Major refactoring.
+ Many lib functions have been split out into separate packages. + Adding cert/key generation tooling. + Add new time.Duration parser.
This commit is contained in:
@@ -12,6 +12,8 @@ import (
|
||||
"git.wntrmute.dev/kyle/goutils/certlib/verify"
|
||||
"git.wntrmute.dev/kyle/goutils/die"
|
||||
"git.wntrmute.dev/kyle/goutils/lib"
|
||||
"git.wntrmute.dev/kyle/goutils/lib/dialer"
|
||||
"git.wntrmute.dev/kyle/goutils/lib/fetch"
|
||||
)
|
||||
|
||||
//go:embed testdata/*.pem
|
||||
@@ -137,11 +139,11 @@ func selftest() int {
|
||||
func main() {
|
||||
var skipVerify, useStrict bool
|
||||
|
||||
lib.StrictTLSFlag(&useStrict)
|
||||
dialer.StrictTLSFlag(&useStrict)
|
||||
flag.BoolVar(&skipVerify, "k", false, "don't verify certificates")
|
||||
flag.Parse()
|
||||
|
||||
tcfg, err := lib.BaselineTLSConfig(skipVerify, useStrict)
|
||||
tcfg, err := dialer.BaselineTLSConfig(skipVerify, useStrict)
|
||||
die.If(err)
|
||||
|
||||
args := flag.Args()
|
||||
@@ -171,7 +173,7 @@ func main() {
|
||||
for _, arg := range args {
|
||||
var cert *x509.Certificate
|
||||
|
||||
cert, err = lib.GetCertificate(arg, tcfg)
|
||||
cert, err = fetch.GetCertificate(arg, tcfg)
|
||||
if err != nil {
|
||||
lib.Warn(err, "while parsing certificate from %s", arg)
|
||||
continue
|
||||
|
||||
@@ -15,7 +15,7 @@ import (
|
||||
hosts "git.wntrmute.dev/kyle/goutils/certlib/hosts"
|
||||
"git.wntrmute.dev/kyle/goutils/certlib/revoke"
|
||||
"git.wntrmute.dev/kyle/goutils/fileutil"
|
||||
"git.wntrmute.dev/kyle/goutils/lib"
|
||||
"git.wntrmute.dev/kyle/goutils/lib/dialer"
|
||||
)
|
||||
|
||||
var (
|
||||
@@ -39,7 +39,7 @@ func main() {
|
||||
|
||||
revoke.HardFail = hardfail
|
||||
// Build a proxy-aware HTTP client for OCSP/CRL fetches
|
||||
if httpClient, err := lib.NewHTTPClient(lib.DialerOpts{Timeout: timeout}); err == nil {
|
||||
if httpClient, err := dialer.NewHTTPClient(dialer.DialerOpts{Timeout: timeout}); err == nil {
|
||||
revoke.HTTPClient = httpClient
|
||||
}
|
||||
|
||||
@@ -105,7 +105,7 @@ func checkSite(hostport string) (string, error) {
|
||||
defer cancel()
|
||||
|
||||
// Use proxy-aware TLS dialer
|
||||
conn, err := lib.DialTLS(ctx, target.String(), lib.DialerOpts{Timeout: timeout, TLSConfig: &tls.Config{
|
||||
conn, err := dialer.DialTLS(ctx, target.String(), dialer.DialerOpts{Timeout: timeout, TLSConfig: &tls.Config{
|
||||
InsecureSkipVerify: true, // #nosec G402 -- CLI tool only verifies revocation
|
||||
ServerName: target.Host,
|
||||
}})
|
||||
|
||||
@@ -11,7 +11,7 @@ import (
|
||||
"strings"
|
||||
|
||||
"git.wntrmute.dev/kyle/goutils/die"
|
||||
"git.wntrmute.dev/kyle/goutils/lib"
|
||||
"git.wntrmute.dev/kyle/goutils/lib/dialer"
|
||||
)
|
||||
|
||||
var hasPort = regexp.MustCompile(`:\d+$`)
|
||||
@@ -25,7 +25,7 @@ func main() {
|
||||
}
|
||||
|
||||
// Use proxy-aware TLS dialer
|
||||
conn, err := lib.DialTLS(context.Background(), server, lib.DialerOpts{TLSConfig: &tls.Config{}}) // #nosec G402
|
||||
conn, err := dialer.DialTLS(context.Background(), server, dialer.DialerOpts{TLSConfig: &tls.Config{}}) // #nosec G402
|
||||
die.If(err)
|
||||
|
||||
defer conn.Close()
|
||||
|
||||
@@ -9,6 +9,7 @@ import (
|
||||
|
||||
"git.wntrmute.dev/kyle/goutils/certlib/dump"
|
||||
"git.wntrmute.dev/kyle/goutils/lib"
|
||||
"git.wntrmute.dev/kyle/goutils/lib/fetch"
