Updating hash function for MsalAuth._client_credential_cache#347
Updating hash function for MsalAuth._client_credential_cache#347rodrigobr-msft wants to merge 1 commit intomainfrom
Conversation
There was a problem hiding this comment.
Pull request overview
Updates MSAL certificate-based authentication to compute the certificate thumbprint using SHA-256 instead of SHA-1 when building the client_credential passed into ConfidentialClientApplication.
Changes:
- Switched certificate fingerprinting from SHA-1 to SHA-256 for the
client_credential['thumbprint']value.
Comments suppressed due to low confidence (1)
libraries/microsoft-agents-authentication-msal/microsoft_agents/authentication/msal/msal_auth.py:234
- There are unit tests for
MsalAuthbehavior, but the certificate-auth branch in_create_client_application(including thumbprint generation) isn’t covered. Please add a test that exercisesAuthTypes.certificatewith a real/generated PEM cert and asserts the credential dict passed toConfidentialClientApplicationcontains the expected thumbprint algorithm/format.
# Create an X509 object and calculate the thumbprint
logger.info("Calculating thumbprint for the public certificate.")
cert = load_pem_x509_certificate(
data=bytes(public_certificate, "UTF-8"), backend=default_backend()
)
thumbprint = cert.fingerprint(hashes.SHA256()).hex()
self._client_credential_cache = {
"thumbprint": thumbprint,
"private_key": private_key,
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| data=bytes(public_certificate, "UTF-8"), backend=default_backend() | ||
| ) | ||
| thumbprint = cert.fingerprint(hashes.SHA1()).hex() | ||
| thumbprint = cert.fingerprint(hashes.SHA256()).hex() |
There was a problem hiding this comment.
Switching the certificate thumbprint hash from SHA-1 to SHA-256 changes both the value and length (40 hex chars -> 64). Since this value is passed to MSAL as the client_credential['thumbprint'], please verify MSAL/AAD expects a SHA-256 thumbprint here; if MSAL is still using the x5t (SHA-1) header/claim, this will break certificate-based authentication. If SHA-256 is the goal, consider using the MSAL-supported field/claim for SHA-256 (e.g., x5t#S256 / a dedicated thumbprint_sha256 parameter) or providing both where supported.
This pull request updates the cryptographic hash algorithm used to compute certificate thumbprints in the MSAL authentication logic. The change improves security by switching from SHA-1 to SHA-256 for certificate fingerprinting.
Security improvement:
_create_client_applicationmethod ofmsal_auth.pyto use SHA-256 instead of the less secure SHA-1.