Support for client side certificate in tls.init_context

Author: mylh

hyper/contrib.py

@@ -16,6 +16,7 @@
 
 from hyper.common.connection import HTTPConnection
 from hyper.compat import urlparse
+from hyper.tls import init_context
 
 
 class HTTP20Adapter(HTTPAdapter):
@@ -39,17 +40,8 @@ def get_connection(self, host, port, scheme, cert=None):
             port = 80 if not secure else 443
 
         ssl_context = None
-
         if cert is not None:
-            ssl_context = init_context()
-            try:
-                basestring
-            except NameError:
-                basestring = str
-            if not isinstance(cert, basestring):
-                ssl_context.load_cert_chain(cert[0], cert[1])
-            else:
-                ssl_context.load_cert_chain(cert)
+            ssl_context = init_context(cert=cert)
 
         try:
             conn = self.connections[(host, port, scheme, cert)]

hyper/tls.py

@@ -63,7 +63,7 @@ def wrap_socket(sock, server_hostname, ssl_context=None):
     return (ssl_sock, proto)
 
 
-def init_context(cert_path=None):
+def init_context(cert_path=None, cert=None, cert_password=None):
     """
     Create a new ``SSLContext`` that is correctly set up for an HTTP/2 connection.
     This SSL context object can be customized and passed as a parameter to the
@@ -72,7 +72,24 @@ def init_context(cert_path=None):
     certificate. The path to the certificate can be absolute or relative
     to your working directory.
 
-    :param cert_path: (optional) The path to the certificate file.
+    :param cert_path: (optional) The path to the certificate file of
+        “certification authority” (CA) certificates
+    :param cert: (optional) if string, path to ssl client cert file (.pem).
+        If tuple, ('cert', 'key') pair.
+        The certfile string must be the path to a single file in PEM format
+        containing the certificate as well as any number of CA certificates
+        needed to establish the certificate’s authenticity. The keyfile string,
+        if present, must point to a file containing the private key in.
+        Otherwise the private key will be taken from certfile as well.
+    :param cert_password: (optional) The password argument may be a function to
+        call to get the password for decrypting the private key. It will only
+        be called if the private key is encrypted and a password is necessary.
+        It will be called with no arguments, and it should return a string,
+        bytes, or bytearray. If the return value is a string it will be
+        encoded as UTF-8 before using it to decrypt the key. Alternatively a
+        string, bytes, or bytearray value may be supplied directly as the
+        password argument. It will be ignored if the private key is not
+        encrypted and no password is needed.
     :returns: An ``SSLContext`` correctly set up for HTTP/2.
     """
     context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
@@ -90,4 +107,14 @@ def init_context(cert_path=None):
     # required by the spec
     context.options |= ssl.OP_NO_COMPRESSION
 
+    if cert is not None:
+        try:
+            basestring
+        except NameError:
+            basestring = str
+        if not isinstance(cert, basestring):
+            context.load_cert_chain(cert[0], cert[1], cert_password)
+        else:
+            context.load_cert_chain(cert, password=cert_password)
+
     return context

test/test_SSLContext.py

@@ -2,11 +2,21 @@
 """
 Tests the hyper SSLContext.
 """
+import os
+
 import hyper
 from hyper.common.connection import HTTPConnection
 from hyper.compat import ssl
+
 import pytest
 
+
+TEST_DIR = os.path.abspath(os.path.dirname(__file__))
+TEST_CERTS_DIR = os.path.join(TEST_DIR, 'certs')
+CLIENT_CERT_FILE = os.path.join(TEST_CERTS_DIR, 'client.crt')
+CLIENT_KEY_FILE = os.path.join(TEST_CERTS_DIR, 'client.key')
+
+
 class TestSSLContext(object):
     """
     Tests default and custom SSLContext
@@ -47,3 +57,8 @@ def test_HTTPConnection_with_custom_context(self):
         assert conn.ssl_context.check_hostname == True
         assert conn.ssl_context.verify_mode == ssl.CERT_REQUIRED
         assert conn.ssl_context.options & ssl.OP_NO_COMPRESSION != 0
+
+
+    def test_client_certificates(self):
+        context = hyper.tls.init_context(
+            cert=(CLIENT_CERT_FILE, CLIENT_KEY_FILE), cert_password='abc123')