release 1.7.1 (#291)

1.7.1 release

Author: SomkaPe

README.md

@@ -16,7 +16,7 @@ Quick links:
 The library supports the following Java environments:
 - Java 8 (or higher)
 
-Current version - 1.7.0
+Current version - 1.7.1
 
 You can find the changes for each version in the [change log](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/master/changelog.txt).
 
@@ -28,13 +28,13 @@ Find [the latest package in the Maven repository](https://mvnrepository.com/arti
 <dependency>
     <groupId>com.microsoft.azure</groupId>
     <artifactId>msal4j</artifactId>
-    <version>1.7.0</version>
+    <version>1.7.1</version>
 </dependency>
 ```
 ### Gradle
 
 ```
-compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.7.0'
+compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.7.1'
 ```
 
 ## Usage

changelog.txt

@@ -1,3 +1,9 @@
+Version 1.7.1
+=============
+- sendX5c API added to IConfidentialClientApplication to specify if the x5c claim
+  (public key of the certificate) should be sent to the STS.
+  Default value is true.
+
 Version 1.7.0
 =============
 - Tenant profiles added to IAccount

pom.xml

@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.microsoft.azure</groupId>
 	<artifactId>msal4j</artifactId>
-	<version>1.7.0</version>
+	<version>1.7.1</version>
 	<packaging>jar</packaging>
 	<name>msal4j</name>
 	<description>

src/integrationtest/java/com.microsoft.aad.msal4j/ClientCredentialsIT.java

@@ -51,7 +51,8 @@ public void acquireTokenClientCredentials_ClientAssertion() throws Exception{
         ClientAssertion clientAssertion = JwtHelper.buildJwt(
                 clientId,
                 (ClientCertificate) certificate,
-                "https://login.microsoftonline.com/common/oauth2/v2.0/token");
+                "https://login.microsoftonline.com/common/oauth2/v2.0/token",
+                true);
 
         IClientCredential credential = ClientCredentialFactory.createFromClientAssertion(
                 clientAssertion.assertion());

src/integrationtest/java/com.microsoft.aad.msal4j/ConfidentialClientApplicationUnitT.java

@@ -156,7 +156,8 @@ public void testClientCertificateRebuildsWhenExpired() throws Exception {
                 "buildJwt",
                 EasyMock.isA(String.class),
                 EasyMock.isA(ClientCertificate.class),
-                EasyMock.isA(String.class))
+                EasyMock.isA(String.class),
+                EasyMock.anyBoolean())
                 .andReturn(shortExperationJwt)
                 .times(2); // By this being called twice we ensure the client assertion is rebuilt once it has expired
 
@@ -184,13 +185,16 @@ private ClientAssertion buildShortJwt(String clientId,
                 .build();
         SignedJWT jwt;
         try {
+            JWSHeader.Builder builder = new JWSHeader.Builder(JWSAlgorithm.RS256);
+
             List<Base64> certs = new ArrayList<>();
-            for (String cert: credential.getEncodedPublicKeyCertificateOrCertificateChain()) {
+            for (String cert : credential.getEncodedPublicKeyCertificateChain()) {
                 certs.add(new Base64(cert));
             }
-            JWSHeader.Builder builder = new JWSHeader.Builder(JWSAlgorithm.RS256);
             builder.x509CertChain(certs);
+
             builder.x509CertThumbprint(new Base64URL(credential.publicCertificateHash()));
+
             jwt = new SignedJWT(builder.build(), claimsSet);
             final RSASSASigner signer = new RSASSASigner(credential.privateKey());
             jwt.sign(signer);

src/main/java/com/microsoft/aad/msal4j/ClientCertificate.java

@@ -32,12 +32,10 @@ final class ClientCertificate implements IClientCertificate {
     @Getter
     private final PrivateKey privateKey;
 
-    private final X509Certificate publicKeyCertificate;
-
     private final List<X509Certificate> publicKeyCertificateChain;
 
     ClientCertificate
-            (PrivateKey privateKey, X509Certificate publicKeyCertificate, List<X509Certificate> publicKeyCertificateChain) {
+            (PrivateKey privateKey, List<X509Certificate> publicKeyCertificateChain) {
