Add mTLS PoP architecture doc, fix API calls in docs, add cross-SDK comparison table

- Fix Path 1 API calls: ClientCredentialFactory.createFromCertificate + withMtlsProofOfPossession() (no-arg)
- Add cross-SDK comparison table (msal-java vs dotnet vs go vs node) to mtls-pop.md
- Update mtls-pop-manual-testing.md: fat JAR e2e runner replaces .NET helper smoke-test
- Add mtls-pop-architecture.md: JNA/CNG design, sequence diagrams, key level fallback, cert cache
- Link architecture doc from mtls-pop.md references and mtls-extensions README

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: Robbie-Microsoft

msal4j-mtls-extensions/README.md

@@ -6,8 +6,8 @@ The latest code resides in the `dev` branch.
 
 Quick links:
 
-| [Docs](../../msal4j-sdk/docs/mtls-pop.md) | [Manual Testing](../../msal4j-sdk/docs/mtls-pop-manual-testing.md) | [Support](README.md#community-help-and-support) |
-| --- | --- | --- |
+| [Docs](../../msal4j-sdk/docs/mtls-pop.md) | [Manual Testing](../../msal4j-sdk/docs/mtls-pop-manual-testing.md) | [Architecture](../../msal4j-sdk/docs/mtls-pop-architecture.md) | [Support](README.md#community-help-and-support) |
+| --- | --- | --- | --- |
 
