You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We can extend the engine to Cloud KMS keys that have key purposes of types ENCRYPT_DECRYPT (i.e. AES) and ASYMMETRIC_DECRYPT (i.e. RSA encryption). Currently, the backing layer is algorithm-agnostic and so most of the backing layer structure should be immediately reusable. The bulk of the work involved would be:
Add the requisite Cloud KMS API calls to the GrpcClient implementation (for example, AsymmetricDecrypt for ASYMMETRIC_DECRYPT keys; Encrypt and Decrypt for ENCRYPT_DECRYPT keys).
Expose those API calls to the bridge layer by adding them to the CryptoKeyHandle implementation.
In the bridge layer, write OpenSSL callbacks for AES / RSA implementations that call the corresponding API methods exposed in CryptoKeyHandle.
For ENCRYPT_DECRYPT keys, add AES functionality to the key loader in the bridge layer. (At the time of writing, all ASYMMETRIC_DECRYPT keys are RSA keys, so those keys should be able to reuse the existing RSA key loader code.)
The engine could also support key generation OpenSSL APIs. For example, the engine currently defines the callback for RSA_meth_set_keygen as a null pointer (since it is unimplemented), but in the future this could be defined to make Cloud KMS API calls to create private keys on the fly.
The text was updated successfully, but these errors were encountered:
We can extend the engine to Cloud KMS keys that have key purposes of types
ENCRYPT_DECRYPT
(i.e. AES) andASYMMETRIC_DECRYPT
(i.e. RSA encryption). Currently, the backing layer is algorithm-agnostic and so most of the backing layer structure should be immediately reusable. The bulk of the work involved would be:GrpcClient
implementation (for example,AsymmetricDecrypt
forASYMMETRIC_DECRYPT
keys;Encrypt
andDecrypt
forENCRYPT_DECRYPT
keys).CryptoKeyHandle
implementation.CryptoKeyHandle
.ENCRYPT_DECRYPT
keys, add AES functionality to the key loader in the bridge layer. (At the time of writing, allASYMMETRIC_DECRYPT
keys are RSA keys, so those keys should be able to reuse the existing RSA key loader code.)The engine could also support key generation OpenSSL APIs. For example, the engine currently defines the callback for
RSA_meth_set_keygen
as a null pointer (since it is unimplemented), but in the future this could be defined to make Cloud KMS API calls to create private keys on the fly.The text was updated successfully, but these errors were encountered: