Implemented "SeparatePrivateKey" flag functionality; added unit tests

Author: joevanwanzeeleKF

AwsSecretsManager.Tests/CertUtilitiesConvertPfxToPemTests.cs

@@ -0,0 +1,83 @@
+// Copyright 2026 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+using System;
+using System.Security.Cryptography.X509Certificates;
+using FluentAssertions;
+using Xunit;
+
+namespace Keyfactor.Extensions.Orchestrators.AwsSecretsManager.Tests
+{
+    /// <summary>
+    /// Tests for the legacy CertUtilities.ConvertPfxToPem (the concatenated-PEM format used by
+    /// AWSSMPEM without SeparatePrivateKey). The RSA/EC cases specifically guard against the
+    /// Windows CNG export failure ("The requested operation is not supported") that occurs when
+    /// exporting a private key imported from a PFX via the .NET key APIs.
+    /// </summary>
+    public class CertUtilitiesConvertPfxToPemTests
+    {
+        [Fact]
+        public void ConvertPfxToPem_Rsa_ReturnsLeafAndPkcs8Key()
+        {
+            // Regression guard: before routing the key export through BouncyCastle, this threw
+            // a CryptographicException on Windows for any PFX whose key originated from CNG.
+            var pfx = TestCertFactory.CreateSelfSignedRsaPfxBase64();
+
+            var pem = CertUtilities.ConvertPfxToPem(pfx, TestCertFactory.Password);
+
+            pem.Should().Contain("-----BEGIN CERTIFICATE-----").And.Contain("-----END CERTIFICATE-----");
+            pem.Should().Contain("-----BEGIN PRIVATE KEY-----").And.Contain("-----END PRIVATE KEY-----");
+            pem.Should().NotContain("BEGIN RSA PRIVATE KEY", "the key must be PKCS#8");
+        }
+
+        [Fact]
+        public void ConvertPfxToPem_Ec_ReturnsPkcs8Key()
+        {
+            var pfx = TestCertFactory.CreateSelfSignedEcPfxBase64();
+
+            var pem = CertUtilities.ConvertPfxToPem(pfx, TestCertFactory.Password);
+
+            pem.Should().Contain("-----BEGIN PRIVATE KEY-----");
+            pem.Should().NotContain("BEGIN EC PRIVATE KEY");
+        }
+
+        [Fact]
+        public void ConvertPfxToPem_KeyMatchesCertificate()
+        {
+            var pfx = TestCertFactory.CreateSelfSignedRsaPfxBase64("CN=pem-match");
+
+            var pem = CertUtilities.ConvertPfxToPem(pfx, TestCertFactory.Password);
+
+            // CreateFromPem throws if the key does not correspond to the certificate.
+            using var rebuilt = X509Certificate2.CreateFromPem(pem, pem);
+            rebuilt.HasPrivateKey.Should().BeTrue();
+            rebuilt.Subject.Should().Contain("pem-match");
+        }
+
+        [Fact]
+        public void ConvertPfxToPem_ChainPfx_ReturnsLeafOnly()
+        {
+            // The legacy format is leaf + key only (no chain). This locks that contract and
+            // distinguishes it from ConvertPfxToCertAndKeyPem, which includes the full chain.
+            var pfx = TestCertFactory.CreateChainPfxBase64(out var leafSubject, out _);
+
+            var pem = CertUtilities.ConvertPfxToPem(pfx, TestCertFactory.Password);
+
+            var certs = new X509Certificate2Collection();
+            certs.ImportFromPem(pem);
+
+            certs.Count.Should().Be(1, "the legacy PEM format includes only the leaf certificate");
+            certs[0].Subject.Should().Be(leafSubject);
+        }
+
+        [Fact]
+        public void ConvertPfxToPem_InvalidBase64_Throws()
+        {
+            Action act = () => CertUtilities.ConvertPfxToPem("not-base64!!!", TestCertFactory.Password);
+
+            act.Should().Throw<ArgumentException>();
+        }
+    }
+}

