
Client certs #44

Open
davisagli opened this issue May 2, 2022 · 3 comments

Comments

@davisagli
Collaborator

@jacobian pointed out that it would be nice if truststore could also use client certs from the system trust store, particularly on devices that provide device identity by creating certs using a private key stored in a Trusted Platform Module. I suspect this may require actually using system APIs for encrypting the data stream and not just for cert validation though.

@bjvetter

Hopefully, client certificate support doesn't take as long nor end up in the same state as https://bugs.python.org/issue16487

@sethmlarson
Owner

@bjvetter Happy that you're interested in this feature. If you'd like to lend a hand doing research or creating an implementation we can help you get started. Remember that we and Python core developers are all volunteers so it's tough to provide timely updates given the demands of life.

Regarding the issue you linked, that doesn't have much to do with system trust stores but rather with being able to load certificates from bytes instead of a filesystem location. Is there something I'm missing there?

@bjvetter

bjvetter commented Aug 31, 2022

My link to that issue is that we have a need to store client TLS credentials somewhere, presumably safe. The current Python implementation is just a path to an unencrypted PEM file - hardly safe. One solution was to store the credential in a "vault" somewhere, then extract it when necessary into the process's memory and use it for a client credential - but that doesn't work as the underlying urllib3 requires a path to a file and not an in-memory "file"/buffer.

An alternative thought is: what if we could extract it to a "safer" store like the truststore of the server itself? The alias name is pretty much a "path", albeit a reference to a "pem"-like credential in the truststore and not an actual path to a file as in the current Python implementation.

If there is something specific I can help with here, I can probably find some time. I don't tool around inside the python internals much, but ...
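An added illustration of the constraint bjvetter describes above (example code, not part of the truststore project): because `ssl.SSLContext.load_cert_chain()` only accepts a filesystem path, a credential pulled from a vault into memory has to be written out before it can be used, and the helper below limits that exposure with a 0600 temp file that is unlinked even when loading fails. The function names, the `loader` callback and the placeholder PEM bytes are constructed for this example so the file handling can be exercised without a real certificate.

```python
import os
import ssl
import tempfile
from typing import Callable, Dict

# Constructed stand-in for bytes fetched from a vault; a real value would be a
# PEM containing the client certificate followed by its private key.
VAULT_PEM = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER\n-----END CERTIFICATE-----\n"


def materialise_credential(pem_bytes: bytes, loader: Callable[[str], None]) -> Dict[str, object]:
    """Write an in-memory PEM to a private temp file, hand its path to
    `loader`, then remove the file no matter what happened.

    Returns a report (constructed for this example) recording the path, the
    permission bits the file had while it existed, and whether it was removed.
    """
    # mkstemp opens with O_EXCL and, on POSIX, mode 0o600: the file cannot be
    # pre-planted by another local user and is unreadable by other accounts.
    fd, path = tempfile.mkstemp(prefix="client-cred-", suffix=".pem")
    report: Dict[str, object] = {"path": path, "mode": None, "removed": False}
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(pem_bytes)
            fh.flush()
            os.fsync(fh.fileno())
        report["mode"] = os.stat(path).st_mode & 0o777
        loader(path)
    finally:
        # Unlink even if the loader raised (bad PEM, wrong password, ...) so
        # the private key does not linger on disk.
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass
        report["removed"] = not os.path.exists(path)
    return report


def load_into_context(ctx: ssl.SSLContext, pem_bytes: bytes) -> Dict[str, object]:
    """Bridge a vault-held credential to the path-only stdlib API."""
    return materialise_credential(pem_bytes, lambda p: ctx.load_cert_chain(certfile=p))
```

The key still touches disk for the duration of the call, which is exactly the gap this thread is about; on Windows the mode bits from `mkstemp` do not translate into ACLs, so the 0600 guarantee only holds on POSIX systems.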
