working on removing dependency on cfssl.

cmd/certdump/BUILD.bazel

@@ -9,8 +9,8 @@ go_library(
     importpath = "git.wntrmute.dev/kyle/goutils/cmd/certdump",
     visibility = ["//visibility:private"],
     deps = [
-        "@com_github_cloudflare_cfssl//errors",
-        "@com_github_cloudflare_cfssl//helpers",
+        "//certlib",
+        "//lib",
         "@com_github_kr_text//:text",
     ],
 )

cmd/certdump/certdump.go

@@ -12,12 +12,13 @@ import (
 	"crypto/x509/pkix"
 	"flag"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"os"
 	"sort"
 	"strings"
 
-	"github.com/cloudflare/cfssl/helpers"
+	"git.wntrmute.dev/kyle/goutils/certlib"
+	"git.wntrmute.dev/kyle/goutils/lib"
 )
 
 func certPublic(cert *x509.Certificate) string {
@@ -208,17 +209,17 @@ func displayCert(cert *x509.Certificate) {
 }
 
 func displayAllCerts(in []byte, leafOnly bool) {
-	certs, err := helpers.ParseCertificatesPEM(in)
+	certs, err := certlib.ParseCertificatesPEM(in)
 	if err != nil {
-		certs, _, err = helpers.ParseCertificatesDER(in, "")
+		certs, _, err = certlib.ParseCertificatesDER(in, "")
 		if err != nil {
-			Warn(TranslateCFSSLError(err), "failed to parse certificates")
+			lib.Warn(err, "failed to parse certificates")
 			return
 		}
 	}
 
 	if len(certs) == 0 {
-		Warnx("no certificates found")
+		lib.Warnx("no certificates found")
 		return
 	}
 
@@ -236,7 +237,7 @@ func displayAllCertsWeb(uri string, leafOnly bool) {
 	ci := getConnInfo(uri)
 	conn, err := tls.Dial("tcp", ci.Addr, permissiveConfig())
 	if err != nil {
-		Warn(err, "couldn't connect to %s", ci.Addr)
+		lib.Warn(err, "couldn't connect to %s", ci.Addr)
 		return
 	}
 	defer conn.Close()
@@ -252,11 +253,11 @@ func displayAllCertsWeb(uri string, leafOnly bool) {
 		}
 		conn.Close()
 	} else {
-		Warn(err, "TLS verification error with server name %s", ci.Host)
+		lib.Warn(err, "TLS verification error with server name %s", ci.Host)
 	}
 
 	if len(state.PeerCertificates) == 0 {
-		Warnx("no certificates found")
+		lib.Warnx("no certificates found")
 		return
 	}
 
@@ -266,7 +267,7 @@ func displayAllCertsWeb(uri string, leafOnly bool) {
 	}
 
 	if len(state.VerifiedChains) == 0 {
-		Warnx("no verified chains found; using peer chain")
+		lib.Warnx("no verified chains found; using peer chain")
 		for i := range state.PeerCertificates {
 			displayCert(state.PeerCertificates[i])
 		}
@@ -289,9 +290,9 @@ func main() {
 	flag.Parse()
 
 	if flag.NArg() == 0 || (flag.NArg() == 1 && flag.Arg(0) == "-") {
-		certs, err := ioutil.ReadAll(os.Stdin)
+		certs, err := io.ReadAll(os.Stdin)
 		if err != nil {
-			Warn(err, "couldn't read certificates from standard input")
+			lib.Warn(err, "couldn't read certificates from standard input")
 			os.Exit(1)
 		}
 
@@ -306,9 +307,9 @@ func main() {
 			if strings.HasPrefix(filename, "https://") {
 				displayAllCertsWeb(filename, leafOnly)
 			} else {
-				in, err := ioutil.ReadFile(filename)
+				in, err := os.ReadFile(filename)
 				if err != nil {
-					Warn(err, "couldn't read certificate")
+					lib.Warn(err, "couldn't read certificate")
 					continue
 				}
 

cmd/certdump/util.go

@@ -3,13 +3,10 @@ package main
 import (
 	"crypto/tls"
 	"crypto/x509"
-	"errors"
 	"fmt"
 	"net"
-	"os"
 	"strings"
 
-	cferr "github.com/cloudflare/cfssl/errors"
 	"github.com/kr/text"
 )
 
@@ -89,34 +86,6 @@ func sigAlgoHash(a x509.SignatureAlgorithm) string {
 	}
 }
 
-// TranslateCFSSLError turns a CFSSL error into a more readable string.
-func TranslateCFSSLError(err error) error {
-	if err == nil {
-		return nil
-	}
-
-	// printing errors as json is terrible
-	if cfsslError, ok := err.(*cferr.Error); ok {
-		err = errors.New(cfsslError.Message)
-	}
-	return err
-}
-
-// Warnx displays a formatted error message to standard error, à la
-// warnx(3).
-func Warnx(format string, a ...interface{}) (int, error) {
-	format += "\n"
-	return fmt.Fprintf(os.Stderr, format, a...)
-}
-
-// Warn displays a formatted error message to standard output,
-// appending the error string, à la warn(3).
-func Warn(err error, format string, a ...interface{}) (int, error) {
-	format += ": %v\n"
-	a = append(a, err)
-	return fmt.Fprintf(os.Stderr, format, a...)
-}
-
 const maxLine = 78
 
 func makeIndent(n int) string {

cmd/certexpiry/BUILD.bazel

@@ -6,9 +6,9 @@ go_library(
     importpath = "git.wntrmute.dev/kyle/goutils/cmd/certexpiry",
     visibility = ["//visibility:private"],
     deps = [
+        "//certlib",
         "//die",
         "//lib",
-        "@com_github_cloudflare_cfssl//helpers",
     ],
 )
 

cmd/certexpiry/main.go

@@ -10,9 +10,9 @@ import (
 	"strings"
 	"time"
 