|
||||
)
|
||||
|
||||
var config struct {
|
||||
@@ -27,7 +28,7 @@ func main() {
|
||||
|
||||
for _, filename := range flag.Args() {
|
||||
fmt.Fprintf(os.Stdout, "--%s ---%s", filename, "\n")
|
||||
certs, err := lib.GetCertificateChain(filename, tlsCfg)
|
||||
certs, err := fetch.GetCertificateChain(filename, tlsCfg)
|
||||
if err != nil {
|
||||
lib.Warn(err, "couldn't read certificate")
|
||||
continue
|
||||
|
||||
@@ -8,6 +8,8 @@ import (
|
||||
"git.wntrmute.dev/kyle/goutils/certlib/verify"
|
||||
"git.wntrmute.dev/kyle/goutils/die"
|
||||
"git.wntrmute.dev/kyle/goutils/lib"
|
||||
"git.wntrmute.dev/kyle/goutils/lib/dialer"
|
||||
"git.wntrmute.dev/kyle/goutils/lib/fetch"
|
||||
)
|
||||
|
||||
func main() {
|
||||
@@ -18,20 +20,20 @@ func main() {
|
||||
warnOnly bool
|
||||
)
|
||||
|
||||
lib.StrictTLSFlag(&strictTLS)
|
||||
dialer.StrictTLSFlag(&strictTLS)
|
||||
|
||||
flag.BoolVar(&skipVerify, "k", false, "skip server verification") // #nosec G402
|
||||
flag.BoolVar(&warnOnly, "q", false, "only warn about expiring certs")
|
||||
flag.DurationVar(&leeway, "t", leeway, "warn if certificates are closer than this to expiring")
|
||||
flag.Parse()
|
||||
|
||||
tlsCfg, err := lib.BaselineTLSConfig(skipVerify, strictTLS)
|
||||
tlsCfg, err := dialer.BaselineTLSConfig(skipVerify, strictTLS)
|
||||
die.If(err)
|
||||
|
||||
for _, file := range flag.Args() {
|
||||
var certs []*x509.Certificate
|
||||
|
||||
certs, err = lib.GetCertificateChain(file, tlsCfg)
|
||||
certs, err = fetch.GetCertificateChain(file, tlsCfg)
|
||||
if err != nil {
|
||||
_, _ = lib.Warn(err, "while parsing certificates")
|
||||
continue
|
||||
|
||||
@@ -8,6 +8,8 @@ import (
|
||||
|
||||
"git.wntrmute.dev/kyle/goutils/die"
|
||||
"git.wntrmute.dev/kyle/goutils/lib"
|
||||
"git.wntrmute.dev/kyle/goutils/lib/dialer"
|
||||
"git.wntrmute.dev/kyle/goutils/lib/fetch"
|
||||
)
|
||||
|
||||
const displayInt lib.HexEncodeMode = iota
|
||||
@@ -33,13 +35,13 @@ func serialString(cert *x509.Certificate, mode lib.HexEncodeMode) string {
|
||||
func main() {
|
||||
var skipVerify bool
|
||||
var strictTLS bool
|
||||
lib.StrictTLSFlag(&strictTLS)
|
||||
dialer.StrictTLSFlag(&strictTLS)
|
||||
displayAs := flag.String("d", "int", "display mode (int, hex, uhex)")
|
||||
showExpiry := flag.Bool("e", false, "show expiry date")
|
||||
flag.BoolVar(&skipVerify, "k", false, "skip server verification") // #nosec G402
|
||||
flag.Parse()
|
||||
|
||||
tlsCfg, err := lib.BaselineTLSConfig(skipVerify, strictTLS)
|
||||
tlsCfg, err := dialer.BaselineTLSConfig(skipVerify, strictTLS)
|
||||
die.If(err)
|
||||
|
||||
displayMode := parseDisplayMode(*displayAs)
|
||||
@@ -47,7 +49,7 @@ func main() {
|
||||
for _, arg := range flag.Args() {
|
||||
var cert *x509.Certificate
|
||||
|
||||
cert, err = lib.GetCertificate(arg, tlsCfg)
|
||||
cert, err = fetch.GetCertificate(arg, tlsCfg)
|
||||
die.If(err)
|
||||
|
||||
fmt.Printf("%s: %s", arg, serialString(cert, displayMode))
|
||||
|
||||
@@ -10,6 +10,7 @@ import (
|
||||
"git.wntrmute.dev/kyle/goutils/certlib/verify"
|
||||
"git.wntrmute.dev/kyle/goutils/die"
|
||||
"git.wntrmute.dev/kyle/goutils/lib"
|
||||
"git.wntrmute.dev/kyle/goutils/lib/dialer"
|
||||
)
|
||||
|
||||
type appConfig struct {
|
||||
@@ -28,7 +29,7 @@ func parseFlags() appConfig {
|
||||
