Scenarios: 3
FFI Functions: ~20
Status: Planned
This category covers all scenarios for certificate-based authentication: mTLS client auth, smart card login, and SSO integration.
| ID | Scenario | Description | Complexity | Status |
|---|---|---|---|---|
| 9.1 | mTLS Client Auth | Client certificate for API access | * | Planned |
| 9.2 | Smart Card Login | PIV/PKCS#11 based login | | Planned |
| 9.3 | SSO Integration | SAML/OIDC with certificates | | Planned |

----

===== Authentication Architecture =====

<mermaid>
flowchart TB
    subgraph CLIENT["Client"]
        CERT[Client Certificate]
        KEY[Private Key]
    end
    subgraph AUTH["Authentication"]
        TLS[TLS Handshake]
        VERIFY[Verify Certificate]
        AUTHZ[Authorization]
    end
    subgraph ACCESS["Access"]
        API[API/Service]
        USER[User Context]
    end
    CLIENT --> TLS
    TLS --> VERIFY
    VERIFY --> AUTHZ
    AUTHZ --> ACCESS
    style VERIFY fill:#e3f2fd
    style AUTHZ fill:#e8f5e9
</mermaid>

----

===== Authentication Methods =====

^ Method ^ Description ^ Use Case ^
| mTLS | Mutual TLS with client certificate | API access, service-to-service |
| Smart Card | PIV/PKCS#11 card | Workstation login |
| FIDO2/WebAuthn | Hardware token | Web applications |
| Certificate-based SSO | SAML/OIDC with X.509 | Enterprise SSO |

----

===== mTLS Flow =====

<mermaid>
sequenceDiagram
    participant C as Client
    participant S as Server
    C->>S: ClientHello
    S->>C: ServerHello + ServerCert
    S->>C: CertificateRequest
    C->>S: ClientCert + CertificateVerify
    Note over S: Validate certificate
    S->>S: Check chain + revocation
    S->>C: Finished
    C->>S: API Request (authenticated)
</mermaid>

----

===== Industry-Specific Requirements =====

^ Industry ^ Method ^ Specifics ^
| Healthcare | Smart Card (eHBA) | gematik connector integration |
| Energy/SCADA | mTLS | Device identity, IEC 62351 |
| Automotive | Certificate (V2X) | Pseudonym certificates |
| Industry 4.0 | mTLS + OPC UA | Machine identity |
<code csharp>
using System.Net.Http;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

// Assumes ctx is an initialised library context and password holds the key passphrase.
// Load client certificate and key
var clientCert = ctx.LoadCertificate("client.crt.pem");
var clientKey = ctx.LoadPrivateKey("client.key.pem", password);

// Configure HttpClient with mTLS
var handler = new HttpClientHandler();
handler.ClientCertificates.Add(
    ctx.CreateX509Certificate2(clientCert, clientKey)
);
var httpClient = new HttpClient(handler);

// API call with client certificate
var response = await httpClient.GetAsync("https://api.example.com/secure/data");
</code>
<code csharp>
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Certificate;

// In ASP.NET Core Startup. Assumes ctx (library context) and trustStore are available.
services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
    .AddCertificate(options =>
    {
        // CertificateTypes.All also admits self-signed certificates, so the
        // trust-store check in OnCertificateValidated is the real gate.
        options.AllowedCertificateTypes = CertificateTypes.All;
        options.RevocationMode = X509RevocationMode.Online;
        options.Events = new CertificateAuthenticationEvents
        {
            OnCertificateValidated = context =>
            {
                // Additional PQ validation
                var cert = context.ClientCertificate;
                var isValid = ctx.ValidateCertificate(cert, trustStore);
                if (isValid)
                {
                    // Extract claims from certificate
                    var claims = new[]
                    {
                        new Claim(ClaimTypes.Name, cert.Subject),
                        new Claim("cert_thumbprint", cert.Thumbprint)
                    };
                    context.Principal = new ClaimsPrincipal(
                        new ClaimsIdentity(claims, context.Scheme.Name)
                    );
                    context.Success();
                }
                else
                {
                    // Without an explicit Fail() the handler still accepts the certificate.
                    context.Fail("Post-quantum certificate validation failed");
                }
                return Task.CompletedTask;
            }
        };
    });
</code>
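The server-side work that the handler above delegates to ctx.ValidateCertificate, and the "Check chain + revocation" step of the mTLS flow, as an added Go example that is not part of this page or the WvdS library: it builds the presented chain to a trusted root, requires the clientAuth EKU, consults a revocation set, and derives the user context from the verified leaf only. NewCert, Authenticate, UserContext and the serial-number revocation map are assumptions of this example; the test PKI it generates is constructed, throw-away material.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type UserContext struct{ Name, Thumbprint string } // what authorization sees after acceptance
// Authenticate is the server-side "Verify Certificate" step: chain to a root in trust, clientAuth EKU,
// not revoked. The revoked map (serial number -> true) is a constructed stand-in for a CRL/OCSP lookup.
func Authenticate(trust *x509.CertPool, presented []*x509.Certificate, revoked map[string]bool) (*UserContext, error) {
	if len(presented) == 0 {
		return nil, fmt.Errorf("no client certificate presented")
	}
	leaf, inter := presented[0], x509.NewCertPool()
	for _, c := range presented[1:] { // extra certificates sent by the client are untrusted intermediates
		inter.AddCert(c)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: trust, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return nil, err // unknown issuer, expired, wrong EKU, issuer not a CA, ...
	}
	if revoked[leaf.SerialNumber.String()] {
		return nil, fmt.Errorf("client certificate %s is revoked", leaf.SerialNumber)
	}
	sum := sha256.Sum256(leaf.Raw) // SHA-256 of the DER (.NET's Thumbprint property is SHA-1)
	return &UserContext{Name: leaf.Subject.CommonName, Thumbprint: fmt.Sprintf("%x", sum)}, nil
}
// NewCert issues a one-hour Ed25519 certificate for cn signed by parent/pk, or self-signed when
// parent is nil. Constructed throw-away test PKI so the example runs offline; not a real CA.
func NewCert(cn string, isCA bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, pk = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

A real deployment replaces the revoked map with the CRL or OCSP response for the issuing CA and keeps the leaf-derived claims as the only source of identity.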
| Category | Relationship |
|---|---|
| 3. Issuing Certificates | Create client certificates |
| 10. TLS/mTLS | TLS configuration |
| 5. Validation | Certificate validation |
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional