unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in emacs
@ 2015-07-02  9:57 Petr Hracek
  2015-07-02 14:55 ` Eli Zaretskii
  2022-04-13  0:30 ` Lars Ingebrigtsen
  0 siblings, 2 replies; 16+ messages in thread
From: Petr Hracek @ 2015-07-02  9:57 UTC (permalink / raw)
  To: 20960

Hi folks,

I have a question to upstream whether CA directory
could be handled by upstream by default?

(setq smime-CA-directory "/etc/ssl/certs/ca-bundle.crt")

Or maybe how it could be done by emacs packaging in Fedora?

https://bugzilla.redhat.com/show_bug.cgi?id=1131558

-- 
Petr Hracek
Software Engineer
Developer Experience
Red Hat, Inc
Mob: +420777056169
email: phracek@redhat.com

* bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in emacs
  2015-07-02  9:57 bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in emacs Petr Hracek
@ 2015-07-02 14:55 ` Eli Zaretskii
  2015-07-02 15:38   ` Glenn Morris
  2022-04-13  0:30 ` Lars Ingebrigtsen
  1 sibling, 1 reply; 16+ messages in thread
From: Eli Zaretskii @ 2015-07-02 14:55 UTC (permalink / raw)
  To: Petr Hracek; +Cc: 20960

> Date: Thu, 02 Jul 2015 11:57:39 +0200
> From: Petr Hracek <phracek@redhat.com>
> 
> I have a question to upstream whether CA directory
> could be handled by upstream by default?

What do you mean by "upstream"?  Upstream Emacs?

> (setq smime-CA-directory "/etc/ssl/certs/ca-bundle.crt")

That file name is platform-dependent, and even on Unix the bundle can
be found in several different directories.

* bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in emacs
  2015-07-02 14:55 ` Eli Zaretskii
@ 2015-07-02 15:38   ` Glenn Morris
  2015-07-02 16:12     ` Eli Zaretskii
  2015-07-02 16:25     ` Stefan Monnier
  0 siblings, 2 replies; 16+ messages in thread
From: Glenn Morris @ 2015-07-02 15:38 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 20960

Eli Zaretskii wrote:

>> (setq smime-CA-directory "/etc/ssl/certs/ca-bundle.crt")

On my RHEL7 system, this isn't a directory.
It is a symlink to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem,
a file.

> That file name is platform-dependent, and even on Unix the bundle can
> be found in several different directories.

So let's compile a list of the standard places and default to the first
that exists, similar to what gnutls-trustfiles does. (Do these two
variables duplicate each other?)
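
The "list of standard places, default to the first that exists" idea above, as an added Emacs Lisp example (not code from smime.el or gnutls.el; the function and variable names are hypothetical, and the candidate paths are constructed from well-known distribution defaults). It also handles Glenn's observation that the path may be a symlink to a file rather than a directory: symlinks are resolved first, and only regular files are accepted, because a PEM bundle belongs in `smime-CA-file` (openssl -CAfile), not in `smime-CA-directory` (openssl -CApath, which expects a hashed directory).

```elisp
;; Added example, not part of Emacs.  Names prefixed `my-' are hypothetical.
(require 'seq)

(defvar my-smime-ca-bundle-candidates
  '("/etc/ssl/certs/ca-certificates.crt"       ; Debian/Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt"         ; RHEL/Fedora
    "/etc/ssl/certs/ca-bundle.crt"             ; the path from the bug report
    "/etc/ssl/ca-bundle.pem"                   ; SUSE
    "/etc/ssl/cert.pem"                        ; OpenBSD, Alpine, macOS
    "/usr/local/share/certs/ca-root-nss.crt")  ; FreeBSD (ca_root_nss port)
  "Well-known CA bundle locations, checked in order (constructed list).")

(defun my-smime-find-ca-bundle (&optional candidates)
  "Return the first readable CA bundle *file* among CANDIDATES.
Symlinks are resolved with `file-truename' so that a link such as
/etc/ssl/certs/ca-bundle.crt -> tls-ca-bundle.pem is classified as a
file.  Directories are skipped: a PEM bundle must go to openssl as
-CAfile, and passing it as -CApath would silently yield no trust anchors.
Returns nil when no candidate exists, so callers can leave the old
default in place instead of pointing at a non-existent path."
  (seq-find (lambda (path)
              (let ((real (file-truename path)))
                (and (file-regular-p real)
                     (file-readable-p real))))
            (or candidates my-smime-ca-bundle-candidates)))

;; Usage: feed the result to the *file* variable, never the directory one.
;; (let ((bundle (my-smime-find-ca-bundle)))
;;   (when bundle (setq smime-CA-file bundle)))
```

The check runs at load or customization time, so a system whose bundle lives somewhere else simply gets no default rather than a wrong one.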

* bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in emacs
  2015-07-02 15:38   ` Glenn Morris
@ 2015-07-02 16:12     ` Eli Zaretskii
  2015-07-02 22:18       ` Glenn Morris
  2015-07-02 16:25     ` Stefan Monnier
  1 sibling, 1 reply; 16+ messages in thread
From: Eli Zaretskii @ 2015-07-02 16:12 UTC (permalink / raw)
  To: Glenn Morris; +Cc: 20960

> From: Glenn Morris <rgm@gnu.org>
> Cc: Petr Hracek <phracek@redhat.com>,  20960@debbugs.gnu.org
> Date: Thu, 02 Jul 2015 11:38:25 -0400
> 
> So let's compile a list of the standard places and default to the first
> that exists

Is that really TRT?  I don't use Gnus, but smime.el seems to want a
place to keep certificates of people/organizations from which you get
MIME messages.  How probable it is to find them in the bundles
distributed by the OS?

I thought the user is supposed to collect the certificates for this
purpose, and keep them in this directory.  IOW, these are not
system-wide certificates.

> similar to what gnutls-trustfiles does. (Does these two variables
> duplicate each other?)

gnutls-trustfiles should not be needed, except with old versions of
GnuTLS.  The library now finds and uses the system-provided bundle
automatically (and on Windows the system certificates are not kept in
a disk file).

* bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in emacs
  2015-07-02 15:38   ` Glenn Morris
  2015-07-02 16:12     ` Eli Zaretskii
@ 2015-07-02 16:25     ` Stefan Monnier
  2015-12-26 20:57       ` Lars Ingebrigtsen
  1 sibling, 1 reply; 16+ messages in thread
From: Stefan Monnier @ 2015-07-02 16:25 UTC (permalink / raw)
  To: Glenn Morris; +Cc: 20960

> that exists, similar to what gnutls-trustfiles does. (Do these two
> variables duplicate each other?)

Yes, I believe they are duplicates (with smime-CA-directory predating
the gnutls thingy).


        Stefan

* bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in emacs
  2015-07-02 16:12     ` Eli Zaretskii
@ 2015-07-02 22:18       ` Glenn Morris
  0 siblings, 0 replies; 16+ messages in thread
From: Glenn Morris @ 2015-07-02 22:18 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 20960

Eli Zaretskii wrote:

>> So let's compile a list of the standard places and default to the first
>> that exists
>
> Is that really TRT?  I don't use Gnus, but smime.el seems to want a
> place to keep certificates of people/organizations from which you get
> MIME messages.  How probable it is to find them in the bundles
> distributed by the OS?

I don't use it either, and have no idea what it is supposed to be for.
But

https://bugzilla.redhat.com/show_bug.cgi?id=1131558

says it helped. But as I say, the value it's being set to isn't a
directory, so it makes little sense to me.

* bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in emacs
  2015-07-02 16:25     ` Stefan Monnier
@ 2015-12-26 20:57       ` Lars Ingebrigtsen
  2015-12-28 22:02         ` Ted Zlatanov
  0 siblings, 1 reply; 16+ messages in thread
From: Lars Ingebrigtsen @ 2015-12-26 20:57 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: 20960

Stefan Monnier <monnier@iro.umontreal.ca> writes:

>> that exists, similar to what gnutls-trustfiles does. (Do these two
>> variables duplicate each other?)
>
> Yes, I believe they are duplicates (with smime-CA-directory predating
> the gnutls thingy).

smime-CA-directory should be rewritten to use gnutls-trustfiles (if
gnutls-trustfiles exists).  The minor complication is that the former is
a directory and the latter is a list of files, so it wouldn't be exactly
backwards compatible...

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

* bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in emacs
  2015-12-26 20:57       ` Lars Ingebrigtsen
@ 2015-12-28 22:02         ` Ted Zlatanov
  2015-12-28 22:30           ` Lars Ingebrigtsen
  2017-01-26 19:24           ` Lars Ingebrigtsen
  0 siblings, 2 replies; 16+ messages in thread
From: Ted Zlatanov @ 2015-12-28 22:02 UTC (permalink / raw)
  To: Lars Ingebrigtsen; +Cc: 20960, Stefan Monnier

On Sat, 26 Dec 2015 21:57:24 +0100 Lars Ingebrigtsen <larsi@gnus.org> wrote: 

LI> Stefan Monnier <monnier@iro.umontreal.ca> writes:
>>> that exists, similar to what gnutls-trustfiles does. (Do these two
>>> variables duplicate each other?)
>> 
>> Yes, I believe they are duplicates (with smime-CA-directory predating
>> the gnutls thingy).

LI> smime-CA-directory should be rewritten to use gnutls-trustfiles (if
LI> gnutls-trustfiles exists).  The minor complication is that the former is
LI> a directory and the latter is a list of files, so it wouldn't be exactly
LI> backwards compatible...

We can make `gnutls-trustfiles' support directories?

Ted

* bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in emacs
  2015-12-28 22:02         ` Ted Zlatanov
@ 2015-12-28 22:30           ` Lars Ingebrigtsen
  2015-12-30 14:52             ` Ted Zlatanov
  2017-01-26 19:24           ` Lars Ingebrigtsen
  1 sibling, 1 reply; 16+ messages in thread
From: Lars Ingebrigtsen @ 2015-12-28 22:30 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: 20960

Ted Zlatanov <tzz@lifelogs.com> writes:

> We can make `gnutls-trustfiles' support directories?

Sure, that would help.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

* bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in emacs
  2015-12-28 22:30           ` Lars Ingebrigtsen
@ 2015-12-30 14:52             ` Ted Zlatanov
  2015-12-31 17:11               ` Lars Magne Ingebrigtsen
  0 siblings, 1 reply; 16+ messages in thread
From: Ted Zlatanov @ 2015-12-30 14:52 UTC (permalink / raw)
  To: Lars Ingebrigtsen; +Cc: 20960, Stefan Monnier

On Mon, 28 Dec 2015 23:30:05 +0100 Lars Ingebrigtsen <larsi@gnus.org> wrote: 

LI> Ted Zlatanov <tzz@lifelogs.com> writes:
>> We can make `gnutls-trustfiles' support directories?

LI> Sure, that would help.

It should be fairly easy to add... just two questions:

Would it be enough to use `directory-files' with the .pem and .crt
extensions, case-insensitively? Should it be recursive?

Thanks
Ted

* bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in emacs
  2015-12-30 14:52             ` Ted Zlatanov
@ 2015-12-31 17:11               ` Lars Magne Ingebrigtsen
  0 siblings, 0 replies; 16+ messages in thread
From: Lars Magne Ingebrigtsen @ 2015-12-31 17:11 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: 20960

Ted Zlatanov <tzz@lifelogs.com> writes:

> Would it be enough to use `directory-files' with the .pem and .crt
> extensions, case-insensitively? Should it be recursive?

Hm...  I don't know whether it should be recursive, but if it should,
that's easy with `directory-files-recursively'.  :-)

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

* bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in emacs
  2015-12-28 22:02         ` Ted Zlatanov
  2015-12-28 22:30           ` Lars Ingebrigtsen
@ 2017-01-26 19:24           ` Lars Ingebrigtsen
  2017-01-31 14:38             ` Ted Zlatanov
  1 sibling, 1 reply; 16+ messages in thread
From: Lars Ingebrigtsen @ 2017-01-26 19:24 UTC (permalink / raw)
  To: 20960

Ted Zlatanov <tzz@lifelogs.com> writes:

> On Sat, 26 Dec 2015 21:57:24 +0100 Lars Ingebrigtsen <larsi@gnus.org> wrote: 
>
> LI> Stefan Monnier <monnier@iro.umontreal.ca> writes:
>>>> that exists, similar to what gnutls-trustfiles does. (Do these two
>>>> variables duplicate each other?)
>>> 
>>> Yes, I believe they are duplicates (with smime-CA-directory predating
>>> the gnutls thingy).
>
> LI> smime-CA-directory should be rewritten to use gnutls-trustfiles (if
> LI> gnutls-trustfiles exists).  The minor complication is that the former is
> LI> a directory and the latter is a list of files, so it wouldn't be exactly
> LI> backwards compatible...
>
> We can make `gnutls-trustfiles' support directories?

On the other hand, this is the only place smime-CA-directory is used:

(defun smime-verify-region (b e)
  "Verify S/MIME message in region between B and E.
Returns non-nil on success.
Any details (stdout and stderr) are left in the buffer specified by
`smime-details-buffer'."
  (smime-new-details-buffer)
  (let ((CAs (append (if smime-CA-file
			 (list "-CAfile"
			       (expand-file-name smime-CA-file)))
		     (if smime-CA-directory
			 (list "-CApath"
			       (expand-file-name smime-CA-directory))))))

And:

       -CAfile file
           a file containing trusted CA certificates, only used with -verify.

       -CApath dir
           a directory containing trusted CA certificates, only used with
           -verify. This directory must be a standard certificate directory:
           that is a hash of each subject name (using x509 -hash) should be
           linked to each certificate.

Is a list of CA files, and can be in different directories, so there's,
like, no way to use them interchangeably.

So...  I dunno.  Somebody could just rewrite that function to use all
the files from (gnutls-trustfiles) and see if one of them is OK.  I
never use smime, though, so I'm not that person.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
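
The file-versus-directory mismatch described above (gnutls-trustfiles is a list of files; openssl wants one -CAfile bundle or one hashed -CApath directory) can be bridged on the smime.el side instead of by teaching gnutls-trustfiles about directories. The following is an added Emacs Lisp example, not smime.el's own code: it assumes the real `gnutls-trustfiles' function from gnutls.el (which returns the existing files from the `gnutls-trustfiles' variable) and a hypothetical `my-smime-ca-args'. It goes a step beyond the Emacs 29 behaviour of defaulting smime-CA-file to a single trustfile: several PEM files are concatenated into a private (mode 0600) temporary bundle so that openssl sees all of them through one -CAfile, and any directory entries are passed as -CApath, which per the man page excerpt only works if the directory is hashed.

```elisp
;; Added example, not part of smime.el.  `my-smime-ca-args' is hypothetical.
(require 'seq)
(require 'gnutls)   ; real: provides the `gnutls-trustfiles' function

(defun my-smime-ca-args (&optional trustfiles)
  "Translate TRUSTFILES into openssl -CAfile / -CApath arguments.
TRUSTFILES defaults to `(gnutls-trustfiles)'.  Regular files are PEM
bundles: one file is passed directly, several are concatenated into a
temporary bundle created with mode 0600 (the trust store must not be
writable by other users between creation and use).  Directories are
passed as -CApath; openssl expects those to be hashed (x509 -hash), a
plain directory of PEM files yields no trust anchors."
  (let* ((entries (or trustfiles (gnutls-trustfiles)))
         (files (seq-filter #'file-regular-p entries))
         (dirs (seq-filter #'file-directory-p entries))
         (bundle
          (cond ((null files) nil)
                ((null (cdr files)) (car files))
                (t (let ((tmp (with-file-modes #o600
                                (make-temp-file "smime-ca-" nil ".pem"))))
                     ;; Build the merged bundle in a buffer, then write it.
                     (with-temp-file tmp
                       (dolist (f files)
                         (goto-char (point-max))
                         (insert-file-contents f)
                         (goto-char (point-max))
                         ;; Keep PEM blocks separated by a newline.
                         (unless (bolp) (insert "\n"))))
                     tmp)))))
    (append (and bundle (list "-CAfile" (expand-file-name bundle)))
            (mapcan (lambda (d) (list "-CApath" (expand-file-name d)))
                    dirs))))

;; Usage, in place of the CAs list built by `smime-verify-region':
;; (apply #'call-process smime-openssl-program nil t nil
;;        "smime" "-verify" (my-smime-ca-args))
```

When the merged bundle is used, the caller should delete the temporary file after the openssl call; the example leaves that to the caller so the argument list can be built and inspected separately.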

* bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in emacs
  2017-01-26 19:24           ` Lars Ingebrigtsen
@ 2017-01-31 14:38             ` Ted Zlatanov
  2017-01-31 16:27               ` Lars Ingebrigtsen
  0 siblings, 1 reply; 16+ messages in thread
From: Ted Zlatanov @ 2017-01-31 14:38 UTC (permalink / raw)
  To: Lars Ingebrigtsen; +Cc: 20960

On Thu, 26 Jan 2017 20:24:16 +0100 Lars Ingebrigtsen <larsi@gnus.org> wrote: 

LI> Is a list of CA files, and can be in different directories, so there's,
LI> like, no way to use them interchangeably.

LI> So...  I dunno.  Somebody could just rewrite that function to use all
LI> the files from (gnutls-trustfiles) and see if one of them is OK.  I
LI> never use smime, though, so I'm not that person.

I'm lost. Should we support directories or not?

Ted

* bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in emacs
  2017-01-31 14:38             ` Ted Zlatanov
@ 2017-01-31 16:27               ` Lars Ingebrigtsen
  2017-01-31 18:45                 ` Ted Zlatanov
  0 siblings, 1 reply; 16+ messages in thread
From: Lars Ingebrigtsen @ 2017-01-31 16:27 UTC (permalink / raw)
  To: 20960

Ted Zlatanov <tzz@lifelogs.com> writes:

> On Thu, 26 Jan 2017 20:24:16 +0100 Lars Ingebrigtsen <larsi@gnus.org> wrote: 
>
> LI> Is a list of CA files, and can be in different directories, so there's,
> LI> like, no way to use them interchangeably.
>
> LI> So...  I dunno.  Somebody could just rewrite that function to use all
> LI> the files from (gnutls-trustfiles) and see if one of them is OK.  I
> LI> never use smime, though, so I'm not that person.
>
> I'm lost. Should we support directories or not?

Because of the way the inputs for the smime commands are structured,
making gnutls-trustfiles support directories doesn't help us.  I think.
I may be misreading the man pages or having a brain fart.  :-)

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

* bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in emacs
  2017-01-31 16:27               ` Lars Ingebrigtsen
@ 2017-01-31 18:45                 ` Ted Zlatanov
  0 siblings, 0 replies; 16+ messages in thread
From: Ted Zlatanov @ 2017-01-31 18:45 UTC (permalink / raw)
  To: Lars Ingebrigtsen; +Cc: 20960

On Tue, 31 Jan 2017 17:27:56 +0100 Lars Ingebrigtsen <larsi@gnus.org> wrote: 

LI> Ted Zlatanov <tzz@lifelogs.com> writes:

>> I'm lost. Should we support directories or not?

LI> Because of the way the inputs for the smime commands are structured,
LI> making gnutls-trustfiles support directories doesn't help us.  I think.
LI> I may be misreading the man pages or having a brain fart.  :-)

Since it's less work, I concur and procrastination wins again.

Ted

* bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in emacs
  2015-07-02  9:57 bug#20960: handling /etc/ssl/certs/ca-bundle.crt by default in emacs Petr Hracek
  2015-07-02 14:55 ` Eli Zaretskii
@ 2022-04-13  0:30 ` Lars Ingebrigtsen
  1 sibling, 0 replies; 16+ messages in thread
From: Lars Ingebrigtsen @ 2022-04-13  0:30 UTC (permalink / raw)
  To: Petr Hracek; +Cc: 20960

Petr Hracek <phracek@redhat.com> writes:

> I have a question to upstream whether CA directory
> could be handled by upstream by default?
>
> (setq smime-CA-directory "/etc/ssl/certs/ca-bundle.crt")
>
> Or maybe how it could be done by emacs packaging in Fedora?

(I'm going through old bug reports that unfortunately weren't resolved
at the time.)

In Emacs 29, I've made smime-CA-file default to the value from
`gnutls-trustfiles', so that this should basically work out of the box
on most systems now.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
