MSI V2 client-side keys: add e2e + unit tests, fixes, hardware KSP updates

Author: GladwinJohnson

build/template-run-mi-e2e-azurearc.yaml

@@ -37,4 +37,4 @@ steps:
     codeCoverageEnabled: false
     failOnMinTestsNotRun: true
     minimumExpectedTests: '1'
-    testFiltercriteria: 'TestCategory=MI_E2E_AzureArc'
+    testFiltercriteria: '(TestCategory=MI_E2E_AzureArc|TestCategory=MI_E2E_KeyAcquisition_KeyGuard)'

build/template-run-mi-e2e-imds.yaml

@@ -38,4 +38,4 @@ steps:
     runInParallel: false
     failOnMinTestsNotRun: true
     minimumExpectedTests: '1'
-    testFiltercriteria: 'TestCategory=MI_E2E_Imds'
+    testFiltercriteria: '(TestCategory=MI_E2E_Imds|TestCategory=MI_E2E_KeyAcquisition_Hardware)'

src/client/Microsoft.Identity.Client/Internal/Requests/ManagedIdentityAuthRequest.cs

@@ -19,6 +19,7 @@ internal class ManagedIdentityAuthRequest : RequestBase
         private readonly AcquireTokenForManagedIdentityParameters _managedIdentityParameters;
         private static readonly SemaphoreSlim s_semaphoreSlim = new SemaphoreSlim(1, 1);
         private readonly ICryptographyManager _cryptoManager;
+        private readonly IManagedIdentityKeyProvider _managedIdentityKeyProvider;
 
         public ManagedIdentityAuthRequest(
             IServiceBundle serviceBundle,
@@ -28,13 +29,17 @@ public ManagedIdentityAuthRequest(
         {
             _managedIdentityParameters = managedIdentityParameters;
             _cryptoManager = serviceBundle.PlatformProxy.CryptographyManager;
+            _managedIdentityKeyProvider = serviceBundle.PlatformProxy.ManagedIdentityKeyProvider;
         }
 
         protected override async Task<AuthenticationResult> ExecuteAsync(CancellationToken cancellationToken)
         {
             AuthenticationResult authResult = null;
             ILoggerAdapter logger = AuthenticationRequestParameters.RequestContext.Logger;
 
+            ManagedIdentityKeyInfo keyInfo = await _managedIdentityKeyProvider.GetOrCreateKeyAsync(
+                logger, cancellationToken).ConfigureAwait(false);
+
             // 1. FIRST, handle ForceRefresh
             if (_managedIdentityParameters.ForceRefresh)
             {

src/client/Microsoft.Identity.Client/ManagedIdentity/KeyProviders/InMemoryManagedIdentityKeyProvider.cs

@@ -80,11 +80,11 @@ public async Task<ManagedIdentityKeyInfo> GetOrCreateKeyAsync(
         private static RSA CreateRsaKeyPair()
         {
             RSA rsa;
-#if NET462 || NET472
+#if NETFRAMEWORK
             // .NET Framework (Windows): use RSACng 
             rsa = new RSACng();
 #else
-            // Cross-platform (.NET Core/8+/Standard)
+            // Cross‑platform: RSA.Create() -> CNG (Windows) / OpenSSL (Linux).
             rsa = RSA.Create();
 #endif
             rsa.KeySize = 2048;

src/client/Microsoft.Identity.Client/ManagedIdentity/KeyProviders/WindowsCngKeyOperations.cs

@@ -17,8 +17,9 @@ namespace Microsoft.Identity.Client.ManagedIdentity.KeyProviders
     /// </summary>
     internal static class WindowsCngKeyOperations
     {
-        private const string ProviderName = "Microsoft Software Key Storage Provider";
-        private const string KeyName = "KeyGuardRSAKey";
+        private const string SoftwareKspName = "Microsoft Software Key Storage Provider";
+        private const string KeyGuardKeyName = "KeyGuardRSAKey";
+        private const string HardwareKeyName = "HardwareRSAKey";
 
         // --- KeyGuard path (RSA) ---
         public static bool TryGetOrCreateKeyGuard(ILoggerAdapter logger, out RSA rsa)
@@ -27,33 +28,51 @@ public static bool TryGetOrCreateKeyGuard(ILoggerAdapter logger, out RSA rsa)
 
             try
             {
-                // Try open by the known name first
+                // Try open by the known name first (Software KSP, user scope, silent)
                 CngKey key;
                 try
                 {
-                    key = CngKey.Open(KeyName, new CngProvider(ProviderName));
+                    key = CngKey.Open(
+                        KeyGuardKeyName,
+                        new CngProvider(SoftwareKspName),
+                        CngKeyOpenOptions.UserKey | CngKeyOpenOptions.Silent);
                 }
                 catch (CryptographicException)
                 {
-                    // Not found -> create fresh
+                    // Not found -> create fresh (helper may return null if VBS unavailable)
                     logger?.Verbose(() => "[MI][WinKeyProvider] KeyGuard key not found; creating fresh.");
                     key = KeyGuardHelper.CreateFresh(logger);
                 }
 
