mirror of
https://git.sr.ht/~adnano/go-gemini
synced 2025-05-03 12:45:24 +02:00
103 lines
3.0 KiB
Go
103 lines
3.0 KiB
Go
package gemini
|
|
|
|
import (
|
|
"bufio"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
)
|
|
|
|
// Client represents a Gemini client.
|
|
type Client struct {
|
|
// KnownHosts is a list of known hosts that the client trusts.
|
|
KnownHosts KnownHosts
|
|
|
|
// CertificateStore maps hostnames to certificates.
|
|
// It is used to determine which certificate to use when the server requests
|
|
// a certificate.
|
|
CertificateStore CertificateStore
|
|
|
|
// GetCertificate, if not nil, will be called when a server requests a certificate.
|
|
// The returned certificate will be used when sending the request again.
|
|
// If the certificate is nil, the request will not be sent again and
|
|
// the response will be returned.
|
|
GetCertificate func(hostname string, store *CertificateStore) *tls.Certificate
|
|
|
|
// TrustCertificate, if not nil, will be called to determine whether the
|
|
// client should trust the given certificate.
|
|
// If error is not nil, the connection will be aborted.
|
|
TrustCertificate func(hostname string, cert *x509.Certificate, knownHosts *KnownHosts) error
|
|
}
|
|
|
|
// Send sends a Gemini request and returns a Gemini response.
|
|
func (c *Client) Send(req *Request) (*Response, error) {
|
|
// Connect to the host
|
|
config := &tls.Config{
|
|
InsecureSkipVerify: true,
|
|
MinVersion: tls.VersionTLS12,
|
|
GetClientCertificate: func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
|
// Request certificates take precedence over client certificates
|
|
if req.Certificate != nil {
|
|
return req.Certificate, nil
|
|
}
|
|
// If we have already stored the certificate, return it
|
|
if cert, err := c.CertificateStore.Lookup(hostname(req.Host)); err == nil {
|
|
return cert, nil
|
|
}
|
|
return &tls.Certificate{}, nil
|
|
},
|
|
VerifyConnection: func(cs tls.ConnectionState) error {
|
|
cert := cs.PeerCertificates[0]
|
|
// Verify the hostname
|
|
if err := verifyHostname(cert, hostname(req.Host)); err != nil {
|
|
return err
|
|
}
|
|
// Check that the client trusts the certificate
|
|
if c.TrustCertificate == nil {
|
|
if err := c.KnownHosts.Lookup(hostname(req.Host), cert); err != nil {
|
|
return err
|
|
}
|
|
} else if err := c.TrustCertificate(hostname(req.Host), cert, &c.KnownHosts); err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
},
|
|
}
|
|
conn, err := tls.Dial("tcp", req.Host, config)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer conn.Close()
|
|
|
|
// Write the request
|
|
w := bufio.NewWriter(conn)
|
|
req.write(w)
|
|
if err := w.Flush(); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Read the response
|
|
resp := &Response{}
|
|
r := bufio.NewReader(conn)
|
|
if err := resp.read(r); err != nil {
|
|
return nil, err
|
|
}
|
|
// Store connection information
|
|
resp.TLS = conn.ConnectionState()
|
|
|
|
// Resend the request with a certificate if the server responded
|
|
// with CertificateRequired
|
|
if resp.Status == StatusCertificateRequired {
|
|
// Check to see if a certificate was already provided to prevent an infinite loop
|
|
if req.Certificate != nil {
|
|
return resp, nil
|
|
}
|
|
if c.GetCertificate != nil {
|
|
if cert := c.GetCertificate(hostname(req.Host), &c.CertificateStore); cert != nil {
|
|
req.Certificate = cert
|
|
return c.Send(req)
|
|
}
|
|
}
|
|
}
|
|
return resp, nil
|
|
}
|