test(dcv): add end-to-end key-algorithm issuance matrix

Extract the parameterized BouncyCastle CSR generator + 10-type spec into a
shared KeyAlgorithms helper (used by both the offline submission tests and the
new DCV theory). Add DcvLifecycleTests.EnrollWithDcvOn_IssuesPerKeyAlgorithm:
for each key type (RSA 2048/3072/4096/6144/8192, ECDSA P-256/384/521, Ed25519,
Ed448) enroll a fresh scrup.org DV order with DCV on, drive it to issuance, and
assert the issued cert's public key matches the requested algorithm. Algorithms
CERTInext won't issue (rejected/FAILED/never-GENERATED) Skip with the observed
reason rather than hard-failing. Confirms issuance via targeted GetSingleRecord
polling instead of a full-account sync. Opt-in: CERTINEXT_ALGO_MATRIX_DCV=1.

Also null-forgive two asserted-non-null derefs in EnrollWithDcvOn_OrderIssued
(surfaced now that DcvLifecycleTests compiles on every build via DcvSupport).

Author: spbsoluble

CERTInext.IntegrationTests/AlgorithmMatrixTests.cs

@@ -4,45 +4,36 @@
 
 using System;
 using System.Collections.Generic;
-using System.Linq;
 using System.Threading.Tasks;
 using FluentAssertions;
 using Keyfactor.AnyGateway.Extensions;
-using Org.BouncyCastle.Asn1;
-using Org.BouncyCastle.Asn1.Sec;
-using Org.BouncyCastle.Asn1.X509;
-using Org.BouncyCastle.Crypto;
-using Org.BouncyCastle.Crypto.Generators;
 using Org.BouncyCastle.Crypto.Parameters;
 using Org.BouncyCastle.Pkcs;
-using Org.BouncyCastle.Security;
 using Xunit;
 using Xunit.Abstractions;
 
 namespace Keyfactor.Extensions.CAPlugin.CERTInext.IntegrationTests
 {
     /// <summary>
     /// Key-algorithm coverage matrix: RSA 2048/3072/4096/6144/8192, ECDSA P-256/P-384/P-521,
-    /// Ed25519, and Ed448.
+    /// Ed25519, and Ed448 (see <see cref="KeyAlgorithms"/>).
     ///
-    /// Motivation: every other test in the suite hardcodes an RSA-2048 CSR, so only RSA-2048
+    /// Motivation: every other test in the suite hardcoded an RSA-2048 CSR, so only RSA-2048
     /// certificates were ever exercised end-to-end (and that is all that showed up in Command).
     /// The plugin takes the CSR as enrollment input and submits it verbatim, so the key
-    /// algorithm is entirely determined by the CSR. These tests parameterise CSR generation
-    /// (BouncyCastle — never BCL crypto) across the full matrix.
+    /// algorithm is entirely determined by the CSR.
     ///
-    /// Two layers, matching the agreed scope (submission / CSR-validity only — no DCV, no issuance):
+    /// This file is the offline / submission-only layer (no DCV, no issuance):
     ///   1. <see cref="Csr_RoundTripsKeyAlgorithm"/> — deterministic, no API, always runs. Proves we
     ///      emit a structurally valid, self-consistent PKCS#10 CSR for each algorithm (the public key
     ///      type/size round-trips and the request signature verifies).
     ///   2. <see cref="Enroll_AcceptsKeyAlgorithm"/> — opt-in (creates real sandbox orders). Proves
-    ///      whether CERTInext *accepts* each algorithm at order submission. A CA-side rejection
-    ///      (e.g. "algorithm not supported") is reported as an explicit Skip carrying the CA's own
-    ///      message, so the suite documents real CA support rather than failing on a CA limitation.
+    ///      whether CERTInext *accepts* each algorithm at order submission. A CA-side rejection is
+    ///      reported as an explicit Skip carrying the CA's own message.
     ///
-    /// Caveat: "accepted at submission" is weaker than "will issue". A public CA may accept the
-    /// order and only reject an exotic key (Ed25519/Ed448, very large RSA) at issuance, after DCV.
-    /// End-to-end issuance per algorithm would require the DCV build + a Cloudflare round per order.
+    /// The end-to-end "does CERTInext actually issue this algorithm" matrix (DCV on, one real
+    /// scrup.org cert per type) lives in <c>DcvLifecycleTests.EnrollWithDcvOn_IssuesPerKeyAlgorithm</c>
+    /// and only exists on the DCV build.
     /// </summary>
     public class AlgorithmMatrixTests : IClassFixture<IntegrationTestFixture>
     {
@@ -58,99 +49,7 @@ public AlgorithmMatrixTests(IntegrationTestFixture fixture, ITestOutputHelper ou
             _output = output;
         }
 
