Check TLS certs against CRL

* lisp/net/gnutls.el (gnutls-boot-parameters): Return
  `gnutls-crlfiles' in `:crlfiles'.
  (gnutls-crlfiles): New defcustom.
  (gnutls--get-files): New defun.
  (gnutls-trustfiles, gnutls-crlfiles): Delegate to
  `gnutls--get-files' to return a list of filenames; glob patterns are accepted.
parent 155d7303
...@@ -110,6 +110,7 @@ Security'." ...@@ -110,6 +110,7 @@ Security'."
"/etc/ssl/cert.pem" ; macOS "/etc/ssl/cert.pem" ; macOS
) )
"List of CA bundle location filenames or a function returning said list. "List of CA bundle location filenames or a function returning said list.
If a file path contains glob wildcards, they will be expanded.
The files may be in PEM or DER format, as per the GnuTLS documentation. The files may be in PEM or DER format, as per the GnuTLS documentation.
The files may not exist, in which case they will be ignored." The files may not exist, in which case they will be ignored."
:group 'gnutls :group 'gnutls
...@@ -138,6 +139,19 @@ node `(emacs) Network Security'." ...@@ -138,6 +139,19 @@ node `(emacs) Network Security'."
(integer :tag "Number of bits" 512)) (integer :tag "Number of bits" 512))
:group 'gnutls) :group 'gnutls)
(defcustom gnutls-crlfiles
'(
"/etc/grid-security/certificates/*.crl.pem"
)
"List of CRL file paths or a function returning said list.
If a file path contains glob wildcards, they will be expanded.
The files may be in PEM or DER format, as per the GnuTLS documentation.
The files may not exist, in which case they will be ignored."
:group 'gnutls
:type '(choice (function :tag "Function to produce list of CRL filenames")
(repeat (file :tag "CRL filename")))
:version "27.1")
(defun open-gnutls-stream (name buffer host service &optional nowait) (defun open-gnutls-stream (name buffer host service &optional nowait)
"Open a SSL/TLS connection for a service to a host. "Open a SSL/TLS connection for a service to a host.
Returns a subprocess-object to represent the connection. Returns a subprocess-object to represent the connection.
...@@ -284,6 +298,7 @@ here's a recent version of the list. ...@@ -284,6 +298,7 @@ here's a recent version of the list.
It must be omitted, a number, or nil; if omitted or nil it It must be omitted, a number, or nil; if omitted or nil it
defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT." defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
(let* ((trustfiles (or trustfiles (gnutls-trustfiles))) (let* ((trustfiles (or trustfiles (gnutls-trustfiles)))
(crlfiles (or crlfiles (gnutls-crlfiles)))
(maybe-dumbfw (if (memq 'ClientHello\ Padding (gnutls-available-p)) (maybe-dumbfw (if (memq 'ClientHello\ Padding (gnutls-available-p))
":%DUMBFW" ":%DUMBFW"
"")) ""))
...@@ -325,13 +340,18 @@ defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT." ...@@ -325,13 +340,18 @@ defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
:verify-error ,verify-error :verify-error ,verify-error
:callbacks nil))) :callbacks nil)))
(defun gnutls--get-files (files)
(cl-loop for f in files
if f do (setq f (if (functionp f) (funcall f) f))
append (cl-delete-if-not #'file-exists-p (file-expand-wildcards f t))))
(defun gnutls-trustfiles () (defun gnutls-trustfiles ()
"Return a list of usable trustfiles." "Return a list of usable trustfiles."
(delq nil (gnutls--get-files gnutls-trustfiles))
(mapcar (lambda (f) (and f (file-exists-p f) f))
(if (functionp gnutls-trustfiles) (defun gnutls-crlfiles ()
(funcall gnutls-trustfiles) "Return a list of usable CRL files."
gnutls-trustfiles)))) (gnutls--get-files gnutls-crlfiles))
(declare-function gnutls-error-string "gnutls.c" (error)) (declare-function gnutls-error-string "gnutls.c" (error))
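Review bot: `gnutls--get-files` no longer handles the function-valued form that `gnutls-trustfiles` and `gnutls-crlfiles` still advertise: the old `gnutls-trustfiles` tested `(functionp gnutls-trustfiles)` on the whole variable, whereas the new loop walks `files` with `for f in` and only calls individual elements, so a custom value of type `function` (still offered in each defcustom's `:type` choice) is never invoked, and a function element's list result is handed to `file-expand-wildcards`, which expects a string. The `if f do … append …` shape also looks unsafe, since in `cl-loop` the `append` clause is not governed by the preceding `if`, so a nil element appears to reach `file-expand-wildcards` and signal where the old `(and f …)` skipped it. Because these lists decide whether trust anchors and revocation lists are loaded at all, a mismatch between the shapes the defcustoms accept and what is actually loaded should be closed rather than left to fail at connect time; the version below restores the documented forms (per-element functions are described nowhere in the defcustom docstrings, so I dropped them). The defun also lacks a docstring; the one in the fence is a suggestion.
```elisp
(defun gnutls--get-files (files)
  "Return the existing files named by FILES.
FILES is a list of filenames, possibly containing glob wildcards, or a
function returning such a list.  Nil entries and missing files are dropped."
  (when (functionp files)
    (setq files (funcall files)))
  (cl-loop for f in files
           when f
           append (cl-delete-if-not #'file-exists-p
                                    (file-expand-wildcards f t))))
```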