
Client authentication on Windows? #78

Open
forderud opened this issue Sep 23, 2022 · 2 comments


forderud commented Sep 23, 2022

I am currently using Python for performing client authentication on Windows as part of an HTTP request with code like this:

import http.client, ssl

hostname = "example.com"  # placeholder for the server that requires client auth

# load clientAuth cert (with private key) from file
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
context.load_default_certs()
context.load_cert_chain(certfile="MyClientCert.pem")

# submit HTTP request
conn = http.client.HTTPSConnection(hostname, port=443, context=context)
conn.request('GET', '/')

# print response
r = conn.getresponse()
print(r.status, r.reason)

This works fine but has the downside of requiring the client certificate (including private key) to be provided through a PEM file. I would like to avoid this and instead use a certificate directly from the Windows certificate store, so that the private key can be stored non-exportable in the TPM chip for improved security.

Is it possible to use this library for client authentication on Windows?

Desired pseudocode

This is roughly the type of code that I want to write to enable TPM-based client authentication:

import socket, ssl, truststore

# Load clientAuth cert named "MyClientCert" from "CurrentUser/My" store
ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ctx.load_cert_chain("MyClientCert", "My", StoreLocation.CurrentUser)

# Connect and initiate TLS handshake with client auth.
sock = socket.create_connection((hostname, 443))
sock = ctx.wrap_socket(sock, server_hostname=hostname)
...

This will then utilize the following certificate from the Windows certificate store:
[screenshot of the certificate in the Windows certificate store]
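The workflow the request above asks for (select a clientAuth certificate from the CurrentUser\My store, confirm the private key is held non-exportably by a CNG provider such as the TPM-backed "Microsoft Platform Crypto Provider", then let SChannel use it for a client-authenticated HTTPS request) can be done today from PowerShell, since .NET and SChannel sign with the key handle and never need the key material. The script below is an added example for this thread, not code from the issue author, the truststore project, or the WindowsClientAuth repository; the subject name, URL and store location are assumptions.

```powershell
# Added example (not from the issue or the truststore project).
# Assumptions: the certificate subject CN is "MyClientCert" and the server is
# https://example.com/ ; both are placeholders.
$SubjectName   = 'MyClientCert'
$Url           = 'https://example.com/'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

# Select a certificate from CurrentUser\My that has a private key, a matching
# subject, is currently valid and carries the clientAuth EKU. Pick the one that
# expires last if several match.
$now  = Get-Date
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.Subject -like "CN=$SubjectName*" -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        (
            $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $ClientAuthOid }
        )
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No usable clientAuth certificate found for CN=$SubjectName" }

# Inspect where the key lives. For a CNG key this returns an RSACng whose
# .Key.Provider names the key storage provider; TPM-backed keys report
# "Microsoft Platform Crypto Provider" and an ExportPolicy of None.
# Legacy CSP keys come back as RSACryptoServiceProvider instead.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    "Thumbprint   : $($cert.Thumbprint)"
    "Key provider : $($rsa.Key.Provider.Provider)"
    "Export policy: $($rsa.Key.ExportPolicy)"
} else {
    "Key held by legacy provider: $($rsa.GetType().Name)"
}

# The TLS handshake is performed by SChannel, which signs the CertificateVerify
# message through the provider handle, so a non-exportable TPM key works unchanged.
$response = Invoke-WebRequest -Uri $Url -Certificate $cert -UseBasicParsing
"HTTP $($response.StatusCode) from $Url"
```

Checking the export policy before use is the part worth keeping around: it is the only confirmation that the key really is the non-exportable, hardware-held one rather than a software key that happened to be imported into the same store. Python's standard `ssl` module cannot consume a CNG key handle, which is why the same flow is not available there without the kind of store integration this issue asks for.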

@sethmlarson (Owner)

I would love to integrate with OS-specific APIs for their trust stores, but we'd be blazing our own trail a little bit in terms of how we expose them. Would be good to collect information on how Windows does client-side auth and then also do the same for macOS.


forderud commented Oct 24, 2022

I've recently worked a bit on Windows client-side auth and published some sample code on https://github.com/forderud/WindowsClientAuth . The C# WebClient.cs and C++ CertAccess.hpp sources give a fairly simple introduction to how to load certificates and use them for client authentication on Windows. My wish for writing similar code also in Python was what triggered this request.
