Fix manual prompt in pyopenssl adapter for private key password

- If pyopenssl adapter was used with password protected private key,
  the manual entry option was not given, only a fail due to
  invalid password. The password callback was triggered also
  in the case where the private_key_password was None.

- Added Callable type as possible private_key_password argument

Author: jatalahd

cheroot/ssl/__init__.py

@@ -1,6 +1,7 @@
 """Implementation of the SSL adapter base interface."""
 
 from abc import ABC, abstractmethod
+from getpass import getpass as _ask_for_password_interactively
 from warnings import warn as _warn
 
 
@@ -48,6 +49,11 @@ def bind(self, sock):
         )
         return sock
 
+    def prompt_for_tls_password(self) -> str:
+        """Define interactive prompt for encrypted private key password."""
+        prompt = 'Enter PEM pass phrase:'
+        return _ask_for_password_interactively(prompt)
+
     @abstractmethod
     def wrap(self, sock):
         """Wrap the given socket and return WSGI environ entries."""

cheroot/ssl/__init__.pyi

@@ -6,8 +6,9 @@ class Adapter(ABC):
     private_key: _t.Any
     certificate_chain: _t.Any
     ciphers: _t.Any
-    private_key_password: str | bytes | None
+    private_key_password: str | bytes | _t.Callable[[], bytes | str] | None
     context: _t.Any
+
     @abstractmethod
     def __init__(
         self,
@@ -19,6 +20,7 @@ class Adapter(ABC):
         private_key_password: str | bytes | None = ...,
     ): ...
     def bind(self, sock): ...
+    def prompt_for_tls_password(self): ...
     @abstractmethod
     def wrap(self, sock): ...
     @abstractmethod

cheroot/ssl/builtin.py

@@ -247,6 +247,9 @@ def __init__(
             private_key_password=private_key_password,
         )
 
+        if private_key_password is None:
+            private_key_password = self.prompt_for_tls_password
+
         self.context = ssl.create_default_context(
             purpose=ssl.Purpose.CLIENT_AUTH,
             cafile=certificate_chain,

cheroot/ssl/builtin.pyi

@@ -14,7 +14,10 @@ class BuiltinSSLAdapter(Adapter):
         certificate_chain: _t.Any | None = ...,
         ciphers: _t.Any | None = ...,
         *,
-        private_key_password: str | bytes | None = ...,
+        private_key_password: str
+        | bytes
+        | _t.Callable[[], bytes | str]
+        | None = ...,
     ) -> None: ...
     @property
     def context(self): ...

cheroot/ssl/pyopenssl.py

@@ -347,11 +347,20 @@ def wrap(self, sock):
     def _password_callback(
         self,
         password_max_length,
-        _verify_twice,
-        password,
+        verify_twice,
+        password_or_callback,
         /,
     ):
         """Pass a passphrase to password protected private key."""
+        if callable(password_or_callback):
+            password = password_or_callback()
+            if verify_twice and password != password_or_callback():
+                raise ValueError(
+                    'Verification failed: entered passwords do not match',
+                ) from None
+        else:
+            password = password_or_callback
+
         b_password = b''  # returning a falsy value communicates an error
         if isinstance(password, str):
             b_password = password.encode('utf-8')
@@ -376,6 +385,8 @@ def get_context(self):
         """
         # See https://code.activestate.com/recipes/442473/
         c = SSL.Context(SSL.SSLv23_METHOD)
+        if self.private_key_password is None:
+            self.private_key_password = self.prompt_for_tls_password
         c.set_passwd_cb(self._password_callback, self.private_key_password)
         c.use_privatekey_file(self.private_key)
         if self.certificate_chain:

cheroot/ssl/pyopenssl.pyi

@@ -32,14 +32,20 @@ class pyOpenSSLAdapter(Adapter):
         certificate_chain: _t.Any | None = ...,
         ciphers: _t.Any | None = ...,
         *,
-        private_key_password: str | bytes | None = ...,
+        private_key_password: str
+        | bytes
+        | _t.Callable[[], bytes | str]
+        | None = ...,
     ) -> None: ...
     def wrap(self, sock): ...
     def _password_callback(
         self,
         password_max_length: int,
-        _verify_twice: bool,
-        password: bytes | str | None,
+        verify_twice: bool,
+        password_or_callback: str
+        | bytes
+        | _t.Callable[[], bytes | str]
+        | None,
         /,
     ) -> bytes: ...
     def get_environ(self): ...

