From 6cfde45f50c46941909aada6f43d769ca8314fce Mon Sep 17 00:00:00 2001
From: vasiliy-mikhailov
Date: Wed, 24 Jun 2026 21:29:40 +0300
Subject: [PATCH] Add unit tests for EciesWithAwsKmsSavedKey
Additive unit tests only - no existing test or production code changed.
Signed-off-by: vasiliy-mikhailov
---
 .../hybrid/EciesWithAwsKmsSavedKeyTest.java | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/crypto-tink/src/test/java/de/dominikschadow/javasecurity/tink/hybrid/EciesWithAwsKmsSavedKeyTest.java b/crypto-tink/src/test/java/de/dominikschadow/javasecurity/tink/hybrid/EciesWithAwsKmsSavedKeyTest.java
index 26ce4e23..ce027003 100644
--- a/crypto-tink/src/test/java/de/dominikschadow/javasecurity/tink/hybrid/EciesWithAwsKmsSavedKeyTest.java
+++ b/crypto-tink/src/test/java/de/dominikschadow/javasecurity/tink/hybrid/EciesWithAwsKmsSavedKeyTest.java
@@ -259,4 +259,23 @@ void decryptWithPublicKeyThrowsException() throws Exception {
 ecies.decrypt(testPublicKeysetHandle, cipherText, CONTEXT_INFO)
 );
 }
+
+ @Test
+ void generateAndStorePublicKeyWritesPublicKeysetNotPrivateKeyset() throws Exception {
+ File keysetFile = new File(tempDir, "public-keyset-verification.json");
+ assertFalse(keysetFile.exists());
+
+ ecies.generateAndStorePublicKey(testPrivateKeysetHandle, keysetFile);
+
+ KeysetHandle loadedKeyset = ecies.loadPublicKey(keysetFile);
+
+ // The stored keyset must be a public keyset: it can encrypt but NOT decrypt.
+ // If the private keyset were written instead, decryption would succeed.
+ byte[] cipherText = ecies.encrypt(loadedKeyset, INITIAL_TEXT, CONTEXT_INFO);
+
+ assertThrows(GeneralSecurityException.class, () ->
+ ecies.decrypt(loadedKeyset, cipherText, CONTEXT_INFO),
+ "Loaded keyset must be public-only: decryption must fail"
+ );
+ }
 }
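Review bot: The new test only proves that the loaded keyset cannot decrypt; it never shows that the stored file holds the public half of `testPrivateKeysetHandle`, so a file containing an unrelated public keyset, or a decrypt call that fails for some other reason, would still satisfy `assertThrows(GeneralSecurityException.class, ...)`. A positive round trip after the `assertThrows` would tie the stored key to the private one: `assertTrue(keysetFile.exists());` and `assertArrayEquals(INITIAL_TEXT, ecies.decrypt(testPrivateKeysetHandle, cipherText, CONTEXT_INFO));`. That assumes `INITIAL_TEXT` is a `byte[]` and `decrypt` returns the plaintext bytes, which the hunk does not show. The test method is complete in the hunk, but `ecies`, `tempDir`, `testPrivateKeysetHandle` and the static assertion imports are declared outside it and should be checked there.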