This repository was archived by the owner on May 7, 2025. It is now read-only.
I'm interested in performing mutual TLS (mTLS)-based client authentication with CNG-stored private keys. The private keys will be stored in a Trusted Platform Module (TPM) for hardware-enforced non-exportability.
It's nice to see that this project can be used to access certificates in the Windows certificate store based on thumbprint with openssl storeutl -certs -out cert.pem cert:/CurrentUser/My/<thumbprint>. The corresponding openssl storeutl -keys -out cert.key cert:/CurrentUser/My/<thumbprint> seems to give an opaque NCrypt handle instead of the actual private key. This is kind of expected since the private key is non-exportable. However, I still don't really understand how to use it for crypto purposes like an mTLS handshake.
I've already tried using the public key & opaque NCrypt handle for mTLS authentication with openssl s_client -connect localhost:443 -cert cert.pem -key cert.key -state -debug, but then encounter an "unable to load client certificate private key file" error. I guess the reason is that s_client isn't extended with awareness of the opaque NCrypt handle format(?)
Is there any support for using the opaque NCrypt handle to perform an mTLS handshake, either in this repo or associated OpenSSL repo(s)?
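The handle model the question runs into is how every hardware-backed key is consumed in a TLS handshake: the TLS stack never receives private key bytes, it only asks the handle for the public key and, once, for a signature over the CertificateVerify transcript digest. In OpenSSL 3 terms that role is played by a provider-backed EVP_PKEY loaded by store URI rather than by a key file, which is why feeding the exported handle to -key as if it were PEM fails. The following Go program is an added illustration of the pattern, not code from this repository or from OpenSSL: it wraps a key behind a crypto.Signer (OpaqueSigner and HandshakeMTLS are names chosen here) and runs a full mutual TLS 1.3 handshake over loopback in which the client certificate's key is only ever reachable through that signer. The in-memory ECDSA key inside the signer is a constructed stand-in for an NCrypt/TPM handle so the example runs offline; a CNG-backed signer would hold the NCrypt handle and perform the signature inside the hardware boundary.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"sync/atomic"
	"time"
)

// OpaqueSigner stands in for a non-exportable key handle (NCrypt or TPM-resident).
// The TLS stack only calls Public() and Sign(); it never sees key material.
// Constructed for this example: the "handle" wraps an in-memory ECDSA key so the
// program runs offline. A CNG-backed version would hold the NCrypt key handle and
// have the hardware produce the signature in Sign.
type OpaqueSigner struct {
	handle *ecdsa.PrivateKey // stand-in for the hardware key handle
	Calls  atomic.Int32      // number of signatures the handle has produced
}

func (s *OpaqueSigner) Public() crypto.PublicKey { return &s.handle.PublicKey }

// Sign receives only the already-hashed digest; this is the one operation a
// non-exportable key must perform on the TLS stack's behalf.
func (s *OpaqueSigner) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	s.Calls.Add(1)
	return ecdsa.SignASN1(r, s.handle, digest)
}

// selfSigned issues a throwaway self-signed certificate for cn using any
// crypto.Signer, so an opaque handle can certify its own public key too.
func selfSigned(cn string, key crypto.Signer) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HandshakeMTLS runs a mutual TLS 1.3 handshake over loopback in which the client
// authenticates with a certificate whose private key sits behind an OpaqueSigner.
// It returns how many signatures the handle served during the handshake: exactly
// one, for the CertificateVerify message the server's client-auth demand forces.
func HandshakeMTLS() (int32, error) {
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return 0, err
	}
	srvCert, err := selfSigned("localhost", srvKey)
	if err != nil {
		return 0, err
	}
	cliKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed stand-in for the TPM key
	if err != nil {
		return 0, err
	}
	handle := &OpaqueSigner{handle: cliKey}
	cliCert, err := selfSigned("mtls-client", handle)
	if err != nil {
		return 0, err
	}
	handle.Calls.Store(0) // drop the self-signing call; count only the handshake

	srvPool, cliPool := x509.NewCertPool(), x509.NewCertPool()
	srvPool.AddCert(srvCert)
	cliPool.AddCert(cliCert)

	srvCfg := &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // mTLS: the server insists on a client cert
		ClientCAs:    cliPool,
	}
	cliCfg := &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: handle}},
		RootCAs:      srvPool,
		ServerName:   "localhost",
	}

	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return 0, err
	}
	defer ln.Close()

	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer conn.Close() // sends close_notify, which ends the client's ReadAll
		tc := conn.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			srvErr <- err
			return
		}
		// Echo the authenticated client identity taken from the verified cert.
		_, err = fmt.Fprintf(tc, "hello %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
		srvErr <- err
	}()

	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	reply, err := io.ReadAll(conn)
	if err != nil {
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	if string(reply) != "hello mtls-client" {
		return 0, errors.New("unexpected server reply: " + string(reply))
	}
	return handle.Calls.Load(), nil
}

func main() {
	n, err := HandshakeMTLS()
	if err != nil {
		fmt.Println("handshake failed:", err)
		return
	}
	fmt.Printf("mTLS handshake OK; opaque handle signed %d time(s)\n", n)
}
```

The design point is that nothing on the client side ever needs the private key as a file: the certificate is ordinary PEM/DER, and the key is an object that answers signing requests, which is the same division of labour a CNG provider has to offer OpenSSL's TLS stack for s_client to work with a non-exportable key.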