enterprise-certificate-proxy

module

v0.3.1 Latest Latest Go to latest Published: Sep 21, 2023 License: Apache-2.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/googleapis/enterprise-certificate-proxy

Links

Open Source Insights

README ¶

Google Proxies for Enterprise Certificates (GA)

Certificate-based-access

If you use certificate-based access to protect your Google Cloud resources, the end user device certificate is one of the credentials that is verified before access to a resource is granted. You can configure Google Cloud to use the device certificates in your operating system key store when verifying access to a resource from the gcloud CLI or Terraform by using the enterprise certificates feature.

Google Enterprise Certificate Proxies (ECP)

Google Enterprise Certificate Proxies (ECP) are part of the Google Cloud Zero Trust architecture that enables mutual authentication with client-side certificates. This repository contains a set of proxies/modules that can be used by clients or toolings to interact with certificates that are stored in protected key storage systems.

To interact the client certificates, application code should not need to use most of these proxies within this repository directly. Instead, the application should leverage the clients and toolings provided by Google such as Cloud SDK to have a more convenient developer experience.

Compatibility

The following platforms/keystores are supported by ECP:

MacOS: Keychain
Linux: PKCS#11
Windows: MY

User Guide

Before using ECP with your application/client, you should complete the policy configurations documented in Enable CBA for Enterprise Certificate. The remainder of this README focuses on client configuration.

Quick Start

Install gcloud CLI (Cloud SDK) at: https://cloud.google.com/sdk/docs/install. Install with the bundled python option enabled.
1. Note: gcloud version 416.0 or newer is required. Version 430.0 or newer is recommended.
For macOS and Linux, run the install.sh script after downloading it to complete installation.
```
$ ./google-cloud-sdk/install.sh
```

Install the ECP helper component:

$ gcloud components install enterprise-certificate-proxy

Initialize ECP certificate configuration:
- MacOS $ gcloud auth enterprise-certificate-config create macos --issuer=<CERT_ISSUER>
- Linux $ gcloud auth enterprise-certificate-config create linux --label=<CERT_LABEL> --module=<PKCS11_MODULE_PATH> --slot=<SLOT_ID>
- Windows $ gcloud auth enterprise-certificate-config create windows --issuer=<CERT_ISSUER> --provider=<PROVIDER> --store=<STORE>
Enable usage of client certificates through gcloud CLI config command:
```
$ gcloud config set context_aware/use_client_certificate true
```
You can now use gcloud to access CBA-protected GCP resources. For example:
```
$ gcloud pubsub topics list
```

Manual Certificate Configuration

ECP relies on the certificate_config.json file to read all the metadata information for locating the certificate. It is stored as a JSON file at the following location on the user's device:

Linux and MacOS: ~/.config/gcloud/certificate_config.json
Windows: %APPDATA%\gcloud\certificate_config.json

Below are example configurations:

MacOS (Keychain)

{
  "cert_configs": {
    "macos_keychain": {
      "issuer": "YOUR_CERT_ISSUER"
    }
  },
  "libs": {
      "ecp": "[GCLOUD-INSTALL-LOCATION]/google-cloud-sdk/bin/ecp",
      "ecp_client": "[GCLOUD-INSTALL-LOCATION]/google-cloud-sdk/platform/enterprise_cert/libecp.dylib",
      "tls_offload": "[GCLOUD-INSTALL-LOCATION]/google-cloud-sdk/platform/enterprise_cert/libtls_offload.dylib"
  },
  "version": 1
}

Windows (MyStore)

{
  "cert_configs": {
    "windows_store": {
      "store": "MY",
      "provider": "current_user",
      "issuer": "YOUR_CERT_ISSUER"
    }
  },
  "libs": {
      "ecp": "[GCLOUD-INSTALL-LOCATION]/google-cloud-sdk/bin/ecp.exe",
      "ecp_client": "[GCLOUD-INSTALL-LOCATION]/google-cloud-sdk/platform/enterprise_cert/libecp.dll",
      "tls_offload": "[GCLOUD-INSTALL-LOCATION]/google-cloud-sdk/platform/enterprise_cert/libtls_offload.dll"
  },
  "version": 1
}

Linux (PKCS#11)

{
  "cert_configs": {
    "pkcs11": {
      "label": "YOUR_TOKEN_LABEL",
      "user_pin": "YOUR_PIN",
      "slot": "YOUR_SLOT",
      "module": "The PKCS #11 module library file path"
    }
  },
  "libs": {
      "ecp": "[GCLOUD-INSTALL-LOCATION]/google-cloud-sdk/bin/ecp",
      "ecp_client": "[GCLOUD-INSTALL-LOCATION]/google-cloud-sdk/platform/enterprise_cert/libecp.so",
      "tls_offload": "[GCLOUD-INSTALL-LOCATION]/google-cloud-sdk/platform/enterprise_cert/libtls_offload.so"
  },
  "version": 1
}

Logging

To enable logging set the "ENABLE_ENTERPRISE_CERTIFICATE_LOGS" environment variable.

