Always check for client-certificates

* lisp/net/network-stream.el (network-stream-use-client-certificates): New user option. (open-network-stream): If 'network-stream-use-client-certificates' is t, and the user hasn't specified :client-certificate, do certificate lookups via 'auth-source'. (network-stream-certificate): Only return key and certificate files that exist. * doc/lispref/processes.texi (Network): Document new client-certificate behavior. * etc/NEWS: Document 'network-stream-use-client-certificates'.
author: Robert Pluim 2019-01-24 14:35:30 +0100
committer: Robert Pluim 2019-11-05 09:32:51 +0100
commit: 91c732f687a61ba130acf38d5142bec6369ebd68 (patch)
tree: 2b64b552456aad27899a148940d3188b88f52743 /lisp
parent: 3843711abd8d599206acbcc0aa97dae708285416 (diff)
download: emacs-91c732f687a61ba130acf38d5142bec6369ebd68.tar.gz
emacs-91c732f687a61ba130acf38d5142bec6369ebd68.zip
1 files changed, 24 insertions, 2 deletions
diff --git a/lisp/net/network-stream.el b/lisp/net/network-stream.el
index 2b3292b71ba..4050c83eb0c 100644
--- a/lisp/net/network-stream.el
+++ b/lisp/net/network-stream.el
@@ -58,6 +58,21 @@
 (defvar starttls-gnutls-program)
 (defvar starttls-program)
+(defcustom network-stream-use-client-certificates t
+  "Whether to use client certificates for network connections.
+When non-nil, `open-network-stream' will automatically look for
+matching client certificates (via 'auth-source') for a
+destination server, if it is called without a :client-certificate
+keyword.
+Set to nil to disable this lookup globally.  To disable on a
+per-connection basis, specify ':client-certificate nil' when
+calling `open-network-stream'."
+  :group 'network
+  :type 'boolean
+  :version "27.1")
 ;;;###autoload
 (defun open-network-stream (name buffer host service &rest parameters)
  "Open a TCP connection to HOST, optionally with encryption.
@@ -132,7 +147,9 @@ values:
  element is the certificate file name itself, or t, which
  means that `auth-source' will be queried for the key and the
  certificate.  This parameter will only be used when doing TLS
-  or STARTTLS connections.
+  or STARTTLS connections.  If :client-certificate is not
+  specified, behave as if it were t, customize
+  `network-stream-use-client-certificates' to change this.
 :use-starttls-if-possible is a boolean that says to do opportunistic
 STARTTLS upgrades even if Emacs doesn't have built-in TLS functionality.
@@ -181,6 +198,11 @@ gnutls-boot (as returned by `gnutls-boot-parameters')."
                       ((memq type '(tls ssl)) 'network-stream-open-tls)
                       ((eq type 'shell) 'network-stream-open-shell)
                       (t (error "Invalid connection type %s" type))))
+            (parameters
+               (if (and network-stream-use-client-certificates
+                        (not (plist-member parameters :client-certificate)))
+                   (plist-put parameters :client-certificate t)
+                 parameters))
            result)
        (unwind-protect
            (setq result (funcall fun name work-buffer host service parameters))
@@ -209,7 +231,7 @@ gnutls-boot (as returned by `gnutls-boot-parameters')."
                                       :port service)))
             (key (plist-get auth-info :key))
             (cert (plist-get auth-info :cert)))
-        (and key cert
+        (and key cert (file-readable-p key) (file-readable-p cert)
             (list key cert)))))))
 ;;;###autoload
author	Robert Pluim	2019-01-24 14:35:30 +0100
committer	Robert Pluim	2019-11-05 09:32:51 +0100
commit	91c732f687a61ba130acf38d5142bec6369ebd68 (patch)
tree	2b64b552456aad27899a148940d3188b88f52743 /lisp
parent	3843711abd8d599206acbcc0aa97dae708285416 (diff)
download	emacs-91c732f687a61ba130acf38d5142bec6369ebd68.tar.gz emacs-91c732f687a61ba130acf38d5142bec6369ebd68.zip