diff --git a/cert.go b/cert.go index c242b96..dad45f3 100644 --- a/cert.go +++ b/cert.go @@ -22,10 +22,18 @@ type CertificateStore struct { } // Add adds a certificate for the given hostname to the store. +// It tries to parse the certificate if it is not already parsed. func (c *CertificateStore) Add(hostname string, cert tls.Certificate) { if c.store == nil { c.store = map[string]tls.Certificate{} } + // Parse certificate if not already parsed + if cert.Leaf == nil { + parsed, err := x509.ParseCertificate(cert.Certificate[0]) + if err == nil { + cert.Leaf = parsed + } + } c.store[hostname] = cert } @@ -48,9 +56,6 @@ func (c *CertificateStore) Lookup(hostname string) (*tls.Certificate, error) { // For example, the hostname "localhost" would have the corresponding files // localhost.crt (certificate) and localhost.key (private key). func (c *CertificateStore) Load(path string) error { - if c.store == nil { - c.store = map[string]tls.Certificate{} - } matches, err := filepath.Glob(filepath.Join(path, "*.crt")) if err != nil { return err @@ -62,7 +67,7 @@ func (c *CertificateStore) Load(path string) error { continue } hostname := strings.TrimSuffix(filepath.Base(crtPath), ".crt") - c.store[hostname] = cert + c.Add(hostname, cert) } return nil } diff --git a/examples/cert.go b/examples/cert.go index 4c08578..d6ab53b 100644 --- a/examples/cert.go +++ b/examples/cert.go @@ -12,7 +12,7 @@ import ( func main() { host := "localhost" - duration := 365 * 24 * time.Hour + duration := 2 * time.Minute crt, key, err := gmi.NewRawCertificate(host, duration) if err != nil { log.Fatal(err) diff --git a/examples/server.go b/examples/server.go index a4ed808..2385c95 100644 --- a/examples/server.go +++ b/examples/server.go @@ -3,7 +3,9 @@ package main import ( + "crypto/tls" "log" + "time" "git.sr.ht/~adnano/gmi" ) @@ -13,6 +15,33 @@ func main() { if err := server.CertificateStore.Load("/var/lib/gemini/certs"); err != nil { log.Fatal(err) } + server.GetCertificate = func(hostname string, store *gmi.CertificateStore) *tls.Certificate { + cert, err := store.Lookup(hostname) + if err != nil { + switch err { + case gmi.ErrInvalidCertificate: + log.Print("Old certificate expired, creating new one") + // Generate a new certificate if the old one is expired. + crt, key, err := gmi.NewRawCertificate(hostname, time.Minute) + if err != nil { + // Failed to generate new certificate, abort + return nil + } + // Store and return the new certificate + err = gmi.WriteX509KeyPair("/var/lib/gemini/certs/"+hostname, crt, key) + if err != nil { + return nil + } + newCert, err := tls.X509KeyPair(crt, key) + if err != nil { + return nil + } + store.Add(hostname, newCert) + return &newCert + } + } + return cert + } var mux gmi.ServeMux mux.Handle("/", gmi.FileServer(gmi.Dir("/var/www"))) diff --git a/server.go b/server.go index a568aed..35c3f4b 100644 --- a/server.go +++ b/server.go @@ -33,7 +33,7 @@ type Server struct { // GetCertificate, if not nil, will be called to retrieve the certificate // to use for a given hostname. // If the certificate is nil, the connection will be aborted. - GetCertificate func(hostname string) *tls.Certificate + GetCertificate func(hostname string, store *CertificateStore) *tls.Certificate // registered handlers handlers map[handlerKey]Handler @@ -96,7 +96,7 @@ func (s *Server) ListenAndServe() error { MinVersion: tls.VersionTLS12, GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) { if s.GetCertificate != nil { - return s.GetCertificate(h.ServerName), nil + return s.GetCertificate(h.ServerName, &s.CertificateStore), nil } return s.CertificateStore.Lookup(h.ServerName) }, diff --git a/tofu.go b/tofu.go index 356e31b..bcbc41a 100644 --- a/tofu.go +++ b/tofu.go @@ -7,6 +7,7 @@ import ( "crypto/x509" "fmt" "io" + "log" "os" "path/filepath" "strconv" @@ -92,6 +93,7 @@ func (k *KnownHosts) Lookup(hostname string, cert *x509.Certificate) error { // Certificate is expired continue } + log.Print(k.hosts[i].Expires, now) if k.hosts[i].Fingerprint == fingerprint { // Fingerprint matches return nil