sethmlarson / truststore

Verify certificates using OS trust stores
https://truststore.readthedocs.io
MIT License

Client authentication on Windows? #78

Open forderud opened 1 year ago

forderud commented 1 year ago

I am currently using Python for performing client authentication on Windows as part of an HTTP request with code like this:

import http.client, ssl

hostname = "example.com"  # placeholder server name (not part of the original snippet)

# load clientAuth cert (with private key) from file
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
context.load_default_certs()
context.load_cert_chain(certfile="MyClientCert.pem")

# submit HTTP request
conn = http.client.HTTPSConnection(hostname, port=443, context=context)
conn.request('GET', '/')

# print response
r = conn.getresponse()
print(r.status, r.reason)

This works fine but has the downside of requiring the client certificate (including private key) to be provided through a PEM file. I would like to avoid this and instead use a certificate directly from the Windows certificate store, so that the private key can be stored non-exportable in the TPM chip for improved security.

Is it possible to use this library for client authentication on Windows?

Desired pseudocode

This is roughly the type of code that I want to write to enable TPM-based client authentication:

import socket, ssl, truststore

# Load clientAuth cert named "MyClientCert" from "CurrentUser/My" store
ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ctx.load_cert_chain("MyClientCert", "My", StoreLocation.CurrentUser)

# Connect and initiate TLS handshake with client auth.
sock = socket.create_connection((hostname, 443))
sock = ctx.wrap_socket(sock, server_hostname=hostname)
...

This will then utilize the following certificate from the Windows certificate store: [screenshot of the certificate in the Windows certificate store]
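For reference, here is what the pseudocode above maps to on Windows today, as an added example that is not code from the truststore project or from the issue author: PowerShell selects a clientAuth certificate from the CurrentUser\My store, reports which key storage provider holds its private key and whether the key is exportable, and hands the certificate object to Invoke-WebRequest so that SChannel uses the key in place during the TLS handshake. The subject name CN=MyClientCert and the endpoint https://example.com/ are assumptions; everything else is standard .NET and PowerShell API.

```powershell
# Added example, not code from the truststore project or from the linked
# WindowsClientAuth repository. Assumed: a clientAuth certificate with subject
# CN=MyClientCert exists in CurrentUser\My, and https://example.com/ is an
# endpoint that requests a client certificate during the TLS handshake.
$CertSubject = 'CN=MyClientCert'
$Url         = 'https://example.com/'

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$EkuExtOid     = '2.5.29.37'           # extendedKeyUsage extension

function Test-ClientAuthEku {
    # True when the certificate explicitly lists the TLS client authentication EKU.
    # RFC 5280 treats an absent EKU as "any purpose", but a TLS client certificate
    # should state it, so an absent extension is rejected here.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $ext = $Cert.Extensions[$EkuExtOid]
    if (-not $ext) { return $false }
    foreach ($eku in $ext.EnhancedKeyUsages) {
        if ($eku.Value -eq $ClientAuthOid) { return $true }
    }
    return $false
}

function Get-PrivateKeyInfo {
    # Reports which key storage provider holds the private key and its export policy.
    # Returns $null for keys held by a legacy CSP, which expose no CNG key handle.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if (-not $key) {
        $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)
    }
    if ($key -and ($key.PSObject.Properties.Name -contains 'Key')) {
        # RSACng / ECDsaCng expose the underlying CNG key.
        return [pscustomobject]@{
            Algorithm    = $key.SignatureAlgorithm
            Provider     = $key.Key.Provider.Provider   # "Microsoft Platform Crypto Provider" for a TPM-resident key
            ExportPolicy = $key.Key.ExportPolicy        # "None" means non-exportable
        }
    }
    return $null
}

# 1. Pick a time-valid certificate that has a private key and the clientAuth EKU.
$now  = Get-Date
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object {
        $_.Subject -eq $CertSubject -and
        $_.HasPrivateKey -and                      # a cert without its key cannot authenticate anything
        $_.NotBefore -le $now -and $_.NotAfter -ge $now -and
        (Test-ClientAuthEku $_)
    } |
    Sort-Object -Property NotAfter -Descending |   # prefer the longest-lived match
    Select-Object -First 1

if (-not $cert) {
    throw "No time-valid clientAuth certificate with a private key and subject '$CertSubject' in CurrentUser\My"
}

# 2. Show where the key lives before using it.
$info = Get-PrivateKeyInfo $cert
if ($info) {
    Write-Host "Key held by: $($info.Provider); export policy: $($info.ExportPolicy)"
} else {
    Write-Host "Key is in a legacy CSP; provider and export policy not queryable this way"
}

# 3. Let SChannel perform the handshake. It signs the CertificateVerify with the key
#    in place, so no PEM file is written and a non-exportable (e.g. TPM-resident) key
#    never leaves its provider. -CertificateThumbprint $cert.Thumbprint is equivalent.
$response = Invoke-WebRequest -Uri $Url -Certificate $cert -UseBasicParsing
Write-Host "HTTP $($response.StatusCode) from $Url using $($cert.Thumbprint)"
```

Run it in Windows PowerShell 5.1 or PowerShell 7 on a machine that holds the certificate; the request fails if the server does not trust the client certificate's issuer or if the server's own certificate is not trusted by the Windows machine store. The point it makes for this issue is that the private-key handling happens entirely inside the Windows TLS stack, which is exactly the hook that Python's ssl module does not expose: load_cert_chain accepts only file paths, not a store reference.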

sethmlarson commented 1 year ago

I would love to integrate with OS-specific APIs for their trust stores, but we'd be blazing our own trail a little bit in terms of how we expose them. Would be good to collect information on how Windows does client-side auth and then also do the same for macOS.

forderud commented 1 year ago

I've recently worked a bit on Windows client-side auth and published some sample code on https://github.com/forderud/WindowsClientAuth . The C# WebClient.cs and C++ CertAccess.hpp sources give a fairly simple introduction to how to load certificates and use them for client authentication on Windows. My wish for writing similar code also in Python was what triggered this request.