Revert "certificate: Remove Subject from CreateOptions"

This reverts commit ce649ecc66.

certificate/store.go

@@ -6,53 +6,58 @@ import (
 	"crypto/x509/pkix"
 	"errors"
 	"fmt"
+	"io/fs"
+	"os"
+	"path"
 	"path/filepath"
 	"strings"
 	"sync"
 	"time"
 )
 
-// A Store represents a certificate store.
-// It generates certificates as needed and automatically rotates expired certificates.
+// A Store represents a TLS certificate store.
 // The zero value for Store is an empty store ready to use.
 //
-// Certificate scopes must be registered with Register before calling Get or Load.
-// This prevents the Store from creating or loading unnecessary certificates.
+// Store can be used to store server certificates.
+// Servers should provide a hostname or wildcard pattern as a certificate scope.
+// Servers will most likely use the methods Register, Load and Get.
+//
+// Store can also be used to store client certificates.
+// Clients should provide the hostname and path of a URL as a certificate scope
+// (without a trailing slash).
+// Clients will most likely use the methods Add, Load, and Lookup.
 //
 // Store is safe for concurrent use by multiple goroutines.
 type Store struct {
-	// CreateCertificate, if not nil, is called to create a new certificate
-	// to replace a missing or expired certificate. If CreateCertificate
-	// is nil, a certificate with a duration of 1 year will be created.
+	// CreateCertificate, if not nil, is called by Get to create a new
+	// certificate to replace a missing or expired certificate.
 	// The provided scope is suitable for use in a certificate's DNSNames.
 	CreateCertificate func(scope string) (tls.Certificate, error)
 
-	certs map[string]tls.Certificate
-	path  string
-	mu    sync.RWMutex
+	scopes map[string]struct{}
+	certs  map[string]tls.Certificate
+	path   string
+	mu     sync.RWMutex
 }
 
 // Register registers the provided scope with the certificate store.
 // The scope can either be a hostname or a wildcard pattern (e.g. "*.example.com").
 // To accept all hostnames, use the special pattern "*".
+//
+// Calls to Get will only succeed for registered scopes.
+// Other methods are not affected.
 func (s *Store) Register(scope string) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	if s.certs == nil {
-		s.certs = make(map[string]tls.Certificate)
+	if s.scopes == nil {
+		s.scopes = make(map[string]struct{})
 	}
-	s.certs[scope] = tls.Certificate{}
+	s.scopes[scope] = struct{}{}
 }
 
-// Add adds a certificate with the given scope to the certificate store.
-// If a certificate for the given scope already exists, Add will overwrite it.
+// Add registers the certificate for the given scope.
+// If a certificate already exists for scope, Add will overwrite it.
 func (s *Store) Add(scope string, cert tls.Certificate) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	if s.certs == nil {
-		s.certs = make(map[string]tls.Certificate)
-	}
-
 	// Parse certificate if not already parsed
 	if cert.Leaf == nil {
 		parsed, err := x509.ParseCertificate(cert.Certificate[0])
@@ -62,42 +67,64 @@ func (s *Store) Add(scope string, cert tls.Certificate) error {
 		cert.Leaf = parsed
 	}
 
+	if err := s.write(scope, cert); err != nil {
+		return err
+	}
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if s.certs == nil {
+		s.certs = make(map[string]tls.Certificate)
+	}
+	s.certs[scope] = cert
+	return nil
+}
+
+func (s *Store) write(scope string, cert tls.Certificate) error {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
 	if s.path != "" {
 		certPath := filepath.Join(s.path, scope+".crt")
 		keyPath := filepath.Join(s.path, scope+".key")
+
+		dir := filepath.Dir(certPath)
+		os.MkdirAll(dir, 0755)
+
 		if err := Write(cert, certPath, keyPath); err != nil {
 			return err
 		}
 	}
-
-	s.certs[scope] = cert
 	return nil
 }
 
 // Get retrieves a certificate for the given hostname.
 // If no matching scope has been registered, Get returns an error.
 // Get generates new certificates as needed and rotates expired certificates.
+// It calls CreateCertificate to create a new certificate if it is not nil,
+// otherwise it creates certificates with a duration of 250 years.
 //
 // Get is suitable for use in a gemini.Server's GetCertificate field.
 func (s *Store) Get(hostname string) (*tls.Certificate, error) {
 	s.mu.RLock()
-	defer s.mu.RUnlock()
-	cert, ok := s.certs[hostname]
+	_, ok := s.scopes[hostname]
 	if !ok {
 		// Try wildcard
 		wildcard := strings.SplitN(hostname, ".", 2)
 		if len(wildcard) == 2 {
 			hostname = "*." + wildcard[1]
-			cert, ok = s.certs[hostname]
+			_, ok = s.scopes[hostname]
 		}
 	}
 	if !ok {
 		// Try "*"
-		cert, ok = s.certs["*"]
+		_, ok = s.scopes["*"]
 	}
 	if !ok {
+		s.mu.RUnlock()
 		return nil, errors.New("unrecognized scope")
 	}
+	cert := s.certs[hostname]
+	s.mu.RUnlock()
 
 	// If the certificate is empty or expired, generate a new one.
 	if cert.Leaf == nil || cert.Leaf.NotAfter.Before(time.Now()) {
@@ -114,6 +141,29 @@ func (s *Store) Get(hostname string) (*tls.Certificate, error) {
 	return &cert, nil
 }
 
