cmd: start linting fixes.

.golangci.yml

@@ -18,6 +18,19 @@ issues:
   # Default: 3
   max-same-issues: 50
 
+  # Exclude some lints for CLI programs under cmd/ (package main).
+  # The project allows fmt.Print* in command-line tools; keep forbidigo for libraries.
+  exclude-rules:
+    - path: ^cmd/
+      linters:
+        - forbidigo
+    - path: cmd/.*
+      linters:
+        - forbidigo
+    - path: .*/cmd/.*
+      linters:
+        - forbidigo
+
 formatters:
   enable:
     - goimports # checks if the code and import statements are formatted according to the 'goimports' command

cmd/cert-revcheck/main.go

@@ -3,12 +3,12 @@ package main
 import (
     "crypto/tls"
     "crypto/x509"
-	"flag"
     "errors"
+    "flag"
     "fmt"
-	"io/ioutil"
     "net"
     "os"
+    "strings"
     "time"
 
     "git.wntrmute.dev/kyle/goutils/certlib"
@@ -23,6 +23,13 @@ var (
 	verbose  bool
 )
 
+var (
+	strOK      = "OK"
+	strExpired = "EXPIRED"
+	strRevoked = "REVOKED"
+	strUnknown = "UNKNOWN"
+)
+
 func main() {
 	flag.BoolVar(&hardfail, "hardfail", false, "treat revocation check failures as fatal")
 	flag.DurationVar(&timeout, "timeout", 10*time.Second, "network timeout for OCSP/CRL fetches and TLS site connects")
@@ -42,16 +49,16 @@ func main() {
 	for _, target := range flag.Args() {
 		status, err := processTarget(target)
 		switch status {
-		case "OK":
+		case strOK:
-			fmt.Printf("%s: OK\n", target)
+			fmt.Printf("%s: %s\n", target, strOK)
-		case "EXPIRED":
+		case strExpired:
-			fmt.Printf("%s: EXPIRED: %v\n", target, err)
+			fmt.Printf("%s: %s: %v\n", target, strExpired, err)
 			exitCode = 1
-		case "REVOKED":
+		case strRevoked:
-			fmt.Printf("%s: REVOKED\n", target)
+			fmt.Printf("%s: %s\n", target, strRevoked)
 			exitCode = 1
-		case "UNKNOWN":
+		case strUnknown:
-			fmt.Printf("%s: UNKNOWN: %v\n", target, err)
+			fmt.Printf("%s: %s: %v\n", target, strUnknown, err)
 			if hardfail {
 				// In hardfail, treat unknown as failure
 				exitCode = 1
@@ -67,74 +74,67 @@ func processTarget(target string) (string, error) {
 		return checkFile(target)
 	}
 
-	// Not a file; treat as site
 	return checkSite(target)
 }
 
 func checkFile(path string) (string, error) {
-	in, err := ioutil.ReadFile(path)
+    // Prefer high-level helpers from certlib to load certificates from disk
-	if err != nil {
+    if certs, err := certlib.LoadCertificates(path); err == nil && len(certs) > 0 {
-		return "UNKNOWN", err
-	}
-
-	// Try PEM first; if that fails, try single DER cert
-	certs, err := certlib.ReadCertificates(in)
-	if err != nil || len(certs) == 0 {
-		cert, _, derr := certlib.ReadCertificate(in)
-		if derr != nil || cert == nil {
-			if err == nil {
-				err = derr
-			}
-			return "UNKNOWN", err
-		}
-		return evaluateCert(cert)
-	}
-
         // Evaluate the first certificate (leaf) by default
         return evaluateCert(certs[0])
+    }
+
+    cert, err := certlib.LoadCertificate(path)
+    if err != nil || cert == nil {
+        return strUnknown, err
+    }
+    return evaluateCert(cert)
 }
 
 func checkSite(hostport string) (string, error) {
 	// Use certlib/hosts to parse host/port (supports https URLs and host:port)
 	target, err := hosts.ParseHost(hostport)
 	if err != nil {
-		return "UNKNOWN", err
+		return strUnknown, err
 	}
 
