Add support for password-protected client keyfiles

[sethmlarson]

The standard library supports passing text or binary passwords to SSLContext so we should also support that for PyOpenSSLContext/SecureTransportContext objects. This PR adds support for that and tests for all situations where this functionality is supported.

Currently the only way we support this is via creating your own SSLContext and calling load_cert_chain() yourself. Adding the key_password parameter to HTTPSConnectionPool allows this to be defined from the PoolManager level without having to create your own SSLContext.

Another problem that I encountered first-hand is that if OpenSSL encounters an encrypted keyfile but the password parameter is not given:

If the password argument is not specified and a password is required, OpenSSL’s built-in password prompting mechanism will be used to interactively prompt the user for a password.

which basically means if you try using an encrypted keyfile without a password your program just straight up blocks which breaks a lot of things in non-interactive contexts. (PyCharm locks up irreversibly, pytest appears to be blocking indefinitely due to swallowing stdout). I was wondering if there's a way for us to stop this bad behavior on our side and raise an exception instead? Besides detecting an encrypted keyfile within ssl_wrap_socket I don't know what else we can do here. :(

Closes #1275.

[codecov-io]

Codecov Report

Merging #1489 into master will decrease coverage by 2%.
The diff coverage is 68.42%.

@@            Coverage Diff             @@
##           master    #1489      +/-   ##
==========================================
- Coverage   66.84%   64.84%   -2.01%     
==========================================
  Files          22       22              
  Lines        2760     2904     +144     
==========================================
+ Hits         1845     1883      +38     
- Misses        915     1021     +106

Impacted Files	Coverage Δ
src/urllib3/poolmanager.py	61.39% <ø> (-15.93%)	⬇️
src/urllib3/connectionpool.py	59.72% <100%> (-2.75%)	⬇️
src/urllib3/connection.py	54.19% <100%> (-1.55%)	⬇️
src/urllib3/util/ssl_.py	35.8% <57.14%> (-0.84%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f80ff34...6756504. Read the comment docs.

[sethmlarson]

The commit I just pushed implements simple logic to detect an encrypted key file and raise a helpful error message before OpenSSL has a chance to block indefinitely. If there's other ideas or we decide against landing that commit I can roll it back.

[sigmavirus24]

cc @alex

[shazow]

Looks sensible to me.

I'm not super familiar with the latest developments of the pyopenssl/SSLContext APIs so I can't speak to whether there's a better way to do this.

Soft 👍

[alex]

Quick skim looks fine to me.

[sethmlarson]

Thanks all!

[jco-odoo]

@sethmlarson There would not be a way to put this in a try...except or something? We want to avoid files or temporary files and we put a special HTTPAdapter to pass the contents immediately instead of the files, but then it tracebacks at this point. Ideally, there would be support for passing the data immediately instead of opening files.

[sethmlarson]

@jco-odoo Can you open a separate issue for this?

[jco-odoo]

#2508