sashakoshka/go-gemini
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Refactor server certificates

Browse Source
This commit is contained in:
Adnan Maolood 2020-10-28 14:59:45 -04:00
parent 32f22a3e2c
commit 7f0b1fa8a1
4 changed files with 265 additions and 285 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
examples/auth.go
View File

@ -41,7 +41,7 @@ func main() {
mux.HandleFunc("/logout", logout) mux.HandleFunc("/logout", logout)
var server gemini.Server var server gemini.Server
if err := server.CertificateStore.Load("/var/lib/gemini/certs"); err != nil { if err := server.Certificates.Load("/var/lib/gemini/certs"); err != nil {
log.Fatal(err) log.Fatal(err)
} }
server.Register("localhost", &mux) server.Register("localhost", &mux)

82
examples/server.go
View File

@ -3,54 +3,38 @@
package main package main
import ( import (
"bytes" "crypto"
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"encoding/pem" "encoding/pem"
"io"
"log" "log"
"os" "os"
"time" "time"
gmi "git.sr.ht/~adnano/go-gemini" "git.sr.ht/~adnano/go-gemini"
) )
func main() { func main() {
var server gmi.Server var server gemini.Server
if err := server.CertificateStore.Load("/var/lib/gemini/certs"); err != nil { if err := server.Certificates.Load("/var/lib/gemini/certs"); err != nil {
log.Fatal(err) log.Fatal(err)
} }
server.GetCertificate = func(hostname string, store *gmi.CertificateStore) *tls.Certificate { server.CreateCertificate = func(hostname string) (tls.Certificate, error) {
cert, err := store.Lookup(hostname) fmt.Println("Generating certificate for", hostname)
if err != nil { cert, err := gemini.CreateCertificate(gemini.CertificateOptions{
switch err {
case gmi.ErrCertificateExpired:
// Generate a new certificate if the current one is expired.
log.Print("Old certificate expired, creating new one")
fallthrough
case gmi.ErrCertificateUnknown:
// Generate a certificate if one does not exist.
cert, err := gmi.CreateCertificate(gmi.CertificateOptions{
DNSNames: []string{hostname}, DNSNames: []string{hostname},
Duration: time.Hour, Duration: time.Minute, // for testing purposes
}) })
if err != nil { if err == nil {
// Failed to generate new certificate, abort // Write the new certificate to disk
return nil
}
// Store and return the new certificate
err = writeCertificate("/var/lib/gemini/certs/"+hostname, cert) err = writeCertificate("/var/lib/gemini/certs/"+hostname, cert)
if err != nil {
return nil
} }
store.Add(hostname, cert) return cert, err
return &cert
}
}
return cert
} }
var mux gmi.ServeMux var mux gemini.ServeMux
mux.Handle("/", gmi.FileServer(gmi.Dir("/var/www"))) mux.Handle("/", gemini.FileServer(gemini.Dir("/var/www")))
server.Register("localhost", &mux) server.Register("localhost", &mux)
if err := server.ListenAndServe(); err != nil { if err := server.ListenAndServe(); err != nil {
@ -61,22 +45,13 @@ func main() {
// writeCertificate writes the provided certificate and private key // writeCertificate writes the provided certificate and private key
// to path.crt and path.key respectively. // to path.crt and path.key respectively.
func writeCertificate(path string, cert tls.Certificate) error { func writeCertificate(path string, cert tls.Certificate) error {
crt, err := marshalX509Certificate(cert.Leaf.Raw)
if err != nil {
return err
}
key, err := marshalPrivateKey(cert.PrivateKey)
if err != nil {
return err
}
// Write the certificate // Write the certificate
crtPath := path + ".crt" crtPath := path + ".crt"
crtOut, err := os.OpenFile(crtPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) crtOut, err := os.OpenFile(crtPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil { if err != nil {
return err return err
} }
if _, err := crtOut.Write(crt); err != nil { if err := marshalX509Certificate(crtOut, cert.Leaf.Raw); err != nil {
return err return err
} }
@ -86,30 +61,19 @@ func writeCertificate(path string, cert tls.Certificate) error {
if err != nil { if err != nil {
return err return err
} }
if _, err := keyOut.Write(key); err != nil { return marshalPrivateKey(keyOut, cert.PrivateKey)
return err
}
return nil
} }
// marshalX509Certificate returns a PEM-encoded version of the given raw certificate. // marshalX509Certificate writes a PEM-encoded version of the given certificate.
