make sure we get the right provider in tests

mkleene · mkleene · commit 827a5c352f49 · 2026-05-11T21:30:32.000-04:00
diff --git a/sdk/src/test/java/io/opentdf/platform/sdk/CryptoProviderSetupExtension.java b/sdk/src/test/java/io/opentdf/platform/sdk/CryptoProviderSetupExtension.java
@@ -0,0 +1,26 @@
+package io.opentdf.platform.sdk;
+
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.junit.jupiter.api.extension.BeforeAllCallback;
+import org.junit.jupiter.api.extension.ExtensionContext;
+
+import java.security.Provider;
+import java.security.Security;
+import java.util.Arrays;
+
+public class CryptoProviderSetupExtension implements BeforeAllCallback {
+    private BouncyCastleProvider securityProvider;
+
+    @Override
+    public synchronized void beforeAll(ExtensionContext extensionContext) {
+        if (this.securityProvider == null) {
+            var existingProviders =  Security.getProviders();
+            Arrays.asList(existingProviders).stream().map(Provider::getName).forEach(Security::removeProvider);
+            if (Security.getProviders().length != 0) {
+                throw new IllegalStateException("unable to remove all providers");
+            }
+
+            Security.addProvider(this.securityProvider = new BouncyCastleProvider());
+        }
+    }
+}
diff --git a/sdk/src/test/java/io/opentdf/platform/sdk/ECKeyPairTest.java b/sdk/src/test/java/io/opentdf/platform/sdk/ECKeyPairTest.java
@@ -54,17 +54,17 @@ void ecPublicKeyInPemformat() {
         String keypairAPubicKey = keyPairA.publicKeyInPEMFormat();
         String keypairAPrivateKey = keyPairA.privateKeyInPEMFormat();
 
-        ECPublicKey publicKeyA = PemUtils.publicKeyFromPem(keypairAPubicKey);
-        ECPrivateKey privateKeyA = PemUtils.privateKeyFromPem(keypairAPrivateKey);
+        ECPublicKey publicKeyA = PemTestUtils.publicKeyFromPem(keypairAPubicKey);
+        ECPrivateKey privateKeyA = PemTestUtils.privateKeyFromPem(keypairAPrivateKey);
 
         System.out.println(keypairAPubicKey);
         System.out.println(keypairAPrivateKey);
 
         byte[] compressedKey1 = keyPairA.compressECPublickey();
-        byte[] compressedKey2 = PemUtils.compressECPublickey(keyPairA.publicKeyInPEMFormat());
+        byte[] compressedKey2 = PemTestUtils.compressECPublickey(keyPairA.publicKeyInPEMFormat());
         assertArrayEquals(compressedKey1, compressedKey2);
 
-        String publicKey = PemUtils.publicKeyFromECPoint(compressedKey1, SECP256R1.getCurveName());
+        String publicKey = PemTestUtils.publicKeyFromECPoint(compressedKey1, SECP256R1.getCurveName());
         assertEquals(keyPairA.publicKeyInPEMFormat(), publicKey);
 
         ECKeyPair keyPairB = new ECKeyPair();
@@ -74,8 +74,8 @@ void ecPublicKeyInPemformat() {
         System.out.println(keypairBPubicKey);
         System.out.println(keypairBPrivateKey);
 
-        ECPublicKey publicKeyB = PemUtils.publicKeyFromPem(keypairBPubicKey);
-        ECPrivateKey privateKeyB = PemUtils.privateKeyFromPem(keypairBPrivateKey);
+        ECPublicKey publicKeyB = PemTestUtils.publicKeyFromPem(keypairBPubicKey);
+        ECPrivateKey privateKeyB = PemTestUtils.privateKeyFromPem(keypairBPrivateKey);
 
         byte[] symmetricKey1 = ECKeyPair.computeECDHKey(publicKeyA, privateKeyB);
         byte[] symmetricKey2 = ECKeyPair.computeECDHKey(publicKeyB, privateKeyA);
@@ -94,14 +94,14 @@ void extractPemPubKeyFromX509() throws CertificateException, IOException, NoSuch
                 "zj0EAwIDSAAwRQIhAItk5SmcWSg06tnOCEqTa6UsChaycX/cmAT8PTDRnaRcAiAl\n" +
                 "Vr2EvlA2x5mWFE/+nDdxxzljYjLZuSDQMEI/J6u0/Q==\n" +
                 "-----END CERTIFICATE-----";
-        String pubKey = PemUtils.getPEMPublicKeyFromX509Cert(x509ECPubKey);
+        String pubKey = PemTestUtils.getPEMPublicKeyFromX509Cert(x509ECPubKey);
         System.out.println(pubKey);
 
-        ECPublicKey publicKey = PemUtils.publicKeyFromPem(pubKey);
-        byte[] compressedKey = PemUtils.compressECPublickey(pubKey);
+        ECPublicKey publicKey = PemTestUtils.publicKeyFromPem(pubKey);
+        byte[] compressedKey = PemTestUtils.compressECPublickey(pubKey);
         System.out.println(Arrays.toString(compressedKey));
 
