Use SHA2 and PSS for client assertion (#4616)

* Fix tests * Remove other JSON operations * Perf tests * codeql * PR comments * fix
AzureAD · Feb 6, 2024 · d2f015a · d2f015a · haha1903 · Mar 29, 2024
1 parent 8b49739
commit d2f015a
Show file tree

Hide file tree

Showing 30 changed files with 523 additions and 384 deletions.
diff --git a/.editorconfig b/.editorconfig
@@ -59,7 +59,7 @@ dotnet_style_predefined_type_for_member_access = true:suggestion
 # name all constant fields using PascalCase
 dotnet_naming_rule.constant_fields_should_be_pascal_case.severity = suggestion
 dotnet_naming_rule.constant_fields_should_be_pascal_case.symbols  = constant_fields
-dotnet_naming_rule.constant_fields_should_be_pascal_case.style    = pascal_case_style
+dotnet_naming_rule.constant_fields_should_be_pascal_case.style = pascal_case_style
 
 dotnet_naming_symbols.constant_fields.applicable_kinds   = field
 dotnet_naming_symbols.constant_fields.required_modifiers = const
@@ -69,7 +69,7 @@ dotnet_naming_style.pascal_case_style.capitalization = pascal_case
 # static fields should have s_ prefix
 dotnet_naming_rule.static_fields_should_have_prefix.severity = suggestion
 dotnet_naming_rule.static_fields_should_have_prefix.symbols  = static_fields
-dotnet_naming_rule.static_fields_should_have_prefix.style    = static_prefix_style
+dotnet_naming_rule.static_fields_should_have_prefix.style = static_prefix_style
 
 dotnet_naming_symbols.static_fields.applicable_kinds   = field
 dotnet_naming_symbols.static_fields.required_modifiers = static
@@ -80,7 +80,7 @@ dotnet_naming_style.static_prefix_style.capitalization = camel_case
 # internal and private fields should be _camelCase
 dotnet_naming_rule.camel_case_for_private_internal_fields.severity = suggestion
 dotnet_naming_rule.camel_case_for_private_internal_fields.symbols  = private_internal_fields
-dotnet_naming_rule.camel_case_for_private_internal_fields.style    = camel_case_underscore_style
+dotnet_naming_rule.camel_case_for_private_internal_fields.style = camel_case_underscore_style
 
 dotnet_naming_symbols.private_internal_fields.applicable_kinds = field
 dotnet_naming_symbols.private_internal_fields.applicable_accessibilities = private, internal
@@ -140,6 +140,23 @@ csharp_space_between_method_declaration_name_and_open_parenthesis = false
 csharp_space_between_method_declaration_parameter_list_parentheses = false
 csharp_space_between_parentheses = false
 csharp_space_between_square_brackets = false
+csharp_using_directive_placement = outside_namespace:silent
+csharp_prefer_simple_using_statement = true:suggestion
+csharp_prefer_braces = true:silent
+csharp_style_namespace_declarations = block_scoped:silent
+csharp_style_prefer_method_group_conversion = true:silent
+csharp_style_prefer_top_level_statements = true:silent
+csharp_style_prefer_primary_constructors = true:suggestion
+csharp_style_expression_bodied_lambdas = true:silent
+csharp_style_expression_bodied_local_functions = false:silent
+csharp_style_prefer_null_check_over_type_check = true:suggestion
+csharp_prefer_simple_default_expression = true:suggestion
+csharp_style_prefer_local_over_anonymous_function = true:suggestion
+csharp_style_prefer_index_operator = true:suggestion
+csharp_style_prefer_range_operator = true:suggestion
+csharp_style_implicit_object_creation_when_type_is_apparent = true:suggestion
+csharp_style_prefer_tuple_swap = true:suggestion
+csharp_style_prefer_utf8_string_literals = true:suggestion
 
 # C++ Files
 
@@ -826,7 +843,7 @@ dotnet_diagnostic.CA1832.severity = none
 dotnet_diagnostic.CA1833.severity = none
 
 # Consider using &apos;StringBuilder.Append(char)&apos; when applicable
-dotnet_diagnostic.CA1834.severity = none
+dotnet_diagnostic.CA1834.severity = warning
 
