From 473ce034ee7f8c0df02353aaeef20977d9ea3087 Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Tue, 11 Nov 2025 23:45:49 -0800 Subject: [PATCH 1/2] auto commit --- .../amazon/encryption/s3/TestUtils.java | 2 +- .../Controllers/ClientController.cs | 38 +++++++++++++------ .../net-v4-server/Models/ClientRequest.cs | 4 +- .../net-v4-server/s3ec-net-v4-improved | 2 +- 4 files changed, 29 insertions(+), 17 deletions(-) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java index df346319..c20fd5a6 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java @@ -99,7 +99,7 @@ public class TestUtils { // For now, only .NET and Java have RSA support public static final Set RAW_SUPPORTED = Set.of(JAVA_V3_CURRENT, JAVA_V3_TRANSITION, JAVA_V4 - , NET_V2_CURRENT, NET_V3_CURRENT, NET_V3_TRANSITION + , NET_V2_CURRENT, NET_V3_CURRENT, NET_V3_TRANSITION, NET_V4 ); // .NET only supports decrypting instruction files using AES and RSA. diff --git a/test-server/net-v4-server/Controllers/ClientController.cs b/test-server/net-v4-server/Controllers/ClientController.cs index 9e9ae66e..5298d758 100644 --- a/test-server/net-v4-server/Controllers/ClientController.cs +++ b/test-server/net-v4-server/Controllers/ClientController.cs @@ -1,3 +1,4 @@ +using System.Security.Cryptography; using System.Text.Json; using Amazon.Extensions.S3.Encryption; using Amazon.Extensions.S3.Encryption.Primitives; 
@@ -19,14 +20,36 @@ public IActionResult CreateClient([FromBody] ClientRequest request) return StatusCode(501, new GenericServerError { Message = "[NET-V4] EnableDelayedAuthenticationMode not supported" }); if (request.Config.SetBufferSize.HasValue) return StatusCode(501, new GenericServerError { Message = "[NET-V4] SetBufferSize not supported" }); - if (request.Config.KeyMaterial.RsaKey != null) - return StatusCode(501, new GenericServerError { Message = "[NET-V4] RsaKey not supported" }); if (request.Config.KeyMaterial.AesKey != null) return StatusCode(501, new GenericServerError { Message = "[NET-V4] AesKey not supported" }); try { - var kmsKeyId = request.Config.KeyMaterial.KmsKeyId; + EncryptionMaterialsV4 encryptionMaterial; + if (request.Config.KeyMaterial.KmsKeyId != null) + { + // The POST request does not contain encryption context. + // However, encryption context is a required field when using KMS. + // So, we are passing empty dictionary. + var encryptionContext = new Dictionary(); + var kmsKeyId = request.Config.KeyMaterial.KmsKeyId; + encryptionMaterial = new EncryptionMaterialsV4(kmsKeyId, KmsType.KmsContext, encryptionContext); + logger.LogInformation( + "[NET-V4] Created EncryptionMaterialsV4: KMS={KmsKeyId}", + kmsKeyId); + } + else if (request.Config.KeyMaterial.RsaKey != null) + { + var rsaKeyBytes = request.Config.KeyMaterial.RsaKey; + var rsaKey = RSA.Create(); + rsaKey.ImportPkcs8PrivateKey(new ReadOnlySpan(rsaKeyBytes), out _); + encryptionMaterial = new EncryptionMaterialsV4(rsaKey, AsymmetricAlgorithmType.RsaOaepSha1); + logger.LogInformation( + "[NET-V4] Created EncryptionMaterialsV4: RSA"); + } else + { + return StatusCode(501, new GenericServerError { Message = "[NET-V4] Unknown or missing key material!" }); + } var enableLegacyUnauthenticatedModes = request.Config.EnableLegacyUnauthenticatedModes ?? false; var enableLegacyWrappingAlgorithms = request.Config.EnableLegacyWrappingAlgorithms ?? 
false; var commitmentPolicy = MapCommitmentPolicy(request.Config.CommitmentPolicy); @@ -36,15 +59,6 @@ public IActionResult CreateClient([FromBody] ClientRequest request) logger.LogInformation("[NET-V4] isSecurityProfileProvided: {isSecurityProfileProvided}, isCommitmentPolicyProvided: {isCommitmentPolicyProvided}, useDefaultConf: {useDefaultConf}", isSecurityProfileProvided, isCommitmentPolicyProvided, useDefaultConf); - // The POST request does not contain encryption context. - // However, encryption context is a required field when using KMS. - // So, we are passing empty dictionary. - var encryptionContext = new Dictionary(); - var encryptionMaterial = new EncryptionMaterialsV4(kmsKeyId, KmsType.KmsContext, encryptionContext); - logger.LogInformation( - "[NET-V4] Created EncryptionMaterialsV4: KMS={KmsKeyId}", - kmsKeyId); - // SecurityProfile V4AndLegacy can decrypt from legacy S3EC but V4 cannot var enableLegacyMode = enableLegacyUnauthenticatedModes || enableLegacyWrappingAlgorithms; var securityProfile = enableLegacyMode ? SecurityProfile.V4AndLegacy : SecurityProfile.V4; diff --git a/test-server/net-v4-server/Models/ClientRequest.cs b/test-server/net-v4-server/Models/ClientRequest.cs index 52dd0317..a5eff6f7 100644 --- a/test-server/net-v4-server/Models/ClientRequest.cs +++ b/test-server/net-v4-server/Models/ClientRequest.cs @@ -27,9 +27,7 @@ public class KeyMaterial { public byte[]? RsaKey { get; set; } public byte[]? AesKey { get; set; } - - [Required] - public string KmsKeyId { get; set; } = string.Empty; + public string? KmsKeyId { get; set; } } [JsonConverter(typeof(JsonStringEnumConverter))] diff --git a/test-server/net-v4-server/s3ec-net-v4-improved b/test-server/net-v4-server/s3ec-net-v4-improved index ebbc5d84..691d22a5 160000 --- a/test-server/net-v4-server/s3ec-net-v4-improved +++ b/test-server/net-v4-server/s3ec-net-v4-improved 
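Review bot: The new key-material selection in CreateClient takes the first non-null field, so a request carrying both `KmsKeyId` and `RsaKey` silently builds a KMS client and ignores the RSA key, whereas the removed guard rejected any `RsaKey`. I would reject that combination before the `try`, next to the `AesKey` check, with `if (request.Config.KeyMaterial.KmsKeyId != null && request.Config.KeyMaterial.RsaKey != null)` returning a 400. In the RSA branch, `out _` discards the byte count from `ImportPkcs8PrivateKey`; comparing it with `rsaKeyBytes.Length` would reject trailing bytes after the PKCS#8 structure, and `rsaKey` is left undisposed if the import throws. The `catch` for this `try` is outside the hunk, so how a malformed key is reported to the caller is not visible here.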
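Review bot: With `[Required]` and the `string.Empty` default removed from `KmsKeyId`, nothing on `KeyMaterial` states or enforces that a key source must be supplied. A body with none now passes model validation and is rejected only by the controller's final `else`, with a 501 rather than a client-error status. An explicit empty string is also non-null, so it would still select the KMS branch in ClientController.cs; testing `string.IsNullOrEmpty(request.Config.KeyMaterial.KmsKeyId)` there would close that gap. I would also add a summary comment on the class such as `/// At most one key source should be set; RsaKey is a PKCS#8-encoded private key.` The class declaration starts outside the hunk.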
@@ -1 +1 @@ -Subproject commit ebbc5d849371fe5d7f5f2dfc2d8f772458f7fcd8 +Subproject commit 691d22a504184fd71f2dae7fd354bd669b58cc07 From 43afbdf7ae7fd53b7a8c5482d26e71a091fc3ea7 Mon Sep 17 00:00:00 2001 From: rishav-karanjit Date: Wed, 12 Nov 2025 10:50:54 -0800 Subject: [PATCH 2/2] auto commit --- .../it/java/software/amazon/encryption/s3/RoundTripTests.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java index 0aa6d611..1167e4db 100644 --- a/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java +++ b/test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java @@ -469,6 +469,8 @@ public void rsaRoundTrip(LanguageServerTarget encLang, LanguageServerTarget decL String encS3ECId = encClientOutput.getClientId(); CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder() .config(S3ECConfig.builder() + .encryptionAlgorithm(EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF) + .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT) .keyMaterial(rsaKeyOne).build()) .build()); String decS3ECId = decClientOutput.getClientId();
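Review bot: The two builder calls added to the decrypting client in rsaRoundTrip pin it to `ALG_AES_256_GCM_IV12_TAG16_NO_KDF` with `CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT` and carry no explanation. A reader cannot tell whether this is a deliberate constraint of raw RSA key material or a workaround for one target. Going by the names, this looks like the legacy non-committing configuration, which would mean the RSA round trip no longer exercises the default commitment policy on the decrypt side. I would add a comment above them, e.g. `// RSA round trip uses the non-KDF suite because <reason>; re-enable the default commitment policy once <tracking issue> is resolved`. The encrypting client's configuration is outside the hunk, so whether it is set the same way cannot be checked from here.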