initial

Author: GladwinJohnson

msal-key-attestation/README.md

@@ -0,0 +1,94 @@
+# msal-key-attestation
+
+KeyGuard attestation support for **MSAL Python** MSI v2 (mTLS Proof-of-Possession).
+
+This package provides the `AttestationClientLib.dll` bindings for Windows
+Credential Guard / KeyGuard key attestation via Azure Attestation (MAA).
+
+## Installation
+
+```bash
+pip install msal msal-key-attestation
+```
+
+## Prerequisites
+
+- **Windows** with Credential Guard / KeyGuard enabled (Azure VM with VBS)
+- **AttestationClientLib.dll** — place it next to your application, or set
+  `ATTESTATION_CLIENTLIB_PATH` environment variable to its full path.
+
+## Usage
+
+```python
+import msal, requests
+
+client = msal.ManagedIdentityClient(
+    msal.SystemAssignedManagedIdentity(),
+    http_client=requests.Session(),
+)
+
+# with_attestation_support=True auto-discovers msal-key-attestation
+result = client.acquire_token_for_client(
+    resource="https://graph.microsoft.com",
+    mtls_proof_of_possession=True,
+    with_attestation_support=True,
+)
+
+if "access_token" in result:
+    print(f"Token type: {result['token_type']}")  # mtls_pop
+    print(f"Cert thumbprint: {result.get('cert_thumbprint_sha256', 'N/A')}")
+else:
+    print(f"Error: {result.get('error_description', result)}")
+```
+
+## How it works
+
+1. MSAL Python's MSI v2 flow creates a KeyGuard-protected RSA key (via NCrypt)
+2. When `with_attestation_support=True`, MSAL auto-imports this package
+3. This package calls `AttestationClientLib.dll` to attest the key with MAA
+4. The attestation JWT is cached in-memory (~90% of its lifetime)
+5. MSAL sends the JWT + CSR to IMDS `/issuecredential`
+6. IMDS returns a short-lived certificate, which MSAL uses for mTLS token
+   acquisition
+
+## Architecture
+
+```
+┌─────────────────────────────────────────┐
+│  msal  (pip install msal)               │
+│                                         │
+│  ManagedIdentityClient                  │
+│    └─ acquire_token_for_client()        │
+│         mtls_proof_of_possession=True   │
+│         with_attestation_support=True   │
+│                                         │
+│  msal.msi_v2  (core flow)              │
+│    - NCrypt KeyGuard key (ctypes)       │
+│    - PKCS#10 CSR builder                │
+│    - IMDS getplatformmetadata           │
+│    - IMDS issuecredential               │
+│    - Crypt32 cert binding               │
+│    - WinHTTP/SChannel mTLS              │
+│    - Certificate cache (in-memory)      │
+└────────────────┬────────────────────────┘
+                 │  auto-discovers via import
+┌────────────────▼────────────────────────┐
+│  msal-key-attestation                   │
+│  (pip install msal-key-attestation)     │
+│                                         │
+│  create_attestation_provider()          │
+│    - AttestationClientLib.dll bindings  │
+│    - MAA token cache (in-memory)        │
+└─────────────────────────────────────────┘
+```
+
+## Environment Variables
+
+| Variable | Description |
+|---|---|
+| `ATTESTATION_CLIENTLIB_PATH` | Full path to `AttestationClientLib.dll` |
+| `MSAL_MSI_V2_ATTESTATION_CACHE` | `"0"` to disable MAA JWT caching |
+
+## License
+
+MIT

