Security News
Weekly Downloads Now Available in npm Package Search Results
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.
github.com/googleapis/enterprise-certificate-proxy
If you use certificate-based access to protect your Google Cloud resources, the end user device certificate is one of the credentials that is verified before access to a resource is granted. You can configure Google Cloud to use the device certificates in your operating system key store when verifying access to a resource from the gcloud CLI or Terraform by using the enterprise certificates feature.
Google Enterprise Certificate Proxies (ECP) are part of the Google Cloud Zero Trust architecture that enables mutual authentication with client-side certificates. This repository contains a set of proxies/modules that can be used by clients or toolings to interact with certificates that are stored in protected key storage systems.
To interact the client certificates, application code should not need to use most of these proxies within this repository directly. Instead, the application should leverage the clients and toolings provided by Google such as Cloud SDK to have a more convenient developer experience.
The following platforms/keystores are supported by ECP:
Before using ECP with your application/client, you should complete the policy configurations documented in Enable CBA for Enterprise Certificate. The remainder of this README focuses on client configuration.
Install gcloud CLI (Cloud SDK) at: https://cloud.google.com/sdk/docs/install. Install with the bundled python option enabled.
For macOS and Linux, run the install.sh script after downloading it to complete installation.
$ ./google-cloud-sdk/install.sh
Install the ECP helper component:
$ gcloud components install enterprise-certificate-proxy
Initialize ECP certificate configuration:
MacOS $ gcloud auth enterprise-certificate-config create macos --issuer=<CERT_ISSUER>
Linux $ gcloud auth enterprise-certificate-config create linux --label=<CERT_LABEL> --module=<PKCS11_MODULE_PATH> --slot=<SLOT_ID>
Windows $ gcloud auth enterprise-certificate-config create windows --issuer=<CERT_ISSUER> --provider=<PROVIDER> --store=<STORE>
Enable usage of client certificates through gcloud CLI config command:
$ gcloud config set context_aware/use_client_certificate true
You can now use gcloud to access CBA-protected GCP resources. For example:
$ gcloud pubsub topics list
ECP relies on a certificate configuration JSON file to read all the metadata information for locating the certificate.
By default, it is named certificate_config.json
and stored at the following location on the user's device:
~/.config/gcloud/certificate_config.json
%APPDATA%\gcloud\certificate_config.json
You can put the JSON file in the location of your choice and set the path to it using:
$ gcloud config set context_aware/certificate_config_file_path "<json file path>"
Another approach for setting the JSON file location is with the GOOGLE_API_CERTIFICATE_CONFIG
environment variable.
$ export GOOGLE_API_CERTIFICATE_CONFIG="<json file path>"
Below are examples of the certificate configuration file:
{
"cert_configs": {
"macos_keychain": {
"issuer": "YOUR_CERT_ISSUER"
}
},
"libs": {
"ecp": "[GCLOUD-INSTALL-LOCATION]/google-cloud-sdk/bin/ecp",
"ecp_client": "[GCLOUD-INSTALL-LOCATION]/google-cloud-sdk/platform/enterprise_cert/libecp.dylib",
"tls_offload": "[GCLOUD-INSTALL-LOCATION]/google-cloud-sdk/platform/enterprise_cert/libtls_offload.dylib"
},
"version": 1
}
{
"cert_configs": {
"windows_store": {
"store": "MY",
"provider": "current_user",
"issuer": "YOUR_CERT_ISSUER"
}
},
"libs": {
"ecp": "[GCLOUD-INSTALL-LOCATION]/google-cloud-sdk/bin/ecp.exe",
"ecp_client": "[GCLOUD-INSTALL-LOCATION]/google-cloud-sdk/platform/enterprise_cert/libecp.dll",
"tls_offload": "[GCLOUD-INSTALL-LOCATION]/google-cloud-sdk/platform/enterprise_cert/libtls_offload.dll"
},
"version": 1
}
{
"cert_configs": {
"pkcs11": {
"label": "YOUR_TOKEN_LABEL",
"user_pin": "YOUR_PIN",
"slot": "YOUR_SLOT",
"module": "The PKCS #11 module library file path"
}
},
"libs": {
"ecp": "[GCLOUD-INSTALL-LOCATION]/google-cloud-sdk/bin/ecp",
"ecp_client": "[GCLOUD-INSTALL-LOCATION]/google-cloud-sdk/platform/enterprise_cert/libecp.so",
"tls_offload": "[GCLOUD-INSTALL-LOCATION]/google-cloud-sdk/platform/enterprise_cert/libtls_offload.so"
},
"version": 1
}
To enable logging set the ENABLE_ENTERPRISE_CERTIFICATE_LOGS
environment variable.
$ export ENABLE_ENTERPRISE_CERTIFICATE_LOGS=1 # Now the enterprise-certificate-proxy will output logs to stdout.
For amd64 MacOS, run ./build/scripts/darwin_amd64.sh
. The binaries will be placed in build/bin/darwin_amd64
folder.
For amd64 Linux, run ./build/scripts/linux_amd64.sh
. The binaries will be placed in build/bin/linux_amd64
folder.
For amd64 Windows, in powershell terminal, run .\build\scripts\windows_amd64.ps1
. The binaries will be placed in build\bin\windows_amd64
folder.
Note that gcc is required for compiling the Windows shared library. The easiest way to get gcc on Windows is to download Mingw64, and add "gcc.exe" to the powershell path.
Contributions to this library are always welcome and highly encouraged. See the CONTRIBUTING documentation for more information on how to get started.
Apache - See LICENSE for more information.
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.
Security News
A Stanford study reveals 9.5% of engineers contribute almost nothing, costing tech $90B annually, with remote work fueling the rise of "ghost engineers."
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.