10 files changed, 220 insertions, 29 deletions
diff --git a/Embed.cmake b/Embed.cmake
index 16c47683..810c947b 100644
--- a/Embed.cmake
+++ b/Embed.cmake
@@ -69,6 +69,7 @@ function (embed_make)
    endif ()
    if (needGen)
        if (EMBED_IN_EXECUTABLE)
+            # Compose a source file with the resource data in an array.
            file (WRITE ${EMB_H} "#include <the_Foundation/block.h>\n")
            file (WRITE ${EMB_C} "#include \"embedded.h\"\n")
            foreach (fn ${ARGV})
@@ -76,6 +77,7 @@ function (embed_make)
                embed_write (${fn} ${resName} ${EMB_C} ${EMB_H})
            endforeach (fn)
        else ()
+            # Collect resources in a single binary file.
            set (EMB_BIN ${CMAKE_CURRENT_BINARY_DIR}/resources.bin)
            file (REMOVE ${EMB_BIN})
            execute_process (COMMAND cat ${ARGV} OUTPUT_FILE ${EMB_BIN}
diff --git a/src/app.c b/src/app.c
index 46235206..21028edc 100644
--- a/src/app.c
+++ b/src/app.c
@@ -41,7 +41,8 @@ static const char *dataDir_App_ = "~/Library/Application Support/fi.skyjake.Lagr
 static const char *dataDir_App_ = "~/AppData/Roaming/fi.skyjake.Lagrange";
 #endif
 #if defined (iPlatformLinux)
-#define EMB_BIN "../../share/lagrange/resources.bin"
+#define EMB_BIN  "../../share/lagrange/resources.bin"
+#define EMB_BIN2 "../resources.bin" /* try from build dir as well */
 static const char *dataDir_App_ = "~/.config/lagrange";
 #endif
 static const char *prefsFileName_App_   = "prefs.cfg";
@@ -152,9 +153,11 @@ static void init_App_(iApp *d, int argc, char **argv) {
    load_History(d->history, dataDir_App_);
 #if defined (iHaveLoadEmbed)
    /* Load the resources from a file. */ {
-        if (!load_Embed(concatPath_CStr(cstr_String(execPath_App()), EMB_BIN))) {
+        if (!load_Embed(concatPath_CStr(cstr_String(execPath_App()), "../resources.bin"))) {
-            fprintf(stderr, "failed to load resources.bin\n");
+            if (!load_Embed(concatPath_CStr(cstr_String(execPath_App()), EMB_BIN))) {
-            exit(-1);
+                fprintf(stderr, "failed to load resources.bin: %s\n", strerror(errno));
+                exit(-1);
+            }
        }
    }
 #endif
@@ -311,6 +314,10 @@ void addTicker_App(void (*ticker)(iAny *), iAny *context) {
    insert_SortedArray(&d->tickers, &(iTicker){ context, ticker });
 }
+iGmCerts *certs_App(void) {
+    return app_.certs;
+}
 const iHistory *history_App(void) {
    return app_.history;
 }
diff --git a/src/gmcerts.c b/src/gmcerts.c
index cb4d8477..0aa084a4 100644
--- a/src/gmcerts.c
+++ b/src/gmcerts.c
@@ -1,15 +1,134 @@
 #include "gmcerts.h"
+#include <the_Foundation/file.h>
+#include <the_Foundation/path.h>
+#include <the_Foundation/regexp.h>
+#include <the_Foundation/stringhash.h>
+#include <the_Foundation/time.h>
+#include <ctype.h>
+static const char *filename_GmCerts_ = "trusted.txt";
+iDeclareClass(TrustEntry)
+struct Impl_TrustEntry {
+    iObject object;
+    iBlock fingerprint;
+    iTime validUntil;
+};
+void init_TrustEntry(iTrustEntry *d, const iBlock *fingerprint, const iDate *until) {
+    initCopy_Block(&d->fingerprint, fingerprint);
+    init_Time(&d->validUntil, until);
+}
+void deinit_TrustEntry(iTrustEntry *d) {
+    deinit_Block(&d->fingerprint);
+}
+iDefineObjectConstructionArgs(TrustEntry, (const iBlock *fingerprint, const iDate *until), fingerprint, until)
+iDefineClass(TrustEntry)
+/*-----------------------------------------------------------------------------------------------*/
 struct Impl_GmCerts {
    iString saveDir;
+    iStringHash *trusted;
 };
 iDefineTypeConstructionArgs(GmCerts, (const char *saveDir), saveDir)
+static void save_GmCerts_(const iGmCerts *d) {
