fs: Remove unused import

It's probably best not to panic if this fails.

README.md

@@ -1,6 +1,6 @@
 # go-gemini
 
-[![GoDoc](https://godoc.org/git.sr.ht/~adnano/go-gemini?status.svg)](https://godoc.org/git.sr.ht/~adnano/go-gemini)
+[![godocs.io](https://godocs.io/git.sr.ht/~adnano/go-gemini?status.svg)](https://godocs.io/git.sr.ht/~adnano/go-gemini)
 
 Package gemini implements the [Gemini protocol](https://gemini.circumlunar.space) in Go.
 

cert.go

@@ -1,135 +0,0 @@
-package gemini
-
-import (
-	"crypto"
-	"crypto/ed25519"
-	"crypto/rand"
-	"crypto/tls"
-	"crypto/x509"
-	"math/big"
-	"net"
-	"path/filepath"
-	"strings"
-	"time"
-)
-
-// CertificateStore maps hostnames to certificates.
-// The zero value of CertificateStore is an empty store ready to use.
-type CertificateStore struct {
-	store map[string]tls.Certificate
-}
-
-// Add adds a certificate for the given scope to the store.
-// It tries to parse the certificate if it is not already parsed.
-func (c *CertificateStore) Add(scope string, cert tls.Certificate) {
-	if c.store == nil {
-		c.store = map[string]tls.Certificate{}
-	}
-	// Parse certificate if not already parsed
-	if cert.Leaf == nil {
-		parsed, err := x509.ParseCertificate(cert.Certificate[0])
-		if err == nil {
-			cert.Leaf = parsed
-		}
-	}
-	c.store[scope] = cert
-}
-
-// Lookup returns the certificate for the given scope.
-func (c *CertificateStore) Lookup(scope string) (*tls.Certificate, error) {
-	cert, ok := c.store[scope]
-	if !ok {
-		return nil, ErrCertificateUnknown
-	}
-	// Ensure that the certificate is not expired
-	if cert.Leaf != nil && cert.Leaf.NotAfter.Before(time.Now()) {
-		return &cert, ErrCertificateExpired
-	}
-	return &cert, nil
-}
-
-// Load loads certificates from the given path.
-// The path should lead to a directory containing certificates and private keys
-// in the form scope.crt and scope.key.
-// For example, the hostname "localhost" would have the corresponding files
-// localhost.crt (certificate) and localhost.key (private key).
-func (c *CertificateStore) Load(path string) error {
-	matches, err := filepath.Glob(filepath.Join(path, "*.crt"))
-	if err != nil {
-		return err
-	}
-	for _, crtPath := range matches {
-		keyPath := strings.TrimSuffix(crtPath, ".crt") + ".key"
-		cert, err := tls.LoadX509KeyPair(crtPath, keyPath)
-		if err != nil {
-			continue
-		}
-		scope := strings.TrimSuffix(filepath.Base(crtPath), ".crt")
-		c.Add(scope, cert)
-	}
-	return nil
-}
-
-// CertificateOptions configures how a certificate is created.
-type CertificateOptions struct {
-	IPAddresses []net.IP
-	DNSNames    []string
-	Duration    time.Duration
-}
-
-// CreateCertificate creates a new TLS certificate.
-func CreateCertificate(options CertificateOptions) (tls.Certificate, error) {
-	crt, priv, err := newX509KeyPair(options)
-	if err != nil {
-		return tls.Certificate{}, err
-	}
-	var cert tls.Certificate
-	cert.Leaf = crt
-	cert.Certificate = append(cert.Certificate, crt.Raw)
-	cert.PrivateKey = priv
-	return cert, nil
-}
-
-// newX509KeyPair creates and returns a new certificate and private key.
-func newX509KeyPair(options CertificateOptions) (*x509.Certificate, crypto.PrivateKey, error) {
-	// Generate an ED25519 private key
-	_, priv, err := ed25519.GenerateKey(rand.Reader)
-	if err != nil {
-		return nil, nil, err
-	}
-	public := priv.Public()
-
-	// ED25519 keys should have the DigitalSignature KeyUsage bits set
-	// in the x509.Certificate template
-	keyUsage := x509.KeyUsageDigitalSignature
-
-	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
-	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	notBefore := time.Now()
-	notAfter := notBefore.Add(options.Duration)
-
-	template := x509.Certificate{
-		SerialNumber:          serialNumber,
-		NotBefore:             notBefore,
-		NotAfter:              notAfter,
-		KeyUsage:              keyUsage,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		BasicConstraintsValid: true,
-		IPAddresses:           options.IPAddresses,
-		DNSNames:              options.DNSNames,
-	}
-
-	crt, err := x509.CreateCertificate(rand.Reader, &template, &template, public, priv)
-	if err != nil {
-		return nil, nil, err
-	}
-	cert, err := x509.ParseCertificate(crt)
-	if err != nil {
-		return nil, nil, err
-	}
-	return cert, priv, nil
-}

certificate/certificate.go

@@ -0,0 +1,236 @@
+// Package certificate provides utility functions for TLS certificates.
+package certificate
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"net"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"time"
+)
+
+// Dir represents a directory of certificates.
+// The zero value for Dir is an empty directory ready to use.
+//
+// Dir is safe for concurrent use by multiple goroutines.
+type Dir struct {
+	certs map[string]tls.Certificate
+	path  *string
+	mu    sync.RWMutex
+}
+
+// Add adds a certificate for the given scope to the directory.
+// It tries to parse the certificate if it is not already parsed.
+func (d *Dir) Add(scope string, cert tls.Certificate) error {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+	if d.certs == nil {
+		d.certs = map[string]tls.Certificate{}
+	}
+	// Parse certificate if not already parsed
+	if cert.Leaf == nil {
+		parsed, err := x509.ParseCertificate(cert.Certificate[0])
+		if err == nil {
+			cert.Leaf = parsed
+		}
+	}
+
+	if d.path != nil {
+		// Escape slash character
+		scope = strings.ReplaceAll(scope, "/", ":")
+		certPath := filepath.Join(*d.path, scope+".crt")
+		keyPath := filepath.Join(*d.path, scope+".key")
+		if err := Write(cert, certPath, keyPath); err != nil {
+			return err
+		}
+	}
+
+	d.certs[scope] = cert
+	return nil
+}
+
+// Lookup returns the certificate for the provided scope.
+func (d *Dir) Lookup(scope string) (tls.Certificate, bool) {
+	d.mu.RLock()
+	defer d.mu.RUnlock()
+	cert, ok := d.certs[scope]
+	return cert, ok
+}
+
+// Entries returns a map of hostnames to certificates.
+func (d *Dir) Entries() map[string]tls.Certificate {
+	certs := map[string]tls.Certificate{}
+	for key := range d.certs {
+		certs[key] = d.certs[key]
+	}
+	return certs
+}
+
+// Load loads certificates from the provided path.
+// Add will write certificates to this path.
+//
+// The directory should contain certificates and private keys
+// named scope.crt and scope.key respectively, where scope is
+// the scope of the certificate.
+func (d *Dir) Load(path string) error {
+	matches, err := filepath.Glob(filepath.Join(path, "*.crt"))
+	if err != nil {
+		return err
+	}
+	for _, crtPath := range matches {
+		keyPath := strings.TrimSuffix(crtPath, ".crt") + ".key"
+		cert, err := tls.LoadX509KeyPair(crtPath, keyPath)
+		if err != nil {
+			continue
+		}
+		scope := strings.TrimSuffix(filepath.Base(crtPath), ".crt")
+		// Unescape slash character
+		scope = strings.ReplaceAll(scope, ":", "/")
+		d.Add(scope, cert)
+	}
+	d.SetPath(path)
+	return nil
+}
+
+// SetPath sets the directory path.
+// Add will write certificates to this path.
+func (d *Dir) SetPath(path string) {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+	d.path = &path
+}
+
+// CreateOptions configures the creation of a TLS certificate.
+type CreateOptions struct {
+	// Subject Alternate Name values.
+	// Should contain the DNS names that this certificate is valid for.
+	// E.g. example.com, *.example.com
+	DNSNames []string
+
+	// Subject Alternate Name values.
+	// Should contain the IP addresses that the certificate is valid for.
+	IPAddresses []net.IP
+
+	// Subject specifies the certificate Subject.
+	//
+	// Subject.CommonName can contain the DNS name that this certificate
+	// is valid for. Server certificates should specify both a Subject
+	// and a Subject Alternate Name.
+	Subject pkix.Name
+
+	// Duration specifies the amount of time that the certificate is valid for.
+	Duration time.Duration
+
+	// Ed25519 specifies whether to generate an Ed25519 key pair.
+	// If false, an ECDSA key will be generated instead.
+	// Ed25519 is not as widely supported as ECDSA.
+	Ed25519 bool
+}
+
+// Create creates a new TLS certificate.
+func Create(options CreateOptions) (tls.Certificate, error) {
+	crt, priv, err := newX509KeyPair(options)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+	var cert tls.Certificate
+	cert.Leaf = crt
+	cert.Certificate = append(cert.Certificate, crt.Raw)
+	cert.PrivateKey = priv
+	return cert, nil
+}
+
+// newX509KeyPair creates and returns a new certificate and private key.
+func newX509KeyPair(options CreateOptions) (*x509.Certificate, crypto.PrivateKey, error) {
+	var pub crypto.PublicKey
+	var priv crypto.PrivateKey
+	if options.Ed25519 {
+		// Generate an Ed25519 private key
+		var err error
+		pub, priv, err = ed25519.GenerateKey(rand.Reader)
+		if err != nil {
+			return nil, nil, err
+		}
+	} else {
+		// Generate an ECDSA private key
+		private, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+		if err != nil {
+			return nil, nil, err
+		}
+		priv = private
+		pub = &private.PublicKey
+	}
+
+	// ECDSA and Ed25519 keys should have the DigitalSignature KeyUsage bits
+	// set in the x509.Certificate template
+	keyUsage := x509.KeyUsageDigitalSignature
+
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	notBefore := time.Now()
+	notAfter := notBefore.Add(options.Duration)
+
+	template := x509.Certificate{
+		SerialNumber:          serialNumber,
+		NotBefore:             notBefore,
+		NotAfter:              notAfter,
+		KeyUsage:              keyUsage,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		IPAddresses:           options.IPAddresses,
+		DNSNames:              options.DNSNames,
+		Subject:               options.Subject,
+	}
+
+	crt, err := x509.CreateCertificate(rand.Reader, &template, &template, pub, priv)
+	if err != nil {
+		return nil, nil, err
+	}
+	cert, err := x509.ParseCertificate(crt)
+	if err != nil {
+		return nil, nil, err
+	}
+	return cert, priv, nil
+}
+
+// Write writes the provided certificate and its private key
+// to certPath and keyPath respectively.
+func Write(cert tls.Certificate, certPath, keyPath string) error {
+	certOut, err := os.OpenFile(certPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return err
+	}
+	defer certOut.Close()
+	if err := pem.Encode(certOut, &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: cert.Leaf.Raw,
+	}); err != nil {
+		return err
+	}
+
+	keyOut, err := os.OpenFile(keyPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return err
+	}
+	defer keyOut.Close()
+	privBytes, err := x509.MarshalPKCS8PrivateKey(cert.PrivateKey)
+	if err != nil {
+		return err
+	}
+	return pem.Encode(keyOut, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes})
+}

client.go

@@ -2,47 +2,38 @@ package gemini
 
 import (
 	"bufio"
+	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
+	"fmt"
 	"net"
-	"net/url"
-	"path"
 	"strings"
+	"time"
 )
 
 // Client is a Gemini client.
 type Client struct {
-	// KnownHosts is a list of known hosts.
-	KnownHosts KnownHosts
+	// TrustCertificate is called to determine whether the client
+	// should trust the certificate provided by the server.
+	// If TrustCertificate is nil, the client will accept any certificate.
+	// If the returned error is not nil, the certificate will not be trusted
+	// and the request will be aborted.
+	//
+	// For a basic trust on first use implementation, see (*KnownHosts).TOFU
+	// in the tofu submodule.
+	TrustCertificate func(hostname string, cert *x509.Certificate) error
 