+// Lookup returns the certificate for the provided scope.
+// Lookup also checks for certificates in parent scopes.
+// For example, given the scope "example.com/a/b/c", Lookup will first check
+// "example.com/a/b/c", then "example.com/a/b", then "example.com/a", and
+// finally "example.com" for a certificate. As a result, a certificate with
+// scope "example.com" will match all scopes beginning with "example.com".
+func (s *Store) Lookup(scope string) (tls.Certificate, bool) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	cert, ok := s.certs[scope]
+	if !ok {
+		scope = path.Dir(scope)
+		for scope != "." {
+			cert, ok = s.certs[scope]
+			if ok {
+				break
+			}
+			scope = path.Dir(scope)
+		}
+	}
+	return cert, ok
+}
+
 func (s *Store) createCertificate(scope string) (tls.Certificate, error) {
 	if s.CreateCertificate != nil {
 		return s.CreateCertificate(scope)
@@ -123,7 +173,7 @@ func (s *Store) createCertificate(scope string) (tls.Certificate, error) {
 		Subject: pkix.Name{
 			CommonName: scope,
 		},
-		Duration: 365 * 24 * time.Hour,
+		Duration: 250 * 365 * 24 * time.Hour,
 	})
 }
 
@@ -132,29 +182,34 @@ func (s *Store) createCertificate(scope string) (tls.Certificate, error) {
 // The path should lead to a directory containing certificates
 // and private keys named "scope.crt" and "scope.key" respectively,
 // where "scope" is the scope of the certificate.
-// Certificates with scopes that have not been registered will be ignored.
 func (s *Store) Load(path string) error {
-	matches, err := filepath.Glob(filepath.Join(path, "*.crt"))
-	if err != nil {
-		return err
-	}
+	matches := findCertificates(path)
 	for _, crtPath := range matches {
-		scope := strings.TrimSuffix(filepath.Base(crtPath), ".crt")
-		if _, ok := s.certs[scope]; !ok {
-			continue
-		}
-
 		keyPath := strings.TrimSuffix(crtPath, ".crt") + ".key"
 		cert, err := tls.LoadX509KeyPair(crtPath, keyPath)
 		if err != nil {
 			continue
 		}
+
+		scope := strings.TrimPrefix(crtPath, path)
+		scope = strings.TrimPrefix(scope, "/")
+		scope = strings.TrimSuffix(scope, ".crt")
 		s.Add(scope, cert)
 	}
 	s.SetPath(path)
 	return nil
 }
 
+func findCertificates(path string) (matches []string) {
+	filepath.Walk(path, func(path string, _ fs.FileInfo, err error) error {
+		if filepath.Ext(path) == ".crt" {
+			matches = append(matches, path)
+		}
+		return nil
+	})
+	return
+}
+
 // Entries returns a map of scopes to certificates.
 func (s *Store) Entries() map[string]tls.Certificate {
 	s.mu.RLock()

client.go

@@ -6,7 +6,6 @@ import (
 	"crypto/x509"
 	"net"
 	"net/url"
-	"time"
 	"unicode/utf8"
 
 	"golang.org/x/net/idna"
@@ -153,7 +152,7 @@ func (c *Client) do(ctx context.Context, conn net.Conn, req *Request) (*Response
 	}
 
 	// Write the request
-	if err := req.Write(w); err != nil {
+	if _, err := req.WriteTo(w); err != nil {
 		return nil, err
 	}
 
@@ -176,14 +175,6 @@ func (c *Client) dialContext(ctx context.Context, network, addr string) (net.Con
 
 func (c *Client) verifyConnection(cs tls.ConnectionState, hostname string) error {
 	cert := cs.PeerCertificates[0]
-	// Verify hostname
-	if err := verifyHostname(cert, hostname); err != nil {
-		return err
-	}
-	// Check expiration date
-	if !time.Now().Before(cert.NotAfter) {
-		return ErrCertificateExpired
-	}
 	// See if the client trusts the certificate
 	if c.TrustCertificate != nil {
 		return c.TrustCertificate(hostname, cert)

doc.go

@@ -9,7 +9,7 @@ Client is a Gemini client.
 	if err != nil {
 		// handle error
 	}
-	defer resp.Close()
+	defer resp.Body.Close()
 	// ...
 
 Server is a Gemini server.

examples/client.go

@@ -16,7 +16,6 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
-	"time"
 
 	"git.sr.ht/~adnano/go-gemini"
 	"git.sr.ht/~adnano/go-gemini/tofu"
@@ -61,10 +60,9 @@ Otherwise, this should be safe to trust.
 => `
 
 func trustCertificate(hostname string, cert *x509.Certificate) error {
-	host := tofu.NewHost(hostname, cert.Raw, cert.NotAfter)
-
+	host := tofu.NewHost(hostname, cert.Raw)
 	knownHost, ok := hosts.Lookup(hostname)
-	if ok && time.Now().Before(knownHost.Expires) {
+	if ok {
 		// Check fingerprint
 		if bytes.Equal(knownHost.Fingerprint, host.Fingerprint) {
 			return nil
@@ -103,9 +101,9 @@ func do(req *gemini.Request, via []*gemini.Request) (*gemini.Response, error) {
 		return resp, err
 	}
 
