Support mutual TLS using a certificate from a Windows cert store (#232)

Add the ability to use a client certificate located in a Windows certificate store. Previously, the client certificate and private key had to be passed by filepath or file contents. With this change, certificates and keys stored on TPM devices can be used.

Add new `windows_cert_connect` sample to show this in action.

Author: graebm

docs/assets/js/search.json

@@ -106,6 +106,7 @@ <h3>Methods</h3>
 								<li class="tsd-kind-method tsd-parent-kind-class tsd-is-static"><a href="aws_iot.awsiotmqttconnectionconfigbuilder.html#new_mtls_builder" class="tsd-kind-icon">new_<wbr>mtls_<wbr>builder</a></li>
 								<li class="tsd-kind-method tsd-parent-kind-class tsd-is-static"><a href="aws_iot.awsiotmqttconnectionconfigbuilder.html#new_mtls_builder_from_path" class="tsd-kind-icon">new_<wbr>mtls_<wbr>builder_<wbr>from_<wbr>path</a></li>
 								<li class="tsd-kind-method tsd-parent-kind-class tsd-is-static"><a href="aws_iot.awsiotmqttconnectionconfigbuilder.html#new_mtls_pkcs11_builder" class="tsd-kind-icon">new_<wbr>mtls_<wbr>pkcs11_<wbr>builder</a></li>
+								<li class="tsd-kind-method tsd-parent-kind-class tsd-is-static"><a href="aws_iot.awsiotmqttconnectionconfigbuilder.html#new_mtls_windows_cert_store_path_builder" class="tsd-kind-icon">new_<wbr>mtls_<wbr>windows_<wbr>cert_<wbr>store_<wbr>path_<wbr>builder</a></li>
 								<li class="tsd-kind-method tsd-parent-kind-class tsd-is-static"><a href="aws_iot.awsiotmqttconnectionconfigbuilder.html#new_websocket_builder" class="tsd-kind-icon">new_<wbr>websocket_<wbr>builder</a></li>
 								<li class="tsd-kind-method tsd-parent-kind-class tsd-is-static"><a href="aws_iot.awsiotmqttconnectionconfigbuilder.html#new_with_websockets" class="tsd-kind-icon">new_<wbr>with_<wbr>websockets</a></li>
 							</ul>
@@ -654,6 +655,37 @@ <h4 class="tsd-returns-title">Returns <a href="aws_iot.awsiotmqttconnectionconfi
 						</li>
 					</ul>
 				</section>
+				<section class="tsd-panel tsd-member tsd-kind-method tsd-parent-kind-class tsd-is-static">
+					<a name="new_mtls_windows_cert_store_path_builder" class="tsd-anchor"></a>
+					<h3><span class="tsd-flag ts-flagStatic">Static</span> new_<wbr>mtls_<wbr>windows_<wbr>cert_<wbr>store_<wbr>path_<wbr>builder</h3>
+					<ul class="tsd-signatures tsd-kind-method tsd-parent-kind-class tsd-is-static">
