Auto-detection of PEM / DER is rather complicated and may not always
work reliable. All PEM parsers (that I know) ignore extra data before
and after the BEGIN/END block. Some data may look like DER at the
beginning and then turn out to be PEM later. Instead of guessing the
format, how about a format argument with PEM as default? Most people
will use PEM anyway.

Related to that, OpenSSL has a file format "TRUSTED CERTIFICATE", which
is a standard PEM + additional AUX data at the end of the certificate
blob. With a format argument, we can easily support additional formats
for load and dump.

The certificate class can only load the first certificate from a PEM
bundle. Except for trivial test cases, a chain and CA bundle are made up
from multiple certs. IMO dedicated load methods for chain and batch of
certs would be useful for multiple reasons. It's easier and more
efficient to use existing load functions extract all certs from a PEM
bundle. A chain bundle can contain private key, too. With a dedicated
function we can avoid to load the private key into Python memory. And
OpenSSL makes it a bit more awkward because it loads the EE cert
differently than the rest of the chain,
https://github.com/openssl/openssl/blob/master/ssl/ssl_rsa.c#L619

Signed-off-by: Christian Heimes [email protected]

TODO

• Document that PEM parser should ignore all non-supported blocks as well as extra noise
• Add support for RSA/RCC dual mode configuration
• Add TLS configuration for ECDH curves?
• Add APIs for uni-directional and quiet shutdown? OpenSSL > 1.1.0 needs at least a quiet shutdown for session handling. Quiet shutdown does not send any messages. Unidirectional shutdown just sends CLOSE NOTIFY and doesn't wait for confirmation.
• Fix grammar and spelling