 	d := &net.Dialer{Timeout: timeout}
-	conn, err := tls.DialWithDialer(d, "tcp", target.String(), &tls.Config{InsecureSkipVerify: true, ServerName: target.Host})
+	conn, err := tls.DialWithDialer(
+		d,
+		"tcp",
+		target.String(),
+		&tls.Config{InsecureSkipVerify: true, ServerName: target.Host}, // #nosec G402
+	)
 	if err != nil {
-		return "UNKNOWN", err
+		return strUnknown, err
 	}
 	defer conn.Close()
 
 	state := conn.ConnectionState()
 	if len(state.PeerCertificates) == 0 {
-		return "UNKNOWN", errors.New("no peer certificates presented")
+		return strUnknown, errors.New("no peer certificates presented")
 	}
 	return evaluateCert(state.PeerCertificates[0])
 }
 
 func evaluateCert(cert *x509.Certificate) (string, error) {
-	// Expiry check
+    // Delegate validity and revocation checks to certlib/revoke helper.
-	now := time.Now()
+    // It returns revoked=true for both revoked and expired/not-yet-valid.
-	if !now.Before(cert.NotAfter) {
+    // Map those cases back to our statuses using the returned error text.
-		return "EXPIRED", fmt.Errorf("expired at %s", cert.NotAfter)
-	}
-	if !now.After(cert.NotBefore) {
-		return "EXPIRED", fmt.Errorf("not valid until %s", cert.NotBefore)
-	}
-
-	// Revocation check using certlib/revoke
     revoked, ok, err := revoke.VerifyCertificateError(cert)
     if revoked {
-		// If revoked is true, ok will be true per implementation, err may describe why
+        if err != nil {
-		return "REVOKED", err
+            msg := err.Error()
+            if strings.Contains(msg, "expired") || strings.Contains(msg, "isn't valid until") || strings.Contains(msg, "not valid until") {
+                return strExpired, err
+            }
+        }
+        return strRevoked, err
     }
     if !ok {
         // Revocation status could not be determined
-		return "UNKNOWN", err
+        return strUnknown, err
     }
 
-	return "OK", nil
+    return strOK, nil
 }

cmd/certchain/certchain.go

@@ -5,6 +5,7 @@ import (
 	"encoding/pem"
 	"flag"
 	"fmt"
+	"os"
 	"regexp"
 
 	"git.wntrmute.dev/kyle/goutils/die"
@@ -34,6 +35,6 @@ func main() {
 			chain += string(pem.EncodeToMemory(&p))
 		}
 
-		fmt.Println(chain)
+		fmt.Fprintln(os.Stdout, chain)
 	}
 }

cmd/certdump/certdump.go

@@ -101,30 +101,30 @@ func extUsage(ext []x509.ExtKeyUsage) string {
 }
 
 func showBasicConstraints(cert *x509.Certificate) {
-	fmt.Printf("\tBasic constraints: ")
+    fmt.Fprint(os.Stdout, "\tBasic constraints: ")
     if cert.BasicConstraintsValid {
-		fmt.Printf("valid")
+        fmt.Fprint(os.Stdout, "valid")
     } else {
-		fmt.Printf("invalid")
+        fmt.Fprint(os.Stdout, "invalid")
     }
 
     if cert.IsCA {
-		fmt.Printf(", is a CA certificate")
+        fmt.Fprint(os.Stdout, ", is a CA certificate")
         if !cert.BasicConstraintsValid {
-			fmt.Printf(" (basic constraint failure)")
+            fmt.Fprint(os.Stdout, " (basic constraint failure)")
         }
     } else {
-		fmt.Printf("is not a CA certificate")
+        fmt.Fprint(os.Stdout, "is not a CA certificate")
         if cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0 {
-			fmt.Printf(" (key encipherment usage enabled!)")
+            fmt.Fprint(os.Stdout, " (key encipherment usage enabled!)")
         }
     }
 
     if (cert.MaxPathLen == 0 && cert.MaxPathLenZero) || (cert.MaxPathLen > 0) {
-		fmt.Printf(", max path length %d", cert.MaxPathLen)
+        fmt.Fprintf(os.Stdout, ", max path length %d", cert.MaxPathLen)
     }
 
-	fmt.Printf("\n")
+    fmt.Fprintln(os.Stdout)
 }
 
 const oneTrueDateFormat = "2006-01-02T15:04:05-0700"
@@ -140,35 +140,35 @@ func wrapPrint(text string, indent int) {
         tabs += "\t"
     }
 
-	fmt.Printf(tabs+"%s\n", wrap(text, indent))
+    fmt.Fprintf(os.Stdout, tabs+"%s\n", wrap(text, indent))
 }
 
 func displayCert(cert *x509.Certificate) {
-	fmt.Println("CERTIFICATE")
+    fmt.Fprintln(os.Stdout, "CERTIFICATE")
     if showHash {
-		fmt.Println(wrap(fmt.Sprintf("SHA256: %x", sha256.Sum256(cert.Raw)), 0))
+        fmt.Fprintln(os.Stdout, wrap(fmt.Sprintf("SHA256: %x", sha256.Sum256(cert.Raw)), 0))
     }
-	fmt.Println(wrap("Subject: "+displayName(cert.Subject), 0))
+    fmt.Fprintln(os.Stdout, wrap("Subject: "+displayName(cert.Subject), 0))
-	fmt.Println(wrap("Issuer: "+displayName(cert.Issuer), 0))
+    fmt.Fprintln(os.Stdout, wrap("Issuer: "+displayName(cert.Issuer), 0))
-	fmt.Printf("\tSignature algorithm: %s / %s\n", sigAlgoPK(cert.SignatureAlgorithm),
+    fmt.Fprintf(os.Stdout, "\tSignature algorithm: %s / %s\n", sigAlgoPK(cert.SignatureAlgorithm),
         sigAlgoHash(cert.SignatureAlgorithm))
-	fmt.Println("Details:")
+    fmt.Fprintln(os.Stdout, "Details:")
     wrapPrint("Public key: "+certPublic(cert), 1)
-	fmt.Printf("\tSerial number: %s\n", cert.SerialNumber)
+    fmt.Fprintf(os.Stdout, "\tSerial number: %s\n", cert.SerialNumber)
 
  if len(cert.AuthorityKeyId) > 0 {
-		fmt.Printf("\t%s\n", wrap("AKI: "+dumpHex(cert.AuthorityKeyId), 1))
+        fmt.Fprintf(os.Stdout, "\t%s\n", wrap("AKI: "+dumpHex(cert.AuthorityKeyId), 1))
     }
     if len(cert.SubjectKeyId) > 0 {
-		fmt.Printf("\t%s\n", wrap("SKI: "+dumpHex(cert.SubjectKeyId), 1))
+        fmt.Fprintf(os.Stdout, "\t%s\n", wrap("SKI: "+dumpHex(cert.SubjectKeyId), 1))
     }
 
 	wrapPrint("Valid from: "+cert.NotBefore.Format(dateFormat), 1)
-	fmt.Printf("\t     until: %s\n", cert.NotAfter.Format(dateFormat))
+ fmt.Fprintf(os.Stdout, "\t     until: %s\n", cert.NotAfter.Format(dateFormat))
-	fmt.Printf("\tKey usages: %s\n", keyUsages(cert.KeyUsage))
+ fmt.Fprintf(os.Stdout, "\tKey usages: %s\n", keyUsages(cert.KeyUsage))
 
  if len(cert.ExtKeyUsage) > 0 {
-		fmt.Printf("\tExtended usages: %s\n", extUsage(cert.ExtKeyUsage))
+        fmt.Fprintf(os.Stdout, "\tExtended usages: %s\n", extUsage(cert.ExtKeyUsage))
     }
 
 	showBasicConstraints(cert)
@@ -221,13 +221,13 @@ func displayAllCerts(in []byte, leafOnly bool) {
  if err != nil {
      certs, _, err = certlib.ParseCertificatesDER(in, "")
      if err != nil {
-			lib.Warn(err, "failed to parse certificates")
+         _, _ = lib.Warn(err, "failed to parse certificates")
          return
      }
  }
 
 	if len(certs) == 0 {
-		lib.Warnx("no certificates found")
+        _, _ = lib.Warnx("no certificates found")
         return
     }
 