msal-key-attestation/msal_key_attestation.egg-info/PKG-INFO

@@ -0,0 +1,118 @@
+Metadata-Version: 2.4
+Name: msal-key-attestation
+Version: 0.1.0
+Summary: KeyGuard attestation support for MSAL Python MSI v2 (mTLS PoP). Provides AttestationClientLib.dll bindings for Windows Credential Guard key attestation.
+Home-page: https://github.com/AzureAD/microsoft-authentication-library-for-python
+Author: Microsoft Corporation
+Author-email: nugetaad@microsoft.com
+License: MIT
+Classifier: Development Status :: 3 - Alpha
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.8
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: Microsoft :: Windows
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+Requires-Dist: msal>=1.32.0
+
+# msal-key-attestation
+
+KeyGuard attestation support for **MSAL Python** MSI v2 (mTLS Proof-of-Possession).
+
+This package provides the `AttestationClientLib.dll` bindings for Windows
+Credential Guard / KeyGuard key attestation via Azure Attestation (MAA).
+
+## Installation
+
+```bash
+pip install msal msal-key-attestation
+```
+
+## Prerequisites
+
+- **Windows** with Credential Guard / KeyGuard enabled (Azure VM with VBS)
+- **AttestationClientLib.dll** — place it next to your application, or set
+  `ATTESTATION_CLIENTLIB_PATH` environment variable to its full path.
+
+## Usage
+
+```python
+import msal, requests
+
+client = msal.ManagedIdentityClient(
+    msal.SystemAssignedManagedIdentity(),
+    http_client=requests.Session(),
+)
+
+# with_attestation_support=True auto-discovers msal-key-attestation
+result = client.acquire_token_for_client(
+    resource="https://graph.microsoft.com",
+    mtls_proof_of_possession=True,
+    with_attestation_support=True,
+)
+
+if "access_token" in result:
+    print(f"Token type: {result['token_type']}")  # mtls_pop
+    print(f"Cert thumbprint: {result.get('cert_thumbprint_sha256', 'N/A')}")
+else:
+    print(f"Error: {result.get('error_description', result)}")
+```
+
+## How it works
+
+1. MSAL Python's MSI v2 flow creates a KeyGuard-protected RSA key (via NCrypt)
+2. When `with_attestation_support=True`, MSAL auto-imports this package
+3. This package calls `AttestationClientLib.dll` to attest the key with MAA
+4. The attestation JWT is cached in-memory (~90% of its lifetime)
+5. MSAL sends the JWT + CSR to IMDS `/issuecredential`
+6. IMDS returns a short-lived certificate, which MSAL uses for mTLS token
+   acquisition
+
+## Architecture
+
+```
+┌─────────────────────────────────────────┐
+│  msal  (pip install msal)               │
+│                                         │
+│  ManagedIdentityClient                  │
+│    └─ acquire_token_for_client()        │
+│         mtls_proof_of_possession=True   │
+│         with_attestation_support=True   │
+│                                         │
+│  msal.msi_v2  (core flow)              │
+│    - NCrypt KeyGuard key (ctypes)       │
+│    - PKCS#10 CSR builder                │
+│    - IMDS getplatformmetadata           │
+│    - IMDS issuecredential               │
+│    - Crypt32 cert binding               │
+│    - WinHTTP/SChannel mTLS              │
+│    - Certificate cache (in-memory)      │
+└────────────────┬────────────────────────┘
+                 │  auto-discovers via import
+┌────────────────▼────────────────────────┐
+│  msal-key-attestation                   │
+│  (pip install msal-key-attestation)     │
+│                                         │
+│  create_attestation_provider()          │
+│    - AttestationClientLib.dll bindings  │
+│    - MAA token cache (in-memory)        │
+└─────────────────────────────────────────┘
+```
+
+## Environment Variables
+
+| Variable | Description |
+|---|---|
+| `ATTESTATION_CLIENTLIB_PATH` | Full path to `AttestationClientLib.dll` |
+| `MSAL_MSI_V2_ATTESTATION_CACHE` | `"0"` to disable MAA JWT caching |
+
+## License
+
+MIT

msal-key-attestation/msal_key_attestation.egg-info/SOURCES.txt

@@ -0,0 +1,12 @@
+README.md
+setup.cfg
+setup.py
+msal_key_attestation/__init__.py
+msal_key_attestation/attestation.py
+msal_key_attestation.egg-info/PKG-INFO
+msal_key_attestation.egg-info/SOURCES.txt
+msal_key_attestation.egg-info/dependency_links.txt
+msal_key_attestation.egg-info/requires.txt
+msal_key_attestation.egg-info/top_level.txt
+tests/__init__.py
+tests/test_attestation.py

msal-key-attestation/msal_key_attestation.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

msal-key-attestation/msal_key_attestation.egg-info/requires.txt

@@ -0,0 +1 @@
+msal>=1.32.0

msal-key-attestation/msal_key_attestation.egg-info/top_level.txt

@@ -0,0 +1,2 @@
+msal_key_attestation
+tests

msal-key-attestation/msal_key_attestation/__init__.py

@@ -0,0 +1,40 @@
+# Copyright (c) Microsoft Corporation.
+# All rights reserved.
+#
+# This code is licensed under the MIT License.
+"""
+msal-key-attestation — KeyGuard attestation support for MSAL Python MSI v2.
+
+This package provides the ``create_attestation_provider()`` function that
+returns a callable suitable for the ``attestation_token_provider`` parameter
+in ``msal.msi_v2.obtain_token()``.
+
+It loads the Windows-only ``AttestationClientLib.dll`` (Azure Attestation
+native library) via ctypes and exposes a high-level API that:
+
+- Initializes the native attestation library
+- Calls ``AttestKeyGuardImportKey`` with the CNG key handle
+- Returns the attestation JWT
+- Caches the JWT in-memory until ~90 % of its lifetime
+
+Usage::
+
+    from msal_key_attestation import create_attestation_provider
+
+    # Pass to MSAL's MSI v2 flow:
+    result = client.acquire_token_for_client(
+        resource="https://graph.microsoft.com",
+        mtls_proof_of_possession=True,
+        with_attestation_support=True,  # auto-discovers this package
+    )
+
+    # Or use the provider directly:
+    provider = create_attestation_provider()
+    jwt = provider(attestation_endpoint, key_handle_int, client_id)
+"""
+
+__version__ = "0.1.0"
+
+from .attestation import create_attestation_provider, get_attestation_jwt
+
+__all__ = ["create_attestation_provider", "get_attestation_jwt"]