Allow SSL client certificate private key verification to be delegated to a HSM

Ideas
#1

when using client certificates (mutual TLS) in python you need to create a SSL context:

context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
context.load_cert_chain(certfile=certificate_file, keyfile=key_file)

Currently, python requires that the private key be provided in the form of a file, which may or may not be password protected. When developing for IOT devices, this is not ideal as the private key needs to be stored on the file system. Ideally, we would be able to make use of a HSM that keeps the private key securely stored within it and then have python/openssl delegate the private key verification to the HSM, which securely verifies a private key without ever exposing it.

Openssl supports this through the use of engines, which are often provided by the HSM manufacturer. For example, the zymkey for raspberry pi ( ZYMKEY 4i, Security Module for Raspberry Pi – zymbit) allows you to use the “zymkey_ssl” engine ( AWS IoT - TLS Client Certificate Authentication using Zymkey 4i - ZYMKEY4 / Other - Zymbit Community

As far as i’m aware, the python layer does not support this functionality.

#2

No, it’s not possible at the moment.

You can load and configure an ENGINE with an OpenSSL config file. That’s is already possible by setting OPENSSL_CONF env var. But you also have to configure the context to use the engine. Python’s ssl module does not allow you to set a client cert engine with SSL_CTX_set_client_cert_engine(). I created an issue for the feature a while ago, Issue 28695: Add SSL_CTX_set_client_cert_engine - Python tracker

1 Like
#3

That’s a shame! Would it be difficult to do?

#4

It’s not terribly complicated to implement.

I need to come up with a good API and a approach to verify the API in CI.

The CI part is hardest and most complex step. For Linux there are OpenSC libp11 with openssl-pkcs11 engine, p11-kit, and SoftHSM2 from OpenDNSSEC. OpenSSL comes with a CAPI engine for Windows’ crypt32 API. All solutions are tricky to set up and maintain.

#5

I for one would really like to see this but I understand it is probably not very high on the list of priorities, especially if it is difficult to maintain. Let me know if there is any way I can help. Implementing this would be beyond my experience but I am happy to test if that is of use.