairGeneratorTest.java b/common/src/test/java/org/conscrypt/java/security/KeyPairGeneratorTest.java
@@ -64,57 +64,60 @@ public class KeyPairGeneratorTest {
 
     @Test
     public void test_getInstance() throws Exception {
-        ServiceTester.test("KeyPairGenerator")
-            // Do not test AndroidKeyStore Provider. It does not accept vanilla public keys for
-            // signature verification. It's OKish not to test here because it's tested by
-            // cts/tests/tests/keystore.
-            .skipProvider("AndroidKeyStore")
-            // The SunEC provider tries to pass a sun-only AlgorithmParameterSpec to the default
-            // AlgorithmParameters:EC when its KeyPairGenerator is initialized.  Since Conscrypt
-            // is the highest-ranked provider when running our tests, its implementation of
-            // AlgorithmParameters:EC is returned, and it doesn't understand the special
-            // AlgorithmParameterSpec, so the KeyPairGenerator can't be initialized.
-            .skipProvider("SunEC")
-            // The SunPKCS11-NSS provider on OpenJDK 7 attempts to delegate to the SunEC provider,
-            // which doesn't exist on OpenJDK 7, and thus totally fails.  This appears to be a bug
-            // introduced into later revisions of OpenJDK 7.
-            .skipProvider("SunPKCS11-NSS")
-            .run(new ServiceTester.Test() {
-                @Override
-                public void test(Provider provider, String algorithm) throws Exception {
-                    AlgorithmParameterSpec params = null;
-
-                    if ("DH".equals(algorithm) || "DiffieHellman".equalsIgnoreCase(algorithm)) {
-                        params = getDHParams();
-                    }
-                    // KeyPairGenerator.getInstance(String)
-                    KeyPairGenerator kpg1 = KeyPairGenerator.getInstance(algorithm);
-                    assertEquals(algorithm, kpg1.getAlgorithm());
-                    if (params != null) {
-                        kpg1.initialize(params);
+        ServiceTester
+                .test("KeyPairGenerator")
+                // Do not test AndroidKeyStore Provider. It does not accept vanilla public keys for
+                // signature verification. It's OKish not to test here because it's tested by
+                // cts/tests/tests/keystore.
+                .skipProvider("AndroidKeyStore")
+                // The SunEC provider tries to pass a sun-only AlgorithmParameterSpec to the default
+                // AlgorithmParameters:EC when its KeyPairGenerator is initialized.  Since Conscrypt
+                // is the highest-ranked provider when running our tests, its implementation of
+                // AlgorithmParameters:EC is returned, and it doesn't understand the special
+                // AlgorithmParameterSpec, so the KeyPairGenerator can't be initialized.
+                .skipProvider("SunEC")
+                // The SunPKCS11-NSS provider on OpenJDK 7 attempts to delegate to the SunEC
+                // provider, which doesn't exist on OpenJDK 7, and thus totally fails.  This appears
+                // to be a bug introduced into later revisions of OpenJDK 7.
+                .skipProvider("SunPKCS11-NSS")
+                .run(new ServiceTester.Test() {
+                    @Override
+
+                    // @SuppressWarnings("InsecureCryptoUsage")
+                    public void test(Provider provider, String algorithm) throws Exception {
+                        AlgorithmParameterSpec params = null;
+
+                        if ("DH".equals(algorithm) || "DiffieHellman".equalsIgnoreCase(algorithm)) {
+                            params = getDHParams();
+                        }
+                        // KeyPairGenerator.getInstance(String)
+                        KeyPairGenerator kpg1 = KeyPairGenerator.getInstance(algorithm);
+                        assertEquals(algorithm, kpg1.getAlgorithm());
+                        if (params != null) {
+                            kpg1.initialize(params);
+                        }
+                        test_KeyPairGenerator(kpg1);
+
+                        // KeyPairGenerator.getInstance(String, Provider)
+                        KeyPairGenerator kpg2 = KeyPairGenerator.getInstance(algorithm, provider);
+                        assertEquals(algorithm, kpg2.getAlgorithm());
+                        assertEquals(provider, kpg2.getProvider());
+                        if (params != null) {
+                            kpg2.initialize(params);
+                        }
+                        test_KeyPairGenerator(kpg2);
+
+                        // KeyPairGenerator.getInstance(String, String)
+                        KeyPairGenerator kpg3 =
+                                KeyPairGenerator.getInstance(algorithm, provider.getName());
+                        assertEquals(algorithm, kpg3.getAlgorithm());
+                        assertEquals(provider, kpg3.getProvider());
+                        if (params != null) {
+                            kpg3.initialize(params);
+                        }
+                        test_KeyPairGenerator(kpg3);
                     }
-                    test_KeyPairGenerator(kpg1);
-
-                    // KeyPairGenerator.getInstance(String, Provider)
-                    KeyPairGenerator kpg2 = KeyPairGenerator.getInstance(algorithm, provider);
-                    assertEquals(algorithm, kpg2.getAlgorithm());
-                    assertEquals(provider, kpg2.getProvider());
-                    if (params != null) {
-                        kpg2.initialize(params);
-                    }
-                    test_KeyPairGenerator(kpg2);
-
-                    // KeyPairGenerator.getInstance(String, String)
-                    KeyPairGenerator kpg3 = KeyPairGenerator.getInstance(algorithm,
-                        provider.getName());
-                    assertEquals(algorithm, kpg3.getAlgorithm());
-                    assertEquals(provider, kpg3.getProvider());
-                    if (params != null) {
-                        kpg3.initialize(params);
-                    }
-                    test_KeyPairGenerator(kpg3);
-                }
-            });
+                });
     }
 
