Move cert.go to a subpackage

certificate/certificate.go

@@ -1,4 +1,5 @@
-package gemini
+// Package certificate provides utility functions for TLS certificates.
+package certificate
 
 import (
 	"crypto"
@@ -19,27 +20,23 @@ import (
 	"time"
 )
 
-// CertificateDir maps certificate scopes to certificates.
+// Dir represents a directory of certificates.
-type CertificateStore map[string]tls.Certificate
+// The zero value of Dir is an empty directory ready to use.
-
-// CertificateDir represents a certificate store optionally loaded from a directory.
-// The zero value of CertificateDir is an empty store ready to use.
 //
-// CertificateDir is safe for concurrent use by multiple goroutines.
+// Dir is safe for concurrent use by multiple goroutines.
-type CertificateDir struct {
+type Dir struct {
-	CertificateStore
+	certs map[string]tls.Certificate
-	dir  bool
+	path  *string
-	path string
+	mu    sync.RWMutex
-	mu   sync.RWMutex
 }
 
-// Add adds a certificate for the given scope to the store.
+// Add adds a certificate for the given scope to the directory.
 // It tries to parse the certificate if it is not already parsed.
-func (c *CertificateDir) Add(scope string, cert tls.Certificate) {
+func (d *Dir) Add(scope string, cert tls.Certificate) error {
-	c.mu.Lock()
+	d.mu.Lock()
-	defer c.mu.Unlock()
+	defer d.mu.Unlock()
-	if c.CertificateStore == nil {
+	if d.certs == nil {
-		c.CertificateStore = CertificateStore{}
+		d.certs = map[string]tls.Certificate{}
 	}
 	// Parse certificate if not already parsed
 	if cert.Leaf == nil {
@@ -48,30 +45,26 @@ func (c *CertificateDir) Add(scope string, cert tls.Certificate) {
 			cert.Leaf = parsed
 		}
 	}
-	c.CertificateStore[scope] = cert
-}
 
-// Write writes the provided certificate to the certificate directory.
+	if d.path != nil {
-func (c *CertificateDir) Write(scope string, cert tls.Certificate) error {
-	c.mu.RLock()
-	defer c.mu.RUnlock()
-	if c.dir {
 		// Escape slash character
 		scope = strings.ReplaceAll(scope, "/", ":")
-		certPath := filepath.Join(c.path, scope+".crt")
+		certPath := filepath.Join(*d.path, scope+".crt")
-		keyPath := filepath.Join(c.path, scope+".key")
+		keyPath := filepath.Join(*d.path, scope+".key")
-		if err := WriteCertificate(cert, certPath, keyPath); err != nil {
+		if err := Write(cert, certPath, keyPath); err != nil {
 			return err
 		}
 	}
+
+	d.certs[scope] = cert
 	return nil
 }
 
-// Lookup returns the certificate for the given scope.
+// Lookup returns the certificate for the provided scope.
-func (c *CertificateDir) Lookup(scope string) (tls.Certificate, bool) {
+func (d *Dir) Lookup(scope string) (tls.Certificate, bool) {
-	c.mu.RLock()
+	d.mu.RLock()
-	defer c.mu.RUnlock()
+	defer d.mu.RUnlock()
-	cert, ok := c.CertificateStore[scope]
+	cert, ok := d.certs[scope]
 	return cert, ok
 }
 
@@ -81,7 +74,7 @@ func (c *CertificateDir) Lookup(scope string) (tls.Certificate, bool) {
 // For example, the hostname "localhost" would have the corresponding files
 // localhost.crt (certificate) and localhost.key (private key).
 // New certificates will be written to this directory.
-func (c *CertificateDir) Load(path string) error {
+func (d *Dir) Load(path string) error {
 	matches, err := filepath.Glob(filepath.Join(path, "*.crt"))
 	if err != nil {
 		return err
@@ -95,31 +88,30 @@ func (c *CertificateDir) Load(path string) error {
 		scope := strings.TrimSuffix(filepath.Base(crtPath), ".crt")
 		// Unescape slash character
 		scope = strings.ReplaceAll(scope, ":", "/")
-		c.Add(scope, cert)
+		d.Add(scope, cert)
 	}
-	c.SetDir(path)
+	d.SetPath(path)
 	return nil
 }
 
