ability to disable pkcs12 support at compile time

[kruskall]

Feature Request

azidentity is calling x/crypto/pkcs12 at

azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go

Line 20 in 3f308de

"golang.org/x/crypto/pkcs12"

this is problematic for fips compliance and doesn't allow consumers to fully use the go 1.24 fips support because x/crypto is not covered (https://go.dev/doc/security/fips140)

Would it be possible to move loadPKCS12Cert to a separate file and use an empty implementation if a build tag is passed to avoid linking x/crypto in the final binary ?

[chlowell]

How do you determine compliance? The last time this came up, I came away believing an application could stay compliant by never calling into x/crypto/pkcs12, which is easy to do: if you authenticate with a certificate, make sure it's in PEM format or parse it yourself (#23354 (comment))

[github-actions]

Hi @kruskall. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

[kruskall]

How do you determine compliance? The last time this came up, I came away believing an application could stay compliant by never calling into x/crypto/pkcs12, which is easy to do: if you authenticate with a certificate, make sure it's in PEM format or parse it yourself (#23354 (comment))

Never calling x/crypto helps but the dependency is still included in the binary which creates maintenance burden, especially if there are more transitive dependency using the azure sdk.
Even if one verifies all the dependencies using the azure sdk to not call into pkcs12, they would need to revalidate such assumption on each dependency update/change.
On the other hand, "disabling" the import at compile time is a more proactive measure which allows x/crypto to not to be linked in the binary at all.