flag.BoolVar(&cfg.skipVerify, "k", false, "skip CA verification")
|
||||
flag.BoolVar(&cfg.revexp, "r", false, "print revocation and expiry information")
|
||||
flag.BoolVar(&cfg.verbose, "v", false, "verbose")
|
||||
lib.StrictTLSFlag(&cfg.strictTLS)
|
||||
dialer.StrictTLSFlag(&cfg.strictTLS)
|
||||
flag.Parse()
|
||||
|
||||
if flag.NArg() == 0 {
|
||||
@@ -71,7 +72,7 @@ func main() {
|
||||
die.If(err)
|
||||
}
|
||||
|
||||
opts.Config, err = lib.BaselineTLSConfig(cfg.skipVerify, cfg.strictTLS)
|
||||
opts.Config, err = dialer.BaselineTLSConfig(cfg.skipVerify, cfg.strictTLS)
|
||||
die.If(err)
|
||||
|
||||
opts.Config.RootCAs = roots
|
||||
|
||||
@@ -14,6 +14,7 @@ import (
|
||||
"git.wntrmute.dev/kyle/goutils/ahash"
|
||||
"git.wntrmute.dev/kyle/goutils/die"
|
||||
"git.wntrmute.dev/kyle/goutils/lib"
|
||||
"git.wntrmute.dev/kyle/goutils/lib/dialer"
|
||||
)
|
||||
|
||||
func usage(w io.Writer) {
|
||||
@@ -84,7 +85,7 @@ func main() {
|
||||
continue
|
||||
}
|
||||
// Use proxy-aware HTTP client with a reasonable timeout for connects/handshakes
|
||||
httpClient, err := lib.NewHTTPClient(lib.DialerOpts{Timeout: 30 * time.Second})
|
||||
httpClient, err := dialer.NewHTTPClient(dialer.DialerOpts{Timeout: 30 * time.Second})
|
||||
if err != nil {
|
||||
_, _ = lib.Warn(err, "building HTTP client for %s", remote)
|
||||
continue
|
||||
|
||||
@@ -11,20 +11,20 @@ import (
|
||||
|
||||
"git.wntrmute.dev/kyle/goutils/certlib"
|
||||
"git.wntrmute.dev/kyle/goutils/die"
|
||||
"git.wntrmute.dev/kyle/goutils/lib"
|
||||
"git.wntrmute.dev/kyle/goutils/lib/dialer"
|
||||
)
|
||||
|
||||
func main() {
|
||||
var sysRoot, serverName string
|
||||
var skipVerify bool
|
||||
var strictTLS bool
|
||||
lib.StrictTLSFlag(&strictTLS)
|
||||
dialer.StrictTLSFlag(&strictTLS)
|
||||
flag.StringVar(&sysRoot, "ca", "", "provide an alternate CA bundle")
|
||||
flag.StringVar(&serverName, "sni", "", "provide an SNI name")
|
||||
flag.BoolVar(&skipVerify, "noverify", false, "don't verify certificates")
|
||||
flag.Parse()
|
||||
|
||||
tlsCfg, err := lib.BaselineTLSConfig(skipVerify, strictTLS)
|
||||
tlsCfg, err := dialer.BaselineTLSConfig(skipVerify, strictTLS)
|
||||
die.If(err)
|
||||
|
||||
if sysRoot != "" {
|
||||
@@ -43,7 +43,7 @@ func main() {
|
||||
}
|
||||
|
||||
var conn *tls.Conn
|
||||
conn, err = lib.DialTLS(context.Background(), site, lib.DialerOpts{TLSConfig: tlsCfg})
|
||||
conn, err = dialer.DialTLS(context.Background(), site, dialer.DialerOpts{TLSConfig: tlsCfg})
|
||||
die.If(err)
|
||||
|
||||
cs := conn.ConnectionState()
|
||||
|
||||
@@ -9,7 +9,7 @@ import (
|
||||
|
||||
"git.wntrmute.dev/kyle/goutils/certlib/hosts"
|
||||
"git.wntrmute.dev/kyle/goutils/die"
|
||||
"git.wntrmute.dev/kyle/goutils/lib"
|
||||
"git.wntrmute.dev/kyle/goutils/lib/dialer"
|
||||
)
|
||||
|
||||
func main() {
|
||||
@@ -22,10 +22,10 @@ func main() {
|
||||
die.If(err)
|
||||
|
||||
// Use proxy-aware TLS dialer; skip verification as before
|
||||
conn, err := lib.DialTLS(
|
||||
conn, err := dialer.DialTLS(
|
||||
context.Background(),
|
||||
hostPort.String(),
|
||||
lib.DialerOpts{TLSConfig: &tls.Config{InsecureSkipVerify: true}},
|
||||
dialer.DialerOpts{TLSConfig: &tls.Config{InsecureSkipVerify: true}},
|
||||
) // #nosec G402
|
||||
die.If(err)
|
||||
|
||||
|
||||
Reference in New Issue
Block a user