socketpair
commented
1 month ago Any progress on that ? @forderud have you found any solution ?
Open forderud opened 1 year ago
socketpair
commented
1 month ago Any progress on that ? @forderud have you found any solution ?
forderud
commented
1 month ago Any progress on that ? @forderud have you found any solution ?
I'm unfortunately not aware of any OpenSSL progress in this area. I'm therefore instead using the Win32 CNG or .Net CertificateStores APIs for mTLS authentication if the keys are in secure storage - like e.g. TPM. You'll find sample code for doing so on https://github.com/forderud/WindowsClientAuth
reiniert
commented
1 month ago Sorry, I did not notice this thread earlier and I am not active in this area anymore. I did manage to set up a TLS connection with authentication using opaque NCrypt keys to work a while ago, in combination with asio. It was hacky -- you can see what I did in this branch in my personal fork. Although the concept works, I do not think that the related OpenSSL functionality is sufficiently documented and/or maintained for this to be used in any serious setting.
I'm interesting in performing mutual TLS (mTLS)-based client authentication with CNG-stored private keys. The private keys will be stored in a Trusted Platform Module (TPM) for hardware-enforced non-exportability.
It's nice to see that this project can be used to access certificates in the Windows certificate store based on thumbprint with
openssl storeutl -certs -out cert.pem cert:/CurrentUser/My/<thumbprint>. The correspondingopenssl storeutl -keys -out cert.key cert:/CurrentUser/My/<thumbprint>seem to give an opaque NCrypt handle instead of the actual private key. This is kind of expected since the private key is non-exportable. However, I still don't really understand how to use it for crypto purposes like a mTLS handshake.I've already tried using the public key & opaque NCrypt handle for mTLS authentication with
openssl s_client -connect localhost:443 -cert cert.pem -key cert.key -state -debug, but am then encountering a "unable to load client certificate private key file" error. I guess the reason is thats_clientisn't extended with awareness of the opaque NCrypt handle format(?)Is there any support for using the opaque NCrypt handle to perform a mTLS handshake, either in this repo or associated OpenSSL repo(s)?