-	switch resp.Status().Class() {
+	switch resp.Status.Class() {
 	case gemini.StatusInput:
-		input, ok := getInput(resp.Meta(), resp.Status() == gemini.StatusSensitiveInput)
+		input, ok := getInput(resp.Meta, resp.Status == gemini.StatusSensitiveInput)
 		if !ok {
 			break
 		}
@@ -119,7 +117,7 @@ func do(req *gemini.Request, via []*gemini.Request) (*gemini.Response, error) {
 			return resp, errors.New("too many redirects")
 		}
 
-		target, err := url.Parse(resp.Meta())
+		target, err := url.Parse(resp.Meta)
 		if err != nil {
 			return resp, err
 		}
@@ -153,11 +151,11 @@ func main() {
 		fmt.Println(err)
 		os.Exit(1)
 	}
-	defer resp.Close()
+	defer resp.Body.Close()
 
 	// Handle response
-	if resp.Status().Class() == gemini.StatusSuccess {
-		_, err := io.Copy(os.Stdout, resp)
+	if resp.Status.Class() == gemini.StatusSuccess {
+		_, err := io.Copy(os.Stdout, resp.Body)
 		if err != nil {
 			log.Fatal(err)
 		}

examples/server.go

@@ -26,7 +26,7 @@ func main() {
 	mux.Handle("/", gemini.FileServer(os.DirFS("/var/www")))
 
 	server := &gemini.Server{
-		Handler:        logMiddleware(mux),
+		Handler:        LoggingMiddleware(mux),
 		ReadTimeout:    30 * time.Second,
 		WriteTimeout:   1 * time.Minute,
 		GetCertificate: certificates.Get,
@@ -57,22 +57,21 @@ func main() {
 	}
 }
 
-func logMiddleware(h gemini.Handler) gemini.Handler {
+func LoggingMiddleware(h gemini.Handler) gemini.Handler {
 	return gemini.HandlerFunc(func(ctx context.Context, w gemini.ResponseWriter, r *gemini.Request) {
 		lw := &logResponseWriter{rw: w}
 		h.ServeGemini(ctx, lw, r)
 		host := r.TLS().ServerName
-		log.Printf("gemini: %s %q %d %d", host, r.URL, lw.status, lw.wrote)
+		log.Printf("gemini: %s %q %d %d", host, r.URL, lw.Status, lw.Wrote)
 	})
 }
 
 type logResponseWriter struct {
+	Status      gemini.Status
+	Wrote       int
 	rw          gemini.ResponseWriter
-	status      gemini.Status
-	meta        string
 	mediatype   string
 	wroteHeader bool
-	wrote       int
 }
 
 func (w *logResponseWriter) SetMediaType(mediatype string) {
@@ -84,7 +83,7 @@ func (w *logResponseWriter) Write(b []byte) (int, error) {
 		w.WriteHeader(gemini.StatusSuccess, w.mediatype)
 	}
 	n, err := w.rw.Write(b)
-	w.wrote += n
+	w.Wrote += n
 	return n, err
 }
 
@@ -92,17 +91,12 @@ func (w *logResponseWriter) WriteHeader(status gemini.Status, meta string) {
 	if w.wroteHeader {
 		return
 	}
-	w.status = status
-	w.meta = meta
 	w.wroteHeader = true
+	w.Status = status
+	w.Wrote += len(meta) + 5
 	w.rw.WriteHeader(status, meta)
-	w.wrote += len(meta) + 5
 }
 
 func (w *logResponseWriter) Flush() error {
 	return nil
 }
-
-func (w *logResponseWriter) Close() error {
-	return nil
-}

fs.go

@@ -1,5 +1,3 @@
-// +build go1.16
-
 package gemini
 
 import (

gemini.go

@@ -18,8 +18,6 @@ var (
 	ErrInvalidRequest  = errors.New("gemini: invalid request")
 	ErrInvalidResponse = errors.New("gemini: invalid response")
 
-	ErrCertificateExpired = errors.New("gemini: certificate expired")
-
 	// ErrBodyNotAllowed is returned by ResponseWriter.Write calls
 	// when the response status code does not permit a body.
 	ErrBodyNotAllowed = errors.New("gemini: response status code does not allow body")

go.mod

@@ -1,5 +1,5 @@
 module git.sr.ht/~adnano/go-gemini
 
-go 1.15
+go 1.16
 
 require golang.org/x/net v0.0.0-20210119194325-5f4716e94777

handler.go

@@ -14,11 +14,10 @@ import (
 // ServeGemini should write the response header and data to the ResponseWriter
 // and then return. Returning signals that the request is finished; it is not
 // valid to use the ResponseWriter after or concurrently with the completion
-// of the ServeGemini call. Handlers may also call ResponseWriter.Close to
-// manually close the connection.
+// of the ServeGemini call.
 //
-// The provided context is canceled when the client's connection is closed,
-// when ResponseWriter.Close is called, or when the ServeGemini method returns.
+// The provided context is canceled when the client's connection is closed
+// or the ServeGemini method returns.
 //
 // Handlers should not modify the provided Request.
 type Handler interface {
@@ -80,18 +79,21 @@ func StripPrefix(prefix string, h Handler) Handler {
 //
 // The new Handler calls h.ServeGemini to handle each request, but
 // if a call runs for longer than its time limit, the handler responds with a
-// 40 Temporary Failure error.  After such a timeout, writes by h to
-// its ResponseWriter will return context.DeadlineExceeded.
-func TimeoutHandler(h Handler, dt time.Duration) Handler {
+// 40 Temporary Failure status code and the given message in its response meta.
+// After such a timeout, writes by h to its ResponseWriter will return
+// context.DeadlineExceeded.
+func TimeoutHandler(h Handler, dt time.Duration, message string) Handler {
 	return &timeoutHandler{
-		h:  h,
-		dt: dt,
+		h:   h,
+		dt:  dt,
+		msg: message,
 	}
 }
 
