osquery support client TLS certificates with `--tl...
# core
v
osquery supports client TLS certificates with `--tls_client_cert` and `--tls_client_key`. However, I do not want this sensitive information sitting as files on my device. Can we add a feature to pass these directly on the command line as base64-encoded strings? Something like `--tls_client_cert_base64` and `--tls_client_key_base64`? Or any other ideas on how to keep the TLS certificate secure?
s
It's taking a bit but I'm in the process of implementing Windows certificate store and macOS keychain access, as a custom OpenSSL provider.
v
Do you have an issue/branch for this?
s
No, not yet; it's been a while since there has been such movement and contributions (which I'm happy about)! I'll open something tomorrow. For the macOS part I still have to properly check all the APIs and see if it's possible to use the newer APIs that might not be affected by the keychain corruption issue. But in general the idea is that since we use boost beast to do HTTP requests, we are passing through OpenSSL, and so a custom provider (engines, in OpenSSL 1.x) can provide functionality for some selected functions (decided by your custom provider), like opening a store of certificates and looping over it, signing a message digest, verifying a message digest. In that way you write a custom provider that, for instance, on Windows uses the CNG API to access the certificate store, constructs a CA chain store, and finds a client certificate via its Thumbprint (which is the hash of the whole cert), with the private key staying safe in its storage.
I have something that works for Windows; currently supports RSA keys, but I have to properly integrate it in osquery, so that initialization happens when it should, and so that one can choose which method to use to pass certificates (filesystem or not)
v
Yes, macOS `/Library/Keychains/System.keychain` is accessible using non-deprecated API methods. What would be the osquery options for getting the certificates from the keychain? I imagine something like:

```
--tls_client_keychain=System // maybe not needed, can be hardcoded
--tls_client_cert_keychain_name
--tls_client_key_keychain_name
```
s
So, on Windows it's enough to pass the hash of the client certificate to obtain the associated private key
If that's possible also on macOS, the first way of selecting it would be that, so that one is sure that the hit is unique
v
So you're just storing the key, and certificate is still in the file system?
s
No, the cert is in the certificate store; the Windows API lets you retrieve a handle to the private key of that certificate, to be then used with other Windows APIs to sign and verify signatures.
The certificate in the certificate store is searched via its hash
v
So when admin puts the certificate and key into Windows certificate store, they need to save the hash so they can pass it to osquery?
s
Yes; the Thumbprint is also visible via UI in Windows
It's also something that's connected to that specific certificate, since it's its SHA1 hash, so once you have it, you have it.
It doesn't have to be the only method though.
v
Ok. I don't think mac has something like that. I think we find the cert/key by label. https://developer.apple.com/documentation/security/ksecattrlabel
s
so certificates in macOS have the Fingerprint which is the same thing
v
What if osquery user doesn't know the hash, and they want osquery to grab the cert/key from some default location in the security store or keychain?
s
Do you mean like having a custom keychain with a single certificate and private key in it, which is the client cert specifically for osquery? Here I was unsure how people normally do their setups, and that seems a bit specific, while the hash is more generic, and it's always obtainable.
v
I'd like to discuss this issue at today's office hours. For macOS, the most secure approach is to use the Apple APIs to sign the client certificate without having to extract the private key from the keychain. Can you point me to the doc where I can put this on the agenda?
s
The #C6PNW4528 channel will have the link to a hackmd to write our agenda in. Seph is creating those. That being said, that's what I want to do, which is the same thing that's being done on Windows.