+                // If VBS is unavailable, CreateFresh() returns null. Bail out cleanly.
+                if (key == null)
+                {
+                    logger?.Verbose(() => "[MI][WinKeyProvider] KeyGuard unavailable (VBS off or not supported).");
+                    return false;
+                }
+
                 // Ensure actually KeyGuard-protected; recreate if not
                 if (!KeyGuardHelper.IsKeyGuardProtected(key))
                 {
                     logger?.Verbose(() => "[MI][WinKeyProvider] KeyGuard key found but not protected; recreating.");
                     key.Dispose();
                     key = KeyGuardHelper.CreateFresh(logger);
+
+                    // Check again after recreate; still null or not protected -> give up KeyGuard path
+                    if (key == null || !KeyGuardHelper.IsKeyGuardProtected(key))
+                    {
+                        key?.Dispose();
+                        logger?.Verbose(() => "[MI][WinKeyProvider] Unable to obtain a KeyGuard-protected key.");
+                        return false;
+                    }
                 }
 
                 rsa = new RSACng(key);
                 if (rsa.KeySize < 2048)
                 {
                     try
                     { rsa.KeySize = 2048; }
-                    catch { }
+                    catch { /* some providers don't allow */ }
                 }
                 return true;
             }
@@ -76,39 +95,48 @@ public static bool TryGetOrCreateHardwareRsa(ILoggerAdapter logger, out RSA rsa)
 
             try
             {
-                CngProvider provider = new CngProvider(ProviderName);
-                CngKeyOpenOptions openOpts = CngKeyOpenOptions.UserKey;
-
-                CngKey key = CngKey.Exists(KeyName, provider, openOpts)
-                    ? CngKey.Open(KeyName, provider, openOpts)
-                    : CngKey.Create(
-                        CngAlgorithm.Rsa,
-                        KeyName,
-                        new CngKeyCreationParameters
-                        {
-                            Provider = provider,
-                            KeyUsage = CngKeyUsages.Signing,
-                            ExportPolicy = CngExportPolicies.None,   // non-exportable
-                            KeyCreationOptions = CngKeyCreationOptions.MachineKey
-                        });
+                // PCP (TPM) in USER scope
+                CngProvider provider = new CngProvider(SoftwareKspName);
+                CngKeyOpenOptions openOpts = CngKeyOpenOptions.UserKey | CngKeyOpenOptions.Silent;
+
+                CngKey key = CngKey.Exists(HardwareKeyName, provider, openOpts)
+                    ? CngKey.Open(HardwareKeyName, provider, openOpts)
+                    : CreateUserPcpRsa(provider, HardwareKeyName);
 
                 rsa = new RSACng(key);
 
                 if (rsa.KeySize < 2048)
                 {
                     try
                     { rsa.KeySize = 2048; }
-                    catch { }
+                    catch { /* PCP typically ignores post-create change */ }
                 }
-                
-                logger?.Info("[MI][WinKeyProvider] Using Hardware key (RSA).");
+
+                logger?.Info("[MI][WinKeyProvider] Using Hardware key (RSA, PCP user).");
                 return true;
             }
-            catch (CryptographicException)
+            catch (CryptographicException e)
             {
-                logger?.Verbose(() => "[MI][WinKeyProvider] Exception creating Hardware key.");
+                // Add HResult to make CI diagnostics actionable
+                logger?.Verbose(() => "[MI][WinKeyProvider] Hardware key creation/open failed. " +
+                                       $"HR=0x{e.HResult:X8}. {e.GetType().Name}: {e.Message}");
                 return false;
             }
+
+            static CngKey CreateUserPcpRsa(CngProvider provider, string name)
+            {
+                var p = new CngKeyCreationParameters
+                {
+                    Provider = provider,
+                    KeyUsage = CngKeyUsages.Signing,
+                    ExportPolicy = CngExportPolicies.None,          // non-exportable (expected for TPM)
+                    KeyCreationOptions = CngKeyCreationOptions.None // USER scope
+                };
+
+                p.Parameters.Add(new CngProperty("Length", BitConverter.GetBytes(2048), CngPropertyOptions.None));
+
+                return CngKey.Create(CngAlgorithm.Rsa, name, p);
+            }
         }
     }
 }

src/client/Microsoft.Identity.Client/ManagedIdentity/KeyProviders/WindowsManagedIdentityKeyProvider.cs

@@ -102,7 +102,24 @@ public async Task<ManagedIdentityKeyInfo> GetOrCreateKeyAsync(
                         $"[MI][WinKeyProvider] Exception creating Hardware key: {ex.GetType().Name}");
                 }
 
