From: Robert Pluim
Newsgroups: gmane.emacs.bugs
Subject: bug#33780: network-stream.el: network-stream-certificate always returns nil
Date: Fri, 21 Dec 2018 14:16:57 +0100
References: <36f7918ec93135504092dc856a4490c846f6e947.camel@dracon.is> <97b430dc5524473a7ed3af1b903644880db057ff.camel@dracon.is>
To: Vinothan Shankar
Cc: 33780@debbugs.gnu.org
In-Reply-To: (Robert Pluim's message of "Thu, 20 Dec 2018 19:45:25 +0100")
Xref: news.gmane.org gmane.emacs.bugs:153676

Robert Pluim writes:

> Vinothan Shankar writes:
>
>> OK, so a few minutes into the process of trying to do this, I came
>> across a snag: the syntax for using certificates in authinfo files
>> doesn't appear to be documented anywhere; I had to extract it from a
>> stackexchange question. Docs bug, or lack of search-fu? Moving on...
>
> Itʼs in the smtpmail info manual, node 'Encryption'. It is linked from
> the main Emacs manual, from the 'Mail Sending' node, but there appears
> to be no description of the syntax in the auth-source manual. Patches
> welcome :-)
>

I was looking there anyway, so I updated the manual. Proposed patch
attached. At this time it just enables taking into account
':client-certificate t' in calls to 'open-network-stream' and applying
any client certificates found, it doesnʼt change the default
behaviour. Iʼll follow up on emacs-devel afterwards about that.

Content-Type: text/x-patch
Content-Disposition: inline; filename=0001-Check-for-client-certificates-when-using-GnuTLS.patch

From 2f13e12882a32246d9b1d57e111ad17e0773ff54 Mon Sep 17 00:00:00 2001
From: Robert Pluim
Date: Fri, 21 Dec 2018 11:58:00 +0100
Subject: [PATCH] Check for client certificates when using GnuTLS
To: emacs-devel@gnu.org

This fixes Bug#33780, and extends the documentation to describe how to
enable use of client certificates.

* lisp/net/network-stream.el (network-stream-certificate): Correct
order of parameters to plist-get.
(network-stream-open-tls): Pass all received parameters to
open-gnutls-stream, not just :nowait.
* lisp/net/gnutls.el (open-gnutls-stream): Add optional plist to
arglist. Derive client certificate(s) and key(s) from plist (maybe via
auth-source) and pass to gnutls-boot-parameters and gnutls-negotiate.
(network-stream-certificate): Add declare-function form for it.
* doc/misc/auth.texi (Help for users): Describe format to use for
client key/cert specification.
* doc/misc/emacs-gnutls.texi (Help For Developers): Describe usage of
new optional plist argument. Add crossref to description of .authinfo
format for client key/cert specification.
* etc/NEWS: Describe new client certificate functionality for
'open-network-stream'
---
 doc/misc/auth.texi         |  9 +++++++++
 doc/misc/emacs-gnutls.texi | 12 +++++++++++-
 etc/NEWS                   |  7 +++++++
 lisp/net/gnutls.el         | 31 +++++++++++++++++++++----------
 lisp/net/network-stream.el |  5 +++--
 5 files changed, 51 insertions(+), 13 deletions(-)

diff --git a/doc/misc/auth.texi b/doc/misc/auth.texi
index fcbc83ead5..68b8553d58 100644
--- a/doc/misc/auth.texi
+++ b/doc/misc/auth.texi
@@ -109,6 +109,15 @@ Help for users @code{auth-source-search} queries. You can also use @code{login} and @code{account}. +You can also use this file to specify client certificates to use when +setting up TLS connections. The format is: +@example +machine @var{mymachine} port @var{myport} key "@var{key}" cert "@var{cert}" +@end example + +@var{key} and @var{cert} are filenames containing the key and +certificate to use respectively. + You can use spaces inside a password or other token by surrounding the token with either single or double quotes. diff --git a/doc/misc/emacs-gnutls.texi b/doc/misc/emacs-gnutls.texi index a690ccfcce..90c2d217e2 100644 --- a/doc/misc/emacs-gnutls.texi +++ b/doc/misc/emacs-gnutls.texi @@ -179,7 +179,7 @@ Help For Developers You should not have to use the @file{gnutls.el} functions directly. But you can test them with @code{open-gnutls-stream}. -@defun open-gnutls-stream name buffer host service &optional nowait +@defun open-gnutls-stream name buffer host service &optional nowait parameters This function creates a buffer connected to a specific @var{host} and @var{service} (port number or service name). The parameters and their syntax are the same as those given to @code{open-network-stream} @@ -191,6 +191,16 @@ Help For Developers asynchronous, and the connection process will be returned to the caller before TLS negotiation has happened. +@var{parameters} is a plist which is currently checked only for +@code{:client-certificate}. Any resulting client certificates are +passed down to the lower TLS layers. Set @code{:client certificate t} +to trigger looking up of the certificates using the auth-source +library. The format used by @file{.authinfo} to specify the +per-server keys is described in @xref{Help for users,,auth-source, +auth, Emacs auth-source Library}. + +Example calls: + @lisp ;; open a HTTPS connection (open-gnutls-stream "tls" "tls-buffer" "yourserver.com" "https") 
diff --git a/etc/NEWS b/etc/NEWS index 0624c5690b..74943fb2ff 100644 --- a/etc/NEWS +++ b/etc/NEWS @@ -199,6 +199,13 @@ issued), you can either set 'network-security-protocol-checks' to nil, or adjust the elements in that variable to only happen on the 'high' security level (assuming you use the 'medium' level). ++++ +** Native GnuTLS connections can now use client certificates. +Previously, this support was only available when using the external +gnutls-cli command. Call 'open-network-stream' with +':client-certificate t' to trigger looking up of per-server +certificates via 'auth-source'. + +++ ** New function 'fill-polish-nobreak-p', to be used in 'fill-nobreak-predicate'. It blocks line breaking after a one-letter word, also in the case when diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el index 315932b7e6..30f933fa48 100644 --- a/lisp/net/gnutls.el +++ b/lisp/net/gnutls.el @@ -38,6 +38,9 @@ (require 'cl-lib) (require 'puny) +(declare-function network-stream-certificate "network-stream" + (host service parameters)) + (defgroup gnutls nil "Emacs interface to the GnuTLS library." :version "24.1" @@ -138,7 +141,7 @@ gnutls-min-prime-bits (integer :tag "Number of bits" 512)) :group 'gnutls) -(defun open-gnutls-stream (name buffer host service &optional nowait) +(defun open-gnutls-stream (name buffer host service &optional nowait parameters) "Open a SSL/TLS connection for a service to a host. Returns a subprocess-object to represent the connection. Input and output work as for subprocesses; `delete-process' closes it. 
@@ -155,6 +158,10 @@ open-gnutls-stream Fifth arg NOWAIT (which is optional) means that the socket should be opened asynchronously. The connection process will be returned to the caller before TLS negotiation has happened. +Sixth arg PARAMETERS is an optional property list. It is currently +checked for :client-certificate only. This allows specifying the +client certificates and keys used to set up the connection. +See `open-network-stream' for a complete description. Usage example: @@ -168,19 +175,23 @@ open-gnutls-stream documentation for the specific parameters you can use to open a GnuTLS connection, including specifying the credential type, trust and key files, and priority string." - (let ((process (open-network-stream - name buffer host service - :nowait nowait - :tls-parameters - (and nowait - (cons 'gnutls-x509pki - (gnutls-boot-parameters - :type 'gnutls-x509pki - :hostname (puny-encode-domain host))))))) + (let* ((cert (network-stream-certificate host service parameters)) + (keylist (and cert (list cert))) + (process (open-network-stream + name buffer host service + :nowait nowait + :tls-parameters + (and nowait + (cons 'gnutls-x509pki + (gnutls-boot-parameters + :type 'gnutls-x509pki + :keylist keylist + :hostname (puny-encode-domain host))))))) (if nowait process (gnutls-negotiate :process process :type 'gnutls-x509pki + :keylist keylist :hostname (puny-encode-domain host))))) (define-error 'gnutls-error "GnuTLS error") diff --git a/lisp/net/network-stream.el b/lisp/net/network-stream.el index a0589e25a4..26f92d5aa8 100644 --- a/lisp/net/network-stream.el +++ b/lisp/net/network-stream.el @@ -196,7 +196,7 @@ open-network-stream (car result)))))) (defun network-stream-certificate (host service parameters) - (let ((spec (plist-get :client-certificate parameters))) + (let ((spec (plist-get parameters :client-certificate))) (cond ((listp spec) ;; Either nil or a list with a key/certificate pair. 
@@ -389,7 +389,8 @@ network-stream-open-tls (stream (if (gnutls-available-p) (open-gnutls-stream name buffer host service - (plist-get parameters :nowait)) + (plist-get parameters :nowait) + parameters) (require 'tls) (open-tls-stream name buffer host service))) (eoc (plist-get parameters :end-of-command))) -- 2.19.1.816.gcd69ec8cde.dirty --=-=-=--
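Review bot: the new auth.texi text in the @@ -109 hunk should say what the `key` file is, not only that it is a filename: it is the private key matching `cert`, and it lives in the same file as the user's passwords, so it deserves the same restrictive permissions. Suggest a sentence after `@var{key} and @var{cert} are filenames containing the key and certificate to use respectively.` stating that the key file holds a private key and should be readable only by the user.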
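Review bot: in the emacs-gnutls.texi @@ -191 hunk, `Set @code{:client certificate t}` misspells the keyword; it must read `@code{:client-certificate t}`, otherwise readers copy a plist key that the `plist-get` in network-stream.el never matches and the certificate is silently not used. Also, `is described in @xref{...}` renders as `is described in See ...`; mid-sentence the cross reference should be `@ref{}` (or `@pxref{}` inside parentheses).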
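Review bot: the `declare-function` for `network-stream-certificate` in the gnutls.el @@ -38 hunk only satisfies the byte-compiler; nothing in the patch guarantees network-stream.el is loaded when `open-gnutls-stream` is called directly, which the manual text in this same patch invites (`you can test them with @code{open-gnutls-stream}`), so such a call would fail with a void-function error. Either `(require 'network-stream)` (checking for a load cycle, since `network-stream-open-tls` calls into gnutls.el), give `network-stream-certificate` an autoload cookie, or guard the call with `fboundp`.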
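Review bot: in the open-gnutls-stream hunk (@@ -168), when the caller asked for a client certificate but the lookup yields nil, `(keylist (and cert (list cert)))` is nil and the handshake proceeds as a server-authenticated-only TLS session with no indication to the caller. That is the fail-open case a user notices only when the service rejects them, or never; consider emitting a message or signalling an error when `parameters` requested a certificate and `cert` is nil, rather than continuing silently.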
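Review bot: the `plist-get` argument swap in the network-stream.el @@ -196 hunk is the actual fix for the reported symptom: with the arguments reversed, `plist-get` treated the keyword `:client-certificate` as the plist and always returned nil, so no certificate was ever found and TLS connections quietly went ahead without client authentication. Because that failure is silent, please add a regression test for `network-stream-certificate` covering both the explicit `(key cert)` list and the `t`/auth-source path, so the argument order cannot regress unnoticed.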
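Review bot: in the network-stream-open-tls hunk (@@ -389) `parameters` is handed only to `open-gnutls-stream`; the `(require 'tls) (open-tls-stream name buffer host service)` fallback still drops it, so `:client-certificate` is silently ignored when `gnutls-available-p` is nil. If that is intended, say so in the docstring of the new PARAMETERS argument or in the NEWS entry; otherwise pass the certificate to the tls.el path as well. Minor: the explicit `(plist-get parameters :nowait)` argument is now redundant with `parameters` itself.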