Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(samples): add local generation for crypto keys #98

Merged
merged 4 commits into from Aug 3, 2021

Conversation

FrodoTheTrue
Copy link
Contributor

@FrodoTheTrue FrodoTheTrue commented Aug 3, 2021

Thank you for opening a Pull Request! Before submitting your PR, there are a few things you can do to make sure it goes smoothly:

  • Make sure to open an issue as a bug/issue before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
  • Ensure the tests and linter pass
  • Code coverage does not decrease (if any source code was changed)
  • Appropriate docs were updated (if necessary)

Fixes #<issue_number_goes_here> 馃

@product-auto-label product-auto-label bot added the api: security-privateca Issues related to the googleapis/python-security-private-ca API. label Aug 3, 2021
@google-cla google-cla bot added the cla: yes This human has signed the Contributor License Agreement. label Aug 3, 2021
@product-auto-label product-auto-label bot added the samples Issues that are directly related to samples. label Aug 3, 2021
@busunkim96 busunkim96 self-requested a review Aug 3, 2021
# To sign and issue a certificate, a public key is essential. Here, we are making use
# of Cloud KMS to retrieve an already created public key. For more info, see: https://cloud.google.com/kms/docs/retrieve-public-key.
# Generating keys locally is also possible.
# The public key used to sign the certificate can be generated using any crypto library/framework.
Copy link
Collaborator

@busunkim96 busunkim96 Aug 3, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it reasonable to expect that customers looking at this customer will already have a public key and/or know of a good way to generate one?

If not, or if there are best practices you'd like to show it may be worth pulling the key generation code up into the sample.

Showing that it's possible to use Cloud KMS to create a key also seems valuable to me - maybe you could keep the KMS sample link in the comments?

Copy link
Contributor Author

@FrodoTheTrue FrodoTheTrue Aug 3, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I returned comment about Cloud KMS way.

The reasons why we prefer to generate keys locally:

Keys stored in Cloud KMS are not directly exportable, so the only way a customer can use them is by calling the AsymmetricSign/Verify and Encrypt/Decrypt APIs on those keys
however, this suffers from two problems:

  • most applications that need to use the certificate/key don't support accessing the key like this, but instead require direct access to the key on the filesystem.
  • even if they did support that, this would likely introduce too much latency and limit the throughput, so there aren't many scenarios where this would be useful

Leaf certificate keys are almost always generated directly on the machine that will be using them, and never sent anywhere else.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
api: security-privateca Issues related to the googleapis/python-security-private-ca API. cla: yes This human has signed the Contributor License Agreement. samples Issues that are directly related to samples.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants