add net std support and tests

Author: gladjohn

Directory.Packages.props

@@ -22,6 +22,7 @@
     <PackageVersion Include="System.Runtime.Serialization.Formatters" Version="4.3.0" />
     <PackageVersion Include="System.Runtime.Serialization.Json" Version="4.3.0" />
     <PackageVersion Include="System.Runtime.Serialization.Primitives" Version="4.3.0" />
+    <PackageVersion Include="System.Security.Cryptography.Cng" Version="5.0.0" PrivateAssets="All" />
     <PackageVersion Include="System.Security.Cryptography.ProtectedData" Version="4.5.0" />
     <PackageVersion Include="System.Security.SecureString" Version="4.3.0" />
     <PackageVersion Include="System.ServiceModel.Http" Version="4.5.3" />
@@ -71,7 +72,6 @@
     <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="6.35.0" />
     <PackageVersion Include="System.Net.Http" Version="4.3.4" />
     <PackageVersion Include="System.Reflection.TypeExtensions" Version="4.7.0" />
-    <PackageVersion Include="System.Security.Cryptography.Cng" Version="5.0.0" />
     <PackageVersion Include="System.Text.Json" Version="6.0.10" />
     <PackageVersion Include="System.Threading" Version="4.3.0" />
     <PackageVersion Include="System.Threading.Tasks" Version="4.3.0" />

build/platform_and_feature_flags.props

@@ -8,9 +8,6 @@
   <PropertyGroup Condition="'$(TargetFramework)' == '$(TargetFrameworkNet)' or '$(TargetFramework)' == '$(TargetFrameworkNetDesktop472)' or '$(TargetFramework)' == '$(TargetFrameworkNetStandard)'">
     <DefineConstants>$(DefineConstants);SUPPORTS_MTLS;</DefineConstants>
   </PropertyGroup>
-  <PropertyGroup Condition="'$(TargetFramework)' == '$(TargetFrameworkNet)' or '$(TargetFramework)' == '$(TargetFrameworkNetDesktop472)' or '$(TargetFramework)' == '$(TargetFrameworkNetDesktop462)'">
-    <DefineConstants>$(DefineConstants);SUPPORTS_CNG;</DefineConstants>
-  </PropertyGroup>
   <PropertyGroup Condition="'$(TargetFramework)' == '$(TargetFrameworkNetAndroid)'">
     <DefineConstants>$(DefineConstants);ANDROID;SUPPORTS_BROKER</DefineConstants>
   </PropertyGroup>

src/client/Microsoft.Identity.Client/Internal/Requests/ManagedIdentityAuthRequest.cs

@@ -2,8 +2,6 @@
 // Licensed under the MIT License.
 
 using System.Collections.Generic;
-using System.Net;
-using System.Security.Cryptography;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Identity.Client.ApiConfig.Parameters;

src/client/Microsoft.Identity.Client/ManagedIdentity/KeyProviders/KeyGuardHelper.cs

@@ -3,6 +3,7 @@
 
 using System;
 using System.Security.Cryptography;
+using Microsoft.Identity.Client.Core;
 
 namespace Microsoft.Identity.Client.ManagedIdentity.KeyGuard
 {
@@ -13,15 +14,15 @@ internal static class KeyGuardHelper
     {
         private const string ProviderName = "Microsoft Software Key Storage Provider";
         private const string KeyName = "KeyGuardRSAKey";
-#if SUPPORTS_CNG
+
         // KeyGuard + per-boot flags
         private const CngKeyCreationOptions NCryptUseVirtualIsolationFlag = (CngKeyCreationOptions)0x00020000;
         private const CngKeyCreationOptions NCryptUsePerBootKeyFlag = (CngKeyCreationOptions)0x00040000;
 