func marshalX509Certificate(cert []byte) ([]byte, error) { func marshalX509Certificate(w io.Writer, cert []byte) error {
var b bytes.Buffer return pem.Encode(w, &pem.Block{Type: "CERTIFICATE", Bytes: cert})
if err := pem.Encode(&b, &pem.Block{Type: "CERTIFICATE", Bytes: cert}); err != nil {
return nil, err
}
return b.Bytes(), nil
} }
// marshalPrivateKey returns PEM encoded versions of the given certificate and private key. // marshalPrivateKey writes a PEM-encoded version of the given private key.
func marshalPrivateKey(priv interface{}) ([]byte, error) { func marshalPrivateKey(w io.Writer, priv crypto.PrivateKey) error {
var b bytes.Buffer
privBytes, err := x509.MarshalPKCS8PrivateKey(priv) privBytes, err := x509.MarshalPKCS8PrivateKey(priv)
if err != nil { if err != nil {
return nil, err return err
} }
if err := pem.Encode(&b, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes}); err != nil { return pem.Encode(w, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes})
return nil, err
}
return b.Bytes(), nil
} }

210
mux.go Normal file
View File

@ -0,0 +1,210 @@
package gemini
import (
"net/url"
"path"
"sort"
"strings"
"sync"
)
// The following code is modified from the net/http package.
// Copyright 2009 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// ServeMux is a Gemini request multiplexer.
// It matches the URL of each incoming request against a list of registered
// patterns and calls the handler for the pattern that
// most closely matches the URL.
//
// Patterns name fixed, rooted paths, like "/favicon.ico",
// or rooted subtrees, like "/images/" (note the trailing slash).
// Longer patterns take precedence over shorter ones, so that
// if there are handlers registered for both "/images/"
// and "/images/thumbnails/", the latter handler will be
// called for paths beginning "/images/thumbnails/" and the
// former will receive requests for any other paths in the
// "/images/" subtree.
//
// Note that since a pattern ending in a slash names a rooted subtree,
// the pattern "/" matches all paths not matched by other registered
// patterns, not just the URL with Path == "/".
//
// If a subtree has been registered and a request is received naming the
// subtree root without its trailing slash, ServeMux redirects that
// request to the subtree root (adding the trailing slash). This behavior can
// be overridden with a separate registration for the path without
// the trailing slash. For example, registering "/images/" causes ServeMux
// to redirect a request for "/images" to "/images/", unless "/images" has
// been registered separately.
//
// ServeMux also takes care of sanitizing the URL request path and
// redirecting any request containing . or .. elements or repeated slashes
// to an equivalent, cleaner URL.
type ServeMux struct {
mu sync.RWMutex
m map[string]muxEntry
es []muxEntry // slice of entries sorted from longest to shortest.
}
type muxEntry struct {
r Responder
pattern string
}
// cleanPath returns the canonical path for p, eliminating . and .. elements.
func cleanPath(p string) string {
if p == "" {
return "/"
}
if p[0] != '/' {
p = "/" + p
}
np := path.Clean(p)
// path.Clean removes trailing slash except for root;
// put the trailing slash back if necessary.
if p[len(p)-1] == '/' && np != "/" {
// Fast path for common case of p being the string we want:
if len(p) == len(np)+1 && strings.HasPrefix(p, np) {
np = p
} else {
np += "/"
}
}
return np
}
// Find a handler on a handler map given a path string.
// Most-specific (longest) pattern wins.
func (mux *ServeMux) match(path string) Responder {
// Check for exact match first.
v, ok := mux.m[path]
if ok {
return v.r
}
// Check for longest valid match. mux.es contains all patterns
// that end in / sorted from longest to shortest.
for _, e := range mux.es {
if strings.HasPrefix(path, e.pattern) {
return e.r
}
}
return nil
}
// redirectToPathSlash determines if the given path needs appending "/" to it.
