Unable to use company internal issued certificate in windows certificate store when performing TLS

xiananfan · March 10, 2022, 12:28am

Hi,

I am trying to use K6 to load test our an internal service, that is using a company internally created certificate authority issued certificates. The certificate is stored inside the local machine’s windows certificate store, and it does not allow the export of the private key out.

Using K6 without specifying the “tlsAuth” section inside the “options” will lead to call failure error: “Internal error while receiving credentials” (this error is sent by our server). It seems that K6 won’t able to take the private key out of the windows certificate store.

Even though we don’t have the clear text private key, we do have a private key id file (the thumbprint of the cert, something like this: “engine:e_ncrypt:machine:my:AAAAAABBBBBBCCCCCCDDDDDDEEEEEEFFFFFFGGGG” (the thumbprint is replaced), and access to the PEM file of the public cert. Based on my co-worker, the certificate can be accessed via OpenSSL ncrypt engine (OpenSSL commands with the engine(s) — OpenSSL CNG Engine documentation)

It seems K6 only supports specifying the clear text private key, this is considered insecure to store the private key in clear text. So my questions are:

Is it possible to add support to access windows certificate store giving the private key id and the public cert in pem format?
Is this something can be added via K6 extensions (Go or Javascript)? Or due to authentication is a core functionality of K6, that it can only be added by modifying K6 code base directly?

Thanks a lot!

mstoykov · March 10, 2022, 2:12pm

Hi @xiananfan, welcome to the community forum.

I have basically no idea how " local machine’s windows certificate store" works but it’s likely that it isn’t supported.

As for password protected keys- this also isn’t :(. It has been asked about before but nobody has opened an issue.

All in all I do think tlsAuth is pretty badly designed, and we will need this feature to be implemented in order for this to be more reasonable.

For your particular case maybe a smaller fix can be made to tlsauth so please open an issue (or two separate ones).

mstoykov · March 10, 2022, 2:14pm

I don’t think that is possible or at least it will be really hackish like editing lib.State which likely will be broken in a future update in some way

xiananfan · March 10, 2022, 10:47pm

Hi @mstoykov ,

Thank you for your reply, I will try to create 2 issues: 1. supporting using “passphrase” protected private key 2. for windows platform, add support to access private key from windows certificate store with the id of the private key, so no cleartext private key is needed.

There seems to a be a golang library from google that is doing windows cert store access: just for reference: https://github.com/google/certtostore/blob/master/certtostore_windows.go

Created the following 2 issues:

github.com/grafana/k6

TLS Auth support providing a passphrase for protected private key

opened 11:27PM - 10 Mar 22 UTC

closed 06:34AM - 26 Apr 22 UTC

xiananfan

help wanted good first issue feature

### Feature Description K6 currently only supports providing cleartext public k…ey and private key for TLS Authentication. This is usually considered insecure in a production system. ``` tlsAuth: [ { domains: ['example.com'], cert: open('./mycert.pem'), key: open('./mycert-key.pem'), }, ], ``` Please consider adding an additional field, like "passphrase" in the setting, so the private key is not a cleartext pem file. Then the passphrase can be retrieved from a secret store later on during test runs. So the security can be increased. Something like below: ``` tlsAuth: [ { domains: ['example.com'], cert: open('./mycert.pem'), key: open('./mycert-key.pem'), passphrase: 'SecretPassword' }, ], ``` ### Suggested Solution (optional) _No response_ ### Already existing or connected issues / PRs (optional) _No response_

github.com/grafana/k6

TLS Auth supports accessing windows certificate store for the private key with the id of the private key

opened 10:58PM - 10 Mar 22 UTC

xiananfan

help wanted feature evaluation needed

### Feature Description Currently, the TLS Auth section of the Options inside t…he javascript only supports clear text private key. This is generally considered insecure in a production environment. ``` tlsAuth: [ { domains: ['example.com'], cert: open('./mycert.pem'), key: open('./mycert-key.pem'), }, ] ``` For the Windows platform, usually, the certificate is installed into the windows local certificate store. I would like to request that K6 supports accessing the Windows certificate store for accessing the private key instead of providing a cleartext private key. For example, something like below: ``` tlsAuth: [ { domains: ['example.com'], cert: open('./mycert.pem'), keyid: 'LocalMachine/My/1cdb52270cde175e62e876551bcd56b21bad84c4', }, ], ``` On a Windows machine, this Powershell command can be used to list all the certs installed in the local machine's certificate store: ```Get-ChildItem -path cert:\LocalMachine\My``` And the thumbprint string from above output for a specific cert would be the string to use in the configuration. A library I have found online implemented in GO seems to have this functionality already: https://github.com/google/certtostore/blob/master/certtostore_windows.go ### Suggested Solution (optional) _No response_ ### Already existing or connected issues / PRs (optional) _No response_

Thanks!