-	// Certificates stores client-side certificates.
-	Certificates CertificateStore
-
-	// GetInput is called to retrieve input when the server requests it.
-	// If GetInput is nil or returns false, no input will be sent and
-	// the response will be returned.
-	GetInput func(prompt string, sensitive bool) (input string, ok bool)
-
-	// CheckRedirect determines whether to follow a redirect.
-	// If CheckRedirect is nil, a default policy of no more than 5 consecutive
-	// redirects will be enforced.
-	CheckRedirect func(req *Request, via []*Request) error
-
-	// CreateCertificate is called to generate a certificate upon
-	// the request of a server.
-	// If CreateCertificate is nil or the returned error is not nil,
-	// the request will not be sent again and the response will be returned.
-	CreateCertificate func(hostname, path string) (tls.Certificate, error)
-
-	// TrustCertificate determines whether the client should trust
-	// the provided certificate.
-	// If the returned error is not nil, the connection will be aborted.
-	// If TrustCertificate is nil, the client will check KnownHosts
-	// for the certificate.
-	TrustCertificate func(hostname string, cert *x509.Certificate, knownHosts *KnownHosts) error
+	// Timeout specifies a time limit for requests made by this
+	// Client. The timeout includes connection time and reading
+	// the response body. The timer remains running after
+	// Get and Do return and will interrupt reading of the Response.Body.
+	//
+	// A Timeout of zero means no timeout.
+	Timeout time.Duration
 }
 
-// Get performs a Gemini request for the given url.
+// Get performs a Gemini request for the given URL.
 func (c *Client) Get(url string) (*Response, error) {
 	req, err := NewRequest(url)
 	if err != nil {
@@ -53,127 +44,93 @@ func (c *Client) Get(url string) (*Response, error) {
 
 // Do performs a Gemini request and returns a Gemini response.
 func (c *Client) Do(req *Request) (*Response, error) {
-	return c.do(req, nil)
-}
+	// Extract hostname
+	colonPos := strings.LastIndex(req.Host, ":")
+	if colonPos == -1 {
+		colonPos = len(req.Host)
+	}
+	hostname := req.Host[:colonPos]
 
-func (c *Client) do(req *Request, via []*Request) (*Response, error) {
 	// Connect to the host
 	config := &tls.Config{
 		InsecureSkipVerify: true,
 		MinVersion:         tls.VersionTLS12,
 		GetClientCertificate: func(_ *tls.CertificateRequestInfo) (*tls.Certificate, error) {
-			return c.getClientCertificate(req)
+			if req.Certificate != nil {
+				return req.Certificate, nil
+			}
+			return &tls.Certificate{}, nil
 		},
 		VerifyConnection: func(cs tls.ConnectionState) error {
 			return c.verifyConnection(req, cs)
 		},
+		ServerName: hostname,
 	}
-	conn, err := tls.Dial("tcp", req.Host, config)
+	// Set connection context
+	ctx := req.Context
+	if ctx == nil {
+		ctx = context.Background()
+	}
+
+	start := time.Now()
+	dialer := net.Dialer{
+		Timeout: c.Timeout,
+	}
+
+	netConn, err := dialer.DialContext(ctx, "tcp", req.Host)
 	if err != nil {
 		return nil, err
 	}
-	// TODO: Set connection deadline
 
+	conn := tls.Client(netConn, config)
+
+	// Set connection deadline
+	if c.Timeout != 0 {
+		err := conn.SetDeadline(start.Add(c.Timeout))
+		if err != nil {
+			return nil, fmt.Errorf(
+				"failed to set connection deadline: %w", err)
+		}
+	}
+
+	resp, err := c.do(conn, req)
+	if err != nil {
+		// If we fail to perform the request/response we have
+		// to take responsibility for closing the connection.
+		_ = conn.Close()
+
+		return nil, err
+	}
+
+	// Store connection state
+	resp.TLS = conn.ConnectionState()
+
+	return resp, nil
+}
+
+func (c *Client) do(conn *tls.Conn, req *Request) (*Response, error) {
 	// Write the request
 	w := bufio.NewWriter(conn)
-	req.write(w)
+
+	err := req.Write(w)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"failed to write request data: %w", err)
+	}
+
 	if err := w.Flush(); err != nil {
 		return nil, err
 	}
 
 	// Read the response
-	resp := &Response{}
-	if err := resp.read(conn); err != nil {
+	resp, err := ReadResponse(conn)
+	if err != nil {
 		return nil, err
 	}
-	// Store connection state
-	resp.TLS = conn.ConnectionState()
 
-	switch {
-	case resp.Status == StatusCertificateRequired:
-		// Check to see if a certificate was already provided to prevent an infinite loop
-		if req.Certificate != nil {
-			return resp, nil
-		}
-
-		hostname, path := req.URL.Hostname(), strings.TrimSuffix(req.URL.Path, "/")
-		if c.CreateCertificate != nil {
-			cert, err := c.CreateCertificate(hostname, path)
-			if err != nil {
-				return resp, err
-			}
-			c.Certificates.Add(hostname+path, cert)
-			return c.do(req, via)
-		}
-		return resp, ErrCertificateRequired
-
-	case resp.Status.Class() == StatusClassInput:
-		if c.GetInput != nil {
-			input, ok := c.GetInput(resp.Meta, resp.Status == StatusSensitiveInput)
-			if ok {
-				req.URL.ForceQuery = true
-				req.URL.RawQuery = url.QueryEscape(input)
-				return c.do(req, via)
-			}
-		}
-		return resp, ErrInputRequired
-
-	case resp.Status.Class() == StatusClassRedirect:
-		if via == nil {
-			via = []*Request{}
-		}
-		via = append(via, req)
-
-		target, err := url.Parse(resp.Meta)
-		if err != nil {
-			return resp, err
-		}
-		target = req.URL.ResolveReference(target)
-		redirect, err := NewRequestFromURL(target)
-		if err != nil {
-			return resp, err
-		}
-
-		if c.CheckRedirect != nil {
-			if err := c.CheckRedirect(redirect, via); err != nil {
-				return resp, err
-			}
-		} else if len(via) > 5 {
-			// Default policy of no more than 5 redirects
-			return resp, ErrTooManyRedirects
-		}
-		return c.do(redirect, via)
-	}
-
-	resp.Request = req
 	return resp, nil
 }
 
-func (c *Client) getClientCertificate(req *Request) (*tls.Certificate, error) {
-	// Request certificates have the highest precedence
-	if req.Certificate != nil {
-		return req.Certificate, nil
-	}
-
-	// Search recursively for the certificate
-	scope := req.URL.Hostname() + strings.TrimSuffix(req.URL.Path, "/")
-	for {
-		cert, err := c.Certificates.Lookup(scope)
-		if err == nil {
-			return cert, err
-		}
-		if err == ErrCertificateExpired {
-			break
-		}
-		scope = path.Dir(scope)
-		if scope == "." {
-			break
-		}
-	}
-
-	return &tls.Certificate{}, nil
-}
-
 func (c *Client) verifyConnection(req *Request, cs tls.ConnectionState) error {
 	// Verify the hostname
 	var hostname string
@@ -186,12 +143,14 @@ func (c *Client) verifyConnection(req *Request, cs tls.ConnectionState) error {
 	if err := verifyHostname(cert, hostname); err != nil {
 		return err
 	}
-	// Check that the client trusts the certificate
-	var err error
-	if c.TrustCertificate != nil {
-		return c.TrustCertificate(hostname, cert, &c.KnownHosts)
-	} else {
-		err = c.KnownHosts.Lookup(hostname, cert)
+	// Check expiration date
+	if !time.Now().Before(cert.NotAfter) {
+		return errors.New("gemini: certificate expired")
 	}
-	return err
+
+	// See if the client trusts the certificate
+	if c.TrustCertificate != nil {
+		return c.TrustCertificate(hostname, cert)
+	}
+	return nil
 }

doc.go

@@ -1,59 +1,27 @@
 /*
 Package gemini implements the Gemini protocol.
 
-Get makes a Gemini request:
+Client is a Gemini client.
 
-	resp, err := gemini.Get("gemini://example.com")
-	if err != nil {
-		// handle error
-	}
-	// ...
-
-The client must close the response body when finished with it:
-
-	resp, err := gemini.Get("gemini://example.com")
-	if err != nil {
-		// handle error
-	}
-	defer resp.Body.Close()
-	body, err := ioutil.ReadAll(resp.Body)
-	// ...
-
-For control over client behavior, create a Client:
-
-	var client gemini.Client
+	client := &gemini.Client{}
 	resp, err := client.Get("gemini://example.com")
 	if err != nil {
 		// handle error
 	}
+	if resp.Body != nil {
+		defer resp.Body.Close()
+		// ...
+	}
 	// ...
 
-Clients can load their own list of known hosts:
-
-	err := client.KnownHosts.Load("path/to/my/known_hosts")
-	if err != nil {
-		// handle error
-	}
-
-Clients can control when to trust certificates with TrustCertificate:
-
-	client.TrustCertificate = func(hostname string, cert *x509.Certificate, knownHosts *gemini.KnownHosts) error {
-		return knownHosts.Lookup(hostname, cert)
-	}
-
-Clients can create client certificates upon the request of a server:
-
-	client.CreateCertificate = func(hostname, path string) (tls.Certificate, error) {
-		return gemini.CreateCertificate(gemini.CertificateOptions{
-			Duration: time.Hour,
-		})
-	}
-
 Server is a Gemini server.
 
-	var server gemini.Server
+	server := &gemini.Server{
+		ReadTimeout:  10 * time.Second,
+		WriteTimeout: 10 * time.Second,
+	}
 
-Servers must be configured with certificates:
+Servers should be configured with certificates:
 
 	err := server.Certificates.Load("/var/lib/gemini/certs")
 	if err != nil {

examples/auth.go

@@ -3,140 +3,89 @@
 package main
 
 import (
+	"crypto/sha512"
+	"crypto/tls"
 	"crypto/x509"
+	"crypto/x509/pkix"
 	"fmt"
 	"log"
+	"time"
 
 	"git.sr.ht/~adnano/go-gemini"
+	"git.sr.ht/~adnano/go-gemini/certificate"
 )
 
-type user struct {
-	password string // TODO: use hashes
-	admin    bool
-}
-
-type session struct {
-	username   string
-	authorized bool // whether or not the password was supplied
+type User struct {
+	Name string
 }
 
 var (
-	// Map of usernames to user data
-	logins = map[string]user{
-		"admin": {"p@ssw0rd", true}, // NOTE: These are bad passwords!
-		"user1": {"password1", false},
-		"user2": {"password2", false},
-	}
-
-	// Map of certificate fingerprints to sessions
-	sessions = map[string]*session{}
+	// Map of certificate hashes to users
+	users = map[string]*User{}
 )
 
 func main() {
 	var mux gemini.ServeMux
-	mux.HandleFunc("/", login)
-	mux.HandleFunc("/password", loginPassword)
-	mux.HandleFunc("/profile", profile)
-	mux.HandleFunc("/admin", admin)
-	mux.HandleFunc("/logout", logout)
+	mux.HandleFunc("/", profile)
+	mux.HandleFunc("/username", changeUsername)
 
 	var server gemini.Server
 	if err := server.Certificates.Load("/var/lib/gemini/certs"); err != nil {
 		log.Fatal(err)
 	}
-	server.Register("localhost", &mux)
+	server.CreateCertificate = func(hostname string) (tls.Certificate, error) {
+		return certificate.Create(certificate.CreateOptions{
+			Subject: pkix.Name{
+				CommonName: hostname,
+			},
+			DNSNames: []string{hostname},
+			Duration: time.Hour,
+		})
+	}
+	server.Handle("localhost", &mux)
 
 	if err := server.ListenAndServe(); err != nil {
 		log.Fatal(err)
 	}
 }
 
-func getSession(crt *x509.Certificate) (*session, bool) {
-	fingerprint := gemini.Fingerprint(crt)
-	session, ok := sessions[fingerprint]
-	return session, ok
-}
-
-func login(w *gemini.ResponseWriter, r *gemini.Request) {
-	cert, ok := gemini.Certificate(w, r)
-	if !ok {
-		return
-	}
-	username, ok := gemini.Input(w, r, "Username")
-	if !ok {
-		return
-	}
-	fingerprint := gemini.Fingerprint(cert)
-	sessions[fingerprint] = &session{
-		username: username,
-	}
-	gemini.Redirect(w, "/password")
-}
-
-func loginPassword(w *gemini.ResponseWriter, r *gemini.Request) {
-	cert, ok := gemini.Certificate(w, r)
-	if !ok {
-		return
-	}
-	session, ok := getSession(cert)
-	if !ok {
-		w.WriteStatus(gemini.StatusCertificateNotAuthorized)
-		return
-	}
-
-	password, ok := gemini.SensitiveInput(w, r, "Password")
-	if !ok {
-		return
-	}
-	expected := logins[session.username].password
-	if password == expected {
-		session.authorized = true
-		gemini.Redirect(w, "/profile")
-	} else {
-		gemini.SensitiveInput(w, r, "Wrong password. Try again")
-	}
-}
-
-func logout(w *gemini.ResponseWriter, r *gemini.Request) {
-	cert, ok := gemini.Certificate(w, r)
-	if !ok {
-		return
-	}
-	fingerprint := gemini.Fingerprint(cert)
-	delete(sessions, fingerprint)
-	fmt.Fprintln(w, "Successfully logged out.")
+func fingerprint(cert *x509.Certificate) string {
+	b := sha512.Sum512(cert.Raw)
+	return string(b[:])
 }
 
 func profile(w *gemini.ResponseWriter, r *gemini.Request) {
-	cert, ok := gemini.Certificate(w, r)
-	if !ok {
+	if r.Certificate == nil {
+		w.Status(gemini.StatusCertificateRequired)
 		return
 	}
-	session, ok := getSession(cert)
+	fingerprint := fingerprint(r.Certificate.Leaf)
+	user, ok := users[fingerprint]
 	if !ok {
-		w.WriteStatus(gemini.StatusCertificateNotAuthorized)
-		return
+		user = &User{}
+		users[fingerprint] = user
 	}
-	user := logins[session.username]
-	fmt.Fprintln(w, "Username:", session.username)
-	fmt.Fprintln(w, "Admin:", user.admin)
-	fmt.Fprintln(w, "=> /logout Logout")
+	fmt.Fprintln(w, "Username:", user.Name)
+	fmt.Fprintln(w, "=> /username Change username")
 }
 
