2 files changed, 46 insertions, 4 deletions
diff --git a/lisp/ChangeLog b/lisp/ChangeLog
index 61606fb61e8..78af1aa3ca1 100644
--- a/lisp/ChangeLog
+++ b/lisp/ChangeLog
@@ -1,3 +1,11 @@
+2011-06-21  Lars Magne Ingebrigtsen  <larsi@gnus.org>
+        * net/network-stream.el (network-stream-open-starttls): Provide
+        support for client certificates both for external and built-in
+        STARTTLS.
+        (auth-source): Require.
+        (open-network-stream): Document the :client-certificate keyword.
 2011-06-21  Michael Albinus  <michael.albinus@gmx.de>
        * net/tramp-cache.el (top): Don't load the persistency file when
diff --git a/lisp/net/network-stream.el b/lisp/net/network-stream.el
index b17b9ae805c..9c4ca80104d 100644
--- a/lisp/net/network-stream.el
+++ b/lisp/net/network-stream.el
@@ -44,6 +44,7 @@
 (require 'tls)
 (require 'starttls)
+(require 'auth-source)
 (declare-function gnutls-negotiate "gnutls" t t) ; defun*
@@ -110,10 +111,17 @@ values:
  STARTTLS if the server supports STARTTLS, and nil otherwise.
 :always-query-capabilies says whether to query the server for
-capabilities, even if we're doing a `plain' network connection.
+  capabilities, even if we're doing a `plain' network connection.
+:client-certificate should either be a list where the first
+  element is the certificate key file name, and the second
+  element is the certificate file name itself, or `t', which
+  means that `auth-source' will be queried for the key and the
+  certificate.  This parameter will only be used when doing TLS
+  or STARTTLS connections.
 :nowait is a boolean that says the connection should be made
-asynchronously, if possible."
+  asynchronously, if possible."
  (unless (featurep 'make-network-process)
    (error "Emacs was compiled without networking support"))
  (let ((type (plist-get parameters :type))
@@ -152,6 +160,22 @@ asynchronously, if possible."
                  :type         (nth 3 result))
          (car result))))))
+(defun network-stream-certificate (host service parameters)
+  (let ((spec (plist-get :client-certificate parameters)))
+    (cond
+     ((listp spec)
+      ;; Either nil or a list with a key/certificate pair.
+      spec)
+     ((eq spec t)
+      (let* ((auth-info
+              (car (auth-source-search :max 1
+                                       :host host
+                                       :port service)))
+             (key (plist-get auth-info :cert-key))
+             (cert (plist-get auth-info :cert-cert)))
+        (and key cert
+             (list key cert)))))))
 ;;;###autoload
 (defalias 'open-protocol-stream 'open-network-stream)
@@ -201,14 +225,24 @@ asynchronously, if possible."
                    starttls-extra-arguments
                  ;; For opportunistic TLS upgrades, we don't really
                  ;; care about the identity of the peer.
-                  (cons "--insecure" starttls-extra-arguments))))
+                  (cons "--insecure" starttls-extra-arguments)))
+               (cert (network-stream-certificate host service parameters)))
+          ;; There are client certificates requested, so add them to
+          ;; the command line.
+          (when cert
+            (setq starttls-extra-arguments
+                  (nconc (list "--x509keyfile" (nth 0 cert)
+                               "--x509certfile" (nth 1 cert))
+                         starttls-extra-arguments)))
          (setq stream (starttls-open-stream name buffer host service)))
        (network-stream-get-response stream start eoc))
      (when (string-match success-string
                          (network-stream-command stream starttls-command eoc))
        ;; The server said it was OK to begin STARTTLS negotiations.
        (if (fboundp 'open-gnutls-stream)
-            (gnutls-negotiate :process stream :hostname host)
+            (let ((cert (network-stream-certificate host service parameters)))
+              (gnutls-negotiate :process stream :hostname host
+                                :keylist (and cert (list cert))))
          (unless (starttls-negotiate stream)
            (delete-process stream)))
        (if (memq (process-status stream) '(open run))

diff --git a/lisp/ChangeLog b/lisp/ChangeLog index 61606fb61e8..78af1aa3ca1 100644 --- a/lisp/ChangeLog +++ b/lisp/ChangeLog
@@ -1,3 +1,11 @@
		1	2011-06-21 Lars Magne Ingebrigtsen <larsi@gnus.org>
		2
		3	* net/network-stream.el (network-stream-open-starttls): Provide
		4	support for client certificates both for external and built-in
		5	STARTTLS.
		6	(auth-source): Require.
		7	(open-network-stream): Document the :client-certificate keyword.
		8
1	2011-06-21 Michael Albinus <michael.albinus@gmx.de>	9	2011-06-21 Michael Albinus <michael.albinus@gmx.de>
2		10
3	* net/tramp-cache.el (top): Don't load the persistency file when	11	* net/tramp-cache.el (top): Don't load the persistency file when


diff --git a/lisp/net/network-stream.el b/lisp/net/network-stream.el index b17b9ae805c..9c4ca80104d 100644 --- a/lisp/net/network-stream.el +++ b/lisp/net/network-stream.el
@@ -44,6 +44,7 @@
44		44
45	(require 'tls)	45	(require 'tls)
46	(require 'starttls)	46	(require 'starttls)
		47	(require 'auth-source)
47		48
48	(declare-function gnutls-negotiate "gnutls" t t) ; defun*	49	(declare-function gnutls-negotiate "gnutls" t t) ; defun*
49		50
@@ -110,10 +111,17 @@ values:
110	STARTTLS if the server supports STARTTLS, and nil otherwise.	111	STARTTLS if the server supports STARTTLS, and nil otherwise.
111		112
112	:always-query-capabilies says whether to query the server for	113	:always-query-capabilies says whether to query the server for
113	capabilities, even if we're doing a `plain' network connection.	114	capabilities, even if we're doing a `plain' network connection.
		115
		116	:client-certificate should either be a list where the first
		117	element is the certificate key file name, and the second
		118	element is the certificate file name itself, or `t', which
		119	means that `auth-source' will be queried for the key and the
		120	certificate. This parameter will only be used when doing TLS
		121	or STARTTLS connections.
114		122
115	:nowait is a boolean that says the connection should be made	123	:nowait is a boolean that says the connection should be made
116	asynchronously, if possible."	124	asynchronously, if possible."
117	(unless (featurep 'make-network-process)	125	(unless (featurep 'make-network-process)
118	(error "Emacs was compiled without networking support"))	126	(error "Emacs was compiled without networking support"))
119	(let ((type (plist-get parameters :type))	127	(let ((type (plist-get parameters :type))
@@ -152,6 +160,22 @@ asynchronously, if possible."
152	:type (nth 3 result))	160	:type (nth 3 result))
153	(car result))))))	161	(car result))))))
154		162
		163	(defun network-stream-certificate (host service parameters)
		164	(let ((spec (plist-get :client-certificate parameters)))
		165	(cond
		166	((listp spec)
		167	;; Either nil or a list with a key/certificate pair.
		168	spec)
		169	((eq spec t)
		170	(let* ((auth-info
		171	(car (auth-source-search :max 1
		172	:host host
		173	:port service)))
		174	(key (plist-get auth-info :cert-key))
		175	(cert (plist-get auth-info :cert-cert)))
		176	(and key cert
		177	(list key cert)))))))
		178
155	;;;###autoload	179	;;;###autoload
156	(defalias 'open-protocol-stream 'open-network-stream)	180	(defalias 'open-protocol-stream 'open-network-stream)
157		181
@@ -201,14 +225,24 @@ asynchronously, if possible."
201	starttls-extra-arguments	225	starttls-extra-arguments
202	;; For opportunistic TLS upgrades, we don't really	226	;; For opportunistic TLS upgrades, we don't really
203	;; care about the identity of the peer.	227	;; care about the identity of the peer.
204	(cons "--insecure" starttls-extra-arguments))))	228	(cons "--insecure" starttls-extra-arguments)))
		229	(cert (network-stream-certificate host service parameters)))
		230	;; There are client certificates requested, so add them to
		231	;; the command line.
		232	(when cert
		233	(setq starttls-extra-arguments
		234	(nconc (list "--x509keyfile" (nth 0 cert)
		235	"--x509certfile" (nth 1 cert))
		236	starttls-extra-arguments)))
205	(setq stream (starttls-open-stream name buffer host service)))	237	(setq stream (starttls-open-stream name buffer host service)))
206	(network-stream-get-response stream start eoc))	238	(network-stream-get-response stream start eoc))
207	(when (string-match success-string	239	(when (string-match success-string
208	(network-stream-command stream starttls-command eoc))	240	(network-stream-command stream starttls-command eoc))
209	;; The server said it was OK to begin STARTTLS negotiations.	241	;; The server said it was OK to begin STARTTLS negotiations.
210	(if (fboundp 'open-gnutls-stream)	242	(if (fboundp 'open-gnutls-stream)
211	(gnutls-negotiate :process stream :hostname host)	243	(let ((cert (network-stream-certificate host service parameters)))
		244	(gnutls-negotiate :process stream :hostname host
		245	:keylist (and cert (list cert))))
212	(unless (starttls-negotiate stream)	246	(unless (starttls-negotiate stream)
213	(delete-process stream)))	247	(delete-process stream)))
214	(if (memq (process-status stream) '(open run))	248	(if (memq (process-status stream) '(open run))