 type timeoutHandler struct {
-	h  Handler
-	dt time.Duration
+	h   Handler
+	dt  time.Duration
+	msg string
 }
 
 func (t *timeoutHandler) ServeGemini(ctx context.Context, w ResponseWriter, r *Request) {
@@ -100,7 +102,7 @@ func (t *timeoutHandler) ServeGemini(ctx context.Context, w ResponseWriter, r *R
 
 	buf := &bytes.Buffer{}
 	tw := &timeoutWriter{
-		wc: &contextWriter{
+		wr: &contextWriter{
 			ctx:    ctx,
 			cancel: cancel,
 			done:   ctx.Done(),
@@ -119,12 +121,12 @@ func (t *timeoutHandler) ServeGemini(ctx context.Context, w ResponseWriter, r *R
 		w.WriteHeader(tw.status, tw.meta)
 		w.Write(buf.Bytes())
 	case <-ctx.Done():
-		w.WriteHeader(StatusTemporaryFailure, "Timeout")
+		w.WriteHeader(StatusTemporaryFailure, t.msg)
 	}
 }
 
 type timeoutWriter struct {
-	wc          io.WriteCloser
+	wr          io.Writer
 	status      Status
 	meta        string
 	mediatype   string
@@ -139,7 +141,7 @@ func (w *timeoutWriter) Write(b []byte) (int, error) {
 	if !w.wroteHeader {
 		w.WriteHeader(StatusSuccess, w.mediatype)
 	}
-	return w.wc.Write(b)
+	return w.wr.Write(b)
 }
 
 func (w *timeoutWriter) WriteHeader(status Status, meta string) {
@@ -154,7 +156,3 @@ func (w *timeoutWriter) WriteHeader(status Status, meta string) {
 func (w *timeoutWriter) Flush() error {
 	return nil
 }
-
-func (w *timeoutWriter) Close() error {
-	return w.wc.Close()
-}

request.go

@@ -29,6 +29,7 @@ type Request struct {
 	Certificate *tls.Certificate
 
 	conn net.Conn
+	tls  *tls.ConnectionState
 }
 
 // NewRequest returns a new request.
@@ -76,34 +77,53 @@ func ReadRequest(r io.Reader) (*Request, error) {
 	return &Request{URL: u}, nil
 }
 
-// Write writes a Gemini request in wire format.
+// WriteTo writes r to w in the Gemini request format.
 // This method consults the request URL only.
-func (r *Request) Write(w io.Writer) error {
+func (r *Request) WriteTo(w io.Writer) (int64, error) {
 	bw := bufio.NewWriterSize(w, 1026)
 	url := r.URL.String()
 	if len(url) > 1024 {
-		return ErrInvalidRequest
+		return 0, ErrInvalidRequest
 	}
-	if _, err := bw.WriteString(url); err != nil {
-		return err
+	var wrote int64
+	n, err := bw.WriteString(url)
+	wrote += int64(n)
+	if err != nil {
+		return wrote, err
 	}
-	if _, err := bw.Write(crlf); err != nil {
-		return err
+	n, err = bw.Write(crlf)
+	wrote += int64(n)
+	if err != nil {
+		return wrote, err
 	}
-	return bw.Flush()
+	return wrote, bw.Flush()
 }
 
 // Conn returns the network connection on which the request was received.
+// Conn returns nil for client requests.
 func (r *Request) Conn() net.Conn {
 	return r.conn
 }
 
 // TLS returns information about the TLS connection on which the
 // request was received.
+// TLS returns nil for client requests.
 func (r *Request) TLS() *tls.ConnectionState {
-	if tlsConn, ok := r.conn.(*tls.Conn); ok {
-		state := tlsConn.ConnectionState()
-		return &state
+	if r.tls == nil {
+		if tlsConn, ok := r.conn.(*tls.Conn); ok {
+			state := tlsConn.ConnectionState()
+			r.tls = &state
+		}
 	}
-	return nil
+	return r.tls
+}
+
+// ServerName returns the value of the TLS Server Name Indication extension
+// sent by the client.
+// ServerName returns an empty string for client requests.
+func (r *Request) ServerName() string {
+	if tls := r.TLS(); tls != nil {
+		return tls.ServerName
+	}
+	return ""
 }

request_test.go

@@ -119,7 +119,7 @@ func TestWriteRequest(t *testing.T) {
 		t.Logf("%s", test.Req.URL)
 		var b strings.Builder
 		bw := bufio.NewWriter(&b)
-		err := test.Req.Write(bw)
+		_, err := test.Req.WriteTo(bw)
 		if err != test.Err {
 			t.Errorf("expected err = %v, got %v", test.Err, err)
 		}

response.go

@@ -3,6 +3,7 @@ package gemini
 import (
 	"bufio"
 	"crypto/tls"
+	"fmt"
 	"io"
 	"net"
 	"strconv"
@@ -15,24 +16,29 @@ const defaultMediaType = "text/gemini; charset=utf-8"
 //
 // The Client returns Responses from servers once the response
 // header has been received. The response body is streamed on demand
-// as the response is read. If the network connection fails or the server
-// terminates the response, Read calls return an error.
-//
-// It is the caller's responsibility to close the response.
+// as the Body field is read.
 type Response struct {
-	status Status
-	meta   string
-	body   io.ReadCloser
-	conn   net.Conn
-}
+	// Status is the response status code.
+	Status Status
 
-// NewResponse returns a new response with the provided status, meta, and body.
-func NewResponse(status Status, meta string, body io.ReadCloser) *Response {
-	return &Response{
-		status: status,
-		meta:   meta,
-		body:   body,
-	}
+	// Meta returns the response meta.
+	// For successful responses, the meta should contain the media type of the response.
+	// For failure responses, the meta should contain a short description of the failure.
+	Meta string
+
+	// Body represents the response body.
+	//
+	// The response body is streamed on demand as the Body field
+	// is read. If the network connection fails or the server
+	// terminates the response, Body.Read calls return an error.
+	//
+	// The Gemini client guarantees that Body is always
+	// non-nil, even on responses without a body or responses with
+	// a zero-length body. It is the caller's responsibility to
+	// close Body.
+	Body io.ReadCloser
+
+	conn net.Conn
 }
 
 // ReadResponse reads a Gemini response from the provided io.ReadCloser.
@@ -49,7 +55,7 @@ func ReadResponse(r io.ReadCloser) (*Response, error) {
 	if err != nil {
 		return nil, ErrInvalidResponse
 	}
-	resp.status = Status(status)
+	resp.Status = Status(status)
 
 	// Read one space
 	if b, err := br.ReadByte(); err != nil {
@@ -69,11 +75,11 @@ func ReadResponse(r io.ReadCloser) (*Response, error) {
 	if len(meta) > 1024 {
 		return nil, ErrInvalidResponse
 	}
-	if resp.status.Class() == StatusSuccess && meta == "" {
+	if resp.Status.Class() == StatusSuccess && meta == "" {
 		// Use default media type
 		meta = defaultMediaType
 	}
-	resp.meta = meta
+	resp.Meta = meta
 
 	// Read terminating newline
 	if b, err := br.ReadByte(); err != nil {
@@ -82,38 +88,15 @@ func ReadResponse(r io.ReadCloser) (*Response, error) {
 		return nil, ErrInvalidResponse
 	}
 
-	if resp.status.Class() == StatusSuccess {
-		resp.body = newBufReadCloser(br, r)
+	if resp.Status.Class() == StatusSuccess {
+		resp.Body = newBufReadCloser(br, r)
 	} else {
-		resp.body = nopReadCloser{}
+		resp.Body = nopReadCloser{}
 		r.Close()
 	}
 	return resp, nil
 }
 
-// Status returns the response status code.
-func (r *Response) Status() Status {
-	return r.status
-}
-
-// Meta returns the response meta.
-// For successful responses, the meta should contain the media type of the response.
-// For failure responses, the meta should contain a short description of the failure.
-func (r *Response) Meta() string {
-	return r.meta
-}
-
-// Read reads data from the response body.
-// The response body is streamed on demand as Read is called.
-func (r *Response) Read(p []byte) (n int, err error) {
-	return r.body.Read(p)
-}
-
-// Close closes the response body.
-func (r *Response) Close() error {
-	return r.body.Close()
-}
-
 // Conn returns the network connection on which the response was received.
 func (r *Response) Conn() net.Conn {
 	return r.conn
@@ -129,6 +112,29 @@ func (r *Response) TLS() *tls.ConnectionState {
 	return nil
 }
 
+// WriteTo writes r to w in the Gemini response format, including the
+// header and body.
+//
+// This method consults the Status, Meta, and Body fields of the response.
+// The Response Body is closed after it is sent.
+func (r *Response) WriteTo(w io.Writer) (int64, error) {
+	var wrote int64
+	n, err := fmt.Fprintf(w, "%02d %s\r\n", r.Status, r.Meta)
+	wrote += int64(n)
+	if err != nil {
+		return wrote, err
+	}
+	if r.Body != nil {
+		defer r.Body.Close()
+		n, err := io.Copy(w, r.Body)
+		wrote += n
+		if err != nil {
+			return wrote, err
+		}
+	}
+	return wrote, nil
+}
+
 // A ResponseWriter interface is used by a Gemini handler to construct
 // a Gemini response.
 //
@@ -165,10 +171,6 @@ type ResponseWriter interface {
 
 	// Flush sends any buffered data to the client.
 	Flush() error
-
-	// Close closes the connection.
-	// Any blocked Write operations will be unblocked and return errors.
-	Close() error
 }
 
 type responseWriter struct {
@@ -179,10 +181,9 @@ type responseWriter struct {
 	bodyAllowed bool
 }
 