// This occurs when a handler for path + "/" was already registered, but
// not for path itself. If the path needs appending to, it creates a new
// URL, setting the path to u.Path + "/" and returning true to indicate so.
func (mux *ServeMux) redirectToPathSlash(path string, u *url.URL) (*url.URL, bool) {
mux.mu.RLock()
shouldRedirect := mux.shouldRedirectRLocked(path)
mux.mu.RUnlock()
if !shouldRedirect {
return u, false
}
path = path + "/"
u = &url.URL{Path: path, RawQuery: u.RawQuery}
return u, true
}
// shouldRedirectRLocked reports whether the given path and host should be redirected to
// path+"/". This should happen if a handler is registered for path+"/" but
// not path -- see comments at ServeMux.
func (mux *ServeMux) shouldRedirectRLocked(path string) bool {
if _, exist := mux.m[path]; exist {
return false
}
n := len(path)
if n == 0 {
return false
}
if _, exist := mux.m[path+"/"]; exist {
return path[n-1] != '/'
}
return false
}
// Respond dispatches the request to the responder whose
// pattern most closely matches the request URL.
func (mux *ServeMux) Respond(w *ResponseWriter, r *Request) {
path := cleanPath(r.URL.Path)
// If the given path is /tree and its handler is not registered,
// redirect for /tree/.
if u, ok := mux.redirectToPathSlash(path, r.URL); ok {
Redirect(w, u.String())
return
}
if path != r.URL.Path {
u := *r.URL
u.Path = path
Redirect(w, u.String())
return
}
mux.mu.RLock()
defer mux.mu.RUnlock()
resp := mux.match(path)
if resp == nil {
w.WriteStatus(StatusNotFound)
return
}
resp.Respond(w, r)
}
// Handle registers the responder for the given pattern.
// If a responder already exists for pattern, Handle panics.
func (mux *ServeMux) Handle(pattern string, responder Responder) {
mux.mu.Lock()
defer mux.mu.Unlock()
if pattern == "" {
panic("gemini: invalid pattern")
}
if responder == nil {
panic("gemini: nil responder")
}
if _, exist := mux.m[pattern]; exist {
panic("gemini: multiple registrations for " + pattern)
}
if mux.m == nil {
mux.m = make(map[string]muxEntry)
}
e := muxEntry{responder, pattern}
mux.m[pattern] = e
if pattern[len(pattern)-1] == '/' {
mux.es = appendSorted(mux.es, e)
}
}
func appendSorted(es []muxEntry, e muxEntry) []muxEntry {
n := len(es)
i := sort.Search(n, func(i int) bool {
return len(es[i].pattern) < len(e.pattern)
})
if i == n {
return append(es, e)
}
// we now know that i points at where we want to insert
es = append(es, muxEntry{}) // try to grow the slice in place, any entry works.
copy(es[i+1:], es[i:]) // move shorter entries down
es[i] = e
return es
}
// HandleFunc registers the responder function for the given pattern.
func (mux *ServeMux) HandleFunc(pattern string, responder func(*ResponseWriter, *Request)) {
if responder == nil {
panic("gemini: nil responder")
}
mux.Handle(pattern, ResponderFunc(responder))
}

246
server.go
View File

@ -7,11 +7,8 @@ import (
"log" "log"
"net" "net"
"net/url" "net/url"
"path"
"sort"
"strconv" "strconv"
"strings" "strings"
"sync"
"time" "time"
) )
@ -21,13 +18,12 @@ type Server struct {
// If Addr is empty, the server will listen on the address ":1965". // If Addr is empty, the server will listen on the address ":1965".
Addr string Addr string
// CertificateStore contains the certificates used by the server. // Certificates contains the certificates used by the server.
CertificateStore CertificateStore Certificates CertificateStore
// GetCertificate, if not nil, will be called to retrieve the certificate // CreateCertificate, if not nil, will be called to create a new certificate
// to use for a given hostname. // if the current one is expired or missing.