 ## Installation
 

msal4j-sdk/docs/mtls-pop-architecture.md

@@ -0,0 +1,154 @@
+# mTLS PoP Architecture — Deep Dive
+
+This document describes the internal architecture of the mTLS Proof of Possession implementation in MSAL4J. For the user-facing API guide, see [mtls-pop.md](mtls-pop.md).
+
+---
+
+## Flow Diagrams
+
+### Path 1 — Confidential Client (SNI Certificate)
+
+```mermaid
+sequenceDiagram
+    participant App
+    participant MSAL as MSAL4J
+    participant mtlsauth as {region}.mtlsauth.microsoft.com
+
+    App->>MSAL: acquireToken(withMtlsProofOfPossession())
+    MSAL->>MSAL: Resolve region → build mTLS endpoint URL
+    MSAL->>MSAL: MtlsSslContextHelper.createSslSocketFactory(key, cert)
+    MSAL->>mtlsauth: POST /{tenant}/oauth2/v2.0/token<br/>(TLS handshake with caller cert — no client_assertion)
+    mtlsauth-->>MSAL: token_type=mtls_pop, access_token
+    MSAL-->>App: IAuthenticationResult{accessToken, bindingCertificate}
+    Note over App: Subsequent calls → TokenSource=Cache
+```
+
+### Path 2 — Managed Identity (IMDSv2)
+
+```mermaid
+sequenceDiagram
+    participant App
+    participant Ext as MtlsMsiClient (msal4j-mtls-extensions)
+    participant IMDS as IMDS (169.254.169.254)
+    participant CNG as Windows CNG via JNA (ncrypt.dll)
+    participant Attest as AttestationClientLib.dll → MAA
+    participant Token as mTLS Token Endpoint
+
+    App->>Ext: acquireToken(resource, "SystemAssigned", withAttestation)
+    Ext->>IMDS: GET /metadata/identity/getplatformmetadata
+    IMDS-->>Ext: clientID, tenantID, cuID, attestationEndpoint
+    Ext->>CNG: GetOrCreateManagedIdentityKey(MSALMtlsKey_{cuID})
+    Note over CNG: KeyGuard (VBS) → Hardware → InMemory
+    CNG-->>Ext: RSA-2048 key handle (CngKey)
+    Ext->>Ext: Build PKCS#10 CSR (Pkcs10Builder via JNA)
+    Ext->>Attest: AttestKeyGuardImportKey(attestationEndpoint, keyHandle)
+    Attest-->>Ext: MAA JWT (proves VBS KeyGuard protection)
+    Ext->>IMDS: POST /metadata/identity/issuecredential {csr, attestation_token}
+    IMDS-->>Ext: binding_certificate + mtls_authentication_endpoint
+    Ext->>Ext: Cache binding cert (expires 5 min before NotAfter)
+    Ext->>Token: POST /{tenant}/oauth2/v2.0/token<br/>(TLS handshake with binding cert via CngSignatureSpi)
+    Token-->>Ext: token_type=mtls_pop, access_token
+    Ext-->>App: MtlsMsiHelperResult{accessToken, bindingCertificate}
+    Note over App: Subsequent calls → cert cache hit, then token cache hit
+```
+
+---
+
+## 1. How Java Uses Windows CNG Without JNI Headers
+
+Java has no built-in C FFI, but [JNA (Java Native Access)](https://github.com/java-native-access/jna) provides dynamic binding to native DLLs using pure Java interfaces — no C headers, no `javah`, no native compilation step beyond the DLL itself.
+
+```java
+// JNA interface — maps directly to ncrypt.dll exports
+interface NCrypt extends Library {
+    int NCryptOpenStorageProvider(PointerByReference phProvider, String pszProviderName, int dwFlags);
+    int NCryptCreatePersistedKey(Pointer hProvider, PointerByReference phKey,
+                                  String pszAlgId, String pszKeyName, int dwLegacyKeySpec, int dwFlags);
+    int NCryptSetProperty(Pointer hObject, String pszProperty, byte[] pbInput, int cbInput, int dwFlags);
+    int NCryptFinalizeKey(Pointer hKey, int dwFlags);
+    int NCryptSignHash(Pointer hKey, Pointer pPaddingInfo, byte[] pbHashValue, int cbHashValue,
+                       byte[] pbSignature, int cbSignature, PointerByReference pcbResult, int dwFlags);
+}
+```
+
+The key flag that enables KeyGuard VBS isolation:
+```java
+private static final int NCRYPT_VBS_KEYISOLATION_FLAG = 0x00010000;
+NCrypt.INSTANCE.NCryptFinalizeKey(hKey, NCRYPT_VBS_KEYISOLATION_FLAG);
+```
+
+This is the same flag used by msal-dotnet (via `CngKey`) and msal-go (via `syscall.NewLazyDLL`).
+
+---
+
+## 2. Custom `java.security.Provider` for CNG-Backed TLS
+
+Java's JSSE TLS stack calls `java.security.Signature` for the TLS `CertificateVerify` handshake message. A standard Java `PrivateKey` from `SunMSCAPI` cannot wrap a CNG KeyGuard key handle.
+
+The solution: a custom `java.security.Provider` (`CngProvider`) that registers `CngSignatureSpi` — a `Signature` implementation that delegates signing to `NCryptSignHash` via JNA, keeping the key handle inside the VBS enclave.
+
+```
+JSSE TLS handshake
+  └─► KeyManager.getPrivateKey()         → returns CngPrivateKey (opaque handle)
+  └─► Signature.getInstance("SHA256withRSA", CngProvider)
+  └─► CngSignatureSpi.engineInitSign(CngPrivateKey)
+  └─► CngSignatureSpi.engineSign()
+        └─► NCryptSignHash(hKey, BCRYPT_PKCS1_PADDING, hash, ...) via JNA
+              └─► ncrypt.dll (in-process, VBS KeyGuard boundary)
+```
+
+`engineInitVerify` throws `InvalidKeyException` intentionally — this causes JSSE's provider selection to fall through to `SunRsaSign`, which handles server certificate verification correctly. `CngSignatureSpi` only intercepts signing operations with the KeyGuard key.
+
+---
+
+## 3. Certificate Caching
+
+The binding certificate (issued by `managedidentitysnissuer.login.microsoft.com`) is cached in-memory with a 5-minute pre-expiry buffer:
+
+```
+certCache key: cuID (compute unit ID from IMDS platform metadata)
+certCache value: {bindingCert, expiry = cert.NotAfter - 5min}
+```
+
+The CNG key is persisted in the Microsoft Software Key Storage Provider under the name `MSALMtlsKey_{cuID}` (user scope). On subsequent calls, the key is opened with `NCryptOpenKey` rather than re-created, ensuring the same public key is presented in the CSR and that the cached binding certificate remains valid.
+
+---
+
+## 4. Cross-SDK Architecture Comparison
+
+| Concern | msal-java | msal-dotnet | msal-go | msal-node |
+|---------|-----------|-------------|---------|-----------|
+| CNG key creation | JNA → `ncrypt.dll` | `CngKey` (.NET) | `syscall.NewLazyDLL` | Subprocess (exe) |
+| TLS with CNG key | `CngSignatureSpi` + JSSE | Schannel (`NCRYPT_KEY_HANDLE`) | `crypto.Signer` interface | .NET subprocess |
+| CSR generation | `Pkcs10Builder` (pure Java ASN.1) | `CertificateRequest` (.NET) | `encoding/asn1` (Go stdlib) | Subprocess |
+| Attestation | JNA → `AttestationClientLib.dll` | Native NuGet package | `syscall` → DLL | Subprocess |
+| In-process | ✅ | ✅ | ✅ | ❌ |
+| .NET required | ❌ | ✅ (runtime) | ❌ | ✅ (subprocess) |
+
+---
+
+## 5. Why Path 1 Does Not Need JNA
+
+Path 1 (SNI / Confidential Client) uses a certificate the caller already owns — typically loaded from a PKCS12 file or PKCS11 hardware token. Java's standard `KeyManagerFactory` and JSSE handle this transparently. The custom `SSLSocketFactory` built by `MtlsSslContextHelper` sets up the client certificate for the TLS handshake — no CNG involved.
+
+---
+
+## 6. Key Source Names
+
+| Key Source | Description |
+|------------|-------------|
+| `KeyGuard` | Full VBS isolation — requires Credential Guard running |
+| `Hardware` | TPM-backed but not VBS-isolated |
+| `InMemory` | Software key — no hardware protection |
+
+For production use, `KeyGuard` is required (`xms_tbflags: 2` in the token). `Hardware` or `InMemory` keys will result in `AADSTS392196` or similar errors from AAD.
+
+---
+
+## References
+
+- [mTLS PoP API Guide](mtls-pop.md)
+- [mTLS PoP Manual Testing](mtls-pop-manual-testing.md)
+- [RFC 8705 — OAuth 2.0 Mutual-TLS Client Authentication](https://www.rfc-editor.org/rfc/rfc8705)
+- [JNA (Java Native Access)](https://github.com/java-native-access/jna)
+- [NCrypt API (MSDN)](https://docs.microsoft.com/en-us/windows/win32/api/ncrypt/)