+    iBeginCollect();
+    iFile *f = new_File(collect_String(concatCStr_Path(&d->saveDir, filename_GmCerts_)));
+    if (open_File(f, writeOnly_FileMode | text_FileMode)) {
+        iString line;
+        init_String(&line);
+        iConstForEach(StringHash, i, d->trusted) {
+            const iTrustEntry *trust = value_StringHashNode(i.value);
+            format_String(&line,
+                          "%s %ld %s\n",
+                          cstr_String(key_StringHashConstIterator(&i)),
+                          integralSeconds_Time(&trust->validUntil),
+                          cstrCollect_String(hexEncode_Block(&trust->fingerprint)));
+            write_File(f, &line.chars);
+        }
+        deinit_String(&line);
+    }
+    iRelease(f);
+    iEndCollect();
+}
+static void load_GmCerts_(iGmCerts *d) {
+    iFile *f = new_File(collect_String(concatCStr_Path(&d->saveDir, filename_GmCerts_)));
+    if (open_File(f, readOnly_FileMode | text_FileMode)) {
+        iRegExp *      pattern = new_RegExp("([^\\s]+) ([0-9]+) ([a-z0-9]+)", 0);
+        const iRangecc src     = range_Block(collect_Block(readAll_File(f)));
+        iRangecc       line    = iNullRange;
+        while (nextSplit_Rangecc(&src, "\n", &line)) {
+            iRegExpMatch m;
+            if (matchRange_RegExp(pattern, line, &m)) {
+                const iRangecc domain = capturedRange_RegExpMatch(&m, 1);
+                const iRangecc until  = capturedRange_RegExpMatch(&m, 2);
+                const iRangecc fp     = capturedRange_RegExpMatch(&m, 3);
+                time_t sec;
+                sscanf(until.start, "%ld", &sec);
+                iDate untilDate;
+                initSinceEpoch_Date(&untilDate, sec);
+                insert_StringHash(d->trusted,
+                                  collect_String(newRange_String(domain)),
+                                  new_TrustEntry(collect_Block(hexDecode_Rangecc(fp)),
+                                                 &untilDate));
+            }
+        }
+        iRelease(pattern);
+    }
+    iRelease(f);
+}
 void init_GmCerts(iGmCerts *d, const char *saveDir) {
    initCStr_String(&d->saveDir, saveDir);
+    d->trusted = new_StringHash();
+    load_GmCerts_(d);
 }
-void deinit_GmCerts(iGmCerts *d) {
+void deinit_GmCerts(iGmCerts *d) {    
+    iRelease(d->trusted);
    deinit_String(&d->saveDir);
 }
+iBool checkTrust_GmCerts(iGmCerts *d, iRangecc domain, const iTlsCertificate *cert) {
+    if (!cert) {
+        return iFalse;
+    }
+    if (isExpired_TlsCertificate(cert)) {
+        return iFalse;
+    }
+    if (!verifyDomain_TlsCertificate(cert, domain)) {
+        return iFalse;
+    }
+    /* Good certificate. If not already trusted, add it now. */
+    const iString *key = collect_String(newRange_String(domain));
+    iDate until;
+    validUntil_TlsCertificate(cert, &until);
+    iBlock *fingerprint = collect_Block(fingerprint_TlsCertificate(cert));
+    iTrustEntry *trust = value_StringHash(d->trusted, key);
+    if (trust) {
+        /* We already have it, check if it matches the one we trust for this domain (if it's
+           still valid. */
+        iTime now;
+        initCurrent_Time(&now);
+        if (secondsSince_Time(&trust->validUntil, &now) > 0) {
+            /* Trusted cert is still valid. */
+            return cmp_Block(fingerprint, &trust->fingerprint) == 0;
+        }
+        /* Update the trusted cert. */
+        init_Time(&trust->validUntil, &until);
+        set_Block(&trust->fingerprint, fingerprint);
+    }
+    else {
+        insert_StringHash(d->trusted, key, iClob(new_TrustEntry(fingerprint, &until)));
+    }
+    save_GmCerts_(d);
