Refactoring (#216)

* VS 2026 runner
* Improved JSON parsing
* Module exports test

Author: MichaelGrafnetter

.github/workflows/autobuild.yml

@@ -14,7 +14,7 @@ on:
 jobs:
   build:
     name: 'Build'
-    runs-on: windows-2025
+    runs-on: windows-2025-vs2026
     timeout-minutes: 10
     env:
       DOTNET_NOLOGO: true
@@ -106,7 +106,7 @@ jobs:
       shell: pwsh
       id: get-module-version
       run: |
-        $version = Import-PowerShellDataFile -Path ./Src/DSInternals.PowerShell/DSInternals.psd1 | Select-Object -ExpandProperty ModuleVersion
+        $version = (Test-ModuleManifest -Path ./Src/DSInternals.PowerShell/DSInternals.psd1 -ErrorAction SilentlyContinue).Version
         echo "version=$version" >> $env:GITHUB_OUTPUT
 
     - name: Upload PowerShell Module as Artifact

.github/workflows/release.yml

@@ -143,8 +143,8 @@ jobs:
         "DSInternals.Replication.Interop/Release_*/DSInternals.Replication.Interop.dll"
         "DSInternals.SAM/release_*/DSInternals.SAM.dll"
         "DSInternals.PowerShell/Release/DSInternals/*/DSInternals.PowerShell.dll"
-        "DSInternals.PowerShell/Release/DSInternals/DSInternals.Bootstrap.psm1"
         "DSInternals.PowerShell/Release/DSInternals/DSInternals.psd1"
+        "DSInternals.PowerShell/Release/DSInternals/Test-ModuleCompatibility.ps1"
         "DSInternals.PowerShell/Release/DSInternals/Integrity.Tests.ps1"
         "DSInternals.PowerShell/Release/DSInternals/DSInternals.types.ps1xml"
         "DSInternals.PowerShell/Release/DSInternals/Views/*.ps1xml"
@@ -217,8 +217,8 @@ jobs:
       shell: pwsh
       id: get-module-info
       run: |
-        [hashtable] $manifest = Import-PowerShellDataFile -Path ./Src/DSInternals.PowerShell/DSInternals.psd1
-        [string] $version = $manifest.ModuleVersion
+        [System.Management.Automation.PSModuleInfo] $manifest = Test-ModuleManifest -Path ./Src/DSInternals.PowerShell/DSInternals.psd1 -ErrorAction SilentlyContinue
+        [string] $version = $manifest.Version
         [string] $releaseNotes = $manifest.PrivateData.PSData.ReleaseNotes
 
         echo "version=$version" >> $env:GITHUB_OUTPUT

.github/copilot-instructions.md AGENTS.md.github/copilot-instructions.md renamed to AGENTS.md

@@ -3,21 +3,22 @@
 ## Project Overview
 
 DSInternals is a .NET-based project consisting of:
+
 - **DSInternals Framework**: A .NET library exposing internal Active Directory features
 - **DSInternals PowerShell Module**: PowerShell cmdlets built on top of the Framework
 
 The project primarily focuses on Active Directory security auditing, offline database manipulation, and password management.
 
-Read the [README.md](README.md), [CHANGELOG.md](../Documentation/CHANGELOG.md), and [CONTRIBUTING.md](CONTRIBUTING.md) files
-and the [PowerShell module documentation](../Documentation/PowerShell/Readme.md) for further context.
+Read the [README.md](.github/README.md), [CHANGELOG.md](Documentation/CHANGELOG.md), and [CONTRIBUTING.md](.github/CONTRIBUTING.md) files
+and the [PowerShell module documentation](Documentation/PowerShell/Readme.md) for further context.
 
