part #2

src/__Libraries/__Tests/StellaOps.Cryptography.Kms.Tests/CloudKmsClientTests.CryptoProvider.cs

@@ -1,3 +1,5 @@
+using System;
+using System.Collections.Generic;
 using StellaOps.Cryptography;
 using StellaOps.Cryptography.Kms;
 using StellaOps.TestKit;
@@ -9,7 +11,7 @@ public sealed partial class CloudKmsClientTests
 {
     [Trait("Category", TestCategories.Unit)]
     [Fact]
-    public void KmsCryptoProvider_Skips_NonExportable_Keys()
+    public void KmsCryptoProvider_Returns_VerificationOnly_Keys_When_PublicMaterial_Available()
     {
         using var fixture = new EcdsaFixture();
         var parameters = fixture.Parameters;
@@ -28,6 +30,36 @@ public sealed partial class CloudKmsClientTests
 
         provider.UpsertSigningKey(signingKey);
 
+        var keys = provider.GetSigningKeys();
+        var key = Assert.Single(keys);
+        Assert.Equal(signingKey.Reference.KeyId, key.Reference.KeyId);
+        Assert.Null(key.PrivateParameters.D);
+        Assert.NotNull(key.PublicParameters.Q.X);
+        Assert.NotNull(key.PublicParameters.Q.Y);
+        Assert.Equal(signingKey.Metadata["kms.version"], key.Metadata["kms.version"]);
+    }
+
+    [Trait("Category", TestCategories.Unit)]
+    [Fact]
+    public void KmsCryptoProvider_Skips_Keys_Without_PublicMaterial()
+    {
+        using var fixture = new EcdsaFixture();
+        var parameters = fixture.Parameters;
+        var kmsClient = new NonExportingKmsClient(parameters, FixedNow);
+        var provider = new KmsCryptoProvider(kmsClient);
+
+        var signingKey = new CryptoSigningKey(
+            new CryptoKeyReference("kms-key-no-public", "kms"),
+            KmsAlgorithms.Es256,
+            new byte[32],
+            FixedNow,
+            metadata: new Dictionary<string, string?>(StringComparer.OrdinalIgnoreCase)
+            {
+                ["kms.version"] = "kms-key-no-public",
+            });
+
+        provider.UpsertSigningKey(signingKey);
+
         var keys = provider.GetSigningKeys();
         Assert.Empty(keys);
     }