From 3ac0b3c8925183232aa902eadfd09e2ee71c20f0 Mon Sep 17 00:00:00 2001
From: Bogdan Gavril
Date: Tue, 6 Jan 2026 10:39:40 +0000
Subject: [PATCH] Suppress CodeQL warning SHA1 thumbprint in client assertion remains the only recognized way for some IDPs that MSAL supports, like ADFS.
---
 msal/application.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/msal/application.py b/msal/application.py
index 57e40980..b283440c 100644
--- a/msal/application.py
+++ b/msal/application.py
@@ -77,9 +77,9 @@ def _extract_cert_and_thumbprints(cert):
 [1:-1] # Strip the "--- header ---" and "--- footer ---"
 )
 ]
- # https://cryptography.io/en/latest/x509/reference/#x-509-certificate-object
- sha256_thumbprint = cert.fingerprint(hashes.SHA256()).hex() # Requires cryptography 0.7+
- sha1_thumbprint = cert.fingerprint(hashes.SHA1()).hex() # Requires cryptography 0.7+
+ # https://cryptography.io/en/latest/x509/reference/#x-509-certificate-object - Requires cryptography 0.7+
+ sha256_thumbprint = cert.fingerprint(hashes.SHA256()).hex()
+ sha1_thumbprint = cert.fingerprint(hashes.SHA1()).hex() # CodeQL [SM02167] for legacy support such as ADFS
 return sha256_thumbprint, sha1_thumbprint, x5c
 
 def _parse_pfx(pfx_path, passphrase_bytes):
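Review bot: The suppression on the `hashes.SHA1()` line justifies itself only with "for legacy support such as ADFS", which says who needs the value but not why a weak hash is tolerable here. If, as the commit message implies, the SHA-1 thumbprint only identifies the certificate in the client assertion and is never used to sign or verify anything, the comment should say so, e.g. `# CodeQL [SM02167] SHA-1 thumbprint only identifies the cert to IdPs such as ADFS; it is not used for signing`. It would also help to add a line above the `return` such as `# Callers should prefer sha256_thumbprint wherever the authority accepts it`, so the suppressed value is not picked up by default. How callers choose between the two thumbprints is not visible here, since `_extract_cert_and_thumbprints` starts outside the hunk and its callers are not shown.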