uvicorn.Config does not allow to pass string/byte objects to ssl_keyfile or ssl_certfile

[Torxed]

Due to the nature of how the SSL context is called:

uvicorn/uvicorn/config.py

Lines 400 to 408 in 14ffba8

	self.ssl: ssl.SSLContext | None = create_ssl_context(
	keyfile=self.ssl_keyfile,
	certfile=self.ssl_certfile,
	password=self.ssl_keyfile_password,
	ssl_version=self.ssl_version,
	cert_reqs=self.ssl_cert_reqs,
	ca_certs=self.ssl_ca_certs,
	ciphers=self.ssl_ciphers,
	)

And created:

uvicorn/uvicorn/config.py

Lines 111 to 113 in 14ffba8

	ctx = ssl.SSLContext(ssl_version)
	get_password = (lambda: password) if password else None
	ctx.load_cert_chain(certfile, keyfile, get_password)

There's no way to pass a certificate and private key object into the TLS context creation.
Albeit a some what niche, there are some use cases where certificates and more importantly private keys are loaded from vaults/stores or during startup of certain applications - where there's no possibility for writing to disk (read-only file systems etc).

It would in such cases, be desirable to either:

1. Pass privkey/cert objects or PEM formatted strings directly to uvicorn.Config
2. Be able to pass a ssl.SSLContex() directly and let uvicorn consume said context without questions. (also useful for TLS debugging)

A minimal example to produce option 1 would be:

import uvicorn
import fastapi

import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

app = fastapi.FastAPI()

key = rsa.generate_private_key(
	public_exponent=65537,
	key_size=2048,
)
# Write our key to disk for safe keeping
privkey = key.private_bytes(
	encoding=serialization.Encoding.PEM,
	format=serialization.PrivateFormat.TraditionalOpenSSL,
	encryption_algorithm=serialization.BestAvailableEncryption(b"passphrase"),
)

subject = issuer = x509.Name([
	x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
	x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "California"),
	x509.NameAttribute(NameOID.LOCALITY_NAME, "San Francisco"),
	x509.NameAttribute(NameOID.ORGANIZATION_NAME, "My Company"),
	x509.NameAttribute(NameOID.COMMON_NAME, "mysite.com"),
])
cert = x509.CertificateBuilder().subject_name(
	subject
).issuer_name(
	issuer
).public_key(
	key.public_key()
).serial_number(
	x509.random_serial_number()
).not_valid_before(
	datetime.datetime.now(datetime.timezone.utc)
).not_valid_after(
	# Our certificate will be valid for 10 days
	datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=10)
).add_extension(
	x509.SubjectAlternativeName([x509.DNSName("localhost")]),
	critical=False,
# Sign our certificate with our private key
).sign(key, hashes.SHA256())
# Write our certificate out to disk.

certificate = cert.public_bytes(serialization.Encoding.PEM)

uvicorn = uvicorn.Server(
	uvicorn.Config(
		app,
		host="127.0.0.1",
		port=1789,
		ssl_keyfile=privkey,
		ssl_certfile=certificate,
		log_level="info",
		reload=False
	)
)

uvicorn.run()

To work around the current implementation to facilitate the second option, we could attempt to use OpenSSL.SSL.Context which would allow us to create our own TLS context from strings using load_certificate. uvicorn would however need to push a change to uvloop (at least on Linux, not sure what loop is used on windows) to bypass:

  File "uvloop/loop.pyx", line 1715, in create_server
TypeError: ssl argument must be an SSLContext or None

Here's how that could look like:

import uvicorn
import fastapi
import datetime

from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from OpenSSL import SSL
from OpenSSL.crypto import load_certificate, load_privatekey, FILETYPE_PEM

app = fastapi.FastAPI()

key = rsa.generate_private_key(
	public_exponent=65537,
	key_size=2048,
)
# Write our key to disk for safe keeping
privkey = key.private_bytes(
	encoding=serialization.Encoding.PEM,
	format=serialization.PrivateFormat.TraditionalOpenSSL,
	encryption_algorithm=serialization.BestAvailableEncryption(b"passphrase"),
)

subject = issuer = x509.Name([
	x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
	x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "California"),
	x509.NameAttribute(NameOID.LOCALITY_NAME, "San Francisco"),
	x509.NameAttribute(NameOID.ORGANIZATION_NAME, "My Company"),
	x509.NameAttribute(NameOID.COMMON_NAME, "mysite.com"),
])
cert = x509.CertificateBuilder().subject_name(
	subject
).issuer_name(
	issuer
).public_key(
	key.public_key()
).serial_number(
	x509.random_serial_number()
).not_valid_before(
	datetime.datetime.now(datetime.timezone.utc)
).not_valid_after(
	# Our certificate will be valid for 10 days
	datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=10)
).add_extension(
	x509.SubjectAlternativeName([x509.DNSName("localhost")]),
	critical=False,
# Sign our certificate with our private key
).sign(key, hashes.SHA256())
# Write our certificate out to disk.

certificate = cert.public_bytes(serialization.Encoding.PEM)

config = uvicorn.Config(
	app,
	host="127.0.0.1",
	port=1789,
	# Needs to be disabled for .load() to complete successfully
	#ssl_keyfile=privkey,
	#ssl_certfile=certificate,
	log_level="info",
	reload=False
)

ctx = SSL.Context(SSL.TLS_SERVER_METHOD)
ctx.use_certificate(load_certificate(FILETYPE_PEM, certificate))
ctx.use_privatekey(load_privatekey(FILETYPE_PEM, privkey))

config.load() # Manually calling the .load()
config.ssl = ctx

uvicorn = uvicorn.Server(
	config
)

uvicorn.run()

[Torxed]

At a glance, this sounds related but isn't due to the lack of ability to create a context from in-memory: #806

[frobnitzem]

Why not allow the uvicorn programmatic API to receive an ssl.SSLContext directly? Then lots of customizations like this become easier to support. I had to monkey-patch create_ssl_context to work around this currently in the certified package.