         /// <summary>
         /// Creates a new RSA-2048 Key Guard key.
         /// </summary>
-        public static CngKey CreateFresh()
+        public static CngKey CreateFresh(ILoggerAdapter logger)
         {
             var p = new CngKeyCreationParameters
             {
@@ -45,12 +46,13 @@ public static CngKey CreateFresh()
             catch (CryptographicException ex)
                 when (IsVbsUnavailable(ex))
             {
-                // wrap in a clearer exception so callers can decide how to react
-                // for MSAL we can just log and fall back to software keys
-                throw new PlatformNotSupportedException(
-                    "Key Guard requires Windows Core Isolation (VBS). " +
-                    "Enable it in Windows Security ► Device Security ► Core isolation.",
-                    ex);
+                logger?.Warning(
+                    "[MI][KeyGuardHelper] VBS key isolation is not available; falling back to software keys. " +
+                    "Ensure that Virtualization Based Security (VBS) is enabled on this machine " +
+                    "(e.g. Credential Guard, Hyper-V, or Windows Defender Application Guard). " +
+                    "Inner exception: " + ex.Message);
+                
+                return null;
             }
         }
 
@@ -72,6 +74,5 @@ private static bool IsVbsUnavailable(CryptographicException ex)
             return ex.HResult == NTE_NOT_SUPPORTED ||
                    ex.Message.Contains("VBS key isolation is not available");
         }
-#endif
     }
 }

src/client/Microsoft.Identity.Client/ManagedIdentity/KeyProviders/WindowsCngKeyOperations.cs

@@ -7,6 +7,7 @@
 using System.Security.Cryptography;
 using System.Text;
 using System.Threading.Tasks;
+using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.ManagedIdentity.KeyGuard;
 
 namespace Microsoft.Identity.Client.ManagedIdentity.KeyProviders
@@ -20,7 +21,7 @@ internal static class WindowsCngKeyOperations
         private const string KeyName = "KeyGuardRSAKey";
 
         // --- KeyGuard path (RSA) ---
-        public static bool TryGetOrCreateKeyGuard(out RSA rsa)
+        public static bool TryGetOrCreateKeyGuard(ILoggerAdapter logger, out RSA rsa)
         {
             rsa = default(RSA);
 
@@ -34,15 +35,17 @@ public static bool TryGetOrCreateKeyGuard(out RSA rsa)
                 }
                 catch (CryptographicException)
                 {
-                    // Not found -> create fresh 
-                    key = KeyGuardHelper.CreateFresh();
+                    // Not found -> create fresh
+                    logger?.Verbose(() => "[MI][WinKeyProvider] KeyGuard key not found; creating fresh.");
+                    key = KeyGuardHelper.CreateFresh(logger);
                 }
 
                 // Ensure actually KeyGuard-protected; recreate if not
                 if (!KeyGuardHelper.IsKeyGuardProtected(key))
                 {
+                    logger?.Verbose(() => "[MI][WinKeyProvider] KeyGuard key found but not protected; recreating.");
                     key.Dispose();
-                    key = KeyGuardHelper.CreateFresh();
+                    key = KeyGuardHelper.CreateFresh(logger);
                 }
 
                 rsa = new RSACng(key);
@@ -57,6 +60,7 @@ public static bool TryGetOrCreateKeyGuard(out RSA rsa)
             catch (PlatformNotSupportedException)
             {
                 // VBS/Core Isolation not available => KeyGuard unavailable
+                logger?.Verbose(() => "[MI][WinKeyProvider] Exception creating KeyGuard key.");
                 return false;
             }
             catch (CryptographicException)
@@ -66,7 +70,7 @@ public static bool TryGetOrCreateKeyGuard(out RSA rsa)
         }
 
         // --- Hardware (TPM/KSP) path (RSA) ---
-        public static bool TryGetOrCreateHardwareRsa(out RSA rsa)
+        public static bool TryGetOrCreateHardwareRsa(ILoggerAdapter logger, out RSA rsa)
         {
             rsa = default(RSA);
 