@@ -245,7 +245,7 @@ func displayAllCertsWeb(uri string, leafOnly bool) {
 	ci := getConnInfo(uri)
  conn, err := tls.Dial("tcp", ci.Addr, permissiveConfig())
  if err != nil {
-		lib.Warn(err, "couldn't connect to %s", ci.Addr)
+     _, _ = lib.Warn(err, "couldn't connect to %s", ci.Addr)
      return
  }
 	defer conn.Close()
@@ -261,11 +261,11 @@ func displayAllCertsWeb(uri string, leafOnly bool) {
 		}
 		conn.Close()
  } else {
-		lib.Warn(err, "TLS verification error with server name %s", ci.Host)
+        _, _ = lib.Warn(err, "TLS verification error with server name %s", ci.Host)
     }
 
  if len(state.PeerCertificates) == 0 {
-		lib.Warnx("no certificates found")
+        _, _ = lib.Warnx("no certificates found")
         return
     }
 
@@ -275,14 +275,14 @@ func displayAllCertsWeb(uri string, leafOnly bool) {
 	}
 
  if len(state.VerifiedChains) == 0 {
-		lib.Warnx("no verified chains found; using peer chain")
+        _, _ = lib.Warnx("no verified chains found; using peer chain")
         for i := range state.PeerCertificates {
             displayCert(state.PeerCertificates[i])
         }
  } else {
-		fmt.Println("TLS chain verified successfully.")
+        fmt.Fprintln(os.Stdout, "TLS chain verified successfully.")
         for i := range state.VerifiedChains {
-			fmt.Printf("--- Verified certificate chain %d ---\n", i+1)
+            fmt.Fprintf(os.Stdout, "--- Verified certificate chain %d ---%s", i+1, "\n")
             for j := range state.VerifiedChains[i] {
                 displayCert(state.VerifiedChains[i][j])
             }
@@ -300,7 +300,7 @@ func main() {
 	if flag.NArg() == 0 || (flag.NArg() == 1 && flag.Arg(0) == "-") {
   certs, err := io.ReadAll(os.Stdin)
   if err != nil {
-			lib.Warn(err, "couldn't read certificates from standard input")
+      _, _ = lib.Warn(err, "couldn't read certificates from standard input")
       os.Exit(1)
   }
 
@@ -311,13 +311,13 @@ func main() {
 		displayAllCerts(certs, leafOnly)
 	} else {
 		for _, filename := range flag.Args() {
-			fmt.Printf("--%s ---\n", filename)
+   fmt.Fprintf(os.Stdout, "--%s ---%s", filename, "\n")
 			if strings.HasPrefix(filename, "https://") {
 				displayAllCertsWeb(filename, leafOnly)
 			} else {
     in, err := os.ReadFile(filename)
     if err != nil {
-					lib.Warn(err, "couldn't read certificate")
+        _, _ = lib.Warn(err, "couldn't read certificate")
         continue
     }
 

cmd/certdump/util.go

@@ -38,16 +38,22 @@ var extKeyUsages = map[x509.ExtKeyUsage]string{
     x509.ExtKeyUsageOCSPSigning:                "ocsp signing",
     x509.ExtKeyUsageMicrosoftServerGatedCrypto: "microsoft sgc",
     x509.ExtKeyUsageNetscapeServerGatedCrypto:  "netscape sgc",
+    x509.ExtKeyUsageMicrosoftCommercialCodeSigning: "microsoft commercial code signing",
+    x509.ExtKeyUsageMicrosoftKernelCodeSigning:     "microsoft kernel code signing",
 }
 
 func pubKeyAlgo(a x509.PublicKeyAlgorithm) string {
     switch a {
+    case x509.UnknownPublicKeyAlgorithm:
+        return "unknown public key algorithm"
     case x509.RSA:
         return "RSA"
     case x509.ECDSA:
         return "ECDSA"
     case x509.DSA:
         return "DSA"
+    case x509.Ed25519:
+        return "Ed25519"
     default:
         return "unknown public key algorithm"
     }
@@ -55,13 +61,18 @@ func pubKeyAlgo(a x509.PublicKeyAlgorithm) string {
 