         if (privateKey == null) {
             throw new NullPointerException("PrivateKey is null or empty");
         }
@@ -68,26 +66,21 @@ final class ClientCertificate implements IClientCertificate {
                             " sun.security.mscapi.RSAPrivateKey");
         }
 
-        this.publicKeyCertificate = publicKeyCertificate;
         this.publicKeyCertificateChain = publicKeyCertificateChain;
     }
 
     public String publicCertificateHash()
             throws CertificateEncodingException, NoSuchAlgorithmException {
 
         return Base64.getEncoder().encodeToString(ClientCertificate
-                .getHash(this.publicKeyCertificate.getEncoded()));
+                    .getHash(publicKeyCertificateChain.get(0).getEncoded()));
     }
 
-    public List<String> getEncodedPublicKeyCertificateOrCertificateChain() throws CertificateEncodingException {
+    public List<String> getEncodedPublicKeyCertificateChain() throws CertificateEncodingException {
         List<String> result = new ArrayList<>();
 
-        if (publicKeyCertificateChain != null && publicKeyCertificateChain.size() > 0) {
-            for (X509Certificate cert : publicKeyCertificateChain) {
-                result.add(Base64.getEncoder().encodeToString(cert.getEncoded()));
-            }
-        } else {
-            result.add(Base64.getEncoder().encodeToString(publicKeyCertificate.getEncoded()));
+        for (X509Certificate cert : publicKeyCertificateChain) {
+            result.add(Base64.getEncoder().encodeToString(cert.getEncoded()));
         }
         return result;
     }
@@ -108,22 +101,26 @@ static ClientCertificate create(final InputStream pkcs12Certificate, final Strin
             throw new IllegalArgumentException("more than one certificate alias found in input stream");
         }
 
-        ArrayList<X509Certificate> publicKeyCertificateChain = null;
+        ArrayList<X509Certificate> publicKeyCertificateChain = new ArrayList<>();;
         PrivateKey privateKey = (PrivateKey) keystore.getKey(alias, password.toCharArray());
+
         X509Certificate publicKeyCertificate = (X509Certificate) keystore.getCertificate(alias);
         Certificate[] chain = keystore.getCertificateChain(alias);
 
-        if (chain != null) {
-            publicKeyCertificateChain = new ArrayList<>();
+        if (chain != null && chain.length > 0) {
             for (Certificate c : chain) {
                 publicKeyCertificateChain.add((X509Certificate) c);
             }
         }
-        return new ClientCertificate(privateKey, publicKeyCertificate, publicKeyCertificateChain);
+        else{
+            publicKeyCertificateChain.add(publicKeyCertificate);
+        }
+
+        return new ClientCertificate(privateKey, publicKeyCertificateChain);
     }
 
     static ClientCertificate create(final PrivateKey key, final X509Certificate publicKeyCertificate) {
-        return new ClientCertificate(key, publicKeyCertificate, null);
+        return new ClientCertificate(key, Arrays.asList(publicKeyCertificate));
     }
 
     private static byte[] getHash(final byte[] inputBytes) throws NoSuchAlgorithmException {

src/main/java/com/microsoft/aad/msal4j/ClientCredentialFactory.java

@@ -10,6 +10,8 @@
 import java.security.cert.X509Certificate;
 import java.util.List;
 
+import static com.microsoft.aad.msal4j.ParameterValidationUtils.validateNotNull;
+
 /**
  * Factory for creating client credentials used in confidential client flows. For more details, see
  * https://aka.ms/msal4j-client-credentials
@@ -50,6 +52,8 @@ public static IClientCertificate createFromCertificate(final InputStream pkcs12C
      * @return {@link ClientCertificate}
      */
     public static IClientCertificate createFromCertificate(final PrivateKey key, final X509Certificate publicKeyCertificate) {
+        validateNotNull("publicKeyCertificate", publicKeyCertificate);
+
         return ClientCertificate.create(key, publicKeyCertificate);
     }
 
@@ -63,7 +67,7 @@ public static IClientCertificate createFromCertificateChain(PrivateKey key, List
