FIDO2: add regression tests for SK key algorithm dispatch

nindanaoto · claude · kruton · commit 7bbf83d46cb3 · 2026-03-26T22:48:09.000-07:00
Add tests that use realistic algorithm names ("Ed25519" and "EC")
matching what real SkEd25519PublicKey and SkEcdsaPublicKey return.
These reproduce the bug where isEd25519Key() matched SK Ed25519 keys
before the instanceof SkPublicKey check, causing DER encoding failure.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/test/java/com/trilead/ssh2/auth/AuthenticationManagerSkKeyTest.java b/src/test/java/com/trilead/ssh2/auth/AuthenticationManagerSkKeyTest.java
@@ -53,11 +53,17 @@ public class AuthenticationManagerSkKeyTest {
 	 */
 	static class TestSkPublicKey implements SkPublicKey {
 		private final String keyType;
+		private final String algorithm;
 		private final String application;
 		private final byte[] keyData;
 
 		TestSkPublicKey(String keyType, String application, byte[] keyData) {
+			this(keyType, keyType, application, keyData);
+		}
+
+		TestSkPublicKey(String keyType, String algorithm, String application, byte[] keyData) {
 			this.keyType = keyType;
+			this.algorithm = algorithm;
 			this.application = application;
 			this.keyData = keyData.clone();
 		}
@@ -79,7 +85,7 @@ public byte[] getKeyData() {
 
 		@Override
 		public String getAlgorithm() {
-			return keyType;
+			return algorithm;
 		}
 
 		@Override
@@ -238,6 +244,45 @@ public void authenticateSkKey_SendsAuthenticationRequest() throws Exception {
 			"Authentication should send at least one message");
 	}
 
+	/**
+	 * Regression test: SK Ed25519 key with "Ed25519" algorithm must use the SK
+	 * code path, not the generic Ed25519 path. The real SkEd25519PublicKey returns
+	 * "Ed25519" from getAlgorithm(), which matches isEd25519Key(). Without the
+	 * fix, this causes Ed25519Verify.encodePublicKey() to attempt DER decoding
+	 * and fail with InvalidKeySpecException.
+	 */
+	@Test
+	public void authenticateSkEd25519Key_WithEd25519Algorithm_UsesSkPath() throws Exception {
+		TestSkPublicKey skKey = new TestSkPublicKey(SK_ED25519_KEY_TYPE, "Ed25519", DEFAULT_APPLICATION, TEST_KEY_DATA);
+		TestSignatureProxy signatureProxy = new TestSignatureProxy(skKey, TEST_SIGNATURE);
+
+		setupMocksForAuthentication();
+		setupMockForAuthSuccess();
+
+		authManager.authenticatePublicKey(TEST_USER, signatureProxy);
+
+		assertEquals(SignatureProxy.SHA512, signatureProxy.getLastHashAlgorithm(),
+			"SK Ed25519 key with Ed25519 algorithm should use SK path with SHA512");
+	}
+
+	/**
+	 * Regression test: SK ECDSA key with "EC" algorithm must use the SK
+	 * code path, not the generic ECDSA path.
+	 */
+	@Test
+	public void authenticateSkEcdsaKey_WithEcAlgorithm_UsesSkPath() throws Exception {
+		TestSkPublicKey skKey = new TestSkPublicKey(SK_ECDSA_KEY_TYPE, "EC", DEFAULT_APPLICATION, TEST_KEY_DATA);
+		TestSignatureProxy signatureProxy = new TestSignatureProxy(skKey, TEST_SIGNATURE);
+
+		setupMocksForAuthentication();
+		setupMockForAuthSuccess();
+
+		authManager.authenticatePublicKey(TEST_USER, signatureProxy);
+
+		assertEquals(SignatureProxy.SHA256, signatureProxy.getLastHashAlgorithm(),
+			"SK ECDSA key with EC algorithm should use SK path with SHA256");
+	}
+
 	private void setupMocksForAuthentication() throws IOException {
 		lenient().when(tm.getSessionIdentifier()).thenReturn(TEST_SESSION_ID);
 		lenient().when(tm.getExtensionInfo()).thenReturn(extensionInfo);