AwsSecretsManager.Tests/CertUtilitiesSeparateKeyTests.cs

@@ -0,0 +1,88 @@
+// Copyright 2026 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+using System;
+using System.Security.Cryptography.X509Certificates;
+using FluentAssertions;
+using Xunit;
+
+namespace Keyfactor.Extensions.Orchestrators.AwsSecretsManager.Tests
+{
+    /// <summary>
+    /// Tests for CertUtilities.ConvertPfxToCertAndKeyPem, which backs the SeparatePrivateKey
+    /// JSON format. Verifies PEM shape, PKCS#8 key header, key/cert correspondence, and the
+    /// critical leaf-first chain ordering.
+    /// </summary>
+    public class CertUtilitiesSeparateKeyTests
+    {
+        [Fact]
+        public void ConvertPfxToCertAndKeyPem_Rsa_ReturnsPemCertAndPkcs8Key()
+        {
+            var pfx = TestCertFactory.CreateSelfSignedRsaPfxBase64();
+
+            var (certPem, keyPem) = CertUtilities.ConvertPfxToCertAndKeyPem(pfx, TestCertFactory.Password);
+
+            certPem.Should().Contain("-----BEGIN CERTIFICATE-----").And.Contain("-----END CERTIFICATE-----");
+            keyPem.Should().Contain("-----BEGIN PRIVATE KEY-----").And.Contain("-----END PRIVATE KEY-----");
+            keyPem.Should().NotContain("BEGIN RSA PRIVATE KEY", "the key must be PKCS#8, matching the legacy PEM format");
+            keyPem.Should().NotContain("ENCRYPTED", "the key is stored unencrypted (relies on KMS at rest)");
+        }
+
+        [Fact]
+        public void ConvertPfxToCertAndKeyPem_Ec_ReturnsPkcs8Key()
+        {
+            var pfx = TestCertFactory.CreateSelfSignedEcPfxBase64();
+
+            var (_, keyPem) = CertUtilities.ConvertPfxToCertAndKeyPem(pfx, TestCertFactory.Password);
+
+            keyPem.Should().Contain("-----BEGIN PRIVATE KEY-----");
+            keyPem.Should().NotContain("BEGIN EC PRIVATE KEY", "EC keys also use the PKCS#8 header convention");
+        }
+
+        [Fact]
+        public void ConvertPfxToCertAndKeyPem_KeyMatchesCertificate()
+        {
+            var pfx = TestCertFactory.CreateSelfSignedRsaPfxBase64("CN=match-test");
+
+            var (certPem, keyPem) = CertUtilities.ConvertPfxToCertAndKeyPem(pfx, TestCertFactory.Password);
+
+            // CreateFromPem throws if the private key does not correspond to the certificate.
+            using var rebuilt = X509Certificate2.CreateFromPem(certPem, keyPem);
+            rebuilt.HasPrivateKey.Should().BeTrue();
+            rebuilt.Subject.Should().Contain("match-test");
+        }
+
+        [Fact]
+        public void ConvertPfxToCertAndKeyPem_IncludesChain_LeafFirst()
+        {
+            var pfx = TestCertFactory.CreateChainPfxBase64(out var leafSubject, out var rootSubject);
+
+            var (certPem, _) = CertUtilities.ConvertPfxToCertAndKeyPem(pfx, TestCertFactory.Password);
+
+            var certs = new X509Certificate2Collection();
+            certs.ImportFromPem(certPem);
+
+            certs.Count.Should().Be(2, "both the leaf and its issuer should be present in the certificate field");
+            certs[0].Subject.Should().Be(leafSubject, "the leaf certificate must come first");
+            certs[1].Subject.Should().Be(rootSubject, "the issuer must follow the leaf");
+        }
+
+        [Fact]
+        public void ConvertPfxToCertAndKeyPem_InvalidBase64_Throws()
+        {
+            Action act = () => CertUtilities.ConvertPfxToCertAndKeyPem("not-base64!!!", TestCertFactory.Password);
+
+            act.Should().Throw<ArgumentException>();
+        }
+
+        [Fact]
+        public void ConvertPfxToCertAndKeyPem_NullOrEmpty_Throws()
+        {
+            Action act = () => CertUtilities.ConvertPfxToCertAndKeyPem("", TestCertFactory.Password);
+
+            act.Should().Throw<ArgumentException>();
+        }
+    }
+}