 ## Technology Stack
 
 - **Languages**: C#, C++/CLI, PowerShell
 - **Frameworks**: .NET Framework 4.8, .NET 10.0 (Windows-only)
 - **Build System**: MSBuild with Central Package Management
 - **Testing**: MSTest with Microsoft.Testing.Platform runner
-- **IDE**: Visual Studio 2026+ with the [DSInternals.slnx](../Src/DSInternals.slnx) solution
+- **IDE**: Visual Studio 2026+ with the [DSInternals.slnx](Src/DSInternals.slnx) solution
 
 ## Build Instructions
 
@@ -80,5 +81,3 @@ powershell -File ./Invoke-SmokeTests.ps1 -Configuration 'Debug'
 # Run smoke tests in PowerShell Core
 pwsh -File ./Invoke-SmokeTests.ps1 -Configuration 'Debug'
 ```
-
-

Documentation/CHANGELOG.md

@@ -5,6 +5,29 @@
 
 All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [Unreleased]
+
+### Added
+
+- Instructions and prompts for GitHub Copilot.
+
+### Changed
+
+- A new code signing certificate has been obtained from [DigiCert](https://www.digicert.com/).
+- Merged the `*.psm1` script bootstrapper of the binary PowerShell module into the `*.psd1` module manifest.
+- Improved the structure of the `DSInternals.Replication` NuGet package,
+  which now includes assemblies for all processor architectures and the Visual C++ runtime.
+
+### Fixed
+
+- Improved generation of NGC keys stored in the `msDS-KeyCredentialLink` AD attribute
+  to pass new validation constraints introduced in January 2026 Windows updates.
+
+### Removed
+
+- PowerShell cmdlets and all code related to the [decommissioned Azure AD Graph API](https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview)
+  have been removed.
+
 ## [6.2] - 2025-12-05
 
 > [!WARNING]
@@ -296,14 +319,14 @@ This is a PowerShell-only release.
 
 ### Added
 
-- The new [Set-AzureADUserEx](PowerShell/Set-AzureADUserEx.md#set-azureaduserex) cmdlet can be used to revoke FIDO2 and NGC keys in Azure Active Directory.
+- The new `Set-AzureADUserEx` cmdlet can be used to revoke FIDO2 and NGC keys in Azure Active Directory.
 
 ## [4.3] - 2020-04-02
 
 ### Added
 
 - New logo and package icons!
-- The new [Get-AzureADUserEx](PowerShell/Get-AzureADUserEx.md#get-azureaduserex) cmdlet can be used to retrieve FIDO and NGC keys from Azure Active Directory, as the first tool on the market.
+- The new `Get-AzureADUserEx` cmdlet can be used to retrieve FIDO and NGC keys from Azure Active Directory, as the first tool on the market.
 - Both [lastLogon](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ada1/93258066-276d-4357-8458-981c19caad95) and [lastLogonTimestamp](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ada1/530d7194-20f6-4aaa-8d80-9ca6b6350ad6) user account attributes are now exposed. The LastLogonDate PowerShell property returns whichever of these 2 values is available.
 - The `-Server` parameter of the [Get-ADSIAccount](PowerShell/Get-ADSIAccount.md#get-adsiaccount) cmdlet now has the standard `-ComputerName` alias.
 

Documentation/PowerShell/Add-ADReplNgcKey.md

@@ -15,31 +15,31 @@ Composes and updates the msDS-KeyCredentialLink value on an object through the M
 ### ByName
 ```
 Add-ADReplNgcKey -PublicKey <Byte[]> [-SamAccountName] <String> [[-Domain] <String>] -Server <String>
- [-Credential <PSCredential>] [-Protocol <RpcProtocol>] [<CommonParameters>]
