GAM-team / GAM

command line management for Google Workspace
https://github.com/GAM-team/GAM/wiki
Apache License 2.0
3.5k stars 470 forks

S/MIME certificate provisioning for Gmail CSE #1672

Open roadmapcymbaldev-andrew opened 8 months ago

roadmapcymbaldev-andrew commented 8 months ago

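Is your feature request related to a problem? Please describe.
Gmail now offers Client Side Encryption <https://support.google.com/a/answer/10741897> (CSE) functionality for S/MIME email exchanges. To configure CSE, the Workspace admin must use the Gmail API to provision "wrapped" certificates for their users (refer to documentation here <https://support.google.com/a/answer/13069736?fl=1&sjid=15177673855952669729-NC#setup_users>). Google currently provides a sample Python script <https://support.google.com/a/answer/13069736?fl=1&sjid=15177673855952669729-NC#setup_users&zippy=%2Coptional-use-googles-python-sample-script-to-upload-users-certificates-and-wrapped-private-keys-to-gmail> for administrators to make these API calls.

Describe the solution you'd like
It would be great if GAM could handle CSE Gmail provisioning by making the required Gmail (and key service) API calls. In order to accomplish this, a process needs to take an existing S/MIME certificate (P7 PEM format) for each user, make a call to the key service to "wrap" the certificate, and then make at least two Gmail API calls (one to create the keypair, one to enable it).

Describe alternatives you've considered
Some of the key services may provide their own way to populate S/MIME certs for CSE.

Additional context
users.settings.cse.keypairs <https://developers.google.com/gmail/api/reference/rest/v1/users.settings.cse.keypairs>
users.settings.cse.identities <https://developers.google.com/gmail/api/reference/rest/v1/users.settings.cse.identities>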
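The flow requested above (check the P7 PEM, attach the key service's wrapped key, then create and enable the key pair), as an added example that is not GAM's code or Google's sample script. It builds the two Gmail API request bodies offline; the function names and `example.com` hosts are assumptions, and the wrapped key is assumed to have already been returned by the key service.

```python
import base64
import re
from urllib.parse import quote

GMAIL = "https://gmail.googleapis.com/gmail/v1/users/"
PKCS7_RE = re.compile(
    r"-----BEGIN PKCS7-----\s+([A-Za-z0-9+/=\s]+?)-----END PKCS7-----")


def check_pkcs7_pem(text):
    """Return the PKCS7 PEM block, rejecting files that also carry a key."""
    if "PRIVATE KEY-----" in text:
        raise ValueError("certificate file also contains a private key")
    m = PKCS7_RE.search(text)
    if not m:
        raise ValueError("no PKCS7 PEM block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if not der.startswith(b"\x30"):  # DER ContentInfo is an ASN.1 SEQUENCE
        raise ValueError("PEM body is not a DER SEQUENCE")
    return m.group(0)


def keypair_request(user, pkcs7_pem, kacls_uri, wrapped_key):
    """Call 1: users.settings.cse.keypairs.create (hypothetical helper)."""
    if "PRIVATE KEY" in wrapped_key:
        raise ValueError("refusing to upload an unwrapped private key")
    if not kacls_uri.startswith("https://"):
        raise ValueError("key service URI must be https")
    body = {
        "pkcs7": check_pkcs7_pem(pkcs7_pem),
        "privateKeyMetadata": [{"kaclsKeyMetadata": {
            "kaclsUri": kacls_uri, "kaclsData": wrapped_key}}],
    }
    return "POST", GMAIL + quote(user) + "/settings/cse/keypairs", body


def identity_request(user, key_pair_id):
    """Call 2: users.settings.cse.identities.create, enabling the key pair."""
    body = {"emailAddress": user, "primaryKeyPairId": key_pair_id}
    return "POST", GMAIL + quote(user) + "/settings/cse/identities", body


# Constructed sample input: the DER bytes are a stub, not a real certificate.
SAMPLE_P7 = ("-----BEGIN PKCS7-----\n"
             + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
             + "\n-----END PKCS7-----\n")
```

The `keyPairId` passed to `identity_request` comes from the response to the first call, so the two requests have to be sent in that order.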

taers232c commented 8 months ago

I'm in California (PST) and am generally available starting at 7:30AM. Send me a Meet/Zoom invitation and we can discuss your request.

Ross

Ross Scroggs @.***


roadmapcymbaldev-andrew commented 8 months ago

Sorry I missed this response until now. I will send an invite over.