@@ -96,11 +100,13 @@ public static bool TryGetOrCreateHardwareRsa(out RSA rsa)
                     { rsa.KeySize = 2048; }
                     catch { }
                 }
-
+                
+                logger?.Info("[MI][WinKeyProvider] Using Hardware key (RSA).");
                 return true;
             }
             catch (CryptographicException)
             {
+                logger?.Verbose(() => "[MI][WinKeyProvider] Exception creating Hardware key.");
                 return false;
             }
         }

src/client/Microsoft.Identity.Client/ManagedIdentity/KeyProviders/WindowsManagedIdentityKeyProvider.cs

@@ -51,12 +51,12 @@ public async Task<ManagedIdentityKeyInfo> GetOrCreateKeyAsync(
                 }
 
                 var messageBuilder = new StringBuilder();
-#if SUPPORTS_CNG
+
                 // 1) KeyGuard (RSA-2048 under VBS isolation)
                 try
                 {
                     logger.Info("[MI][WinKeyProvider] Trying KeyGuard key.");
-                    if (WindowsCngKeyOperations.TryGetOrCreateKeyGuard(out RSA kgRsa))
+                    if (WindowsCngKeyOperations.TryGetOrCreateKeyGuard(logger, out RSA kgRsa))
                     {
                         messageBuilder.AppendLine("KeyGuard RSA key created successfully.");
                         _cached = new ManagedIdentityKeyInfo(kgRsa, ManagedIdentityKeyType.KeyGuard, messageBuilder.ToString());
@@ -81,7 +81,7 @@ public async Task<ManagedIdentityKeyInfo> GetOrCreateKeyAsync(
                 try
                 {
                     logger?.Verbose(() => "[MI][WinKeyProvider] Trying Hardware (TPM/KSP) key.");
-                    if (WindowsCngKeyOperations.TryGetOrCreateHardwareRsa(out RSA hwRsa))
+                    if (WindowsCngKeyOperations.TryGetOrCreateHardwareRsa(logger, out RSA hwRsa))
                     {
                         messageBuilder.AppendLine("Hardware RSA key created successfully.");
                         _cached = new ManagedIdentityKeyInfo(hwRsa, ManagedIdentityKeyType.Hardware, messageBuilder.ToString());
@@ -101,22 +101,6 @@ public async Task<ManagedIdentityKeyInfo> GetOrCreateKeyAsync(
                         $"[MI][WinKeyProvider] Exception creating Hardware key: {ex}",
                         $"[MI][WinKeyProvider] Exception creating Hardware key: {ex.GetType().Name}");
                 }
-#endif
-                // 3) Fallback to portable in-memory provider
-                logger?.Verbose(() => "[MI][WinKeyProvider] Falling back to InMemory key provider.");
-                messageBuilder.AppendLine("Falling back to in-memory RSA key provider.");
-
-                var memProvider = new InMemoryManagedIdentityKeyProvider();
-                ManagedIdentityKeyInfo memKeyInfo = await memProvider.GetOrCreateKeyAsync(logger, ct).ConfigureAwait(false);
-
-                if (!string.IsNullOrEmpty(memKeyInfo.ProviderMessage))
-                {
-                    messageBuilder.AppendLine(memKeyInfo.ProviderMessage.TrimEnd());
-                }
-
-                _cached = new ManagedIdentityKeyInfo(memKeyInfo.Key, ManagedIdentityKeyType.InMemory, messageBuilder.ToString());
-
-                logger?.Info($"[MI][WinKeyProvider] Using InMemory key. Success={(memKeyInfo.Key != null)}.");
 
                 return _cached;
             }

src/client/Microsoft.Identity.Client/ManagedIdentity/ManagedIdentityKeyProviderFactory.cs