-func newResponseWriter(w io.WriteCloser) *responseWriter {
+func newResponseWriter(w io.Writer) *responseWriter {
 	return &responseWriter{
 		bw: bufio.NewWriter(w),
-		cl: w,
 	}
 }
 
@@ -228,7 +229,3 @@ func (w *responseWriter) Flush() error {
 	// Write errors from WriteHeader will be returned here.
 	return w.bw.Flush()
 }
-
-func (w *responseWriter) Close() error {
-	return w.cl.Close()
-}

response_test.go

@@ -2,7 +2,6 @@ package gemini
 
 import (
 	"io"
-	"io/ioutil"
 	"strings"
 	"testing"
 )
@@ -38,6 +37,15 @@ func TestReadWriteResponse(t *testing.T) {
 			Meta:      "/redirect",
 			SkipWrite: true, // skip write test since result won't match Raw
 		},
+		{
+			Raw:    "32 " + maxURL + "\r\n",
+			Status: 32,
+			Meta:   maxURL,
+		},
+		{
+			Raw: "33 " + maxURL + "xxxx" + "\r\n",
+			Err: ErrInvalidResponse,
+		},
 		{
 			Raw:    "99 Unknown status code\r\n",
 			Status: 99,
@@ -83,21 +91,21 @@ func TestReadWriteResponse(t *testing.T) {
 
 	for _, test := range tests {
 		t.Logf("%#v", test.Raw)
-		resp, err := ReadResponse(ioutil.NopCloser(strings.NewReader(test.Raw)))
+		resp, err := ReadResponse(io.NopCloser(strings.NewReader(test.Raw)))
 		if err != test.Err {
 			t.Errorf("expected err = %v, got %v", test.Err, err)
 		}
-		if test.Err != nil {
+		if err != nil {
 			// No response
 			continue
 		}
-		if resp.status != test.Status {
-			t.Errorf("expected status = %d, got %d", test.Status, resp.status)
+		if resp.Status != test.Status {
+			t.Errorf("expected status = %d, got %d", test.Status, resp.Status)
 		}
-		if resp.meta != test.Meta {
-			t.Errorf("expected meta = %s, got %s", test.Meta, resp.meta)
+		if resp.Meta != test.Meta {
+			t.Errorf("expected meta = %s, got %s", test.Meta, resp.Meta)
 		}
-		b, _ := ioutil.ReadAll(resp.body)
+		b, _ := io.ReadAll(resp.Body)
 		body := string(b)
 		if body != test.Body {
 			t.Errorf("expected body = %#v, got %#v", test.Body, body)

server.go

@@ -282,14 +282,17 @@ func (srv *Server) serve(ctx context.Context, l net.Listener) error {
 			return err
 		}
 		tempDelay = 0
-		go srv.ServeConn(ctx, rw)
+		go srv.serveConn(ctx, rw, false)
 	}
 }
 
-func (srv *Server) trackConn(conn *net.Conn, cancel context.CancelFunc) bool {
+func (srv *Server) trackConn(conn *net.Conn, cancel context.CancelFunc, external bool) bool {
 	srv.mu.Lock()
 	defer srv.mu.Unlock()
-	if srv.closed && !srv.shutdown {
+	// Reject the connection under the following conditions:
+	// - Shutdown or Close has been called and conn is external (from ServeConn)
+	// - Close (not Shutdown) has been called and conn is internal (from Serve)
+	if srv.closed && (external || !srv.shutdown) {
 		return false
 	}
 	if srv.conns == nil {
@@ -309,15 +312,17 @@ func (srv *Server) deleteConn(conn *net.Conn) {
 // It closes the connection when the response has been completed.
 // If the provided context expires before the response has completed,
 // ServeConn closes the connection and returns the context's error.
-//
-// Note that ServeConn can be used during a Shutdown.
 func (srv *Server) ServeConn(ctx context.Context, conn net.Conn) error {
+	return srv.serveConn(ctx, conn, true)
+}
+
+func (srv *Server) serveConn(ctx context.Context, conn net.Conn, external bool) error {
 	defer conn.Close()
 
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
 
-	if !srv.trackConn(&conn, cancel) {
+	if !srv.trackConn(&conn, cancel, external) {
 		return context.Canceled
 	}
 	defer srv.tryCloseDone()
@@ -332,7 +337,7 @@ func (srv *Server) ServeConn(ctx context.Context, conn net.Conn) error {
 
 	errch := make(chan error, 1)
 	go func() {
-		errch <- srv.serveConn(ctx, conn)
+		errch <- srv.goServeConn(ctx, conn)
 	}()
 
 	select {
@@ -343,7 +348,7 @@ func (srv *Server) ServeConn(ctx context.Context, conn net.Conn) error {
 	}
 }
 
-func (srv *Server) serveConn(ctx context.Context, conn net.Conn) error {
+func (srv *Server) goServeConn(ctx context.Context, conn net.Conn) error {
 	ctx, cancel := context.WithCancel(ctx)
 	done := ctx.Done()
 	cw := &contextWriter{

tofu/tofu.go

@@ -14,7 +14,6 @@ import (
 	"strconv"
 	"strings"
 	"sync"
-	"time"
 )
 