+	"git.wntrmute.dev/kyle/goutils/certlib"
 	"git.wntrmute.dev/kyle/goutils/die"
 	"git.wntrmute.dev/kyle/goutils/lib"
-	"github.com/cloudflare/cfssl/helpers"
 )
 
 var warnOnly bool
@@ -87,7 +87,7 @@ func main() {
 			continue
 		}
 
-		certs, err := helpers.ParseCertificatesPEM(in)
+		certs, err := certlib.ParseCertificatesPEM(in)
 		if err != nil {
 			lib.Warn(err, "while parsing certificates")
 			continue

cmd/certverify/BUILD.bazel

@@ -6,9 +6,9 @@ go_library(
     importpath = "git.wntrmute.dev/kyle/goutils/cmd/certverify",
     visibility = ["//visibility:private"],
     deps = [
+        "//certlib",
         "//die",
         "//lib",
-        "@com_github_cloudflare_cfssl//helpers",
         "@com_github_cloudflare_cfssl//revoke",
     ],
 )

cmd/certverify/main.go

@@ -8,14 +8,14 @@ import (
 	"os"
 	"time"
 
+	"git.wntrmute.dev/kyle/goutils/certlib"
+	"git.wntrmute.dev/kyle/goutils/certlib/revoke"
 	"git.wntrmute.dev/kyle/goutils/die"
 	"git.wntrmute.dev/kyle/goutils/lib"
-	"github.com/cloudflare/cfssl/helpers"
-	"github.com/cloudflare/cfssl/revoke"
 )
 
 func printRevocation(cert *x509.Certificate) {
-	remaining := cert.NotAfter.Sub(time.Now())
+	remaining := time.Until(cert.NotAfter)
 	fmt.Printf("certificate expires in %s.\n", lib.Duration(remaining))
 
 	revoked, ok := revoke.VerifyCertificate(cert)
@@ -47,7 +47,7 @@ func main() {
 		if verbose {
 			fmt.Println("[+] loading root certificates from", caFile)
 		}
-		roots, err = helpers.LoadPEMCertPool(caFile)
+		roots, err = certlib.LoadPEMCertPool(caFile)
 		die.If(err)
 	}
 
@@ -57,7 +57,7 @@ func main() {
 		if verbose {
 			fmt.Println("[+] loading intermediate certificates from", intFile)
 		}
-		ints, err = helpers.LoadPEMCertPool(caFile)
+		ints, err = certlib.LoadPEMCertPool(caFile)
 		die.If(err)
 	} else {
 		ints = x509.NewCertPool()
@@ -71,7 +71,7 @@ func main() {
 	fileData, err := ioutil.ReadFile(flag.Arg(0))
 	die.If(err)
 
-	chain, err := helpers.ParseCertificatesPEM(fileData)
+	chain, err := certlib.ParseCertificatesPEM(fileData)
 	die.If(err)
 	if verbose {
 		fmt.Printf("[+] %s has %d certificates\n", flag.Arg(0), len(chain))

cmd/subjhash/BUILD.bazel

@@ -6,6 +6,7 @@ go_library(
     importpath = "git.wntrmute.dev/kyle/goutils/cmd/subjhash",
     visibility = ["//visibility:private"],
     deps = [
+        "//certlib",
         "//die",
         "//lib",
     ],

cmd/subjhash/main.go

@@ -9,6 +9,7 @@ import (
 	"io"
 	"os"
 
+	"git.wntrmute.dev/kyle/goutils/certlib"
 	"git.wntrmute.dev/kyle/goutils/die"
 	"git.wntrmute.dev/kyle/goutils/lib"
 )
@@ -57,7 +58,7 @@ func getSubjectInfoHash(cert *x509.Certificate, issuer bool) []byte {
 
 func printDigests(paths []string, issuer bool) {
 	for _, path := range paths {
-		cert, err := lib.LoadCertificate(path)
+		cert, err := certlib.LoadCertificate(path)
 		if err != nil {
 			lib.Warn(err, "failed to load certificate from %s", path)
 			continue
@@ -82,9 +83,9 @@ func matchDigests(paths []string, issuer bool) {
 		snd := paths[1]
 		paths = paths[2:]
 
-		fstCert, err := lib.LoadCertificate(fst)
+		fstCert, err := certlib.LoadCertificate(fst)
 		die.If(err)
-		sndCert, err := lib.LoadCertificate(snd)
+		sndCert, err := certlib.LoadCertificate(snd)
 		die.If(err)
 		if !bytes.Equal(getSubjectInfoHash(fstCert, issuer), getSubjectInfoHash(sndCert, issuer)) {
 			lib.Warnx("certificates don't match: %s and %s", fst, snd)