Does anyone have any ideas of an easy path to load certificate and key files from a string rather than a file?
*Use Case:*

1. Traditionally we all put a cleartext file on disk with our private key and public certificate. If the server is breached, we just regenerate all the things and move on.
2. I would like to store my certificates and keys in a more secure location (AWS SSM Param store, Hashicorp Vault, etc.).
3. The certificate is only read from file at startup as best I can tell, and relocating certificates and keys to an encrypted store would (a) allow better auditing when the content is accessed, (b) restrict access to only authorized processes and (c) make rotating keys and certificates a much easier process.

*Analysis:*

*Current Functionality:*

- We set up a server using ListenAndServeTLS() and pass in a filename for the certificate and key.
- In go1.17.1/src/net/http/server.go at 3066, tls.LoadX509KeyPair() is called.
- LoadX509KeyPair() exists at 230 in src/crypto/tls/tls.go and
- It calls os.ReadFile() at 231 and 235.

*Possible Solution:*

- We cannot break existing things, and within the limitations of golang, it is probably the least-disruptive solution to add a new ListenAndServeTLSFromVar() which would functionally do everything ListenAndServeTLS() does, but instead of reading a file, it would instead accept the input string as the certificate/key content.
- Alternatively ListenAndServeTLSFromVar() would accept a boolean parameter which would determine if certificate and key parameters are filenames or content strings. In this case, ListenAndServeTLSFromVar() would support both filenames and content string use cases and provide a path to unifying the approach if the community begins to adopt the use case identified above in large numbers.

*Conclusion:*

I'm willing to do the work and contribute the code to implement the above, but I wanted to solicit opinions first. Ideally the functionality exists already and I am reinventing a wheel. In that case, please point me in the right direction so I can focus my efforts on my current project.
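The functionality asked for above already exists in the standard library: tls.X509KeyPair parses PEM bytes from any source, and net/http only calls tls.LoadX509KeyPair when the TLSConfig carries no certificate. The example below is added here and is not code from the post or from Go's own sources; it assumes hypothetical names (CertStore, NewServer, SelfSignedPEM) and uses a constructed self-signed certificate in place of a value fetched from SSM or Vault. It also goes beyond the post by using GetCertificate, so a rotated certificate can be swapped in without restarting the server.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"math/big"
	"net/http"
	"sync/atomic"
	"time"
)

// CertStore holds the live certificate in memory; Set swaps it atomically, so a rotation needs no restart.
type CertStore struct{ cur atomic.Value }

// Set installs PEM cert and key bytes (e.g. fetched from SSM or Vault); the key never touches the filesystem.
func (s *CertStore) Set(certPEM, keyPEM []byte) error {
	c, err := tls.X509KeyPair(certPEM, keyPEM)
	if err == nil {
		s.cur.Store(&c) // a malformed rotation leaves the previous certificate serving
	}
	return err
}

// NewServer wires the store in via GetCertificate, which crypto/tls consults on every handshake.
// Because it is set, srv.ListenAndServeTLS("", "") skips tls.LoadX509KeyPair entirely.
func NewServer(addr string, s *CertStore, h http.Handler) *http.Server {
	get := func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
		c, _ := s.cur.Load().(*tls.Certificate) // nil until Set; tls then reports "no certificates configured"
		return c, nil
	}
	return &http.Server{Addr: addr, Handler: h, TLSConfig: &tls.Config{GetCertificate: get, MinVersion: tls.VersionTLS12}}
}

// SelfSignedPEM is a constructed stand-in for the value a secret store would return.
func SelfSignedPEM() (certPEM, keyPEM []byte, err error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if crypto/rand itself fails
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	kder, _ := x509.MarshalPKCS8PrivateKey(priv) // cannot fail for a key just generated
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: kder}), err
}
```

Start the server with NewServer(addr, store, handler).ListenAndServeTLS("", ""); the empty filenames are what tells net/http to rely on the TLSConfig instead of reading from disk.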
-- Posted to the Google Groups "golang-nuts" group. To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/6e283ce3-7802-4765-9fd3-156d01c65bbbn%40googlegroups.com.