From 94eec43843d5d0225a29d3574f8738719f9e4239 Mon Sep 17 00:00:00 2001
From: Nikolaos Chatzikonstantinou
Date: Mon, 26 Sep 2022 11:08:18 -0400
Subject: [PATCH] fix(gnutls): add possibility of password for key-file

The GnuTLS function gnutls_certificate_set_x509_key_file is replaced by its second version gnutls_certificate_set_x509_key_file2 and the definitions of gnutls-boot and gnutls-boot-parameters are modified to include the :pass and :flags keys, which are additional parameters in the second version.

Signed-off-by: Nikolaos Chatzikonstantinou
---
 lisp/net/gnutls.el | 7 +++++++
 src/gnutls.c | 19 +++++++++++++++++--
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el
index 6e3845aec1..9aab18b8fb 100644
--- a/lisp/net/gnutls.el
+++ b/lisp/net/gnutls.el
@@ -265,6 +265,7 @@ gnutls-boot-parameters
 &key type hostname priority-string
 trustfiles crlfiles keylist min-prime-bits
 verify-flags verify-error verify-hostname-error
+ pass flags
 &allow-other-keys)
 "Return a keyword list of parameters suitable for passing to `gnutls-boot'.
 
@@ -281,6 +282,10 @@ gnutls-boot-parameters
 VERIFY-HOSTNAME-ERROR is a backwards compatibility option for putting
 `:hostname' in VERIFY-ERROR.
 
+PASS is a string, the password of the key.
+
+FLAGS is an ORed sequence of gnutls_pkcs_encrypt_flags_t values.
+
 When VERIFY-ERROR is t or a list containing `:trustfiles', an error
 will be raised when the peer certificate verification fails as per
 GnuTLS' gnutls_certificate_verify_peers2. Otherwise, only
@@ -358,6 +363,8 @@ gnutls-boot-parameters
 :keylist ,keylist
 :verify-flags ,verify-flags
 :verify-error ,verify-error
+ :pass ,pass
+ :flags ,flags
 :callbacks nil)))
 
 (defun gnutls--get-files (files)
diff --git a/src/gnutls.c b/src/gnutls.c
index a0de0238c4..c45771c58d 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
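Review bot: The new docstring lines in the -281 hunk present PASS and FLAGS as required ("PASS is a string"), but the -358 hunk unconditionally emits `:pass ,pass` and `:flags ,flags`, so every caller that does not supply them (all existing callers) forwards nil to `gnutls-boot`; the docstring should state whether nil is accepted and what it means. I would write `PASS, if non-nil, is the password protecting the private key in KEYLIST; nil means the key is unencrypted.` and `FLAGS, if non-nil, is an ORed sequence of gnutls_pkcs_encrypt_flags_t values; nil means GnuTLS defaults.`, and give `flags` a numeric default in the `&key` list, `(flags 0)`, so the C side never receives a non-number. A short caveat that the password is held as an ordinary Lisp string for as long as the plist is referenced would also help callers decide how to source it. The `cl-defun` this hunk documents starts before and ends after the visible hunks.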
@@ -121,6 +121,9 @@ DEF_DLL_FN (int, gnutls_certificate_set_x509_crl_file,
 DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file,
 (gnutls_certificate_credentials_t, const char *, const char *,
 gnutls_x509_crt_fmt_t));
+DEF_DLL_FN (int, gnutls_certificate_set_x509_key_file2,
+ (gnutls_certificate_credentials_t, const char *, const char *,
+ gnutls_x509_crt_fmt_t, const char *, unsigned int));
 # ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST
 DEF_DLL_FN (int, gnutls_certificate_set_x509_system_trust,
 (gnutls_certificate_credentials_t));
@@ -314,6 +317,7 @@ init_gnutls_functions (void)
 LOAD_DLL_FN (library, gnutls_certificate_set_verify_flags);
 LOAD_DLL_FN (library, gnutls_certificate_set_x509_crl_file);
 LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file);
+ LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file2);
 # ifdef HAVE_GNUTLS_X509_SYSTEM_TRUST
 LOAD_DLL_FN (library, gnutls_certificate_set_x509_system_trust);
 # endif
@@ -455,6 +459,7 @@ init_gnutls_functions (void)
 # define gnutls_certificate_set_verify_flags fn_gnutls_certificate_set_verify_flags
 # define gnutls_certificate_set_x509_crl_file fn_gnutls_certificate_set_x509_crl_file
 # define gnutls_certificate_set_x509_key_file fn_gnutls_certificate_set_x509_key_file
+# define gnutls_certificate_set_x509_key_file2 fn_gnutls_certificate_set_x509_key_file2
 # define gnutls_certificate_set_x509_system_trust fn_gnutls_certificate_set_x509_system_trust
 # define gnutls_certificate_set_x509_trust_file fn_gnutls_certificate_set_x509_trust_file
 # define gnutls_certificate_type_get fn_gnutls_certificate_type_get
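Review bot: The `LOAD_DLL_FN (library, gnutls_certificate_set_x509_key_file2);` added in the -314 hunk is unconditional, unlike the neighbouring `gnutls_certificate_set_x509_system_trust` entry, which the file guards with `HAVE_GNUTLS_X509_SYSTEM_TRUST`. If `LOAD_DLL_FN` makes `init_gnutls_functions` fail when a symbol is absent (it appears to, from how the surrounding entries are used, but the macro body is outside the hunk), then a runtime GnuTLS DLL that predates `gnutls_certificate_set_x509_key_file2` would lose TLS support entirely, whereas before this change it worked. Consider a configure-time guard for the new symbol, mirroring the existing pattern, and keeping the old `gnutls_certificate_set_x509_key_file` declaration and call as the fallback when no password is given; if the project's minimum GnuTLS version already guarantees the symbol, a one-line comment saying so next to the new `DEF_DLL_FN` would settle the question for the next reader. `init_gnutls_functions` starts and ends outside the visible hunks.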
@@ -1813,6 +1818,10 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 :complete-negotiation, if non-nil, will make negotiation complete before
 returning even on non-blocking sockets.
 
+:pass, the password of the private key.
+
+:flags, an ORed sequence of gnutls_pkcs_encrypt_flags_t.
+
 The debug level will be set for this process AND globally for GnuTLS.
 So if you set it higher or lower at any point, it affects global
 debugging.
@@ -1848,6 +1857,8 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 Lisp_Object trustfiles;
 Lisp_Object crlfiles;
 Lisp_Object keylist;
+ Lisp_Object pass;
+ Lisp_Object flags;
 /* Lisp_Object callbacks; */
 Lisp_Object loglevel;
 Lisp_Object hostname;
@@ -1877,6 +1888,8 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 crlfiles = plist_get (proplist, QCcrlfiles);
 loglevel = plist_get (proplist, QCloglevel);
 prime_bits = plist_get (proplist, QCmin_prime_bits);
+ pass = plist_get (proplist, QCpass);
+ flags = plist_get (proplist, QCflags);
 
 if (!STRINGP (hostname))
 {
@@ -2038,8 +2051,8 @@ DEFUN ("gnutls-boot", Fgnutls_boot, Sgnutls_boot, 3, 3, 0,
 keyfile = ansi_encode_filename (keyfile);
 certfile = ansi_encode_filename (certfile);
 # endif
- ret = gnutls_certificate_set_x509_key_file
- (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format);
+ ret = gnutls_certificate_set_x509_key_file2
+ (x509_cred, SSDATA (certfile), SSDATA (keyfile), file_format, SSDATA (pass), XUFIXNUM (flags));
 
 if (ret < GNUTLS_E_SUCCESS)
 return gnutls_make_error (ret);
@@ -2860,6 +2873,8 @@ syms_of_gnutls (void)
 DEFSYM (QCmin_prime_bits, ":min-prime-bits");
 DEFSYM (QCloglevel, ":loglevel");
 DEFSYM (QCcomplete_negotiation, ":complete-negotiation");
+ DEFSYM (QCpass, ":pass");
+ DEFSYM (QCflags, ":flags");
 DEFSYM (QCverify_flags, ":verify-flags");
 DEFSYM (QCverify_error, ":verify-error");
-- 
2.37.3
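Review bot: In the -2038 hunk, `SSDATA (pass)` and `XUFIXNUM (flags)` are applied to values that the -1877 hunk fetches with `plist_get` and never type-checks; `plist_get` yields nil for an absent key, and the Lisp side of this patch always emits `:pass`/`:flags`, so every existing caller that has no password now hands nil to `SSDATA`/`XUFIXNUM` on the key-file path (a crash or memory-unsafe read, depending on the build's checking). Normalise before the call: `const char *key_pass = STRINGP (pass) ? SSDATA (pass) : NULL;` and `unsigned int key_flags = FIXNATP (flags) ? XFIXNAT (flags) : 0;`, then pass `key_pass, key_flags` in place of `SSDATA (pass), XUFIXNUM (flags)`; per the GnuTLS documentation a NULL password makes `gnutls_certificate_set_x509_key_file2` accept unencrypted keys exactly as the replaced call did, so the old behaviour is preserved for existing callers. A non-string, non-nil `:pass` or a negative or non-integer `:flags` should be rejected with a type error rather than silently coerced, since the caller is supplying credential material. The same docstring hunk (-1813) should then say `:pass, if non-nil, the password of the private key.` and that `:flags` is optional. The `DEFUN` containing these hunks begins and ends outside the visible text.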