certificate made optionall

Author: Vit Curda

msal/application.py

@@ -66,25 +66,27 @@ def _str2bytes(raw):
     except:
         return raw
 
+def _extract_cert_and_thumbprints(private_key, cert):
+    # Cert concepts https://security.stackexchange.com/a/226758/125264
+    from cryptography.hazmat.primitives import hashes, serialization
+    cert_pem = cert.public_bytes(encoding=serialization.Encoding.PEM).decode()
+    x5c = [
+        '\n'.join(cert_pem.splitlines()[1:-1])
+    ]
+    sha256_thumbprint = cert.fingerprint(hashes.SHA256()).hex()
+    sha1_thumbprint = cert.fingerprint(hashes.SHA1()).hex()
+    return private_key, sha256_thumbprint, sha1_thumbprint, x5c
 
 def _parse_pfx(pfx_path, passphrase_bytes):
     # Cert concepts https://security.stackexchange.com/a/226758/125264
-    from cryptography.hazmat.primitives import hashes, serialization
     from cryptography.hazmat.primitives.serialization import pkcs12
     with open(pfx_path, 'rb') as f:
         private_key, cert, _ = pkcs12.load_key_and_certificates(  # cryptography 2.5+
             # https://cryptography.io/en/latest/hazmat/primitives/asymmetric/serialization/#cryptography.hazmat.primitives.serialization.pkcs12.load_key_and_certificates
             f.read(), passphrase_bytes)
     if not (private_key and cert):
         raise ValueError("Your PFX file shall contain both private key and cert")
-    cert_pem = cert.public_bytes(encoding=serialization.Encoding.PEM).decode()  # cryptography 1.0+
-    x5c = [
-        '\n'.join(cert_pem.splitlines()[1:-1])  # Strip the "--- header ---" and "--- footer ---"
-    ]
-    sha256_thumbprint = cert.fingerprint(hashes.SHA256()).hex()  # cryptography 0.7+
-    sha1_thumbprint = cert.fingerprint(hashes.SHA1()).hex()  # cryptography 0.7+
-        # https://cryptography.io/en/latest/x509/reference/#x-509-certificate-object
-    return private_key, sha256_thumbprint, sha1_thumbprint, x5c
+    return _extract_cert_and_thumbprints(private_key, cert)
 
 
 def _load_private_key_from_pem_str(private_key_pem_str, passphrase_bytes):
@@ -306,7 +308,7 @@ def __init__(
 
                     {
                         "private_key": "...-----BEGIN PRIVATE KEY-----... in PEM format",
-                        "thumbprint": "A1B2C3D4E5F6...",
+                        "thumbprint": "A1B2C3D4E5F6...", (Optinal, if not provided, MSAL will calculate it. Added in version 1.34.0)
                         "public_certificate": "...-----BEGIN CERTIFICATE-----...",
                         "passphrase": "Passphrase if the private_key is encrypted (Optional. Added in version 1.6.0)",
                     }
@@ -815,6 +817,15 @@ def _build_client(self, client_credential, authority, skip_regional_client=False
                         passphrase_bytes)
                     if client_credential.get("public_certificate") is True and x5c:
                         headers["x5c"] = x5c
+                elif (client_credential.get("private_key") 
+                      and client_credential.get("public_certificate") 
+                      and not client_credential.get("thumbprint")): # in case user does not pass thumbprint but only certificate and private key
+                        private_key, sha256_thumbprint, sha1_thumbprint, x5c =(
+                             _extract_cert_and_thumbprints(
+                                client_credential['private_key'],
+                                client_credential['public_certificate']))
+                        if x5c:
+                            headers["x5c"] = x5c
                 elif (
                         client_credential.get("private_key")  # PEM blob
                         and client_credential.get("thumbprint")):

msal/sku.py

@@ -2,5 +2,5 @@
 """
 
 # The __init__.py will import this. Not the other way around.
-__version__ = "1.33.0b1"
+__version__ = "1.34.0b1"
 SKU = "MSAL.Python"