[Emacs-diffs] /srv/bzr/emacs/trunk r104662: Add support for client certi

emacs-diffs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Emacs-diffs] /srv/bzr/emacs/trunk r104662: Add support for client certi

From:	Lars Magne Ingebrigtsen
Subject:	[Emacs-diffs] /srv/bzr/emacs/trunk r104662: Add support for client certificates for built-in and external STARTTLS.
Date:	Tue, 21 Jun 2011 22:39:08 +0200
User-agent:	Bazaar (2.3.1)

------------------------------------------------------------
revno: 104662
committer: Lars Magne Ingebrigtsen <address@hidden>
branch nick: trunk
timestamp: Tue 2011-06-21 22:39:08 +0200
message:
  Add support for client certificates for built-in and external STARTTLS.
modified:
  lisp/ChangeLog
  lisp/net/network-stream.el

=== modified file 'lisp/ChangeLog'
--- a/lisp/ChangeLog    2011-06-21 19:51:26 +0000
+++ b/lisp/ChangeLog    2011-06-21 20:39:08 +0000
@@ -1,3 +1,11 @@
+2011-06-21  Lars Magne Ingebrigtsen  <address@hidden>
+
+       * net/network-stream.el (network-stream-open-starttls): Provide
+       support for client certificates both for external and built-in
+       STARTTLS.
+       (auth-source): Require.
+       (open-network-stream): Document the :client-certificate keyword.
+
 2011-06-21  Michael Albinus  <address@hidden>
 
        * net/tramp-cache.el (top): Don't load the persistency file when

=== modified file 'lisp/net/network-stream.el'
--- a/lisp/net/network-stream.el        2011-06-15 20:44:45 +0000
+++ b/lisp/net/network-stream.el        2011-06-21 20:39:08 +0000
@@ -44,6 +44,7 @@
 
 (require 'tls)
 (require 'starttls)
+(require 'auth-source)
 
 (declare-function gnutls-negotiate "gnutls" t t) ; defun*
 
@@ -110,10 +111,17 @@
   STARTTLS if the server supports STARTTLS, and nil otherwise.
 
 :always-query-capabilies says whether to query the server for
-capabilities, even if we're doing a `plain' network connection.
+  capabilities, even if we're doing a `plain' network connection.
+
+:client-certificate should either be a list where the first
+  element is the certificate key file name, and the second
+  element is the certificate file name itself, or `t', which
+  means that `auth-source' will be queried for the key and the
+  certificate.  This parameter will only be used when doing TLS
+  or STARTTLS connections.
 
 :nowait is a boolean that says the connection should be made
-asynchronously, if possible."
+  asynchronously, if possible."
   (unless (featurep 'make-network-process)
     (error "Emacs was compiled without networking support"))
   (let ((type (plist-get parameters :type))
@@ -152,6 +160,22 @@
                  :type         (nth 3 result))
          (car result))))))
 
+(defun network-stream-certificate (host service parameters)
+  (let ((spec (plist-get :client-certificate parameters)))
+    (cond
+     ((listp spec)
+      ;; Either nil or a list with a key/certificate pair.
+      spec)
+     ((eq spec t)
+      (let* ((auth-info
+             (car (auth-source-search :max 1
+                                      :host host
+                                      :port service)))
+            (key (plist-get auth-info :cert-key))
+            (cert (plist-get auth-info :cert-cert)))
+       (and key cert
+            (list key cert)))))))
+
 ;;;###autoload
 (defalias 'open-protocol-stream 'open-network-stream)
 
@@ -201,14 +225,24 @@
                    starttls-extra-arguments
                  ;; For opportunistic TLS upgrades, we don't really
                  ;; care about the identity of the peer.
-                 (cons "--insecure" starttls-extra-arguments))))
+                 (cons "--insecure" starttls-extra-arguments)))
+              (cert (network-stream-certificate host service parameters)))
+         ;; There are client certificates requested, so add them to
+         ;; the command line.
+         (when cert
+           (setq starttls-extra-arguments
+                 (nconc (list "--x509keyfile" (nth 0 cert)
+                              "--x509certfile" (nth 1 cert))
+                        starttls-extra-arguments)))
          (setq stream (starttls-open-stream name buffer host service)))
        (network-stream-get-response stream start eoc))
       (when (string-match success-string
                          (network-stream-command stream starttls-command eoc))
        ;; The server said it was OK to begin STARTTLS negotiations.
        (if (fboundp 'open-gnutls-stream)
-           (gnutls-negotiate :process stream :hostname host)
+           (let ((cert (network-stream-certificate host service parameters)))
+             (gnutls-negotiate :process stream :hostname host
+                               :keylist (and cert (list cert))))
          (unless (starttls-negotiate stream)
            (delete-process stream)))
        (if (memq (process-status stream) '(open run))

[Prev in Thread]

Current Thread

[Next in Thread]

[Emacs-diffs] /srv/bzr/emacs/trunk r104662: Add support for client certificates for built-in and external STARTTLS., Lars Magne Ingebrigtsen <=

Prev by Date: [Emacs-diffs] /srv/bzr/emacs/trunk r104661: * net/tramp-cache.el (top): Don't load the persistency file when
Next by Date: [Emacs-diffs] /srv/bzr/emacs/trunk r104664: (network-stream-certificate): Change cert-cert to cert and cert-key to key.
Previous by thread: [Emacs-diffs] /srv/bzr/emacs/trunk r104661: * net/tramp-cache.el (top): Don't load the persistency file when
Next by thread: [Emacs-diffs] /srv/bzr/emacs/trunk r104664: (network-stream-certificate): Change cert-cert to cert and cert-key to key.
Index(es):
- Date
- Thread