-func admin(w *gemini.ResponseWriter, r *gemini.Request) {
-	cert, ok := gemini.Certificate(w, r)
+func changeUsername(w *gemini.ResponseWriter, r *gemini.Request) {
+	if r.Certificate == nil {
+		w.Status(gemini.StatusCertificateRequired)
+		return
+	}
+
+	username, err := gemini.QueryUnescape(r.URL.RawQuery)
+	if err != nil || username == "" {
+		w.Header(gemini.StatusInput, "Username")
+		return
+	}
+	fingerprint := fingerprint(r.Certificate.Leaf)
+	user, ok := users[fingerprint]
 	if !ok {
-		return
+		user = &User{}
+		users[fingerprint] = user
 	}
-	session, ok := getSession(cert)
-	if !ok {
-		w.WriteStatus(gemini.StatusCertificateNotAuthorized)
-		return
-	}
-	user := logins[session.username]
-	if !user.admin {
-		w.WriteStatus(gemini.StatusCertificateNotAuthorized)
-		return
-	}
-	fmt.Fprintln(w, "Welcome to the admin portal.")
+	user.Name = username
+	w.Header(gemini.StatusRedirect, "/")
 }

examples/cert.go

@@ -1,18 +1,17 @@
 // +build ignore
 
+// This example illustrates a certificate generation tool.
+
 package main
 
 import (
-	"bytes"
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/pem"
+	"crypto/x509/pkix"
 	"fmt"
 	"log"
 	"os"
 	"time"
 
-	"git.sr.ht/~adnano/go-gemini"
+	"git.sr.ht/~adnano/go-gemini/certificate"
 )
 
 func main() {
@@ -25,71 +24,20 @@ func main() {
 	if err != nil {
 		log.Fatal(err)
 	}
-	options := gemini.CertificateOptions{
+	options := certificate.CreateOptions{
+		Subject: pkix.Name{
+			CommonName: host,
+		},
 		DNSNames: []string{host},
 		Duration: duration,
 	}
-	cert, err := gemini.CreateCertificate(options)
+	cert, err := certificate.Create(options)
 	if err != nil {
 		log.Fatal(err)
 	}
-	if err := writeCertificate(host, cert); err != nil {
+	certPath := host + ".crt"
+	keyPath := host + ".key"
+	if err := certificate.Write(cert, certPath, keyPath); err != nil {
 		log.Fatal(err)
 	}
 }
-
-// writeCertificate writes the provided certificate and private key
-// to path.crt and path.key respectively.
-func writeCertificate(path string, cert tls.Certificate) error {
-	crt, err := marshalX509Certificate(cert.Leaf.Raw)
-	if err != nil {
-		return err
-	}
-	key, err := marshalPrivateKey(cert.PrivateKey)
-	if err != nil {
-		return err
-	}
-
-	// Write the certificate
-	crtPath := path + ".crt"
-	crtOut, err := os.OpenFile(crtPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
-	if err != nil {
-		return err
-	}
-	if _, err := crtOut.Write(crt); err != nil {
-		return err
-	}
-
-	// Write the private key
-	keyPath := path + ".key"
-	keyOut, err := os.OpenFile(keyPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
-	if err != nil {
-		return err
-	}
-	if _, err := keyOut.Write(key); err != nil {
-		return err
-	}
-	return nil
-}
-
-// marshalX509Certificate returns a PEM-encoded version of the given raw certificate.
-func marshalX509Certificate(cert []byte) ([]byte, error) {
-	var b bytes.Buffer
-	if err := pem.Encode(&b, &pem.Block{Type: "CERTIFICATE", Bytes: cert}); err != nil {
-		return nil, err
-	}
-	return b.Bytes(), nil
-}
-
-// marshalPrivateKey returns PEM encoded versions of the given certificate and private key.
-func marshalPrivateKey(priv interface{}) ([]byte, error) {
-	var b bytes.Buffer
-	privBytes, err := x509.MarshalPKCS8PrivateKey(priv)
-	if err != nil {
-		return nil, err
-	}
-	if err := pem.Encode(&b, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes}); err != nil {
-		return nil, err
-	}
-	return b.Bytes(), nil
-}

examples/client.go

@@ -1,91 +1,50 @@
 // +build ignore
 
+// This example illustrates a Gemini client.
+
 package main
 
 import (
 	"bufio"
-	"crypto/tls"
+	"bytes"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"io/ioutil"
+	"log"
+	"net/url"
 	"os"
+	"path/filepath"
 	"time"
 
 	"git.sr.ht/~adnano/go-gemini"
+	"git.sr.ht/~adnano/go-gemini/tofu"
+	"git.sr.ht/~adnano/go-xdg"
 )
 
 var (
-	scanner = bufio.NewScanner(os.Stdin)
-	client  = &gemini.Client{}
+	hosts     tofu.KnownHosts
+	hostsfile *tofu.HostWriter
+	scanner   *bufio.Scanner
 )
 
 func init() {
-	client.KnownHosts.LoadDefault()
-	client.TrustCertificate = func(hostname string, cert *x509.Certificate, knownHosts *gemini.KnownHosts) error {
-		err := knownHosts.Lookup(hostname, cert)
-		if err != nil {
-			switch err {
-			case gemini.ErrCertificateNotTrusted:
-				// Alert the user that the certificate is not trusted
-				fmt.Printf("Warning: Certificate for %s is not trusted!\n", hostname)
-				fmt.Println("This could indicate a Man-in-the-Middle attack.")
-			case gemini.ErrCertificateUnknown:
-				// Prompt the user to trust the certificate
-				trust := trustCertificate(cert)
-				switch trust {
-				case trustOnce:
-					// Temporarily trust the certificate
-					knownHosts.AddTemporary(hostname, cert)
-					return nil
-				case trustAlways:
-					// Add the certificate to the known hosts file
-					knownHosts.Add(hostname, cert)
-					return nil
-				}
-			}
-		}
-		return err
-	}
-	client.CreateCertificate = func(hostname, path string) (tls.Certificate, error) {
-		fmt.Println("Generating client certificate for", hostname, path)
-		return gemini.CreateCertificate(gemini.CertificateOptions{
-			Duration: time.Hour,
-		})
-	}
-	client.GetInput = func(prompt string, sensitive bool) (string, bool) {
-		fmt.Printf("%s: ", prompt)
-		scanner.Scan()
-		return scanner.Text(), true
-	}
-}
-
-func doRequest(req *gemini.Request) error {
-	resp, err := client.Do(req)
+	// Load known hosts file
+	path := filepath.Join(xdg.DataHome(), "gemini", "known_hosts")
+	err := hosts.Load(path)
 	if err != nil {
-		return err
+		log.Fatal(err)
 	}
 
-	if resp.Status.Class() == gemini.StatusClassSuccess {
-		body, err := ioutil.ReadAll(resp.Body)
-		resp.Body.Close()
-		if err != nil {
-			return err
-		}
-		fmt.Print(string(body))
-		return nil
+	hostsfile, err = tofu.NewHostsFile(path)
+	if err != nil {
+		log.Fatal(err)
 	}
-	return fmt.Errorf("request failed: %d %s: %s", resp.Status, resp.Status.Message(), resp.Meta)
+
+	scanner = bufio.NewScanner(os.Stdin)
 }
 
-type trust int
-
-const (
-	trustAbort trust = iota
-	trustOnce
-	trustAlways
-)
-
-const trustPrompt = `The certificate offered by this server is of unknown trust. Its fingerprint is:
+const trustPrompt = `The certificate offered by %s is of unknown trust. Its fingerprint is:
 %s
 
 If you knew the fingerprint to expect in advance, verify that this matches.
@@ -94,28 +53,86 @@ Otherwise, this should be safe to trust.
 [t]rust always; trust [o]nce; [a]bort
 => `
 
-func trustCertificate(cert *x509.Certificate) trust {
-	fmt.Printf(trustPrompt, gemini.Fingerprint(cert))
+func trustCertificate(hostname string, cert *x509.Certificate) error {
+	host := tofu.NewHost(hostname, cert.Raw, cert.NotAfter)
+
+	knownHost, ok := hosts.Lookup(hostname)
+	if ok && time.Now().Before(knownHost.Expires) {
+		// Check fingerprint
+		if bytes.Equal(knownHost.Fingerprint, host.Fingerprint) {
+			return nil
+		}
+		return errors.New("error: fingerprint does not match!")
+	}
+
+	fmt.Printf(trustPrompt, hostname, host.Fingerprint)
 	scanner.Scan()
 	switch scanner.Text() {
 	case "t":
-		return trustAlways
+		hosts.Add(host)
+		hostsfile.WriteHost(host)
+		return nil
 	case "o":
-		return trustOnce
+		hosts.Add(host)
+		return nil
 	default:
-		return trustAbort
+		return errors.New("certificate not trusted")
 	}
 }
 
+func getInput(prompt string, sensitive bool) (input string, ok bool) {
+	fmt.Printf("%s ", prompt)
+	scanner.Scan()
+	return scanner.Text(), true
+}
+
+func do(req *gemini.Request, via []*gemini.Request) (*gemini.Response, error) {
+	client := gemini.Client{
+		TrustCertificate: trustCertificate,
+	}
+	resp, err := client.Do(req)
+	if err != nil {
+		return resp, err
+	}
+
+	switch resp.Status.Class() {
+	case gemini.StatusClassInput:
+		input, ok := getInput(resp.Meta, resp.Status == gemini.StatusSensitiveInput)
+		if !ok {
+			break
+		}
+		req.URL.ForceQuery = true
+		req.URL.RawQuery = gemini.QueryEscape(input)
+		return do(req, via)
+
+	case gemini.StatusClassRedirect:
+		via = append(via, req)
+		if len(via) > 5 {
+			return resp, errors.New("too many redirects")
+		}
+
+		target, err := url.Parse(resp.Meta)
+		if err != nil {
+			return resp, err
+		}
+		target = req.URL.ResolveReference(target)
+		redirect := *req
+		redirect.URL = target
+		return do(&redirect, via)
+	}
+
+	return resp, err
+}
+
 func main() {
 	if len(os.Args) < 2 {
-		fmt.Printf("usage: %s gemini://... [host]", os.Args[0])
+		fmt.Printf("usage: %s <url> [host]\n", os.Args[0])
 		os.Exit(1)
 	}
 
