Tags: python, google-cloud-platform, urllib, google-cloud-kms, tink

Mutual TLS in Python using Google Cloud KMS


Is there a way to make HTTP requests over mTLS with private keys stored in Google Cloud Key Management Service?

In this blog post, what we need is done in Go. Is it possible to achieve the same in Python? I was hoping that the Tink library provides some ready-made solution, but I can't find one.


Solution

After diving into the topic I've made the following "discoveries":

  • All Python HTTP clients seem to rely on OpenSSL.
  • OpenSSL has an engine interface, which allows offloading the cryptographic functions to a third party (an HSM or something like Google Cloud KMS).
  • With pyOpenSSL it's fairly easy to create an SSL context for urlopen which would use a custom OpenSSL engine. Here is an example: https://github.com/pyca/pyopenssl/issues/203#issuecomment-454900850
  • I wasn't able to find a ready-made OpenSSL engine with Google Cloud KMS support.

So this seems solvable but requires some effort.

At the same time, I found that Amazon provides a ready-made OpenSSL engine for their AWS CloudHSM, so it should be fairly easy to use for mTLS in Python. But CloudHSM prices are quite high (which is understandable due to the custom hardware). I also found this Rust implementation of an OpenSSL engine for AWS KMS, which looks great. Perhaps it's also possible to rework it for Google Cloud KMS... But we may end up switching to AWS KMS or CloudHSM.

Although this is not a very complete answer, I hope it will help others facing this issue.