snapshot

p12test.py

@@ -0,0 +1,43 @@
+#!/usr/bin/env python3
+# dlitz 2026
+
+from cryptography import x509
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.serialization import (
+    Encoding,
+    load_pem_private_key,
+    load_pem_public_key,
+    PrivateFormat,
+)
+from cryptography.hazmat.primitives.serialization import (
+    pkcs12,
+    BestAvailableEncryption,
+    KeySerializationEncryption,
+)
+
+from pathlib import Path
+
+privkey_obj = load_pem_private_key(Path("x-private.pem").read_bytes(), password=None)
+cert_obj = x509.load_pem_x509_certificate(Path("x-cert.pem").read_bytes())
+chain_objs = x509.load_pem_x509_certificates(Path("threecerts.pem").read_bytes())
+
+
+def pkcs12_pbes(password: bytes) -> KeySerializationEncryption:
+    return (
+        PrivateFormat.PKCS12.encryption_builder()
+        .kdf_rounds(50000)
+        .key_cert_algorithm(pkcs12.PBES.PBESv2SHA256AndAES256CBC)
+        .hmac_hash(hashes.SHA256())
+        .build(password)
+    )
+
+
+p12 = pkcs12.serialize_key_and_certificates(
+    name=b"friendly-name",
+    key=privkey_obj,
+    cert=cert_obj,
+    cas=chain_objs,
+    encryption_algorithm=pkcs12_pbes(b"secret"),
+)
+
+Path("out.p12").write_bytes(p12)