-        compressedKey = PemUtils.compressECPublickey(pubKey);
+        compressedKey = PemTestUtils.compressECPublickey(pubKey);
         System.out.println(Arrays.toString(compressedKey));
         System.out.println(compressedKey.length);
 
@@ -112,7 +112,7 @@ void extractPemPubKeyFromX509() throws CertificateException, IOException, NoSuch
         System.out.println(keypairPubicKey);
         System.out.println(keypairPrivateKey);
 
-        byte[] symmetricKey = ECKeyPair.computeECDHKey(publicKey, PemUtils.privateKeyFromPem(keypairPrivateKey));
+        byte[] symmetricKey = ECKeyPair.computeECDHKey(publicKey, PemTestUtils.privateKeyFromPem(keypairPrivateKey));
         System.out.println(Arrays.toString(symmetricKey));
 
         byte[] key = ECKeyPair.calculateHKDF(ECKeys.salt.getBytes(StandardCharsets.UTF_8), symmetricKey);
@@ -138,11 +138,11 @@ void testECDH()  {
         String expectedKey = "3KGgsptHbTsbxJtql6sHUcx255KcUhxdeJWKjmPMlcc=";
 
         // SDK side
-        ECPublicKey kasPubKey = PemUtils.publicKeyFromPem(ECKeys.kasPublicKey);
-        ECPrivateKey kasPriKey = PemUtils.privateKeyFromPem(ECKeys.kasPrivateKey);
+        ECPublicKey kasPubKey = PemTestUtils.publicKeyFromPem(ECKeys.kasPublicKey);
+        ECPrivateKey kasPriKey = PemTestUtils.privateKeyFromPem(ECKeys.kasPrivateKey);
 
-        ECPublicKey sdkPubKey = PemUtils.publicKeyFromPem(ECKeys.sdkPublicKey);
-        ECPrivateKey sdkPriKey = PemUtils.privateKeyFromPem(ECKeys.sdkPrivateKey);
+        ECPublicKey sdkPubKey = PemTestUtils.publicKeyFromPem(ECKeys.sdkPublicKey);
+        ECPrivateKey sdkPriKey = PemTestUtils.privateKeyFromPem(ECKeys.sdkPrivateKey);
 
         byte[] symmetricKey = ECKeyPair.computeECDHKey(kasPubKey, sdkPriKey);
         byte[] key = ECKeyPair.calculateHKDF(ECKeys.salt.getBytes(StandardCharsets.UTF_8), symmetricKey);
@@ -155,11 +155,11 @@ void testECDH()  {
         encodedKey = Base64.getEncoder().encodeToString(key);
         assertEquals(encodedKey, expectedKey);
 
-        byte[] ecPoint = PemUtils.compressECPublickey(ECKeys.sdkPublicKey);
+        byte[] ecPoint = PemTestUtils.compressECPublickey(ECKeys.sdkPublicKey);
         String encodeECPoint = Base64.getEncoder().encodeToString(ecPoint);
         assertEquals(encodeECPoint, "Al3vx59pBnP8tRxuUFw18aK9ym6rFrxZRhpVQytUQ+Kg");
 
-        String publicKey = PemUtils.publicKeyFromECPoint(ecPoint,
+        String publicKey = PemTestUtils.publicKeyFromECPoint(ecPoint,
                 SECP256R1.name());
         assertArrayEquals(ECKeys.sdkPublicKey.toCharArray(), publicKey.toCharArray());
     }
diff --git a/sdk/src/test/java/io/opentdf/platform/sdk/PemTestUtils.java b/sdk/src/test/java/io/opentdf/platform/sdk/PemTestUtils.java
@@ -20,21 +20,30 @@
 import java.security.KeyFactory;
 import java.security.NoSuchAlgorithmException;
 import java.security.PublicKey;
+import java.security.Security;
 import java.security.interfaces.ECPrivateKey;
 import java.security.interfaces.ECPublicKey;
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.X509EncodedKeySpec;
+import java.util.Objects;
 
 /**
  * BouncyCastle-flavored PEM/X.509 helpers used only by tests. Kept here so the SDK
  * production classpath does not have a BouncyCastle dependency. The implementations
  * use BouncyCastle internally but expose standard JCA key interfaces, so callers can
  * pass results directly to JCA-based APIs.
  */
-final class PemUtils {
+final class PemTestUtils {
+    private static final JcaPEMKeyConverter converter;
 
+    static {
+        var provider = Objects.requireNonNull(
+                Security.getProvider("BC"),
+                "BC provider must be registered");
+        converter = new JcaPEMKeyConverter().setProvider(provider);
+    }
 
-    private PemUtils() {
+    private PemTestUtils() {
     }
 
     static ECPublicKey publicKeyFromPem(String pemEncoding) {
@@ -43,7 +52,6 @@ static ECPublicKey publicKeyFromPem(String pemEncoding) {
             SubjectPublicKeyInfo publicKeyInfo = (SubjectPublicKeyInfo) parser.readObject();
             parser.close();
 