// If the certificate is nil, the connection will be aborted. CreateCertificate func(hostname string) (tls.Certificate, error)
GetCertificate func(hostname string, store *CertificateStore) *tls.Certificate
// registered responders // registered responders
responders map[responderKey]Responder responders map[responderKey]Responder
@ -69,6 +65,9 @@ func (s *Server) Register(pattern string, responder Responder) {
key.wildcard = true key.wildcard = true
} }
if _, ok := s.responders[key]; ok {
panic("gemini: multiple registrations for " + pattern)
}
s.responders[key] = responder s.responders[key] = responder
} }
@ -90,18 +89,11 @@ func (s *Server) ListenAndServe() error {
} }
defer ln.Close() defer ln.Close()
config := &tls.Config{ return s.Serve(tls.NewListener(ln, &tls.Config{
ClientAuth: tls.RequestClientCert, ClientAuth: tls.RequestClientCert,
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) { GetCertificate: s.getCertificate,
if s.GetCertificate != nil { }))
return s.GetCertificate(h.ServerName, &s.CertificateStore), nil
}
return s.CertificateStore.Lookup(h.ServerName)
},
}
tlsListener := tls.NewListener(ln, config)
return s.Serve(tlsListener)
} }
// Serve listens for requests on the provided listener. // Serve listens for requests on the provided listener.
@ -135,6 +127,21 @@ func (s *Server) Serve(l net.Listener) error {
} }
} }
func (s *Server) getCertificate(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
cert, err := s.Certificates.Lookup(h.ServerName)
switch err {
case ErrCertificateExpired, ErrCertificateUnknown:
if s.CreateCertificate != nil {
cert, err := s.CreateCertificate(h.ServerName)
if err == nil {
s.Certificates.Add(h.ServerName, cert)
}
return &cert, err
}
}
return cert, err
}
// respond responds to a connection. // respond responds to a connection.
func (s *Server) respond(conn net.Conn) { func (s *Server) respond(conn net.Conn) {
r := bufio.NewReader(conn) r := bufio.NewReader(conn)
@ -317,204 +324,3 @@ type ResponderFunc func(*ResponseWriter, *Request)
func (f ResponderFunc) Respond(w *ResponseWriter, r *Request) { func (f ResponderFunc) Respond(w *ResponseWriter, r *Request) {
f(w, r) f(w, r)
} }
// The following code is modified from the net/http package.
// Copyright 2009 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// ServeMux is a Gemini request multiplexer.
// It matches the URL of each incoming request against a list of registered
// patterns and calls the handler for the pattern that
// most closely matches the URL.
//
// Patterns name fixed, rooted paths, like "/favicon.ico",
// or rooted subtrees, like "/images/" (note the trailing slash).
// Longer patterns take precedence over shorter ones, so that
// if there are handlers registered for both "/images/"
// and "/images/thumbnails/", the latter handler will be
// called for paths beginning "/images/thumbnails/" and the
// former will receive requests for any other paths in the
// "/images/" subtree.
//
// Note that since a pattern ending in a slash names a rooted subtree,
// the pattern "/" matches all paths not matched by other registered
// patterns, not just the URL with Path == "/".
//
// If a subtree has been registered and a request is received naming the
// subtree root without its trailing slash, ServeMux redirects that
// request to the subtree root (adding the trailing slash). This behavior can
// be overridden with a separate registration for the path without
// the trailing slash. For example, registering "/images/" causes ServeMux
// to redirect a request for "/images" to "/images/", unless "/images" has
// been registered separately.
//
// ServeMux also takes care of sanitizing the URL request path and
// redirecting any request containing . or .. elements or repeated slashes
// to an equivalent, cleaner URL.
type ServeMux struct {
mu sync.RWMutex
m map[string]muxEntry
es []muxEntry // slice of entries sorted from longest to shortest.
