Merge pull request #898 from AzureAD/avdunn/sha256-fix

Fix regression issue in IClientCertificate caused by SHA256 changes

Author: Avery-Dunn

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ClientCertificate.java

@@ -46,14 +46,15 @@ final class ClientCertificate implements IClientCertificate {
         this.publicKeyCertificateChain = publicKeyCertificateChain;
     }
 
-    public String publicCertificateHash()
+    @Override
+    public String publicCertificateHash256()
             throws CertificateEncodingException, NoSuchAlgorithmException {
 
         return Base64.getEncoder().encodeToString(ClientCertificate
                 .getHashSha256(publicKeyCertificateChain.get(0).getEncoded()));
     }
 
-    public String publicCertificateHashSha1()
+    public String publicCertificateHash()
             throws CertificateEncodingException, NoSuchAlgorithmException {
 
         return Base64.getEncoder().encodeToString(ClientCertificate

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ConfidentialClientApplication.java

@@ -101,11 +101,7 @@ private void initClientAuthentication(IClientCredential clientCredential) {
         } else if (clientCredential instanceof ClientCertificate) {
             this.clientCertAuthentication = true;
             this.clientCertificate = (ClientCertificate) clientCredential;
-            if (Authority.detectAuthorityType(this.authenticationAuthority.canonicalAuthorityUrl()) == AuthorityType.ADFS) {
-                clientAuthentication = buildValidClientCertificateAuthoritySha1();
-            } else  {
-                clientAuthentication = buildValidClientCertificateAuthority();
-            }
+            clientAuthentication = buildValidClientCertificateAuthority();
         } else if (clientCredential instanceof ClientAssertion) {
             clientAuthentication = createClientAuthFromClientAssertion((ClientAssertion) clientCredential);
         } else {
@@ -119,32 +115,23 @@ protected ClientAuthentication clientAuthentication() {
             final Date currentDateTime = new Date(System.currentTimeMillis());
             final Date expirationTime = ((PrivateKeyJWT) clientAuthentication).getJWTAuthenticationClaimsSet().getExpirationTime();
             if (expirationTime.before(currentDateTime)) {
-                //The asserted private jwt with the client certificate can expire so rebuild it when the
                 clientAuthentication = buildValidClientCertificateAuthority();
             }
         }
         return clientAuthentication;
     }
 
     private ClientAuthentication buildValidClientCertificateAuthority() {
-        ClientAssertion clientAssertion = JwtHelper.buildJwt(
-                clientId(),
-                clientCertificate,
-                this.authenticationAuthority.selfSignedJwtAudience(),
-                sendX5c,
-                false);
-        return createClientAuthFromClientAssertion(clientAssertion);
-    }
+        //The library originally used SHA-1 for thumbprints as other algorithms were not supported server-side.
+        //When this was written support for SHA-256 had been added, however ADFS scenarios still only allowed SHA-1.
+        boolean useSha1 = Authority.detectAuthorityType(this.authenticationAuthority.canonicalAuthorityUrl()) == AuthorityType.ADFS;
 
-    //The library originally used SHA-1 for thumbprints as other algorithms were not supported server-side,
-    //  and while support for SHA-256 has been added certain flows still only allow SHA-1
-    private ClientAuthentication buildValidClientCertificateAuthoritySha1() {
         ClientAssertion clientAssertion = JwtHelper.buildJwt(
                 clientId(),
                 clientCertificate,
                 this.authenticationAuthority.selfSignedJwtAudience(),
                 sendX5c,
-                true);
+                useSha1);
         return createClientAuthFromClientAssertion(clientAssertion);
     }
 

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/IClientCertificate.java

@@ -23,7 +23,20 @@ public interface IClientCertificate extends IClientCredential {
     PrivateKey privateKey();
 
