examples/server: Generate new certificates when they expire

cert.go

@@ -22,10 +22,18 @@ type CertificateStore struct {
 }
 
 // Add adds a certificate for the given hostname to the store.
+// It tries to parse the certificate if it is not already parsed.
 func (c *CertificateStore) Add(hostname string, cert tls.Certificate) {
 	if c.store == nil {
 		c.store = map[string]tls.Certificate{}
 	}
+	// Parse certificate if not already parsed
+	if cert.Leaf == nil {
+		parsed, err := x509.ParseCertificate(cert.Certificate[0])
+		if err == nil {
+			cert.Leaf = parsed
+		}
+	}
 	c.store[hostname] = cert
 }
 
@@ -48,9 +56,6 @@ func (c *CertificateStore) Lookup(hostname string) (*tls.Certificate, error) {
 // For example, the hostname "localhost" would have the corresponding files
 // localhost.crt (certificate) and localhost.key (private key).
 func (c *CertificateStore) Load(path string) error {
-	if c.store == nil {
-		c.store = map[string]tls.Certificate{}
-	}
 	matches, err := filepath.Glob(filepath.Join(path, "*.crt"))
 	if err != nil {
 		return err
@@ -62,7 +67,7 @@ func (c *CertificateStore) Load(path string) error {
 			continue
 		}
 		hostname := strings.TrimSuffix(filepath.Base(crtPath), ".crt")
-		c.store[hostname] = cert
+		c.Add(hostname, cert)
 	}
 	return nil
 }

examples/cert.go

@@ -12,7 +12,7 @@ import (
 func main() {
 	host := "localhost"
 
-	duration := 365 * 24 * time.Hour
+	duration := 2 * time.Minute
 	crt, key, err := gmi.NewRawCertificate(host, duration)
 	if err != nil {
 		log.Fatal(err)

examples/server.go

@@ -3,7 +3,9 @@
 package main
 
 import (
+	"crypto/tls"
 	"log"
+	"time"
 
 	"git.sr.ht/~adnano/gmi"
 )
@@ -13,6 +15,33 @@ func main() {
 	if err := server.CertificateStore.Load("/var/lib/gemini/certs"); err != nil {
 		log.Fatal(err)
 	}
+	server.GetCertificate = func(hostname string, store *gmi.CertificateStore) *tls.Certificate {
+		cert, err := store.Lookup(hostname)
+		if err != nil {
+			switch err {
+			case gmi.ErrInvalidCertificate:
+				log.Print("Old certificate expired, creating new one")
+				// Generate a new certificate if the old one is expired.
+				crt, key, err := gmi.NewRawCertificate(hostname, time.Minute)
+				if err != nil {
+					// Failed to generate new certificate, abort
+					return nil
+				}
+				// Store and return the new certificate
+				err = gmi.WriteX509KeyPair("/var/lib/gemini/certs/"+hostname, crt, key)
+				if err != nil {
+					return nil
+				}
+				newCert, err := tls.X509KeyPair(crt, key)
+				if err != nil {
+					return nil
+				}
+				store.Add(hostname, newCert)
+				return &newCert
+			}
+		}
+		return cert
+	}
 
 	var mux gmi.ServeMux
 	mux.Handle("/", gmi.FileServer(gmi.Dir("/var/www")))

server.go

@@ -33,7 +33,7 @@ type Server struct {
 	// GetCertificate, if not nil, will be called to retrieve the certificate
 	// to use for a given hostname.
 	// If the certificate is nil, the connection will be aborted.
-	GetCertificate func(hostname string) *tls.Certificate
+	GetCertificate func(hostname string, store *CertificateStore) *tls.Certificate
 
 	// registered handlers
 	handlers map[handlerKey]Handler
@@ -96,7 +96,7 @@ func (s *Server) ListenAndServe() error {
 		MinVersion:         tls.VersionTLS12,
 		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
 			if s.GetCertificate != nil {
-				return s.GetCertificate(h.ServerName), nil
+				return s.GetCertificate(h.ServerName, &s.CertificateStore), nil
 			}
 			return s.CertificateStore.Lookup(h.ServerName)
 		},

tofu.go

@@ -7,6 +7,7 @@ import (
 	"crypto/x509"
 	"fmt"
 	"io"
+	"log"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -92,6 +93,7 @@ func (k *KnownHosts) Lookup(hostname string, cert *x509.Certificate) error {
 			// Certificate is expired
 			continue
 		}
+		log.Print(k.hosts[i].Expires, now)
 		if k.hosts[i].Fingerprint == fingerprint {
 			// Fingerprint matches
 			return nil