[Emacs-diffs] netsec a9f09f7 1/6: Check TLS certs against CRL
From: |
Jimmy Yuen Ho Wong |
Subject: |
[Emacs-diffs] netsec a9f09f7 1/6: Check TLS certs against CRL |
Date: |
Sat, 14 Jul 2018 13:08:08 -0400 (EDT) |
branch: netsec
commit a9f09f721e062c87849a73f06c72e52a0030d027
Author: Jimmy Yuen Ho Wong <address@hidden>
Commit: Jimmy Yuen Ho Wong <address@hidden>
Check TLS certs against CRL
* lisp/net/gnutls.el (gnutls-boot-parameters): Return
`gnutls-crlfiles' in `:crlfiles'.
(gnutls-crlfiles): New defcustom.
(gnutls--get-files): New defun.
(gnutls-trustfiles, gnutls-crlfiles): Delegate to
`gnutls--get-files' to return a list of filenames; glob patterns are accepted.
---
lisp/net/gnutls.el | 30 +++++++++++++++++++++++++-----
1 file changed, 25 insertions(+), 5 deletions(-)
diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 315932b..8af34c2 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -110,6 +110,7 @@ Security'."
"/etc/ssl/cert.pem" ; macOS
)
"List of CA bundle location filenames or a function returning said list.
+If a file path contains glob wildcards, they will be expanded.
The files may be in PEM or DER format, as per the GnuTLS documentation.
The files may not exist, in which case they will be ignored."
:group 'gnutls
@@ -138,6 +139,19 @@ node `(emacs) Network Security'."
(integer :tag "Number of bits" 512))
:group 'gnutls)
+(defcustom gnutls-crlfiles
+ '(
+ "/etc/grid-security/certificates/*.crl.pem"
+ )
+ "List of CRL file paths or a function returning said list.
+If a file path contains glob wildcards, they will be expanded.
+The files may be in PEM or DER format, as per the GnuTLS documentation.
+The files may not exist, in which case they will be ignored."
+ :group 'gnutls
+ :type '(choice (function :tag "Function to produce list of CRL filenames")
+ (repeat (file :tag "CRL filename")))
+ :version "27.1")
+
(defun open-gnutls-stream (name buffer host service &optional nowait)
"Open a SSL/TLS connection for a service to a host.
Returns a subprocess-object to represent the connection.
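Review bot: The docstring of `gnutls-crlfiles` should say what happens when none of the listed files exists, because the default pattern under /etc/grid-security/ is unlikely to match on most systems and a user reading "Check TLS certs against CRL" may assume revocation checking is in effect; presumably GnuTLS then performs no CRL check at all. Suggest appending `If no CRL file is found, certificate revocation is not checked.` after the sentence about missing files. The same kind of caveat applies to the trustfiles docstring in the first hunk, where a glob now makes every matching file a trust anchor, which is worth stating explicitly.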
@@ -284,6 +298,7 @@ here's a recent version of the list.
It must be omitted, a number, or nil; if omitted or nil it
defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
(let* ((trustfiles (or trustfiles (gnutls-trustfiles)))
+ (crlfiles (or crlfiles (gnutls-crlfiles)))
(maybe-dumbfw (if (memq 'ClientHello\ Padding (gnutls-available-p))
":%DUMBFW"
""))
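Review bot: The new default for CRLFILES is not documented in `gnutls-boot-parameters`, whose signature and keyword documentation lie outside this hunk; if the TRUSTFILES keyword is described as defaulting to the `gnutls-trustfiles` function, CRLFILES should get the matching sentence, e.g. `CRLFILES is a list of CRL files; if omitted or nil it defaults to (gnutls-crlfiles).` The commit message says the value is returned in `:crlfiles`, but the diff adds no such plist entry, so I assume that line already exists further down the function and only the default changed.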
@@ -325,13 +340,18 @@ defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT."
:verify-error ,verify-error
:callbacks nil)))
+(defun gnutls--get-files (files)
+ (cl-loop for f in files
+ if f do (setq f (if (functionp f) (funcall f) f))
+ append (cl-delete-if-not #'file-exists-p (file-expand-wildcards f
t))))
+
(defun gnutls-trustfiles ()
"Return a list of usable trustfiles."
- (delq nil
- (mapcar (lambda (f) (and f (file-exists-p f) f))
- (if (functionp gnutls-trustfiles)
- (funcall gnutls-trustfiles)
- gnutls-trustfiles))))
+ (gnutls--get-files gnutls-trustfiles))
+
+(defun gnutls-crlfiles ()
+ "Return a list of usable CRL files."
+ (gnutls--get-files gnutls-crlfiles))
(declare-function gnutls-error-string "gnutls.c" (error))
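Review bot: In `gnutls--get-files` the `append` clause appears to run unconditionally: as far as I can tell cl-loop ties only the single clause following `if` to the condition unless the clauses are joined with `and`, so a nil entry (which the removed `(and f (file-exists-p f) f)` guard tolerated) now reaches `(file-expand-wildcards nil t)`. The removed code also accepted a function as the whole value of `gnutls-trustfiles`, which the `:type` of both defcustoms still advertises, but `cl-loop for f in files` no longer calls it, so such a configuration silently yields no files. The new function also lacks a docstring. A guarded form with a docstring is below; the two wrapper defuns are unchanged.
```elisp
(defun gnutls--get-files (files)
  "Return the existing files named by FILES.
FILES is a list of file names, or a function returning such a list.
Each name may contain glob wildcards, which are expanded; nil entries
are skipped, and an entry that is a function is called to obtain the
file name.  Names that do not match an existing file are dropped."
  (when (functionp files)
    (setq files (funcall files)))
  (cl-loop for f in files
           when (functionp f) do (setq f (funcall f))
           when f append (cl-delete-if-not #'file-exists-p
                                            (file-expand-wildcards f t))))
;; … unchanged: gnutls-trustfiles and gnutls-crlfiles …
```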