X-Git-Url: https://thelambdalab.xyz/gitweb/index.cgi?a=blobdiff_plain;f=elpher.el;h=eb2e52626291949e09d03bf66563a803222290fb;hb=refs%2Fheads%2Fcertificate-management;hp=2ba5e8e42f1220d7ed0c051ac47f2606a11062af;hpb=5982f725ac58e53efe63e47ffa28bc41c8306318;p=elpher.git diff --git a/elpher.el b/elpher.el index 2ba5e8e..eb2e526 100644 --- a/elpher.el +++ b/elpher.el @@ -5,8 +5,8 @@ ;; Author: Tim Vaughan ;; Created: 11 April 2019 -;; Version: 3.4.3 -;; Keywords: comm gopher +;; Version: 3.5.0 +;; Keywords: comm gopher gemini ;; Homepage: https://thelambdalab.xyz/elpher ;; Package-Requires: ((emacs "27.1")) @@ -71,7 +71,7 @@ ;;; Global constants ;; -(defconst elpher-version "3.4.3" +(defconst elpher-version "3.5.0" "Current version of elpher.") (defconst elpher-margin-width 6 @@ -241,6 +241,14 @@ meaningfully." "Label of button used to toggle formatted text." :type '(string)) +(defcustom elpher-certificate-map nil + "Register client certificates to be used for gemini URLs. +This variable contains an alist representing a mapping between gemini +URLs and the names of client certificates which will be automatically +activated for those URLs. Beware that the certificates will also be +active for all subdirectories of the given URLs." + :type '(alist :key-type string :value-type string)) + ;; Face customizations (defgroup elpher-faces nil @@ -793,7 +801,8 @@ ERROR can be either an error object or a string." "If non-nil, use TLS to communicate with gopher servers.") (defvar elpher-client-certificate nil - "If non-nil, contains client certificate details to use for TLS connections.") + "If non-nil, contains details of client certificate to use for TLS connections. +See `elpher-generate-certificate' for further info.") (defun elpher-process-cleanup () "Immediately shut down any extant elpher process and timers." @@ -951,7 +960,8 @@ the host operating system and the local network capabilities.)" ;;; Client-side TLS Certificate Management ;; -(defun elpher-generate-certificate (common-name key-file cert-file &optional temporary) +(defun elpher-generate-certificate (common-name key-file cert-file url-prefix + &optional temporary) "Generate a key and a self-signed client TLS certificate using openssl. The Common Name field of the certificate is set to COMMON-NAME. The @@ -965,7 +975,8 @@ when the certificate is no longer needed for the current session. Otherwise, the certificate will be given a 100 year expiration period and the files will not be deleted. -The function returns a list containing the current host name, the +The function returns a list containing the URL-PREFIX of addresses +for which the certificate should be used in this session, the temporary flag, and the key and cert file names in the form required by `gnutls-boot-parameters`." (let ((exp-key-file (expand-file-name key-file)) @@ -979,56 +990,70 @@ by `gnutls-boot-parameters`." "-subj" (concat "/CN=" common-name) "-keyout" exp-key-file "-out" exp-cert-file) - (list (elpher-address-host (elpher-page-address elpher-current-page)) - temporary exp-key-file exp-cert-file)) + (list url-prefix temporary exp-key-file exp-cert-file)) (error (message "Check that openssl is installed, or customize `elpher-openssl-command`.") (error "Program 'openssl', required for certificate generation, not found"))))) -(defun elpher-generate-throwaway-certificate () +(defun elpher-generate-throwaway-certificate (url-prefix) "Generate and return details of a throwaway certificate. The key and certificate files will be deleted when they are no -longer needed for this session." +longer needed for this session. + +The certificate will be marked as applying to all addresses with URLs +starting with URL-PREFIX." (let* ((file-base (make-temp-name "elpher")) (key-file (concat temporary-file-directory file-base ".key")) (cert-file (concat temporary-file-directory file-base ".crt"))) - (elpher-generate-certificate file-base key-file cert-file t))) + (elpher-generate-certificate file-base key-file cert-file url-prefix t))) -(defun