address review feedback

Author: yugangw-msft

adal/authentication_context.py

@@ -235,21 +235,22 @@ def token_func(self):
         return self._acquire_token(token_func)
 
     def acquire_token_with_client_certificate(self, resource, client_id, 
-                                              certificate, thumbprint, send_x5c=False):
+                                              certificate, thumbprint, public_certificate=None):
         '''Gets a token for a given resource via certificate credentials
 
         :param str resource: A URI that identifies the resource for which the
             token is valid.
         :param str client_id: The OAuth client id of the calling application.
         :param str certificate: A PEM encoded certificate private key.
         :param str thumbprint: hex encoded thumbprint of the certificate.
-        :param send_x5c(optional): if True, send the public certificate through 'x5c' JWT header
-            for subject name and issuer based authentication, which is to support cert auto rolls 
+        :param public_certificate(optional): if not None, it will be sent to the service for subject name
+            and issuer based authentication, which is to support cert auto rolls. The value must match the
+            certificate private key parameter.
         :returns: dict with several keys, include "accessToken".
         '''
         def token_func(self):
             token_request = TokenRequest(self._call_context, self, client_id, resource)
-            return token_request.get_token_with_certificate(certificate, thumbprint, send_x5c)
+            return token_request.get_token_with_certificate(certificate, thumbprint, public_certificate)
 
         return self._acquire_token(token_func)
 

adal/self_signed_jwt.py

@@ -118,19 +118,9 @@ def _reduce_thumbprint(self, thumbprint):
         self._raise_on_invalid_thumbprint(canonical)
         return canonical
 
-    def create(self, certificate, thumbprint, send_x5c):
+    def create(self, certificate, thumbprint, public_certificate):
         thumbprint = self._reduce_thumbprint(thumbprint)
 
-        public_certificate = None
-        if send_x5c:
-            # to avoid pulling in OpenSSL dependency, we do low-tech but safe parsing based on markers 
-            # defined in "<github>/libressl-portable/openbsd/blob/master/src/lib/libcrypto/pem/pem.h"
-            match = re.search(r'\-+BEGIN CERTIFICATE.+\-+(?P<public>[^-]+)\-+END CERTIFICATE.+\-+',
-                              certificate, re.I)
-            if not match:
-                raise AdalError("Error:Invalid Certificate: Marker of '-----BEGIN CERTIFICATE-----' was not found")
-            public_certificate = match.group('public').strip()
-
         header = self._create_header(thumbprint, public_certificate)
         payload = self._create_payload()
         return _sign_jwt(header, payload, certificate)

adal/token_request.py

@@ -351,20 +351,20 @@ def get_token_from_cache_with_refresh(self, user_id):
         self._user_id = user_id
         return self._find_token_from_cache()
 
-    def _create_jwt(self, certificate, thumbprint, send_x5c):
+    def _create_jwt(self, certificate, thumbprint, public_certificate):
 
         ssj = self._create_self_signed_jwt()
-        jwt = ssj.create(certificate, thumbprint, send_x5c)
+        jwt = ssj.create(certificate, thumbprint, public_certificate)
 
         if not jwt:
             raise AdalError("Failed to create JWT.")
         return jwt
 
-    def get_token_with_certificate(self, certificate, thumbprint, send_x5c):
+    def get_token_with_certificate(self, certificate, thumbprint, public_certificate):
 
         self._log.info("Getting a token via certificate.")
 
-        jwt = self._create_jwt(certificate, thumbprint, send_x5c)
+        jwt = self._create_jwt(certificate, thumbprint, public_certificate)
 
         oauth_parameters = self._create_oauth_parameters(OAUTH2_GRANT_TYPE.CLIENT_CREDENTIALS)
         oauth_parameters[OAUTH2_PARAMETERS.CLIENT_ASSERTION_TYPE] = OAUTH2_GRANT_TYPE.JWT_BEARER

tests/test_self_signed_jwt.py

@@ -69,7 +69,7 @@ def _create_jwt(self, cert, thumbprint, encodeError = None):
         else:
             self_signed_jwt._encode_jwt = mock.MagicMock(return_value = self.expectedJwt)
 
-        jwt = ssjwt.create(cert, thumbprint, False)
+        jwt = ssjwt.create(cert, thumbprint, public_certificate=None)
         return jwt
 
     def _create_jwt_and_match_expected_err(self, testCert, thumbprint, encodeError = None):