+						<li class="tsd-signature tsd-kind-icon">new_<wbr>mtls_<wbr>windows_<wbr>cert_<wbr>store_<wbr>path_<wbr>builder<span class="tsd-signature-symbol">(</span>certificate_path<span class="tsd-signature-symbol">: </span><span class="tsd-signature-type">string</span><span class="tsd-signature-symbol">)</span><span class="tsd-signature-symbol">: </span><a href="aws_iot.awsiotmqttconnectionconfigbuilder.html" class="tsd-signature-type">AwsIotMqttConnectionConfigBuilder</a></li>
+					</ul>
+					<ul class="tsd-descriptions">
+						<li class="tsd-description">
+							<aside class="tsd-sources">
+							</aside>
+							<div class="tsd-comment tsd-typography">
+								<div class="lead">
+									<p>Create a new builder with mTLS using a certificate in a Windows certificate store.</p>
+								</div>
+								<p>NOTE: This configuration only works on Windows devices.</p>
+							</div>
+							<h4 class="tsd-parameters-title">Parameters</h4>
+							<ul class="tsd-parameters">
+								<li>
+									<h5>certificate_path: <span class="tsd-signature-type">string</span></h5>
+									<div class="tsd-comment tsd-typography">
+										<p>Path to certificate in a Windows certificate store.
+											The path must use backslashes and end with the certificate&#39;s thumbprint.
+										Example: <code>CurrentUser\MY\A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6</code></p>
+									</div>
+								</li>
+							</ul>
+							<h4 class="tsd-returns-title">Returns <a href="aws_iot.awsiotmqttconnectionconfigbuilder.html" class="tsd-signature-type">AwsIotMqttConnectionConfigBuilder</a></h4>
+						</li>
+					</ul>
+				</section>
 				<section class="tsd-panel tsd-member tsd-kind-method tsd-parent-kind-class tsd-is-static">
 					<a name="new_websocket_builder" class="tsd-anchor"></a>
 					<h3><span class="tsd-flag ts-flagStatic">Static</span> new_<wbr>websocket_<wbr>builder</h3>
@@ -794,6 +826,9 @@ <h4 class="tsd-returns-title">Returns <a href="aws_iot.awsiotmqttconnectionconfi
 							<li class=" tsd-kind-method tsd-parent-kind-class tsd-is-static">
 								<a href="aws_iot.awsiotmqttconnectionconfigbuilder.html#new_mtls_pkcs11_builder" class="tsd-kind-icon">new_<wbr>mtls_<wbr>pkcs11_<wbr>builder</a>
 							</li>
+							<li class=" tsd-kind-method tsd-parent-kind-class tsd-is-static">
+								<a href="aws_iot.awsiotmqttconnectionconfigbuilder.html#new_mtls_windows_cert_store_path_builder" class="tsd-kind-icon">new_<wbr>mtls_<wbr>windows_<wbr>cert_<wbr>store_<wbr>path_<wbr>builder</a>
+							</li>
 							<li class=" tsd-kind-method tsd-parent-kind-class tsd-is-static">
 								<a href="aws_iot.awsiotmqttconnectionconfigbuilder.html#new_websocket_builder" class="tsd-kind-icon">new_<wbr>websocket_<wbr>builder</a>
 							</li>

docs/classes/aws_iot.awsiotmqttconnectionconfigbuilder.html

@@ -107,6 +107,7 @@ <h3>Properties</h3>
 								<li class="tsd-kind-property tsd-parent-kind-class"><a href="io.tlscontextoptions.html#private_key" class="tsd-kind-icon">private_<wbr>key</a></li>
 								<li class="tsd-kind-property tsd-parent-kind-class"><a href="io.tlscontextoptions.html#private_key_filepath" class="tsd-kind-icon">private_<wbr>key_<wbr>filepath</a></li>
 								<li class="tsd-kind-property tsd-parent-kind-class"><a href="io.tlscontextoptions.html#verify_peer" class="tsd-kind-icon">verify_<wbr>peer</a></li>
+								<li class="tsd-kind-property tsd-parent-kind-class"><a href="io.tlscontextoptions.html#windows_cert_store_path" class="tsd-kind-icon">windows_<wbr>cert_<wbr>store_<wbr>path</a></li>
 							</ul>
 						</section>
 						<section class="tsd-index-section ">
@@ -119,6 +120,7 @@ <h3>Methods</h3>
 								<li class="tsd-kind-method tsd-parent-kind-class tsd-is-static"><a href="io.tlscontextoptions.html#create_client_with_mtls_pkcs11" class="tsd-kind-icon">create_<wbr>client_<wbr>with_<wbr>mtls_<wbr>pkcs11</a></li>
 								<li class="tsd-kind-method tsd-parent-kind-class tsd-is-static"><a href="io.tlscontextoptions.html#create_client_with_mtls_pkcs12_from_path" class="tsd-kind-icon">create_<wbr>client_<wbr>with_<wbr>mtls_<wbr>pkcs12_<wbr>from_<wbr>path</a></li>
 								<li class="tsd-kind-method tsd-parent-kind-class tsd-is-static"><a href="io.tlscontextoptions.html#create_client_with_mtls_pkcs_from_path" class="tsd-kind-icon">create_<wbr>client_<wbr>with_<wbr>mtls_<wbr>pkcs_<wbr>from_<wbr>path</a></li>
+								<li class="tsd-kind-method tsd-parent-kind-class tsd-is-static"><a href="io.tlscontextoptions.html#create_client_with_mtls_windows_cert_store_path" class="tsd-kind-icon">create_<wbr>client_<wbr>with_<wbr>mtls_<wbr>windows_<wbr>cert_<wbr>store_<wbr>path</a></li>
 								<li class="tsd-kind-method tsd-parent-kind-class tsd-is-static"><a href="io.tlscontextoptions.html#create_server_with_mtls_from_path" class="tsd-kind-icon">create_<wbr>server_<wbr>with_<wbr>mtls_<wbr>from_<wbr>path</a></li>
 								<li class="tsd-kind-method tsd-parent-kind-class tsd-is-static"><a href="io.tlscontextoptions.html#create_server_with_mtls_pkcs_from_path" class="tsd-kind-icon">create_<wbr>server_<wbr>with_<wbr>mtls_<wbr>pkcs_<wbr>from_<wbr>path</a></li>
 							</ul>
@@ -381,6 +383,18 @@ <h3>verify_<wbr>peer</h3>
 						set this to true.</p>
 					</div>
 				</section>
+				<section class="tsd-panel tsd-member tsd-kind-property tsd-parent-kind-class">
+					<a name="windows_cert_store_path" class="tsd-anchor"></a>
+					<h3><span class="tsd-flag ts-flagOptional">Optional</span> windows_<wbr>cert_<wbr>store_<wbr>path</h3>
+					<div class="tsd-signature tsd-kind-icon">windows_<wbr>cert_<wbr>store_<wbr>path<span class="tsd-signature-symbol">:</span> <span class="tsd-signature-type">undefined</span><span class="tsd-signature-symbol"> | </span><span class="tsd-signature-type">string</span></div>
+					<aside class="tsd-sources">
+					</aside>
+					<div class="tsd-comment tsd-typography">
+						<div class="lead">
+							<p>Path to certificate in a Windows cert store. Windows only.</p>
+						</div>
+					</div>
+				</section>
 			</section>
 			<section class="tsd-panel-group tsd-member-group ">
 				<h2>Methods</h2>
@@ -616,6 +630,38 @@ <h4 class="tsd-returns-title">Returns <a href="io.tlscontextoptions.html" class=
 						</li>
 					</ul>
 				</section>
+				<section class="tsd-panel tsd-member tsd-kind-method tsd-parent-kind-class tsd-is-static">
+					<a name="create_client_with_mtls_windows_cert_store_path" class="tsd-anchor"></a>