AwsSecretsManager.Tests/ClientPemJsonWriteTests.cs

@@ -0,0 +1,74 @@
+// Copyright 2026 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+using System.Reflection;
+using Amazon.SecretsManager.Model;
+using FluentAssertions;
+using Keyfactor.Extensions.Orchestrators.AwsSecretsManager.models;
+using Newtonsoft.Json;
+using Xunit;
+
+namespace Keyfactor.Extensions.Orchestrators.AwsSecretsManager.Tests
+{
+    /// <summary>
+    /// Exercises the client's PEM-JSON write generators (used when AWSSMPEM has
+    /// SeparatePrivateKey enabled). The generate methods are private and AWS-free, so they
+    /// are invoked via reflection; the resulting SecretString is validated as the expected
+    /// JSON document.
+    /// </summary>
+    public class ClientPemJsonWriteTests
+    {
+        [Fact]
+        public void GenerateAddSecretPemJsonRequest_ProducesJsonSecretWithBothFields()
+        {
+            var jp = BuildJobParameters();
+
+            var req = InvokeGenerate<CreateSecretRequest>("GenerateAddSecretPemJsonRequest", jp);
+
+            req.Name.Should().Be("write-test");
+            AssertValidPemSecretJson(req.SecretString);
+        }
+
+        [Fact]
+        public void GenerateUpdateSecretPemJsonRequest_ProducesJsonSecretWithBothFields()
+        {
+            var jp = BuildJobParameters();
+
+            var req = InvokeGenerate<UpdateSecretRequest>("GenerateUpdateSecretPemJsonRequest", jp);
+
+            req.SecretId.Should().Be("write-test");
+            AssertValidPemSecretJson(req.SecretString);
+        }
+
+        // ── helpers ────────────────────────────────────────────────────────
+
+        private static AwsSecretsManagerJobParameters BuildJobParameters()
+        {
+            var jp = new AwsSecretsManagerJobParameters { StoreType = "AWSSMPEM" };
+            jp.StoreProperties.SeparatePrivateKey = true;
+            jp.CertProperties.Alias = "write-test";
+            jp.CertProperties.Contents = TestCertFactory.CreateSelfSignedRsaPfxBase64("CN=write-test");
+            jp.CertProperties.PrivateKeyPassword = TestCertFactory.Password;
+            return jp;
+        }
+
+        private static T InvokeGenerate<T>(string methodName, AwsSecretsManagerJobParameters jp)
+        {
+            var client = new AwsSecretsManagerClient();
+            var m = typeof(AwsSecretsManagerClient).GetMethod(
+                methodName, BindingFlags.NonPublic | BindingFlags.Instance);
+            m.Should().NotBeNull($"{methodName} must be reachable via reflection");
+            return (T)m!.Invoke(client, new object[] { jp })!;
+        }
+
+        private static void AssertValidPemSecretJson(string secretString)
+        {
+            var parsed = JsonConvert.DeserializeObject<PemSecret>(secretString);
+            parsed.Should().NotBeNull();
+            parsed!.Certificate.Should().Contain("-----BEGIN CERTIFICATE-----");
+            parsed.PrivateKey.Should().Contain("-----BEGIN PRIVATE KEY-----");
+        }
+    }
+}