 // KnownHosts represents a list of known hosts.
@@ -143,22 +142,17 @@ func (k *KnownHosts) Parse(r io.Reader) error {
 // TOFU implements basic trust on first use.
 //
 // If the host is not on file, it is added to the list.
-// If the host on file is expired, a new entry is added to the list.
 // If the fingerprint does not match the one on file, an error is returned.
 func (k *KnownHosts) TOFU(hostname string, cert *x509.Certificate) error {
-	host := NewHost(hostname, cert.Raw, cert.NotAfter)
-
+	host := NewHost(hostname, cert.Raw)
 	knownHost, ok := k.Lookup(hostname)
-	if !ok || time.Now().After(knownHost.Expires) {
+	if !ok {
 		k.Add(host)
 		return nil
 	}
-
-	// Check fingerprint
 	if !bytes.Equal(knownHost.Fingerprint, host.Fingerprint) {
 		return fmt.Errorf("fingerprint for %q does not match", hostname)
 	}
-
 	return nil
 }
 
@@ -266,21 +260,16 @@ func (p *PersistentHosts) Entries() []Host {
 // TOFU implements trust on first use with a persistent set of known hosts.
 //
 // If the host is not on file, it is added to the list.
-// If the host on file is expired, a new entry is added to the list.
 // If the fingerprint does not match the one on file, an error is returned.
 func (p *PersistentHosts) TOFU(hostname string, cert *x509.Certificate) error {
-	host := NewHost(hostname, cert.Raw, cert.NotAfter)
-
+	host := NewHost(hostname, cert.Raw)
 	knownHost, ok := p.Lookup(hostname)
-	if !ok || time.Now().After(knownHost.Expires) {
+	if !ok {
 		return p.Add(host)
 	}
-
-	// Check fingerprint
 	if !bytes.Equal(knownHost.Fingerprint, host.Fingerprint) {
 		return fmt.Errorf("fingerprint for %q does not match", hostname)
 	}
-
 	return nil
 }
 
@@ -294,19 +283,17 @@ type Host struct {
 	Hostname    string      // hostname
 	Algorithm   string      // fingerprint algorithm e.g. SHA-512
 	Fingerprint Fingerprint // fingerprint
-	Expires     time.Time   // unix time of the fingerprint expiration date
 }
 
 // NewHost returns a new host with a SHA-512 fingerprint of
 // the provided raw data.
-func NewHost(hostname string, raw []byte, expires time.Time) Host {
+func NewHost(hostname string, raw []byte) Host {
 	sum := sha512.Sum512(raw)
 
 	return Host{
 		Hostname:    hostname,
 		Algorithm:   "SHA-512",
 		Fingerprint: sum[:],
-		Expires:     expires,
 	}
 }
 
@@ -325,8 +312,6 @@ func (h Host) String() string {
 	b.WriteString(h.Algorithm)
 	b.WriteByte(' ')
 	b.WriteString(h.Fingerprint.String())
-	b.WriteByte(' ')
-	b.WriteString(strconv.FormatInt(h.Expires.Unix(), 10))
 	return b.String()
 }
 
@@ -335,7 +320,7 @@ func (h *Host) UnmarshalText(text []byte) error {
 	const format = "hostname algorithm hex-fingerprint expiry-unix-ts"
 
 	parts := bytes.Split(text, []byte(" "))
-	if len(parts) != 4 {
+	if len(parts) != 3 {
 		return fmt.Errorf("expected the format %q", format)
 	}
 
@@ -371,13 +356,6 @@ func (h *Host) UnmarshalText(text []byte) error {
 
 	h.Fingerprint = fingerprint
 
-	unix, err := strconv.ParseInt(string(parts[3]), 10, 0)
-	if err != nil {
-		return fmt.Errorf("invalid unix timestamp: %w", err)
-	}
-
-	h.Expires = time.Unix(unix, 0)
-
 	return nil
 }
 

