Refactor NewClientCertificateCredential #15683

chlowell · 2021-10-01T18:42:21Z

This PR refactors NewClientCertificateCredential to take a slice of certificates and a private key instead of raw certificate data, and adds a helper method to simplify acquiring those in common cases. My motivation is primarily to avoid future problems around encrypted keys. There are many ways to encrypt a certificate's key, and the standard library doesn't support all of them. For example, its method for decrypting legacy PEM encryption is deprecated. Taking only raw cert data may oblige us to support such encryption schemes by writing our own decryption code or adding an external dependency, and asking customers to adopt an ugly workaround in the meantime.

before

certData, err := os.ReadFile("/cert.pem")
cred, err := NewClientCertificateCredential(tenantID, clientID, certData, password, nil)

after

certData, err := os.ReadFile("/cert.pem")
certs, key, err := LoadCerts(certData, password)
cred, err := NewClientCertificateCredential(tenantID, clientID, certs, key, nil)

LoadCerts handles common cases and can become more comprehensive over time; its capabilities are an implementation detail.

richardpark-msft · 2021-10-26T17:17:57Z

Not too familiar with identity. Just some minor comments.

richardpark-msft

Just some comments, looks good to my untrained eye.

sdk/azidentity/client_certificate_credential.go

sdk/azidentity/environment_credential.go

richardpark-msft · 2021-10-26T17:17:37Z

sdk/azidentity/jwt.go

@@ -43,7 +43,7 @@ func createClientAssertionJWT(clientID string, audience string, cert *certConten
 		X5t: base64.RawURLEncoding.EncodeToString(cert.fp),
 	}
 	if sendCertificateChain {
-		headerData.X5c = cert.publicCertificates
+		headerData.X5c = cert.x5c


I do miss the more descriptive name. I know there's reasons, but still. :)

sdk/azidentity/client_certificate_credential.go

richardpark-msft

Looks good, one little nit with an error message.

Co-authored-by: Richard Park <[email protected]>

sdk/azidentity/client_certificate_credential.go

chlowell requested a review from jhendrixMSFT October 1, 2021 18:42

chlowell marked this pull request as ready for review October 4, 2021 22:00

chlowell requested a review from RickWinter as a code owner October 4, 2021 22:00

RickWinter added Client This issue points to a problem in the data-plane of the library. Azure.Identity labels Oct 20, 2021

chlowell requested review from richardpark-msft and seankane-msft October 20, 2021 23:18

chlowell force-pushed the certs branch from 1d263b2 to 411601b Compare October 26, 2021 18:01

richardpark-msft reviewed Oct 26, 2021

View reviewed changes

chlowell added 8 commits October 27, 2021 08:28

Refactor NewClientCertificateCredential

e5e36f7

update tests

63e538a

delete fingerprint.go

488cfbe

changelog

fec21ca

clarify docs

31b9bbd

move type conversion into constructor

642f0dc

better error from NewEnvironmentCredential

0611a24

don't bother trying PEM format when given password

fe752ce

chlowell force-pushed the certs branch from 32681bb to fe752ce Compare October 27, 2021 15:28

add example for docs

f958db8

richardpark-msft reviewed Oct 27, 2021

View reviewed changes