+ [-Credential <PSCredential>] [<CommonParameters>]
 ```
 
 ### ByUPN
 ```
 Add-ADReplNgcKey -PublicKey <Byte[]> -UserPrincipalName <String> -Server <String> [-Credential <PSCredential>]
- [-Protocol <RpcProtocol>] [<CommonParameters>]
+ [<CommonParameters>]
 ```
 
 ### BySID
 ```
 Add-ADReplNgcKey -PublicKey <Byte[]> -ObjectSid <SecurityIdentifier> -Server <String>
- [-Credential <PSCredential>] [-Protocol <RpcProtocol>] [<CommonParameters>]
+ [-Credential <PSCredential>] [<CommonParameters>]
 ```
 
 ### ByDN
 ```
 Add-ADReplNgcKey -PublicKey <Byte[]> [-DistinguishedName] <String> -Server <String>
- [-Credential <PSCredential>] [-Protocol <RpcProtocol>] [<CommonParameters>]
+ [-Credential <PSCredential>] [<CommonParameters>]
 ```
 
 ### ByGuid
 ```
 Add-ADReplNgcKey -PublicKey <Byte[]> -ObjectGuid <Guid> -Server <String> [-Credential <PSCredential>]
- [-Protocol <RpcProtocol>] [<CommonParameters>]
+ [<CommonParameters>]
 ```
 
 ## DESCRIPTION

Documentation/PowerShell/Get-ADReplAccount.md

@@ -15,42 +15,38 @@ Reads one or more accounts through the MS-DRSR protocol, including secret attrib
 ### All
 ```
 Get-ADReplAccount [-All] [-NamingContext <String>] [-Properties <AccountPropertySets>]
- [-ExportFormat <AccountExportFormat>] -Server <String> [-Credential <PSCredential>] [-Protocol <RpcProtocol>]
- [<CommonParameters>]
+ [-ExportFormat <AccountExportFormat>] -Server <String> [-Credential <PSCredential>] [<CommonParameters>]
 ```
 
 ### ByName
 ```
 Get-ADReplAccount [-Properties <AccountPropertySets>] [-ExportFormat <AccountExportFormat>]
  [-SamAccountName] <String> [[-Domain] <String>] -Server <String> [-Credential <PSCredential>]
- [-Protocol <RpcProtocol>] [<CommonParameters>]
+ [<CommonParameters>]
 ```
 
 ### ByUPN
 ```
 Get-ADReplAccount [-Properties <AccountPropertySets>] [-ExportFormat <AccountExportFormat>]
- -UserPrincipalName <String> -Server <String> [-Credential <PSCredential>] [-Protocol <RpcProtocol>]
- [<CommonParameters>]
+ -UserPrincipalName <String> -Server <String> [-Credential <PSCredential>] [<CommonParameters>]
 ```
 
 ### BySID
 ```
 Get-ADReplAccount [-Properties <AccountPropertySets>] [-ExportFormat <AccountExportFormat>]
- -ObjectSid <SecurityIdentifier> -Server <String> [-Credential <PSCredential>] [-Protocol <RpcProtocol>]
- [<CommonParameters>]
+ -ObjectSid <SecurityIdentifier> -Server <String> [-Credential <PSCredential>] [<CommonParameters>]
 ```
 
 ### ByDN
 ```
 Get-ADReplAccount [-Properties <AccountPropertySets>] [-ExportFormat <AccountExportFormat>]
- [-DistinguishedName] <String> -Server <String> [-Credential <PSCredential>] [-Protocol <RpcProtocol>]
- [<CommonParameters>]
+ [-DistinguishedName] <String> -Server <String> [-Credential <PSCredential>] [<CommonParameters>]
 ```
 
 ### ByGuid
 ```
 Get-ADReplAccount [-Properties <AccountPropertySets>] [-ExportFormat <AccountExportFormat>] -ObjectGuid <Guid>
- -Server <String> [-Credential <PSCredential>] [-Protocol <RpcProtocol>] [<CommonParameters>]
+ -Server <String> [-Credential <PSCredential>] [<CommonParameters>]
 ```
 
 ## DESCRIPTION

Documentation/PowerShell/Get-ADReplBackupKey.md

@@ -13,8 +13,7 @@ Reads the DPAPI backup keys from a domain controller through the MS-DRSR protoco
 ## SYNTAX
 