+					<h3><span class="tsd-flag ts-flagStatic">Static</span> create_<wbr>client_<wbr>with_<wbr>mtls_<wbr>windows_<wbr>cert_<wbr>store_<wbr>path</h3>
+					<ul class="tsd-signatures tsd-kind-method tsd-parent-kind-class tsd-is-static">
+						<li class="tsd-signature tsd-kind-icon">create_<wbr>client_<wbr>with_<wbr>mtls_<wbr>windows_<wbr>cert_<wbr>store_<wbr>path<span class="tsd-signature-symbol">(</span>certificate_path<span class="tsd-signature-symbol">: </span><span class="tsd-signature-type">string</span><span class="tsd-signature-symbol">)</span><span class="tsd-signature-symbol">: </span><a href="io.tlscontextoptions.html" class="tsd-signature-type">TlsContextOptions</a></li>
+					</ul>
+					<ul class="tsd-descriptions">
+						<li class="tsd-description">
+							<aside class="tsd-sources">
+							</aside>
+							<div class="tsd-comment tsd-typography">
+								<div class="lead">
+									<p>Create options configured for mutual TLS in client mode,
+									using a certificate in a Windows certificate store.</p>
+								</div>
+								<p>NOTE: Windows only.</p>
+							</div>
+							<h4 class="tsd-parameters-title">Parameters</h4>
+							<ul class="tsd-parameters">
+								<li>
+									<h5>certificate_path: <span class="tsd-signature-type">string</span></h5>
+									<div class="tsd-comment tsd-typography">
+										<p>Path to certificate in a Windows certificate store.
+											The path must use backslashes and end with the certificate&#39;s thumbprint.
+										Example: <code>CurrentUser\MY\A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6</code></p>
+									</div>
+								</li>
+							</ul>
+							<h4 class="tsd-returns-title">Returns <a href="io.tlscontextoptions.html" class="tsd-signature-type">TlsContextOptions</a></h4>
+						</li>
+					</ul>
+				</section>
 				<section class="tsd-panel tsd-member tsd-kind-method tsd-parent-kind-class tsd-is-static">
 					<a name="create_server_with_mtls_from_path" class="tsd-anchor"></a>
 					<h3><span class="tsd-flag ts-flagStatic">Static</span> create_<wbr>server_<wbr>with_<wbr>mtls_<wbr>from_<wbr>path</h3>
@@ -806,6 +852,9 @@ <h4 class="tsd-returns-title">Returns <a href="io.tlscontextoptions.html" class=
 							<li class=" tsd-kind-property tsd-parent-kind-class">
 								<a href="io.tlscontextoptions.html#verify_peer" class="tsd-kind-icon">verify_<wbr>peer</a>
 							</li>
+							<li class=" tsd-kind-property tsd-parent-kind-class">
+								<a href="io.tlscontextoptions.html#windows_cert_store_path" class="tsd-kind-icon">windows_<wbr>cert_<wbr>store_<wbr>path</a>
+							</li>
 							<li class=" tsd-kind-method tsd-parent-kind-class">
 								<a href="io.tlscontextoptions.html#override_default_trust_store" class="tsd-kind-icon">override_<wbr>default_<wbr>trust_<wbr>store</a>
 							</li>
@@ -827,6 +876,9 @@ <h4 class="tsd-returns-title">Returns <a href="io.tlscontextoptions.html" class=
 							<li class=" tsd-kind-method tsd-parent-kind-class tsd-is-static">
 								<a href="io.tlscontextoptions.html#create_client_with_mtls_pkcs_from_path" class="tsd-kind-icon">create_<wbr>client_<wbr>with_<wbr>mtls_<wbr>pkcs_<wbr>from_<wbr>path</a>
 							</li>
+							<li class=" tsd-kind-method tsd-parent-kind-class tsd-is-static">
+								<a href="io.tlscontextoptions.html#create_client_with_mtls_windows_cert_store_path" class="tsd-kind-icon">create_<wbr>client_<wbr>with_<wbr>mtls_<wbr>windows_<wbr>cert_<wbr>store_<wbr>path</a>
+							</li>
 							<li class=" tsd-kind-method tsd-parent-kind-class tsd-is-static">
 								<a href="io.tlscontextoptions.html#create_server_with_mtls_from_path" class="tsd-kind-icon">create_<wbr>server_<wbr>with_<wbr>mtls_<wbr>from_<wbr>path</a>
 							</li>