-        // ---------------------------------------------------------------------------
-        // Key-algorithm specifications
-        // ---------------------------------------------------------------------------
-
-        private enum KeyKind { Rsa, Ecdsa, Ed25519, Ed448 }
-
-        private sealed class KeySpec
-        {
-            public string Tag;                 // stable, human-readable id ("RSA-2048", "ECDSA-P256", ...)
-            public KeyKind Kind;
-            public int Strength;               // RSA modulus bits, or EC field size in bits (informational for Ed)
-            public string SignatureAlgorithm;  // BouncyCastle signature-algorithm name for the CSR
-            public DerObjectIdentifier CurveOid; // EC named-curve OID (null for non-EC)
-        }
-
-        // CA/Baseline-Requirements hash pairing: P-256→SHA256, P-384→SHA384, P-521→SHA512.
-        private static readonly KeySpec[] Specs =
-        {
-            new() { Tag = "RSA-2048",   Kind = KeyKind.Rsa, Strength = 2048, SignatureAlgorithm = "SHA256withRSA" },
-            new() { Tag = "RSA-3072",   Kind = KeyKind.Rsa, Strength = 3072, SignatureAlgorithm = "SHA256withRSA" },
-            new() { Tag = "RSA-4096",   Kind = KeyKind.Rsa, Strength = 4096, SignatureAlgorithm = "SHA256withRSA" },
-            new() { Tag = "RSA-6144",   Kind = KeyKind.Rsa, Strength = 6144, SignatureAlgorithm = "SHA256withRSA" },
-            new() { Tag = "RSA-8192",   Kind = KeyKind.Rsa, Strength = 8192, SignatureAlgorithm = "SHA256withRSA" },
-            new() { Tag = "ECDSA-P256", Kind = KeyKind.Ecdsa, Strength = 256, SignatureAlgorithm = "SHA256withECDSA", CurveOid = SecObjectIdentifiers.SecP256r1 },
-            new() { Tag = "ECDSA-P384", Kind = KeyKind.Ecdsa, Strength = 384, SignatureAlgorithm = "SHA384withECDSA", CurveOid = SecObjectIdentifiers.SecP384r1 },
-            new() { Tag = "ECDSA-P521", Kind = KeyKind.Ecdsa, Strength = 521, SignatureAlgorithm = "SHA512withECDSA", CurveOid = SecObjectIdentifiers.SecP521r1 },
-            new() { Tag = "Ed25519",    Kind = KeyKind.Ed25519, Strength = 256, SignatureAlgorithm = "Ed25519" },
-            new() { Tag = "Ed448",      Kind = KeyKind.Ed448, Strength = 448, SignatureAlgorithm = "Ed448" },
-        };
-
-        private static KeySpec SpecFor(string tag) => Specs.Single(s => s.Tag == tag);
-
-        /// <summary>xUnit member-data source — one row per key type, keyed by its stable tag.</summary>
-        public static IEnumerable<object[]> KeyTypes => Specs.Select(s => new object[] { s.Tag });
-
-        // ---------------------------------------------------------------------------
-        // CSR generation (BouncyCastle)
-        // ---------------------------------------------------------------------------
-
-        private static AsymmetricCipherKeyPair GenerateKeyPair(KeySpec spec)
-        {
-            switch (spec.Kind)
-            {
-                case KeyKind.Rsa:
-                {
-                    var gen = new RsaKeyPairGenerator();
-                    gen.Init(new KeyGenerationParameters(new SecureRandom(), spec.Strength));
-                    return gen.GenerateKeyPair();
-                }
-                case KeyKind.Ecdsa:
-                {
-                    var gen = new ECKeyPairGenerator("ECDSA");
-                    gen.Init(new ECKeyGenerationParameters(spec.CurveOid, new SecureRandom()));
-                    return gen.GenerateKeyPair();
-                }
-                case KeyKind.Ed25519:
-                {
-                    var gen = new Ed25519KeyPairGenerator();
-                    gen.Init(new Ed25519KeyGenerationParameters(new SecureRandom()));
-                    return gen.GenerateKeyPair();
-                }
-                case KeyKind.Ed448:
-                {
-                    var gen = new Ed448KeyPairGenerator();
-                    gen.Init(new Ed448KeyGenerationParameters(new SecureRandom()));
-                    return gen.GenerateKeyPair();
-                }
-                default:
-                    throw new ArgumentOutOfRangeException(nameof(spec), spec.Kind, "unhandled key kind");
-            }
-        }
-
-        private static string GenerateCsrPem(string commonName, KeySpec spec)
-        {
-            var keyPair = GenerateKeyPair(spec);
-            var subject = new X509Name($"CN={commonName}");
-            var csr = new Pkcs10CertificationRequest(spec.SignatureAlgorithm, subject, keyPair.Public, null, keyPair.Private);
-
-            return "-----BEGIN CERTIFICATE REQUEST-----\n"
-                + Convert.ToBase64String(csr.GetEncoded(), Base64FormattingOptions.InsertLineBreaks)
-                + "\n-----END CERTIFICATE REQUEST-----";
-        }
-
-        private static byte[] DerFromPem(string pem)
-        {
-            var b64 = pem
-                .Replace("-----BEGIN CERTIFICATE REQUEST-----", string.Empty)
-                .Replace("-----END CERTIFICATE REQUEST-----", string.Empty)
-                .Replace("\r", string.Empty)
-                .Replace("\n", string.Empty)
-                .Trim();
-            return Convert.FromBase64String(b64);
-        }
+        public static IEnumerable<object[]> KeyTypes => KeyAlgorithms.AsMemberData;
 
