Add new mtls pop package for MSI flows

Author: gladjohn

LibsAndSamples.sln

@@ -196,6 +196,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MacMauiAppWithBroker", "tes
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MacConsoleAppWithBroker", "tests\devapps\MacConsoleAppWithBroker\MacConsoleAppWithBroker.csproj", "{DBD18BC8-72E4-47D4-BD79-8DEBD9F2C0D0}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.Identity.Client.MtlsPop", "src\client\Microsoft.Identity.Client.MtlsPop\Microsoft.Identity.Client.MtlsPop.csproj", "{269A7A67-E48E-49A6-936B-60F1BE51F0CD}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug + MobileApps|Any CPU = Debug + MobileApps|Any CPU
@@ -2022,6 +2024,48 @@ Global
 		{DBD18BC8-72E4-47D4-BD79-8DEBD9F2C0D0}.Release|x64.Build.0 = Release|Any CPU
 		{DBD18BC8-72E4-47D4-BD79-8DEBD9F2C0D0}.Release|x86.ActiveCfg = Release|Any CPU
 		{DBD18BC8-72E4-47D4-BD79-8DEBD9F2C0D0}.Release|x86.Build.0 = Release|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug + MobileApps|Any CPU.ActiveCfg = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug + MobileApps|Any CPU.Build.0 = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug + MobileApps|ARM.ActiveCfg = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug + MobileApps|ARM.Build.0 = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug + MobileApps|ARM64.ActiveCfg = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug + MobileApps|ARM64.Build.0 = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug + MobileApps|iPhone.ActiveCfg = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug + MobileApps|iPhone.Build.0 = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug + MobileApps|iPhoneSimulator.ActiveCfg = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug + MobileApps|iPhoneSimulator.Build.0 = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug + MobileApps|x64.ActiveCfg = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug + MobileApps|x64.Build.0 = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug + MobileApps|x86.ActiveCfg = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug + MobileApps|x86.Build.0 = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug|ARM.ActiveCfg = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug|ARM.Build.0 = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug|ARM64.ActiveCfg = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug|ARM64.Build.0 = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug|iPhone.ActiveCfg = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug|iPhone.Build.0 = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug|iPhoneSimulator.ActiveCfg = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug|iPhoneSimulator.Build.0 = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug|x64.Build.0 = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Debug|x86.Build.0 = Debug|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Release|Any CPU.Build.0 = Release|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Release|ARM.ActiveCfg = Release|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Release|ARM.Build.0 = Release|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Release|ARM64.ActiveCfg = Release|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Release|ARM64.Build.0 = Release|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Release|iPhone.ActiveCfg = Release|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Release|iPhone.Build.0 = Release|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Release|iPhoneSimulator.ActiveCfg = Release|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Release|iPhoneSimulator.Build.0 = Release|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Release|x64.ActiveCfg = Release|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Release|x64.Build.0 = Release|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Release|x86.ActiveCfg = Release|Any CPU
+		{269A7A67-E48E-49A6-936B-60F1BE51F0CD}.Release|x86.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

src/client/Microsoft.Identity.Client.MtlsPop/Attestation/AttestationClient.cs

@@ -0,0 +1,117 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using System.Runtime.InteropServices;
+using System.Text;
+using Microsoft.Win32.SafeHandles;
+
+namespace Microsoft.Identity.Client.MtlsPop.Attestation
+{
+    /// <summary>
+    /// Managed façade for <c>AttestationClientLib.dll</c>.  Holds initialization state,
+    /// does ref-count hygiene on <see cref="SafeNCryptKeyHandle"/>, and returns a JWT.
+    /// </summary>
+    public sealed class AttestationClient : IDisposable
+    {
+        private bool _initialized;
+
+        /// <summary>
+        /// AttestationClient constructor.  Pro-actively verifies the native DLL,
+        /// </summary>
+        /// <exception cref="InvalidOperationException"></exception>
+        public AttestationClient()
+        {
+            /* step 0 ── pro-actively verify the native DLL */
+            string dllError = NativeDiagnostics.ProbeNativeDll();
+            if (dllError is not null)
+                throw new InvalidOperationException(dllError);
+
+            /* step 1 ── load & initialize */
+            NativeDllResolver.EnsureLoaded();
+
+            var info = new AttestationClientLib.AttestationLogInfo
+            {
+                Log = AttestationLogger.ConsoleLogger,
+                Ctx = IntPtr.Zero
+            };
+
+            _initialized = AttestationClientLib.InitAttestationLib(ref info) == 0;
+            if (!_initialized)
+                throw new InvalidOperationException("Failed to initialize AttestationClientLib.");
+        }
+
+        /// <summary>
+        /// Calls the native <c>AttestKeyGuardImportKey</c> and returns a structured result.
+        /// </summary>
+        public AttestationResult Attest(string endpoint,
+                                        SafeNCryptKeyHandle keyHandle,
+                                        string clientId)
+        {
+            if (!_initialized)
+                return new(AttestationStatus.NotInitialized, null, -1,
+                           "Native library not initialized.");
+
+            IntPtr buf = IntPtr.Zero;
+            bool addRef = false;
+
+            try
+            {
+                keyHandle.DangerousAddRef(ref addRef);
+
+                int rc = AttestationClientLib.AttestKeyGuardImportKey(
+                             endpoint, null, null, keyHandle, out buf, clientId);
+
+                if (rc != 0)
+                    return new(AttestationStatus.NativeError, null, rc, null);
+
+                if (buf == IntPtr.Zero)
+                    return new(AttestationStatus.TokenEmpty, null, 0,
+                               "rc==0 but token buffer was null.");
+
+                string jwt = Marshal.PtrToStringAnsi(buf)!;
+                return new(AttestationStatus.Success, jwt, 0, null);
+            }
+            catch (DllNotFoundException ex)
+            {
+                return new(AttestationStatus.Exception, null, -1,
+                    $"Native DLL not found: {ex.Message}");
+            }
+            catch (BadImageFormatException ex)
+            {
+                return new(AttestationStatus.Exception, null, -1,
+                    $"Architecture mismatch (x86/x64) or corrupted DLL: {ex.Message}");
+            }
+            catch (SEHException ex)
+            {
+                return new(AttestationStatus.Exception, null, -1,
+                    $"Native library raised SEHException: {ex.Message}");
+            }
+            catch (Exception ex)
+            {
+                return new(AttestationStatus.Exception, null, -1, ex.Message);
+            }
+            finally
+            {
+                if (buf != IntPtr.Zero)
+                    AttestationClientLib.FreeAttestationToken(buf);
+                if (addRef)
+                    keyHandle.DangerousRelease();
+            }
+        }
+
+        /// <summary>
+        /// Disposes the client, releasing any resources and un-initializing the native library.
+        /// </summary>
+        public void Dispose()
+        {
+            if (_initialized)
+            {
+                AttestationClientLib.UninitAttestationLib();
+                _initialized = false;
+            }
+            GC.SuppressFinalize(this);
+        }
+    }
+}

