From: Ted Zlatanov
Subject: Re: need help with certificate bundles for ALL the platforms Emacs supports
Date: Mon, 13 Feb 2012 11:30:07 -0500
User-agent: Gnus/5.130002 (Ma Gnus v0.2) Emacs/24.0.93 (gnu/linux)

On Mon, 13 Feb 2012 10:12:17 -0500 Stefan Monnier <address@hidden> wrote: 

>> Also I don't want to decide the default bundle file names at the time
>> the defcustom is evaluated.  Since `gnutls-trustfiles' can contain
>> function calls, I'd like it to be called when it's needed.  For
>> instance, it's very common to store certificates as PEM files in a
>> directory, and the user should be able to choose that approach instead
>> of managing a concatenated bundle.  If we built the file list only once,
>> the modular approach would fail.  Another situation is on W32, where the
>> cert bundle has to be dynamically built (which will require some caching
>> but should still be done as close to using the bundle as possible).

SM> OK, but the variable should not be a "list of (function or filename)".
SM> That's ugly.

I see how it's confusing.

SM> Maybe we can have it be "a function or a list of files".

OK.  Patch attached for your review.  The code is simpler now and the
list flattening function is not needed.

If approved I think I should also write a manual entry for this new
variable.  Should I make a new manual subsection for GnuTLS-related
things?  Where?

Now we'll have three customizable variables in gnutls.el
(`gnutls-algorithm-priority', `gnutls-trustfiles', and
`gnutls-min-prime-bits') which is tipping the scales I think.  Plus it
will be good to explain what gnutls.el+gnutls.c do and how to debug
problems with them, since most users and developers don't know how
widely they are used in Emacs 24.

Thanks!
Ted

=== modified file 'lisp/net/gnutls.el'
--- lisp/net/gnutls.el  2012-02-12 21:40:25 +0000
+++ lisp/net/gnutls.el  2012-02-13 16:20:13 +0000
@@ -51,6 +51,19 @@
   :type '(choice (const nil)
                 string))
 
+(defcustom gnutls-trustfiles
+  '(
+    "/etc/ssl/certs/ca-certificates.crt" ; Debian, Ubuntu, Gentoo and Arch 
Linux
+    "/etc/pki/tls/certs/ca-bundle.crt"   ; Fedora and RHEL
+    "/etc/ssl/ca-bundle.pem"             ; Suse
+    )
+  "List of CA bundle location filenames or a function returning said list.
+The files may be in PEM or DER format, as per the GnuTLS documentation.
+The files may not exist, in which case they will be ignored."
+  :group 'gnutls
+  :type '(choice (function :tag "Function to produce list of bundle filenames")
+                 (repeat (file :tag "Bundle filename"))))
+
 ;;;###autoload
 (defcustom gnutls-min-prime-bits nil
   "The minimum number of bits to be used in Diffie-Hellman key exchange.
@@ -118,7 +131,7 @@
 PROCESS is a process returned by `open-network-stream'.
 HOSTNAME is the remote hostname.  It must be a valid string.
 PRIORITY-STRING is as per the GnuTLS docs, default is \"NORMAL\".
-TRUSTFILES is a list of CA bundles.
+TRUSTFILES is a list of CA bundles.  It defaults to `gnutls-trustfiles'.
 CRLFILES is a list of CRL files.
 KEYLIST is an alist of (client key file, client cert file) pairs.
 MIN-PRIME-BITS is the minimum acceptable size of Diffie-Hellman keys
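Review bot: the docstring update is accurate as far as it goes, but since the code path in the next hunk drops entries of `gnutls-trustfiles' that do not exist while a caller-supplied TRUSTFILES is passed through untouched, consider making that explicit here, e.g. "TRUSTFILES is a list of CA bundles.  If nil, the existing files named by `gnutls-trustfiles' are used."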
@@ -156,10 +169,12 @@
 It must be omitted, a number, or nil; if omitted or nil it
 defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
   (let* ((type (or type 'gnutls-x509pki))
-         (default-trustfile "/etc/ssl/certs/ca-certificates.crt")
          (trustfiles (or trustfiles
-                         (when (file-exists-p default-trustfile)
-                           (list default-trustfile))))
+                         (delq nil
+                               (mapcar (lambda (f) (and f (file-exists-p f) f))
+                                       (if (functionp gnutls-trustfiles)
+                                           (funcall gnutls-trustfiles)
+                                         gnutls-trustfiles)))))
          (priority-string (or priority-string
                               (cond
                                ((eq type 'gnutls-anon)
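Review bot: the existence filter is applied only to the default derived from `gnutls-trustfiles', not to a TRUSTFILES argument supplied by the caller, so the two paths behave differently when a file is missing; either run the caller's list through the same `(delq nil (mapcar ...))' filter or document that callers must pass existing files. `file-exists-p' also lets through an existing but unreadable file (or a directory); `file-readable-p' is the more useful check given that the name is handed to GnuTLS to read. Lastly, when `gnutls-trustfiles' is a function it is now called on every negotiation, which matches the stated goal of evaluating late, but the W32 case mentioned in the mail will need its caching inside that function rather than in this `let*'.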


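As an added illustration of the "function or list of files" design discussed in the mail (example user configuration, not part of Ted's patch or of gnutls.el; the function name `my-gnutls-trustfiles' and the `~/.certs' directory are placeholders), here is how a user who keeps individual PEM certificates in a directory, the modular approach the mail describes, could plug that into the new variable so the file list is computed at negotiation time rather than when the defcustom is evaluated:

```elisp
;; Added example, not from the patch: a function value for `gnutls-trustfiles'.
;; The patched `gnutls-negotiate' calls it (via `functionp'/`funcall') each time
;; a TLS connection is set up, so changes to the directory take effect without
;; re-evaluating any defcustom.

(defun my-gnutls-trustfiles ()
  "Return CA bundle files for GnuTLS.
Collects every .pem/.crt/.der file under `~/.certs' (placeholder directory)
and appends the well-known system bundles.  Only readable files are kept:
the patch filters with `file-exists-p' on its side, but filtering here as
well keeps an unreadable file or a stray directory from reaching GnuTLS."
  (let* ((dir (expand-file-name "~/.certs"))   ; placeholder, adjust as needed
         (cert-regexp "\\.\\(pem\\|crt\\|der\\)\\'")
         (local-certs (and (file-directory-p dir)
                           (directory-files dir t cert-regexp)))
         (system-bundles '("/etc/ssl/certs/ca-certificates.crt" ; Debian-style
                           "/etc/pki/tls/certs/ca-bundle.crt"   ; Fedora/RHEL
                           "/etc/ssl/ca-bundle.pem")))          ; Suse
    ;; Same drop-missing idiom as the patch, but on readability.
    (delq nil (mapcar (lambda (f) (and (file-readable-p f) f))
                      (append local-certs system-bundles)))))

;; A function value: evaluated lazily on each negotiation.
(setq gnutls-trustfiles #'my-gnutls-trustfiles)

;; The plain list form still works unchanged, as the `functionp' test in the
;; patch falls through to the list itself:
;; (setq gnutls-trustfiles '("/etc/ssl/certs/ca-certificates.crt"))

;; To check what GnuTLS would actually be given, evaluate:
;; (if (functionp gnutls-trustfiles) (funcall gnutls-trustfiles) gnutls-trustfiles)
```

The expression in the last comment mirrors the dispatch the patch performs, so it is a quick way to confirm that the directory scan returns what you expect before relying on it for verification. Note that with this design the function runs on every negotiation; anything expensive (the W32 bundle construction mentioned in the mail) belongs behind a cache inside the function.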