+	// Do the request
 	url := os.Args[1]
 	req, err := gemini.NewRequest(url)
-
 	if err != nil {
 		fmt.Println(err)
 		os.Exit(1)
@@ -123,9 +140,22 @@ func main() {
 	if len(os.Args) == 3 {
 		req.Host = os.Args[2]
 	}
-
-	if err := doRequest(req); err != nil {
+	resp, err := do(req, nil)
+	if err != nil {
 		fmt.Println(err)
 		os.Exit(1)
 	}
+
+	// Handle response
+	if resp.Status.Class() == gemini.StatusClassSuccess {
+		defer resp.Body.Close()
+		body, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			log.Fatal(err)
+		}
+		fmt.Print(string(body))
+	} else {
+		fmt.Printf("%d %s\n", resp.Status, resp.Meta)
+		os.Exit(1)
+	}
 }

examples/html.go

@@ -7,84 +7,77 @@ package main
 import (
 	"fmt"
 	"html"
-	"strings"
+	"io"
+	"os"
 
 	"git.sr.ht/~adnano/go-gemini"
 )
 
 func main() {
-	text := gemini.Text{
-		gemini.LineHeading1("Hello, world!"),
-		gemini.LineText("This is a gemini text document."),
+	hw := HTMLWriter{
+		out: os.Stdout,
 	}
-
-	html := textToHTML(text)
-	fmt.Print(html)
+	gemini.ParseLines(os.Stdin, hw.Handle)
+	hw.Finish()
 }
 
-// textToHTML returns the Gemini text response as HTML.
-func textToHTML(text gemini.Text) string {
-	var b strings.Builder
-	var pre bool
-	var list bool
-	for _, l := range text {
-		if _, ok := l.(gemini.LineListItem); ok {
-			if !list {
-				list = true
-				fmt.Fprint(&b, "<ul>\n")
-			}
-		} else if list {
-			list = false
-			fmt.Fprint(&b, "</ul>\n")
-		}
-		switch l.(type) {
-		case gemini.LineLink:
-			link := l.(gemini.LineLink)
-			url := html.EscapeString(link.URL)
-			name := html.EscapeString(link.Name)
-			if name == "" {
-				name = url
-			}
-			fmt.Fprintf(&b, "<p><a href='%s'>%s</a></p>\n", url, name)
-		case gemini.LinePreformattingToggle:
-			pre = !pre
-			if pre {
-				fmt.Fprint(&b, "<pre>\n")
-			} else {
-				fmt.Fprint(&b, "</pre>\n")
-			}
-		case gemini.LinePreformattedText:
-			text := string(l.(gemini.LinePreformattedText))
-			fmt.Fprintf(&b, "%s\n", html.EscapeString(text))
-		case gemini.LineHeading1:
-			text := string(l.(gemini.LineHeading1))
-			fmt.Fprintf(&b, "<h1>%s</h1>\n", html.EscapeString(text))
-		case gemini.LineHeading2:
-			text := string(l.(gemini.LineHeading2))
-			fmt.Fprintf(&b, "<h2>%s</h2>\n", html.EscapeString(text))
-		case gemini.LineHeading3:
-			text := string(l.(gemini.LineHeading3))
-			fmt.Fprintf(&b, "<h3>%s</h3>\n", html.EscapeString(text))
-		case gemini.LineListItem:
-			text := string(l.(gemini.LineListItem))
-			fmt.Fprintf(&b, "<li>%s</li>\n", html.EscapeString(text))
-		case gemini.LineQuote:
-			text := string(l.(gemini.LineQuote))
-			fmt.Fprintf(&b, "<blockquote>%s</blockquote>\n", html.EscapeString(text))
-		case gemini.LineText:
-			text := string(l.(gemini.LineText))
-			if text == "" {
-				fmt.Fprint(&b, "<br>\n")
-			} else {
-				fmt.Fprintf(&b, "<p>%s</p>\n", html.EscapeString(text))
-			}
-		}
-	}
-	if pre {
-		fmt.Fprint(&b, "</pre>\n")
-	}
-	if list {
-		fmt.Fprint(&b, "</ul>\n")
-	}
-	return b.String()
+type HTMLWriter struct {
+	out  io.Writer
+	pre  bool
+	list bool
+}
+
+func (h *HTMLWriter) Handle(line gemini.Line) {
+	if _, ok := line.(gemini.LineListItem); ok {
+		if !h.list {
+			h.list = true
+			fmt.Fprint(h.out, "<ul>\n")
+		}
+	} else if h.list {
+		h.list = false
+		fmt.Fprint(h.out, "</ul>\n")
+	}
+	switch line := line.(type) {
+	case gemini.LineLink:
+		url := html.EscapeString(line.URL)
+		name := html.EscapeString(line.Name)
+		if name == "" {
+			name = url
+		}
+		fmt.Fprintf(h.out, "<p><a href='%s'>%s</a></p>\n", url, name)
+	case gemini.LinePreformattingToggle:
+		h.pre = !h.pre
+		if h.pre {
+			fmt.Fprint(h.out, "<pre>\n")
+		} else {
+			fmt.Fprint(h.out, "</pre>\n")
+		}
+	case gemini.LinePreformattedText:
+		fmt.Fprintf(h.out, "%s\n", html.EscapeString(string(line)))
+	case gemini.LineHeading1:
+		fmt.Fprintf(h.out, "<h1>%s</h1>\n", html.EscapeString(string(line)))
+	case gemini.LineHeading2:
+		fmt.Fprintf(h.out, "<h2>%s</h2>\n", html.EscapeString(string(line)))
+	case gemini.LineHeading3:
+		fmt.Fprintf(h.out, "<h3>%s</h3>\n", html.EscapeString(string(line)))
+	case gemini.LineListItem:
+		fmt.Fprintf(h.out, "<li>%s</li>\n", html.EscapeString(string(line)))
+	case gemini.LineQuote:
+		fmt.Fprintf(h.out, "<blockquote>%s</blockquote>\n", html.EscapeString(string(line)))
+	case gemini.LineText:
+		if line == "" {
+			fmt.Fprint(h.out, "<br>\n")
+		} else {
+			fmt.Fprintf(h.out, "<p>%s</p>\n", html.EscapeString(string(line)))
+		}
+	}
+}
+
+func (h *HTMLWriter) Finish() {
+	if h.pre {
+		fmt.Fprint(h.out, "</pre>\n")
+	}
+	if h.list {
+		fmt.Fprint(h.out, "</ul>\n")
+	}
 }

examples/server.go

@@ -1,80 +1,41 @@
 // +build ignore
 
+// This example illustrates a Gemini server.
+
 package main
 
 import (
-	"crypto"
 	"crypto/tls"
-	"crypto/x509"
-	"encoding/pem"
-	"fmt"
-	"io"
+	"crypto/x509/pkix"
 	"log"
-	"os"
 	"time"
 
 	"git.sr.ht/~adnano/go-gemini"
+	"git.sr.ht/~adnano/go-gemini/certificate"
 )
 
 func main() {
 	var server gemini.Server
+	server.ReadTimeout = 30 * time.Second
+	server.WriteTimeout = 1 * time.Minute
 	if err := server.Certificates.Load("/var/lib/gemini/certs"); err != nil {
 		log.Fatal(err)
 	}
 	server.CreateCertificate = func(hostname string) (tls.Certificate, error) {
-		fmt.Println("Generating certificate for", hostname)
-		cert, err := gemini.CreateCertificate(gemini.CertificateOptions{
+		return certificate.Create(certificate.CreateOptions{
+			Subject: pkix.Name{
+				CommonName: hostname,
+			},
 			DNSNames: []string{hostname},
-			Duration: time.Minute, // for testing purposes
+			Duration: 365 * 24 * time.Hour,
 		})
-		if err == nil {
-			// Write the new certificate to disk
-			err = writeCertificate("/var/lib/gemini/certs/"+hostname, cert)
-		}
-		return cert, err
 	}
 
 	var mux gemini.ServeMux
 	mux.Handle("/", gemini.FileServer(gemini.Dir("/var/www")))
 
-	server.Register("localhost", &mux)
+	server.Handle("localhost", &mux)
 	if err := server.ListenAndServe(); err != nil {
 		log.Fatal(err)
 	}
 }
-
-// writeCertificate writes the provided certificate and private key
-// to path.crt and path.key respectively.
-func writeCertificate(path string, cert tls.Certificate) error {
-	// Write the certificate
-	crtPath := path + ".crt"
-	crtOut, err := os.OpenFile(crtPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
-	if err != nil {
-		return err
-	}
-	if err := marshalX509Certificate(crtOut, cert.Leaf.Raw); err != nil {
-		return err
-	}
-
-	// Write the private key
-	keyPath := path + ".key"
-	keyOut, err := os.OpenFile(keyPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
-	if err != nil {
-		return err
-	}
-	return marshalPrivateKey(keyOut, cert.PrivateKey)
-}
-
-// marshalX509Certificate writes a PEM-encoded version of the given certificate.
-func marshalX509Certificate(w io.Writer, cert []byte) error {
-	return pem.Encode(w, &pem.Block{Type: "CERTIFICATE", Bytes: cert})
-}
-
-// marshalPrivateKey writes a PEM-encoded version of the given private key.
-func marshalPrivateKey(w io.Writer, priv crypto.PrivateKey) error {
-	privBytes, err := x509.MarshalPKCS8PrivateKey(priv)
-	if err != nil {
-		return err
-	}
-	return pem.Encode(w, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes})
-}

examples/stream.go

@@ -0,0 +1,71 @@
+// +build ignore
+
+// This example illustrates a streaming Gemini server.
+
+package main
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509/pkix"
+	"fmt"
+	"log"
+	"time"
+
+	"git.sr.ht/~adnano/go-gemini"
+	"git.sr.ht/~adnano/go-gemini/certificate"
+)
+
+func main() {
+	var server gemini.Server
+	if err := server.Certificates.Load("/var/lib/gemini/certs"); err != nil {
+		log.Fatal(err)
+	}
+	server.CreateCertificate = func(hostname string) (tls.Certificate, error) {
+		return certificate.Create(certificate.CreateOptions{
+			Subject: pkix.Name{
+				CommonName: hostname,
+			},
+			DNSNames: []string{hostname},
+			Duration: 365 * 24 * time.Hour,
+		})
+	}
+
+	server.HandleFunc("localhost", stream)
+	if err := server.ListenAndServe(); err != nil {
+		log.Fatal(err)
+	}
+}
+
+// stream writes an infinite stream to w.
+func stream(w *gemini.ResponseWriter, r *gemini.Request) {
+	ch := make(chan string)
+	ctx, cancel := context.WithCancel(context.Background())
+
+	go func(ctx context.Context) {
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			default:
+				ch <- fmt.Sprint(time.Now().UTC())
+			}
+			time.Sleep(time.Second)
+		}
+		// Close channel when finished.
+		// In this example this will never be reached.
+		close(ch)
+	}(ctx)
+
+	for {
+		s, ok := <-ch
+		if !ok {
+			break
+		}
+		fmt.Fprintln(w, s)
+		if err := w.Flush(); err != nil {
+			cancel()
+			return
+		}
+	}
+}

fs.go

@@ -14,7 +14,9 @@ func init() {
 }
 
 // FileServer takes a filesystem and returns a Responder which uses that filesystem.
-// The returned Responder sanitizes paths before handling them.
+// The returned Responder cleans paths before handling them.
+//
+// TODO: Use io/fs.FS when available.
 func FileServer(fsys FS) Responder {
 	return fsHandler{fsys}
 }
@@ -27,23 +29,27 @@ func (fsh fsHandler) Respond(w *ResponseWriter, r *Request) {
 	p := path.Clean(r.URL.Path)
 	f, err := fsh.Open(p)
 	if err != nil {
-		w.WriteStatus(StatusNotFound)
+		w.Status(StatusNotFound)
 		return
 	}
 	// Detect mimetype
 	ext := path.Ext(p)
 	mimetype := mime.TypeByExtension(ext)
-	w.SetMimetype(mimetype)
+	w.Meta(mimetype)
 	// Copy file to response writer
-	io.Copy(w, f)
+	_, _ = io.Copy(w, f)
 }
 
-// TODO: replace with io/fs.FS when available
+// FS represents a filesystem.
+//
+// TODO: Replace with io/fs.FS when available.
 type FS interface {
 	Open(name string) (File, error)
 }
 
-// TODO: replace with io/fs.File when available
+// File represents a file.
+//
+// TODO: Replace with io/fs.File when available.
 type File interface {
 	Stat() (os.FileInfo, error)
 	Read([]byte) (int, error)
@@ -51,6 +57,8 @@ type File interface {
 }
 
 // Dir implements FS using the native filesystem restricted to a specific directory.
+//
+// TODO: replace with os.DirFS when available.
 type Dir string
 
 // Open tries to open the file with the given name.
@@ -62,19 +70,20 @@ func (d Dir) Open(name string) (File, error) {
 
 // ServeFile responds to the request with the contents of the named file
 // or directory.
+//
 // TODO: Use io/fs.FS when available.
 func ServeFile(w *ResponseWriter, fs FS, name string) {
 	f, err := fs.Open(name)
 	if err != nil {
-		w.WriteStatus(StatusNotFound)
+		w.Status(StatusNotFound)
 		return
 	}
 	// Detect mimetype
 	ext := path.Ext(name)
 	mimetype := mime.TypeByExtension(ext)
-	w.SetMimetype(mimetype)
+	w.Meta(mimetype)
 	// Copy file to response writer
-	io.Copy(w, f)
+	_, _ = io.Copy(w, f)
 }
 
 func openFile(p string) (File, error) {
@@ -96,9 +105,9 @@ func openFile(p string) (File, error) {
 			if stat.Mode().IsRegular() {
 				return f, nil
 			}
-			return nil, ErrNotAFile
+			return nil, os.ErrNotExist
 		} else if !stat.Mode().IsRegular() {
-			return nil, ErrNotAFile
+			return nil, os.ErrNotExist
 		}
 	}
 	return f, nil

gemini.go

@@ -1,59 +1,15 @@
 package gemini
 
 import (
-	"crypto/tls"
-	"crypto/x509"
 	"errors"
-	"sync"
-	"time"
 )
 
 var crlf = []byte("\r\n")
 
 // Errors.
 var (
-	ErrInvalidURL            = errors.New("gemini: invalid URL")
-	ErrInvalidResponse       = errors.New("gemini: invalid response")
-	ErrCertificateUnknown    = errors.New("gemini: unknown certificate")
-	ErrCertificateExpired    = errors.New("gemini: certificate expired")
-	ErrCertificateNotTrusted = errors.New("gemini: certificate is not trusted")
-	ErrNotAFile              = errors.New("gemini: not a file")
-	ErrNotAGeminiURL         = errors.New("gemini: not a Gemini URL")
-	ErrBodyNotAllowed        = errors.New("gemini: response status code does not allow for body")
-	ErrTooManyRedirects      = errors.New("gemini: too many redirects")
-	ErrInputRequired         = errors.New("gemini: input required")
-	ErrCertificateRequired   = errors.New("gemini: certificate required")
+	ErrInvalidURL      = errors.New("gemini: invalid URL")
+	ErrInvalidRequest  = errors.New("gemini: invalid request")
+	ErrInvalidResponse = errors.New("gemini: invalid response")
+	ErrBodyNotAllowed  = errors.New("gemini: response body not allowed")
 )
-
-// DefaultClient is the default client. It is used by Get and Do.
-//
-// On the first request, DefaultClient loads the default list of known hosts.
-var DefaultClient Client
-
-// Get performs a Gemini request for the given url.
-//
-// Get is a wrapper around DefaultClient.Get.
-func Get(url string) (*Response, error) {
-	return DefaultClient.Get(url)
-}
-
-// Do performs a Gemini request and returns a Gemini response.
-//
-// Do is a wrapper around DefaultClient.Do.
-func Do(req *Request) (*Response, error) {
-	return DefaultClient.Do(req)
-}
-
-var defaultClientOnce sync.Once
-
-func init() {
-	DefaultClient.TrustCertificate = func(hostname string, cert *x509.Certificate, knownHosts *KnownHosts) error {
-		defaultClientOnce.Do(func() { knownHosts.LoadDefault() })
-		return knownHosts.Lookup(hostname, cert)
-	}
-	DefaultClient.CreateCertificate = func(hostname, path string) (tls.Certificate, error) {
-		return CreateCertificate(CertificateOptions{
-			Duration: time.Hour,
-		})
-	}
-}

mux.go

@@ -138,14 +138,14 @@ func (mux *ServeMux) Respond(w *ResponseWriter, r *Request) {
 	// If the given path is /tree and its handler is not registered,
 	// redirect for /tree/.
 	if u, ok := mux.redirectToPathSlash(path, r.URL); ok {
-		Redirect(w, u.String())
+		w.Header(StatusRedirect, u.String())
 		return
 	}
 
 	if path != r.URL.Path {
 		u := *r.URL
 		u.Path = path
-		Redirect(w, u.String())
+		w.Header(StatusRedirect, u.String())
 		return
 	}
 
@@ -154,7 +154,7 @@ func (mux *ServeMux) Respond(w *ResponseWriter, r *Request) {
 
 	resp := mux.match(path)
 	if resp == nil {
-		w.WriteStatus(StatusNotFound)
+		w.Status(StatusNotFound)
 		return
 	}
 	resp.Respond(w, r)

query.go

@@ -0,0 +1,18 @@
+package gemini
+
+import (
+	"net/url"
+	"strings"
+)
+
+// QueryEscape escapes a string for use in a Gemini URL query.
+// It is like url.PathEscape except that it also replaces plus signs
+// with their percent-encoded counterpart.
+func QueryEscape(query string) string {
+	return strings.ReplaceAll(url.PathEscape(query), "+", "%2B")
+}
+
+// QueryUnescape is identical to url.PathUnescape.
+func QueryUnescape(query string) (string, error) {
+	return url.PathUnescape(query)
+}

request.go

@@ -2,7 +2,9 @@ package gemini
 
 import (
 	"bufio"
+	"context"
 	"crypto/tls"
+	"io"
 	"net"
 	"net/url"
 )
@@ -14,23 +16,31 @@ type Request struct {
 
 	// For client requests, Host specifies the host on which the URL is sought.
 	// Host must contain a port.
+	//
 	// This field is ignored by the server.
 	Host string
 
 	// Certificate specifies the TLS certificate to use for the request.
-	// Request certificates take precedence over client certificates.
-	// This field is ignored by the server.
+	//
+	// On the server side, if the client provided a certificate then
+	// Certificate.Leaf is guaranteed to be non-nil.
 	Certificate *tls.Certificate
 
 	// RemoteAddr allows servers and other software to record the network
 	// address that sent the request.
+	//
 	// This field is ignored by the client.
 	RemoteAddr net.Addr
 
 	// TLS allows servers and other software to record information about the TLS
 	// connection on which the request was received.
+	//
 	// This field is ignored by the client.
 	TLS tls.ConnectionState
+
+	// Context specifies the context to use for client requests.
+	// If Context is nil, the background context will be used.
+	Context context.Context
 }
 
 // NewRequest returns a new request. The host is inferred from the URL.
@@ -39,15 +49,15 @@ func NewRequest(rawurl string) (*Request, error) {
 	if err != nil {
 		return nil, err
 	}
-	return NewRequestFromURL(u)
+	return NewRequestFromURL(u), nil
 }
 
 // NewRequestFromURL returns a new request for the given URL.
 // The host is inferred from the URL.
-func NewRequestFromURL(url *url.URL) (*Request, error) {
-	if url.Scheme != "" && url.Scheme != "gemini" {
-		return nil, ErrNotAGeminiURL
-	}
+//
+// Callers should be careful that the URL query is properly escaped.
+// See the documentation for QueryEscape for more information.
+func NewRequestFromURL(url *url.URL) *Request {
 	host := url.Host
 	if url.Port() == "" {
 		host += ":1965"
@@ -55,11 +65,42 @@ func NewRequestFromURL(url *url.URL) (*Request, error) {
 	return &Request{
 		URL:  url,
 		Host: host,
-	}, nil
+	}
 }
 
-// write writes the Gemini request to the provided buffered writer.
-func (r *Request) write(w *bufio.Writer) error {
+// ReadRequest reads a Gemini request from the provided io.Reader
+func ReadRequest(r io.Reader) (*Request, error) {
+	// Read URL
+	br := bufio.NewReader(r)
+	rawurl, err := br.ReadString('\r')
+	if err != nil {
+		return nil, err
+	}
+	// Read terminating line feed
+	if b, err := br.ReadByte(); err != nil {
+		return nil, err
+	} else if b != '\n' {
+		return nil, ErrInvalidRequest
+	}
+	// Trim carriage return
+	rawurl = rawurl[:len(rawurl)-1]
+	// Validate URL
+	if len(rawurl) > 1024 {
+		return nil, ErrInvalidRequest
+	}
+	u, err := url.Parse(rawurl)
+	if err != nil {
+		return nil, err
+	}
+	if u.User != nil {
+		// User is not allowed
+		return nil, ErrInvalidURL
+	}
+	return &Request{URL: u}, nil
+}
+
+// Write writes the Gemini request to the provided buffered writer.
+func (r *Request) Write(w *bufio.Writer) error {
 	url := r.URL.String()
 	// User is invalid
 	if r.URL.User != nil || len(url) > 1024 {

response.go

@@ -9,11 +9,11 @@ import (
 
 // Response is a Gemini response.
 type Response struct {
-	// Status represents the response status.
+	// Status contains the response status code.
 	Status Status
 
 	// Meta contains more information related to the response status.
-	// For successful responses, Meta should contain the mimetype of the response.
+	// For successful responses, Meta should contain the media type of the response.
 	// For failure responses, Meta should contain a short description of the failure.
 	// Meta should not be longer than 1024 bytes.
 	Meta string
@@ -21,25 +21,24 @@ type Response struct {
 	// Body contains the response body for successful responses.
 	Body io.ReadCloser
 
-	// Request is the request that was sent to obtain this Response.
-	Request *Request
-
 	// TLS contains information about the TLS connection on which the response
 	// was received.
 	TLS tls.ConnectionState
 }
 
-// read reads a Gemini response from the provided io.ReadCloser.
-func (resp *Response) read(rc io.ReadCloser) error {
+// ReadResponse reads a Gemini response from the provided io.ReadCloser.
+func ReadResponse(rc io.ReadCloser) (*Response, error) {
+	resp := &Response{}
 	br := bufio.NewReader(rc)
+
 	// Read the status
 	statusB := make([]byte, 2)
 	if _, err := br.Read(statusB); err != nil {
-		return err
+		return nil, err
 	}
 	status, err := strconv.Atoi(string(statusB))
 	if err != nil {
-		return err
+		return nil, err
 	}
 	resp.Status = Status(status)
 
@@ -47,40 +46,46 @@ func (resp *Response) read(rc io.ReadCloser) error {
 	const minStatus, maxStatus = 1, 6
 	statusClass := resp.Status.Class()
 	if statusClass < minStatus || statusClass > maxStatus {
-		return ErrInvalidResponse
+		return nil, ErrInvalidResponse
 	}
 
 	// Read one space
 	if b, err := br.ReadByte(); err != nil {
-		return err
+		return nil, err
 	} else if b != ' ' {
-		return ErrInvalidResponse
+		return nil, ErrInvalidResponse
 	}
 
 	// Read the meta
 	meta, err := br.ReadString('\r')
 	if err != nil {
-		return err
+		return nil, err
 	}
 	// Trim carriage return
 	meta = meta[:len(meta)-1]
 	// Ensure meta is less than or equal to 1024 bytes
 	if len(meta) > 1024 {
-		return ErrInvalidResponse
+		return nil, ErrInvalidResponse
+	}
+	// Default mime type of text/gemini; charset=utf-8
+	if statusClass == StatusClassSuccess && meta == "" {
+		meta = "text/gemini; charset=utf-8"
 	}
 	resp.Meta = meta
 