 # Prefer the &apos;Memory&apos;-based overloads for &apos;ReadAsync&apos; and &apos;WriteAsync&apos;
 dotnet_diagnostic.CA1835.severity = none
@@ -1284,3 +1301,21 @@ dotnet_diagnostic.RS1012.severity = none
 dotnet_diagnostic.RS1013.severity = none
 
 dotnet_diagnostic.RS1014.severity = none
+dotnet_style_operator_placement_when_wrapping = beginning_of_line
+tab_width = 4
+dotnet_style_coalesce_expression = true:suggestion
+dotnet_style_null_propagation = true:suggestion
+dotnet_style_prefer_is_null_check_over_reference_equality_method = true:suggestion
+dotnet_style_prefer_auto_properties = true:silent
+dotnet_style_object_initializer = true:suggestion
+dotnet_style_prefer_collection_expression = true:suggestion
+dotnet_style_collection_initializer = true:suggestion
+dotnet_style_prefer_simplified_boolean_expressions = true:suggestion
+dotnet_style_prefer_conditional_expression_over_assignment = true:silent
+dotnet_style_prefer_conditional_expression_over_return = true:silent
+dotnet_style_explicit_tuple_names = true:suggestion
+dotnet_style_prefer_inferred_tuple_names = true:suggestion
+dotnet_style_prefer_inferred_anonymous_type_member_names = true:suggestion
+dotnet_style_prefer_compound_assignment = true:suggestion
+dotnet_style_prefer_simplified_interpolation = true:suggestion
+dotnet_style_namespace_match_folder = true:suggestion
diff --git a/src/client/Microsoft.Identity.Client/AppConfig/AuthorityInfo.cs b/src/client/Microsoft.Identity.Client/AppConfig/AuthorityInfo.cs
@@ -138,6 +138,14 @@ private AuthorityInfo(
             AuthorityType == AuthorityType.B2C ||
             AuthorityType == AuthorityType.Ciam;
 
+        /// <summary>
+        /// True if SHA2 and PSS can be used for creating the client credential from a certificate 
+        /// </summary>
+        internal bool IsSha2CredentialSupported =>
+            AuthorityType != AuthorityType.Dsts &&
+            AuthorityType != AuthorityType.Generic &&
+            AuthorityType != AuthorityType.Adfs;
+
         #region Builders
         internal static AuthorityInfo FromAuthorityUri(string authorityUri, bool validateAuthority)
         {

diff --git a/src/client/Microsoft.Identity.Client/AuthScheme/PoP/PoPAuthenticationScheme.cs b/src/client/Microsoft.Identity.Client/AuthScheme/PoP/PoPAuthenticationScheme.cs
@@ -75,9 +75,9 @@ public string FormatAccessToken(MsalAccessTokenCacheItem msalAccessTokenCacheIte
             }
 
             var header = new JObject();
-            header[JsonWebTokenConstants.ReservedHeaderParameters.Algorithm] = _popCryptoProvider.CryptographicAlgorithm;
-            header[JsonWebTokenConstants.ReservedHeaderParameters.KeyId] = KeyId;
-            header[JsonWebTokenConstants.ReservedHeaderParameters.Type] = Constants.PoPTokenType;
+            header[JsonWebTokenConstants.Algorithm] = _popCryptoProvider.CryptographicAlgorithm;
+            header[JsonWebTokenConstants.KeyId] = KeyId;
+            header[JsonWebTokenConstants.Type] = Constants.PoPTokenType;
 
             var body = CreateBody(msalAccessTokenCacheItem);
 

diff --git a/...crosoft.Identity.Client/Internal/ClientCredential/CertificateAndClaimsClientCredential.cs b/...crosoft.Identity.Client/Internal/ClientCredential/CertificateAndClaimsClientCredential.cs
@@ -1,7 +1,10 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+using System;
 using System.Collections.Generic;
+using System.Runtime.ConstrainedExecution;
+using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
@@ -17,17 +20,20 @@ internal class CertificateAndClaimsClientCredential : IClientCredential
     {
         private readonly IDictionary<string, string> _claimsToSign;
         private readonly bool _appendDefaultClaims;
-        private readonly string _base64EncodedThumbprint; // x5t
+
         public X509Certificate2 Certificate { get; }
 
         public AssertionType AssertionType => AssertionType.CertificateWithoutSni;
 
-        public CertificateAndClaimsClientCredential(X509Certificate2 certificate, IDictionary<string, string> claimsToSign, bool appendDefaultClaims)
+        public CertificateAndClaimsClientCredential(
+            X509Certificate2 certificate,
+            IDictionary<string, string> claimsToSign, 
+            bool appendDefaultClaims)
         {
             Certificate = certificate;
             _claimsToSign = claimsToSign;
             _appendDefaultClaims = appendDefaultClaims;
-            _base64EncodedThumbprint = Base64UrlHelpers.Encode(certificate.GetCertHash());
+
         }
 
         public Task AddConfidentialClientParametersAsync(
@@ -37,6 +43,7 @@ public Task AddConfidentialClientParametersAsync(
             string clientId, 
             string tokenEndpoint, 
             bool sendX5C, 
+            bool useSha2AndPss,
             CancellationToken cancellationToken)
         {
             var jwtToken = new JsonWebToken(
@@ -46,7 +53,7 @@ public Task AddConfidentialClientParametersAsync(
                 _claimsToSign,
                 _appendDefaultClaims);
 