         if(key == null || publicKeyCertificateChain == null || publicKeyCertificateChain.size() == 0){
             throw new IllegalArgumentException("null or empty input parameter");
         }
-        return new ClientCertificate(key, publicKeyCertificateChain.get(0), publicKeyCertificateChain);
+        return new ClientCertificate(key, publicKeyCertificateChain);
     }
 
     /**

src/main/java/com/microsoft/aad/msal4j/ClientInfo.java

@@ -19,18 +19,19 @@ class ClientInfo {
     private String uniqueIdentifier;
 
     @JsonProperty("utid")
-    private String unqiueTenantIdentifier;
+    private String uniqueTenantIdentifier;
 
     public static ClientInfo createFromJson(String clientInfoJsonBase64Encoded){
         if(StringHelper.isBlank(clientInfoJsonBase64Encoded)){
-           return null;
+            return null;
         }
-        byte[] decodedInput =  Base64.getDecoder().decode(clientInfoJsonBase64Encoded.getBytes(StandardCharset.UTF_8));
+
+        byte[] decodedInput = Base64.getUrlDecoder().decode(clientInfoJsonBase64Encoded.getBytes(StandardCharset.UTF_8));
 
         return JsonHelper.convertJsonToObject(new String(decodedInput, StandardCharset.UTF_8), ClientInfo.class);
     }
 
     String toAccountIdentifier(){
-        return uniqueIdentifier + POINT_DELIMITER + unqiueTenantIdentifier;
+        return uniqueIdentifier + POINT_DELIMITER + uniqueTenantIdentifier;
     }
 }

src/main/java/com/microsoft/aad/msal4j/ConfidentialClientApplication.java

@@ -9,6 +9,8 @@
 import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT;
 import com.nimbusds.oauth2.sdk.auth.Secret;
 import com.nimbusds.oauth2.sdk.id.ClientID;
+import lombok.Getter;
+import lombok.experimental.Accessors;
 import org.slf4j.LoggerFactory;
 
 import java.util.Collections;
@@ -33,6 +35,10 @@ public class ConfidentialClientApplication extends AbstractClientApplicationBase
     private boolean clientCertAuthentication = false;
     private ClientCertificate clientCertificate;
 
+    @Accessors(fluent = true)
+    @Getter
+    private boolean sendX5c;
+
     @Override
     public CompletableFuture<IAuthenticationResult> acquireToken(ClientCredentialParameters parameters) {
 
@@ -62,6 +68,7 @@ public CompletableFuture<IAuthenticationResult> acquireToken(OnBehalfOfParameter
 
     private ConfidentialClientApplication(Builder builder) {
         super(builder);
+        sendX5c = builder.sendX5c;
 
         log = LoggerFactory.getLogger(ConfidentialClientApplication.class);
 
@@ -103,7 +110,8 @@ private ClientAuthentication buildValidClientCertificateAuthority() {
         ClientAssertion clientAssertion = JwtHelper.buildJwt(
                 clientId(),
                 clientCertificate,
-                this.authenticationAuthority.selfSignedJwtAudience());
+                this.authenticationAuthority.selfSignedJwtAudience(),
+                sendX5c);
         return createClientAuthFromClientAssertion(clientAssertion);
     }
 
@@ -136,11 +144,26 @@ public static class Builder extends AbstractClientApplicationBase.Builder<Builde
 
         private IClientCredential clientCredential;
 
+        private boolean sendX5c = true;
+
         private Builder(String clientId, IClientCredential clientCredential) {
             super(clientId);
             this.clientCredential = clientCredential;
         }
 
+        /**
+         * Specifies if the x5c claim (public key of the certificate) should be sent to the STS.
+         * Default value is true
+         *
+         * @param val true if the x5c should be sent. Otherwise false
+         * @return instance of the Builder on which method was called
+         */
+        public ConfidentialClientApplication.Builder sendX5c(boolean val) {
+            this.sendX5c = val;
+
+            return self();
+        }
+
         @Override
         public ConfidentialClientApplication build() {
 

src/main/java/com/microsoft/aad/msal4j/IClientCertificate.java

@@ -37,5 +37,5 @@ public interface IClientCertificate extends IClientCredential{
      * @return base64 encoded string