 	// Read terminating newline
 	if b, err := br.ReadByte(); err != nil {
-		return err
+		return nil, err
 	} else if b != '\n' {
-		return ErrInvalidResponse
+		return nil, ErrInvalidResponse
 	}
 
 	if resp.Status.Class() == StatusClassSuccess {
 		resp.Body = newReadCloserBody(br, rc)
+	} else {
+		rc.Close()
 	}
-	return nil
+	return resp, nil
 }
 
 type readCloserBody struct {
@@ -109,3 +114,92 @@ func (b *readCloserBody) Read(p []byte) (n int, err error) {
 	}
 	return b.ReadCloser.Read(p)
 }
+
+// ResponseWriter is used to construct a Gemini response.
+type ResponseWriter struct {
+	b           *bufio.Writer
+	status      Status
+	meta        string
+	setHeader   bool
+	wroteHeader bool
+	bodyAllowed bool
+}
+
+// NewResponseWriter returns a ResponseWriter that uses the provided io.Writer.
+func NewResponseWriter(w io.Writer) *ResponseWriter {
+	return &ResponseWriter{
+		b: bufio.NewWriter(w),
+	}
+}
+
+// Header sets the response header.
+func (w *ResponseWriter) Header(status Status, meta string) {
+	w.status = status
+	w.meta = meta
+}
+
+// Status sets the response status code.
+// It also sets the response meta to status.Meta().
+func (w *ResponseWriter) Status(status Status) {
+	w.status = status
+	w.meta = status.Meta()
+}
+
+// Meta sets the response meta.
+//
+// For successful responses, meta should contain the media type of the response.
+// For failure responses, meta should contain a short description of the failure.
+// The response meta should not be greater than 1024 bytes.
+func (w *ResponseWriter) Meta(meta string) {
+	w.meta = meta
+}
+
+// Write writes data to the connection as part of the response body.
+// If the response status does not allow for a response body, Write returns
+// ErrBodyNotAllowed.
+//
+// Write writes the response header if it has not already been written.
+// It writes a successful status code if one is not set.
+func (w *ResponseWriter) Write(b []byte) (int, error) {
+	if !w.wroteHeader {
+		w.writeHeader(StatusSuccess)
+	}
+	if !w.bodyAllowed {
+		return 0, ErrBodyNotAllowed
+	}
+	return w.b.Write(b)
+}
+
+func (w *ResponseWriter) writeHeader(defaultStatus Status) {
+	status := w.status
+	if status == 0 {
+		status = defaultStatus
+	}
+
+	meta := w.meta
+	if status.Class() == StatusClassSuccess {
+		w.bodyAllowed = true
+
+		if meta == "" {
+			meta = "text/gemini"
+		}
+	}
+
+	w.b.WriteString(strconv.Itoa(int(status)))
+	w.b.WriteByte(' ')
+	w.b.WriteString(meta)
+	w.b.Write(crlf)
+	w.wroteHeader = true
+}
+
+// Flush writes any buffered data to the underlying io.Writer.
+//
+// Flush writes the response header if it has not already been written.
+// It writes a failure status code if one is not set.
+func (w *ResponseWriter) Flush() error {
+	if !w.wroteHeader {
+		w.writeHeader(StatusTemporaryFailure)
+	}
+	// Write errors from writeHeader will be returned here.
+	return w.b.Flush()
+}

server.go

@@ -1,15 +1,14 @@
 package gemini
 
 import (
-	"bufio"
 	"crypto/tls"
-	"crypto/x509"
+	"errors"
 	"log"
 	"net"
-	"net/url"
-	"strconv"
 	"strings"
 	"time"
+
+	"git.sr.ht/~adnano/go-gemini/certificate"
 )
 
 // Server is a Gemini server.
@@ -18,35 +17,41 @@ type Server struct {
 	// If Addr is empty, the server will listen on the address ":1965".
 	Addr string
 
+	// ReadTimeout is the maximum duration for reading a request.
+	ReadTimeout time.Duration
+
+	// WriteTimeout is the maximum duration before timing out
+	// writes of the response.
+	WriteTimeout time.Duration
+
 	// Certificates contains the certificates used by the server.
-	Certificates CertificateStore
+	Certificates certificate.Dir
 
 	// CreateCertificate, if not nil, will be called to create a new certificate
 	// if the current one is expired or missing.
 	CreateCertificate func(hostname string) (tls.Certificate, error)
 
+	// ErrorLog specifies an optional logger for errors accepting connections
+	// and file system errors.
+	// If nil, logging is done via the log package's standard logger.
+	ErrorLog *log.Logger
+
 	// registered responders
 	responders map[responderKey]Responder
+	hosts      map[string]bool
 }
 
 type responderKey struct {
 	scheme   string
 	hostname string
-	wildcard bool
 }
 
-// Register registers a responder for the given pattern.
+// Handle registers a responder for the given pattern.
 //
-// Patterns must be in the form of hostname or scheme://hostname
-// (e.g. gemini://example.com).
-// If no scheme is specified, a default scheme of gemini:// is assumed.
-//
-// Wildcard patterns are supported (e.g. *.example.com).
-// To register a certificate for a wildcard hostname, call Certificates.Add:
-//
-//     var s gemini.Server
-//     s.Certificates.Add("*.example.com", cert)
-func (s *Server) Register(pattern string, responder Responder) {
+// The pattern must be in the form of "hostname" or "scheme://hostname".
+// If no scheme is specified, a scheme of "gemini://" is implied.
+// Wildcard patterns are supported (e.g. "*.example.com").
+func (s *Server) Handle(pattern string, responder Responder) {
 	if pattern == "" {
 		panic("gemini: invalid pattern")
 	}
@@ -55,6 +60,7 @@ func (s *Server) Register(pattern string, responder Responder) {
 	}
 	if s.responders == nil {
 		s.responders = map[responderKey]Responder{}
+		s.hosts = map[string]bool{}
 	}
 
 	split := strings.SplitN(pattern, "://", 2)
@@ -66,21 +72,17 @@ func (s *Server) Register(pattern string, responder Responder) {
 		key.scheme = "gemini"
 		key.hostname = split[0]
 	}
-	split = strings.SplitN(key.hostname, ".", 2)
-	if len(split) == 2 && split[0] == "*" {
-		key.hostname = split[1]
-		key.wildcard = true
-	}
 
 	if _, ok := s.responders[key]; ok {
 		panic("gemini: multiple registrations for " + pattern)
 	}
 	s.responders[key] = responder
+	s.hosts[key.hostname] = true
 }
 
-// RegisterFunc registers a responder function for the given pattern.
-func (s *Server) RegisterFunc(pattern string, responder func(*ResponseWriter, *Request)) {
-	s.Register(pattern, ResponderFunc(responder))
+// HandleFunc registers a responder function for the given pattern.
+func (s *Server) HandleFunc(pattern string, responder func(*ResponseWriter, *Request)) {
+	s.Handle(pattern, ResponderFunc(responder))
 }
 
 // ListenAndServe listens for requests at the server's configured address.
@@ -120,7 +122,7 @@ func (s *Server) Serve(l net.Listener) error {
 				if max := 1 * time.Second; tempDelay > max {
 					tempDelay = max
 				}
-				log.Printf("gemini: Accept error: %v; retrying in %v", err, tempDelay)
+				s.logf("gemini: Accept error: %v; retrying in %v", err, tempDelay)
 				time.Sleep(tempDelay)
 				continue
 			}
@@ -135,196 +137,109 @@ func (s *Server) Serve(l net.Listener) error {
 }
 
 func (s *Server) getCertificate(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	cert, err := s.Certificates.Lookup(h.ServerName)
-	switch err {
-	case ErrCertificateExpired, ErrCertificateUnknown:
-		if s.CreateCertificate != nil {
-			cert, err := s.CreateCertificate(h.ServerName)
-			if err == nil {
-				s.Certificates.Add(h.ServerName, cert)
-			}
-			return &cert, err
+	cert, err := s.getCertificateFor(h.ServerName)
+	if err != nil {
+		// Try wildcard
+		wildcard := strings.SplitN(h.ServerName, ".", 2)
+		if len(wildcard) == 2 {
+			cert, err = s.getCertificateFor("*." + wildcard[1])
 		}
 	}
 	return cert, err
 }
 
+func (s *Server) getCertificateFor(hostname string) (*tls.Certificate, error) {
+	if _, ok := s.hosts[hostname]; !ok {
+		return nil, errors.New("hostname not registered")
+	}
+
+	// Generate a new certificate if it is missing or expired
+	cert, ok := s.Certificates.Lookup(hostname)
+	if !ok || cert.Leaf != nil && cert.Leaf.NotAfter.Before(time.Now()) {
+		if s.CreateCertificate != nil {
+			cert, err := s.CreateCertificate(hostname)
+			if err == nil {
+				if err := s.Certificates.Add(hostname, cert); err != nil {
+					s.logf("gemini: Failed to write new certificate for %s: %s", hostname, err)
+				}
+			}
+			return &cert, err
+		}
+		return nil, errors.New("no certificate")
+	}
+	return &cert, nil
+}
+
 // respond responds to a connection.
 func (s *Server) respond(conn net.Conn) {
-	r := bufio.NewReader(conn)
-	w := newResponseWriter(conn)
-	// Read requested URL
-	rawurl, err := r.ReadString('\r')
+	defer conn.Close()
+	if d := s.ReadTimeout; d != 0 {
+		_ = conn.SetReadDeadline(time.Now().Add(d))
+	}
+	if d := s.WriteTimeout; d != 0 {
+		_ = conn.SetWriteDeadline(time.Now().Add(d))
+	}
+
+	w := NewResponseWriter(conn)
+	defer func() {
+		_ = w.Flush()
+	}()
+
+	req, err := ReadRequest(conn)
 	if err != nil {
+		w.Status(StatusBadRequest)
 		return
 	}
-	// Read terminating line feed
-	if b, err := r.ReadByte(); err != nil {
+
+	// Store information about the TLS connection
+	if tlsConn, ok := conn.(*tls.Conn); ok {
+		req.TLS = tlsConn.ConnectionState()
+		if len(req.TLS.PeerCertificates) > 0 {
+			peerCert := req.TLS.PeerCertificates[0]
+			// Store the TLS certificate
+			req.Certificate = &tls.Certificate{
+				Certificate: [][]byte{peerCert.Raw},
+				Leaf:        peerCert,
+			}
+		}
+	}
+
+	resp := s.responder(req)
+	if resp == nil {
+		w.Status(StatusNotFound)
 		return
-	} else if b != '\n' {
-		w.WriteHeader(StatusBadRequest, "Bad request")
 	}
-	// Trim carriage return
-	rawurl = rawurl[:len(rawurl)-1]
-	// Ensure URL is valid
-	if len(rawurl) > 1024 {
-		w.WriteHeader(StatusBadRequest, "Bad request")
-	} else if url, err := url.Parse(rawurl); err != nil || url.User != nil {
-		// Note that we return an error status if User is specified in the URL
-		w.WriteHeader(StatusBadRequest, "Bad request")
-	} else {
-		// If no scheme is specified, assume a default scheme of gemini://
-		if url.Scheme == "" {
-			url.Scheme = "gemini"
-		}
-		req := &Request{
-			URL:        url,
-			RemoteAddr: conn.RemoteAddr(),
-			TLS:        conn.(*tls.Conn).ConnectionState(),
-		}
-		resp := s.responder(req)
-		if resp != nil {
-			resp.Respond(w, req)
-		} else {
-			w.WriteStatus(StatusNotFound)
-		}
-	}
-	w.b.Flush()
-	conn.Close()
+
+	resp.Respond(w, req)
 }
 
 func (s *Server) responder(r *Request) Responder {
-	if h, ok := s.responders[responderKey{r.URL.Scheme, r.URL.Hostname(), false}]; ok {
+	if h, ok := s.responders[responderKey{r.URL.Scheme, r.URL.Hostname()}]; ok {
 		return h
 	}
 	wildcard := strings.SplitN(r.URL.Hostname(), ".", 2)
 	if len(wildcard) == 2 {
-		if h, ok := s.responders[responderKey{r.URL.Scheme, wildcard[1], true}]; ok {
+		if h, ok := s.responders[responderKey{r.URL.Scheme, "*." + wildcard[1]}]; ok {
 			return h
 		}
 	}
 	return nil
 }
 
-// ResponseWriter is used by a Gemini handler to construct a Gemini response.
-type ResponseWriter struct {
-	b           *bufio.Writer
-	bodyAllowed bool
-	wroteHeader bool
-	mimetype    string
-}
-
-func newResponseWriter(conn net.Conn) *ResponseWriter {
-	return &ResponseWriter{
-		b: bufio.NewWriter(conn),
+func (s *Server) logf(format string, args ...interface{}) {
+	if s.ErrorLog != nil {
+		s.ErrorLog.Printf(format, args...)
+	} else {
+		log.Printf(format, args...)
 	}
 }
 