         // ---------------------------------------------------------------------------
         // Layer 1 — deterministic CSR-validity round-trip (no API, always runs)
@@ -167,11 +66,11 @@ private static byte[] DerFromPem(string pem)
         [MemberData(nameof(KeyTypes))]
         public void Csr_RoundTripsKeyAlgorithm(string tag)
         {
-            var spec = SpecFor(tag);
+            var spec = KeyAlgorithms.For(tag);
 
-            string pem = GenerateCsrPem($"algo-{tag.ToLowerInvariant().Replace("-", string.Empty)}.example.com", spec);
+            string pem = KeyAlgorithms.GenerateCsrPem($"algo-{KeyAlgorithms.Slug(tag)}.example.com", spec);
 
-            var request = new Pkcs10CertificationRequest(DerFromPem(pem));
+            var request = new Pkcs10CertificationRequest(KeyAlgorithms.DerFromPem(pem));
 
             request.Verify().Should().BeTrue($"the {tag} CSR must be self-signed with a verifiable signature");
 
@@ -216,7 +115,9 @@ public void Csr_RoundTripsKeyAlgorithm(string tag)
         ///
         /// Opt-in: requires <c>CERTINEXT_ALGO_MATRIX=1</c> because each run creates a real (pending,
         /// non-issued) DV order on the sandbox account. No DCV is performed, so the orders park at
-        /// EXTERNALVALIDATION and are not cleaned up here.
+        /// EXTERNALVALIDATION and are not cleaned up here. "Accepted at submission" is weaker than
+        /// "will issue" — see <c>DcvLifecycleTests.EnrollWithDcvOn_IssuesPerKeyAlgorithm</c> for the
+        /// end-to-end issuance matrix.
         /// </summary>
         [SkippableTheory]
         [MemberData(nameof(KeyTypes))]
@@ -227,9 +128,9 @@ public async Task Enroll_AcceptsKeyAlgorithm(string tag)
                 Environment.GetEnvironmentVariable(OptInFlag) == "1",
                 $"Set {OptInFlag}=1 to run the live algorithm-submission matrix (creates real sandbox orders).");
 
-            var spec = SpecFor(tag);
-            string cn = $"algo-{tag.ToLowerInvariant().Replace("-", string.Empty)}.example.com";
-            string csrPem = GenerateCsrPem(cn, spec);
+            var spec = KeyAlgorithms.For(tag);
+            string cn = $"algo-{KeyAlgorithms.Slug(tag)}.example.com";
+            string csrPem = KeyAlgorithms.GenerateCsrPem(cn, spec);
 
