Cleaner implementation and precise docs on SHA256

Author: rayluo

.gitignore

@@ -62,3 +62,6 @@ msal_cache.bin
 
 .env
 .perf.baseline
+
+*.pfx
+.vscode/settings.json

msal/application.py

@@ -66,7 +66,7 @@ def _str2bytes(raw):
     except:
         return raw
 
-def _extract_cert_and_thumbprints(private_key, cert):
+def _extract_cert_and_thumbprints(cert):
     # Cert concepts https://security.stackexchange.com/a/226758/125264
     from cryptography.hazmat.primitives import hashes, serialization
     cert_pem = cert.public_bytes(encoding=serialization.Encoding.PEM).decode()
@@ -75,7 +75,7 @@ def _extract_cert_and_thumbprints(private_key, cert):
     ]
     sha256_thumbprint = cert.fingerprint(hashes.SHA256()).hex()
     sha1_thumbprint = cert.fingerprint(hashes.SHA1()).hex()
-    return private_key, sha256_thumbprint, sha1_thumbprint, x5c
+    return sha256_thumbprint, sha1_thumbprint, x5c
 
 def _parse_pfx(pfx_path, passphrase_bytes):
     # Cert concepts https://security.stackexchange.com/a/226758/125264
@@ -86,7 +86,8 @@ def _parse_pfx(pfx_path, passphrase_bytes):
             f.read(), passphrase_bytes)
     if not (private_key and cert):
         raise ValueError("Your PFX file shall contain both private key and cert")
-    return _extract_cert_and_thumbprints(private_key, cert)
+    sha256_thumbprint, sha1_thumbprint, x5c = _extract_cert_and_thumbprints(cert)
+    return private_key, sha256_thumbprint, sha1_thumbprint, x5c
 
 
 def _load_private_key_from_pem_str(private_key_pem_str, passphrase_bytes):
@@ -290,7 +291,9 @@ def __init__(
 
                     {
                         "private_key": "...-----BEGIN PRIVATE KEY-----... in PEM format",
-                        "thumbprint": "An SHA-1 thumbprint such as A1B2C3D4E5F6...",  # Optional since version 1.35.0
+                        "thumbprint": "An SHA-1 thumbprint such as A1B2C3D4E5F6..."
+                            "Optional since version 1.35.0."
+                            "When absent, MSAL will calculate SHA-256 thumbprint automatically.",
                         "passphrase": "Needed if the private_key is encrypted (Added in version 1.6.0)",
                         "public_certificate": "...-----BEGIN CERTIFICATE-----...",  # Needed if you use Subject Name/Issuer auth. Added in version 0.5.0.
                     }
@@ -805,31 +808,30 @@ def _build_client(self, client_credential, authority, skip_regional_client=False
                         passphrase_bytes)
                     if client_credential.get("public_certificate") is True and x5c:
                         headers["x5c"] = x5c
-                elif (client_credential.get("private_key") 
-                      and client_credential.get("public_certificate") 
-                      and not client_credential.get("thumbprint")): #in case user does not pass thumbprint but only certificate and private key
-                        if passphrase_bytes: # PEM with passphrase
-                            private_key = _load_private_key_from_pem_str(
-                                client_credential['private_key'], passphrase_bytes)
-                        else:  # PEM without passphrase
-                            private_key = client_credential['private_key']
-                        
-                        private_key, sha256_thumbprint, sha1_thumbprint, x5c =(
-                             _extract_cert_and_thumbprints(
-                                private_key,
-                                client_credential['public_certificate']))
-                        if x5c:
-                            headers["x5c"] = x5c
-
-                elif (
-                        client_credential.get("private_key")  # PEM blob
-                        and client_credential.get("thumbprint")):
-                    sha1_thumbprint = client_credential["thumbprint"]
-                    if passphrase_bytes:
-                        private_key = _load_private_key_from_pem_str(
+                elif client_credential.get("private_key"):  # PEM blob
+                    private_key = (  # handles both encrypted and unencrypted
+                        _load_private_key_from_pem_str(
                             client_credential['private_key'], passphrase_bytes)
-                    else:  # PEM without passphrase
-                        private_key = client_credential['private_key']
+                        if passphrase_bytes
+                        else client_credential['private_key']
+                    )
+
+                    # Determine thumbprints based on what's provided
+                    if client_credential.get("thumbprint"):
+                        # User provided a thumbprint - use it as SHA-1 (legacy/manual approach)
+                        sha1_thumbprint = client_credential["thumbprint"]
+                        sha256_thumbprint = None
+                    elif isinstance(client_credential.get('public_certificate'), str):
+                        # No thumbprint provided, but we have a certificate to calculate thumbprints
+                        from cryptography import x509
+                        cert = x509.load_pem_x509_certificate(
+                            _str2bytes(client_credential['public_certificate']))
+                        sha256_thumbprint, sha1_thumbprint, headers["x5c"] = (
+                            _extract_cert_and_thumbprints(cert))
+                    else:
+                        raise ValueError(
+                            "You must provide either 'thumbprint' or 'public_certificate' "
+                            "from which the thumbprint can be calculated.")
                 else:
                     raise ValueError(
                         "client_credential needs to follow this format "