-// WriteHeader writes the response header.
-// If the header has already been written, WriteHeader does nothing.
-//
-// Meta contains more information related to the response status.
-// For successful responses, Meta should contain the mimetype of the response.
-// For failure responses, Meta should contain a short description of the failure.
-// Meta should not be longer than 1024 bytes.
-func (w *ResponseWriter) WriteHeader(status Status, meta string) {
-	if w.wroteHeader {
-		return
-	}
-	w.b.WriteString(strconv.Itoa(int(status)))
-	w.b.WriteByte(' ')
-	w.b.WriteString(meta)
-	w.b.Write(crlf)
-
-	// Only allow body to be written on successful status codes.
-	if status.Class() == StatusClassSuccess {
-		w.bodyAllowed = true
-	}
-	w.wroteHeader = true
-}
-
-// WriteStatus writes the response header with the given status code.
-func (w *ResponseWriter) WriteStatus(status Status) {
-	w.WriteHeader(status, status.Message())
-}
-
-// SetMimetype sets the mimetype that will be written for a successful response.
-// The provided mimetype will only be used if Write is called without calling
-// WriteHeader.
-// If the mimetype is not set, it will default to "text/gemini".
-func (w *ResponseWriter) SetMimetype(mimetype string) {
-	w.mimetype = mimetype
-}
-
-// Write writes the response body.
-// If the response status does not allow for a response body, Write returns
-// ErrBodyNotAllowed.
-//
-// If WriteHeader has not yet been called, Write calls
-// WriteHeader(StatusSuccess, mimetype) where mimetype is the mimetype set in
-// SetMimetype. If no mimetype is set, a default of "text/gemini" will be used.
-func (w *ResponseWriter) Write(b []byte) (int, error) {
-	if !w.wroteHeader {
-		mimetype := w.mimetype
-		if mimetype == "" {
-			mimetype = "text/gemini"
-		}
-		w.WriteHeader(StatusSuccess, mimetype)
-	}
-	if !w.bodyAllowed {
-		return 0, ErrBodyNotAllowed
-	}
-	return w.b.Write(b)
-}
-
 // A Responder responds to a Gemini request.
 type Responder interface {
 	// Respond accepts a Request and constructs a Response.
 	Respond(*ResponseWriter, *Request)
 }
 
-// Input returns the request query.
-// If no input is provided, it responds with StatusInput.
-func Input(w *ResponseWriter, r *Request, prompt string) (string, bool) {
-	if r.URL.ForceQuery || r.URL.RawQuery != "" {
-		query, err := url.QueryUnescape(r.URL.RawQuery)
-		return query, err == nil
-	}
-	w.WriteHeader(StatusInput, prompt)
-	return "", false
-}
-
-// SensitiveInput returns the request query.
-// If no input is provided, it responds with StatusSensitiveInput.
-func SensitiveInput(w *ResponseWriter, r *Request, prompt string) (string, bool) {
-	if r.URL.ForceQuery || r.URL.RawQuery != "" {
-		query, err := url.QueryUnescape(r.URL.RawQuery)
-		return query, err == nil
-	}
-	w.WriteHeader(StatusSensitiveInput, prompt)
-	return "", false
-}
-
-// Redirect replies to the request with a redirect to the given URL.
-func Redirect(w *ResponseWriter, url string) {
-	w.WriteHeader(StatusRedirect, url)
-}
-
-// PermanentRedirect replies to the request with a permanent redirect to the given URL.
-func PermanentRedirect(w *ResponseWriter, url string) {
-	w.WriteHeader(StatusRedirectPermanent, url)
-}
-
-// Certificate returns the request certificate. If one is not provided,
-// it returns nil and responds with StatusCertificateRequired.
-func Certificate(w *ResponseWriter, r *Request) (*x509.Certificate, bool) {
-	if len(r.TLS.PeerCertificates) == 0 {
-		w.WriteStatus(StatusCertificateRequired)
-		return nil, false
-	}
-	return r.TLS.PeerCertificates[0], true
-}
-
 // ResponderFunc is a wrapper around a bare function that implements Responder.
 type ResponderFunc func(*ResponseWriter, *Request)
 

status.go

@@ -8,7 +8,7 @@ const (
 	StatusSensitiveInput           Status = 11
 	StatusSuccess                  Status = 20
 	StatusRedirect                 Status = 30
-	StatusRedirectPermanent        Status = 31
+	StatusPermanentRedirect        Status = 31
 	StatusTemporaryFailure         Status = 40
 	StatusServerUnavailable        Status = 41
 	StatusCGIError                 Status = 42
@@ -41,19 +41,11 @@ func (s Status) Class() StatusClass {
 	return StatusClass(s / 10)
 }
 
-// Message returns a status message corresponding to this status code.
-func (s Status) Message() string {
+// Meta returns a description of the status code appropriate for use in a response.
+//
+// Meta returns an empty string for input, success, and redirect status codes.
+func (s Status) Meta() string {
 	switch s {
-	case StatusInput:
-		return "Input"
-	case StatusSensitiveInput:
-		return "Sensitive input"
-	case StatusSuccess:
-		return "Success"
-	case StatusRedirect:
-		return "Redirect"
-	case StatusRedirectPermanent:
-		return "Permanent redirect"
 	case StatusTemporaryFailure:
 		return "Temporary failure"
 	case StatusServerUnavailable:

text.go

@@ -87,58 +87,70 @@ func (l LineText) line()                {}
 // Text represents a Gemini text response.
 type Text []Line
 
-// Parse parses Gemini text from the provided io.Reader.
-func Parse(r io.Reader) Text {
-	const spacetab = " \t"
+// ParseText parses Gemini text from the provided io.Reader.
+func ParseText(r io.Reader) (Text, error) {
 	var t Text
+	err := ParseLines(r, func(line Line) {
+		t = append(t, line)
+	})
+	return t, err
+}
+
+// ParseLines parses Gemini text from the provided io.Reader.
+// It calls handler with each line that it parses.
+func ParseLines(r io.Reader, handler func(Line)) error {
+	const spacetab = " \t"
 	var pre bool
 	scanner := bufio.NewScanner(r)
 	for scanner.Scan() {
-		line := scanner.Text()
-		if strings.HasPrefix(line, "```") {
+		var line Line
+		text := scanner.Text()
+		if strings.HasPrefix(text, "```") {
 			pre = !pre
-			line = line[3:]
-			t = append(t, LinePreformattingToggle(line))
+			text = text[3:]
+			line = LinePreformattingToggle(text)
 		} else if pre {
-			t = append(t, LinePreformattedText(line))
-		} else if strings.HasPrefix(line, "=>") {
-			line = line[2:]
-			line = strings.TrimLeft(line, spacetab)
-			split := strings.IndexAny(line, spacetab)
+			line = LinePreformattedText(text)
+		} else if strings.HasPrefix(text, "=>") {
+			text = text[2:]
+			text = strings.TrimLeft(text, spacetab)
+			split := strings.IndexAny(text, spacetab)
 			if split == -1 {
-				// line is a URL
-				t = append(t, LineLink{URL: line})
+				// text is a URL
+				line = LineLink{URL: text}
 			} else {
-				url := line[:split]
-				name := line[split:]
+				url := text[:split]
+				name := text[split:]
 				name = strings.TrimLeft(name, spacetab)
-				t = append(t, LineLink{url, name})
+				line = LineLink{url, name}
 			}
-		} else if strings.HasPrefix(line, "*") {
-			line = line[1:]
-			line = strings.TrimLeft(line, spacetab)
-			t = append(t, LineListItem(line))
-		} else if strings.HasPrefix(line, "###") {
-			line = line[3:]
-			line = strings.TrimLeft(line, spacetab)
-			t = append(t, LineHeading3(line))
-		} else if strings.HasPrefix(line, "##") {
-			line = line[2:]
-			line = strings.TrimLeft(line, spacetab)
-			t = append(t, LineHeading2(line))
-		} else if strings.HasPrefix(line, "#") {
-			line = line[1:]
-			line = strings.TrimLeft(line, spacetab)
-			t = append(t, LineHeading1(line))
-		} else if strings.HasPrefix(line, ">") {
-			line = line[1:]
-			line = strings.TrimLeft(line, spacetab)
-			t = append(t, LineQuote(line))
+		} else if strings.HasPrefix(text, "*") {
+			text = text[1:]
+			text = strings.TrimLeft(text, spacetab)
+			line = LineListItem(text)
+		} else if strings.HasPrefix(text, "###") {
+			text = text[3:]
+			text = strings.TrimLeft(text, spacetab)
+			line = LineHeading3(text)
+		} else if strings.HasPrefix(text, "##") {
+			text = text[2:]
+			text = strings.TrimLeft(text, spacetab)
+			line = LineHeading2(text)
+		} else if strings.HasPrefix(text, "#") {
+			text = text[1:]
+			text = strings.TrimLeft(text, spacetab)
+			line = LineHeading1(text)
+		} else if strings.HasPrefix(text, ">") {
+			text = text[1:]
+			text = strings.TrimLeft(text, spacetab)
+			line = LineQuote(text)
 		} else {
-			t = append(t, LineText(line))
+			line = LineText(text)
 		}
+		handler(line)
 	}
-	return t
+
+	return scanner.Err()
 }
 
 // String writes the Gemini text response to a string and returns it.

tofu.go

@@ -1,196 +0,0 @@
-package gemini
-
-import (
-	"bufio"
-	"crypto/sha512"
-	"crypto/x509"
-	"fmt"
-	"io"
-	"os"
-	"path/filepath"
-	"strconv"
-	"strings"
-	"time"
-)
-
-// KnownHosts represents a list of known hosts.
-// The zero value for KnownHosts is an empty list ready to use.
-type KnownHosts struct {
-	hosts map[string]certInfo
-	file  *os.File
-}
-
-// LoadDefault loads the known hosts from the default known hosts path, which is
-// $XDG_DATA_HOME/gemini/known_hosts.
-// It creates the path and any of its parent directories if they do not exist.
-// KnownHosts will append to the file whenever a certificate is added.
-func (k *KnownHosts) LoadDefault() error {
-	path, err := defaultKnownHostsPath()
-	if err != nil {
-		return err
-	}
-	return k.Load(path)
-}
-
-// Load loads the known hosts from the provided path.
-// It creates the path and any of its parent directories if they do not exist.
-// KnownHosts will append to the file whenever a certificate is added.
-func (k *KnownHosts) Load(path string) error {
-	if dir := filepath.Dir(path); dir != "." {
-		err := os.MkdirAll(dir, 0755)
-		if err != nil {
-			return err
-		}
-	}
-	f, err := os.OpenFile(path, os.O_CREATE|os.O_RDONLY, 0644)
-	if err != nil {
-		return err
-	}
-	k.Parse(f)
-	f.Close()
-	// Open the file for append-only use
-	f, err = os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0644)
-	if err != nil {
-		return err
-	}
-	k.file = f
-	return nil
-}
-
-// Add adds a certificate to the list of known hosts.
-// If KnownHosts was loaded from a file, Add will append to the file.
-func (k *KnownHosts) Add(hostname string, cert *x509.Certificate) {
-	k.add(hostname, cert, true)
-}
-
-// AddTemporary adds a certificate to the list of known hosts
-// without writing it to the known hosts file.
-func (k *KnownHosts) AddTemporary(hostname string, cert *x509.Certificate) {
-	k.add(hostname, cert, false)
-}
-
-func (k *KnownHosts) add(hostname string, cert *x509.Certificate, write bool) {
-	if k.hosts == nil {
-		k.hosts = map[string]certInfo{}
-	}
-	info := certInfo{
-		Algorithm:   "SHA-512",
-		Fingerprint: Fingerprint(cert),
-		Expires:     cert.NotAfter.Unix(),
-	}
-	k.hosts[hostname] = info
-	// Append to the file
-	if write && k.file != nil {
-		appendKnownHost(k.file, hostname, info)
-	}
-}
-
-// Lookup looks for the provided certificate in the list of known hosts.
-// If the hostname is in the list, but the fingerprint differs,
-// Lookup returns ErrCertificateNotTrusted.
-// If the hostname is not in the list, Lookup returns ErrCertificateUnknown.
-// If the certificate is found and the fingerprint matches, error will be nil.
-func (k *KnownHosts) Lookup(hostname string, cert *x509.Certificate) error {
-	now := time.Now().Unix()
-	fingerprint := Fingerprint(cert)
-	if c, ok := k.hosts[hostname]; ok {
-		if c.Expires <= now {
-			// Certificate is expired
-			return ErrCertificateUnknown
-		}
-		if c.Fingerprint != fingerprint {
-			// Fingerprint does not match
-			return ErrCertificateNotTrusted
-		}
-		// Certificate is trusted
-		return nil
-	}
-	return ErrCertificateUnknown
-}
-
-// Parse parses the provided reader and adds the parsed known hosts to the list.
-// Invalid lines are ignored.
-func (k *KnownHosts) Parse(r io.Reader) {
-	if k.hosts == nil {
-		k.hosts = map[string]certInfo{}
-	}
-	scanner := bufio.NewScanner(r)
-	for scanner.Scan() {
-		text := scanner.Text()
-		parts := strings.Split(text, " ")
-		if len(parts) < 4 {
-			continue
-		}
-
-		hostname := parts[0]
-		algorithm := parts[1]
-		if algorithm != "SHA-512" {
-			continue
-		}
-		fingerprint := parts[2]
-		expires, err := strconv.ParseInt(parts[3], 10, 0)
-		if err != nil {
-			continue
-		}
-
-		k.hosts[hostname] = certInfo{
-			Algorithm:   algorithm,
-			Fingerprint: fingerprint,
-			Expires:     expires,
-		}
-	}
-}
-
-// Write writes the known hosts to the provided io.Writer.
-func (k *KnownHosts) Write(w io.Writer) {
-	for h, c := range k.hosts {
-		appendKnownHost(w, h, c)
-	}
-}
-
-type certInfo struct {
-	Algorithm   string // fingerprint algorithm e.g. SHA-512
-	Fingerprint string // fingerprint in hexadecimal, with ':' between each octet
-	Expires     int64  // unix time of certificate notAfter date
-}
-
-func appendKnownHost(w io.Writer, hostname string, c certInfo) (int, error) {
-	return fmt.Fprintf(w, "%s %s %s %d\n", hostname, c.Algorithm, c.Fingerprint, c.Expires)
-}
-
-// Fingerprint returns the SHA-512 fingerprint of the provided certificate.
-func Fingerprint(cert *x509.Certificate) string {
-	sum512 := sha512.Sum512(cert.Raw)
-	var b strings.Builder
-	for i, f := range sum512 {
-		if i > 0 {
-			b.WriteByte(':')
-		}
-		fmt.Fprintf(&b, "%02X", f)
-	}
-	return b.String()
-}
-
-// defaultKnownHostsPath returns the default known_hosts path.
-// The default path is $XDG_DATA_HOME/gemini/known_hosts
-func defaultKnownHostsPath() (string, error) {
-	dataDir, err := userDataDir()
-	if err != nil {
-		return "", err
-	}
-	return filepath.Join(dataDir, "gemini", "known_hosts"), nil
-}
-
-// userDataDir returns the user data directory.
-func userDataDir() (string, error) {
-	dataDir, ok := os.LookupEnv("XDG_DATA_HOME")
-	if ok {
-		return dataDir, nil
-	}
-
-	home, err := os.UserHomeDir()
-	if err != nil {
-		return "", err
-	}
-	return filepath.Join(home, ".local", "share"), nil
-}