             var productInfo = new EnrollmentProductInfo
             {

CERTInext.IntegrationTests/DcvLifecycleTests.cs

@@ -9,6 +9,7 @@
 using Org.BouncyCastle.Asn1.X509;
 using Org.BouncyCastle.Crypto;
 using Org.BouncyCastle.Crypto.Generators;
+using Org.BouncyCastle.Crypto.Parameters;
 using Org.BouncyCastle.Pkcs;
 using Org.BouncyCastle.Security;
 using FluentAssertions;
@@ -360,14 +361,149 @@ public async Task EnrollWithDcvOn_OrderIssuedEndToEnd_AndAppearsInSync()
                 fetched.Status.Should().Be((int)EndEntityStatus.GENERATED);
                 fetched.Certificate.Should().NotBeNullOrWhiteSpace(
                     "GetSingleRecord must populate the PEM for a GENERATED order.");
-                _output.WriteLine($"  Sync cert PEM length: {record.Certificate.Length}; " +
-                                  $"GetSingleRecord PEM length: {fetched.Certificate.Length}");
+                _output.WriteLine($"  Sync cert PEM length: {record.Certificate!.Length}; " +
+                                  $"GetSingleRecord PEM length: {fetched.Certificate!.Length}");
             }
 
             _output.WriteLine($"--- Verdict: DCV-on enroll for {cn} drove DCV end-to-end via plugin, " +
                               $"order {enrollResult.CARequestID} surfaced in sync with Status={record.Status}. ---");
         }
 
