Allow PKCS12 certificates to have non-privatekey aliases (#549)

Author: Avery-Dunn

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ClientCertificate.java

@@ -3,6 +3,9 @@
 
 package com.microsoft.aad.msal4j;
 
+import lombok.Getter;
+import lombok.experimental.Accessors;
+
 import java.io.IOException;
 import java.io.InputStream;
 import java.lang.reflect.InvocationTargetException;
@@ -19,10 +22,11 @@
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.security.interfaces.RSAPrivateKey;
-import java.util.*;
-
-import lombok.Getter;
-import lombok.experimental.Accessors;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Base64;
+import java.util.Enumeration;
+import java.util.List;
 
 final class ClientCertificate implements IClientCertificate {
 
@@ -97,14 +101,7 @@ static ClientCertificate create(InputStream pkcs12Certificate, String password)
         final KeyStore keystore = KeyStore.getInstance("PKCS12");
         keystore.load(pkcs12Certificate, password.toCharArray());
 
-        final Enumeration<String> aliases = keystore.aliases();
-        if (!aliases.hasMoreElements()) {
-            throw new IllegalArgumentException("certificate not loaded from input stream");
-        }
-        String alias = aliases.nextElement();
-        if (aliases.hasMoreElements()) {
-            throw new IllegalArgumentException("more than one certificate alias found in input stream");
-        }
+        String alias = getPrivateKeyAlias(keystore);
 
         ArrayList<X509Certificate> publicKeyCertificateChain = new ArrayList<>();
         PrivateKey privateKey = (PrivateKey) keystore.getKey(alias, password.toCharArray());
@@ -123,6 +120,26 @@ static ClientCertificate create(InputStream pkcs12Certificate, String password)
         return new ClientCertificate(privateKey, publicKeyCertificateChain);
     }
 
+    static String getPrivateKeyAlias(KeyStore keystore) throws KeyStoreException {
+        String alias = null;
+        final Enumeration<String> aliases = keystore.aliases();
+        while (aliases.hasMoreElements()) {
+            String currentAlias = aliases.nextElement();
+            if (keystore.entryInstanceOf(currentAlias, KeyStore.PrivateKeyEntry.class)) {
+                if (alias != null) {
+                    throw new IllegalArgumentException("more than one certificate alias found in input stream");
+                }
+                alias = currentAlias;
+            }
+        }
+
+        if (alias == null) {
+            throw new IllegalArgumentException("certificate not loaded from input stream");
+        }
+
+        return alias;
+    }
+
     static ClientCertificate create(final PrivateKey key, final X509Certificate publicKeyCertificate) {
         return new ClientCertificate(key, Arrays.asList(publicKeyCertificate));
     }

msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/ClientCertificatePkcs12Test.java

@@ -0,0 +1,75 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.microsoft.aad.msal4j;
+
+import org.easymock.EasyMock;
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+import java.security.KeyStore;
+import java.security.KeyStoreSpi;
+import java.util.Arrays;
+import java.util.Collections;
+
+import static org.testng.AssertJUnit.assertEquals;
+
+@Test
+public class ClientCertificatePkcs12Test extends AbstractMsalTests {
+
+    private KeyStoreSpi keyStoreSpi;
+    private KeyStore keystore;
+
+    @BeforeMethod
+    public void setUp() throws Exception {
+        keyStoreSpi = EasyMock.createMock(KeyStoreSpi.class);
+        keystore = new KeyStore(keyStoreSpi, null, "PKCS12") {};
+        keystore.load(null);
+    }
+
+    @Test(expectedExceptions = IllegalArgumentException.class, expectedExceptionsMessageRegExp = "certificate not loaded from input stream")
+    public void testNoEntries() throws Exception {
+        EasyMock.expect(keyStoreSpi.engineAliases())
+                .andReturn(Collections.enumeration(Collections.emptyList())).times(1);
+        EasyMock.replay(keyStoreSpi);
+
+        ClientCertificate.getPrivateKeyAlias(keystore);
+    }
+
+    @Test(expectedExceptions = IllegalArgumentException.class, expectedExceptionsMessageRegExp = "certificate not loaded from input stream")
+    public void testNoPrivateKey() throws Exception {
+        EasyMock.expect(keyStoreSpi.engineAliases())
+                .andReturn(Collections.enumeration(Arrays.asList("CA_cert1", "CA_cert2"))).times(1);
+        EasyMock.expect(keyStoreSpi.engineEntryInstanceOf("CA_cert1", KeyStore.PrivateKeyEntry.class)).andReturn(false).times(1);
+        EasyMock.expect(keyStoreSpi.engineEntryInstanceOf("CA_cert2", KeyStore.PrivateKeyEntry.class)).andReturn(false).times(1);
+        EasyMock.replay(keyStoreSpi);
+
+        ClientCertificate.getPrivateKeyAlias(keystore);
+    }
+
+    @Test(expectedExceptions = IllegalArgumentException.class, expectedExceptionsMessageRegExp = "more than one certificate alias found in input stream")
+    public void testMultiplePrivateKeyAliases() throws Exception {
+        EasyMock.expect(keyStoreSpi.engineAliases())
+                .andReturn(Collections.enumeration(Arrays.asList("private_key1", "private_key2", "CA_cert"))).times(1);
+        EasyMock.expect(keyStoreSpi.engineEntryInstanceOf("private_key1", KeyStore.PrivateKeyEntry.class)).andReturn(true).times(1);
+        EasyMock.expect(keyStoreSpi.engineEntryInstanceOf("private_key2", KeyStore.PrivateKeyEntry.class)).andReturn(true).times(1);
+        EasyMock.expect(keyStoreSpi.engineEntryInstanceOf("CA_cert", KeyStore.PrivateKeyEntry.class)).andReturn(false).times(1);
+        EasyMock.replay(keyStoreSpi);
+
+        ClientCertificate.getPrivateKeyAlias(keystore);
+    }
+
+    @Test
+    public void testMultipleEntriesButOnlyOnePrivateKey() throws Exception {
+        EasyMock.expect(keyStoreSpi.engineAliases())
+                .andReturn(Collections.enumeration(Arrays.asList("CA_cert1", "private_key", "CA_cert2"))).times(1);
+        EasyMock.expect(keyStoreSpi.engineEntryInstanceOf("CA_cert1", KeyStore.PrivateKeyEntry.class)).andReturn(false).times(1);
+        EasyMock.expect(keyStoreSpi.engineEntryInstanceOf("private_key", KeyStore.PrivateKeyEntry.class)).andReturn(true).times(1);
+        EasyMock.expect(keyStoreSpi.engineEntryInstanceOf("CA_cert2", KeyStore.PrivateKeyEntry.class)).andReturn(false).times(1);
+        EasyMock.replay(keyStoreSpi);
+
+        String privateKeyAlias = ClientCertificate.getPrivateKeyAlias(keystore);
+        assertEquals("private_key", privateKeyAlias);
+    }
+
+}