+    return iTrue;
+}
diff --git a/src/gmcerts.h b/src/gmcerts.h
index 1990463c..a3df8f33 100644
--- a/src/gmcerts.h
+++ b/src/gmcerts.h
@@ -4,3 +4,5 @@
 iDeclareType(GmCerts)
 iDeclareTypeConstructionArgs(GmCerts, const char *saveDir)
+iBool   checkTrust_GmCerts  (iGmCerts *, iRangecc domain, const iTlsCertificate *cert);
diff --git a/src/gmdocument.h b/src/gmdocument.h
index db5a5451..215dcdb5 100644
--- a/src/gmdocument.h
+++ b/src/gmdocument.h
@@ -1,6 +1,6 @@
 #pragma once
-#include "gemini.h"
+#include "gmutil.h"
 #include <the_Foundation/object.h>
 #include <the_Foundation/rect.h>
 #include <the_Foundation/string.h>
diff --git a/src/gmrequest.c b/src/gmrequest.c
index 32b386b2..dc08d23b 100644
--- a/src/gmrequest.c
+++ b/src/gmrequest.c
@@ -1,5 +1,7 @@
 #include "gmrequest.h"
 #include "gmutil.h"
+#include "gmcerts.h"
+#include "app.h"
 #include <the_Foundation/file.h>
 #include <the_Foundation/tlsrequest.h>
@@ -20,7 +22,7 @@ struct Impl_GmRequest {
    iObject object;
    iMutex mutex;
    enum iGmRequestState state;
-    enum iGmRequestCertification certState;
+    int certFlags;
    iString url;
    iTlsRequest *req;
    enum iGmStatusCode code;
@@ -38,7 +40,7 @@ iDefineAudienceGetter(GmRequest, finished)
 void init_GmRequest(iGmRequest *d) {
    init_Mutex(&d->mutex);
    d->state = initialized_GmRequestState;
-    d->certState = notApplicable_GmRequestCertification;
+    d->certFlags = 0;
    init_String(&d->url);
    d->req = NULL;
    d->code = none_GmStatusCode;
@@ -165,11 +167,25 @@ static void requestFinished_GmRequest_(iAnyObject *obj) {
    }
    SDL_RemoveTimer(d->timeoutId);
    d->timeoutId = 0;
-    d->state = finished_GmRequestState;
+    d->state     = finished_GmRequestState;
-#if 1
+    d->certFlags = 0;
    /* Check the server certificate. */ {
-        d->certState = invalid_GmRequestCertification; /* check trust */
        const iTlsCertificate *cert = serverCertificate_TlsRequest(d->req);
+        if (cert) {
+            iGmCerts *     certDb = certs_App();
+            const iRangecc domain = urlHost_String(&d->url);
+            d->certFlags |= available_GmRequestCertFlag;
+            if (!isExpired_TlsCertificate(cert)) {
+                d->certFlags |= timeVerified_GmRequestCertFlag;
+            }
+            if (verifyDomain_TlsCertificate(cert, domain)) {
+                d->certFlags |= domainVerified_GmRequestCertFlag;
+            }
+            if (checkTrust_GmCerts(certDb, domain, cert)) {
+                d->certFlags |= trusted_GmRequestCertFlag;
+            }
+        }
+#if 0
        printf("Server certificate:\n%s\n", cstrLocal_String(pem_TlsCertificate(cert)));
        iBlock *sha = fingerprint_TlsCertificate(cert);
        printf("Fingerprint: %s\n",
@@ -188,8 +204,8 @@ static void requestFinished_GmRequest_(iAnyObject *obj) {
                   verifyDomain_TlsCertificate(cert, parts.host) ? "valid" : "not valid");
        }
        fflush(stdout);
-    }
 #endif
+    }
    unlock_Mutex(&d->mutex);
    iNotifyAudience(d, finished, GmRequestFinished);
 }
@@ -211,7 +227,7 @@ void submit_GmRequest(iGmRequest *d) {
            /* TODO: Check supported file types: images, audio */
            /* TODO: Detect text files based on contents? E.g., is the content valid UTF-8. */
            d->code = success_GmStatusCode;
-            d->certState = notApplicable_GmRequestCertification;
+            d->certFlags = 0;
            if (endsWithCase_String(path, ".gmi")) {
                setCStr_String(&d->header, "text/gemini; charset=utf-8");
            }
@@ -231,6 +247,7 @@ void submit_GmRequest(iGmRequest *d) {
                setCStr_String(&d->header, "application/octet-stream");
            }
            set_Block(&d->body, collect_Block(readAll_File(f)));
+            d->state = receivingBody_GmRequestState;
            iNotifyAudience(d, updated, GmRequestUpdated);
        }
        else {
@@ -238,14 +255,14 @@ void submit_GmRequest(iGmRequest *d) {
            setCStr_String(&d->header, cstr_String(path));
        }
        iRelease(f);
+        d->certFlags = 0;
        d->state = finished_GmRequestState;
-        d->certState = notApplicable_GmRequestCertification;
        iNotifyAudience(d, finished, GmRequestFinished);
        return;
    }
    else if (equalCase_Rangecc(&url.protocol, "data")) {
        d->code = success_GmStatusCode;
-        d->certState = notApplicable_GmRequestCertification;
+        d->certFlags = 0;
        iString *src = collectNewCStr_String(url.protocol.start + 5);
        iRangecc header = { constBegin_String(src), constBegin_String(src) };
        while (header.end < constEnd_String(src) && *header.end != ',') {
@@ -269,6 +286,8 @@ void submit_GmRequest(iGmRequest *d) {
            set_String(src, collect_String(urlDecode_String(src)));
        }
        set_Block(&d->body, &src->chars);
+        d->state = receivingBody_GmRequestState;
+        iNotifyAudience(d, updated, GmRequestUpdated);
        d->state = finished_GmRequestState;
        iNotifyAudience(d, finished, GmRequestFinished);
        return;
@@ -314,4 +333,14 @@ const iString *url_GmRequest(const iGmRequest *d) {
    return &d->url;
 }
+int certFlags_GmRequest(const iGmRequest *d) {
+    return d->certFlags;
+}
+iDate certExpirationDate_GmRequest(const iGmRequest *d) {
+    iDate expiry;
+    validUntil_TlsCertificate(serverCertificate_TlsRequest(d->req), &expiry);
+    return expiry;
+}
 iDefineClass(GmRequest)
diff --git a/src/gmrequest.h b/src/gmrequest.h
index 37f324eb..500ed71b 100644
--- a/src/gmrequest.h
+++ b/src/gmrequest.h
@@ -1,9 +1,9 @@
 #pragma once
 #include <the_Foundation/audience.h>
-#include <the_Foundation/object.h>
+#include <the_Foundation/tlsrequest.h>
-#include "gemini.h"
+#include "gmutil.h"
 iDeclareClass(GmRequest)
 iDeclareObjectConstruction(GmRequest)
@@ -16,11 +16,11 @@ iDeclareAudienceGetter(GmRequest, finished)
 void    setUrl_GmRequest    (iGmRequest *, const iString *url);
 void    submit_GmRequest    (iGmRequest *);
-enum iGmRequestCertification {
+enum iGmRequestCertFlags {
-    notApplicable_GmRequestCertification,
+    available_GmRequestCertFlag      = iBit(1), /* certificate provided by server */
-    invalid_GmRequestCertification,
+    trusted_GmRequestCertFlag        = iBit(2), /* TOFU status */
-    valid_GmRequestCertification,
+    timeVerified_GmRequestCertFlag   = iBit(3), /* has not expired */
-    expired_GmRequestCertification,
+    domainVerified_GmRequestCertFlag = iBit(4), /* cert matches server domain */
 };
 iBool               isFinished_GmRequest    (const iGmRequest *);
@@ -28,3 +28,6 @@ enum iGmStatusCode  status_GmRequest        (const iGmRequest *);
 const iString *     meta_GmRequest          (const iGmRequest *);
 const iBlock  *     body_GmRequest          (const iGmRequest *);
 const iString *     url_GmRequest           (const iGmRequest *);
+int                 certFlags_GmRequest         (const iGmRequest *);
+iDate               certExpirationDate_GmRequest(const iGmRequest *);
diff --git a/src/gmutil.c b/src/gmutil.c
index bf08e960..0caadd32 100644
--- a/src/gmutil.c
+++ b/src/gmutil.c
@@ -1,5 +1,4 @@
 #include "gmutil.h"
-#include "gemini.h"
 #include <the_Foundation/regexp.h>
 #include <the_Foundation/object.h>
@@ -88,6 +87,12 @@ void cleanUrlPath_String(iString *d) {
    deinit_String(&clean);
 }
