Add support for loading TLS keys with passwords.

Closes #409 Closes #576 Thanks to Thomas Zahari.

Add support for loading TLS keys with passwords.
Closes #409 Closes #576 Thanks to Thomas Zahari.
116e97ab · Roger A. Light · 8598f878 · 116e97ab · 116e97ab · 116e97ab
4 changed file
--- a/src/paho/mqtt/client.py
+++ b/src/paho/mqtt/client.py
@@ -764,7 +764,7 @@ class Client(object):
        if hasattr(context, 'check_hostname'):
            self._tls_insecure = not context.check_hostname

-    def tls_set(self, ca_certs=None, certfile=None, keyfile=None, cert_reqs=None, tls_version=None, ciphers=None):
+    def tls_set(self, ca_certs=None, certfile=None, keyfile=None, cert_reqs=None, tls_version=None, ciphers=None, keyfile_password=None):
        """Configure network encryption and authentication options. Enables SSL/TLS support.

        ca_certs : a string path to the Certificate Authority certificate files
@@ -784,8 +784,11 @@ class Client(object):
        None then they will be used as client information for TLS based
        authentication.  Support for this feature is broker dependent. Note
        that if either of these files in encrypted and needs a password to
-        decrypt it, Python will ask for the password at the command line. It is
-        not currently possible to define a callback to provide the password.
+        decrypt it, then this can be passed using the keyfile_password
+        argument - you should take precautions to ensure that your password is
+        not hard coded into your program by loading the password from a file
+        for example. If you do not provide keyfile_password, the password will
+        be requested to be typed in at a terminal window.

        cert_reqs allows the certificate requirements that the client imposes
        on the broker to be changed. By default this is ssl.CERT_REQUIRED,
@@ -822,7 +825,7 @@ class Client(object):

        # Configure context
        if certfile is not None:
-            context.load_cert_chain(certfile, keyfile)
+            context.load_cert_chain(certfile, keyfile, keyfile_password)

        if cert_reqs == ssl.CERT_NONE and hasattr(context, 'check_hostname'):
            context.check_hostname = False

--- a/test/lib/08-ssl-connect-cert-auth-pw.py
+++ b/test/lib/08-ssl-connect-cert-auth-pw.py
+#!/usr/bin/env python3
+
+# Test whether a client produces a correct connect and subsequent disconnect when using SSL.
+# Client must provide a certificate - the private key is encrypted with a password.
+
+# The client should connect to port 1888 with keepalive=60, clean session set,
+# and client id 08-ssl-connect-crt-auth
+# It should use the CA certificate ssl/all-ca.crt for verifying the server.
+# The test will send a CONNACK message to the client with rc=0. Upon receiving
+# the CONNACK and verifying that rc=0, the client should send a DISCONNECT
+# message. If rc!=0, the client should exit with an error.
+
+import context
+import paho_test
+from paho_test import ssl
+
+context.check_ssl()
+
+rc = 1
+keepalive = 60
+connect_packet = paho_test.gen_connect("08-ssl-connect-crt-auth-pw", keepalive=keepalive)
+connack_packet = paho_test.gen_connack(rc=0)
+disconnect_packet = paho_test.gen_disconnect()
+
+ssock = paho_test.create_server_socket_ssl(cert_reqs=ssl.CERT_REQUIRED)
+
+client = context.start_client()
+
+try:
+    (conn, address) = ssock.accept()
+    conn.settimeout(10)
+
+    if paho_test.expect_packet(conn, "connect", connect_packet):
+        conn.send(connack_packet)
+
+        if paho_test.expect_packet(conn, "disconnect", disconnect_packet):
+            rc = 0
+
+    conn.close()
+finally:
+    client.terminate()
+    client.wait()
+    ssock.close()
+
+exit(rc)
--- a/test/lib/Makefile
+++ b/test/lib/Makefile
@@ -29,4 +29,5 @@ test :
 	$(PYTHON) ./04-retain-qos0.py python/04-retain-qos0.test
 	$(PYTHON) ./08-ssl-connect-no-auth.py python/08-ssl-connect-no-auth.test
 	$(PYTHON) ./08-ssl-connect-cert-auth.py python/08-ssl-connect-cert-auth.test
+	$(PYTHON) ./08-ssl-connect-cert-auth-pw.py python/08-ssl-connect-cert-auth-pw.test
 	$(PYTHON) ./08-ssl-bad-cacert.py python/08-ssl-bad-cacert.test
--- a/test/lib/python/08-ssl-connect-cert-auth-pw.test
+++ b/test/lib/python/08-ssl-connect-cert-auth-pw.test
+#!/usr/bin/env python3
+
+import os
+import subprocess
+import socket
+import sys
+import time
+from struct import *
+
+import paho.mqtt.client as mqtt
+
+if sys.version_info < (2, 7, 9):
+    print("WARNING: SSL/TLS not supported on Python 2.6")
+    exit(0)
+
+
+def on_connect(mqttc, obj, flags, rc):
+    if rc != 0:
+        exit(rc)
+    else:
+        mqttc.disconnect()
+
+def on_disconnect(mqttc, obj, rc):
+    obj = rc
+
+
+run = -1
+mqttc = mqtt.Client("08-ssl-connect-crt-auth-pw", run)
+mqttc.tls_set("../ssl/all-ca.crt", "../ssl/client-pw.crt", "../ssl/client-pw.key", keyfile_password="password")
+mqttc.on_connect = on_connect
+mqttc.on_disconnect = on_disconnect
+
+mqttc.connect("localhost", 1888)
+while run == -1:
+    mqttc.loop()
+
+exit(run)