Question: how do I use PrivateKey?
Closed this issue · 7 comments
I am trying to satisfy the Rustls::ServerConfig builder pattern.
Using the CertStore, I am able to extract the cert that I need with a specific fingerprint, but how do I actually utilize the private key to satisfy fn set_single_cert()?
let server_opt = find_cert(&rest_fingerprint);
let cert_context = match server_opt {
Some(context) => context,
None => {
return Err(format!{"cert not found {}", rest_fingerprint});
}
};
let cert_friendly = cert_context.friendly_name().unwrap_or("<unknown>".to_string());
let mut sc = ServerConfig::new(NoClientAuth::new());
loop {
let cert = match cert_context.to_pem() {
Ok(pem) => rustls::Certificate(pem.into_bytes()),
Err(e) => {
warn!{"unable to convert {} to pem. error {:?}", &cert_friendly, e};
break;
}
};
let der = cert_context.to_der();
let pkey = match cert_context.private_key().acquire() {
Ok(key) => key,
Err(e) => {
error!("unable to acquire private key for cert {}, error {:?}", &cert_friendly, e);
break;
}
};
let key = match pkey {
PrivateKey::NcryptKey(key) => key,
PrivateKey::CryptProv(_prov) => {
error!("unable to acquire private key for cert {}", &cert_friendly);
break;
}
};
warn!{"private key found for {:?}", cert};
// the following doesn't work, I believe that I need to somehow use key above
let private_key = rustls::PrivateKey(der.to_vec());
match sc.set_single_cert(vec!{cert}, private_key) {
Ok(()) => {
}
Err(e) => {
error!{"couldn't set cert {}, error {:?}", &cert_friendly, e};
}
}
break;
}
I believe what you want to do is not possible at the moment, except through a very bumpy detour via an in-memory certificate store and export_pkcs12.
Also keep in mind that if you're selecting certificates from the windows certificate store,
they might be stored as not exportable, which would make any such approach fail
(.acquire would throw an error).
Thanks @steffengy.
The issue is sharing certs between a legacy Windows application using Crypto APIs and my Rust application.
It does look like PFXExportCertStoreEx() would probably work if the cert is created as exportable.
After a bit more work, it seems the best approach is to generate the certs and then import them into the Windows Store, so I can have direct access to the private key file from Rust. I have tested this using a python script / openssl to create the certs, they can be shared correctly in that case.
FYI: I have abandoned trying to use rustls, at least for now, in favor of the more complicated openssl crate to provide more flexibility. My concern with rustls is that it hasn't undergone any security audit (AFAIK), while with openssl, they provide mozilla_intermediate() as a way to use an accepted set of ciphers with TLS 1.2 and TLS 1.3.
Hi. I was just considering of changing from rust openssl to rustls because I do not want to have the pem files laying around any more.
schannel-rs provides a certificate context and an ncryptkey when read from windows store.
I haven't found a way though, importing these to the rust openssl SslAcceptorBuilder.
How do you use them in openssl?
After four years, this is still an issue; importing a certificate with its key from windows store to some tls communication.
@VassilisM
If you just need the public key you can take a look at how e.g. https://github.com/rustls/rustls-native-certs/blob/main/src/windows.rs does it.
If not and talking ncrypt handle specifically, you should be able to get e.g. NCryptExportKey to export into a format you like on the underlying handle - if talking about certificates marked exportable in store at all.
In general such an use isnt recommended, as essentially you're losing all the additional security the certificate store in the first place can provide to protect private keys (vs using schannel bindings insteadof rustls/openssl).
I will check it out, thank you. --> UPDATE: Yes, I had seen this. I couldn't find out how to use the store and this helped. This provides no keys though.
NcryptKey handle is very difficult to... handle. No idea how to.
It is customer requirement, I have read that it is not that secure. But isn't is better than having the certificate and private key files laying around where the application files are?
I have tried locally with an imported pfx certificate created from those files with non-exportable key (trying to export it back, the private key is grayed out).
The "CertContext::private_key().acquire()" does not throw an error. Instead I get a NcryptKey back. Also mysterious.
Btw, is there a way to get the Thumbprint from the context? :-D
Tiny bit more secure. Cert-store, openssl using native cert store or hardware module is always better.
You'll want the underlying handle through NcryptKey::as_ptr() then likely run a NcryptExportKey.
In general the windows representations arent really 1:1 to openssl side, so need a few steps of conversion.
Some examples illustrating some of the ways that can be used to do so:
https://stackoverflow.com/questions/69909118/how-to-export-rsa-keys-generated-from-cng-api
https://stackoverflow.com/questions/59313462/how-to-convert-cng-key-to-openssl-evp-pkey-and-vice-versa/59345986#59345986
https://github.com/netxms/netxms/blob/e8872bebd9823411a174ee9d176e740201026c30/src/agent/core/cng_engine.cpp#L170
You'll still need to construct the key and feed to SslAcceptorBuilder::set_private_key on openssl-(wrapper = crate) side.
=> Not recommending this as you can see this isnt easy and likely will break, e.g. if switching from RSA to ECDSA certs.
Thanks again. I will check these out tomorrow.
UPDATE:
These are deep into cryptography. I am not an expert.
I found a solution using the rustls-cng!