chore: turn on raw aes for improved NET

test-server/java-tests/src/it/java/software/amazon/encryption/s3/RoundTripTests.java

@@ -469,6 +469,8 @@ public void rsaRoundTrip(LanguageServerTarget encLang, LanguageServerTarget decL
         String encS3ECId = encClientOutput.getClientId();
         CreateClientOutput decClientOutput = decClient.createClient(CreateClientInput.builder()
           .config(S3ECConfig.builder()
+            .encryptionAlgorithm(EncryptionAlgorithm.ALG_AES_256_GCM_IV12_TAG16_NO_KDF)
+            .commitmentPolicy(CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)
             .keyMaterial(rsaKeyOne).build())
           .build());
         String decS3ECId = decClientOutput.getClientId();

test-server/java-tests/src/it/java/software/amazon/encryption/s3/TestUtils.java

@@ -99,7 +99,7 @@ public class TestUtils {
     // For now, only .NET and Java have RSA support
     public static final Set<String> RAW_SUPPORTED =
       Set.of(JAVA_V3_CURRENT, JAVA_V3_TRANSITION, JAVA_V4
-        , NET_V2_CURRENT, NET_V3_CURRENT, NET_V3_TRANSITION
+        , NET_V2_CURRENT, NET_V3_CURRENT, NET_V3_TRANSITION, NET_V4
       );
 
     // .NET only supports decrypting instruction files using AES and RSA.

test-server/net-v4-server/Controllers/ClientController.cs

@@ -1,3 +1,4 @@
+using System.Security.Cryptography;
 using System.Text.Json;
 using Amazon.Extensions.S3.Encryption;
 using Amazon.Extensions.S3.Encryption.Primitives;
@@ -19,14 +20,36 @@ public IActionResult CreateClient([FromBody] ClientRequest request)
             return StatusCode(501, new GenericServerError { Message = "[NET-V4] EnableDelayedAuthenticationMode not supported" });
         if (request.Config.SetBufferSize.HasValue)
             return StatusCode(501, new GenericServerError { Message = "[NET-V4] SetBufferSize not supported" });
-        if (request.Config.KeyMaterial.RsaKey != null)
-            return StatusCode(501, new GenericServerError { Message = "[NET-V4] RsaKey not supported" });
         if (request.Config.KeyMaterial.AesKey != null)
             return StatusCode(501, new GenericServerError { Message = "[NET-V4] AesKey not supported" });
 
         try
         {
-            var kmsKeyId = request.Config.KeyMaterial.KmsKeyId;
+            EncryptionMaterialsV4 encryptionMaterial;
+            if (request.Config.KeyMaterial.KmsKeyId != null)
+            {
+                // The POST request does not contain encryption context.
+                // However, encryption context is a required field when using KMS.
+                // So, we are passing empty dictionary.
+                var encryptionContext = new Dictionary<string, string>();
+                var kmsKeyId = request.Config.KeyMaterial.KmsKeyId;
+                encryptionMaterial = new EncryptionMaterialsV4(kmsKeyId, KmsType.KmsContext, encryptionContext);
+                logger.LogInformation(
+                    "[NET-V4] Created EncryptionMaterialsV4: KMS={KmsKeyId}",
+                    kmsKeyId);
+            }
+            else if (request.Config.KeyMaterial.RsaKey != null)
+            {
+                var rsaKeyBytes = request.Config.KeyMaterial.RsaKey;
+                var rsaKey = RSA.Create();
+                rsaKey.ImportPkcs8PrivateKey(new ReadOnlySpan<byte>(rsaKeyBytes), out _);
+                encryptionMaterial = new EncryptionMaterialsV4(rsaKey, AsymmetricAlgorithmType.RsaOaepSha1);
+                logger.LogInformation(
+                    "[NET-V4] Created EncryptionMaterialsV4: RSA");
+            } else
+            {
+                return StatusCode(501, new GenericServerError { Message = "[NET-V4] Unknown or missing key material!" });
+            }
             var enableLegacyUnauthenticatedModes = request.Config.EnableLegacyUnauthenticatedModes ?? false;
             var enableLegacyWrappingAlgorithms = request.Config.EnableLegacyWrappingAlgorithms ?? false;
             var commitmentPolicy = MapCommitmentPolicy(request.Config.CommitmentPolicy);
@@ -36,15 +59,6 @@ public IActionResult CreateClient([FromBody] ClientRequest request)
 
             logger.LogInformation("[NET-V4] isSecurityProfileProvided: {isSecurityProfileProvided}, isCommitmentPolicyProvided: {isCommitmentPolicyProvided}, useDefaultConf: {useDefaultConf}", isSecurityProfileProvided, isCommitmentPolicyProvided, useDefaultConf);
 
-            // The POST request does not contain encryption context. 
-            // However, encryption context is a required field when using KMS.
-            // So, we are passing empty dictionary.
-            var encryptionContext = new Dictionary<string, string>();
-            var encryptionMaterial = new EncryptionMaterialsV4(kmsKeyId, KmsType.KmsContext, encryptionContext);
-            logger.LogInformation(
-                "[NET-V4] Created EncryptionMaterialsV4: KMS={KmsKeyId}",
-                kmsKeyId);
-
             // SecurityProfile V4AndLegacy can decrypt from legacy S3EC but V4 cannot
             var enableLegacyMode = enableLegacyUnauthenticatedModes || enableLegacyWrappingAlgorithms;
             var securityProfile = enableLegacyMode ? SecurityProfile.V4AndLegacy : SecurityProfile.V4;

test-server/net-v4-server/Models/ClientRequest.cs

@@ -27,9 +27,7 @@ public class KeyMaterial
 {
     public byte[]? RsaKey { get; set; }
     public byte[]? AesKey { get; set; }
-
-    [Required]
-    public string KmsKeyId { get; set; } = string.Empty;
+    public string? KmsKeyId { get; set; }
 }
 
 [JsonConverter(typeof(JsonStringEnumConverter))]