-// SetDir sets the directory that new certificates will be written to.
+// SetPath sets the directory that new certificates will be written to.
-func (c *CertificateDir) SetDir(path string) {
+func (d *Dir) SetPath(path string) {
-	c.mu.Lock()
+	d.mu.Lock()
-	defer c.mu.Unlock()
+	defer d.mu.Unlock()
-	c.dir = true
+	d.path = &path
-	c.path = path
 }
 
-// CertificateOptions configures the creation of a certificate.
+// CreateOptions configures the creation of a TLS certificate.
-type CertificateOptions struct {
+type CreateOptions struct {
-	// Subject Alternate Name values.
-	// Should contain the IP addresses that the certificate is valid for.
-	IPAddresses []net.IP
-
 	// Subject Alternate Name values.
 	// Should contain the DNS names that this certificate is valid for.
 	// E.g. example.com, *.example.com
 	DNSNames []string
 
+	// Subject Alternate Name values.
+	// Should contain the IP addresses that the certificate is valid for.
+	IPAddresses []net.IP
+
 	// Subject specifies the certificate Subject.
 	//
 	// Subject.CommonName can contain the DNS name that this certificate
@@ -136,8 +128,8 @@ type CertificateOptions struct {
 	Ed25519 bool
 }
 
-// CreateCertificate creates a new TLS certificate.
+// Create creates a new TLS certificate.
-func CreateCertificate(options CertificateOptions) (tls.Certificate, error) {
+func Create(options CreateOptions) (tls.Certificate, error) {
 	crt, priv, err := newX509KeyPair(options)
 	if err != nil {
 		return tls.Certificate{}, err
@@ -150,7 +142,7 @@ func CreateCertificate(options CertificateOptions) (tls.Certificate, error) {
 }
 
 // newX509KeyPair creates and returns a new certificate and private key.
-func newX509KeyPair(options CertificateOptions) (*x509.Certificate, crypto.PrivateKey, error) {
+func newX509KeyPair(options CreateOptions) (*x509.Certificate, crypto.PrivateKey, error) {
 	var pub crypto.PublicKey
 	var priv crypto.PrivateKey
 	if options.Ed25519 {
@@ -206,9 +198,9 @@ func newX509KeyPair(options CertificateOptions) (*x509.Certificate, crypto.Priva
 	return cert, priv, nil
 }
 
-// WriteCertificate writes the provided certificate and private key
+// Write writes the provided certificate and its private key
 // to certPath and keyPath respectively.
-func WriteCertificate(cert tls.Certificate, certPath, keyPath string) error {
+func Write(cert tls.Certificate, certPath, keyPath string) error {
 	certOut, err := os.OpenFile(certPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
 		return err

server.go

@@ -7,6 +7,8 @@ import (
 	"net"
 	"strings"
 	"time"
+
+	"git.sr.ht/~adnano/go-gemini/certificate"
 )
 
 // Server is a Gemini server.
@@ -23,7 +25,7 @@ type Server struct {
 	WriteTimeout time.Duration
 
 	// Certificates contains the certificates used by the server.
-	Certificates CertificateDir
+	Certificates certificate.Dir
 
 	// CreateCertificate, if not nil, will be called to create a new certificate
 	// if the current one is expired or missing.
@@ -157,8 +159,7 @@ func (s *Server) getCertificateFor(hostname string) (*tls.Certificate, error) {
 		if s.CreateCertificate != nil {
 			cert, err := s.CreateCertificate(hostname)
 			if err == nil {
-				s.Certificates.Add(hostname, cert)
+				if err := s.Certificates.Add(hostname, cert); err != nil {
-				if err := s.Certificates.Write(hostname, cert); err != nil {
 					s.logf("gemini: Failed to write new certificate for %s: %s", hostname, err)
 				}
 			}