+                // 3) In-memory fallback (software RSA)
+                logger?.Info("[MI][WinKeyProvider] Falling back to in-memory RSA key (software).");
+                if (ct.IsCancellationRequested)
+                {
+                    logger?.Verbose(() => "[MI][WinKeyProvider] Cancellation requested before in-memory fallback.");
+                    ct.ThrowIfCancellationRequested();
+                }
+
+                var fallback = new InMemoryManagedIdentityKeyProvider();
+                _cached = await fallback.GetOrCreateKeyAsync(logger, ct).ConfigureAwait(false);
+
+                if (messageBuilder.Length > 0)
+                {
+                    logger?.Verbose(() => "[MI][WinKeyProvider] Fallback reasons:\n" + messageBuilder.ToString().Trim());
+                }
+
                 return _cached;
+
             }
             finally
             {

src/client/Microsoft.Identity.Client/ManagedIdentity/ManagedIdentityClient.cs

@@ -20,14 +20,11 @@ internal class ManagedIdentityClient
         private const string WindowsHimdsFilePath = "%Programfiles%\\AzureConnectedMachineAgent\\himds.exe";
         private const string LinuxHimdsFilePath = "/opt/azcmagent/bin/himds";
         private readonly AbstractManagedIdentity _identitySource;
-        private readonly IManagedIdentityKeyProvider _provider;
 
         public ManagedIdentityClient(RequestContext requestContext)
         {
             using (requestContext.Logger.LogMethodDuration())
             {
-
-                _provider = requestContext.ServiceBundle.PlatformProxy.ManagedIdentityKeyProvider;
                 _identitySource = SelectManagedIdentitySource(requestContext);
             }
         }

tests/Microsoft.Identity.Test.E2e/ManagedIdentityKeyAcquisitionTests.cs

@@ -0,0 +1,77 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Security.Cryptography;
+using Microsoft.Identity.Client.ManagedIdentity.KeyGuard;
+using Microsoft.Identity.Client.ManagedIdentity.KeyProviders;
+using Microsoft.Identity.Test.Common.Core.Helpers;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+
+namespace Microsoft.Identity.Test.E2E
+{
+    [TestClass]
+    public class ManagedIdentityKeyAcquisitionTests
+    {
+        private const string SoftwareKspName = "Microsoft Software Key Storage Provider";
+
+        // Runs on the AzureArc agent: must obtain a VBS/KeyGuard key.
+        [TestMethod]
+        [TestCategory("MI_E2E_KeyAcquisition_KeyGuard")]
+        [RunOnAzureDevOps]
+        public void KeyAcquisition_Fetches_KeyGuard_Key()
+        {
+            if (!OperatingSystem.IsWindows())
+            {
+                Assert.Inconclusive("This test runs on Windows agents only.");
+            }
+
+            bool ok = WindowsCngKeyOperations.TryGetOrCreateKeyGuard(logger: null, out RSA rsa);
+            Assert.IsTrue(ok, "Expected KeyGuard key on AzureArc agent.");
+
+            using (rsa)
+            {
+                var rsacng = rsa as RSACng;
+                Assert.IsNotNull(rsacng, "Expected RSACng for KeyGuard.");
+                Assert.IsTrue(
+                    KeyGuardHelper.IsKeyGuardProtected(rsacng.Key),
+                    "Expected KeyGuard (VBS) protected key on AzureArc agent.");
+            }
+        }
+
+        // Runs on the IMDS agent: must obtain a TPM/PCP hardware key (user scope).
+        [TestMethod]
+        [TestCategory("MI_E2E_KeyAcquisition_Hardware")]
+        [RunOnAzureDevOps]
+        public void KeyAcquisition_Fetches_Hardware_Key()
+        {
+            if (!OperatingSystem.IsWindows())
+            {
+                Assert.Inconclusive("This test runs on Windows agents only.");
+            }
+
+            bool ok = WindowsCngKeyOperations.TryGetOrCreateHardwareRsa(logger: null, out RSA rsa);
+            Assert.IsTrue(ok, "Expected TPM hardware key on IMDS agent.");
+
+            using (rsa)
+            {
+                var rsacng = rsa as RSACng;
+                Assert.IsNotNull(rsacng, "Expected RSACng for hardware key.");
+
+                Assert.AreEqual(
+                    SoftwareKspName,
+                    rsacng.Key.Provider.Provider,
+                    "Expected TPM-backed key via Microsoft Software Key Storage Provider.");
+
+                // TPM keys created with ExportPolicy=None should not allow private export.
+                bool privateExportable = true;
+                try
+                { _ = rsacng.ExportParameters(true); }
+                catch (CryptographicException) { privateExportable = false; }
+                catch (NotSupportedException) { privateExportable = false; }
+
+                Assert.IsFalse(privateExportable, "Hardware (TPM) key should be non-exportable.");
+            }
+        }
+    }
+}