From 8eaca580bed545d75b41beac29dfb05c1fe0c9fb Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Wed, 19 Nov 2025 02:20:21 -0800
Subject: [PATCH] Minor bug fixes.
---
 certlib/certlib.go | 16 ++++++++++++++--
 certlib/helpers.go | 7 ++++++-
 2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/certlib/certlib.go b/certlib/certlib.go
index ff4a8a0..f62af14 100644
--- a/certlib/certlib.go
+++ b/certlib/certlib.go
@@ -1,6 +1,8 @@
 package certlib
 import (
+ "bytes"
+ "crypto"
 "crypto/x509"
 "encoding/pem"
 "errors"
@@ -13,6 +15,7 @@ import (
 // ReadCertificate reads a DER or PEM-encoded certificate from the
 // byte slice.
 func ReadCertificate(in []byte) (*x509.Certificate, []byte, error) {
+ in = bytes.TrimSpace(in)
 if len(in) == 0 {
 return nil, nil, certerr.ParsingError(certerr.ErrorSourceCertificate, certerr.ErrEmptyCertificate)
 }
@@ -24,10 +27,10 @@ func ReadCertificate(in []byte) (*x509.Certificate, []byte, error) {
 }
 rest := remaining
- if p.Type != "CERTIFICATE" {
+ if p.Type != pemTypeCertificate {
 return nil, rest, certerr.ParsingError(
 certerr.ErrorSourceCertificate,
- certerr.ErrInvalidPEMType(p.Type, "CERTIFICATE"),
+ certerr.ErrInvalidPEMType(p.Type, pemTypeCertificate),
 )
 }
@@ -109,3 +112,12 @@ func PoolFromBytes(certBytes []byte) (*x509.CertPool, error) {
 return pool, nil
 }
+
+func ExportPrivateKeyPEM(priv crypto.PrivateKey) ([]byte, error) {
+ keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
+ if err != nil {
+ return nil, err
+ }
+
+ return pem.EncodeToMemory(&pem.Block{Type: pemTypePrivateKey, Bytes: keyDER}), nil
+}
diff --git a/certlib/helpers.go b/certlib/helpers.go
index 911accc..b4c23af 100644
--- a/certlib/helpers.go
+++ b/certlib/helpers.go
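Review bot: The added `in = bytes.TrimSpace(in)` at the top of ReadCertificate runs on DER input as well as PEM, and DER is binary: a certificate whose final signature byte happens to be an ASCII whitespace value such as 0x0a or 0x20 would be truncated before it is parsed. The doc comment says both encodings are accepted, and the DER path presumably sits in the part of the body outside this hunk, so this should be confirmed there. If the goal is only to treat whitespace-only input as empty, test without reassigning, `if len(bytes.TrimSpace(in)) == 0 {`, or trim only once the input is known to be PEM. A test that feeds a DER certificate with a trailing 0x0a byte in its signature would pin the behaviour either way.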
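Review bot: ExportPrivateKeyPEM is exported without a doc comment, and the fact callers most need is missing: the PEM it returns is unencrypted PKCS #8 key material. I would add `// ExportPrivateKeyPEM returns priv as an unencrypted PKCS #8 "PRIVATE KEY" PEM block; callers must keep the output out of logs and write it with owner-only permissions.` The comment could also say that key types x509.MarshalPKCS8PrivateKey does not support come back as an error, which is returned here unwrapped, unlike the certerr-wrapped errors in ReadCertificate.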
@@ -75,6 +75,11 @@ var DelegationExtension = pkix.Extension{
 Value: []byte{0x05, 0x00}, // ASN.1 NULL
 }
+const (
+ pemTypeCertificate = "CERTIFICATE"
+ pemTypePrivateKey = "PRIVATE KEY"
+)
+
 // InclusiveDate returns the time.Time representation of a date - 1
 // nanosecond. This allows time.After to be used inclusively.
 func InclusiveDate(year int, month time.Month, day int) time.Time {
@@ -246,7 +251,7 @@ func EncodeCertificatesPEM(certs []*x509.Certificate) []byte {
 var buffer bytes.Buffer
 for _, cert := range certs {
 if err := pem.Encode(&buffer, &pem.Block{
- Type: "CERTIFICATE",
+ Type: pemTypeCertificate,
 Bytes: cert.Raw,
 }); err != nil {
 return nil