Use SHA256 thumbprints in non-ADFS cert flows

Author: Avery-Dunn

msal4j-sdk/src/integrationtest/java/com.microsoft.aad.msal4j/ClientCredentialsIT.java

@@ -160,7 +160,7 @@ private ClientAssertion getClientAssertion(String clientId) {
                 clientId,
                 (ClientCertificate) certificate,
                 "https://login.microsoftonline.com/common/oauth2/v2.0/token",
-                true);
+                true, false);
     }
 
     private void assertAcquireTokenCommon(String clientId, IClientCredential credential, String authority) throws Exception {

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ClientCertificate.java

@@ -56,6 +56,13 @@ public String publicCertificateHash()
                 .getHash(publicKeyCertificateChain.get(0).getEncoded()));
     }
 
+    public String publicCertificateHashSha1()
+            throws CertificateEncodingException, NoSuchAlgorithmException {
+
+        return Base64.getEncoder().encodeToString(ClientCertificate
+                .getHashSha1(publicKeyCertificateChain.get(0).getEncoded()));
+    }
+
     public List<String> getEncodedPublicKeyCertificateChain() throws CertificateEncodingException {
         List<String> result = new ArrayList<>();
 
@@ -119,9 +126,15 @@ static ClientCertificate create(final PrivateKey key, final X509Certificate publ
         return new ClientCertificate(key, Arrays.asList(publicKeyCertificate));
     }
 
-    private static byte[] getHash(final byte[] inputBytes) throws NoSuchAlgorithmException {
+    private static byte[] getHashSha1(final byte[] inputBytes) throws NoSuchAlgorithmException {
         final MessageDigest md = MessageDigest.getInstance("SHA-1");
         md.update(inputBytes);
         return md.digest();
     }
+
+    private static byte[] getHash(final byte[] inputBytes) throws NoSuchAlgorithmException {
+        final MessageDigest md = MessageDigest.getInstance("SHA-256");
+        md.update(inputBytes);
+        return md.digest();
+    }
 }

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ConfidentialClientApplication.java

@@ -101,7 +101,11 @@ private void initClientAuthentication(IClientCredential clientCredential) {
         } else if (clientCredential instanceof ClientCertificate) {
             this.clientCertAuthentication = true;
             this.clientCertificate = (ClientCertificate) clientCredential;
-            clientAuthentication = buildValidClientCertificateAuthority();
+            if (Authority.detectAuthorityType(this.authenticationAuthority.canonicalAuthorityUrl()) == AuthorityType.ADFS) {
+                clientAuthentication = buildValidClientCertificateAuthorityLegacySha1();
+            } else  {
+                clientAuthentication = buildValidClientCertificateAuthority();
+            }
         } else if (clientCredential instanceof ClientAssertion) {
             clientAuthentication = createClientAuthFromClientAssertion((ClientAssertion) clientCredential);
         } else {
@@ -127,7 +131,18 @@ private ClientAuthentication buildValidClientCertificateAuthority() {
                 clientId(),
                 clientCertificate,
                 this.authenticationAuthority.selfSignedJwtAudience(),
-                sendX5c);
+                sendX5c,
+                false);
+        return createClientAuthFromClientAssertion(clientAssertion);
+    }
+
+    private ClientAuthentication buildValidClientCertificateAuthorityLegacySha1() {
+        ClientAssertion clientAssertion = JwtHelper.buildJwt(
+                clientId(),
+                clientCertificate,
+                this.authenticationAuthority.selfSignedJwtAudience(),
+                sendX5c,
+                true);
         return createClientAuthFromClientAssertion(clientAssertion);
     }
 

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/JwtHelper.java

@@ -21,7 +21,8 @@
 final class JwtHelper {
 
     static ClientAssertion buildJwt(String clientId, final ClientCertificate credential,
-                                    final String jwtAudience, boolean sendX5c) throws MsalClientException {
+                                    final String jwtAudience, boolean sendX5c,
+                                    boolean useLegacySha1) throws MsalClientException {
         if (StringHelper.isBlank(clientId)) {
             throw new IllegalArgumentException("clientId is null or empty");
         }
@@ -55,7 +56,11 @@ static ClientAssertion buildJwt(String clientId, final ClientCertificate credent
                 builder.x509CertChain(certs);
             }
 
-            builder.x509CertThumbprint(new Base64URL(credential.publicCertificateHash()));
+            if (useLegacySha1) {
+                builder.x509CertThumbprint(new Base64URL(credential.publicCertificateHashSha1()));
+            } else {
+                builder.x509CertSHA256Thumbprint(new Base64URL(credential.publicCertificateHash()));
+            }
 
             jwt = new SignedJWT(builder.build(), claimsSet);
             final RSASSASigner signer = new RSASSASigner(credential.privateKey());