+        /// <summary>
+        /// End-to-end key-algorithm issuance matrix: RSA 2048/3072/4096/6144/8192, ECDSA
+        /// P-256/P-384/P-521, Ed25519, Ed448 (see <see cref="KeyAlgorithms"/>). For each type,
+        /// enroll a fresh scrup.org DV order with DCV ON, drive it to issuance via the plugin
+        /// (Cloudflare TXT publish → VerifyDcv → bounded sync passes), and assert the issued cert
+        /// carries a parseable body whose public key matches the requested algorithm.
+        ///
+        /// An algorithm CERTInext won't issue — rejected at submission, FAILED, or never reaching
+        /// GENERATED within the polling window — is reported as an explicit Skip carrying the
+        /// observed reason, so the matrix documents which algorithms CERTInext actually issues
+        /// without hard-failing on a legitimate CA limitation.
+        ///
+        /// Opt-in (issues a real cert per accepted algorithm): set <c>CERTINEXT_ALGO_MATRIX_DCV=1</c>.
+        /// Requires Cloudflare DCV credentials.
+        /// </summary>
+        [SkippableTheory]
+        [MemberData(nameof(KeyAlgorithms.AsMemberData), MemberType = typeof(KeyAlgorithms))]
+        public async Task EnrollWithDcvOn_IssuesPerKeyAlgorithm(string tag)
+        {
+            IntegrationSkip.IfNotConfigured(_fixture);
+            Skip.If(System.Environment.GetEnvironmentVariable("CERTINEXT_ALGO_MATRIX_DCV") != "1",
+                "Opt-in: set CERTINEXT_ALGO_MATRIX_DCV=1 to issue one real scrup.org cert per key algorithm.");
+            Skip.If(!_fixture.IsCloudflareConfigured,
+                "CERTINEXT_CF_API_TOKEN + CERTINEXT_CF_ZONE_ID required — DCV issuance must publish real TXT records.");
+
+            var spec = KeyAlgorithms.For(tag);
+            string suffix = System.Guid.NewGuid().ToString("N").Substring(0, 8);
+            string cn = $"algo-{KeyAlgorithms.Slug(tag)}-{suffix}.scrup.org";
+            string csr = KeyAlgorithms.GenerateCsrPem(cn, spec);
+
+            var plugin = BuildPlugin(dcvEnabled: true);
+
+            // --- Enroll. A submission-time rejection (unsupported algorithm) → Skip with the CA's reason. ---
+            EnrollmentResult enrollResult;
+            try
+            {
+                enrollResult = await plugin.Enroll(
+                    csr:            csr,
+                    subject:        $"CN={cn}",
+                    san:            new Dictionary<string, string[]> { ["dns"] = new[] { cn } },
+                    productInfo:    IntegrationTestData.DvSslProductInfo(_fixture.Config.DefaultProductCode),
+                    requestFormat:  RequestFormat.PKCS10,
+                    enrollmentType: EnrollmentType.New);
+            }
+            catch (Exception ex)
+            {
+                _output.WriteLine($"[SKIP] {tag}: CERTInext rejected the DV order at submission — {ex.Message}");
+                Skip.If(true, $"CERTInext did not accept a {tag} DV order (likely an unsupported key algorithm). CA message: {ex.Message}");
+                return; // unreachable — Skip throws
+            }
+
+            enrollResult.Should().NotBeNull();
+            enrollResult.CARequestID.Should().NotBeNullOrWhiteSpace($"{tag}: CA must return a CARequestID when it accepts the order");
+            _output.WriteLine($"[{tag}] enrolled cn={cn} id={enrollResult.CARequestID} status={enrollResult.Status}");
+
+            // --- Poll this one order to issuance via GetSingleRecord (targeted; avoids the
+            //     full-account sync, which would also drive DCV on unrelated pending orders). ---
+            const int maxPolls = 6;
+            const int delaySeconds = 15;
+            AnyCAPluginCertificate record = null;
+            for (int poll = 1; poll <= maxPolls; poll++)
+            {
+                record = await plugin.GetSingleRecord(enrollResult.CARequestID);
+                int status = record?.Status ?? -1;
+                _output.WriteLine($"[{tag}] poll #{poll}: status={status} certLen={record?.Certificate?.Length ?? 0}");
+
+                if (status == (int)EndEntityStatus.GENERATED)
+                    break;
+                if (status == (int)EndEntityStatus.FAILED)
+                {
+                    _output.WriteLine($"[SKIP] {tag}: order {enrollResult.CARequestID} went FAILED — CERTInext will not issue this algorithm.");
+                    Skip.If(true, $"CERTInext FAILED the {tag} order — algorithm not issuable on this account/profile.");
+                    return;
+                }
+                if (poll < maxPolls)
+                    await Task.Delay(TimeSpan.FromSeconds(delaySeconds));
+            }
+
+            record.Should().NotBeNull($"{tag}: enrolled order {enrollResult.CARequestID} must be retrievable");
+
+            if (record!.Status != (int)EndEntityStatus.GENERATED)
+            {
+                // Accepted at submission but not issued within the window — document as Skip, not fail.
+                _output.WriteLine($"[SKIP] {tag}: order {enrollResult.CARequestID} still Status={record.Status} after {maxPolls} polls.");
+                Skip.If(true, $"CERTInext accepted the {tag} order but it did not reach GENERATED within the polling window " +
+                    $"(Status={record.Status}) — possible unsupported algorithm or slow server-side validation.");
+                return;
+            }
+
+            record.Certificate.Should().NotBeNullOrWhiteSpace(
+                $"{tag}: issued cert must carry a PEM body (issue 0001)");
+
+            // Strong check: the issued cert's public key must match the algorithm we requested.
+            AssertIssuedCertMatchesAlgorithm(record.Certificate, spec, tag);
+
+            _output.WriteLine($"--- {tag}: DCV-on issuance OK — order {enrollResult.CARequestID} GENERATED, " +
+                              $"cert public key confirmed as {tag}. ---");
+        }
+
+        /// <summary>
+        /// Parses an issued certificate PEM and asserts its public key matches the requested
+        /// algorithm/size — proves CERTInext issued the key type we submitted, not a substitute.
+        /// </summary>
+        private static void AssertIssuedCertMatchesAlgorithm(string certPem, KeyAlgorithmSpec spec, string tag)
+        {
+            var b64 = certPem
+                .Replace("-----BEGIN CERTIFICATE-----", string.Empty)
+                .Replace("-----END CERTIFICATE-----", string.Empty)
+                .Replace("\r", string.Empty).Replace("\n", string.Empty).Trim();
+
+            var cert = new Org.BouncyCastle.X509.X509CertificateParser().ReadCertificate(Convert.FromBase64String(b64));
+            cert.Should().NotBeNull($"{tag}: issued cert PEM must parse");
+
+            var pub = cert.GetPublicKey();
+            switch (spec.Kind)
+            {
+                case KeyKind.Rsa:
+                    pub.Should().BeOfType<RsaKeyParameters>();
+                    ((RsaKeyParameters)pub).Modulus.BitLength.Should().Be(spec.Strength,
+                        $"{tag}: issued RSA cert must have a {spec.Strength}-bit modulus");
+                    break;
+                case KeyKind.Ecdsa:
+                    pub.Should().BeOfType<ECPublicKeyParameters>();
+                    ((ECPublicKeyParameters)pub).Parameters.Curve.FieldSize.Should().Be(spec.Strength,
+                        $"{tag}: issued EC cert must use a {spec.Strength}-bit curve");
+                    break;
+                case KeyKind.Ed25519:
+                    pub.Should().BeOfType<Ed25519PublicKeyParameters>();
+                    break;
+                case KeyKind.Ed448:
+                    pub.Should().BeOfType<Ed448PublicKeyParameters>();
+                    break;
+            }
+        }
+
         /// <summary>
         /// Exercises the deferred-DCV retry path during single-record refresh against an
         /// existing pending order.  Reads <c>CERTINEXT_PENDING_ORDER_ID</c> from the