Currently, Python requires that the private key be provided in the form of a file, which may or may not be password protected. When developing for IoT devices, this is not ideal, as the private key needs to be stored on the file system. Ideally, we would be able to make use of an HSM that keeps the private key securely stored within it and then have Python/OpenSSL delegate the private key verification to the HSM, which securely verifies a private key without ever exposing it.
You can load and configure an ENGINE with an OpenSSL config file. That's already possible by setting the OPENSSL_CONF env var. But you also have to configure the context to use the engine. Python's ssl module does not allow you to set a client cert engine with SSL_CTX_set_client_cert_engine(). I created an issue for the feature a while ago: Issue 28695: Add SSL_CTX_set_client_cert_engine (Python tracker)
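As an added illustration (not part of this thread), this is the kind of OpenSSL config file that the OPENSSL_CONF mechanism above loads to make a PKCS#11 engine available to every OpenSSL-based process; the `dynamic_path` and `MODULE_PATH` values are assumptions for a Debian/Ubuntu layout with libp11 and SoftHSM2 and must be adjusted to the local install.

```ini
# Assumed example openssl.cnf for OPENSSL_CONF=/path/to/this/file
# (paths are assumptions; check the engines dir and module location locally)
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
# Engine id that applications/`openssl engine pkcs11` refer to
engine_id = pkcs11
# libp11's OpenSSL engine shared object (assumed path)
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
# PKCS#11 module the engine talks to; SoftHSM2 here for CI, a real HSM in production
MODULE_PATH = /usr/lib/softhsm/libsofthsm2.so
# Defer engine initialisation until it is first used
init = 0
```

With this file in place the engine is loaded into libcrypto, but, as noted above, Python's ssl module still reads the client key from a file rather than asking the engine for it.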
I need to come up with a good API and an approach to verify the API in CI.
The CI part is the hardest and most complex step. For Linux there are OpenSC libp11 with the openssl-pkcs11 engine, p11-kit, and SoftHSM2 from OpenDNSSEC. OpenSSL comes with a CAPI engine for Windows' crypt32 API. All solutions are tricky to set up and maintain.
I for one would really like to see this but I understand it is probably not very high on the list of priorities, especially if it is difficult to maintain. Let me know if there is any way I can help. Implementing this would be beyond my experience but I am happy to test if that is of use.