NotificationsYou must be signed in to change notification settings
Fork32k
Star67.2k

Commit7c3ddb5

committed

bpo-16487: allow certificates to be specified from memory

1 parente613e6a commit7c3ddb5Copy full SHA for 7c3ddb5

File tree

5 files changed

+521

-77

lines changed

Doc/library
- ssl.rst
Lib
- ssl.py
- test
  - test_ssl.py
Modules
- _ssl.c
- clinic
  - _ssl.c.h

5 files changed

+521

-77

lines changed

`‎Doc/library/ssl.rst`

Lines changed: 10 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -1270,13 +1270,13 @@ to speed up repeated connections from the same clients.`
`1270`	`1270`	`..method::SSLContext.load_cert_chain(certfile, keyfile=None, password=None)`
`1271`	`1271`
`1272`	`1272`	`Load a private key and the corresponding certificate. The certfile`
`1273`		`- string must be the path to a single filein PEM format containing the`
	`1273`	`+ string must be the path to a single fileor a file object containing the`
`1274`	`1274`	`certificate as well as any number of CA certificates needed to establish`
`1275`		`- the certificate's authenticity.The keyfile string, if present, must`
`1276`		`-pointto a filecontaining the private key in. Otherwise the private`
`1277`		`- keywill be taken from certfile as well. See the discussion of`
`1278`		-:ref:`ssl-certificates` for more information on how the certificate
`1279`		`- is stored in the certfile.`
	`1275`	`+ the certificate's authenticity, in the PEM format.The keyfile string, if`
	`1276`	`+present, must be the pathto a fileor a file object containing the private`
	`1277`	`+ keyin PEM format. Otherwise the private key will be taken from certfile`
	`1278`	+as well. See the discussion of:ref:`ssl-certificates` for more information
	`1279`	`+on how the certificateis stored in certfile.`
`1280`	`1280`
`1281`	`1281`	`The password argument may be a function to call to get the password for`
`1282`	`1282`	`decrypting the private key. It will only be called if the private key is`
`@@ -1287,6 +1287,10 @@ to speed up repeated connections from the same clients.`
`1287`	`1287`	`as the password argument. It will be ignored if the private key is not`
`1288`	`1288`	`encrypted and no password is needed.`
`1289`	`1289`
	`1290`	`+ If certfile is provided as a file path, keyfile (if given) must be`
	`1291`	`+ provided as a file path as well (mixing file path and file object for these`
	`1292`	`+ arguments is not allowed).`
	`1293`	`+`
`1290`	`1294`	`If the password argument is not specified and a password is required,`
`1291`	`1295`	`OpenSSL's built-in password prompting mechanism will be used to`
`1292`	`1296`	`interactively prompt the user for a password.`

`‎Lib/ssl.py`

Lines changed: 46 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -95,6 +95,7 @@`
`95`	`95`	`importre`
`96`	`96`	`importsys`
`97`	`97`	`importos`
	`98`	`+importio`
`98`	`99`	`fromcollectionsimportnamedtuple`
`99`	`100`	`fromenumimportEnumas_Enum,IntEnumas_IntEnum,IntFlagas_IntFlag`
`100`	`101`
`@@ -450,6 +451,51 @@ def load_default_certs(self, purpose=Purpose.SERVER_AUTH):`
`450`	`451`	`self._load_windows_store_certs(storename,purpose)`
`451`	`452`	`self.set_default_verify_paths()`
`452`	`453`
	`454`	`+defload_cert_chain(self,certfile,keyfile=None,password=None):`
	`455`	+# If `certfile` is bytes or string, treat it as file path.
	`456`	`+ifisinstance(certfile,str)orisinstance(certfile,bytes):`
	`457`	`+certfile_path=certfile`
	`458`	`+`
	`459`	+# If no `keyfile` is given, read private key from `certfile`.
	`460`	`+ifkeyfileisNone:`
	`461`	`+keyfile_path=certfile_path`
	`462`	`+else:`
	`463`	+# If `certfile` is bytes or string, expect `keyfile` to be
	`464`	`+# a bytes or string file path, too.`
	`465`	`+keyfile_path=keyfile`
	`466`	`+`
	`467`	`+# Pre CPython 3.7 behavior: let OpenSSL consume the files via`
	`468`	`+# SSL_CTX_use_certificate_chain_file().`
	`469`	`+returnself._load_cert_chain_pem_from_file_paths(`
	`470`	`+certfile_path,keyfile_path,password)`
	`471`	`+`
	`472`	+# Expect `certfile` to be a file object, expect `keyfile` to be `None`
	`473`	`+# or a file object. Read file(s) and prepare OpenSSL memory BIO`
	`474`	`+# objects. If file objects return text, encode it to bytes.`
	`475`	`+`
	`476`	`+certdata=certfile.read()`
	`477`	`+ifisinstance(certdata,str):`
	`478`	`+certdata=certdata.encode('utf-8')`
	`479`	`+`
	`480`	`+ifkeyfileisnotNone:`
	`481`	`+keydata=keyfile.read()`
	`482`	`+ifisinstance(keydata,str):`
	`483`	`+keydata=keydata.encode('utf-8')`
	`484`	`+else:`
	`485`	+# Expect that `certdata` contains the private key, too.
	`486`	`+keydata=certdata`
	`487`	`+`
	`488`	`+certbio=MemoryBIO()`
	`489`	`+certbio.write(certdata)`
	`490`	`+certbio.write_eof()`
	`491`	`+`
	`492`	`+keybio=MemoryBIO()`
	`493`	`+keybio.write(keydata)`
	`494`	`+keybio.write_eof()`
	`495`	`+`
	`496`	`+returnself._load_cert_chain_pem_from_bio(certbio,keybio,password)`
	`497`	`+`
	`498`	`+`
`453`	`499`	`@property`
`454`	`500`	`defoptions(self):`
`455`	`501`	`returnOptions(super().options)`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit7c3ddb5

File tree

5 files changed

5 files changed

`‎Doc/library/ssl.rst`

`‎Lib/ssl.py`

0 commit comments