 func sigAlgoPK(a x509.SignatureAlgorithm) string {
     switch a {
-
     case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA:
         return "RSA"
+    case x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS:
+        return "RSA-PSS"
     case x509.ECDSAWithSHA1, x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
         return "ECDSA"
     case x509.DSAWithSHA1, x509.DSAWithSHA256:
         return "DSA"
+    case x509.PureEd25519:
+        return "Ed25519"
+    case x509.UnknownSignatureAlgorithm:
+        return "unknown public key algorithm"
     default:
         return "unknown public key algorithm"
     }
@@ -77,10 +88,20 @@ func sigAlgoHash(a x509.SignatureAlgorithm) string {
         return "SHA1"
     case x509.SHA256WithRSA, x509.ECDSAWithSHA256, x509.DSAWithSHA256:
         return "SHA256"
+    case x509.SHA256WithRSAPSS:
+        return "SHA256"
     case x509.SHA384WithRSA, x509.ECDSAWithSHA384:
         return "SHA384"
+    case x509.SHA384WithRSAPSS:
+        return "SHA384"
     case x509.SHA512WithRSA, x509.ECDSAWithSHA512:
         return "SHA512"
+    case x509.SHA512WithRSAPSS:
+        return "SHA512"
+    case x509.PureEd25519:
+        return "SHA512"
+    case x509.UnknownSignatureAlgorithm:
+        return "unknown hash algorithm"
     default:
         return "unknown hash algorithm"
     }

cmd/certexpiry/main.go

@@ -5,7 +5,6 @@ import (
     "crypto/x509/pkix"
     "flag"
     "fmt"
-	"io/ioutil"
     "os"
     "strings"
     "time"
@@ -81,15 +80,15 @@ func main() {
 	flag.Parse()
 
     for _, file := range flag.Args() {
-		in, err := ioutil.ReadFile(file)
+        in, err := os.ReadFile(file)
         if err != nil {
-			lib.Warn(err, "failed to read file")
+            _, _ = lib.Warn(err, "failed to read file")
             continue
         }
 
         certs, err := certlib.ParseCertificatesPEM(in)
         if err != nil {
-			lib.Warn(err, "while parsing certificates")
+            _, _ = lib.Warn(err, "while parsing certificates")
             continue
         }
 

cmd/clustersh/main.go

@@ -5,6 +5,7 @@ import (
     "flag"
     "fmt"
     "io"
+    "errors"
     "log"
     "net"
     "os"
@@ -93,7 +94,7 @@ func exec(wg *sync.WaitGroup, user, host string, commands []string) {
 	defer func() {
 		for i := len(shutdown) - 1; i >= 0; i-- {
             err := shutdown[i]()
-			if err != nil && err != io.EOF {
+            if err != nil && !errors.Is(err, io.EOF) {
                 logError(host, err, "shutting down")
             }
         }
@@ -150,7 +151,7 @@ func upload(wg *sync.WaitGroup, user, host, local, remote string) {
 	defer func() {
 		for i := len(shutdown) - 1; i >= 0; i-- {
             err := shutdown[i]()
-			if err != nil && err != io.EOF {
+            if err != nil && !errors.Is(err, io.EOF) {
                 logError(host, err, "shutting down")
             }
         }
@@ -199,7 +200,7 @@ func upload(wg *sync.WaitGroup, user, host, local, remote string) {
 			fmt.Printf("[%s] wrote %d-byte chunk\n", host, n)
 		}
 
-		if err == io.EOF {
+        if errors.Is(err, io.EOF) {
             break
         } else if err != nil {
             logError(host, err, "reading chunk")
@@ -215,7 +216,7 @@ func download(wg *sync.WaitGroup, user, host, local, remote string) {
 	defer func() {
 		for i := len(shutdown) - 1; i >= 0; i-- {
             err := shutdown[i]()
-			if err != nil && err != io.EOF {
+            if err != nil && !errors.Is(err, io.EOF) {
                 logError(host, err, "shutting down")
             }
         }
@@ -265,7 +266,7 @@ func download(wg *sync.WaitGroup, user, host, local, remote string) {
 			fmt.Printf("[%s] wrote %d-byte chunk\n", host, n)
 		}
 
-		if err == io.EOF {
+  if errors.Is(err, io.EOF) {
             break
         } else if err != nil {
             logError(host, err, "reading chunk")

cmd/cruntar/main.go

@@ -263,7 +263,7 @@ func main() {
 	tfr := tar.NewReader(r)
 	for {
   hdr, err := tfr.Next()
-		if err == io.EOF {
+  if errors.Is(err, io.EOF) {
       break
   }
   die.If(err)

cmd/csrpubdump/pubdump.go

@@ -7,8 +7,7 @@ import (
 	"encoding/pem"
 	"flag"
 	"fmt"
-	"io/ioutil"
+	"os"
-	"log"
 