AwsSecretsManager.Tests/InventorySeparateKeyTests.cs

@@ -0,0 +1,129 @@
+// Copyright 2026 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+using System.Collections.Generic;
+using System.Linq;
+using System.Reflection;
+using Amazon.SecretsManager.Model;
+using FluentAssertions;
+using Keyfactor.Extensions.Orchestrators.AwsSecretsManager.Jobs;
+using Keyfactor.Extensions.Orchestrators.AwsSecretsManager.models;
+using Keyfactor.Orchestrators.Extensions;
+using Keyfactor.Orchestrators.Extensions.Interfaces;
+using Moq;
+using Newtonsoft.Json;
+using Xunit;
+
+namespace Keyfactor.Extensions.Orchestrators.AwsSecretsManager.Tests
+{
+    /// <summary>
+    /// Verifies that inventory tolerates BOTH the legacy concatenated-PEM format and the
+    /// new SeparatePrivateKey JSON format, so a format mismatch never drops a secret from
+    /// the returned inventory set (which Command would otherwise interpret as a removal).
+    /// </summary>
+    public class InventorySeparateKeyTests
+    {
+        [Fact]
+        public void ConvertSecretsPem_JsonSplitFormat_IsInventoried()
+        {
+            var secret = new AWSSecret
+            {
+                Name = "json-cert",
+                ARN = "arn:aws:secretsmanager:us-east-1:123:secret:json-cert-AbCdEf",
+                SecretString = BuildSeparateKeyJsonSecret("CN=json-cert"),
+                Tags = new List<Tag>()
+            };
+
+            var items = InvokeConvertPem(secret);
+
+            items.Should().HaveCount(1);
+            items[0].Alias.Should().Be("json-cert");
+            items[0].Certificates.Should().NotBeNullOrEmpty();
+            items[0].PrivateKeyEntry.Should().BeTrue("the JSON document carries a private_key");
+        }
+
+        [Fact]
+        public void ConvertSecretsPem_MixedFormats_BothReturned()
+        {
+            var jsonSecret = new AWSSecret
+            {
+                Name = "json-cert",
+                SecretString = BuildSeparateKeyJsonSecret("CN=json-cert"),
+                Tags = new List<Tag>()
+            };
+            var pemSecret = new AWSSecret
+            {
+                Name = "pem-cert",
+                SecretString = BuildRawPemSecret("CN=pem-cert"),
+                Tags = new List<Tag>()
+            };
+
+            var items = InvokeConvertPem(jsonSecret, pemSecret);
+
+            items.Select(i => i.Alias).Should().BeEquivalentTo(new[] { "json-cert", "pem-cert" });
+        }
+
+        [Fact]
+        public void ConvertSecretsPem_JsonSplitWithTags_SerializesTagsAsJsonString()
+        {
+            var secret = new AWSSecret
+            {
+                Name = "json-cert",
+                SecretString = BuildSeparateKeyJsonSecret("CN=json-cert"),
+                Tags = new List<Tag> { new Tag { Key = "Environment", Value = "Prod" } }
+            };
+
+            var item = InvokeConvertPem(secret).Single();
+
+            item.Parameters.Should().ContainKey("CertificateTags");
+            item.Parameters["CertificateTags"].Should().BeOfType<string>(
+                "the CertificateTags regression contract still applies in the JSON format");
+
+            var tags = JsonConvert.DeserializeObject<Dictionary<string, string>>(
+                (string)item.Parameters["CertificateTags"]);
+            tags.Should().NotBeNull();
+            tags!["Environment"].Should().Be("Prod");
+        }
+
+        // ── helpers ────────────────────────────────────────────────────────
+
+        private static string BuildSeparateKeyJsonSecret(string subject)
+        {
+            var pfx = TestCertFactory.CreateSelfSignedRsaPfxBase64(subject);
+            var (certPem, keyPem) = CertUtilities.ConvertPfxToCertAndKeyPem(pfx, TestCertFactory.Password);
+            return JsonConvert.SerializeObject(new PemSecret { Certificate = certPem, PrivateKey = keyPem });
+        }
+
+        private static string BuildRawPemSecret(string subject)
+        {
+            // Build a legacy-style concatenated PEM (cert + key) without going through the
+            // .NET/CNG export path, which can fail on Windows for keys imported from a PFX.
+            var pfx = TestCertFactory.CreateSelfSignedRsaPfxBase64(subject);
+            var (certPem, keyPem) = CertUtilities.ConvertPfxToCertAndKeyPem(pfx, TestCertFactory.Password);
+            return certPem + "\n" + keyPem;
+        }
+
+        private static List<CurrentInventoryItem> InvokeConvertPem(params AWSSecret[] secrets)
+        {
+            var resolverMock = new Mock<IPAMSecretResolver>();
+            resolverMock.Setup(r => r.Resolve(It.IsAny<string>())).Returns<string>(s => s);
+
+            var inv = new TestableInventory(resolverMock.Object)
+            {
+                PublicJobParameters = new AwsSecretsManagerJobParameters { StoreType = "AWSSMPEM" }
+            };
+
+            var m = typeof(Inventory).GetMethod(
+                "ConvertSecretsPem",
+                BindingFlags.NonPublic | BindingFlags.Instance);
+            m.Should().NotBeNull("ConvertSecretsPem must be reachable via reflection");
+
+            var result = m!.Invoke(inv, new object[] { secrets.ToList() });
+
+            var tuple = (System.Runtime.CompilerServices.ITuple)result!;
+            return (List<CurrentInventoryItem>)tuple[0]!;
+        }
+    }
+}