2020-09-25 16:53:20 -06:00
|
|
|
package gemini
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bufio"
|
|
|
|
"bytes"
|
|
|
|
"crypto/sha512"
|
|
|
|
"crypto/x509"
|
|
|
|
"fmt"
|
|
|
|
"io"
|
2020-09-25 21:06:54 -06:00
|
|
|
"os"
|
|
|
|
"path/filepath"
|
2020-09-25 16:53:20 -06:00
|
|
|
"strconv"
|
|
|
|
"strings"
|
2020-09-25 18:22:48 -06:00
|
|
|
"time"
|
2020-09-25 16:53:20 -06:00
|
|
|
)
|
|
|
|
|
2020-09-25 18:22:48 -06:00
|
|
|
// KnownHosts represents a list of known hosts.
|
2020-09-27 12:18:30 -06:00
|
|
|
// The zero value for KnownHosts is an empty list ready to use.
|
2020-09-25 21:06:54 -06:00
|
|
|
type KnownHosts struct {
|
|
|
|
hosts []KnownHost
|
|
|
|
file *os.File
|
|
|
|
}
|
|
|
|
|
2020-09-27 12:18:30 -06:00
|
|
|
// Load loads the known hosts from the default known hosts path, which is
|
|
|
|
// `$XDG_DATA_HOME/gemini/known_hosts`.
|
2020-09-26 11:35:56 -06:00
|
|
|
// It creates the path and any of its parent directories if they do not exist.
|
2020-09-27 12:18:30 -06:00
|
|
|
// KnownHosts will append to the file whenever a certificate is added.
|
|
|
|
func (k *KnownHosts) Load() error {
|
2020-09-26 11:35:56 -06:00
|
|
|
path, err := defaultKnownHostsPath()
|
|
|
|
if err != nil {
|
2020-09-27 12:18:30 -06:00
|
|
|
return err
|
2020-09-26 11:35:56 -06:00
|
|
|
}
|
2020-09-27 12:18:30 -06:00
|
|
|
return k.LoadFrom(path)
|
2020-09-26 11:35:56 -06:00
|
|
|
}
|
|
|
|
|
2020-09-27 12:18:30 -06:00
|
|
|
// LoadFrom loads the known hosts from the provided path.
|
2020-09-25 21:06:54 -06:00
|
|
|
// It creates the path and any of its parent directories if they do not exist.
|
2020-09-27 12:18:30 -06:00
|
|
|
// KnownHosts will append to the file whenever a certificate is added.
|
|
|
|
func (k *KnownHosts) LoadFrom(path string) error {
|
2020-09-25 21:06:54 -06:00
|
|
|
if dir := filepath.Dir(path); dir != "." {
|
|
|
|
err := os.MkdirAll(dir, 0755)
|
|
|
|
if err != nil {
|
2020-09-27 12:18:30 -06:00
|
|
|
return err
|
2020-09-25 21:06:54 -06:00
|
|
|
}
|
|
|
|
}
|
|
|
|
f, err := os.OpenFile(path, os.O_CREATE|os.O_RDONLY, 0644)
|
|
|
|
if err != nil {
|
2020-09-27 12:18:30 -06:00
|
|
|
return err
|
2020-09-25 21:06:54 -06:00
|
|
|
}
|
|
|
|
k.Parse(f)
|
|
|
|
f.Close()
|
|
|
|
// Open the file for append-only use
|
|
|
|
f, err = os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0644)
|
|
|
|
if err != nil {
|
2020-09-27 12:18:30 -06:00
|
|
|
return err
|
2020-09-25 21:06:54 -06:00
|
|
|
}
|
|
|
|
k.file = f
|
2020-09-27 12:18:30 -06:00
|
|
|
return nil
|
2020-09-25 21:06:54 -06:00
|
|
|
}
|
|
|
|
|
2020-09-27 12:18:30 -06:00
|
|
|
// Add adds a certificate to the list of known hosts.
|
2020-09-25 21:06:54 -06:00
|
|
|
// If KnownHosts was loaded from a file, Add will append to the file.
|
|
|
|
func (k *KnownHosts) Add(cert *x509.Certificate) {
|
2020-09-27 12:22:41 -06:00
|
|
|
// Add an entry per hostname
|
|
|
|
for _, name := range cert.DNSNames {
|
|
|
|
host := NewKnownHost(name, cert)
|
|
|
|
k.hosts = append(k.hosts, host)
|
|
|
|
// Append to the file
|
|
|
|
if k.file != nil {
|
|
|
|
host.Write(k.file)
|
|
|
|
}
|
2020-09-25 21:06:54 -06:00
|
|
|
}
|
|
|
|
}
|
2020-09-25 18:22:48 -06:00
|
|
|
|
2020-09-26 11:27:03 -06:00
|
|
|
// Lookup looks for the provided certificate in the list of known hosts.
|
|
|
|
// If the hostname is in the list, but the fingerprint differs,
|
|
|
|
// Lookup returns ErrCertificateNotTrusted.
|
|
|
|
// If the hostname is not in the list, Lookup returns ErrCertificateUnknown.
|
|
|
|
// If the certificate is found and the fingerprint matches, error will be nil.
|
2020-09-27 13:03:46 -06:00
|
|
|
func (k *KnownHosts) Lookup(hostname string, cert *x509.Certificate) error {
|
2020-09-26 11:27:03 -06:00
|
|
|
now := time.Now().Unix()
|
|
|
|
fingerprint := Fingerprint(cert)
|
|
|
|
for i := range k.hosts {
|
|
|
|
if k.hosts[i].Hostname != hostname {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
if k.hosts[i].Expires <= now {
|
|
|
|
// Certificate is expired
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
if k.hosts[i].Fingerprint == fingerprint {
|
|
|
|
// Fingerprint matches
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
// Fingerprint does not match
|
|
|
|
return ErrCertificateNotTrusted
|
|
|
|
}
|
|
|
|
return ErrCertificateUnknown
|
|
|
|
}
|
|
|
|
|
2020-09-25 21:06:54 -06:00
|
|
|
// Parse parses the provided reader and adds the parsed known hosts to the list.
