sethmlarson / truststore

Verify certificates using OS trust stores
https://truststore.readthedocs.io
MIT License

Client certs #44

Open davisagli opened 2 years ago

davisagli commented 2 years ago

@jacobian pointed out that it would be nice if truststore could also use client certs from the system trust store, particularly on devices that provide device identity by creating certs using a private key stored in a Trusted Platform Module. I suspect this may require actually using system APIs for encrypting the data stream and not just for cert validation though.

bjvetter commented 2 years ago

Hopefully, client certificate support doesn't take as long or end up in the same state as https://bugs.python.org/issue16487

sethmlarson commented 2 years ago

@bjvetter Happy that you're interested in this feature. If you'd like to lend a hand doing research or creating an implementation we can help you get started. Remember that we and Python core developers are all volunteers so it's tough to provide timely updates given the demands of life.

Regarding the issue you linked, that doesn't have much to do with system trust stores but rather with being able to load certificates from bytes instead of a filesystem location. Is there something I'm missing there?

bjvetter commented 2 years ago

My link to that issue is that we have a need to store client TLS credentials somewhere, presumably safe. The current Python implementation is just a path to an unencrypted PEM file - hardly safe. One solution was to store the credential in a "vault" somewhere, then extract it when necessary into the process's memory and use it for a client credential - but that doesn't work, as the underlying urllib3 requires a path to a file and not an in-memory "file"/buffer.

An alternative thought is: what if we could extract it to a "safer" store like the truststore of the server itself? The alias name is pretty much a "path", albeit a reference to a "pem"-like credential in the truststore and not an actual path to a file as in the current Python implementation.

If there is something specific I can help with here, I can probably find some time. I don't tool around inside the Python internals much, but ...