docs/classes/io.tlscontextoptions.html

@@ -31,6 +31,6 @@
     "typescript": "^3.9.7"
   },
   "dependencies": {
-    "aws-crt": "1.11.3"
+    "aws-crt": "1.12.0"
   }
 }

package-lock.json

@@ -2,12 +2,13 @@
 
 * [pub_sub](#nodepub_sub)
 * [pub_sub_js](#nodepub_sub_js)
-* [basic_connect](#basic_connect)
-* [websocket_connect](#websocket_connect)
-* [pkcs11_connect](#websocket_pkcs11)
+* [basic_connect](#nodebasic_connect)
+* [websocket_connect](#nodewebsocket_connect)
+* [pkcs11_connect](#nodepkcs11_connect)
+* [windows_cert_connect](#nodewindows_cert_connect)
 * [shadow](#nodeshadow)
 * [fleet provisioning](#fleet-provisioning)
-* [basic discovery](#nodebasic_discovery)
+* [basic discovery](#greengrass-discovery-basic-discovery)
 
 ## Note
 
@@ -28,7 +29,7 @@ To:
     }
 ```
 
-## Node/Pub_sub
+## Node/pub_sub
 
 This sample uses the
 [Message Broker](https://docs.aws.amazon.com/iot/latest/developerguide/iot-message-broker.html)
@@ -101,7 +102,7 @@ npm install
 node index.js --endpoint <endpoint> --ca_file <file> --cert <file> --key <file>
 ```
 
-## Node/Basic_Connect
+## Node/basic_connect
 
 This sample creates a basic MQTT connection using a certificate and key file.
 On startup, the device connects and then disconnects from the AWS server. This
@@ -139,7 +140,7 @@ and receive.
 </pre>
 </details>
 
-## Node/Websocket_Connect
+## Node/websocket_connect
 
 This sample creates a basic MQTT connection using websockets.
 On startup, the device connects and then disconnects from the AWS server. This
@@ -177,7 +178,7 @@ and receive.
 </pre>
 </details>
 
-## Node/Pkcs11_Connect
+## Node/pkcs11_connect
 
 This sample is similar to the basic connect sample, but the private key for mutual TLS is stored on
 a PKCS#11 compatible smart card or hardware security module (HSM).
@@ -270,6 +271,70 @@ and receive.
 </pre>
 </details>
 
+## Node/windows_cert_connect
+
+WARNING: Windows only
+
+This sample is similar to the basic connect sample, but your certificate and private key are in a
+[Windows certificate store](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/certificate-stores),
+rather than simply being files on disk.
+
+To run this sample you need the path to your certificate in the store,
+which will look something like:
+"CurrentUser\My\A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6"
+(where "CurrentUser\My" is the store and "A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6" is the certificate's thumbprint)
+
+If your certificate and private key are in a
+[TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/trusted-platform-module-overview),
+you would use them by passing their certificate store path.
+
+source: `samples/node/windows_cert_connect`
+
+To run this sample with a basic certificate from AWS IoT Core:
+
+1)  Create an IoT Thing with a certificate and key if you haven't already.
+
+2)  Combine the certificate and private key into a single .pfx file.
+
+    You will be prompted for a password while creating this file. Remember it for the next step.
+
+    If you have OpenSSL installed:
+    ```powershell
+    openssl pkcs12 -in certificate.pem.crt -inkey private.pem.key -out certificate.pfx
+    ```
+
+    Otherwise use [CertUtil](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil).
+    ```powershell
+    certutil -mergePFX certificate.pem.crt,private.pem.key certificate.pfx
+    ```
+
+3)  Add the .pfx file to a Windows certificate store using PowerShell's
+    [Import-PfxCertificate](https://docs.microsoft.com/en-us/powershell/module/pki/import-pfxcertificate)
+
+    In this example we're adding it to "CurrentUser\My"
+
+    ```powershell
+    $mypwd = Get-Credential -UserName 'Enter password below' -Message 'Enter password below'
+    Import-PfxCertificate -FilePath certificate.pfx -CertStoreLocation Cert:\CurrentUser\My -Password $mypwd.Password
+    ```
+
+    Note the certificate thumbprint that is printed out:
+    ```
+    Thumbprint                                Subject
+    ----------                                -------
+    A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6  CN=AWS IoT Certificate
+    ```
+
+    So this certificate's path would be: "CurrentUser\My\A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6"
+
+4) Now you can run the sample:
+
+    ```
+    npm install
+    node dist\index.js --endpoint xxxx-ats.iot.xxxx.amazonaws.com --ca_file AmazonRootCA1.pem --cert CurrentUser\My\A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6
+    ```
+
+
 ## Node/shadow
 
 This sample uses the AWS IoT