Golang & openssl

Hi all and nice to see you guys over here also have a Discourse forum :slight_smile:

I am very very new to golang and am more busy with reading the docs than programming, but I guess that is normal for the start.

I have two topics, in which I would like to ask the community for help.

OpenSSL.

I started reading the doc, but somehow I can’t find the part where it is written what the equivalent golang approaches to the shell are. I really think that would help people move over.

So, what I do is convert the certificate (cer or pem) and key (key or pem) into a PKCS12 (.pfx) file.

My shell commands are:

if “cert” PEM: openssl x509 -in input_cert.pem -out output_cert.pem
if “cert” DER: openssl x509 -inform der -in input_cert.cer -out output_cert.pem

if “key” PEM: openssl pkcs8 -in input_key.pem -passin pass:PASS -out output_key.pem
if “key” DER: openssl pkcs8 -inform der -in input_key.key -passin pass:PASS -out output_key.pem

Finally:

openssl pkcs12 -export -in output_cert.pem -inkey output_key.pem -out server.pfx -password pass:PASS

That will generate the wanted server.pfx file with the same password as the key (if it had one).

ATM I do this in golang as a wrapper and I indeed execute the command as a shell command and listen for stdout and stderr to capture everything. It is not slow (30ms)… but for multiple reasons (mentioned below) I don’t want this and want to do this in golang directly with the openssl lib.
What I also do is: storing the files temporarily on the server, which I also don’t want, if possible.

So my questions are:

  1. how to analyse a cert with golang openssl? Is it possible to just throw something at it and it tells me “this is a ‘Cert’ in PEM format” or “this is a ‘Key’ in DER format”?
  2. Can I take (from my form upload) the files and not store them as files, but keep them in memory or as []byte variable and convert them like this, so I don’t have to store them?
  3. If I use openssl from golang, does my system need to have openssl installed, or is it not required anymore?

Here the second part:

file

I use the shell program file to identify files independently of their file extension etc. If golang-openssl can identify all certs & keys I don’t need it, but right now I don’t know if it can.
If golang-openssl cannot do this, is there a golang library which can do so? For my needs it must be able to differentiate between:

  • cert (der)
  • cert (pem)
  • key (der)
  • key (pem)
  • key (pem - encrypted)

That would be enough for me.

ATM I have these two external libs which I want to get rid of, so my application is 100% go-based and not some sub-shell Frankenstein project.

My long term goal

…with golang is to be able to run my code 100% in golang with no other external dependencies.
I want to do this for multiple reasons:

  • performance
  • security
  • integrity
  • being able to run at docker-scratch

I was able to run my whole application as a <10MB docker-image, but I had to disable ALL parts which required “openssl” and “file”. Which means for me that the application was not really usable, but I am highly impressed by how small such a docker-image can get if you use golang and build your app. I really love this and would like to learn more about golang and the dockerization of golang-based applications :slight_smile:

That’s it for now. I hope some friendly souls here can give me some input or even better examples and how they would do it.

Btw, here is what I use:

  • golang v1.19.1
  • gin v1.8.1

So for me it is a gin-based webserver.

Best regards.
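The classification and in-memory conversion the post asks about can be done with the Go standard library alone (crypto/x509, encoding/pem, crypto/tls), so no openssl binary or library needs to be installed. The following is an added example written for this thread, not the poster's code and not from the Go or gin projects. The function names `derKeyType`, `Classify`, `ToPEM` and `LoadPair` are chosen here; the certificate and key it runs on are generated in memory as constructed test data, and nothing is written to disk.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// The five categories the post wants to tell apart, plus a fallback.
const (
	CertDER         = "cert (der)"
	CertPEM         = "cert (pem)"
	KeyDER          = "key (der)"
	KeyPEM          = "key (pem)"
	KeyPEMEncrypted = "key (pem - encrypted)"
	Unknown         = "unknown"
)

// derKeyType returns the PEM block type for a DER private key (PKCS#8, PKCS#1 or SEC 1), or "".
func derKeyType(der []byte) string {
	if _, err := x509.ParsePKCS8PrivateKey(der); err == nil {
		return "PRIVATE KEY"
	} else if _, err := x509.ParsePKCS1PrivateKey(der); err == nil {
		return "RSA PRIVATE KEY"
	} else if _, err := x509.ParseECPrivateKey(der); err == nil {
		return "EC PRIVATE KEY"
	}
	return ""
}

// Classify reports cert or key, PEM or DER, and encrypted-or-not for a PEM key, all from memory.
func Classify(data []byte) string {
	block, _ := pem.Decode(data)
	if block == nil { // no PEM armour: treat the raw bytes as DER
		if _, err := x509.ParseCertificate(data); err == nil {
			return CertDER
		} else if derKeyType(data) != "" {
			return KeyDER
		}
		return Unknown
	}
	switch {
	case block.Type == "ENCRYPTED PRIVATE KEY", block.Headers["DEK-Info"] != "":
		return KeyPEMEncrypted // PKCS#8 encryption, or the legacy OpenSSL header form
	case block.Type == "CERTIFICATE":
		if _, err := x509.ParseCertificate(block.Bytes); err == nil {
			return CertPEM
		}
	case strings.HasSuffix(block.Type, "PRIVATE KEY") && derKeyType(block.Bytes) != "":
		return KeyPEM
	}
	return Unknown
}

// ToPEM is the in-memory counterpart of "openssl x509/pkcs8 -inform der -in x -out x.pem".
func ToPEM(data []byte) ([]byte, error) {
	switch kind := Classify(data); kind {
	case CertPEM, KeyPEM:
		return data, nil
	case CertDER:
		return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: data}), nil
	case KeyDER:
		return pem.EncodeToMemory(&pem.Block{Type: derKeyType(data), Bytes: data}), nil
	default: // unknown bytes, or an encrypted key that must be decrypted first
		return nil, fmt.Errorf("cannot use input classified as %q", kind)
	}
}

// LoadPair normalises both inputs and checks that the key matches the certificate, in memory.
func LoadPair(certIn, keyIn []byte) (tls.Certificate, error) {
	certPEM, certErr := ToPEM(certIn)
	keyPEM, keyErr := ToPEM(keyIn)
	if certErr != nil || keyErr != nil {
		return tls.Certificate{}, fmt.Errorf("cert: %v; key: %v", certErr, keyErr)
	}
	return tls.X509KeyPair(certPEM, keyPEM)
}

// buildSamples makes a throwaway self-signed cert and PKCS#8 key in memory (constructed test data).
func buildSamples() (certDER, keyDER []byte) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	certDER, _ = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	keyDER, _ = x509.MarshalPKCS8PrivateKey(priv)
	return certDER, keyDER
}

func main() {
	certDER, keyDER := buildSamples()
	_, err := LoadPair(certDER, keyDER)
	fmt.Println(Classify(certDER), Classify(keyDER), "pair ok:", err == nil)
}
```

In a gin handler the bytes read from the multipart upload go straight into `Classify` or `LoadPair`; no temporary files are needed, and `tls.X509KeyPair` performs the key-matches-certificate check that the shell pipeline relied on `openssl pkcs12` for. Encrypted PEM keys are detected by block type (`ENCRYPTED PRIVATE KEY`) or the legacy `DEK-Info` header but are deliberately rejected rather than decrypted, since crypto/x509 has no PKCS#8 decryption. The one step this leaves out is writing the final .pfx: golang.org/x/crypto/pkcs12 only decodes PKCS#12, so producing one needs a third-party encoder (for example the software.sslmate.com/src/go-pkcs12 module), still without shelling out to openssl.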