Check TLS certs against CRL

* lisp/net/gnutls.el (gnutls-boot-parameters): Return `gnutls-crlfiles' in `:crlfiles'. (gnutls-crlfiles): New defcustom. (gnutls--get-files): New defun. (gnutls-trustfiles, gnutls-crlfiles): Delegate to `gnutls--get-files' to return a list of filenames, accepts glob pattern.
author: Jimmy Yuen Ho Wong 2018-07-10 11:18:45 +0100
committer: Jimmy Yuen Ho Wong 2018-07-14 17:50:42 +0100
commit: a9f09f721e062c87849a73f06c72e52a0030d027 (patch)
tree: eef2f51618774603e8a09f4340566596b1a8ffb6
parent: 155d7303808345dd73427302d9a352ec5461c11a (diff)
download: emacs-a9f09f721e062c87849a73f06c72e52a0030d027.tar.gz
emacs-a9f09f721e062c87849a73f06c72e52a0030d027.zip
1 files changed, 25 insertions, 5 deletions
diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 315932b7e69..8af34c2a99e 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -110,6 +110,7 @@ Security'."
    "/etc/ssl/cert.pem"                      ; macOS
    )
  "List of CA bundle location filenames or a function returning said list.
+If a file path contains glob wildcards, they will be expanded.
 The files may be in PEM or DER format, as per the GnuTLS documentation.
 The files may not exist, in which case they will be ignored."
  :group 'gnutls
@@ -138,6 +139,19 @@ node `(emacs) Network Security'."
                 (integer :tag "Number of bits" 512))
  :group 'gnutls)
+(defcustom gnutls-crlfiles
+  '(
+    "/etc/grid-security/certificates/*.crl.pem"
+    )
+  "List of CRL file paths or a function returning said list.
+If a file path contains glob wildcards, they will be expanded.
+The files may be in PEM or DER format, as per the GnuTLS documentation.
+The files may not exist, in which case they will be ignored."
+  :group 'gnutls
+  :type '(choice (function :tag "Function to produce list of CRL filenames")
+                 (repeat (file :tag "CRL filename")))
+  :version "27.1")
 (defun open-gnutls-stream (name buffer host service &optional nowait)
  "Open a SSL/TLS connection for a service to a host.
 Returns a subprocess-object to represent the connection.
@@ -284,6 +298,7 @@ here's a recent version of the list.
 It must be omitted, a number, or nil; if omitted or nil it
 defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
  (let* ((trustfiles (or trustfiles (gnutls-trustfiles)))
+         (crlfiles (or crlfiles (gnutls-crlfiles)))
         (maybe-dumbfw (if (memq 'ClientHello\ Padding (gnutls-available-p))
                           ":%DUMBFW"
                         ""))
@@ -325,13 +340,18 @@ defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
                :verify-error ,verify-error
                :callbacks nil)))
+(defun gnutls--get-files (files)
+  (cl-loop for f in files
+           if f do (setq f (if (functionp f) (funcall f) f))
+           append (cl-delete-if-not #'file-exists-p (file-expand-wildcards f t))))
 (defun gnutls-trustfiles ()
  "Return a list of usable trustfiles."
-  (delq nil
+  (gnutls--get-files gnutls-trustfiles))
-        (mapcar (lambda (f) (and f (file-exists-p f) f))
-                (if (functionp gnutls-trustfiles)
+(defun gnutls-crlfiles ()
-                    (funcall gnutls-trustfiles)
+  "Return a list of usable CRL files."
-                  gnutls-trustfiles))))
+  (gnutls--get-files gnutls-crlfiles))
 (declare-function gnutls-error-string "gnutls.c" (error))
author	Jimmy Yuen Ho Wong	2018-07-10 11:18:45 +0100
committer	Jimmy Yuen Ho Wong	2018-07-14 17:50:42 +0100
commit	a9f09f721e062c87849a73f06c72e52a0030d027 (patch)
tree	eef2f51618774603e8a09f4340566596b1a8ffb6
parent	155d7303808345dd73427302d9a352ec5461c11a (diff)
download	emacs-a9f09f721e062c87849a73f06c72e52a0030d027.tar.gz emacs-a9f09f721e062c87849a73f06c72e52a0030d027.zip

diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el index 315932b7e69..8af34c2a99e 100644 --- a/lisp/net/gnutls.el +++ b/lisp/net/gnutls.el
@@ -110,6 +110,7 @@ Security'."
