astro

a POSIX shell compatible gemini client (mirror of https://github.com/blmayer/astro)
git clone https://git.clttr.info/astro.git

commit 64cf47c485c5bb8b4f19e9044be2e4a05e77002d
parent d7fdc4ecb4782467c1344459d0d84e25f83840c6
Author: René Wagner <rwa@clttr.info>
Date:   Thu, 16 Dec 2021 21:03:29 +0100

implement basic client cert handling

Load a client cert and key if one is available for
the domain of the current request.

Shows a message with an openssl command to create a
new cert when a request requires a cert but none is
found.

Diffstat:
M README.md | 10 +++++++++-
M astro     | 20 +++++++++++++++++---
2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md @@ -26,6 +26,15 @@ no arguments takes you to *gemini.circumlunar.space*: `astro` +### Client certificates + +astro can work with client certificates if capsules requires them for authentication. + +astro allows a single client certificate per (sub)domain identified by it's name. If a client cert for a specific domain is available astro will send it to the server with every request. + +When a resource requires a client cert and astro can't find one it will show you a command to create a client cert for the capsule. + +The certicates are stored in `~/.config/astro/certs/`. ### Key bindings @@ -41,7 +50,6 @@ no arguments takes you to *gemini.circumlunar.space*: More coming. - ### Configuration You can setup a config file at `~/.config/astro/astro.conf` to configure *astro* the way you like. diff --git a/astro b/astro @@ -105,8 +105,15 @@ fetch() { echo "$1://$2:$3/$4$5" >> "$histfile" clear - echo "$1://$2:$3/$4$5" | openssl s_client \ - -connect "$2:$3" -crlf -quiet \ + certfile="" + if [ -f "$certdir/$2.crt" ] && [ -f "$certdir/$2.key" ] + then + certfile="-cert \"$certdir/$2.crt\" -key \"$certdir/$2.key\"" + [ "$debug" ] && echo "using client cert for domain: $certfile" >&2 + fi + + echo "$1://$2:$3/$4$5" | eval openssl s_client \ + -connect "$2:$3" $certfile -crlf -quiet \ -ign_eof 2> /dev/null | { # First line is status and meta information @@ -168,6 +175,11 @@ fetch() { return 12 ;; 60) + echo "client certificate required, to create a client cert use the following command:" >&2 + echo "openssl req -x509 -newkey rsa:4096 \\" >&2 + echo " -keyout $certdir/$2.key \\" >&2 + echo " -out $certdir/$2.crt \\" >&2 + echo " -days 36500 -nodes" >&2 return 13 ;; 61) 
@@ -298,10 +310,12 @@ confighome=${XDG_CONFIG_HOME:-$HOME/.config} mkdir -p "$confighome/astro" configfile="$confighome/astro/astro.conf" bookmarkfile="$confighome/astro/bookmarks" +certdir="$confighome/astro/certs" +mkdir -p "$certdir" cachehome=${XDG_CACHE_HOME:-$HOME/.cache} -mkdir -p "$cachehome/astro" cachedir="$cachehome/astro" +mkdir -p "$cachedir" histfile="$cachedir/history" # move old bookmark file to new location
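Review bot: in the first README.md hunk, the new "Client certificates" section says a cert is "identified by it's name" but never states the file names the code actually tests for, `$certdir/$2.crt` and `$certdir/$2.key`, so a user who already has a certificate cannot tell where to put it. Spell out the `<domain>.crt` / `<domain>.key` naming next to the `~/.config/astro/certs/` sentence. While there, fix "if capsules requires" to "if a capsule requires", "it's name" to "its name" and "certicates" to "certificates".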
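Review bot: in the fetch() hunk of astro, `eval openssl s_client -connect "$2:$3" $certfile` makes the shell parse the expanded host and port a second time, so a URL whose host or port contains shell metacharacters is interpreted as shell code instead of being handed to openssl as an argument. The eval exists only to make the escaped quotes inside `certfile` work; drop it and either branch into two plain invocations (with and without `-cert "$certdir/$2.crt" -key "$certdir/$2.key"`) or pass the two paths through a small helper function so every expansion stays quoted. Because `$2` also builds the file names in the `-f` tests, reject a host containing `/` before looking it up under `$certdir`. The existing `2> /dev/null` will also hide any openssl error about loading the cert or key, which makes a bad cert file hard to diagnose.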
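Review bot: in the status 60 branch, the printed command ends in `-nodes`, so the private key is written unencrypted, and the `-keyout` and `-out` paths are echoed unquoted, which breaks the pasted command when `$certdir` contains a space. Quote both paths in the message and say in the message that the key is stored without a passphrase, or add a `chmod 600` line for the key file to the printed command. `-days 36500` gives the certificate a lifetime of roughly 100 years; a short comment on why that value was chosen would help.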
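Review bot: in the configuration hunk, `mkdir -p "$certdir"` creates the directory that will hold private keys with whatever mode the current umask allows. Follow it with `chmod 700 "$certdir"` so the keys are not readable by other local users. The `cachedir` reordering in the same hunk is unrelated to client certs and would be easier to review as its own commit.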