Encrypting and decrypting key and cert files

[createyourpersonalaccount]

Hello,

I would like to add the feature of circe being able to use encrypted .pem files.

The circe-network-options variable has the option to give a function for :pass. https://github.com/emacs-circe/circe/blob/77e16de3b9fbaa0417b56a9acc70a9bca17c4ad0/circe.el#L159-L160 This function can decrypt a file to retrieve the password. It would be a useful feature to have for the key and cert in :tls-keylist as well. I have tried to locate where the circe-tls-keylist variable is used in the source code, but I could not understand who is responsible for reading the contents of the key and cert files.

Can someone please help me spot it? I started my search here: https://github.com/emacs-circe/circe/blob/77e16de3b9fbaa0417b56a9acc70a9bca17c4ad0/circe.el#L1287

[wasamasa]

See irc.el for this. The key list is passed on as is to gnutls-boot-parameters. While it would be possible to write a function that generates a list of unencrypted file names, I doubt it makes much sense to leave unencrypted files on the disk to accomodate that interface. Instead the time would be better spent enhancing Emacs' gnutls integration to support encrypted files.

[wasamasa]

I've looked into gnutls.c, apparently Emacs uses gnutls_certificate_set_x509_key_file instead of gnutls_certificate_set_x509_key_file2 (which is what the GnuTLS manual recommends). The latter supports a password argument for decrypting the key. This confirms my initial suspicion that this is best solved inside Emacs. If you happen to write/merge such a patch for Emacs or even convince the Emacs developers that this feature is important enough to bother with, feel free to let me know about it by submitting a link.

[wasamasa]

Relevant emacs-devel discussion: https://lists.gnu.org/archive/html/bug-gnu-emacs/2021-09/msg00858.html