JCE: throw correct InvalidParameterException from Cipher.init() if mode is unsupported or incorrect

cconlon · cconlon · commit 27bac22bfc35 · 2025-08-20T16:27:38.000-06:00
diff --git a/src/main/java/com/wolfssl/provider/jce/WolfCryptCipher.java b/src/main/java/com/wolfssl/provider/jce/WolfCryptCipher.java
@@ -42,6 +42,7 @@
 import java.security.Key;
 import java.security.NoSuchAlgorithmException;
 import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidParameterException;
 import java.security.InvalidKeyException;
 import java.security.interfaces.RSAPrivateKey;
 import java.security.interfaces.RSAPublicKey;
@@ -522,7 +523,7 @@ private void wolfCryptSetDirection(int opmode)
                 break;
 
             default:
-                throw new InvalidKeyException(
+                throw new InvalidParameterException(
                     "Cipher opmode must be ENCRYPT_MODE or DECRPYT_MODE");
         }
     }
diff --git a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptCipherTest.java b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptCipherTest.java
@@ -60,6 +60,7 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.InvalidKeyException;
 import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidParameterException;
 import java.security.spec.AlgorithmParameterSpec;
 import java.security.AlgorithmParameters;
 
@@ -191,6 +192,35 @@ public void testGetBlockSize()
         }
     }
 
+    @Test
+    public void testAesInvalidModeThrowsInvalidParameterException()
+        throws NoSuchProviderException, NoSuchAlgorithmException,
+               NoSuchPaddingException, InvalidKeyException,
+               InvalidAlgorithmParameterException {
+
+        Cipher cipher;
+
+        try {
+            cipher = Cipher.getInstance("AES/CBC/NoPadding", jceProvider);
+        } catch (NoSuchAlgorithmException e) {
+            /* skip if AES-CBC is not enabled */
+            return;
+        }
+
+        SecretKeySpec keySpec = new SecretKeySpec(new byte[16], "AES");
+        IvParameterSpec ivSpec = new IvParameterSpec(new byte[16]);
+
+        int invalidMode = 100;
+
+        try {
+            cipher.init(invalidMode, keySpec, ivSpec);
+            fail("Cipher.init() with invalid mode should throw " +
+                 "InvalidParameterException");
+        } catch (InvalidParameterException e) {
+            /* expected */
+        }
+    }
+
     @Test
     public void testAesCbcNoPadding()
         throws NoSuchProviderException, NoSuchAlgorithmException,