     private static final Map<String, List<Integer>> KEY_SIZES = new HashMap<>();
@@ -301,6 +304,7 @@ private void test_Key(KeyPairGenerator kpg, Key k) throws Exception {
         test_KeyWithAllKeyFactories(k);
     }
 
+    // @SuppressWarnings("InsecureCryptoUsage")
     private void test_KeyWithAllKeyFactories(Key k) throws Exception {
         byte[] encoded = k.getEncoded();
 
@@ -446,6 +450,7 @@ private static DHParameterSpec getDHParams() {
     });
 
     @Test
+    // @SuppressWarnings("InsecureCryptoUsage")
     public void testDSAGeneratorWithParams() throws Exception {
         final DSAParameterSpec dsaSpec = new DSAParameterSpec(DSA_P, DSA_Q, DSA_G);
 

diff --git a/common/src/test/java/org/conscrypt/javax/net/ssl/HttpsURLConnectionTest.java b/common/src/test/java/org/conscrypt/javax/net/ssl/HttpsURLConnectionTest.java
@@ -118,6 +118,7 @@ public void failedUrlConnect() throws Exception {
         Future<Void> future = executor.submit(server.run(op));
 
         HttpsURLConnection connection = server.tlsConnection("/file");
+        // google3-add: broken HTTPS hostname verification
         int response = connection.getResponseCode();
         assertEquals(404, response);
 
@@ -151,6 +152,7 @@ public void urlReadTimeout() throws Exception {
         Future<Void> future = executor.submit(server.run(op));
 
         HttpsURLConnection connection = server.tlsConnection("/file");
+        // google3-add: broken HTTPS hostname verification
         connection.setConnectTimeout(0);
         connection.setReadTimeout(1000);
 

diff --git a/openjdk/src/test/java/org/conscrypt/ConscryptTest.java b/openjdk/src/test/java/org/conscrypt/ConscryptTest.java
@@ -22,22 +22,25 @@
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
-import java.security.Provider;
-import java.security.Security;
-import javax.net.ssl.SSLContext;
-
 import org.conscrypt.java.security.StandardNames;
+// import org.junit.Ignore;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
 
+import java.security.Provider;
+import java.security.Security;
+
+import javax.net.ssl.SSLContext;
+
 @RunWith(JUnit4.class)
 public class ConscryptTest {
 
     /**
      * This confirms that the version machinery is working.
      */
     @Test
+    // @Ignore("Failing on google3. TODO(b/309186591)")
     public void testVersionIsSensible() {
         Conscrypt.Version version = Conscrypt.version();
         assertNotNull(version);
@@ -71,8 +74,7 @@ public void buildTls13WithoutTrustManager() throws Exception {
     @Test
     public void buildInvalid() {
         try {
-            Conscrypt.newProviderBuilder()
-                .defaultTlsProtocol("invalid").build();
+            Conscrypt.newProviderBuilder().defaultTlsProtocol("invalid").build();
             fail();
         } catch (IllegalArgumentException e) {
             // Expected.
@@ -81,10 +83,11 @@ public void buildInvalid() {
 
     private void buildProvider(String defaultProtocol, boolean withTrustManager) throws Exception {
         Provider provider = Conscrypt.newProviderBuilder()
-            .setName("test name")
-            .provideTrustManager(withTrustManager)
-            .defaultTlsProtocol(defaultProtocol)
-            .build();
+                                    .setName("test name")
+                                    .provideTrustManager(withTrustManager)
+                                    .defaultTlsProtocol(defaultProtocol)
+
+                                    .build();
 
         assertEquals("test name", provider.getName());
         assertEquals(withTrustManager, provider.containsKey("TrustManagerFactory.PKIX"));