authorQuentin Pradet <quentin.pradet@gmail.com>2020-01-27 08:30:40 +0400
committerSeth Michael Larson <sethmichaellarson@gmail.com>2020-01-26 22:30:40 -0600
commita9776d15013a7a4f2b92e4d7d1be2b5fe18d43d4 (patch)
tree04055271d2dfa927adeb7bace392e6f3d7377695 /dummyserver
parent5fa45314abd726ff9b1f01301179871aae91f7eb (diff)
downloadurllib3-a9776d15013a7a4f2b92e4d7d1be2b5fe18d43d4.tar.gz
Generate client password-protected cert with trustme (#1793)
Diffstat (limited to 'dummyserver')
-rw-r--r--dummyserver/certs/client_intermediate.pem33
-rw-r--r--dummyserver/certs/client_password.key18
-rwxr-xr-xdummyserver/server.py20
3 files changed, 15 insertions, 56 deletions
diff --git a/dummyserver/certs/client_intermediate.pem b/dummyserver/certs/client_intermediate.pem
deleted file mode 100644
index 23145bcb..00000000
--- a/dummyserver/certs/client_intermediate.pem
+++ /dev/null
@@ -1,33 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIChzCCAfCgAwIBAgIUZgix95Zxzc+WryIWanrDezW1VjcwDQYJKoZIhvcNAQEL
-BQAwRDEbMBkGA1UECgwSdHJ1c3RtZSB2MC40LjArZGV2MSUwIwYDVQQLDBxUZXN0
-aW5nIENBICNwN2dEd0tMS3EydlJOajZmMCAXDTAwMDEwMTAwMDAwMFoYDzMwMDAw
-MTAxMDAwMDAwWjBNMRswGQYDVQQKDBJ0cnVzdG1lIHYwLjQuMCtkZXYxLjAsBgNV
-BAsMJVRlc3Rpbmcgc2VydmVyIGNlcnQgI0NPajVGVkxXWEVtcmFHNTQwgZ8wDQYJ
-KoZIhvcNAQEBBQADgY0AMIGJAoGBAKeE765+Ws1ZdC86tfZ5LvLTjWluQgmsTx2o
-7xhYAOFmTbZb6qNLCDS07R1VP74ve6UlFD55cV8VbxvEZd8Z3LOADF6nTN61XPbj
-dn2J6GfsSjaHE6+mJDXhCtVrD4EGdD4nXRem48mjsrAkrvJ8v4gQNzGzQ27D2dWT
-B7Ij6mWNAgMBAAGjazBpMB0GA1UdDgQWBBT66uW6I2OfZYacXgQkop4qlX+qJTAM
-BgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFESoDYfzVyFP3QHyZG9cvxmlBIGsMBkG
-A1UdEQEB/wQPMA2CC2xvY2FsY2xpZW50MA0GCSqGSIb3DQEBCwUAA4GBAG8zoqW0
-w5ROSuNFE7fi5I4bdC6sbddiFRXX//TkP2vRD3cM11AKp52UjzK2nUrkoigrJ5p8
-xa/PGnPfOVCPiKIb1kzeI/7tyBet6n3q2L0wQo3PR/QCHeSiIpm8lAi1a+8ShXFM
-F2CG+z7IN0cQO4bzcwtkk8MhcCsMP14K5PK2
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIICwjCCAiugAwIBAgIUWL7wOmK0BVMR8LM5UBewDZEEuH0wDQYJKoZIhvcNAQEL
-BQAwgYExCzAJBgNVBAYTAkZJMQ4wDAYDVQQIDAVkdW1teTEOMAwGA1UEBwwFZHVt
-bXkxDjAMBgNVBAoMBWR1bW15MQ4wDAYDVQQLDAVkdW1teTERMA8GA1UEAwwIU25h
-a2VPaWwxHzAdBgkqhkiG9w0BCQEWEGR1bW15QHRlc3QubG9jYWwwIBcNMDAwMTAx
-MDAwMDAwWhgPMzAwMDAxMDEwMDAwMDBaMEQxGzAZBgNVBAoMEnRydXN0bWUgdjAu
-NC4wK2RldjElMCMGA1UECwwcVGVzdGluZyBDQSAjcDdnRHdLTEtxMnZSTmo2ZjCB
-nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAr7134NKsqNQ44gIFElVC5KnGYIYv
-D96Kv+5UgXVAyNNK4NpQXHVFmCZpSuyvlz4UZzFBoykISjU+vcGqbFqwRrYciPwh
-45HVQgtoe0SSpze7sv0qsMJiGNRDK06nVI/aCHP9FRoD5iPq8E7lSNVYipai466G
-1lEvVLb0SGNihAUCAwEAAaNxMG8wHQYDVR0OBBYEFESoDYfzVyFP3QHyZG9cvxml
-BIGsMBIGA1UdEwEB/wQIMAYBAf8CAQgwDgYDVR0PAQH/BAQDAgEGMCoGA1UdJQEB
-/wQgMB4GCCsGAQUFBwMCBggrBgEFBQcDAQYIKwYBBQUHAwMwDQYJKoZIhvcNAQEL
-BQADgYEAEs9EAeL3300UxzmT4zyj2cHB2GQxisteEuz9VcWhrvyNDxQ3ko0BxG04
-4fye7dpElrrbSq8PYkygA1qiBCN2NL+v78XWb2OYd7PptpbPehzaEpCTK37O+Num
-sB4v1c63r2w1mH1lSjZDkJfd1hml+VwntSzuCmGERlroE6PQwf8=
------END CERTIFICATE-----
diff --git a/dummyserver/certs/client_password.key b/dummyserver/certs/client_password.key
deleted file mode 100644
index 0235aab3..00000000
--- a/dummyserver/certs/client_password.key
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-256-CBC,70C641602D5F366DC5DB70645351993D
-
-/Ijrtw+2Rjc1mQCXWoNCtzjbRoIhBHQu9ZbQoCnC4/lHru2megV0vDQju0yYjs2H
-7Y7tnMe0hlR9F21be6AkoKDF4B5Kg2X47fwG5V9SIbHBkz3KClfnPp/ojrhIWLTo
-grtZoXBFkivDnkuF9NO3qRlskP7u//r3kB5uXIG0ZpfUbRwgm13SqHj1oEB9RdYM
-bGhB3tL6dxdIXEgyc9numKBQ0lQu5yYlOH+1aiJSQQdN59ZunreIq//UM1Qc7Uj/
-ILJusFmnec40ArJ+aykENWkToHSKkpeL6no6ZRCnkAYqtUJ84B6zMv9zYhN5UF3O
-WHP/4FAu4AylJvNx9sYxXdGaBb+YcX46B7wQk2mkmCtK6cgkrNV3/bohUbYt3tSe
-K9dH2xe9orxsGQjoKxylwh7+h8o+BwHpk1naFSzliQV4gvi8yBEzXxM98vNU5B4L
-ex8Q2ARWvfNc7OBqboPP0yBMKP/cV9n+fNMwbP0koHxBt71527fVQLoemMiPRb5M
-+rcufc+80AUK4baAA5Nu2sZGRqoiFemQ2vgEAxOzRbt/pHzdheO6OHqLJ5W4IWaW
-Erojm7/ar6gDlIIGwM8IJdbcMG69s7r8u47lD45ONQMq41Io4Svvs0SCgdRhLt/3
-Nb6Smxy7vWFOcrHEJVsv27UD0FViaYHy37DIc6lVvX9s6+VKbdIYuiqxalbaCpKo
-VP8kdQZ4SFBAxV9cgPjFbQKVBXkLBdxJKGPzzK3Jc9khD1uHp5Um8OSM21Kh55N3
-jvDY5h8fQ0cPyJmlZJzRdYi1+8H5TSFvEXd6cqVkYWiJ1ac0gPOoVt7+YAZ6JB2J
------END RSA PRIVATE KEY-----
diff --git a/dummyserver/server.py b/dummyserver/server.py
index 37dd78fc..37e41d75 100755
--- a/dummyserver/server.py
+++ b/dummyserver/server.py
@@ -18,10 +18,13 @@ from datetime import datetime
from urllib3.exceptions import HTTPWarning
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
import tornado.httpserver
import tornado.ioloop
import tornado.netutil
import tornado.web
+import trustme
log = logging.getLogger(__name__)
@@ -33,11 +36,6 @@ DEFAULT_CERTS = {
"cert_reqs": ssl.CERT_OPTIONAL,
"ca_certs": os.path.join(CERTS_PATH, "cacert.pem"),
}
-CLIENT_INTERMEDIATE_PEM = "client_intermediate.pem"
-CLIENT_NO_INTERMEDIATE_PEM = "client_no_intermediate.pem"
-CLIENT_INTERMEDIATE_KEY = "client_intermediate.key"
-CLIENT_CERT = os.path.join(CERTS_PATH, CLIENT_INTERMEDIATE_PEM)
-PASSWORD_CLIENT_KEYFILE = os.path.join(CERTS_PATH, "client_password.key")
DEFAULT_CA = os.path.join(CERTS_PATH, "cacert.pem")
DEFAULT_CA_KEY = os.path.join(CERTS_PATH, "cacert.key")
DEFAULT_CA_BAD = os.path.join(CERTS_PATH, "client_bad.pem")
@@ -174,3 +172,15 @@ if __name__ == "__main__":
server_thread = run_loop_in_thread(io_loop)
print("Listening on http://{host}:{port}".format(host=host, port=port))
+
+
+def encrypt_key_pem(private_key_pem, password):
+ private_key = serialization.load_pem_private_key(
+ private_key_pem.bytes(), password=None, backend=default_backend()
+ )
+ encrypted_key = private_key.private_bytes(
+ serialization.Encoding.PEM,
+ serialization.PrivateFormat.TraditionalOpenSSL,
+ serialization.BestAvailableEncryption(password),
+ )
+ return trustme.Blob(encrypted_key)
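Review bot: `encrypt_key_pem` has no docstring, and two of its input requirements are not obvious from a call site: `password` must be non-empty `bytes` (that is what `BestAvailableEncryption` accepts), and `private_key_pem` must be an unencrypted `trustme.Blob`, because it is loaded with `password=None`. I would add a short docstring stating both, and a comment on the `TraditionalOpenSSL` line such as `# legacy Proc-Type/DEK-Info PEM encryption (MD5-based key derivation); fine for throwaway test keys only, use PKCS8 for anything real`. That format was presumably chosen to match the deleted `client_password.key`, which carried the same headers. The function is also defined after the `if __name__ == "__main__":` block, so it reads as part of the script tail; placing it above the guard with the other module-level helpers would be clearer. The `__main__` block itself starts outside this hunk.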