elpher-generate-persistent-certificate (file-base common-name) +(defun elpher-generate-persistent-certificate (file-base common-name url-prefix) "Generate and return details of a persistent certificate. The argument FILE-BASE is used as the base for the key and certificate files, while COMMON-NAME specifies the common name field of the certificate. -The key and certificate files are written to in `elpher-certificate-directory'." +The key and certificate files are written to in `elpher-certificate-directory'. + +In this session, the certificate will remain active for all addresses +having URLs starting with URL-PREFIX." (let* ((key-file (concat elpher-certificate-directory file-base ".key")) (cert-file (concat elpher-certificate-directory file-base ".crt"))) - (elpher-generate-certificate common-name key-file cert-file))) + (elpher-generate-certificate common-name key-file cert-file url-prefix))) -(defun elpher-get-existing-certificate (file-base) +(defun elpher-get-existing-certificate (file-base url-prefix) "Return a certificate object corresponding to an existing certificate. It is assumed that the key files FILE-BASE.key and FILE-BASE.crt exist in -the directory `elpher-certificate-directory'." +the directory `elpher-certificate-directory'. + +In this session, the certificate will remain active for all addresses +having URLs starting with URL-PREFIX." (let* ((key-file (concat elpher-certificate-directory file-base ".key")) (cert-file (concat elpher-certificate-directory file-base ".crt"))) - (list (elpher-address-host (elpher-page-address elpher-current-page)) + (list url-prefix nil (expand-file-name key-file) (expand-file-name cert-file)))) -(defun elpher-install-and-use-existing-certificate (key-file-src cert-file-src file-base) +(defun elpher-install-certificate (key-file-src cert-file-src file-base url-prefix) "Install a key+certificate file pair in `elpher-certificate-directory'. The strings KEY-FILE-SRC and CERT-FILE-SRC are the existing key and certificate files to install. The argument FILE-BASE is used as the -base for the installed key and certificate files." +base for the installed key and certificate files. + +In this session, the certificate will remain active for all addresses +having URLs starting with URL-PREFIX." (let* ((key-file (concat elpher-certificate-directory file-base ".key")) (cert-file (concat elpher-certificate-directory file-base ".crt"))) (if (or (file-exists-p key-file) (file-exists-p cert-file)) (error "A certificate with base name %s is already installed" file-base)) + (unless (and (file-exists-p key-file-src) + (file-exists-p cert-file-src)) + (error "Either of the key or certificate files do not exist")) (copy-file key-file-src key-file) (copy-file cert-file-src cert-file) - (list (elpher-address-host (elpher-page-address elpher-current-page)) + (list url-prefix nil (expand-file-name key-file) (expand-file-name cert-file)))) @@ -1054,7 +1079,7 @@ are also deleted." (when (cadr elpher-client-certificate) (delete-file (elt elpher-client-certificate 2)) (delete-file (elt elpher-client-certificate 3))) - (setq elpher-client-certificate nil) + (setq-local elpher-client-certificate nil) (if (called-interactively-p 'any) (message "Client certificate forgotten."))))) @@ -1062,14 +1087,14 @@ are also deleted." "Retrieve the `gnutls-boot-parameters'-compatable keylist. This is obtained from the client certificate described by -`elpher-current-certificate', if one is available and the host for -that certificate matches the host in ADDRESS. +`elpher-current-certificate', if one is available and the +URL prefix for that certificate matches ADDRESS. -If `elpher-current-certificate' is non-nil, and its host name doesn't +If `elpher-current-certificate' is non-nil, and its URL prefix doesn't match that of ADDRESS, the certificate is forgotten." (if elpher-client-certificate - (if (string= (car elpher-client-certificate) - (elpher-address-host address)) + (if (string-prefix-p (car elpher-client-certificate) + (elpher-address-to-url address)) (list (cddr elpher-client-certificate)) (elpher-forget-current-certificate) (message "Disabling client certificate for new host") @@ -1392,28 +1417,51 @@ that the response was malformed." (auto-fill-mode 1) (elpher-gemini-insert-text response-meta)) (let ((chosen-certificate - (with-local-quit (elpher-choose-client-certificate)))) + (with-local-quit + (elpher-acquire-client-certificate)))) (unless chosen-certificate (error "Gemini server requires a client certificate and none was provided")) - (setq elpher-client-certificate chosen-certificate)) + (setq-local elpher-client-certificate chosen-certificate)) (elpher-with-clean-buffer) (elpher-get-gemini-response (elpher-page-address elpher-current-page) renderer)) (_other (error "Gemini server response unknown: %s %s" response-code response-meta)))))) +(defun elpher-acquire-client-certificate () + "Select and activate a pre-defined client certificate or prompt for one. +In this case, \"pre-defined\" means a certificate provided by +the `elpher-certificate-map' variable." + (let* ((current-url (elpher-address-to-url (elpher-page-address elpher-current-page))) + (entry (assoc current-url + elpher-certificate-map + #'string-prefix-p))) + (if entry + (let ((cert-url-regex (car entry)) + (cert-name (cadr entry))) + (message "Using certificate \"%s\" specified in elpher-certificate-map with prefix \"%s\"" + cert-name cert-url-regex) + (elpher-get-existing-certificate cert-name cert-url-regex)) + (elpher-prompt-for-client-certificate current-url)))) + (defun elpher--read-answer-polyfill (question answers) "Polyfill for `read-answer' in Emacs 26.1. QUESTION is a string containing a question, and ANSWERS -is a list of possible answers." - (completing-read question (mapcar 'identity answers))) +is a list of possible answers, or an alist whose keys +are the possible answers." + (completing-read question answers)) (if (fboundp 'read-answer) (defalias 'elpher-read-answer 'read-answer) (defalias 'elpher-read-answer 'elpher--read-answer-polyfill)) -(defun elpher-choose-client-certificate () - "Prompt for a client certificate to use to establish a TLS connection." + + +(defun elpher-prompt-for-client-certificate (url-prefix) + "Prompt for a client certificate to use to establish a TLS connection. + +In this session, the chosen certificate will remain active for all +addresses with URLs matching URL-PREFIX." (let* ((read-answer-short t)) (pcase (read-answer "What do you want to do? " '(("throwaway" ?t @@ -1423,7 +1471,7 @@ is a list of possible answers." ("abort" ?a "stop immediately"))) ("throwaway" - (setq elpher-client-certificate (elpher-generate-throwaway-certificate))) + (setq-local elpher-client-certificate (elpher-generate-throwaway-certificate url-prefix))) ("persistent" (let* ((existing-certificates (elpher-list-existing-certificates)) (file-base (completing-read @@ -1432,8 +1480,8 @@ is a list of possible answers." (if (string-empty-p (string-trim file-base)) nil (if (member file-base existing-certificates) - (setq elpher-client-certificate - (elpher-get-existing-certificate file-base)) + (setq-local elpher-client-certificate + (elpher-get-existing-certificate file-base url-prefix)) (pcase (read-answer "Generate new certificate or install externally-generated one? " '(("new" ?n "generate new certificate") @@ -1446,15 +1494,16 @@ is a list of possible answers." file-base))) (message "New key and self-signed certificate written to %s" elpher-certificate-directory) - (elpher-generate-persistent-certificate file-base common-name))) + (elpher-generate-persistent-certificate file-base + common-name + url-prefix))) ("install" (let* ((cert-file (read-file-name "Certificate file: " nil nil t)) (key-file (read-file-name "Key file: " nil nil t))) (message "Key and certificate installed in %s for future use" elpher-certificate-directory) - (elpher-install-and-use-existing-certificate key-file - cert-file - file-base))) + (elpher-install-certificate key-file cert-file file-base + url-prefix))) ("abort" nil)))))) ("abort" nil))))