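#!/usr/bin/env python3
# dlitz 2026
"""Bundle a PEM private key, its certificate and a CA chain into a PKCS#12 file.

Reads ``x-private.pem``, ``x-cert.pem`` and ``threecerts.pem`` from the
current directory and writes ``out.p12``, encrypted with PBES2
(SHA-256 / AES-256-CBC) and carrying an HMAC-SHA256 integrity MAC.
"""

import getpass
import os
from pathlib import Path

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.serialization import (
    Encoding,
    load_pem_private_key,
    load_pem_public_key,
    PrivateFormat,
)
from cryptography.hazmat.primitives.serialization import (
    pkcs12,
    BestAvailableEncryption,
    KeySerializationEncryption,
)

# password=None means the input key file is expected to be unencrypted PEM,
# so x-private.pem itself must be protected by filesystem permissions.
privkey_obj = load_pem_private_key(Path("x-private.pem").read_bytes(), password=None)
cert_obj = x509.load_pem_x509_certificate(Path("x-cert.pem").read_bytes())
chain_objs = x509.load_pem_x509_certificates(Path("threecerts.pem").read_bytes())


def pkcs12_pbes(password: bytes, rounds: int = 50000) -> KeySerializationEncryption:
    """Build the PKCS#12 encryption settings used for the output file.

    Args:
        password: Passphrase protecting the bundle, as bytes.
        rounds: Iteration count passed to ``kdf_rounds``. Defaults to the
            value the script has always used.

    Returns:
        An encryption object selecting PBES2 with SHA-256 and AES-256-CBC
        for the key and certificate bags and SHA-256 for the MAC.

    NOTE(review): 50000 is kept as the default so existing output does not
    change; current guidance for PBKDF2-HMAC-SHA256 is considerably higher.
    Raise it when the passphrase is human-chosen and the consumers of the
    file tolerate the extra cost.
    NOTE(review): some older PKCS#12 consumers cannot read PBES2 / SHA-256
    MAC files; test against the intended consumer rather than falling back
    to the legacy algorithms by default.
    """
    return (
        PrivateFormat.PKCS12.encryption_builder()
        .kdf_rounds(rounds)
        .key_cert_algorithm(pkcs12.PBES.PBESv2SHA256AndAES256CBC)
        .hmac_hash(hashes.SHA256())
        .build(password)
    )


# The passphrase is the only protection the private key has once out.p12
# leaves this machine, so it is prompted for instead of being committed to
# the source as a literal.
export_password = getpass.getpass("PKCS#12 export passphrase: ").encode("utf-8")
if not export_password:
    raise SystemExit("refusing to write a PKCS#12 file with an empty passphrase")

p12 = pkcs12.serialize_key_and_certificates(
    name=b"friendly-name",
    key=privkey_obj,
    cert=cert_obj,
    cas=chain_objs,
    encryption_algorithm=pkcs12_pbes(export_password),
)

# Create the bundle owner-read/write only rather than with umask-default
# permissions. The mode applies only when the file is created: an existing
# out.p12 is truncated and keeps whatever permissions it already had.
out_fd = os.open(
    "out.p12",
    os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_BINARY", 0),
    0o600,
)
with os.fdopen(out_fd, "wb") as out_file:
    out_file.write(p12)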