src/client/Microsoft.Identity.Client.MtlsPop/Attestation/AttestationClientLib.cs

@@ -0,0 +1,45 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Microsoft.Win32.SafeHandles;
+using System;
+using System.IO;
+using System.Runtime.InteropServices;
+
+namespace Microsoft.Identity.Client.MtlsPop.Attestation
+{
+    internal static class AttestationClientLib
+    {
+        internal enum LogLevel { Error, Warn, Info, Debug }
+
+        internal delegate void LogFunc(
+            IntPtr ctx, string tag, LogLevel lvl, string func, int line, string msg);
+
+        [StructLayout(LayoutKind.Sequential)]
+        internal struct AttestationLogInfo
+        {
+            public LogFunc Log;
+            public IntPtr Ctx;
+        }
+
+        [DllImport("AttestationClientLib.dll", CallingConvention = CallingConvention.Cdecl,
+                   CharSet = CharSet.Ansi)]
+        internal static extern int InitAttestationLib(ref AttestationLogInfo info);
+
+        [DllImport("AttestationClientLib.dll", CallingConvention = CallingConvention.Cdecl,
+                   CharSet = CharSet.Ansi)]
+        internal static extern int AttestKeyGuardImportKey(
+            string endpoint,
+            string authToken,
+            string clientPayload,
+            SafeNCryptKeyHandle keyHandle,
+            out IntPtr token,
+            string clientId);
+
+        [DllImport("AttestationClientLib.dll", CallingConvention = CallingConvention.Cdecl)]
+        internal static extern void FreeAttestationToken(IntPtr token);
+
+        [DllImport("AttestationClientLib.dll", CallingConvention = CallingConvention.Cdecl)]
+        internal static extern void UninitAttestationLib();
+    }
+}

src/client/Microsoft.Identity.Client.MtlsPop/Attestation/AttestationErrors.cs

@@ -0,0 +1,27 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace Microsoft.Identity.Client.MtlsPop.Attestation
+{
+    internal static class AttestationErrors
+    {
+        internal static string Describe(AttestationResultErrorCode rc) => rc switch
+        {
+            AttestationResultErrorCode.ERRORCURLINITIALIZATION
+                => "libcurl failed to initialize (DLL missing or version mismatch).",
+            AttestationResultErrorCode.ERRORHTTPREQUESTFAILED
+                => "Could not reach the attestation service (network / proxy?).",
+            AttestationResultErrorCode.ERRORATTESTATIONFAILED
+                => "The enclave rejected the evidence (key type / PCR policy).",
+            AttestationResultErrorCode.ERRORJWTDECRYPTIONFAILED
+                => "The JWT returned by the service could not be decrypted.",
+            AttestationResultErrorCode.ERRORLOGGERINITIALIZATION
+                => "Native logger setup failed (rare).",
+            _ => rc.ToString()         // default: enum name
+        };
+    }
+}

src/client/Microsoft.Identity.Client.MtlsPop/Attestation/AttestationLogger.cs

@@ -0,0 +1,15 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+
+namespace Microsoft.Identity.Client.MtlsPop.Attestation
+{
+    internal static class AttestationLogger
+    {
+        /// <summary>Default logger that pipes native messages to <c>Console.WriteLine</c>.</summary>
+        internal static readonly AttestationClientLib.LogFunc ConsoleLogger = (_,
+            tag, lvl, func, line, msg) =>
+            Console.WriteLine($"[{lvl}] {tag} {func}:{line}  {msg}");
+    }
+}

src/client/Microsoft.Identity.Client.MtlsPop/Attestation/AttestationResult.cs

@@ -0,0 +1,18 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Microsoft.Identity.Client.MtlsPop.Attestation
+{
+    /// <summary>
+    /// AttestationResult is the result of an attestation operation.
+    /// </summary>
+    /// <param name="Status"></param>
+    /// <param name="Jwt"></param>
+    /// <param name="NativeErrorCode"></param>
+    /// <param name="ErrorMessage"></param>
+    public sealed record AttestationResult(
+        AttestationStatus Status,
+        string Jwt,
+        int NativeErrorCode,
+        string ErrorMessage);
+}