vendor.go

@@ -1,212 +0,0 @@
-// Hostname verification code from the crypto/x509 package.
-// Modified to allow Common Names in the short term, until new certificates
-// can be issued with SANs.
-
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package gemini
-
-import (
-	"crypto/x509"
-	"net"
-	"strings"
-	"unicode/utf8"
-)
-
-var oidExtensionSubjectAltName = []int{2, 5, 29, 17}
-
-func hasSANExtension(c *x509.Certificate) bool {
-	for _, e := range c.Extensions {
-		if e.Id.Equal(oidExtensionSubjectAltName) {
-			return true
-		}
-	}
-	return false
-}
-
-func validHostnamePattern(host string) bool { return validHostname(host, true) }
-func validHostnameInput(host string) bool   { return validHostname(host, false) }
-
-// validHostname reports whether host is a valid hostname that can be matched or
-// matched against according to RFC 6125 2.2, with some leniency to accommodate
-// legacy values.
-func validHostname(host string, isPattern bool) bool {
-	if !isPattern {
-		host = strings.TrimSuffix(host, ".")
-	}
-	if len(host) == 0 {
-		return false
-	}
-
-	for i, part := range strings.Split(host, ".") {
-		if part == "" {
-			// Empty label.
-			return false
-		}
-		if isPattern && i == 0 && part == "*" {
-			// Only allow full left-most wildcards, as those are the only ones
-			// we match, and matching literal '*' characters is probably never
-			// the expected behavior.
-			continue
-		}
-		for j, c := range part {
-			if 'a' <= c && c <= 'z' {
-				continue
-			}
-			if '0' <= c && c <= '9' {
-				continue
-			}
-			if 'A' <= c && c <= 'Z' {
-				continue
-			}
-			if c == '-' && j != 0 {
-				continue
-			}
-			if c == '_' {
-				// Not a valid character in hostnames, but commonly
-				// found in deployments outside the WebPKI.
-				continue
-			}
-			return false
-		}
-	}
-
-	return true
-}
-
-// commonNameAsHostname reports whether the Common Name field should be
-// considered the hostname that the certificate is valid for. This is a legacy
-// behavior, disabled by default or if the Subject Alt Name extension is present.
-//
-// It applies the strict validHostname check to the Common Name field, so that
-// certificates without SANs can still be validated against CAs with name
-// constraints if there is no risk the CN would be matched as a hostname.
-// See NameConstraintsWithoutSANs and issue 24151.
-func commonNameAsHostname(c *x509.Certificate) bool {
-	return !hasSANExtension(c) && validHostnamePattern(c.Subject.CommonName)
-}
-
-func matchExactly(hostA, hostB string) bool {
-	if hostA == "" || hostA == "." || hostB == "" || hostB == "." {
-		return false
-	}
-	return toLowerCaseASCII(hostA) == toLowerCaseASCII(hostB)
-}
-
-func matchHostnames(pattern, host string) bool {
-	pattern = toLowerCaseASCII(pattern)
-	host = toLowerCaseASCII(strings.TrimSuffix(host, "."))
-
-	if len(pattern) == 0 || len(host) == 0 {
-		return false
-	}
-
-	patternParts := strings.Split(pattern, ".")
-	hostParts := strings.Split(host, ".")
-
-	if len(patternParts) != len(hostParts) {
-		return false
-	}
-
-	for i, patternPart := range patternParts {
-		if i == 0 && patternPart == "*" {
-			continue
-		}
-		if patternPart != hostParts[i] {
-			return false
-		}
-	}
-
-	return true
-}
-
-// toLowerCaseASCII returns a lower-case version of in. See RFC 6125 6.4.1. We use
-// an explicitly ASCII function to avoid any sharp corners resulting from
-// performing Unicode operations on DNS labels.
-func toLowerCaseASCII(in string) string {
-	// If the string is already lower-case then there's nothing to do.
-	isAlreadyLowerCase := true
-	for _, c := range in {
-		if c == utf8.RuneError {
-			// If we get a UTF-8 error then there might be
-			// upper-case ASCII bytes in the invalid sequence.
-			isAlreadyLowerCase = false
-			break
-		}
-		if 'A' <= c && c <= 'Z' {
-			isAlreadyLowerCase = false
-			break
-		}
-	}
-
-	if isAlreadyLowerCase {
-		return in
-	}
-
-	out := []byte(in)
-	for i, c := range out {
-		if 'A' <= c && c <= 'Z' {
-			out[i] += 'a' - 'A'
-		}
-	}
-	return string(out)
-}
-
-// verifyHostname returns nil if c is a valid certificate for the named host.
-// Otherwise it returns an error describing the mismatch.
-//
-// IP addresses can be optionally enclosed in square brackets and are checked
-// against the IPAddresses field. Other names are checked case insensitively
-// against the DNSNames field. If the names are valid hostnames, the certificate
-// fields can have a wildcard as the left-most label.
-//
-// The legacy Common Name field is ignored unless it's a valid hostname, the
-// certificate doesn't have any Subject Alternative Names, and the GODEBUG
-// environment variable is set to "x509ignoreCN=0". Support for Common Name is
-// deprecated will be entirely removed in the future.
-func verifyHostname(c *x509.Certificate, h string) error {
-	// IP addresses may be written in [ ].
-	candidateIP := h
-	if len(h) >= 3 && h[0] == '[' && h[len(h)-1] == ']' {
-		candidateIP = h[1 : len(h)-1]
-	}
-	if ip := net.ParseIP(candidateIP); ip != nil {
-		// We only match IP addresses against IP SANs.
-		// See RFC 6125, Appendix B.2.
-		for _, candidate := range c.IPAddresses {
-			if ip.Equal(candidate) {
-				return nil
-			}
-		}
-		return x509.HostnameError{c, candidateIP}
-	}
-
-	names := c.DNSNames
-	if commonNameAsHostname(c) {
-		names = []string{c.Subject.CommonName}
-	}
-
-	candidateName := toLowerCaseASCII(h) // Save allocations inside the loop.
-	validCandidateName := validHostnameInput(candidateName)
-
-	for _, match := range names {
-		// Ideally, we'd only match valid hostnames according to RFC 6125 like
-		// browsers (more or less) do, but in practice Go is used in a wider
-		// array of contexts and can't even assume DNS resolution. Instead,
-		// always allow perfect matches, and only apply wildcard and trailing
-		// dot processing to valid hostnames.
-		if validCandidateName && validHostnamePattern(match) {
-			if matchHostnames(match, candidateName) {
-				return nil
-			}
-		} else {
-			if matchExactly(match, candidateName) {
-				return nil
-			}
-		}
-	}
-
-	return x509.HostnameError{c, h}
-}