cheroot/test/test_ssl.py

@@ -26,6 +26,7 @@
     load_pem_private_key,
 )
 
+import cheroot.ssl as _cheroot_ssl
 from cheroot.ssl import Adapter
 
 from .._compat import (
@@ -149,10 +150,15 @@ def make_tls_http_server(bind_addr, ssl_adapter, request):
     return httpserver
 
 
+def get_key_password():
+    """Provide hardcoded password for private key as callable."""
+    return 'криївка'
+
+
 @pytest.fixture(scope='session')
 def private_key_password():
     """Provide hardcoded password for private key."""
-    return 'криївка'
+    return get_key_password()
 
 
 @pytest.fixture
@@ -810,8 +816,8 @@ def test_http_over_https_error(
 )
 @pytest.mark.parametrize(
     'password_as_bytes',
-    (True, False),
-    ids=('with-bytes-password', 'with-str-password'),
+    (True, False, None),
+    ids=('with-bytes-password', 'with-str-password', 'with-callable-password'),
 )
 # pylint: disable-next=too-many-positional-arguments
 def test_ssl_adapters_with_private_key_password(
@@ -833,9 +839,13 @@ def test_ssl_adapters_with_private_key_password(
         else tls_certificate_private_key_pem_path
     )
     key_pass = (
-        private_key_password.encode('utf-8')
+        private_key_password.encode('utf-8')  # use bytes
         if password_as_bytes
-        else private_key_password
+        else (
+            get_key_password  # use callable
+            if password_as_bytes is None
+            else private_key_password  # use str
+        )
     )
 
     tls_adapter_cls = get_ssl_adapter_class(name=adapter_type)
@@ -924,6 +934,50 @@ def test_openssl_adapter_with_false_key_password(
         )
 
 
+@pytest.mark.parametrize(
+    'adapter_type',
+    ('pyopenssl', 'builtin'),
+)
+# pylint: disable-next=too-many-positional-arguments
+def test_openssl_adapter_with_none_key_password(
+    http_request_timeout,
+    tls_certificate_chain_pem_path,
+    tls_certificate_passwd_private_key_pem_path,
+    tls_ca_certificate_pem_path,
+    tls_http_server,
+    private_key_password,
+    adapter_type,
+    monkeypatch,
+):
+    """Check that openssl ssl-adapter prompts password when set as None."""
+    tls_adapter_cls = get_ssl_adapter_class(name=adapter_type)
+    monkeypatch.setattr(
+        _cheroot_ssl,
+        '_ask_for_password_interactively',
+        lambda prompt: private_key_password,
+    )
+    tls_adapter = tls_adapter_cls(
+        certificate=tls_certificate_chain_pem_path,
+        private_key=tls_certificate_passwd_private_key_pem_path,
+    )
+
+    interface, _host, port = _get_conn_data(
+        tls_http_server(
+            (ANY_INTERFACE_IPV4, EPHEMERAL_PORT),
+            tls_adapter,
+        ).bind_addr,
+    )
+
+    resp = requests.get(
+        f'https://{interface!s}:{port!s}/',
+        timeout=http_request_timeout,
+        verify=tls_ca_certificate_pem_path,
+    )
+
+    assert resp.status_code == 200
+    assert resp.text == 'Hello world!'
+
+
 @pytest.fixture
 def dummy_adapter(monkeypatch):
     """Provide a dummy SSL adapter instance."""

docs/changelog-fragments.d/798.bugfix.rst

@@ -0,0 +1,6 @@
+Fixed prompting for the encrypted private key password interactively,
+when the password in not set in the :py:attr:`private_key_password attribute
+<cheroot.ssl.pyopenssl.pyOpenSSLAdapter.private_key>` in the
+:py:class:`pyOpenSSL TLS adapter <cheroot.ssl.pyopenssl.pyOpenSSLAdapter>`.
+Also improved the private key password to accept Callable type.
+-- by :user:`jatalahd`