refactor(azure): Extract SSH key cert handling to new certs module

[peytonr18]

Proposed Commit Message

refactor(azure): Extract SSH key cert handling to new certs module

Refactor x509 certificate and SSH key handling logic from 
OpenSSLManager and DataSourceAzure into a new dedicated 
module cloudinit/sources/azure/certs.py with three utility functions:

  - is_openssh_formatted(): Validates OpenSSH format keys
  - is_x509_certificate(): Validates x509 certificates via opensslprobert
  - convert_x509_to_openssh(): Converts x509 certs to OpenSSH keys

This refactoring maintains existing functionality without changes while 
preparing the codebase for upcoming work to support x509 certificates 
from Azure IMDS.

Additional Context

Purpose:
Refactors x509 certificate and SSH key handling logic from OpenSSLManager and DataSourceAzure into a dedicated module (cloudinit/sources/azure/certs.py).

Changes:

• New module: cloudinit/sources/azure/certs.py with three functions:
• is_openssh_formatted() - Validates OpenSSH format keys
• is_x509_certificate() - Validates x509 certificates using openssl
• convert_x509_to_openssh() - Converts x509 certs to OpenSSH keys
• Updated: cloudinit/sources/helpers/azure.py --> _get_ssh_key_from_cert() now uses new module
• Updated: cloudinit/sources/DataSourceAzure.py --> _key_is_openssh_formatted() now uses new module

Test Coverage:

• Unit tests for OpenSSH key validation and basic checks (various types, edge cases, markers, empty strings)
• Integration tests with openssl for x509 validation & with openssl + ssh-keygen for cert conversion
• Mocked tests for error handling (openssl/ssh-keygen failures)

Merge type

• Squash merge using "Proposed Commit Message"

---

Replaces #6561

[cjp256]

what happens with AuthKeyLineParser if \r\n is found in the middle of the key? does it still validate?

[peytonr18]

Edit: I've updated in the latest commit: instead of rejecting keys with embedded \r\n, we now sanitize them by stripping the CRLF sequences before validation. This handles the Azure-generated key case (LP: #1910835) where \r\n gets injected into the base64 data.

The flow in _get_public_ssh_keys_from_imds() is now:

1. Collect raw keys from IMDS
2. Sanitize any keys containing \r\n via sanitize_openssh_key()
3. Validate with is_openssh_formatted()
4. Return clean, validated keys

For example, a key like ssh-rsa AAAA\r\nBBBB comment gets sanitized to ssh-rsa AAAABBBB comment, validated, and returned cleanly for authorized_keys.

[bpryan99]

LGTM! Good test coverage.

[cjp256]

LGTM, thanks Peyton!

[cjp256]

@blackboxsw this is ready for review when you get a chance, thanks!

[github-actions]

Hello! Thank you for this proposed change to cloud-init. This pull request is now marked as stale as it has not seen any activity in 14 days. If no activity occurs within the next 7 days, this pull request will automatically close.

If you are waiting for code review and you are seeing this message, apologies! Please reply, tagging blackboxsw, and he will ensure that someone takes a look soon.

(If the pull request is closed and you would like to continue working on it, please do tag blackboxsw to reopen it.)

[peytonr18]

Hi @blackboxsw, this one is on track to be marked stale whenever you get a chance - thank you!