Sorry for the delayed response.  I needed to noodle on this option and talk 
to some of the devs who would need to implement this.

1. Setting up an http.Server{} and tls.Config will work.  But it is a lot 
of effort for devs who want to focus on the business logic.
2. This creates more code the golang users (devs) need to implement and 
maintain...which disincentivizes a non-file-based approach.

I've created my own library to do what is suggested in this thread, but I'd 
say that as a community we should pursue a better option.
On Monday, September 13, 2021 at 4:14:01 PM UTC-5 bse...@computer.org wrote:

> On Mon, Sep 13, 2021 at 3:03 PM Sam Caldwell <ma...@samcaldwell.net> 
> wrote:
>
>> Does anyone have any ideas of an easy path to load certificate and key 
>> files from a string rather than a file?
>>
>> *Use Case:*
>> 1. traditionally we all put a cleartext file on disk with our private key 
>> and public certificate.  If the server is breached, we just regenerate all 
>> the things and move on.
>> 2. I would like to store my certificates and keys in a more secure 
>> location (AWS SSM Param store, Hashicorp Vault, etc.).
>> 3. The certificate is only read from file at startup as best I can tell, 
>> and relocating certificates and keys to an encrypted store would (a) allow 
>> better auditing when the content is accessed, (b) restrict access to only 
>> authorized processes and (c)  make rotating keys and certificates a much 
>> easier process.
>>
>> *Analysis:*
>> *Current Functionality:*
>> - We setup a server using ListenAndServeTLS() and pass in a filename for 
>> the certificate and key.
>> - In go1.17.1/src/net/http/server.go at 3066, tls.LoadX509KeyPair() 
>> is called.
>> - LoadX509KeyPair() exists at 230 in src/crypto/tls/tls.go and
>>    - It calls os.ReadFile() at 231 and 235.
>> *Possible Solution:*
>> - We cannot break existing things, and within the limitations of golang, 
>> it is probably the least-disruptive solution to add a new 
>> ListenAndServeTLSFromVar() which would functionally do everything 
>> ListenAndServeTLS() does, but instead of reading a file, it would instead 
>> accept the input string as the certificate/key content.
>> - Alternatively ListenAndServeTLSFromVar() would accept a boolean 
>> parameter which would determine if certificate and key parameters are 
>> filenames or content strings.  In this case, ListenAndServeTLSFromVar() 
>> would support both filenames and content string use cases and provide a 
>> path to unifying the approach if the community begins to adopt the use case 
>> identified above in large numbers.
>>
>
> You can already do this by creating an http.Server{} with a tls.Config 
> initialized from the certificates you have. You have to decode and parse 
> the certificates from strings to create the tls.Config.
>
>  
>
>>
>> *Conclusion:*
>> I'm willing to do the work and contribute the code to implement the 
>> above, but I wanted to solicit opinions first.  Ideally the functionality 
>> exists already and I am reinventing a wheel.  In that case, please point me 
>> in the right direction so I can focus my efforts on my current project.
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "golang-nuts" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to golang-nuts...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/golang-nuts/6e283ce3-7802-4765-9fd3-156d01c65bbbn%40googlegroups.com
>>  
>> <https://groups.google.com/d/msgid/golang-nuts/6e283ce3-7802-4765-9fd3-156d01c65bbbn%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/72cd125f-1b5f-499c-a7a5-2145b7d19202n%40googlegroups.com.
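The approach suggested in the quoted reply (an http.Server with a tls.Config built from in-memory PEM strings instead of files), written out as an added example. This is not code from the thread, from the library mentioned above, or from the Go project; it uses only the standard library. The certStore type, its Load/TLSConfig methods and the selfSignedPEM helper are names chosen here, and selfSignedPEM only generates a throwaway self-signed certificate so the program runs offline; in practice the two PEM strings would come from Vault, SSM Parameter Store or similar. Beyond the one-shot tls.X509KeyPair parse, it also wires GetCertificate to an atomically swappable value so a rotated certificate takes effect on the next handshake without a restart, which is the rotation point raised in the original use case.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"log"
	"math/big"
	"net/http"
	"sync/atomic"
	"time"
)

// certStore holds the active certificate. Swapping it is atomic, so a
// rotation pulled from a secret store is picked up by the next handshake.
type certStore struct {
	cur atomic.Value // holds *tls.Certificate
}

// Load parses PEM cert and key strings (as read from Vault/SSM, not a file)
// and installs them. Bad or expired material is rejected before it can
// replace a working certificate.
func (s *certStore) Load(certPEM, keyPEM string) error {
	c, err := tls.X509KeyPair([]byte(certPEM), []byte(keyPEM))
	if err != nil {
		return fmt.Errorf("parse key pair: %w", err)
	}
	leaf, err := x509.ParseCertificate(c.Certificate[0])
	if err != nil {
		return fmt.Errorf("parse leaf: %w", err)
	}
	if time.Now().After(leaf.NotAfter) {
		return errors.New("certificate already expired")
	}
	c.Leaf = leaf
	s.cur.Store(&c)
	return nil
}

// TLSConfig returns a tls.Config whose GetCertificate consults the store on
// every handshake; no filename is involved anywhere.
func (s *certStore) TLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
			c, _ := s.cur.Load().(*tls.Certificate)
			if c == nil {
				return nil, errors.New("no certificate loaded")
			}
			return c, nil
		},
	}
}

// selfSignedPEM is a constructed stand-in for material fetched from a
// secret store: it mints a short-lived self-signed cert so the example
// runs offline. Real deployments would read the two strings instead.
func selfSignedPEM(cn string) (certPEM, keyPEM string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{cn},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return "", "", err
	}
	certPEM = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	keyPEM = string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}))
	return certPEM, keyPEM, nil
}

func main() {
	certPEM, keyPEM, err := selfSignedPEM("localhost")
	if err != nil {
		log.Fatal(err)
	}
	store := &certStore{}
	if err := store.Load(certPEM, keyPEM); err != nil {
		log.Fatal(err)
	}
	srv := &http.Server{
		Addr:      ":8443",
		Handler:   http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") }),
		TLSConfig: store.TLSConfig(),
	}
	// Empty filenames are allowed when TLSConfig already supplies a
	// certificate (via Certificates or GetCertificate), so nothing touches disk.
	log.Fatal(srv.ListenAndServeTLS("", ""))
}
```

Calling store.Load again with fresh PEM strings (for example from a goroutine that polls the secret store) is the whole rotation story: existing connections keep their session, new handshakes get the new certificate, and a failed parse leaves the previous certificate in place rather than taking the listener down.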
