Use of Windows certificate store for authentication#900
Use of Windows certificate store for authentication#900JacobBarthelmeh wants to merge 7 commits into
Conversation
bd1396d to
ca912b0
Compare
There was a problem hiding this comment.
Pull request overview
This PR adds Windows Certificate Store integration to wolfSSH so host keys and client authentication keys can be sourced from the Windows cert store (including CI coverage on Windows).
Changes:
- Add a Windows-only API to load a private key by locating a certificate in the Windows Certificate Store, and use CNG to sign during SSH handshakes/auth.
- Extend cert manager plumbing and wolfsshd configuration to support system/user CA loading and cert-store-based host keys.
- Update Windows build projects and add a GitHub Actions workflow to exercise file-vs-store interop permutations.
Reviewed changes
Copilot reviewed 22 out of 22 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| wolfssh/test.h | Prefer wolfCrypt Base16 when available; otherwise keep local Base16 decode helper. |
| wolfssh/ssh.h | Add wolfSSH_CTX_UsePrivateKey_fromStore() Windows-only public API. |
| wolfssh/internal.h | Add CTX private-key metadata for cert-store backed keys and internal helper prototypes. |
| wolfssh/certman.h | Expose cert-manager setter and Windows cert-store spec parser API. |
| src/ssh.c | Implement loading a CTX private key from the Windows Certificate Store. |
| src/internal.c | Add cert-store signing path (CNG) and cert-derived RSA public-key extraction for KEX/auth flows. |
| src/certman.c | Implement wolfSSH_SetCertManager() and wolfSSH_ParseCertStoreSpec(). |
| ide/winvs/wolfsshd/wolfsshd.vcxproj | Link against crypt32/ncrypt for cert-store features. |
| ide/winvs/wolfssh/wolfssh.vcxproj | Link against crypt32/ncrypt for cert-store features. |
| ide/winvs/wolfsftp-client/wolfsftp-client.vcxproj | Link against crypt32/ncrypt for cert-store features. |
| ide/winvs/unit-test/unit-test.vcxproj | Link against crypt32/ncrypt for cert-store features; normalize XML header. |
| ide/winvs/echoserver/echoserver.vcxproj | Link against crypt32/ncrypt for cert-store features. |
| ide/winvs/client/client.vcxproj | Link against crypt32/ncrypt for cert-store features. |
| ide/winvs/api-test/api-test.vcxproj | Link against crypt32/ncrypt for cert-store features; normalize XML header. |
| examples/sftpclient/sftpclient.c | Add -W store:subject:flags support for client key from Windows cert store. |
| examples/echoserver/echoserver.c | Add -W support for server host key from Windows cert store; skip key-file root search when using store. |
| examples/client/common.h | Declare helper functions for cert-store key loading/auth setup. |
| examples/client/common.c | Implement cert-store key loading wrapper + auth globals setup for x509v3 publickey auth. |
| apps/wolfsshd/wolfsshd.c | Add host-key-from-store support and optional system/user CA store loading into wolfSSH cert manager. |
| apps/wolfsshd/configuration.h | Add config getters for host-key store and Windows user-CA store options. |
| apps/wolfsshd/configuration.c | Add parsing/storage for new config directives and defaults. |
| .github/workflows/windows-cert-store-test.yml | Add Windows CI workflow to validate store/file combinations. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 21 out of 22 changed files in this pull request and generated 5 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
66c8726 to
b545c32
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 22 out of 23 changed files in this pull request and generated 9 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
b545c32 to
de28863
Compare
add Windows cert store test case add windows build link with ncrypt for cert store use make windows cert feature default disabled and simplify macro guard
de28863 to
6b8a1ca
Compare
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #900
Scan targets checked: wolfssh-bugs, wolfssh-src
Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #900
Scan targets checked: wolfssh-bugs, wolfssh-src
Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
No description provided.