+iRangecc urlHost_String(const iString *d) {
+    iUrl url;
+    init_Url(&url, d);
+    return url.host;
+}
 const iString *absoluteUrl_String(const iString *d, const iString *urlMaybeRelative) {
    iUrl orig;
    iUrl rel;
diff --git a/src/gmutil.h b/src/gmutil.h
index 3342b262..6c1b01ad 100644
--- a/src/gmutil.h
+++ b/src/gmutil.h
@@ -54,5 +54,6 @@ struct Impl_Url {
 void            init_Url                (iUrl *, const iString *text);
+iRangecc        urlHost_String          (const iString *);
 const iString * absoluteUrl_String      (const iString *, const iString *urlMaybeRelative);
 void            urlEncodeSpaces_String  (iString *);
diff --git a/src/ui/documentwidget.c b/src/ui/documentwidget.c
index 954ded0c..4c20a188 100644
--- a/src/ui/documentwidget.c
+++ b/src/ui/documentwidget.c
@@ -1,11 +1,11 @@
 #include "documentwidget.h"
 #include "scrollwidget.h"
 #include "inputwidget.h"
+#include "labelwidget.h"
 #include "paint.h"
 #include "command.h"
 #include "util.h"
 #include "app.h"
-#include "../gemini.h"
 #include "../gmdocument.h"
 #include "../gmrequest.h"
 #include "../gmutil.h"
@@ -406,13 +406,37 @@ static void scrollTo_DocumentWidget_(iDocumentWidget *d, int documentY) {
    scroll_DocumentWidget_(d, 0); /* clamp it */
 }
-static void checkResponseCode_DocumentWidget_(iDocumentWidget *d) {
+static void updateTrust_DocumentWidget_(iDocumentWidget *d) {
+    iAssert(d->request);
+#define openLock_CStr   "\U0001f513"
+#define closedLock_CStr "\U0001f512"
+    int certFlags = certFlags_GmRequest(d->request);
+    iLabelWidget *lock = findWidget_App("navbar.lock");
+    if (~certFlags & available_GmRequestCertFlag) {
+        setFlags_Widget(as_Widget(lock), disabled_WidgetFlag, iTrue);
+        updateTextCStr_LabelWidget(lock, gray50_ColorEscape openLock_CStr);
+        return;
+    }
+    setFlags_Widget(as_Widget(lock), disabled_WidgetFlag, iFalse);
+    if (~certFlags & domainVerified_GmRequestCertFlag) {
+        updateTextCStr_LabelWidget(lock, red_ColorEscape closedLock_CStr);
+    }
+    else if (certFlags & trusted_GmRequestCertFlag) {
+        updateTextCStr_LabelWidget(lock, green_ColorEscape closedLock_CStr);
+    }
+    else {
+        updateTextCStr_LabelWidget(lock, orange_ColorEscape closedLock_CStr);
+    }
+}
+static void checkResponse_DocumentWidget_(iDocumentWidget *d) {
    if (!d->request) {
        return;
    }
    enum iGmStatusCode statusCode = status_GmRequest(d->request);
    if (d->state == fetching_DocumentState) {
        d->state = receivedPartialResponse_DocumentState;
+        updateTrust_DocumentWidget_(d);
        switch (statusCode / 10) {
            case 1: /* input required */ {
                iUrl parts;
@@ -594,14 +618,13 @@ static iBool processEvent_DocumentWidget_(iDocumentWidget *d, const SDL_Event *e
    }
    else if (isCommand_Widget(w, ev, "document.request.updated") &&
             pointerLabel_Command(command_UserEvent(ev), "request") == d->request) {
-        checkResponseCode_DocumentWidget_(d);
+        checkResponse_DocumentWidget_(d);
-//        updateSource_DocumentWidget_(d);
        return iFalse;
    }
    else if (isCommand_Widget(w, ev, "document.request.finished") &&
             pointerLabel_Command(command_UserEvent(ev), "request") == d->request) {
-//        updateSource_DocumentWidget_(d);
+        iAssert(d->state == receivedPartialResponse_DocumentState); /* must already have been updated at least once */
-        checkResponseCode_DocumentWidget_(d);
+        checkResponse_DocumentWidget_(d);
        d->state = ready_DocumentState;
        iReleasePtr(&d->request);
        postCommandf_App("document.changed url:%s", cstr_String(d->url));