Example

export ENABLE_ENTERPRISE_CERTIFICATE_LOGS=1 # Now the enterprise-certificate-proxy will output logs to stdout.

Building ECP binaries from source

For amd64 MacOS, run ./build/scripts/darwin_amd64.sh. The binaries will be placed in build/bin/darwin_amd64 folder.

For amd64 Linux, run ./build/scripts/linux_amd64.sh. The binaries will be placed in build/bin/linux_amd64 folder.

For amd64 Windows, in powershell terminal, run .\build\scripts\windows_amd64.ps1. The binaries will be placed in build\bin\windows_amd64 folder. Note that gcc is required for compiling the Windows shared library. The easiest way to get gcc on Windows is to download Mingw64, and add "gcc.exe" to the powershell path.

Contributing

Contributions to this library are always welcome and highly encouraged. See the CONTRIBUTING documentation for more information on how to get started.

License

Apache - See LICENSE for more information.

Directories ¶

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL

Path	Synopsis
client Package client is a cross-platform client for the signer binary (a.k.a."EnterpriseCertSigner").	Package client is a cross-platform client for the signer binary (a.k.a."EnterpriseCertSigner").
util Package util provides helper functions for the client.	Package util provides helper functions for the client.
cshared This package is intended to be compiled into a C shared library for use by non-Golang clients to perform certificate and signing operations.	This package is intended to be compiled into a C shared library for use by non-Golang clients to perform certificate and signing operations.
darwin Package darwin contains a darwin-specific client for accessing the keychain APIs directly, bypassing the RPC mechanism of the universal client.	Package darwin contains a darwin-specific client for accessing the keychain APIs directly, bypassing the RPC mechanism of the universal client.
internal
signer/darwin Signer.go is a net/rpc server that listens on stdin/stdout, exposing methods that perform device certificate signing for Mac OS using keychain utils.	Signer.go is a net/rpc server that listens on stdin/stdout, exposing methods that perform device certificate signing for Mac OS using keychain utils.
signer/darwin/keychain Package keychain contains functions for retrieving certificates from the Darwin Keychain.	Package keychain contains functions for retrieving certificates from the Darwin Keychain.
signer/linux Signer.go is a net/rpc server that listens on stdin/stdout, exposing methods that perform device certificate signing for Linux using PKCS11 shared library.	Signer.go is a net/rpc server that listens on stdin/stdout, exposing methods that perform device certificate signing for Linux using PKCS11 shared library.
signer/linux/pkcs11 pkcs11 provides helpers for working with certificates via PKCS#11 APIs provided by go-pkcs11	pkcs11 provides helpers for working with certificates via PKCS#11 APIs provided by go-pkcs11
signer/test signer.go is a net/rpc server that listens on stdin/stdout, exposing mock methods for testing client.go.	signer.go is a net/rpc server that listens on stdin/stdout, exposing mock methods for testing client.go.
signer/util Package util provides helper functions for the signer.	Package util provides helper functions for the signer.
signer/windows Signer.go is a net/rpc server that listens on stdin/stdout, exposing methods that perform device certificate signing for Windows OS using ncrypt utils.	Signer.go is a net/rpc server that listens on stdin/stdout, exposing methods that perform device certificate signing for Windows OS using ncrypt utils.
signer/windows/ncrypt Package ncrypt provides wrappers around ncrypt.h functions.	Package ncrypt provides wrappers around ncrypt.h functions.
linux Package linux contains a linux-specific client for accessing the PKCS#11 APIs directly, bypassing the RPC-mechanism of the universal client.	Package linux contains a linux-specific client for accessing the PKCS#11 APIs directly, bypassing the RPC-mechanism of the universal client.
windows Package windows contains a windows-specific client for accessing the ncrypt APIs directly, bypassing the RPC-mechanism of the universal client.	Package windows contains a windows-specific client for accessing the ncrypt APIs directly, bypassing the RPC-mechanism of the universal client.