|
2020-09-25 18:55:37 -06:00
|
|
|
// Invalid lines are ignored.
|
2020-09-25 21:06:54 -06:00
|
|
|
func (k *KnownHosts) Parse(r io.Reader) {
|
2020-09-25 16:53:20 -06:00
|
|
|
scanner := bufio.NewScanner(r)
|
|
|
|
for scanner.Scan() {
|
|
|
|
text := scanner.Text()
|
|
|
|
|
|
|
|
parts := strings.Split(text, " ")
|
|
|
|
if len(parts) < 4 {
|
2020-09-25 18:55:37 -06:00
|
|
|
continue
|
2020-09-25 16:53:20 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
hostname := parts[0]
|
|
|
|
algorithm := parts[1]
|
|
|
|
fingerprint := parts[2]
|
2020-09-25 18:22:48 -06:00
|
|
|
expires, err := strconv.ParseInt(parts[3], 10, 0)
|
2020-09-25 16:53:20 -06:00
|
|
|
if err != nil {
|
2020-09-25 18:55:37 -06:00
|
|
|
continue
|
2020-09-25 16:53:20 -06:00
|
|
|
}
|
|
|
|
|
2020-09-25 21:06:54 -06:00
|
|
|
k.hosts = append(k.hosts, KnownHost{
|
2020-09-25 16:53:20 -06:00
|
|
|
Hostname: hostname,
|
|
|
|
Algorithm: algorithm,
|
|
|
|
Fingerprint: fingerprint,
|
2020-09-25 18:22:48 -06:00
|
|
|
Expires: expires,
|
2020-09-25 16:53:20 -06:00
|
|
|
})
|
|
|
|
}
|
2020-09-25 18:55:37 -06:00
|
|
|
}
|
2020-09-25 16:53:20 -06:00
|
|
|
|
2020-09-27 12:18:30 -06:00
|
|
|
// Write writes the known hosts to the provided io.Writer.
|
|
|
|
func (k *KnownHosts) Write(w io.Writer) {
|
|
|
|
for _, h := range k.hosts {
|
|
|
|
h.Write(w)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-09-25 18:55:37 -06:00
|
|
|
// KnownHost represents a known host.
|
|
|
|
type KnownHost struct {
|
|
|
|
Hostname string // e.g. gemini.circumlunar.space
|
|
|
|
Algorithm string // fingerprint algorithm e.g. SHA-512
|
|
|
|
Fingerprint string // fingerprint in hexadecimal, with ':' between each octet
|
|
|
|
Expires int64 // unix time of certificate notAfter date
|
2020-09-25 16:53:20 -06:00
|
|
|
}
|
|
|
|
|
2020-09-27 12:22:41 -06:00
|
|
|
// NewKnownHost creates a new known host from a hostname and a certificate.
|
|
|
|
func NewKnownHost(hostname string, cert *x509.Certificate) KnownHost {
|
2020-09-25 19:43:13 -06:00
|
|
|
return KnownHost{
|
2020-09-27 12:22:41 -06:00
|
|
|
Hostname: hostname,
|
2020-09-25 19:43:13 -06:00
|
|
|
Algorithm: "SHA-512",
|
|
|
|
Fingerprint: Fingerprint(cert),
|
|
|
|
Expires: cert.NotAfter.Unix(),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-09-25 18:55:37 -06:00
|
|
|
// Write writes the known host to the provided io.Writer.
|
|
|
|
func (k KnownHost) Write(w io.Writer) (int, error) {
|
2020-09-25 19:43:13 -06:00
|
|
|
s := fmt.Sprintf("%s %s %s %d\n", k.Hostname, k.Algorithm, k.Fingerprint, k.Expires)
|
2020-09-25 18:55:37 -06:00
|
|
|
return w.Write([]byte(s))
|
2020-09-25 18:22:48 -06:00
|
|
|
}
|
|
|
|
|
2020-09-25 16:53:20 -06:00
|
|
|
// Fingerprint returns the SHA-512 fingerprint of the provided certificate.
|
|
|
|
func Fingerprint(cert *x509.Certificate) string {
|
|
|
|
sum512 := sha512.Sum512(cert.Raw)
|
|
|
|
var buf bytes.Buffer
|
|
|
|
for i, f := range sum512 {
|
|
|
|
if i > 0 {
|
|
|
|
fmt.Fprintf(&buf, ":")
|
|
|
|
}
|
|
|
|
fmt.Fprintf(&buf, "%02X", f)
|
|
|
|
}
|
|
|
|
return buf.String()
|
|
|
|
}
|
2020-09-26 11:35:56 -06:00
|
|
|
|
|
|
|
// defaultKnownHostsPath returns the default known_hosts path.
|
|
|
|
// The default path is $XDG_DATA_HOME/gemini/known_hosts
|
|
|
|
func defaultKnownHostsPath() (string, error) {
|
|
|
|
dataDir, err := userDataDir()
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
return filepath.Join(dataDir, "gemini", "known_hosts"), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// userDataDir returns the user data directory.
|
|
|
|
func userDataDir() (string, error) {
|
|
|
|
dataDir, ok := os.LookupEnv("XDG_DATA_HOME")
|
|
|
|
if ok {
|
|
|
|
return dataDir, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
home, err := os.UserHomeDir()
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
return filepath.Join(home, ".local", "share"), nil
|
|
|
|
}
|