tofu/tofu.go

@@ -0,0 +1,344 @@
+// Package tofu implements trust on first use using hosts and fingerprints.
+package tofu
+
+import (
+	"bufio"
+	"bytes"
+	"crypto/sha512"
+	"crypto/x509"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"sort"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+)
+
+// KnownHosts represents a list of known hosts.
+// The zero value for KnownHosts represents an empty list ready to use.
+//
+// KnownHosts is safe for concurrent use by multiple goroutines.
+type KnownHosts struct {
+	hosts map[string]Host
+	mu    sync.RWMutex
+}
+
+// Add adds a host to the list of known hosts.
+func (k *KnownHosts) Add(h Host) error {
+	k.mu.Lock()
+	defer k.mu.Unlock()
+	if k.hosts == nil {
+		k.hosts = map[string]Host{}
+	}
+
+	k.hosts[h.Hostname] = h
+	return nil
+}
+
+// Lookup returns the known host entry corresponding to the given hostname.
+func (k *KnownHosts) Lookup(hostname string) (Host, bool) {
+	k.mu.RLock()
+	defer k.mu.RUnlock()
+	c, ok := k.hosts[hostname]
+	return c, ok
+}
+
+// Entries returns the known host entries sorted by hostname.
+func (k *KnownHosts) Entries() []Host {
+	keys := make([]string, 0, len(k.hosts))
+	for key := range k.hosts {
+		keys = append(keys, key)
+	}
+	sort.Strings(keys)
+
+	hosts := make([]Host, 0, len(k.hosts))
+	for _, key := range keys {
+		hosts = append(hosts, k.hosts[key])
+	}
+	return hosts
+}
+
+// WriteTo writes the list of known hosts to the provided io.Writer.
+func (k *KnownHosts) WriteTo(w io.Writer) (int64, error) {
+	k.mu.RLock()
+	defer k.mu.RUnlock()
+
+	var written int
+
+	bw := bufio.NewWriter(w)
+	for _, h := range k.hosts {
+		n, err := bw.WriteString(h.String())
+		written += n
+		if err != nil {
+			return int64(written), err
+		}
+
+		bw.WriteByte('\n')
+		written += 1
+	}
+
+	return int64(written), bw.Flush()
+}
+
+// Load loads the known hosts entries from the provided path.
+func (k *KnownHosts) Load(path string) error {
+	f, err := os.Open(path)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	return k.Parse(f)
+}
+
+// Parse parses the provided io.Reader and adds the parsed hosts to the list.
+// Invalid entries are ignored.
+//
+// For more control over errors encountered during parsing, use bufio.Scanner
+// in combination with ParseHost. For example:
+//
+//    var knownHosts tofu.KnownHosts
+//    scanner := bufio.NewScanner(r)
+//    for scanner.Scan() {
+//        host, err := tofu.ParseHost(scanner.Bytes())
+//        if err != nil {
+//            // handle error
+//        } else {
+//            knownHosts.Add(host)
+//        }
+//    }
+//    err := scanner.Err()
+//    if err != nil {
+//        // handle error
+//    }
+//
+func (k *KnownHosts) Parse(r io.Reader) error {
+	k.mu.Lock()
+	defer k.mu.Unlock()
+
+	if k.hosts == nil {
+		k.hosts = map[string]Host{}
+	}
+
+	scanner := bufio.NewScanner(r)
+	for scanner.Scan() {
+		text := scanner.Bytes()
+		if len(text) == 0 {
+			continue
+		}
+
+		h, err := ParseHost(text)
+		if err != nil {
+			continue
+		}
+
+		k.hosts[h.Hostname] = h
+	}
+
+	return scanner.Err()
+}
+
+// TOFU implements basic trust on first use.
+//
+// If the host is not on file, it is added to the list.
+// If the host on file is expired, it is replaced with the provided host.
+// If the fingerprint does not match the one on file, an error is returned.
+func (k *KnownHosts) TOFU(hostname string, cert *x509.Certificate) error {
+	host := NewHost(hostname, cert.Raw, cert.NotAfter)
+
+	knownHost, ok := k.Lookup(hostname)
+	if !ok || time.Now().After(knownHost.Expires) {
+		k.Add(host)
+		return nil
+	}
+
+	// Check fingerprint
+	if !bytes.Equal(knownHost.Fingerprint, host.Fingerprint) {
+		return fmt.Errorf("fingerprint for %q does not match", hostname)
+	}
+
+	return nil
+}
+
+// HostWriter writes host entries to an io.WriteCloser.
+//
+// HostWriter is safe for concurrent use by multiple goroutines.
+type HostWriter struct {
+	bw *bufio.Writer
+	cl io.Closer
+	mu sync.Mutex
+}
+
+// NewHostWriter returns a new host writer that writes to
+// the provided io.WriteCloser.
+func NewHostWriter(w io.WriteCloser) *HostWriter {
+	return &HostWriter{
+		bw: bufio.NewWriter(w),
+		cl: w,
+	}
+}
+
+// NewHostsFile returns a new host writer that appends to the file at the given path.
+// The file is created if it does not exist.
+func NewHostsFile(path string) (*HostWriter, error) {
+	f, err := os.OpenFile(path, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
+	if err != nil {
+		return nil, err
+	}
+	return NewHostWriter(f), nil
+}
+
+// WriteHost writes the host to the underlying io.Writer.
+func (h *HostWriter) WriteHost(host Host) error {
+	h.mu.Lock()
+	defer h.mu.Unlock()
+
+	h.bw.WriteString(host.String())
+	h.bw.WriteByte('\n')
+
+	if err := h.bw.Flush(); err != nil {
+		return fmt.Errorf("failed to write host: %w", err)
+	}
+	return nil
+}
+
+// Close closes the underlying io.Closer.
+func (h *HostWriter) Close() error {
+	h.mu.Lock()
+	defer h.mu.Unlock()
+	return h.cl.Close()
+}
+
+// Host represents a host entry with a fingerprint using a certain algorithm.
+type Host struct {
+	Hostname    string      // hostname
+	Algorithm   string      // fingerprint algorithm e.g. SHA-512
+	Fingerprint Fingerprint // fingerprint
+	Expires     time.Time   // unix time of the fingerprint expiration date
+}
+
+// NewHost returns a new host with a SHA-512 fingerprint of
+// the provided raw data.
+func NewHost(hostname string, raw []byte, expires time.Time) Host {
+	sum := sha512.Sum512(raw)
+
+	return Host{
+		Hostname:    hostname,
+		Algorithm:   "SHA-512",
+		Fingerprint: sum[:],
+		Expires:     expires,
+	}
+}
+
+// ParseHost parses a host from the provided text.
+func ParseHost(text []byte) (Host, error) {
+	var h Host
+	err := h.UnmarshalText(text)
+	return h, err
+}
+
+// String returns a string representation of the host.
+func (h Host) String() string {
+	var b strings.Builder
+	b.WriteString(h.Hostname)
+	b.WriteByte(' ')
+	b.WriteString(h.Algorithm)
+	b.WriteByte(' ')
+	b.WriteString(h.Fingerprint.String())
+	b.WriteByte(' ')
+	b.WriteString(strconv.FormatInt(h.Expires.Unix(), 10))
+	return b.String()
+}
+
+// UnmarshalText unmarshals the host from the provided text.
+func (h *Host) UnmarshalText(text []byte) error {
+	const format = "hostname algorithm hex-fingerprint expiry-unix-ts"
+
+	parts := bytes.Split(text, []byte(" "))
+	if len(parts) != 4 {
+		return fmt.Errorf(
+			"expected the format %q", format)
+	}
+
+	if len(parts[0]) == 0 {
+		return errors.New("empty hostname")
+	}
+
+	h.Hostname = string(parts[0])
+
+	algorithm := string(parts[1])
+	if algorithm != "SHA-512" {
+		return fmt.Errorf(
+			"unsupported algorithm %q", algorithm)
+	}
+
+	h.Algorithm = algorithm
+
+	fingerprint := make([]byte, 0, sha512.Size)
+	scanner := bufio.NewScanner(bytes.NewReader(parts[2]))
+	scanner.Split(scanFingerprint)
+
+	for scanner.Scan() {
+		b, err := strconv.ParseUint(scanner.Text(), 16, 8)
+		if err != nil {
+			return fmt.Errorf("failed to parse fingerprint hash: %w", err)
+		}
+		fingerprint = append(fingerprint, byte(b))
+	}
+
+	if len(fingerprint) != sha512.Size {
+		return fmt.Errorf("invalid fingerprint size %d, expected %d",
+			len(fingerprint), sha512.Size)
+	}
+
+	h.Fingerprint = fingerprint
+
+	unix, err := strconv.ParseInt(string(parts[3]), 10, 0)
+	if err != nil {
+		return fmt.Errorf(
+			"invalid unix timestamp: %w", err)
+	}
+
+	h.Expires = time.Unix(unix, 0)
+
+	return nil
+}
+
+func scanFingerprint(data []byte, atEOF bool) (advance int, token []byte, err error) {
+	if atEOF && len(data) == 0 {
+		return 0, nil, nil
+	}
+	if i := bytes.IndexByte(data, ':'); i >= 0 {
+		// We have a full newline-terminated line.
+		return i + 1, data[0:i], nil
+	}
+
+	// If we're at EOF, we have a final, non-terminated hex byte
+	if atEOF {
+		return len(data), data, nil
+	}
+
+	// Request more data.
+	return 0, nil, nil
+}
+
+// Fingerprint represents a fingerprint.
+type Fingerprint []byte
+
+// String returns a string representation of the fingerprint.
+func (f Fingerprint) String() string {
+	var sb strings.Builder
+
+	for i, b := range f {
+		if i > 0 {
+			sb.WriteByte(':')
+		}
+
+		fmt.Fprintf(&sb, "%02X", b)
+	}
+
+	return sb.String()
+}