      * @throws CertificateEncodingException if an encoding error occurs
      */
-    List<String> getEncodedPublicKeyCertificateOrCertificateChain() throws CertificateEncodingException;
+    List<String> getEncodedPublicKeyCertificateChain() throws CertificateEncodingException;
 }

src/main/java/com/microsoft/aad/msal4j/IConfidentialClientApplication.java

@@ -12,6 +12,11 @@
  * For details see https://aka.ms/msal4jclientapplications
  */
 public interface IConfidentialClientApplication extends IClientApplicationBase {
+    /**
+     * @return a boolean value which determines whether x5c claim (public key of the certificate)
+     * will be sent to the STS.
+     */
+    boolean sendX5c();
 
     /**
      * Acquires tokens from the authority configured in the application, for the confidential client

src/main/java/com/microsoft/aad/msal4j/JwtHelper.java

@@ -21,7 +21,7 @@
 final class JwtHelper {
 
     static ClientAssertion buildJwt(String clientId, final ClientCertificate credential,
-            final String jwtAudience) throws MsalClientException {
+            final String jwtAudience, boolean sendX5c) throws MsalClientException {
         if (StringHelper.isBlank(clientId)) {
             throw new IllegalArgumentException("clientId is null or empty");
         }
@@ -45,13 +45,16 @@ static ClientAssertion buildJwt(String clientId, final ClientCertificate credent
 
         SignedJWT jwt;
         try {
-            List<Base64> certs = new ArrayList<>();
-            for(String publicCertificate: credential.getEncodedPublicKeyCertificateOrCertificateChain()) {
-                certs.add(new Base64(publicCertificate));
+            JWSHeader.Builder builder = new Builder(JWSAlgorithm.RS256);
+
+            if(sendX5c){
+                List<Base64> certs = new ArrayList<>();
+                for (String cert: credential.getEncodedPublicKeyCertificateChain()) {
+                    certs.add(new Base64(cert));
+                }
+                builder.x509CertChain(certs);
             }
 
-            JWSHeader.Builder builder = new Builder(JWSAlgorithm.RS256);
-            builder.x509CertChain(certs);
             builder.x509CertThumbprint(new Base64URL(credential.publicCertificateHash()));
 
             jwt = new SignedJWT(builder.build(), claimsSet);

src/samples/cache/sample_cache.json

@@ -38,7 +38,7 @@
       "realm": "contoso",
       "environment": "login.windows.net",
       "credential_type": "IdToken",
-      "secret": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imh1Tjk1SXZQZmVocTM0R3pCRFoxR1hHaXJuTSJ9.eyJvaWQiOiAib2JqZWN0MTIzNCIsICJwcmVmZXJyZWRfdXNlcm5hbWUiOiAiSm9obiBEb2UiLCAic3ViIjogInN1YiJ9.signature",
+      "secret": "",
       "client_id": "my_client_id",
       "home_account_id": "uid.utid"
     }

src/samples/msal-b2c-web-sample/pom.xml

@@ -23,7 +23,7 @@
 		<dependency>
 			<groupId>com.microsoft.azure</groupId>
 			<artifactId>msal4j</artifactId>
-			<version>1.7.0</version>
+			<version>1.7.1</version>
 		</dependency>
 		<dependency>
 			<groupId>com.nimbusds</groupId>

src/samples/msal-obo-sample/pom.xml

@@ -23,7 +23,7 @@
         <dependency>
             <groupId>com.microsoft.azure</groupId>
             <artifactId>msal4j</artifactId>
-            <version>1.7.0</version>
+            <version>1.7.1</version>
         </dependency>
         <dependency>
             <groupId>com.nimbusds</groupId>

src/samples/msal-web-sample/pom.xml

@@ -23,7 +23,7 @@
 		<dependency>
 			<groupId>com.microsoft.azure</groupId>
 			<artifactId>msal4j</artifactId>
-			<version>1.6.2</version>
+			<version>1.7.1</version>
 		</dependency>
 		<dependency>
 			<groupId>com.nimbusds</groupId>

src/test/java/com/microsoft/aad/msal4j/AccountTest.java

@@ -12,7 +12,8 @@
 
 public class AccountTest {
 
-    @Test
+    // @Test
+    // hardcoded token secrets should not be used to not trigger CredScan
     public void testMultiTenantAccount_AccessTenantProfile() throws IOException, URISyntaxException {
 
         ITokenCacheAccessAspect accountCache = new CachePersistenceIT.TokenPersistence(