msal4j-sdk/docs/mtls-pop-manual-testing.md

@@ -64,11 +64,11 @@ import java.util.*;
 
 public class TestMtlsPop {
     public static void main(String[] args) throws Exception {
-        // Load certificate
-        InputStream certStream = new FileInputStream("test-cert.p12");
-        ClientCertificate cert = ClientCertificate.create(certStream, "changeit");
+        // Load certificate (PKCS12)
+        IClientCertificate cert = ClientCredentialFactory.createFromCertificate(
+            new FileInputStream("test-cert.p12"), "changeit");
 
-        // Build app
+        // Build app — tenanted authority and region required
         ConfidentialClientApplication app = ConfidentialClientApplication
             .builder("your-client-id", cert)
             .authority("https://login.microsoftonline.com/your-tenant-id")
@@ -79,7 +79,7 @@ public class TestMtlsPop {
         Set<String> scopes = Collections.singleton("https://graph.microsoft.com/.default");
         ClientCredentialParameters params = ClientCredentialParameters
             .builder(scopes)
-            .withMtlsProofOfPossession(true)
+            .withMtlsProofOfPossession()
             .build();
 
         IAuthenticationResult result = app.acquireToken(params).get();
@@ -108,8 +108,8 @@ Access token:     eyJ0eXAiOiJKV1QiLCJub25jZSI6...
 Call `acquireToken` again immediately — the second call should not make a network request:
 
 ```java
-long t0 = System.currentTimeMillis();
 IAuthenticationResult r1 = app.acquireToken(params).get();
+long t0 = System.currentTimeMillis();
 IAuthenticationResult r2 = app.acquireToken(params).get();
 System.out.println("Same token: " + r1.accessToken().equals(r2.accessToken())); // true
 System.out.println("Elapsed: " + (System.currentTimeMillis() - t0) + "ms");    // should be <50ms
@@ -277,7 +277,7 @@ IAuthenticationResult bearerResult = app.acquireToken(bearerParams).get();
 // Acquire mTLS PoP token
 ClientCredentialParameters mtlsParams = ClientCredentialParameters
     .builder(scopes)
-    .withMtlsProofOfPossession(true)
+    .withMtlsProofOfPossession()
     .build();
 IAuthenticationResult mtlsResult = app.acquireToken(mtlsParams).get();
 

msal4j-sdk/docs/mtls-pop.md

@@ -11,7 +11,20 @@ MSAL4J supports two mTLS PoP acquisition paths:
 | Path | Application Type | Certificate Source | Attestation |
 |------|-----------------|-------------------|-------------|
 | **SNI (Subject Name Indication)** | `ConfidentialClientApplication` | Any PKCS12/PEM cert or hardware token (PKCS11) | Not required |
-| **Managed Identity** | `ManagedIdentityApplication` | IMDS-issued KeyGuard-backed certificate | Optional (IMDS-attested) |
+| **Managed Identity** | `MtlsMsiClient` (via `msal4j-mtls-extensions`) | IMDS-issued KeyGuard-backed certificate | Optional (Trusted Launch VMs) |
+
+---
+
+## Cross-SDK Implementation Comparison
+
+| Library | TLS Stack | CNG Support | Approach |
+|---------|-----------|-------------|----------|
+| **msal-java** | JSSE + custom `SSLSocketFactory` (Path 1); JNA → `ncrypt.dll` (Path 2) | ✅ Via JNA | In-process |
+| **msal-dotnet** | Schannel (.NET) | ✅ Native | In-process |
+| **msal-go** | `crypto/tls` (pure Go) | ✅ Via `crypto.Signer` | In-process |
+| **msal-node** | OpenSSL (Node.js) | ❌ None | .NET subprocess (`MsalMtlsMsiHelper.exe`) |
+
+No subprocess is needed in msal-java.
 
 ---
 
@@ -52,22 +65,26 @@ This makes mTLS PoP suitable for high-value API access from server-side applicat
 ### Quick Start
 