-            string assertion = jwtToken.Sign(Certificate, _base64EncodedThumbprint, sendX5C);
+            string assertion = jwtToken.Sign(Certificate, sendX5C, useSha2AndPss);
 
             oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertionType, OAuth2AssertionType.JwtBearer);
             oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertion, assertion);

diff --git a/src/client/Microsoft.Identity.Client/Internal/ClientCredential/IClientCredential.cs b/src/client/Microsoft.Identity.Client/Internal/ClientCredential/IClientCredential.cs
@@ -27,6 +27,7 @@ Task AddConfidentialClientParametersAsync(
               string clientId,
               string tokenEndpoint,
               bool sendX5C,
+              bool useSha2,
               CancellationToken cancellationToken);
     }
 }
diff --git a/...lient/Microsoft.Identity.Client/Internal/ClientCredential/SecretStringClientCredential.cs b/...lient/Microsoft.Identity.Client/Internal/ClientCredential/SecretStringClientCredential.cs
@@ -22,7 +22,15 @@ public SecretStringClientCredential(string secret)
             Secret = secret;
         }
 
-        public Task AddConfidentialClientParametersAsync(OAuth2Client oAuth2Client, ILoggerAdapter logger, ICryptographyManager cryptographyManager, string clientId, string tokenEndpoint, bool sendX5C, CancellationToken cancellationToken)
+        public Task AddConfidentialClientParametersAsync(
+            OAuth2Client oAuth2Client, 
+            ILoggerAdapter logger, 
+            ICryptographyManager cryptographyManager, 
+            string clientId, 
+            string tokenEndpoint, 
+            bool sendX5C,
+            bool useSha2,
+            CancellationToken cancellationToken)
         {
             oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientSecret, Secret);
             return Task.CompletedTask;

diff --git a/...nt/Microsoft.Identity.Client/Internal/ClientCredential/SignedAssertionClientCredential.cs b/...nt/Microsoft.Identity.Client/Internal/ClientCredential/SignedAssertionClientCredential.cs
@@ -22,7 +22,15 @@ public SignedAssertionClientCredential(string signedAssertion)
             _signedAssertion = signedAssertion;
         }
 
-        public Task AddConfidentialClientParametersAsync(OAuth2Client oAuth2Client, ILoggerAdapter logger, ICryptographyManager cryptographyManager, string clientId, string tokenEndpoint, bool sendX5C, CancellationToken cancellationToken)
+        public Task AddConfidentialClientParametersAsync(
+            OAuth2Client oAuth2Client, 
+            ILoggerAdapter logger, 
+            ICryptographyManager cryptographyManager, 
+            string clientId, 
+            string tokenEndpoint,
+            bool sendX5C,
+            bool useSha2,
+            CancellationToken cancellationToken)
         {
             oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertionType, OAuth2AssertionType.JwtBearer);
             oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertion, _signedAssertion);

diff --git a/...soft.Identity.Client/Internal/ClientCredential/SignedAssertionDelegateClientCredential.cs b/...soft.Identity.Client/Internal/ClientCredential/SignedAssertionDelegateClientCredential.cs
@@ -28,7 +28,15 @@ public SignedAssertionDelegateClientCredential(Func<AssertionRequestOptions, Tas
             _signedAssertionWithInfoDelegate = signedAssertionDelegate;
         }
 
-        public async Task AddConfidentialClientParametersAsync(OAuth2Client oAuth2Client, ILoggerAdapter logger, ICryptographyManager cryptographyManager, string clientId, string tokenEndpoint, bool sendX5C, CancellationToken cancellationToken)
+        public async Task AddConfidentialClientParametersAsync(
+            OAuth2Client oAuth2Client, 
+            ILoggerAdapter logger, 
+            ICryptographyManager cryptographyManager,
+            string clientId, 
+            string tokenEndpoint,
+            bool sendX5C, 
+            bool useSha2,
+            CancellationToken cancellationToken)
         {
             string signedAssertion = await (_signedAssertionDelegate != null 
                 ? _signedAssertionDelegate(cancellationToken).ConfigureAwait(false)
@@ -41,5 +49,6 @@ public async Task AddConfidentialClientParametersAsync(OAuth2Client oAuth2Client
             oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertionType, OAuth2AssertionType.JwtBearer);
             oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientAssertion, signedAssertion);
         }
+
     }
 }