Adjust SNI behavior around .pfx files

Author: Avery-Dunn

msal/application.py

@@ -91,12 +91,19 @@ def _parse_pfx(pfx_path, passphrase_bytes):
     # Cert concepts https://security.stackexchange.com/a/226758/125264
     from cryptography.hazmat.primitives.serialization import pkcs12
     with open(pfx_path, 'rb') as f:
-        private_key, cert, _ = pkcs12.load_key_and_certificates(  # cryptography 2.5+
+        private_key, cert, additional_certs = pkcs12.load_key_and_certificates(
+            # cryptography 2.5+
             # https://cryptography.io/en/latest/hazmat/primitives/asymmetric/serialization/#cryptography.hazmat.primitives.serialization.pkcs12.load_key_and_certificates
             f.read(), passphrase_bytes)
     if not (private_key and cert):
         raise ValueError("Your PFX file shall contain both private key and cert")
     sha256_thumbprint, sha1_thumbprint, x5c = _extract_cert_and_thumbprints(cert)
+    # Per RFC 7515 §4.1.6, x5c should include the full certificate chain
+    # (leaf first, then intermediates) for SNI (Subject Name/Issuer) auth.
+    if additional_certs:
+        for extra_cert in additional_certs:
+            _, _, extra_x5c = _extract_cert_and_thumbprints(extra_cert)
+            x5c.extend(extra_x5c)
     return private_key, sha256_thumbprint, sha1_thumbprint, x5c
 
 

tests/test_agentic_e2e.py

@@ -6,10 +6,6 @@
 3. Full 3-leg flow: FMI → assertion → user_fic → user-scoped token
 4. Cache isolation between app-only and user-scoped tokens
 
-Corresponds to:
-- .NET: Agentic.cs
-- Java: AgenticIT.java
-
 Test configuration uses the same lab infrastructure as test_fmi_e2e.py.
 Requires LAB_APP_CLIENT_CERT_PFX_PATH environment variable.
 """
@@ -28,7 +24,7 @@
 logging.basicConfig(level=logging.DEBUG if "-v" in sys.argv else logging.INFO)
 
 # =============================================================================
-# Test configuration — matches .NET/Java agentic test constants
+# Test configuration — shared lab app registrations for agentic scenarios
 # =============================================================================
 _TENANT_ID = "10c419d4-4a50-45b2-aa4e-919fb84df24f"
 _BLUEPRINT_CLIENT_ID = "aab5089d-e764-47e3-9f28-cc11c2513821"
@@ -43,14 +39,14 @@
 
 
 # =============================================================================
-# Helpers — mirror .NET GetAppCredentialAsync / Java acquireFmiCredentialForAgent
+# Helpers
 # =============================================================================
 
 def _acquire_fmi_credential_for_agent(agent_app_id):
     """Leg 1: Blueprint app acquires FMI credential (T1) for the given agent.
 
     Uses certificate authentication with SNI (sendX5C) and fmi_path set to
-    the agent app ID — matching .NET and Java helper methods.
+    the agent app ID.
     """
     blueprint_app = msal.ConfidentialClientApplication(
         _BLUEPRINT_CLIENT_ID,
@@ -70,7 +66,7 @@ def _acquire_fmi_credential_for_agent(agent_app_id):
 def _acquire_fmi_credential_from_rma():
     """Acquire an FMI credential from the RMA app using certificate credentials.
 
-    Mirrors Java's acquireFmiCredentialFromRma and Python's test_fmi_e2e helper.
+    Uses the same RMA pattern as test_fmi_e2e._get_fmi_credential_from_rma().
     Used for assertion callback context tests where the callback just needs to
     return a valid FMI token (not specifically for an agent app).
     """
@@ -118,10 +114,7 @@ def _acquire_instance_token_for_agent():
 # =============================================================================
 
 class TestAssertionCallbackContext(LabBasedTestCase):
-    """Verify assertion callback receives correct context when fmi_path is set.
-
-    Corresponds to Java's assertionCallback_ReceivesFmiPathContext.
-    """
+    """Verify assertion callback receives correct context when fmi_path is set."""
 
     def test_assertion_callback_receives_fmi_path(self):
         captured_context = {}
@@ -155,9 +148,6 @@ def assertion_callback(context):
 class TestAgentAppToken(LabBasedTestCase):
     """Agent acquires app-only token for Graph using FMI-sourced assertion.
 
-    Corresponds to .NET's AgentGetsAppTokenForGraphTest and
-    Java's agentGetsAppToken_UsingFmiAssertion.
-
     Flow: Blueprint → T1 (assertion callback) → Agent CCA → app token
     """
 
@@ -183,9 +173,6 @@ def assertion_provider(context):
 class TestAgentUserIdentity(LabBasedTestCase):
     """Full 3-leg agent identity flow: FMI → assertion → user_fic → user token.
 
-    Corresponds to .NET's AgentUserIdentityGetsTokenForGraphTest and
-    Java's agentUserIdentity_GetsTokenForGraph.
-
     Flow:
     1. Blueprint → T1 (FMI credential)
     2. Agent uses T1 → T2 (instance token)
@@ -234,10 +221,7 @@ def assertion_provider(context):
 
 
 class TestAgentCacheIsolation(LabBasedTestCase):
-    """App-only and user-scoped tokens are isolated in cache on the same CCA.
-
-    Corresponds to Java's agentCca_AppAndUserTokens_CacheIsolation.
-    """
+    """App-only and user-scoped tokens are isolated in cache on the same CCA."""
 
     def test_app_and_user_tokens_are_isolated(self):
         def assertion_provider(context):