 ```java
-// 1. Load your certificate
-InputStream certStream = new FileInputStream("/path/to/cert.p12");
-ClientCertificate cert = ClientCertificate.create(certStream, "password");
+import com.microsoft.aad.msal4j.*;
+import java.io.FileInputStream;
+import java.util.*;
+
+// 1. Load your certificate (PKCS12)
+IClientCertificate cert = ClientCredentialFactory.createFromCertificate(
+    new FileInputStream("/path/to/cert.p12"), "password");
 
 // 2. Build the app (tenanted authority + region required)
 ConfidentialClientApplication app = ConfidentialClientApplication
     .builder("your-client-id", cert)
     .authority("https://login.microsoftonline.com/your-tenant-id")
-    .azureRegion("eastus")     // or AzureRegion.AUTO_DISCOVER_REGION
+    .azureRegion("eastus")     // or autoDetectRegion(true)
     .build();
 
 // 3. Request an mTLS PoP token
 Set<String> scopes = Collections.singleton("https://graph.microsoft.com/.default");
 ClientCredentialParameters params = ClientCredentialParameters
     .builder(scopes)
-    .withMtlsProofOfPossession(true)
+    .withMtlsProofOfPossession()
     .build();
 
 IAuthenticationResult result = app.acquireToken(params).get();
@@ -87,13 +104,11 @@ KeyStore ks = KeyStore.getInstance("PKCS11", pkcs11Provider);
 ks.load(null, "pin".toCharArray());
 
 PrivateKey privateKey = (PrivateKey) ks.getKey("my-key-alias", null);
-X509Certificate[] certChain = ...;  // from ks.getCertificateChain()
+X509Certificate cert = (X509Certificate) ks.getCertificate("my-key-alias");
 
-ClientCertificate cert = ClientCertificate.create(privateKey, certChain);
+IClientCertificate clientCert = ClientCredentialFactory.createFromCertificate(privateKey, cert);
 ```
 
-The `MtlsSslContextHelper` handles the PKCS12 in-memory KeyStore setup transparently.
-
 ### Token Endpoint
 
 For public cloud, MSAL4J constructs:
@@ -183,7 +198,7 @@ ManagedIdentityApplication app = ManagedIdentityApplication
 
 | Method | Description |
 |--------|-------------|
-| `.withMtlsProofOfPossession(boolean)` | When `true`, acquires an `mtls_pop` token instead of Bearer |
+| `.withMtlsProofOfPossession()` | Acquires an `mtls_pop` token instead of Bearer |
 
 ### `ManagedIdentityParameters`
 
@@ -236,6 +251,7 @@ Standard Bearer tokens use a 6-segment key (no `keyId`). The two token types nev
 ## References
 
 - [mTLS PoP Manual Testing Guide](mtls-pop-manual-testing.md)
+- [mTLS PoP Architecture](mtls-pop-architecture.md)
 - [msal4j-mtls-extensions README](../../msal4j-mtls-extensions/README.md)
 - [MSAL.js mTLS PoP](https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/8476)
 - [MSAL.NET mTLS PoP](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/tree/main/docs)