Fork of go-gemini

Go to file

adnano a691e3cc8b Fix README.md		2020-09-27 16:31:41 -04:00
examples	Update documentation	2020-09-27 16:21:56 -04:00
.gitignore	Implement certificate creation	2020-09-27 13:50:48 -04:00
cert.go	Implement certificate creation	2020-09-27 13:50:48 -04:00
client.go	Make TrustCertificate accept hostname instead of request	2020-09-27 16:10:36 -04:00
gemini_test.go	Add test	2020-09-25 11:27:26 -04:00
gemini.go	Make TrustCertificate accept hostname instead of request	2020-09-27 16:10:36 -04:00
go.mod	Initial commit	2020-09-21 15:49:09 -04:00
LICENSE	Temporarily allow common names in certificates	2020-09-27 15:57:55 -04:00
README.md	Fix README.md	2020-09-27 16:31:41 -04:00
server.go	Reject requests containing '..' in them	2020-09-26 17:13:13 -04:00
tofu.go	Fix hosts not being added to known hosts file	2020-09-27 16:06:17 -04:00
verify.go	Temporarily allow common names in certificates	2020-09-27 15:57:55 -04:00

README.md

go-gemini

go-gemini implements the Gemini protocol in Go.

It aims to provide an API similar to that of net/http to make it easy to develop Gemini clients and servers.

Examples

See examples/client and examples/server for an example client and server.

To run the examples:

go run -tags=example ./examples/server

Overview

A quick overview of the Gemini protocol:

Client opens connection
Server accepts connection
Client and server complete a TLS handshake
Client validates server certificate
Client sends request
Server sends response header
Server sends response body (only for successful responses)
Server closes connection
Client handles response

The way this is implemented in this package is like so:

Client makes a request with NewRequest. The client then sends the request with (*Client).Send(*Request) (*Response, error). The client then determines whether to trust the certificate (see TOFU).
Server recieves the request and constructs a response. The server calls the Serve(*ResponseWriter, *Request) method on the Handler field. The handler writes the response. The server then closes the connection.
Client recieves the response as a *Response. The client then handles the response.

TOFU

go-gemini makes it easy to implement Trust On First Use in your clients.

The default client loads known hosts from $XDG_DATA_HOME/gemini/known_hosts. If that is all you need, you can simply use the top-level Send function:

// Send uses the default client, which will load the default list of known hosts.
req := gemini.NewRequest("gemini://example.com")
gemini.Send(req)

Clients can also load their own list of known hosts:

client := &Client{}
if err := client.KnownHosts.LoadFrom("path/to/my/known_hosts"); err != nil {
	log.Fatal(err)
}

Clients can then specify how to trust certificates in the TrustCertificate field:

client.TrustCertificate = func(hostname string, cert *x509.Certificate, knownHosts *gemini.KnownHosts) error {
	// If the certificate is in the known hosts list, allow the connection
	return knownHosts.Lookup(hostname, cert)
}

Advanced clients can prompt the user for what to do when encountering an unknown certificate:

client.TrustCertificate = func(hostname string, cert *x509.Certificate, knownHosts *gemini.KnownHosts) error {
	err := knownHosts.Lookup(cert)
	if err != nil {
		switch err {
		case gemini.ErrCertificateNotTrusted:
			// Alert the user that the certificate is not trusted
			fmt.Printf("Warning: certificate for %s is not trusted!\n", hostname)
			fmt.Println("This could indicate a Man-in-the-Middle attack.")
		case gemini.ErrCertificateUnknown:
			// Prompt the user to trust the certificate
			if userTrustsCertificateTemporarily() {
				// Temporarily trust the certificate
				return nil
			} else if userTrustsCertificatePermanently() {
				// Add the certificate to the known hosts file
				knownHosts.Add(cert)
				return nil
			}
		}
	}
	return err
}

See examples/client for an example client.