After diving into the topic I've made the following "discoveries":
- All Python HTTP clients seem to rely on OpenSSL
- OpenSSL has an engine interface, which allows offloading the cryptographic functions to a third party (an HSM or something like Google Cloud KMS)
- With pyOpenSSL it's fairly easy to create an SSL context for `urlopen`, which would use a custom OpenSSL engine. Here is an example: https://github.com/pyca/pyopenssl/issues/203#issuecomment-454900850
- I wasn't able to find a ready-made OpenSSL engine with Google Cloud KMS support
So this seems solvable but requires some effort.
At the same time I'm finding that Amazon provides a ready-made OpenSSL engine for their AWS CloudHSM, so it should be fairly easy to use for mTLS in Python. But CloudHSM prices are quite high (which is understandable due to the custom hardware). Also I found this Rust implementation of an OpenSSL engine for AWS KMS, which looks great. And perhaps it's also possible to rework it for Google Cloud KMS... But we may end up switching to AWS KMS or CloudHSM.
Although this is not a very complete answer, I hope it will help others facing the issue.