
Is there a way to make HTTP requests over mTLS with private keys stored in Google Cloud Key Management Service?

In this blog post what we need is done in Go. Is it possible to achieve the same in Python? I was hoping that the Tink library provides some ready-made solution, but I can't find one.

Fedor
  • The closest thing in the Google documentation that I found so far is: Using mutual TLS to obtain short-lived credentials (https://cloud.google.com/solutions/using-mutual-tls-to-obtain-short-lived-credentials) and Preparing an application for Anthos Service Mesh (https://cloud.google.com/service-mesh/docs/prepare-app-for-asm). It would appear, so far, that translating the code in the link you have provided would be your best option. – Derek Fender Jun 12 '20 at 18:03

1 Answer


After diving into the topic I've made the following "discoveries":

  • All Python HTTP clients seem to rely on OpenSSL
  • OpenSSL has an engine interface, which allows offloading the cryptographic functions to a 3rd party (an HSM or something like Google Cloud KMS)
  • With pyOpenSSL it's fairly easy to create an SSL context for urlopen which would use a custom OpenSSL engine. Here is an example: https://github.com/pyca/pyopenssl/issues/203#issuecomment-454900850
  • I wasn't able to find a ready-made OpenSSL engine with Google Cloud KMS support

So this seems solvable but requires some effort.

At the same time I found that Amazon provides a ready-made OpenSSL engine for their AWS CloudHSM, so it should be fairly easy to use for mTLS in Python. But CloudHSM prices are quite high (which is understandable given the custom hardware). I also found this Rust implementation of an OpenSSL engine for AWS KMS, which looks great. And perhaps it's also possible to rework it for Google Cloud KMS... But we may end up switching to AWS KMS or CloudHSM.

Although this is not a very complete answer, I hope it will help others facing the issue.

Fedor
  • Hey there, have you come to a more solid solution for this? I appear to be stuck on the same FIPS3 / HSM requirement. – Ben Coughlan Apr 15 '21 at 10:10
  • @BenCoughlan we've got mTLS working in Python with CloudHSM using the ready-made OpenSSL engine. Played a bit with the Rust OpenSSL engine I mentioned, but decided not to spend time on building our own OpenSSL engine for Google Cloud KMS. – Fedor Apr 15 '21 at 12:38
  • Oh cool! Thanks for your reply. Er, is there a GitHub page that better describes how to do this? – Ben Coughlan Apr 16 '21 at 09:29
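The engine route the answer describes (pyOpenSSL context, private key obtained from an OpenSSL ENGINE, HTTP on top), written out as an added example that is not code from the question, the answer, or the linked pyOpenSSL issue. The engine id "pkcs11" and the key id "pkcs11:object=mtls-client;type=private" are placeholders for whatever engine fronts your HSM or KMS; the code relies on pyOpenSSL private attributes (PKey._pkey, PKey._only_public, PKey._initialized) and on the ENGINE_* cffi bindings that 2020-era cryptography releases exposed, and it checks for both rather than assuming them. Without an engine present it reports why the key could not be loaded instead of falling back to a file key, which is the failure mode you want when the whole point is that the key must never be in process memory.

```python
"""Added example (not from the question or answer): an mTLS client whose
private key is held by an OpenSSL ENGINE and signs inside it, wired through
pyOpenSSL so the key bytes never enter the Python process.

Hypothetical names: engine id "pkcs11" and key id
"pkcs11:object=mtls-client;type=private" are placeholders. The code relies on
pyOpenSSL private attributes and on cryptography's ENGINE_* cffi bindings
(present in 2020-era releases); both are probed for, not assumed.
"""
from typing import Optional, Tuple

ENGINE_FUNCS = ("ENGINE_load_builtin_engines", "ENGINE_by_id", "ENGINE_init",
                "ENGINE_finish", "ENGINE_free", "ENGINE_load_private_key")


def load_engine_key(engine_id: str, key_id: str) -> Tuple[Optional[object], str]:
    """Return (PKey, "") on success or (None, reason). The PKey is only a handle:
    every signature is produced by the engine, so this suits HSM/KMS-held keys."""
    try:
        from OpenSSL import crypto
        from OpenSSL._util import ffi, lib
    except ImportError:
        return None, "pyOpenSSL is not installed"
    if not all(hasattr(lib, name) for name in ENGINE_FUNCS):
        return None, "this cryptography build does not expose the ENGINE_* bindings"

    lib.ENGINE_load_builtin_engines()          # also registers the 'dynamic' loader
    engine = lib.ENGINE_by_id(engine_id.encode())
    if engine == ffi.NULL:
        return None, f"engine {engine_id!r} not found (engines dir or openssl.cnf?)"
    if lib.ENGINE_init(engine) != 1:           # functional reference: opens the HSM session
        lib.ENGINE_free(engine)
        return None, f"engine {engine_id!r} failed to initialise"
    # UI_METHOD and callback data are NULL: the PIN/credentials must come from
    # the engine's own configuration, never from an interactive prompt.
    raw = lib.ENGINE_load_private_key(engine, key_id.encode(), ffi.NULL, ffi.NULL)
    if raw == ffi.NULL:
        lib.ENGINE_finish(engine)
        lib.ENGINE_free(engine)
        return None, f"engine {engine_id!r} has no private key {key_id!r}"

    pkey = crypto.PKey.__new__(crypto.PKey)    # bypass __init__, which would mint a fresh key
    pkey._pkey = ffi.gc(raw, lib.EVP_PKEY_free)
    pkey._only_public = False
    pkey._initialized = True
    # The functional reference is deliberately kept open for the life of the
    # handle: ENGINE_finish/ENGINE_free here would tear down the session under it.
    return pkey, ""


def engine_client_context(cert_pem: str, ca_pem: str, engine_id: str, key_id: str):
    """pyOpenSSL client context for mTLS: our certificate from a PEM file, our
    private key from the engine, the server chain checked against ca_pem."""
    pkey, reason = load_engine_key(engine_id, key_id)
    if pkey is None:
        raise RuntimeError(reason)             # no silent fallback to a file key
    from OpenSSL import SSL                    # names below need pyOpenSSL >= 20 (assumption)
    ctx = SSL.Context(SSL.TLS_CLIENT_METHOD)
    ctx.set_min_proto_version(SSL.TLS1_2_VERSION)
    ctx.use_certificate_file(cert_pem)
    ctx.use_privatekey(pkey)                   # SSL_CTX_use_PrivateKey with the engine-backed EVP_PKEY
    ctx.check_privatekey()                     # fail now, not mid-handshake, if cert and key disagree
    ctx.load_verify_locations(ca_pem)
    ctx.set_verify(SSL.VERIFY_PEER, lambda conn, cert, errno, depth, ok: bool(ok))
    return ctx


def https_get(ctx, host: str, path: str = "/", port: int = 443, timeout: float = 10.0) -> bytes:
    """One HTTP/1.1 GET over the context, enough to prove the mTLS handshake
    completes with the engine producing the client signature. Hostname matching
    is NOT done here (pyOpenSSL checks the chain only); use urllib3's
    contrib.pyopenssl wrapper for a real client."""
    import socket
    from OpenSSL import SSL
    conn = SSL.Connection(ctx, socket.create_connection((host, port), timeout=timeout))
    conn.set_tlsext_host_name(host.encode())  # SNI
    conn.set_connect_state()
    conn.do_handshake()                        # CertificateVerify is signed inside the engine
    conn.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
    chunks = []
    while True:
        try:
            data = conn.recv(65536)
        except SSL.ZeroReturnError:            # clean close_notify from the server
            break
        if not data:
            break
        chunks.append(data)
    conn.close()
    return b"".join(chunks)


if __name__ == "__main__":
    ctx = engine_client_context("client.pem", "ca.pem", "pkcs11",
                                "pkcs11:object=mtls-client;type=private")
    print(https_get(ctx, "mtls.example.internal").split(b"\r\n", 1)[0])
```

Two caveats a practitioner will hit. First, cryptography's binary wheels statically link their own OpenSSL, so an engine shared object loaded through the `dynamic` engine must match that copy's ABI and engines directory, not the system OpenSSL's; installing cryptography from source against the system OpenSSL (the one the engine was built for) avoids the mismatch. Second, OpenSSL 3 deprecates the ENGINE API in favour of providers, so a vendor engine written for 1.1 is a dependency with a horizon.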