 ```
-Get-ADReplBackupKey [-Domain <String>] -Server <String> [-Credential <PSCredential>] [-Protocol <RpcProtocol>]
- [<CommonParameters>]
+Get-ADReplBackupKey [-Domain <String>] -Server <String> [-Credential <PSCredential>] [<CommonParameters>]
 ```
 
 ## DESCRIPTION

Documentation/PowerShell/Get-ADReplKdsRootKey.md

@@ -13,8 +13,7 @@ Fetches the specified KDS Root Key through the MS-DRSR protocol.
 ## SYNTAX
 
 ```
-Get-ADReplKdsRootKey [-RootKeyId] <Guid> -Server <String> [-Credential <PSCredential>]
- [-Protocol <RpcProtocol>] [<CommonParameters>]
+Get-ADReplKdsRootKey [-RootKeyId] <Guid> -Server <String> [-Credential <PSCredential>] [<CommonParameters>]
 ```
 
 ## DESCRIPTION

Src/DSInternals.Common.Test/KeyCredentialTester.cs

@@ -14,59 +14,10 @@ private static KeyCredential CreateSampleKey()
     {
         byte[] publicKey = "525341310008000003000000000100000000000000000000010001C1A78914457758B0B13C70C710C7F8548F3F9ED56AD4640B6E6A112655C98ECAC1CBD68A298F5686C08439428A97FE6FDF58D78EA481905182BAD684C2D9C5CDE1CDE34AA19742E8BBF58B953EAC4C562FCF598CC176B02DBE9FFFEF5937A65815C236F92892F7E511A1FEDD5483CB33F1EA715D68106180DED2432A293367114A6E325E62F93F73D7ECE4B6A2BCDB829D95C8645C3073B94BA7CB7515CD29042F0967201C6E24A77821E92A6C756DF79841ACBAAE11D90CA03B9FCD24EF9E304B5D35248A7BD70557399960277058AE3E99C7C7E2284858B7BF8B08CDD286964186A50A7FCBCC6A24F00FEE5B9698BBD3B1AEAD0CE81FEA461C0ABD716843A5".HexToBinary();
         Guid deviceId = Guid.Parse("47f577e3-d2d0-4a0a-8aca-e0501098bde4");
-        DateTime creationTime = new DateTime(2020, 1, 1, 0, 0, 0, DateTimeKind.Utc);
+        DateTime creationTime = new(2020, 1, 1, 0, 0, 0, DateTimeKind.Utc);
         return new KeyCredential(publicKey, deviceId, DummyDN, creationTime);
     }
 
-    [TestMethod]
-    public void KeyCredential_RoundTrip_DoubleQuoted()
-    {
-        KeyCredential key = CreateSampleKey();
-        string json = key.ToJson();
-        KeyCredential result = KeyCredential.ParseJson(json);
-        Assert.IsNotNull(result);
-        Assert.AreEqual(key.Identifier, result.Identifier);
-        Assert.AreEqual(key.DeviceId, result.DeviceId);
-        Assert.AreEqual(key.CreationTime, result.CreationTime);
-    }
-
-    [TestMethod]
-    public void KeyCredential_Deserialize_SingleQuoted_Input()
-    {
-        KeyCredential key = CreateSampleKey();
-        string json = key.ToJson().Replace('"', '\'');
-        KeyCredential result = KeyCredential.ParseJson(json);
-        Assert.IsNotNull(result);
-        Assert.AreEqual(key.DeviceId, result.DeviceId);
-    }
-
-    [TestMethod]
-    public void KeyCredential_Deserialize_TrailingComma_And_Comments()
-    {
-        KeyCredential key = CreateSampleKey();
-        string json = key.ToJson();
-        string jsonWithComment = json.Insert(1, "\n  // comment\n");
-        jsonWithComment = jsonWithComment.Substring(0, jsonWithComment.Length - 1) + ",\n}";
-        KeyCredential result = KeyCredential.ParseJson(jsonWithComment);
-        Assert.IsNotNull(result);
-        Assert.AreEqual(key.DeviceId, result.DeviceId);
-    }
-
-    [TestMethod]
-    public void Parse_SingleQuoted_WithEscapedApostrophe_Works()
-    {
-        var jsonSingleQuoted = "{ 'OwnerDN':'CN=O\\'Connor,DC=contoso,DC=com', 'IsComputerKey': false }";
-        var obj = KeyCredential.ParseJson(jsonSingleQuoted);
-        Assert.IsNotNull(obj);
-    }
-
-    [TestMethod]
-    public void Parse_BadJson_StillThrows()
-    {
-        var bad = "{ \"OwnerDN\": \"CN=User,DC=contoso,DC=com\" ";
-        Assert.ThrowsExactly<JsonException>(() => _ = KeyCredential.ParseJson(bad));
-    }
-
     [TestMethod]
     public void KeyCredential_Parse_NonMFAKey()
     {
@@ -500,7 +451,7 @@ public void KeyCredential_Parse_DeviceKey_TPM()
         Assert.AreEqual(KeyFlags.None, key.CustomKeyInfo.Flags);
         Assert.AreEqual("OoYGWyO8xBkLx3x2d0QltMav9+41lY0sGxKIMPF9if0=", key.Identifier);
         Assert.AreEqual(key.LastLogonTime, key.CreationTime);
-        Assert.AreEqual("2019-08-02T18:11:37.5665512Z", key.CreationTime.ToUniversalTime().ToString("o"));
+        Assert.AreEqual("2019-08-02T18:11:37.5665512Z", key.CreationTime.Value.ToUniversalTime().ToString("o"));
         Assert.AreEqual(0x304, key.RawKeyMaterial.Length);
 
         // Serialize
@@ -542,7 +493,7 @@ public void KeyCredential_Parse_Impacket()
         Assert.AreEqual(KeySource.AD, key.Source);
 
         // Bug in Impacket causes a time skew of 1600 years:
-        Assert.AreEqual(3625, key.CreationTime.Year);
+        Assert.AreEqual(3625, key.CreationTime.Value.Year);
 
         // Serialize
         byte[] serialized = key.ToByteArray();
@@ -604,7 +555,7 @@ public void KeyCredential_Generate_CompouterKey_FromPublicKey()
         Assert.AreEqual(KeyCredentialVersion.Version2, key.Version);
         Assert.AreEqual(KeyUsage.NGC, key.Usage);
         Assert.AreEqual(KeySource.AD, key.Source);
-        Assert.IsNull(key.CustomKeyInfo);
+        Assert.AreEqual(KeyFlags.MFANotUsed, key.CustomKeyInfo.Flags);
         Assert.IsNull(key.LastLogonTime);
     }
 
@@ -625,7 +576,7 @@ public void KeyCredential_Generate_CompouterKey_FromCertificate()
         Assert.AreEqual(KeyCredentialVersion.Version2, key.Version);
         Assert.AreEqual(KeyUsage.NGC, key.Usage);
         Assert.AreEqual(KeySource.AD, key.Source);
-        Assert.IsNull(key.CustomKeyInfo);
+        Assert.AreEqual(KeyFlags.MFANotUsed, key.CustomKeyInfo.Flags);
         Assert.IsNull(key.LastLogonTime);
     }
