certcache: integrate cache encryption layer

Author: Snawoot

main.go

@@ -177,6 +177,27 @@ type proxyArg struct {
 	value   string
 }
 
+type hexArg struct {
+	value []byte
+}
+
+func (a *hexArg) String() string {
+	return hex.EncodeToString(a.value)
+}
+
+func (a *hexArg) Set(s string) error {
+	b, err := hex.DecodeString(s)
+	if err != nil {
+		return err
+	}
+	a.value = b
+	return nil
+}
+
+func (a *hexArg) Value() []byte {
+	return a.value
+}
+
 type cacheKind int
 
 const (
@@ -210,6 +231,7 @@ type CLIArgs struct {
 	autocertHTTP              string
 	autocertLocalCacheTTL     time.Duration
 	autocertLocalCacheTimeout time.Duration
+	autocertCacheEncKey       hexArg
 	passwd                    string
 	passwdCost                int
 	hmacSign                  bool
@@ -290,6 +312,7 @@ func parse_args() CLIArgs {
 		return nil
 	})
 	flag.StringVar(&args.autocertCacheRedisPrefix, "autocert-cache-redis-prefix", "", "prefix to use for keys in Redis or Redis Cluster cache")
+	flag.Var(&args.autocertCacheEncKey, "autocert-cache-enc-key", "hex-encoded encryption key for cert cache entries")
 	flag.StringVar(&args.autocertACME, "autocert-acme", autocert.DefaultACMEDirectory, "custom ACME endpoint")
 	flag.StringVar(&args.autocertEmail, "autocert-email", "", "email used for ACME registration")
 	flag.StringVar(&args.autocertHTTP, "autocert-http", "", "listen address for HTTP-01 challenges handler of ACME")
@@ -559,6 +582,13 @@ func run() int {
 				return 3
 			}
 		}
+		if len(args.autocertCacheEncKey.Value()) > 0 {
+			certCache, err = certcache.NewEncryptedCache(args.autocertCacheEncKey.Value(), certCache)
+			if err != nil {
+				mainLogger.Critical("unable to construct cache encryption layer: %v", err)
+				return 3
+			}
+		}
 		if args.autocertLocalCacheTTL > 0 {
 			lcc := certcache.NewLocalCertCache(
 				certCache,