I'm very new to authentication. I have been trying to read stuff for the past week or so, but it's all pretty overwhelming. I have a client in C++ and server in .NET. Client communicates with server using REST (cpprestsdk). As of today, this is how I'm communicating:
    client::http_client_config config;
    // Runs once per WinHTTP session handle: restrict the session to TLS 1.2 only.
    auto func = [&](const client::native_handle handle)
    {
        DWORD tlsprotocol{ WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 };
        WinHttpSetOption(handle,
                         WINHTTP_OPTION_SECURE_PROTOCOLS,
                         &tlsprotocol,
                         sizeof(tlsprotocol));
    };
    config.set_nativesessionhandle_options(func);
    auto response = client::http_client(uri, config).request(methods::GET, params).get();
I need to add an authentication layer using client certificates which is validated on the server. I have been having a hard time figuring it out, but this is what I have after doing some reading:
    client::http_client_config config;
    // Runs once per WinHTTP request handle: attach the client certificate to the request.
    auto func = [&](const client::native_handle handle)
    {
        PCCERT_CONTEXT pccertContext = getCertificateContext(); // my own helper that loads the cert
        WinHttpSetOption(handle,
                         WINHTTP_OPTION_CLIENT_CERT_CONTEXT,
                         (LPVOID)pccertContext,
                         sizeof(CERT_CONTEXT));
    };
    config.set_nativehandle_options(func);
    auto response = client::http_client(uri, config).request(methods::GET, params).get();
I have a few questions:
- With this approach, I lose the ability to make a TLS 1.2 connection and rely on whatever default is configured for the platform (which I hope is TLS 1.2). Is there a way to keep TLS 1.2 AND send the client certificate?
- The most important question - will this work? This is my idea of how the server will perform validation:
    X509Certificate2 cert = Request.GetClientCertificate();
    CertUtility.validate(cert); // Some utility function to validate based on subject name, CA, etc.
Does this look reasonable? If not, what am I missing? Highly appreciate your help here!
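As an added example, not the poster's code: one way the server-side CertUtility.validate step could be written in .NET, building the chain with the Client Authentication EKU required, pinning it to the issuing CA, and checking the subject. It assumes the X509Chain API from System.Security.Cryptography.X509Certificates; the CA thumbprint and the expected CN are placeholders the deployment would fill in.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not the poster's code; thumbprint and expected CN are placeholders.
public static class CertUtility
{
    // SHA-1 thumbprint of the private CA that issues client certificates (placeholder).
    private const string IssuingCaThumbprint = "PLACEHOLDER_ISSUING_CA_THUMBPRINT";
    // Extended key usage OID for TLS client authentication.
    private const string ClientAuthEkuOid = "1.3.6.1.5.5.7.3.2";

    // True only if the certificate chains to our CA, is valid for client
    // authentication, is not revoked, and carries the expected subject CN.
    public static bool Validate(X509Certificate2 cert, string expectedCn, out string reason)
    {
        reason = null;
        if (cert == null) { reason = "no client certificate presented"; return false; }
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            // Require the Client Authentication EKU along the whole chain.
            chain.ChainPolicy.ApplicationPolicy.Add(new Oid(ClientAuthEkuOid));

            if (!chain.Build(cert))
            {
                reason = "chain validation failed: " + string.Join("; ",
                    chain.ChainStatus.Select(s => s.StatusInformation.Trim()));
                return false;
            }

            // Pin to our own CA (skip element 0, the leaf itself): a certificate from
            // any other trusted root must not be accepted.
            bool issuedByOurCa = chain.ChainElements.Cast<X509ChainElement>().Skip(1)
                .Any(e => string.Equals(e.Certificate.Thumbprint, IssuingCaThumbprint,
                                        StringComparison.OrdinalIgnoreCase));
            if (!issuedByOurCa) { reason = "certificate does not chain to the expected CA"; return false; }
        }

        // Bind the certificate to an identity: exact match on the subject CN.
        string cn = cert.GetNameInfo(X509NameType.SimpleName, false);
        if (!string.Equals(cn, expectedCn, StringComparison.Ordinal))
        { reason = "unexpected subject: " + cn; return false; }
        return true;
    }
}
```

The thumbprint pin means a CA rotation requires updating the server, which is the intended trade-off: a client certificate from any other root the machine happens to trust is rejected.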