 }

Src/DSInternals.Common.Test/KeyMaterialFidoTester.cs

@@ -0,0 +1,59 @@
+using DSInternals.Common.Data;
+
+namespace DSInternals.Common.Test;
+
+/// <summary>
+/// Contains tests for parsing the key material corresponding to KEY_USAGE_FIDO.
+/// </summary>
+[TestClass]
+public class KeyMaterialFidoTester
+{
+    [TestMethod]
+    public void FidoKeyMaterial_Parse_FIDO_Input1()
+    {
+        string encodedKeyMaterial = "eyJ2ZXJzaW9uIjoxLCJhdXRoRGF0YSI6Ik5XeWUxS0NUSWJscFh4NnZrWUlEOGJWZmFKMm1IN3lXR0V3VmZkcG9ESUhGQUFBQUdjdHBTQjZQOTBBNWsrd0tKeW1oVktnQUVCckljaURTekdqanNLcmRTelZJdElHbEFRSURKaUFCSVZnZ29uTkNlY2EwZE5LTzlaWXBGdjlvMCtlZ0VGQ1ZTeXJ0UmN1NndrMStoT2dpV0NDNWE3MFI0ZlNFZ0ZpNWxnQTRBVVBmN1Y0Q2p5VWcvb1VWTFEzem5kZnc1YUZyYUcxaFl5MXpaV055WlhUMSIsIng1YyI6WyJNSUlDdlRDQ0FhV2dBd0lCQWdJRUdLeEd3REFOQmdrcWhraUc5dzBCQVFzRkFEQXVNU3d3S2dZRFZRUURFeU5aZFdKcFkyOGdWVEpHSUZKdmIzUWdRMEVnVTJWeWFXRnNJRFExTnpJd01EWXpNVEFnRncweE5EQTRNREV3TURBd01EQmFHQTh5TURVd01Ea3dOREF3TURBd01Gb3diakVMTUFrR0ExVUVCaE1DVTBVeEVqQVFCZ05WQkFvTUNWbDFZbWxqYnlCQlFqRWlNQ0FHQTFVRUN3d1pRWFYwYUdWdWRHbGpZWFJ2Y2lCQmRIUmxjM1JoZEdsdmJqRW5NQ1VHQTFVRUF3d2VXWFZpYVdOdklGVXlSaUJGUlNCVFpYSnBZV3dnTkRFek9UUXpORGc0TUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFZWVvN0xIeEpjQkJpSXd6U1ArdGc1U2t4Y2RTRDhRQytoWjFyRDRPWEF3RzFSczNVYnMvSzQrUHpENEhwN1dLOUpvMU1IcjAzczd5K2txakNydXRPT3FOc01Hb3dJZ1lKS3dZQkJBR0N4QW9DQkJVeExqTXVOaTR4TGpRdU1TNDBNVFE0TWk0eExqY3dFd1lMS3dZQkJBR0M1UndDQVFFRUJBTUNCU0F3SVFZTEt3WUJCQUdDNVJ3QkFRUUVFZ1FReTJsSUhvLzNRRG1UN0FvbkthRlVxREFNQmdOVkhSTUJBZjhFQWpBQU1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ1huUU9YMkdENEx1RmRNUng1YnJyN0l2cW40SVRadXJUR0c3dFg4K2Ewd1lwSU43aGNQRTdiNUlORDlOYWwyYkhPMm9yaC90U1JLU0Z6Qlk1ZTRjdmRhOXJBZFZmR29PalRhQ1c2Rlo1L3RhMk0ydmdFaG96NURvOGZpdW9Yd0JhMVhDcDYxSmZJbFB0eDExUFhtNXBJUzJ3M2JYSTdtWTB1SFVNR3Z4QXp0YTc0ektYTHNsYUxhU1FpYlNLaldLdDloK1NzWHk0SkdxY1ZlZk9sYVFsSmZYTDFUZ2E2d2NPMFFUdTZYcStVdzdaUE5QbnJwQnJMYXVLRGQyMDJSbE40U1A3b2hMM2Q5Ykc2VjVoVXovM091c05FQlpVbjVXM1ZtUGoxWm5GYXZrTUIzUmtSTU9hNThNWkFPUkpUNGltQVB6cnZKMHZ0djk0L3k3MUM2dFo1Il0sImRpc3BsYXlOYW1lIjoiWXViaUtleSA1In0=";
+        byte[] keyMaterialBytes = Convert.FromBase64String(encodedKeyMaterial);
+
+        // Parse the FIDO key
+        var keyMaterial = KeyMaterialFido.ParseJson(keyMaterialBytes);
+
+        // Check all fields
+        Assert.IsNotNull(keyMaterial);
+        Assert.AreEqual(1, keyMaterial.Version);
+        Assert.AreEqual(1, keyMaterial.AttestationCertificatesRaw?.Length);
+        Assert.AreEqual("YubiKey 5", keyMaterial.DisplayName);
+        Assert.AreEqual("e7d092ba192fdbbb2f36552832d616126971a269", keyMaterial.AttestationCertificates[0].Thumbprint.ToLowerInvariant());
+        Assert.AreEqual("cb69481e-8ff7-4039-93ec-0a2729a154a8", keyMaterial.AuthenticatorData?.AttestedCredentialData.AaGuid.ToString());
