On Mon, Sep 13, 2021 at 3:03 PM Sam Caldwell <m...@samcaldwell.net> wrote:
> Does anyone have any ideas of an easy path to load certificate and key
> files from a string rather than a file?
>
> *Use Case:*
> 1. Traditionally we all put a cleartext file on disk with our private key
> and public certificate. If the server is breached, we just regenerate all
> the things and move on.
> 2. I would like to store my certificates and keys in a more secure
> location (AWS SSM Param store, Hashicorp Vault, etc.).
> 3. The certificate is only read from file at startup as best I can tell,
> and relocating certificates and keys to an encrypted store would (a) allow
> better auditing when the content is accessed, (b) restrict access to only
> authorized processes and (c) make rotating keys and certificates a much
> easier process.
>
> *Analysis:*
> *Current Functionality:*
> - We set up a server using ListenAndServeTLS() and pass in a filename for
> the certificate and key.
> - In go1.17.1/src/net/http/server.go at line 3066, tls.LoadX509KeyPair()
> is called.
> - LoadX509KeyPair() exists at line 230 in src/crypto/tls/tls.go and
> - It calls os.ReadFile() at lines 231 and 235.
> *Possible Solution:*
> - We cannot break existing things, and within the limitations of golang,
> it is probably the least-disruptive solution to add a new
> ListenAndServeTLSFromVar() which would functionally do everything
> ListenAndServeTLS() does, but instead of reading a file, it would instead
> accept the input string as the certificate/key content.
> - Alternatively ListenAndServeTLSFromVar() would accept a boolean
> parameter which would determine if certificate and key parameters are
> filenames or content strings. In this case, ListenAndServeTLSFromVar()
> would support both filenames and content string use cases and provide a
> path to unifying the approach if the community begins to adopt the use case
> identified above in large numbers.

You can already do this by creating an http.Server{} with a tls.Config
initialized from the certificates you have.
You have to decode and parse the certificates from strings to create the
tls.Config.

> *Conclusion:*
> I'm willing to do the work and contribute the code to implement the above,
> but I wanted to solicit opinions first. Ideally the functionality exists
> already and I am reinventing a wheel. In that case, please point me in the
> right direction so I can focus my efforts on my current project.
>
> --
> You received this message because you are subscribed to the Google Groups
> "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to golang-nuts+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/golang-nuts/6e283ce3-7802-4765-9fd3-156d01c65bbbn%40googlegroups.com

--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/CAMV2RqoUG4XoXs%2BCfDdDeNqdtv9QXAX5mZ2En-P2jKL6zbSFpw%40mail.gmail.com.
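The approach the reply points at, written out as an added example that is not part of the thread and not code from the Go standard library: `LoadKeyPairFromStrings`, `CertStore`, `NewServer` and `SelfSignedPEM` are names chosen here, and the self-signed certificate is a constructed stand-in for the PEM strings a real deployment would fetch from SSM Parameter Store or Vault. It goes one step beyond the reply: instead of a fixed `tls.Config.Certificates` slice it uses `tls.Config.GetCertificate`, which is what makes the rotation the original post asks about possible without a restart.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"log"
	"math/big"
	"net/http"
	"sync/atomic"
	"time"
)

// LoadKeyPairFromStrings is the in-memory counterpart of tls.LoadX509KeyPair: PEM text in, no file names.
func LoadKeyPairFromStrings(certPEM, keyPEM string) (tls.Certificate, error) {
	cert, err := tls.X509KeyPair([]byte(certPEM), []byte(keyPEM))
	if err != nil {
		return tls.Certificate{}, fmt.Errorf("parsing in-memory key pair: %w", err)
	}
	// Go < 1.23 leaves Leaf nil; parse once so expiry/SANs can be checked at rotation time.
	if cert.Leaf == nil {
		if cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0]); err != nil {
			return tls.Certificate{}, err
		}
	}
	return cert, nil
}

// CertStore holds the certificate in use and swaps it atomically, so a rotation needs no restart.
type CertStore struct{ cur atomic.Value } // holds *tls.Certificate

func (s *CertStore) Set(cert tls.Certificate) { s.cur.Store(&cert) }

// GetCertificate is what crypto/tls calls on every handshake.
func (s *CertStore) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	c, _ := s.cur.Load().(*tls.Certificate)
	if c == nil {
		return nil, fmt.Errorf("certstore: no certificate loaded")
	}
	return c, nil
}

// NewServer wires the store into http.Server; with TLSConfig set, ListenAndServeTLS("", "") reads no files.
func NewServer(addr string, store *CertStore, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		ReadHeaderTimeout: 10 * time.Second,
		TLSConfig: &tls.Config{
			MinVersion:     tls.VersionTLS12,
			GetCertificate: store.GetCertificate,
		},
	}
}

// SelfSignedPEM makes a throwaway P-256 cert/key: a constructed stand-in for the secret-store values.
func SelfSignedPEM(host string) (certPEM, keyPEM string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return "", "", err
	}
	certPEM = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	keyPEM = string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}))
	return certPEM, keyPEM, nil
}

func main() {
	certPEM, keyPEM, err := SelfSignedPEM("localhost") // stand-in for the Vault/SSM values
	cert, err2 := LoadKeyPairFromStrings(certPEM, keyPEM)
	if err != nil || err2 != nil {
		log.Fatal(err, err2)
	}
	store := &CertStore{}
	store.Set(cert)
	srv := NewServer("127.0.0.1:8443", store, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok\n")) }))
	log.Fatal(srv.ListenAndServeTLS("", "")) // empty file names: nothing is read from disk
}
```

The empty file names passed to `ListenAndServeTLS` are legitimate: net/http only falls back to `tls.LoadX509KeyPair` when the config has neither `Certificates` nor `GetCertificate`, or when a file name is actually given. Two caveats the move to a secret store does not change: the key still has to sit in process memory for the handshake (and Go strings cannot be wiped), so the gain is the audited fetch and the cheap rotation, not protection of the key inside the process; and the fetch runs under the process's own identity (IAM role, Vault token), so that credential now guards the key and deserves the same care the PEM file used to get.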