emacs-devel

Patch for tls.el to ask for passphrase in open-tls-stream


From: Friedrich Delgado Friedrichs
Subject: Patch for tls.el to ask for passphrase in open-tls-stream
Date: Thu, 25 Jan 2007 18:01:09 +0100
User-agent: Mutt/1.5.11

Hi!

In order to authenticate to a website that requires an ssl client
certificate, the appropriate parameters have to be set in the
tls-program customisation variable (-cert and -key with "openssl
s_client -connect"), and after that is done, openssl will display a
passphrase prompt which causes open-tls-stream to hang.

I've made some modifications to that function which enable
open-tls-stream to provide the ssl client certificate passphrase:

-------------------
Index: tls.el
===================================================================
RCS file: /cvsroot/emacs/emacs/lisp/net/tls.el,v
retrieving revision 1.12
diff -u -b -w -r1.12 tls.el
--- tls.el      21 Jan 2007 03:02:10 -0000      1.12
+++ tls.el      25 Jan 2007 16:49:50 -0000
@@ -82,6 +82,15 @@
   :type 'regexp
   :group 'tls)
 
+(defcustom tls-passphrase-prompt "Enter \\(PEM\\|DER\\) pass ?phrase:?$"
+  "*Regular expression for detecting the prompt for a client certificate pass 
phrase."
+  :version "22.1" ;; Is this correct?
+  :type 'regexp
+  :group 'tls)
+
+(defvar tls-process-ssl-passphrase nil
+  "*Cached passphrase for SSL connections.")
+
 (defcustom tls-certtool-program (executable-find "certtool")
   "Name of  GnuTLS certtool.
 Used by `tls-certificate-information'."
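Review bot: the `:version "22.1" ;; Is this correct?` comment on `tls-passphrase-prompt` should be resolved before the patch goes in; an open question belongs in the mail, not in the committed source. Also, the leading `*` in both new docstrings is the old user-option marker: it is redundant on a `defcustom`, and on `tls-process-ssl-passphrase` it is misleading, since a cached secret should not be offered as a user variable. Drop the `*` there and say in the docstring that the value is held in clear and can be set to nil to force a new prompt.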
@@ -140,14 +149,24 @@
                                (int-to-string port)
                              port)))))
             response)
-       (while (and process
+        (let ((passphrase-sent nil))
+          (while
+              (and process
                    (memq (process-status process) '(open run))
                    (save-excursion
                      (set-buffer buffer) ;; XXX "blue moon" nntp.el bug
                      (goto-char (point-min))
+                     (when (and (not passphrase-sent)
+                                (re-search-forward tls-passphrase-prompt nil 
t))
+                       (when (not (stringp tls-process-ssl-passphrase))
+                         (setq tls-process-ssl-passphrase (read-passwd 
(match-string 0))))
+                       (ignore-errors
+                         (process-send-string process
+                                              (concat 
tls-process-ssl-passphrase "\n"))
+                         (setq passphrase-sent t)))
                      (not (setq done (re-search-forward tls-success nil t)))))
          (accept-process-output process 1)
-         (sit-for 1))
+          (sit-for 1)))
        (message "Opening TLS connection with `%s'...%s" cmd
                 (if done "done" "failed"))
        (if done
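Review bot: a rejected passphrase stays cached. `tls-process-ssl-passphrase` is set from `read-passwd` inside the loop, but nothing clears it when the loop ends with `done` nil, and the `(when (not (stringp tls-process-ssl-passphrase))` guard means the user is never asked again, so after one mistyped passphrase every later `open-tls-stream` silently re-sends the wrong value and fails. Add something like `(unless done (setq tls-process-ssl-passphrase nil))` before the "failed" message. Separately, the hunk as quoted here is line-wrapped by the mailer (e.g. `(re-search-forward tls-passphrase-prompt nil` / `t))`), so it will not apply as posted; please attach the patch as a file.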
-------------------

Of course this works only with the openssl client command at the
moment and it also assumes that there is only *one* global client
certificate.

If the need arises to have more than one client certificate in w3,
I'll submit a slightly more complicated patch for that purpose.
(Basically, we'd need a list of client certificates and keys that are
tried in order and upon success are stored together with
websites/passphrases in alists.)

Also note that the passphrase resides in the variable
tls-process-ssl-passphrase, so if a security hole in emacs enabled an
attacker to read emacs variables, the passphrase could be leaked. I'm
not aware of any such bug at the moment.

It also would be nice (i.e. a little less insecure) to expire the
passphrase after a certain time. I might do this later.

Kind regards
     FDF
-- 
Friedrich Delgado Friedrichs (IT-Services)
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
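One way to do the passphrase expiry the mail mentions, and to drop a cached passphrase when a connection attempt fails, as an added example that is not part of the posted patch; `tls-passphrase-cache-timeout`, `tls-passphrase-expiry-timer`, `tls-forget-passphrase` and `tls-get-passphrase` are names assumed here for illustration, only `tls-process-ssl-passphrase` comes from the patch.

```elisp
;; Added example, not from the posted patch.  Names other than
;; `tls-process-ssl-passphrase' are assumptions for illustration.

(defcustom tls-passphrase-cache-timeout 300
  "Seconds a cached client-certificate passphrase is kept before it is erased."
  :type 'integer
  :group 'tls)

(defvar tls-process-ssl-passphrase nil
  "Cached client-certificate passphrase (held in clear), or nil.")

(defvar tls-passphrase-expiry-timer nil
  "Timer that erases `tls-process-ssl-passphrase', or nil.")

(defun tls-forget-passphrase ()
  "Erase the cached passphrase and cancel its expiry timer.
Call this after a failed connection attempt too, so a mistyped
passphrase is not reused on the next attempt."
  (interactive)
  (when (timerp tls-passphrase-expiry-timer)
    (cancel-timer tls-passphrase-expiry-timer))
  (setq tls-passphrase-expiry-timer nil)
  (when (stringp tls-process-ssl-passphrase)
    ;; Overwrite the characters before dropping the reference.
    (clear-string tls-process-ssl-passphrase))
  (setq tls-process-ssl-passphrase nil))

(defun tls-get-passphrase (prompt)
  "Return the client-certificate passphrase, asking with PROMPT if needed.
Every call (re)starts the expiry timer, so the cache lives
`tls-passphrase-cache-timeout' seconds past the last use."
  (unless (stringp tls-process-ssl-passphrase)
    (setq tls-process-ssl-passphrase (read-passwd prompt)))
  (when (timerp tls-passphrase-expiry-timer)
    (cancel-timer tls-passphrase-expiry-timer))
  (setq tls-passphrase-expiry-timer
        (run-at-time tls-passphrase-cache-timeout nil
                     #'tls-forget-passphrase))
  tls-process-ssl-passphrase)
```

In the patched loop, `(tls-get-passphrase (match-string 0))` would replace the direct `read-passwd` call, and `(unless done (tls-forget-passphrase))` after the loop drops a passphrase that openssl rejected.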
