gophi/gemini/cgi.go

package gemini

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"gophi/core"
)

// Mapped to tls.Version__ where:
// value - 0x300 = index.
// Deprecated versions will always be
// prefixed by 'DEPRECATED'
var tlsVersionStrings = []string{
	"DEPRECATED:SSLv3",
	"TLSv1.0",
	"TLSv1.1",
	"TLSv1.2",
	"TLSv1.3",
}

func certSha256Hash(cert *x509.Certificate) string {
	checksum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(checksum[:])
}

func appendCgiEnv(client *core.Client, request *core.Request, env []string) []string {
	// Build and append the full gemini url
	env = append(env, "GEMINI_URL=gemini://"+core.Hostname+":"+core.Port+request.Path().Selector())

	// Cast client underlying net.Conn as tls.Conn
	tlsConn := client.Conn().Conn().(*tls.Conn)
	state := tlsConn.ConnectionState()

	// Append TLS env vars
	env = append(env, "TLS_CIPHER="+tls.CipherSuiteName(state.CipherSuite))
	env = append(env, "TLS_VERSION="+tlsVersionStrings[state.Version-0x300])

	// Append TLS client cert vars (if present!)
	clientCerts := state.PeerCertificates
	if len(clientCerts) > 0 {
		// Only use first if multiple client
		// certs available
		cert := clientCerts[0]

		// Verify client cert
		var isVerified string
		_, err := cert.Verify(x509.VerifyOptions{})
		if err != nil {
			isVerified = "FAILED:" + err.Error()
		} else {
			isVerified = "SUCCESS"
		}

		// Set user cert environment vars
		env = append(env, "AUTH_TYPE=Certificate")
		env = append(env, "REMOTE_USER="+cert.Subject.CommonName)
		env = append(env, "TLS_CLIENT_HASH=SHA256:"+certSha256Hash(cert))
		env = append(env, "TLS_CLIENT_NOT_BEFORE="+cert.NotBefore.String())
		env = append(env, "TLS_CLIENT_NOT_AFTER="+cert.NotAfter.String())
		env = append(env, "TLS_CLIENT_ISSUER="+cert.Issuer.String())
		env = append(env, "TLS_CLIENT_SUBJECT="+cert.Subject.String())
		env = append(env, "TLS_CLIENT_VERIFIED="+isVerified)
	}

	return env
}