}
type muxEntry struct {
r Responder
pattern string
}
// cleanPath returns the canonical path for p, eliminating . and .. elements.
func cleanPath(p string) string {
if p == "" {
return "/"
}
if p[0] != '/' {
p = "/" + p
}
np := path.Clean(p)
// path.Clean removes trailing slash except for root;
// put the trailing slash back if necessary.
if p[len(p)-1] == '/' && np != "/" {
// Fast path for common case of p being the string we want:
if len(p) == len(np)+1 && strings.HasPrefix(p, np) {
np = p
} else {
np += "/"
}
}
return np
}
// Find a handler on a handler map given a path string.
// Most-specific (longest) pattern wins.
func (mux *ServeMux) match(path string) Responder {
// Check for exact match first.
v, ok := mux.m[path]
if ok {
return v.r
}
// Check for longest valid match. mux.es contains all patterns
// that end in / sorted from longest to shortest.
for _, e := range mux.es {
if strings.HasPrefix(path, e.pattern) {
return e.r
}
}
return nil
}
// redirectToPathSlash determines if the given path needs appending "/" to it.
// This occurs when a handler for path + "/" was already registered, but
// not for path itself. If the path needs appending to, it creates a new
// URL, setting the path to u.Path + "/" and returning true to indicate so.
func (mux *ServeMux) redirectToPathSlash(path string, u *url.URL) (*url.URL, bool) {
mux.mu.RLock()
shouldRedirect := mux.shouldRedirectRLocked(path)
mux.mu.RUnlock()
if !shouldRedirect {
return u, false
}
path = path + "/"
u = &url.URL{Path: path, RawQuery: u.RawQuery}
return u, true
}
// shouldRedirectRLocked reports whether the given path and host should be redirected to
// path+"/". This should happen if a handler is registered for path+"/" but
// not path -- see comments at ServeMux.
func (mux *ServeMux) shouldRedirectRLocked(path string) bool {
if _, exist := mux.m[path]; exist {
return false
}
n := len(path)
if n == 0 {
return false
}
if _, exist := mux.m[path+"/"]; exist {
return path[n-1] != '/'
}
return false
}
// Respond dispatches the request to the responder whose
// pattern most closely matches the request URL.
func (mux *ServeMux) Respond(w *ResponseWriter, r *Request) {
path := cleanPath(r.URL.Path)
// If the given path is /tree and its handler is not registered,
// redirect for /tree/.
if u, ok := mux.redirectToPathSlash(path, r.URL); ok {
Redirect(w, u.String())
return
}
if path != r.URL.Path {
u := *r.URL
u.Path = path
Redirect(w, u.String())
return
}
mux.mu.RLock()
defer mux.mu.RUnlock()
resp := mux.match(path)
if resp == nil {
w.WriteStatus(StatusNotFound)
return
}
resp.Respond(w, r)
}
// Handle registers the responder for the given pattern.
// If a responder already exists for pattern, Handle panics.
func (mux *ServeMux) Handle(pattern string, responder Responder) {
mux.mu.Lock()
defer mux.mu.Unlock()
if pattern == "" {
panic("gemini: invalid pattern")
}
if responder == nil {
panic("gemini: nil responder")
}
if _, exist := mux.m[pattern]; exist {
panic("gemini: multiple registrations for " + pattern)
}
if mux.m == nil {
mux.m = make(map[string]muxEntry)
}
e := muxEntry{responder, pattern}
mux.m[pattern] = e
if pattern[len(pattern)-1] == '/' {
mux.es = appendSorted(mux.es, e)
}
}
func appendSorted(es []muxEntry, e muxEntry) []muxEntry {
n := len(es)
i := sort.Search(n, func(i int) bool {
return len(es[i].pattern) < len(e.pattern)
})
if i == n {
return append(es, e)
}
// we now know that i points at where we want to insert
es = append(es, muxEntry{}) // try to grow the slice in place, any entry works.
copy(es[i+1:], es[i:]) // move shorter entries down
es[i] = e
return es
}
// HandleFunc registers the responder function for the given pattern.
func (mux *ServeMux) HandleFunc(pattern string, responder func(*ResponseWriter, *Request)) {
if responder == nil {
panic("gemini: nil responder")
}
mux.Handle(pattern, ResponderFunc(responder))
}