Re: need help with certificate bundles for ALL the platforms Emacs supports

[Ted Zlatanov <tzz@lifelogs.com>]

On Sun, 12 Feb 2012 22:28:24 -0500 Stefan Monnier <monnier@IRO.UMontreal.CA> wrote: 

>> +(defcustom gnutls-trustfiles '(
>> +                               ;; Debian, Ubuntu, Gentoo and Arch Linux
>> +                               "/etc/ssl/certs/ca-certificates.crt"
>> +                               ;; Fedora and RHEL
>> +                               "/etc/pki/tls/certs/ca-bundle.crt"
>> +                               ;; Suse
>> +                               "/etc/ssl/ca-bundle.pem"
>> +                               )
>> +  "List of functions or filenames yielding CA bundle locations.
>> +The files may be in PEM or DER format, as per the GnuTLS documentation.
>> +The files may not exist, in which case they will be ignored.
>> +Functions will be called and may return a filename or a list of filenames."
>> +  :group 'gnutls
>> +  :type '(repeat (choice (function :tag "Function")
>> +                         (file :tag "Bundle filename"))))

SM> How 'bout something like

(defcustom gnutls-trustfile
    (let ((file (if (boundp 'cert-bundle-location)
                    cert-bundle-location))
          (candidates 
           '("/etc/ssl/certs/ca-certificates.crt" ; Debian, Gentoo, Arch.
             "/etc/pki/tls/certs/ca-bundle.crt"   ; Fedora and RHEL.
             "/etc/ssl/ca-bundle.pem"             ; Suse.
             )))
      (while candidates
        (if (file-readable-p (car candidates))
            (setq file (car candidate) candidates nil)
          (setq candidates (cdr candidates))))
      file)
  "Name of the CA bundle file.
The file may be in PEM or DER format, as per the GnuTLS documentation."
  :group 'gnutls
  :type '(choice (const nil) (file :tag "Bundle filename")))

The trustfiles parameter is a list of files, all the way through to
gnutls.c.  I don't think it should be demoted to a single file in the
customization interface, and it still needs a function choice.

Also I don't want to decide the default bundle file names at the time
the defcustom is evaluated.  Since `gnutls-trustfiles' can contain
function calls, I'd like it to be called when it's needed.  For
instance, it's very common to store certificates as PEM files in a
directory, and the user should be able to choose that approach instead
of managing a concatenated bundle.  If we built the file list only once,
the modular approach would fail.  Another situation is on W32, where the
cert bundle has to be dynamically built (which will require some caching
but should still be done as close to using the bundle as possible).

Ted