cmd: switch programs over to certlib.Fetcher.

2025-11-18 11:08:17 -08:00
parent 8d5406256f
commit 4560868688
8 changed files with 114 additions and 25 deletions
--- a/cmd/certdump/main.go
+++ b/cmd/certdump/main.go
@@ -112,7 +112,7 @@ func showBasicConstraints(cert *x509.Certificate) {
 			fmt.Fprint(os.Stdout, " (basic constraint failure)")
 		}
 	} else {
-		fmt.Fprint(os.Stdout, "is not a CA certificate")
+		fmt.Fprint(os.Stdout, ", is not a CA certificate")
 		if cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0 {
 			fmt.Fprint(os.Stdout, " (key encipherment usage enabled!)")
 		}
--- a/cmd/certexpiry/main.go
+++ b/cmd/certexpiry/main.go
@@ -75,18 +75,15 @@ func checkCert(cert *x509.Certificate) {
 }

 func main() {
+	opts := &certlib.FetcherOpts{}
+
+	flag.BoolVar(&opts.SkipVerify, "k", false, "skip server verification")
 	flag.BoolVar(&warnOnly, "q", false, "only warn about expiring certs")
 	flag.DurationVar(&leeway, "t", leeway, "warn if certificates are closer than this to expiring")
 	flag.Parse()

 	for _, file := range flag.Args() {
-		in, err := os.ReadFile(file)
-		if err != nil {
-			_, _ = lib.Warn(err, "failed to read file")
-			continue
-		}
-
-		certs, err := certlib.ParseCertificatesPEM(in)
+		certs, err := certlib.GetCertificateChain(file, opts)
 		if err != nil {
 			_, _ = lib.Warn(err, "while parsing certificates")
 			continue
--- a/cmd/certser/main.go
+++ b/cmd/certser/main.go
@@ -32,14 +32,16 @@ func serialString(cert *x509.Certificate, mode lib.HexEncodeMode) string {
 }

 func main() {
+	opts := &certlib.FetcherOpts{}
 	displayAs := flag.String("d", "int", "display mode (int, hex, uhex)")
 	showExpiry := flag.Bool("e", false, "show expiry date")
+	flag.BoolVar(&opts.SkipVerify, "k", false, "skip server verification")
 	flag.Parse()

 	displayMode := parseDisplayMode(*displayAs)

 	for _, arg := range flag.Args() {
-		cert, err := certlib.LoadCertificate(arg)
+		cert, err := certlib.GetCertificate(arg, opts)
 		die.If(err)

 		fmt.Printf("%s: %s", arg, serialString(cert, displayMode))
--- a/cmd/certverify/main.go
+++ b/cmd/certverify/main.go
@@ -29,9 +29,9 @@ func printRevocation(cert *x509.Certificate) {
 }

 type appConfig struct {
-	caFile, intFile         string
-	forceIntermediateBundle bool
-	revexp, verbose         bool
+	caFile, intFile             string
+	forceIntermediateBundle     bool
+	revexp, skipVerify, verbose bool
 }

 func parseFlags() appConfig {
@@ -40,6 +40,7 @@ func parseFlags() appConfig {
 	flag.StringVar(&cfg.intFile, "i", "", "intermediate `bundle`")
 	flag.BoolVar(&cfg.forceIntermediateBundle, "f", false,
 		"force the use of the intermediate bundle, ignoring any intermediates bundled with certificate")
+	flag.BoolVar(&cfg.skipVerify, "k", false, "skip CA verification")
 	flag.BoolVar(&cfg.revexp, "r", false, "print revocation and expiry information")
 	flag.BoolVar(&cfg.verbose, "v", false, "verbose")
 	flag.Parse()
@@ -102,12 +103,17 @@ func run(cfg appConfig) error {
 		fmt.Fprintf(os.Stderr, "Usage: %s [-ca bundle] [-i bundle] cert", lib.ProgName())
 	}

-	fileData, err := os.ReadFile(flag.Arg(0))
+	combinedPool, err := certlib.LoadFullCertPool(cfg.caFile, cfg.intFile)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to build combined pool: %w", err)
 	}

-	chain, err := certlib.ParseCertificatesPEM(fileData)
+	opts := &certlib.FetcherOpts{
+		Roots:      combinedPool,
+		SkipVerify: cfg.skipVerify,
+	}
+
+	chain, err := certlib.GetCertificateChain(flag.Arg(0), opts)
 	if err != nil {
 		return err
 	}