     /**
-     * Base64 encoded hash of the the public certificate.
+     * Base64 encoded SHA-256 hash of the public certificate.
+     *
+     * @return base64 encoded string
+     * @throws CertificateEncodingException if an encoding error occurs
+     * @throws NoSuchAlgorithmException     if requested algorithm is not available in the environment
+     */
+    default String publicCertificateHash256() throws CertificateEncodingException, NoSuchAlgorithmException {
+        //Default implementation that returns null, to add backwards compatibility for those implementing this public interface.
+        //If left as null, the library will default to the older publicCertificateHash() method and SHA-1 hashing.
+        return null;
+    }
+
+    /**
+     * Base64 encoded SHA-1 hash of the public certificate.
      *
      * @return base64 encoded string
      * @throws CertificateEncodingException if an encoding error occurs

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/JwtHelper.java

@@ -56,11 +56,13 @@ static ClientAssertion buildJwt(String clientId, final ClientCertificate credent
                 builder.x509CertChain(certs);
             }
 
-            //SHA-256 is preferred, however certain flows still require SHA-1 due to what is supported server-side
-            if (useSha1) {
-                builder.x509CertThumbprint(new Base64URL(credential.publicCertificateHashSha1()));
+            //SHA-256 is preferred, however certain flows still require SHA-1 due to what is supported server-side. If SHA-256
+            // is not supported or the IClientCredential.publicCertificateHash256() method is not implemented, the library will default to SHA-1.
+            String hash256 = credential.publicCertificateHash256();
+            if (useSha1 || hash256 == null) {
+                builder.x509CertThumbprint(new Base64URL(credential.publicCertificateHash()));
             } else {
-                builder.x509CertSHA256Thumbprint(new Base64URL(credential.publicCertificateHash()));
+                builder.x509CertSHA256Thumbprint(new Base64URL(hash256));
             }
 
             jwt = new SignedJWT(builder.build(), claimsSet);

msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/ClientCertificateTest.java

@@ -3,18 +3,22 @@
 
 package com.microsoft.aad.msal4j;
 
+import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.TestInstance;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.mockito.Mockito.doReturn;
-import static org.mockito.Mockito.mock;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.*;
 
 import java.math.BigInteger;
-import java.security.PrivateKey;
+import java.security.*;
+import java.security.cert.CertificateException;
 import java.security.interfaces.RSAPrivateKey;
+import java.util.*;
 
 @TestInstance(TestInstance.Lifecycle.PER_CLASS)
 class ClientCertificateTest {
@@ -36,4 +40,69 @@ void testGetClient() {
         final ClientCertificate kc = ClientCertificate.create(key, null);
         assertNotNull(kc);
     }
+
+    @Test
+    void testIClientCertificateInterface_Sha1andSha256() throws NoSuchAlgorithmException, CertificateException {
+        //See https://github.com/AzureAD/microsoft-authentication-library-for-java/issues/863 for context on this test.
+        //Essentially, it aims to test compatibility for customers that implemented IClientCertificate in older versions of the library.
+
+        //IClientCertificate.publicCertificateHash256() returns null by default if not implemented...
+        IClientCertificate certificate = new TestClientCredential();
+        assertNull(certificate.publicCertificateHash256());
+
+        //... but ClientCredentialFactory has an implemented version, so it should not be null.
+        certificate = ClientCredentialFactory.createFromCertificate(TestHelper.getPrivateKey(), TestHelper.getX509Cert());
+        assertNotNull(certificate.publicCertificateHash256());
+    }
+
+    @Test
+    void testIClientCertificateInterface_CredentialFactoryUsesSha256() throws Exception {
+        DefaultHttpClient httpClientMock = mock(DefaultHttpClient.class);
+
+        ConfidentialClientApplication cca =
+                ConfidentialClientApplication.builder("clientId", ClientCredentialFactory.createFromCertificate(TestHelper.getPrivateKey(), TestHelper.getX509Cert()))
+                        .authority("https://login.microsoftonline.com/tenant")
+                        .instanceDiscovery(false)
+                        .validateAuthority(false)
+                        .httpClient(httpClientMock)
+                        .build();
+
+        HashMap<String, String> tokenResponseValues = new HashMap<>();
+        tokenResponseValues.put("access_token", "accessTokenSha256");
+
+        when(httpClientMock.send(any(HttpRequest.class))).thenAnswer( parameters -> {
+            HttpRequest request = parameters.getArgument(0);
+            Set<String> headerParams = ((PrivateKeyJWT) cca.clientAuthentication()).getClientAssertion().getHeader().getIncludedParams();
+            if (request.body().contains(((PrivateKeyJWT) cca.clientAuthentication()).getClientAssertion().serialize())
+                    && headerParams.contains("x5t#S256")) {
+
+                return TestHelper.expectedResponse(200, TestHelper.getSuccessfulTokenResponse(tokenResponseValues));
+            }
+            return null;
+        });
+        
+        ClientCredentialParameters parameters = ClientCredentialParameters.builder(Collections.singleton("scopes")).build();
+
+        IAuthenticationResult result = cca.acquireToken(parameters).get();
+
+        assertNotNull(result);
+        assertEquals("accessTokenSha256", result.accessToken());
+    }
+
+    class TestClientCredential implements IClientCertificate {
+        @Override
+        public PrivateKey privateKey() {
+            return null;
+        }
+
+        @Override
+        public String publicCertificateHash() {
+            return "";
+        }
+
+        @Override
+        public List<String> getEncodedPublicKeyCertificateChain() {
+            return Collections.emptyList();
+        }
+    }
 }

msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/TestHelper.java

@@ -7,12 +7,15 @@
 import com.nimbusds.jose.crypto.RSASSASigner;
 import com.nimbusds.jose.jwk.RSAKey;
 import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
+
 import java.io.File;
 import java.io.FileWriter;
 import java.io.IOException;
 import java.net.URISyntaxException;
 import java.nio.file.Files;
 import java.nio.file.Paths;
+import java.security.*;
+import java.security.cert.X509Certificate;
 import java.util.Base64;
 import java.util.Collections;
 import java.util.HashMap;
@@ -40,6 +43,14 @@ class TestHelper {
             "\"tid\": \"%s\"," +
             "\"ver\": \"2.0\"}";
 
+    static X509Certificate x509Cert = getX509Cert();
+    static PrivateKey privateKey = getPrivateKey();
+
+    public static String CERTIFICATE_ALIAS = "LabAuth.MSIDLab.com";
+    private static final String WIN_KEYSTORE = "Windows-MY";
+    private static final String KEYSTORE_PROVIDER = "SunMSCAPI";
+    private static final String MAC_KEYSTORE = "KeychainStore";
+
     static String readResource(Class<?> classInstance, String resource) {
         try {
             return new String(Files.readAllBytes(Paths.get(classInstance.getResource(resource).toURI())));
@@ -125,4 +136,39 @@ static String createIdToken(HashMap<String, String> idTokenValues) {
 
         return String.format("someheader.%s.somesignature", encodedTokenValues);
     }
-}
+
+    static void setPrivateKeyAndCert() {
+        try {
+            String os = System.getProperty("os.name");
+            KeyStore keystore;
+            if (os.toLowerCase().contains("windows")) {
+                keystore = KeyStore.getInstance(WIN_KEYSTORE, KEYSTORE_PROVIDER);
+            } else {
+                keystore = KeyStore.getInstance(MAC_KEYSTORE);
+            }
+
+            keystore.load(null, null);
+            privateKey = (PrivateKey) keystore.getKey(CERTIFICATE_ALIAS, null);
+            x509Cert = (X509Certificate) keystore.getCertificate(
+                    CERTIFICATE_ALIAS);
+        } catch (Exception e) {
+            throw new RuntimeException("Error getting certificate from keystore: " + e.getMessage());
+        }
+    }
+
+    static X509Certificate getX509Cert() {
+        if (x509Cert == null) {
+            setPrivateKeyAndCert();
+        }
+
+        return x509Cert;
+    }
+
+    static PrivateKey getPrivateKey() {
+        if (privateKey == null) {
+            setPrivateKeyAndCert();
+        }
+
+        return privateKey;
+    }
+}