@@ -55,22 +55,15 @@ internal static IManagedIdentityKeyProvider GetOrCreateProvider(ILoggerAdapter l
         /// </summary>
         private static IManagedIdentityKeyProvider CreateProviderCore(ILoggerAdapter logger)
         {
-#if !SUPPORTS_CNG
-            // When CNG support (KeyGuard / TPM) is not compiled in, we only have the in-memory provider.
-            logger?.Verbose(() => "[MI][KeyProviderFactory] CNG not supported - using InMemory provider.");
-            return new InMemoryManagedIdentityKeyProvider();
-#else
-            // SUPPORTS_CNG defined: we can attempt Windows-specific providers if on Windows.
             if (DesktopOsHelper.IsWindows())
             {
                 logger?.Info("[MI][KeyProviderFactory] Windows detected with CNG support - using Windows managed identity key provider.");
                 return new WindowsManagedIdentityKeyProvider();
             }
 
-            // Non-Windows OS with SUPPORTS_CNG defined still falls back to in-memory implementation.
+            // Non-Windows OS - we will fall back to in-memory implementation.
             logger?.Info("[MI][KeyProviderFactory] Non-Windows platform (with CNG) - using InMemory provider.");
             return new InMemoryManagedIdentityKeyProvider();
-#endif
         }
     }
 }

src/client/Microsoft.Identity.Client/Microsoft.Identity.Client.csproj

@@ -80,7 +80,6 @@
     <Compile Include="$(PathToMsalSources)\**\*.cs" Exclude="$(PathToMsalSources)\obj\**\*.*" />
     <Compile Remove="$(PathToMsalSources)\Platforms\**\*.*;$(PathToMsalSources)\Resources\*.cs" />
     <Compile Remove="$(PathToMsalSources)\PlatformsCommon\PlatformNotSupported\ApiConfig\SystemWebViewOptions.cs" />
-    <Compile Remove="$(PathToMsalSources)\ManagedIdentity\KeyProviders\WindowsCngKeyOperations.cs" />
     <EmbeddedResource Include="$(PathToMsalSources)\Properties\Microsoft.Identity.Client.rd.xml" />
     <None Include="$(PathToMsalSources)\..\..\..\README.md" Pack="true" PackagePath="\" />
     <None Include="Platforms\net\JsonObjectAttribute.cs" />
@@ -95,6 +94,7 @@
     <Compile Include="$(PathToMsalSources)\Platforms\Features\OpenTelemetry\**\*.cs" />
 
     <PackageReference Include="System.Diagnostics.DiagnosticSource" />
+    <PackageReference Include="System.Security.Cryptography.Cng" />
   </ItemGroup>
 
   <ItemGroup Condition="'$(TargetFramework)' == '$(TargetFrameworkNet)'">
@@ -103,7 +103,6 @@
     <Compile Include="$(PathToMsalSources)\Platforms\Features\DefaultOSBrowser\**\*.cs" />
     <Compile Include="$(PathToMsalSources)\Platforms\Features\DesktopOS\**\*.cs" />
     <Compile Include="$(PathToMsalSources)\Platforms\Features\OpenTelemetry\**\*.cs" />
-    <Compile Include="$(PathToMsalSources)\ManagedIdentity\KeyProviders\WindowsCngKeyOperations.cs" />
 
     <!--System.Text.Json replaces internal NewtonSoft for NET -->
     <Compile Remove="$(PathToMsalSources)\json\**\*.*" />
@@ -127,7 +126,6 @@
     <Compile Include="$(PathToMsalSources)\Platforms\Features\DefaultOSBrowser\**\*.cs" />
     <Compile Include="$(PathToMsalSources)\Platforms\Features\WinFormsLegacyWebUi\**\*.cs" />
     <Compile Include="$(PathToMsalSources)\Platforms\Features\DesktopOS\**\*.cs" />
-    <Compile Include="$(PathToMsalSources)\ManagedIdentity\KeyProviders\WindowsCngKeyOperations.cs" />
 
     <Reference Include="System" />
     <Reference Include="System.Core" />