Open forderud opened 1 year ago
I would love to integrate with OS-specific APIs for their trust stores, but we'd be blazing our own trail a little bit in terms of how we expose them. Would be good to collect information on how Windows does client-side auth and then also do the same for macOS.
I've recently worked a bit on Windows client-side auth and published some sample code on https://github.com/forderud/WindowsClientAuth . The C# WebClient.cs and C++ CertAccess.hpp sources give a fairly simple introduction to how to load certificates and use them for client authentication on Windows. My wish for writing similar code also in Python was what triggered this request.
I am currently using Python for performing client authentication on Windows as part of an HTTP request with code like this:
This works fine but has the downside of requiring the client certificate (including private key) to be provided through a PEM file. I would like to avoid this and instead use a certificate directly from the Windows certificate store, so that the private key can be stored non-exportable in the TPM chip for improved security.
Is it possible to use this library for client authentication on Windows?
Desired pseudocode
This is roughly the type of code that I want to write to enable TPM-based client authentication:
This will then utilize the following certificate from the Windows certificate store: