Client authentication on Windows?
I am currently using Python for performing client authentication on Windows as part of an HTTP request with code like this:

```python
import http.client, ssl

hostname = "server.example"  # placeholder: the server to authenticate against

# load clientAuth cert (with private key) from file
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
context.load_default_certs()
context.load_cert_chain(certfile="MyClientCert.pem")

# submit HTTP request
conn = http.client.HTTPSConnection(hostname, port=443, context=context)
conn.request('GET', '/')

# print response
r = conn.getresponse()
print(r.status, r.reason)
```
This works fine but has the downside of requiring the client certificate (including private key) to be provided through a PEM file. I would like to avoid this and instead use a certificate directly from the Windows certificate store, so that the private key can be stored non-exportable in the TPM chip for improved security.
Is it possible to use this library for client authentication on Windows?
Desired pseudocode
This is roughly the type of code that I want to write to enable TPM-based client authentication:

```python
import socket, ssl, truststore

# Load clientAuth cert named "MyClientCert" from "CurrentUser/My" store
ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ctx.load_cert_chain("MyClientCert", "My", StoreLocation.CurrentUser)

# Connect and initiate TLS handshake with client auth.
sock = socket.create_connection((hostname, 443))
sock = ctx.wrap_socket(sock, server_hostname=hostname)
...
```
This will then utilize the following certificate from the Windows certificate store:
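As an added illustration (not code from the issue or the truststore project): a check on the PEM bundle that the first snippet hands to `load_cert_chain`, flagging a private key that sits unencrypted on disk, which is the exposure the Windows-store approach is meant to remove. The function names and the sample PEM are constructed for this example.

```python
import re
import ssl

# One PEM block; the END label must repeat the BEGIN label.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

# Constructed sample: a cert plus an unencrypted PKCS#8 key (bodies are dummies).
SAMPLE_PLAINTEXT_PEM = (
    "-----BEGIN CERTIFICATE-----\nMIIBdummy\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nMIIEdummy\n-----END PRIVATE KEY-----\n"
)


def inspect_client_pem(pem_text: str) -> dict:
    """Count certificates and report whether the private key is encrypted.
    Recognises PKCS#8 'ENCRYPTED PRIVATE KEY' blocks and legacy OpenSSL
    blocks carrying a 'Proc-Type: 4,ENCRYPTED' header."""
    certs, keys = 0, []
    for m in _PEM_BLOCK.finditer(pem_text):
        label, body = m.group("label"), m.group("body")
        if label == "CERTIFICATE":
            certs += 1
        elif label.endswith("PRIVATE KEY"):
            keys.append(label == "ENCRYPTED PRIVATE KEY"
                        or "Proc-Type: 4,ENCRYPTED" in body)
    return {"certs": certs, "has_key": bool(keys),
            "key_encrypted": bool(keys) and all(keys)}


def build_client_context(certfile, password=None, require_encrypted_key=True):
    """Same context setup as the issue's snippet, but refuse a bundle whose
    private key is stored in the clear unless the caller opts out.
    `password` (str, bytes or callable) is forwarded to load_cert_chain."""
    with open(certfile, encoding="ascii") as f:
        report = inspect_client_pem(f.read())
    if not report["has_key"]:
        raise ValueError(f"{certfile}: no private key block found")
    if require_encrypted_key and not report["key_encrypted"]:
        raise ValueError(f"{certfile}: private key is not encrypted at rest")
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.load_default_certs()
    context.load_cert_chain(certfile=certfile, password=password)
    return context


if __name__ == "__main__":
    print(inspect_client_pem(SAMPLE_PLAINTEXT_PEM))
```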
I would love to integrate with OS-specific APIs for their trust stores, but we'd be blazing our own trail a little bit in terms of how we expose them. Would be good to collect information on how Windows does client-side auth and then also do the same for macOS.
I've recently worked a bit on Windows client-side auth and published some sample code on https://github.com/forderud/WindowsClientAuth . The C# WebClient.cs and C++ CertAccess.hpp sources give a fairly simple introduction to how to load certificates and use them for client authentication on Windows. My wish for writing similar code also in Python was what triggered this request.