adding parameter --ssl-password to decrypt ssl key file #776
Conversation
|
Let's go! Could you please merge? |
There was a problem hiding this comment.
Sounds like an acceptable feature to add, yup. I left a naming suggestion which I think we should address before merging this.
Also, looks like we should add a test to our test suite, at least to verify that the config ingestion logic works well?
Eg we've got fixtures for a certfile and a keyfile in conftest.py. So we can probably add an ENCRYPTED_PRIVATE_KEY that's an encrypted version of PRIVATE_KEY, and then make sure our config is able to load that properly into the ssl_context, by updating test_config.py?
| @@ -79,6 +79,7 @@ Options: | |||
| 5] | |||
| --ssl-keyfile TEXT SSL key file | |||
| --ssl-certfile TEXT SSL certificate file | |||
| --ssl-password TEXT SSL key file password | |||
There was a problem hiding this comment.
Thoughts on naming this --ssl-keyfile-password? Both for extra explicitness that this is related to --ssl-keyfile, as well as visually hinting that "this is a more advanced option, since its name is longer" :-)
| --ssl-password TEXT SSL key file password | |
| --ssl-keyfile-password TEXT SSL key file password |
| if password: | ||
|
|
||
| def getpassword(): | ||
| return password | ||
|
|
||
| ctx.load_cert_chain(certfile, keyfile, getpassword) | ||
| else: | ||
| ctx.load_cert_chain(certfile, keyfile) |
There was a problem hiding this comment.
(Nit) Dunno if we could go for a more compact form - hopefully this is readable enough? Or can we not pass None as the password argument? (The Python docs aren't very explicit about that.)
| if password: | |
| def getpassword(): | |
| return password | |
| ctx.load_cert_chain(certfile, keyfile, getpassword) | |
| else: | |
| ctx.load_cert_chain(certfile, keyfile) | |
| password = (lambda: password) if password else None | |
| ctx.load_cert_chain(certfile, keyfile, password) |
|
Thanks @florimondmanca for the review , allow me some time to get back to you. |
|
thanks a lot @remster85, I built on your PR in #808 and added the tests etc using trustme. |
|
Thanks so much @euri10 ! |
Add parameter
--ssl-passwordto be able to decrypt the ssl keyIf provided, this parameter will be passed to load_cert_chain as password.
The password argument may be a function to call to get the password for decrypting the private key. It will only be called if the private key is encrypted and a password is necessary. It will be called with no arguments, and it should return a string, bytes, or bytearray. If the return value is a string it will be encoded as UTF-8 before using it to decrypt the key. Alternatively a string, bytes, or bytearray value may be supplied directly as the password argument. It will be ignored if the private key is not encrypted and no password is needed.
https://docs.python.org/3.3/library/ssl.html#ssl.SSLContext.load_cert_chain
This issue required a pull request #581
Fixes #581