+    }
+
+    [TestMethod]
+    public void FidoKeyMaterial_Parse_FIDO_Input2()
+    {
+        string encodedKeyMaterial = "eyJ2ZXJzaW9uIjoxLCJhdXRoRGF0YSI6Ik5XeWUxS0NUSWJscFh4NnZrWUlEOGJWZmFKMm1IN3lXR0V3VmZkcG9ESUhGQUFBRmRoTGUxMFZMN1VmVXE2cm5FL1VkWTVNQUlKVW96bENOMTFMWmFFOFF0SFhWU2JUeXltVEVNaWxpcTA0RjFtblJwaC9YcFFFQ0F5WWdBU0ZZSVAzWms5Vm5URUpONlQ4VWgxMHRPcUpmdDRicW1leVJUUzhvNkJQK2prYkNJbGdnYjFnR0dNMnM3T2dDMTNQdkZBVTJ1UDZJcVVGWWdiaGxQc3diUzRDK1FoV2hhMmh0WVdNdGMyVmpjbVYwOVE9PSIsIng1YyI6WyJNSUlDUXpDQ0FlbWdBd0lCQWdJUUhmSzFXbEhjUzJpRm85bWVhWC90RmpBS0JnZ3Foa2pPUFFRREFqQkpNUXN3Q1FZRFZRUUdFd0pWVXpFZE1Cc0dBMVVFQ2d3VVJtVnBkR2xoYmlCVVpXTm9ibTlzYjJkcFpYTXhHekFaQmdOVkJBTU1Fa1psYVhScFlXNGdSa2xFVHlCRFFTQXdNekFnRncweE9ERXlNalV3TURBd01EQmFHQTh5TURNek1USXlOREl6TlRrMU9Wb3djREVMTUFrR0ExVUVCaE1DVlZNeEhUQWJCZ05WQkFvTUZFWmxhWFJwWVc0Z1ZHVmphRzV2Ykc5bmFXVnpNU0l3SUFZRFZRUUxEQmxCZFhSb1pXNTBhV05oZEc5eUlFRjBkR1Z6ZEdGMGFXOXVNUjR3SEFZRFZRUUREQlZHVkNCQ2FXOVFZWE56SUVaSlJFOHlJREEwTnpBd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFTNjJoSWJ5ZW5IOVdQbnpZSGVoYUJSM0M3cXN3b21aa2FQekd5VWxGUmlKSU1vM3VJVGVJbUZPRmZOY0R1T3pvcTF3Y1hYR1RtRXRFdHhGMndvOW5va280R0pNSUdHTUIwR0ExVWREZ1FXQkJTQkkxWG9MRFkxL0hKYWJhK1czMm54aHhwM1dqQWZCZ05WSFNNRUdEQVdnQlJCdC94TmRjcU8wcDhzMHhlYnpZTlJpbm5ZcVRBTUJnTlZIUk1CQWY4RUFqQUFNQk1HQ3lzR0FRUUJndVVjQWdFQkJBUURBZ1J3TUNFR0N5c0dBUVFCZ3VVY0FRRUVCQklFRUJMZTEwVkw3VWZVcTZybkUvVWRZNU13Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUloQUk2R1NWaTEwcjY3M3VxdHNvKzJvQjZmNVM1Z0UwZmY0NHQzTmNRK1ROOU5BaUFDL1NDUCtlS3cxQm5tY1NnYnhjUXBZdVdqQlBNVkRmcWVnOHBibU9kSEt3PT0iLCJvQWpxMkNlTkEyL2d5NW14YzV0Vll4NVJ4RWFMektEMWxhMDdhZ3RmR28wPSJdLCJkaXNwbGF5TmFtZSI6IkZlaXRpYW4gQWxsLUluLVBhc3MifQ==";
+        byte[] keyMaterialBytes = Convert.FromBase64String(encodedKeyMaterial);
+
+        // Parse the FIDO key and check all fields
+        var keyMaterial = KeyMaterialFido.ParseJson(keyMaterialBytes);
+        Assert.AreEqual("Feitian All-In-Pass", keyMaterial.DisplayName);
+        Assert.AreEqual("9e3808651ecfa53162772e9d2bc62bfe568350a9", keyMaterial.AttestationCertificates[0].Thumbprint.ToLowerInvariant());
+        Assert.AreEqual("12ded745-4bed-47d4-abaa-e713f51d6393", keyMaterial.AuthenticatorData.AttestedCredentialData.AaGuid.ToString());
+    }
+
+    [TestMethod]
+    public void FidoKeyMaterial_Parse_Null()
+    {
+        Assert.IsNull(KeyMaterialFido.ParseJson((string)null));
+    }
+
+    [TestMethod]
+    public void FidoKeyMaterial_Parse_Empty_String()
+    {
+        Assert.IsNull(KeyMaterialFido.ParseJson(String.Empty));
+    }
+
+    [TestMethod]
+    public void FidoKeyMaterial_Parse_Empty_Array()
+    {
+        Assert.IsNull(KeyMaterialFido.ParseJson([]));
+    }
+}