Set SendCertificateChain option in KeyVaultReader to enable SN+I authentication

src/NuGet.Services.KeyVault/KeyVaultReader.cs

@@ -13,13 +13,16 @@ namespace NuGet.Services.KeyVault
 {
     /// <summary>
     /// Reads secretes from KeyVault.
-    /// Authentication with KeyVault is done using either a managed identity or a certificate in location:LocalMachine store name:My 
+    /// Authentication with KeyVault is done using either a managed identity or a certificate in location:LocalMachine store name:My
     /// </summary>
     public class KeyVaultReader : ISecretReader
     {
         private readonly KeyVaultConfiguration _configuration;
         private readonly Lazy<SecretClient> _keyVaultClient;
 
+        // This is used to determine if the client is using SendX5c for unit testing purposes
+        internal bool isUsingSendX5c;
+
         protected SecretClient KeyVaultClient => _keyVaultClient.Value;
 
         public KeyVaultReader(KeyVaultConfiguration configuration)
@@ -85,6 +88,7 @@ private static ISecret MapSecret(string secretName, AzureSecurityKeyVaultSecret
         private SecretClient InitializeClient()
         {
             TokenCredential credential = null;
+            isUsingSendX5c = false;
 
             if (_configuration.UseManagedIdentity)
             {
@@ -99,8 +103,23 @@ private SecretClient InitializeClient()
             }
             else
             {
-                credential = new ClientCertificateCredential(_configuration.TenantId, _configuration.ClientId, _configuration.Certificate);
+                if (_configuration.SendX5c)
+                {
+                    var clientCredentialOptions = new ClientCertificateCredentialOptions
+                    {
+                        SendCertificateChain = true
+                    };
+
+                    credential = new ClientCertificateCredential(_configuration.TenantId, _configuration.ClientId, _configuration.Certificate, clientCredentialOptions);
+                    isUsingSendX5c = true;
+                }
+                else
+                {
+                    credential = new ClientCertificateCredential(_configuration.TenantId, _configuration.ClientId, _configuration.Certificate);
+
+                }
             }
+
             return new SecretClient(GetKeyVaultUri(_configuration), credential);
         }
 

src/NuGet.Services.KeyVault/Properties/AssemblyInfo.cs

@@ -0,0 +1,10 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Runtime.CompilerServices;
+
+#if SIGNED_BUILD
+[assembly: InternalsVisibleTo("NuGet.Services.KeyVault.Tests,PublicKey=0024000004800000940000000602000000240000525341310004000001000100b5fc90e7027f67871e773a8fde8938c81dd402ba65b9201d60593e96c492651e889cc13f1415ebb53fac1131ae0bd333c5ee6021672d9718ea31a8aebd0da0072f25d87dba6fc90ffd598ed4da35e44c398c454307e8e33b8426143daec9f596836f97c8f74750e5975c64e2189f45def46b2a2b1247adc3652bf5c308055da9")]
+#else
+[assembly: InternalsVisibleTo("NuGet.Services.KeyVault.Tests")]
+#endif

tests/NuGet.Services.KeyVault.Tests/KeyVaultReaderFacts.cs

@@ -0,0 +1,34 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Threading.Tasks;
+using Azure.Security.KeyVault.Secrets
+using Moq;
+using Xunit;
+
+namespace NuGet.Services.KeyVault.Tests
+{
+    public class SecretReaderFacts
+    {
+        [Fact]
+        public void GetSecretObjectWithSendX5c()
+        {
+            // Arrange
+            const string vaultName = "vaultName";
+            const string tenantId = "tenantId";
+            const string clientId = "clientId";
+            const string secret = "secretvalue";
+
+            X509Certificate2 certificate = new X509Certificate2();
+
+            KeyVaultConfiguration keyVaultConfiguration = new KeyVaultConfiguration("vaultName", "tenantId", "clientId", certificate, sendX5c:true);
+
+            // Act
+            var keyvaultReader = new KeyVaultReader(keyVaultConfiguration);
+
+            // Assert
+            Assert.True(keyvaultReader.isUsingSendX5c);
+        }
+    }
+}