Support mutual TLS using a certificate from a Windows cert store (#408)

Add the ability to use a client certificate located in a Windows certificate store. Previously, the client certificate and private key had to be passed by filepath or file contents. With this change, certificates and keys stored on TPM devices can be used.

Add new `windows_cert_pub_sub` sample to show this in action.

Author: graebm

.builder/actions/build_samples.py

@@ -20,6 +20,7 @@ def run(self, env):
             'samples/mqtt/basic_pub_sub',
             'samples/mqtt/pkcs11_pub_sub',
             'samples/mqtt/raw_pub_sub',
+            'samples/mqtt/windows_cert_pub_sub',
             'samples/shadow/shadow_sync',
             'samples/greengrass/basic_discovery',
             'samples/identity/fleet_provisioning',

crt/aws-crt-cpp

@@ -2,6 +2,7 @@
 
 * [Basic MQTT Pub-Sub](#basic-mqtt-pub-sub)
 * [PKCS#11 MQTT Pub-Sub](#pkcs11-mqtt-pub-sub)
+* [Windows Certificate MQTT Pub-Sub](#windows-certificate-mqtt-pub-sub)
 * [Raw MQTT Pub-Sub](#raw-mqtt-pub-sub)
 * [Fleet provisioning](#fleet-provisioning)
 * [Shadow](#shadow)
@@ -121,7 +122,7 @@ but the private key for mutual TLS is stored on a PKCS#11 compatible smart card
 
 WARNING: Unix only. Currently, TLS integration with PKCS#11 is only available on Unix devices.
 
-source: `samples/mqtt/pkcs11_pub_sub/main/cpp`
+source: `samples/mqtt/pkcs11_pub_sub/main.cpp`
 
 To run this sample using [SoftHSM2](https://www.opendnssec.org/softhsm/) as the PKCS#11 device:
 
@@ -144,9 +145,9 @@ To run this sample using [SoftHSM2](https://www.opendnssec.org/softhsm/) as the
 
     If this spits out an error message, create a config file:
     *   Default location: `~/.config/softhsm2/softhsm2.conf`
-    *   This file must specify token dir, default value is:
+    *   This file must specify a valid token directory:
         ```
-        directories.tokendir = /usr/local/var/lib/softhsm/tokens/
+        directories.tokendir = /path/for/my/softhsm/tokens/
         ```
 
 4)  Create token and import private key.
@@ -167,6 +168,68 @@ To run this sample using [SoftHSM2](https://www.opendnssec.org/softhsm/) as the
     ./pkcs11-pub-sub --endpoint <xxxx-ats.iot.xxxx.amazonaws.com> --ca_file <AmazonRootCA.pem> --cert <certificate.pem.crt> --pkcs11_lib <libsofthsm2.so> --pin <user-pin> --token_label <token-label> --key_label <key-label>
     ```
 
+## Windows Certificate MQTT Pub-Sub
+
+WARNING: Windows only
+
+This sample is similar to the [Basic Pub-Sub](#basic-mqtt-pub-sub),
+but your certificate and private key are in a
+[Windows certificate store](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/certificate-stores),
+rather than simply being files on disk.
+
+To run this sample you need the path to your certificate in the store,
+which will look something like:
+"CurrentUser\MY\A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6"
+(where "CurrentUser\MY" is the store and "A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6" is the certificate's thumbprint)
+
+If your certificate and private key are in a
+[TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/trusted-platform-module-overview),
+you would use them by passing their certificate store path.
+
+source: `samples/mqtt/windows_cert_pub_sub/main.cpp`
+
+To run this sample with a basic certificate from AWS IoT Core:
+
+1)  Create an IoT Thing with a certificate and key if you haven't already.
+
+2)  Combine the certificate and private key into a single .pfx file.
+
+    You will be prompted for a password while creating this file. Remember it for the next step.
+
+    If you have OpenSSL installed:
+    ```powershell
+    openssl pkcs12 -in certificate.pem.crt -inkey private.pem.key -out certificate.pfx
+    ```
+
+    Otherwise use [CertUtil](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil).
+    ```powershell
+    certutil -mergePFX certificate.pem.crt,private.pem.key certificate.pfx
+    ```
+
+3)  Add the .pfx file to a Windows certificate store using PowerShell's
+    [Import-PfxCertificate](https://docs.microsoft.com/en-us/powershell/module/pki/import-pfxcertificate)
+
+    In this example we're adding it to "CurrentUser\MY"
+
+    ```powershell
+    $mypwd = Get-Credential -UserName 'Enter password below' -Message 'Enter password below'
+    Import-PfxCertificate -FilePath certificate.pfx -CertStoreLocation Cert:\CurrentUser\MY -Password $mypwd.Password
+    ```
+
+    Note the certificate thumbprint that is printed out:
+    ```
+    Thumbprint                                Subject
+    ----------                                -------
+    A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6  CN=AWS IoT Certificate
+    ```
+
+    So this certificate's path would be: "CurrentUser\MY\A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6"
+
+4) Now you can run the sample:
+
+    ```
+    .\windows-cert-pub-sub.exe --endpoint xxxx-ats.iot.xxxx.amazonaws.com --ca_file AmazonRootCA.pem --cert CurrentUser\My\A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6
+    ```
 
 ## Raw MQTT Pub-Sub
 

samples/README.md

@@ -0,0 +1,25 @@
+cmake_minimum_required(VERSION 3.1)
+# note: cxx-17 requires cmake 3.8, cxx-20 requires cmake 3.12
+project(windows-cert-pub-sub CXX)
+
+file(GLOB SRC_FILES
+       "*.cpp"
+       "../../utils/CommandLineUtils.cpp"
+       "../../utils/CommandLineUtils.h"
+)
+
+add_executable(${PROJECT_NAME} ${SRC_FILES})
+
+set_target_properties(${PROJECT_NAME} PROPERTIES
+    CXX_STANDARD 14)
+
+# set warnings
+if (MSVC)
+    target_compile_options(${PROJECT_NAME} PRIVATE /W4 /WX /wd4068)
+else ()
+    target_compile_options(${PROJECT_NAME} PRIVATE -Wall -Wno-long-long -pedantic -Werror)
+endif ()
+
+find_package(aws-crt-cpp REQUIRED)
+
+target_link_libraries(${PROJECT_NAME} PRIVATE AWS::aws-crt-cpp)