-            JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
             return (ECPublicKey) converter.getPublicKey(publicKeyInfo);
         } catch (IOException e) {
             throw new RuntimeException(e);
@@ -56,7 +64,6 @@ static ECPrivateKey privateKeyFromPem(String pemEncoding) {
             PrivateKeyInfo privateKeyInfo = (PrivateKeyInfo) parser.readObject();
             parser.close();
 
-            JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
             return (ECPrivateKey) converter.getPrivateKey(privateKeyInfo);
         } catch (IOException e) {
             throw new RuntimeException(e);
@@ -65,17 +72,7 @@ static ECPrivateKey privateKeyFromPem(String pemEncoding) {
 
     static String getPEMPublicKeyFromX509Cert(String pemInX509Format) {
         try {
-            PEMParser parser = new PEMParser(new StringReader(pemInX509Format));
-            X509CertificateHolder x509CertificateHolder = (X509CertificateHolder) parser.readObject();
-            parser.close();
-            SubjectPublicKeyInfo publicKeyInfo = x509CertificateHolder.getSubjectPublicKeyInfo();
-            JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
-            ECPublicKey publicKey;
-            try {
-                publicKey = (ECPublicKey) converter.getPublicKey(publicKeyInfo);
-            } catch (PEMException e) {
-                throw new RuntimeException(e);
-            }
+            ECPublicKey publicKey = getEcPublicKey(pemInX509Format);
 
             StringWriter writer = new StringWriter();
             PemWriter pemWriter = new PemWriter(writer);
@@ -88,6 +85,20 @@ static String getPEMPublicKeyFromX509Cert(String pemInX509Format) {
         }
     }
 
+    private static ECPublicKey getEcPublicKey(String pemInX509Format) throws IOException {
+        PEMParser parser = new PEMParser(new StringReader(pemInX509Format));
+        X509CertificateHolder x509CertificateHolder = (X509CertificateHolder) parser.readObject();
+        parser.close();
+        SubjectPublicKeyInfo publicKeyInfo = x509CertificateHolder.getSubjectPublicKeyInfo();
+        ECPublicKey publicKey;
+        try {
+            publicKey = (ECPublicKey) converter.getPublicKey(publicKeyInfo);
+        } catch (PEMException e) {
+            throw new RuntimeException(e);
+        }
+        return publicKey;
+    }
+
     static byte[] compressECPublickey(String pemECPubKey) {
         try {
             KeyFactory ecKeyFac = KeyFactory.getInstance("EC");
diff --git a/sdk/src/test/java/io/opentdf/platform/sdk/TDFTest.java b/sdk/src/test/java/io/opentdf/platform/sdk/TDFTest.java
@@ -10,7 +10,6 @@
 import io.opentdf.platform.policy.kasregistry.KeyAccessServerRegistryServiceClient;
 import io.opentdf.platform.policy.kasregistry.ListKeyAccessServersRequest;
 import io.opentdf.platform.policy.kasregistry.ListKeyAccessServersResponse;
-import io.opentdf.platform.sdk.Config.KASInfo;
 import io.opentdf.platform.sdk.TDF.Reader;
 import org.apache.commons.compress.utils.SeekableInMemoryByteChannel;
 import org.junit.jupiter.api.BeforeAll;
@@ -89,9 +88,9 @@ public byte[] unwrap(Manifest.KeyAccess keyAccess, String policy, KeyType sessio
                 if (sessionKeyType.isEc()) {
                     var kasPrivateKey = CryptoUtils
                             .getPrivateKeyPEM(keypairs.get(index).getPrivate());
-                    var privateKey = PemUtils.privateKeyFromPem(kasPrivateKey);
+                    var privateKey = PemTestUtils.privateKeyFromPem(kasPrivateKey);
                     var clientEphemeralPublicKey = keyAccess.ephemeralPublicKey;
-                    var publicKey = PemUtils.publicKeyFromPem(clientEphemeralPublicKey);
+                    var publicKey = PemTestUtils.publicKeyFromPem(clientEphemeralPublicKey);
                     byte[] symKey = ECKeyPair.computeECDHKey(publicKey, privateKey);
 
                     var sessionKey = ECKeyPair.calculateHKDF(GLOBAL_KEY_SALT, symKey);
diff --git a/sdk/src/test/resources/META-INF/services/org.junit.jupiter.api.extension.Extension b/sdk/src/test/resources/META-INF/services/org.junit.jupiter.api.extension.Extension
@@ -0,0 +1 @@
+io.opentdf.platform.sdk.CryptoProviderSetupExtension
diff --git a/sdk/src/test/resources/junit-platform.properties b/sdk/src/test/resources/junit-platform.properties
@@ -0,0 +1 @@
+junit.jupiter.extensions.autodetection.enabled = true

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+io.opentdf.platform.sdk.CryptoProviderSetupExtension`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+junit.jupiter.extensions.autodetection.enabled = true`