110	"/etc/ssl/cert.pem" ; macOS	110	"/etc/ssl/cert.pem" ; macOS
111	)	111	)
112	"List of CA bundle location filenames or a function returning said list.	112	"List of CA bundle location filenames or a function returning said list.
		113	If a file path contains glob wildcards, they will be expanded.
113	The files may be in PEM or DER format, as per the GnuTLS documentation.	114	The files may be in PEM or DER format, as per the GnuTLS documentation.
114	The files may not exist, in which case they will be ignored."	115	The files may not exist, in which case they will be ignored."
115	:group 'gnutls	116	:group 'gnutls
@@ -138,6 +139,19 @@ node `(emacs) Network Security'."
138	(integer :tag "Number of bits" 512))	139	(integer :tag "Number of bits" 512))
139	:group 'gnutls)	140	:group 'gnutls)
140		141
		142	(defcustom gnutls-crlfiles
		143	'(
		144	"/etc/grid-security/certificates/*.crl.pem"
		145	)
		146	"List of CRL file paths or a function returning said list.
		147	If a file path contains glob wildcards, they will be expanded.
		148	The files may be in PEM or DER format, as per the GnuTLS documentation.
		149	The files may not exist, in which case they will be ignored."
		150	:group 'gnutls
		151	:type '(choice (function :tag "Function to produce list of CRL filenames")
		152	(repeat (file :tag "CRL filename")))
		153	:version "27.1")
		154
141	(defun open-gnutls-stream (name buffer host service &optional nowait)	155	(defun open-gnutls-stream (name buffer host service &optional nowait)
142	"Open a SSL/TLS connection for a service to a host.	156	"Open a SSL/TLS connection for a service to a host.
143	Returns a subprocess-object to represent the connection.	157	Returns a subprocess-object to represent the connection.
@@ -284,6 +298,7 @@ here's a recent version of the list.
284	It must be omitted, a number, or nil; if omitted or nil it	298	It must be omitted, a number, or nil; if omitted or nil it
285	defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."	299	defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
286	(let* ((trustfiles (or trustfiles (gnutls-trustfiles)))	300	(let* ((trustfiles (or trustfiles (gnutls-trustfiles)))
		301	(crlfiles (or crlfiles (gnutls-crlfiles)))
287	(maybe-dumbfw (if (memq 'ClientHello\ Padding (gnutls-available-p))	302	(maybe-dumbfw (if (memq 'ClientHello\ Padding (gnutls-available-p))
288	":%DUMBFW"	303	":%DUMBFW"
289	""))	304	""))
@@ -325,13 +340,18 @@ defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
325	:verify-error ,verify-error	340	:verify-error ,verify-error
326	:callbacks nil)))	341	:callbacks nil)))
327		342
		343	(defun gnutls--get-files (files)
		344	(cl-loop for f in files
		345	if f do (setq f (if (functionp f) (funcall f) f))
		346	append (cl-delete-if-not #'file-exists-p (file-expand-wildcards f t))))
		347
328	(defun gnutls-trustfiles ()	348	(defun gnutls-trustfiles ()
329	"Return a list of usable trustfiles."	349	"Return a list of usable trustfiles."
330	(delq nil	350	(gnutls--get-files gnutls-trustfiles))
331	(mapcar (lambda (f) (and f (file-exists-p f) f))	351
332	(if (functionp gnutls-trustfiles)	352	(defun gnutls-crlfiles ()
333	(funcall gnutls-trustfiles)	353	"Return a list of usable CRL files."
334	gnutls-trustfiles))))	354	(gnutls--get-files gnutls-crlfiles))
335		355
336	(declare-function gnutls-error-string "gnutls.c" (error))	356	(declare-function gnutls-error-string "gnutls.c" (error))
337		357