refactor(azure): Extract SSH key cert handling to new certs module

[peytonr18]

Proposed Commit Message

refactor(azure): Extract SSH key cert handling to new certs module

Refactor x509 certificate and SSH key handling logic from 
OpenSSLManager and DataSourceAzure into a new dedicated 
module cloudinit/sources/azure/certs.py with three utility functions:

  - is_openssh_formatted(): Validates OpenSSH format keys
  - is_x509_certificate(): Validates x509 certificates via openssl
  - convert_x509_to_openssh(): Converts x509 certs to OpenSSH keys

This refactoring maintains existing functionality without changes while 
preparing the codebase for upcoming work to support x509 certificates 
from Azure IMDS.

Additional Context

Purpose:
Refactors x509 certificate and SSH key handling logic from OpenSSLManager and DataSourceAzure into a dedicated module (cloudinit/sources/azure/certs.py).

Changes:

• New module: cloudinit/sources/azure/certs.py with three functions:
• is_openssh_formatted() - Validates OpenSSH format keys
• is_x509_certificate() - Validates x509 certificates using openssl
• convert_x509_to_openssh() - Converts x509 certs to OpenSSH keys
• Updated: cloudinit/sources/helpers/azure.py --> _get_ssh_key_from_cert() now uses new module
• Updated: cloudinit/sources/DataSourceAzure.py --> _key_is_openssh_formatted() now uses new module

Test Coverage:

• Unit tests for OpenSSH key validation and basic checks (various types, edge cases, markers, empty strings)
• Integration tests with openssl for x509 validation & with openssl + ssh-keygen for cert conversion
• Mocked tests for error handling (openssl/ssh-keygen failures)

Merge type

• Squash merge using "Proposed Commit Message"

---

[peytonr18]

The following was discussed offline, and these changes are reflected in the most recent commit:

Re: The current parse_certificates() really extracts the x509 certificate from whatever bundle it might be in, I'm inclined to think the safest bet is to essentially extract this into another interface:
extract_x509_certificate(key_data: str) -> str | None:

def parse_certificates(self, certificates_xml):

        """Given the Certificates XML document, return a dictionary of
        fingerprints and associated SSH keys derived from the certs."""
        out = self._decrypt_certs_from_xml(certificates_xml)
        current = []
        keys = {}
        for line in out.splitlines():
            current.append(line)
            if re.match(r"[-]+END .*?KEY[-]+$", line):
                # ignore private_keys
                current = []
            elif re.match(r"[-]+END .*?CERTIFICATE[-]+$", line):
                certificate = "\n".join(current)
                ssh_key = self._get_ssh_key_from_cert(certificate)
                fingerprint = self._get_fingerprint_from_cert(certificate)
                keys[fingerprint] = ssh_key
                current = []
        return keys

[holmanb]

It looks like this is waiting for updates per the latest review, so I'll hold off on reviewing it for now.

[github-actions]

Hello! Thank you for this proposed change to cloud-init. This pull request is now marked as stale as it has not seen any activity in 14 days. If no activity occurs within the next 7 days, this pull request will automatically close.

If you are waiting for code review and you are seeing this message, apologies! Please reply, tagging blackboxsw, and he will ensure that someone takes a look soon.

(If the pull request is closed and you would like to continue working on it, please do tag blackboxsw to reopen it.)

[peytonr18]

We are making changes on our end before reviewing this one to make sure our testing infrastructure is prepared to handle this change. Once those are finished, I'll reopen this PR for review.

[peytonr18]

@blackboxsw Looking to reopen this PR now that we have completed the basework, so I can continue working on it. Thanks!