tests: cover Open() exception types and short input

mtmk · mtmk · commit 510d61a21a5c · 2026-03-31T12:03:33.000+01:00
Tighten three existing tests from ThrowsAny&lt;Exception&gt; to
Throws&lt;NKeysException&gt; now that Open() normalizes exceptions.
Add a theory test verifying short inputs (0, 28, 29, 43 bytes)
are rejected with NKeysException.
diff --git a/NATS.NKeys.Tests/NKeysTest.cs b/NATS.NKeys.Tests/NKeysTest.cs
@@ -468,7 +468,7 @@ public void DecodePubCurveKey_blackbox_wrong_sender_fails_open()
         var sealed1 = alice.Seal(Encoding.UTF8.GetBytes("secret"), bob.GetPublicKey());
 
         // Bob tries to open with Eve's public key as sender — must fail
-        Assert.ThrowsAny<Exception>(() => bob.Open(sealed1, eve.GetPublicKey()));
+        Assert.Throws<NKeysException>(() => bob.Open(sealed1, eve.GetPublicKey()));
     }
 
     [Fact]
@@ -482,7 +482,7 @@ public void DecodePubCurveKey_blackbox_wrong_receiver_fails_open()
         var sealed1 = alice.Seal(Encoding.UTF8.GetBytes("secret"), bob.GetPublicKey());
 
         // Eve tries to open something meant for Bob
-        Assert.ThrowsAny<Exception>(() => eve.Open(sealed1, alice.GetPublicKey()));
+        Assert.Throws<NKeysException>(() => eve.Open(sealed1, alice.GetPublicKey()));
     }
 
     [Fact]
@@ -496,7 +496,7 @@ public void DecodePubCurveKey_blackbox_tampered_ciphertext_fails()
         // Flip a byte in the encrypted payload (after version + nonce header)
         sealed1[30] ^= 0xFF;
 
-        Assert.ThrowsAny<Exception>(() => bob.Open(sealed1, alice.GetPublicKey()));
+        Assert.Throws<NKeysException>(() => bob.Open(sealed1, alice.GetPublicKey()));
     }
 
     [Fact]
@@ -517,6 +517,29 @@ public void DecodePubCurveKey_blackbox_each_seal_produces_different_ciphertext()
         Assert.Equal(message, bob.Open(sealed2, alice.GetPublicKey()));
     }
 
+    [Theory]
+    [InlineData(0)]
+    [InlineData(28)]
+    [InlineData(29)]
+    [InlineData(43)]
+    public void Open_rejects_short_input(int length)
+    {
+        var kp = KeyPair.CreatePair(PrefixByte.Curve);
+        var input = new byte[length];
+
+        // Fill with valid version header if long enough
+        if (length >= 4)
+        {
+            input[0] = (byte)'x';
+            input[1] = (byte)'k';
+            input[2] = (byte)'v';
+            input[3] = (byte)'1';
+        }
+
+        var ex = Assert.Throws<NKeysException>(() => kp.Open(input, kp.GetPublicKey()));
+        Assert.Equal("Encrypted input is not valid", ex.Message);
+    }
+
     [Fact]
     public void Public_key_does_not_have_seed_nor_secret_key()
     {
