Skip to content

Use of Windows certificate store for authentication#900

Open
JacobBarthelmeh wants to merge 7 commits into
wolfSSL:masterfrom
JacobBarthelmeh:winSysCerts
Open

Use of Windows certificate store for authentication#900
JacobBarthelmeh wants to merge 7 commits into
wolfSSL:masterfrom
JacobBarthelmeh:winSysCerts

Conversation

@JacobBarthelmeh

Copy link
Copy Markdown
Contributor

No description provided.

@JacobBarthelmeh JacobBarthelmeh self-assigned this Mar 25, 2026
Copilot AI review requested due to automatic review settings March 25, 2026 12:38

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds Windows Certificate Store integration to wolfSSH so host keys and client authentication keys can be sourced from the Windows cert store (including CI coverage on Windows).

Changes:

  • Add a Windows-only API to load a private key by locating a certificate in the Windows Certificate Store, and use CNG to sign during SSH handshakes/auth.
  • Extend cert manager plumbing and wolfsshd configuration to support system/user CA loading and cert-store-based host keys.
  • Update Windows build projects and add a GitHub Actions workflow to exercise file-vs-store interop permutations.

Reviewed changes

Copilot reviewed 22 out of 22 changed files in this pull request and generated 8 comments.

Show a summary per file
File Description
wolfssh/test.h Prefer wolfCrypt Base16 when available; otherwise keep local Base16 decode helper.
wolfssh/ssh.h Add wolfSSH_CTX_UsePrivateKey_fromStore() Windows-only public API.
wolfssh/internal.h Add CTX private-key metadata for cert-store backed keys and internal helper prototypes.
wolfssh/certman.h Expose cert-manager setter and Windows cert-store spec parser API.
src/ssh.c Implement loading a CTX private key from the Windows Certificate Store.
src/internal.c Add cert-store signing path (CNG) and cert-derived RSA public-key extraction for KEX/auth flows.
src/certman.c Implement wolfSSH_SetCertManager() and wolfSSH_ParseCertStoreSpec().
ide/winvs/wolfsshd/wolfsshd.vcxproj Link against crypt32/ncrypt for cert-store features.
ide/winvs/wolfssh/wolfssh.vcxproj Link against crypt32/ncrypt for cert-store features.
ide/winvs/wolfsftp-client/wolfsftp-client.vcxproj Link against crypt32/ncrypt for cert-store features.
ide/winvs/unit-test/unit-test.vcxproj Link against crypt32/ncrypt for cert-store features; normalize XML header.
ide/winvs/echoserver/echoserver.vcxproj Link against crypt32/ncrypt for cert-store features.
ide/winvs/client/client.vcxproj Link against crypt32/ncrypt for cert-store features.
ide/winvs/api-test/api-test.vcxproj Link against crypt32/ncrypt for cert-store features; normalize XML header.
examples/sftpclient/sftpclient.c Add -W store:subject:flags support for client key from Windows cert store.
examples/echoserver/echoserver.c Add -W support for server host key from Windows cert store; skip key-file root search when using store.
examples/client/common.h Declare helper functions for cert-store key loading/auth setup.
examples/client/common.c Implement cert-store key loading wrapper + auth globals setup for x509v3 publickey auth.
apps/wolfsshd/wolfsshd.c Add host-key-from-store support and optional system/user CA store loading into wolfSSH cert manager.
apps/wolfsshd/configuration.h Add config getters for host-key store and Windows user-CA store options.
apps/wolfsshd/configuration.c Add parsing/storage for new config directives and defaults.
.github/workflows/windows-cert-store-test.yml Add Windows CI workflow to validate store/file combinations.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/internal.c Outdated
Comment thread src/certman.c
Comment thread src/certman.c
Comment thread wolfssh/internal.h Outdated
Comment thread src/ssh.c Outdated
Comment thread src/ssh.c
Comment thread src/ssh.c
Comment thread src/internal.c
Copilot AI review requested due to automatic review settings April 14, 2026 03:24

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 21 out of 22 changed files in this pull request and generated 5 comments.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread wolfssh/certman.h
Comment thread src/ssh.c Outdated
Comment thread src/ssh.c
Comment thread apps/wolfsshd/wolfsshd.c
Comment thread apps/wolfsshd/configuration.c

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 22 out of 23 changed files in this pull request and generated 9 comments.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread wolfssh/ssh.h
Comment thread wolfssh/internal.h Outdated
Comment thread src/ssh.c
Comment thread src/internal.c Outdated
Comment thread src/internal.c Outdated
Comment thread apps/wolfsshd/wolfsshd.c Outdated
Comment thread configure.ac Outdated
Comment thread .github/workflows/windows-cert-store-test.yml
Comment thread src/internal.c
add Windows cert store test case

add windows build link with ncrypt for cert store use

make windows cert feature default disabled and simplify macro guard

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #900

Scan targets checked: wolfssh-bugs, wolfssh-src

Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 22 out of 23 changed files in this pull request and generated 8 comments.

Comment thread src/internal.c Outdated
Comment thread src/ssh.c
Comment thread src/ssh.c
Comment thread wolfssh/internal.h Outdated
Comment thread src/internal.c
Comment thread src/internal.c
Comment thread src/internal.c
Comment thread src/internal.c

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #900

Scan targets checked: wolfssh-bugs, wolfssh-src

Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

Comment thread src/ssh.c
@JacobBarthelmeh JacobBarthelmeh marked this pull request as ready for review July 2, 2026 22:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants