Client-server authentication using certificates – C++

  authentication, c++, client-certificates, cpprest-sdk, rest

I’m very new to authentication. I have been trying to read stuff for the past week or so, but it’s all pretty overwhelming. I have a client in C++ and server in .NET. Client communicates with server using REST (cpprestsdk). As of today, this is how I’m communicating:

    client::http_client_config config;

    auto func = [&](const client::native_handle handle)
    {
        DWORD tlsprotocol{ WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 };
        WinHttpSetOption(handle,
                         WINHTTP_OPTION_SECURE_PROTOCOLS,
                         &tlsprotocol,
                         sizeof(tlsprotocol)))
    };

    config.set_nativesessionhandle_options(func);

    auto response = client::http_client(uri, config).request(methods::GET, params).get();

I need to add an authentication layer using client certificates which is validated on the server. I have been having a hard time figuring it out, but this is what I have after doing some reading:

    client::http_client_config config;

    auto func = [&](const client::native_handle handle)
    {
        PCCERT_CONTEXT pccertContext = getCertificateContext();

        WinHttpSetOption(handle,
                         WINHTTP_OPTION_CLIENT_CERT_CONTEXT,
                         (LPVOID)pccertContext,
                         sizeof(CERT_CONTEXT));
    };

    config.set_nativehandle_options(func);

    auto response = client::http_client(uri, config).request(methods::GET, params).get();

I have a few questions:

  1. With this approach, I lose the ability to make a TLS 1.2 connection and rely on whatever default is configured for the platform (which I hope is TLS 1.2). Is there a way to keep the TLS 1.2 AND send the client certificate?
  2. The most important question – will this work? This is my idea of how the server will perform validation:
    X509Certificate2 cert = Request.GetClientCertificate();
    CertUtility.validate(cert); // Some utility function to validate based on subject name, CA, etc

Does this look reasonable? If not, what am I missing? Highly appreciate your help here!

Source: Windows Questions C++

LEAVE A COMMENT