bpo-16487: allow certificates to be specified from memory

Author: jgehrcke

Doc/library/ssl.rst

@@ -1270,13 +1270,13 @@ to speed up repeated connections from the same clients.
 .. method:: SSLContext.load_cert_chain(certfile, keyfile=None, password=None)
 
    Load a private key and the corresponding certificate.  The *certfile*
-   string must be the path to a single file in PEM format containing the
+   string must be the path to a single file or a file object containing the
    certificate as well as any number of CA certificates needed to establish
-   the certificate's authenticity.  The *keyfile* string, if present, must
-   point to a file containing the private key in.  Otherwise the private
-   key will be taken from *certfile* as well.  See the discussion of
-   :ref:`ssl-certificates` for more information on how the certificate
-   is stored in the *certfile*.
+   the certificate's authenticity, in the PEM format. The *keyfile* string, if
+   present, must be the path to a file or a file object containing the private
+   key in PEM format. Otherwise the private key will be taken from *certfile*
+   as well. See the discussion of :ref:`ssl-certificates` for more information
+   on how the certificate is stored in *certfile*.
 
    The *password* argument may be a function to call to get the password for
    decrypting the private key.  It will only be called if the private key is
@@ -1287,6 +1287,10 @@ to speed up repeated connections from the same clients.
    as the *password* argument.  It will be ignored if the private key is not
    encrypted and no password is needed.
 
+   If *certfile* is provided as a file path, *keyfile* (if given) must be
+   provided as a file path as well (mixing file path and file object for these
+   arguments is not allowed).
+
    If the *password* argument is not specified and a password is required,
    OpenSSL's built-in password prompting mechanism will be used to
    interactively prompt the user for a password.

Lib/ssl.py

@@ -95,6 +95,7 @@
 import re
 import sys
 import os
+import io
 from collections import namedtuple
 from enum import Enum as _Enum, IntEnum as _IntEnum, IntFlag as _IntFlag
 
@@ -450,6 +451,51 @@ def load_default_certs(self, purpose=Purpose.SERVER_AUTH):
                 self._load_windows_store_certs(storename, purpose)
         self.set_default_verify_paths()
 
+    def load_cert_chain(self, certfile, keyfile=None, password=None):
+       # If `certfile` is bytes or string, treat it as file path.
+       if isinstance(certfile, str) or isinstance(certfile, bytes):
+           certfile_path = certfile
+
+           # If no `keyfile` is given, read private key from `certfile`.
+           if keyfile is None:
+               keyfile_path = certfile_path
+           else:
+               # If `certfile` is bytes or string, expect `keyfile` to be
+               # a bytes or string file path, too.
+               keyfile_path = keyfile
+
+           # Pre CPython 3.7 behavior: let OpenSSL consume the files via
+           # SSL_CTX_use_certificate_chain_file().
+           return self._load_cert_chain_pem_from_file_paths(
+               certfile_path, keyfile_path, password)
+
+       # Expect `certfile` to be a file object, expect `keyfile` to be `None`
+       # or a file object. Read file(s) and prepare OpenSSL memory BIO
+       # objects. If file objects return text, encode it to bytes.
+
+       certdata = certfile.read()
+       if isinstance(certdata, str):
+           certdata = certdata.encode('utf-8')
+
+       if keyfile is not None:
+           keydata = keyfile.read()
+           if isinstance(keydata, str):
+               keydata = keydata.encode('utf-8')
+       else:
+           # Expect that `certdata` contains the private key, too.
+           keydata = certdata
+
+       certbio = MemoryBIO()
+       certbio.write(certdata)
+       certbio.write_eof()
+
+       keybio = MemoryBIO()
+       keybio.write(keydata)
+       keybio.write_eof()
+
+       return self._load_cert_chain_pem_from_bio(certbio, keybio, password)
+
+
     @property
     def options(self):
         return Options(super().options)