 	"git.wntrmute.dev/kyle/goutils/die"
 )
@@ -17,12 +16,12 @@ func main() {
 	flag.Parse()
 
 	for _, fileName := range flag.Args() {
-		in, err := ioutil.ReadFile(fileName)
+		in, err := os.ReadFile(fileName)
 		die.If(err)
 
 		if p, _ := pem.Decode(in); p != nil {
 			if p.Type != "CERTIFICATE REQUEST" {
-				log.Fatal("INVALID FILE TYPE")
+				die.With("INVALID FILE TYPE")
 			}
 			in = p.Bytes
 		}
@@ -48,8 +47,8 @@ func main() {
 			Bytes: out,
 		}
 
-		err = ioutil.WriteFile(fileName+".pub", pem.EncodeToMemory(p), 0644)
+  err = os.WriteFile(fileName+".pub", pem.EncodeToMemory(p), 0o644)
   die.If(err)
-		fmt.Printf("[+] wrote %s.\n", fileName+".pub")
+  fmt.Fprintf(os.Stdout, "[+] wrote %s.\n", fileName+".pub")
 	}
 }

cmd/fragment/fragment.go

@@ -98,9 +98,9 @@ func main() {
     fmtStr += "\n"
     for i := start; !endFunc(i); i++ {
         if *quiet {
-			fmt.Println(lines[i])
+            fmt.Fprintln(os.Stdout, lines[i])
         } else {
-			fmt.Printf(fmtStr, i, lines[i])
+            fmt.Fprintf(os.Stdout, fmtStr, i, lines[i])
         }
     }
 }

cmd/jlp/jlp.go

@@ -5,7 +5,7 @@ import (
     "encoding/json"
     "flag"
     "fmt"
-	"io/ioutil"
+    "io"
     "os"
 
     "git.wntrmute.dev/kyle/goutils/lib"
@@ -16,20 +16,20 @@ func prettify(file string, validateOnly bool) error {
 	var err error
 
  if file == "-" {
-		in, err = ioutil.ReadAll(os.Stdin)
+        in, err = io.ReadAll(os.Stdin)
     } else {
-		in, err = ioutil.ReadFile(file)
+        in, err = os.ReadFile(file)
     }
 
  if err != nil {
-		lib.Warn(err, "ReadFile")
+        _, _ = lib.Warn(err, "ReadFile")
         return err
     }
 
 	var buf = &bytes.Buffer{}
 	err = json.Indent(buf, in, "", "    ")
  if err != nil {
-		lib.Warn(err, "%s", file)
+        _, _ = lib.Warn(err, "%s", file)
         return err
     }
 
@@ -40,11 +40,11 @@ func prettify(file string, validateOnly bool) error {
  if file == "-" {
         _, err = os.Stdout.Write(buf.Bytes())
     } else {
-		err = ioutil.WriteFile(file, buf.Bytes(), 0644)
+        err = os.WriteFile(file, buf.Bytes(), 0o644)
     }
 
  if err != nil {
-		lib.Warn(err, "WriteFile")
+        _, _ = lib.Warn(err, "WriteFile")
     }
 
 	return err
@@ -55,20 +55,20 @@ func compact(file string, validateOnly bool) error {
 	var err error
 
  if file == "-" {
-		in, err = ioutil.ReadAll(os.Stdin)
+        in, err = io.ReadAll(os.Stdin)
     } else {
-		in, err = ioutil.ReadFile(file)
+        in, err = os.ReadFile(file)
     }
 
  if err != nil {
-		lib.Warn(err, "ReadFile")
+        _, _ = lib.Warn(err, "ReadFile")
         return err
     }
 
 	var buf = &bytes.Buffer{}
 	err = json.Compact(buf, in)
  if err != nil {
-		lib.Warn(err, "%s", file)
+        _, _ = lib.Warn(err, "%s", file)
         return err
     }
 
@@ -79,11 +79,11 @@ func compact(file string, validateOnly bool) error {
  if file == "-" {
         _, err = os.Stdout.Write(buf.Bytes())
     } else {
-		err = ioutil.WriteFile(file, buf.Bytes(), 0644)
+        err = os.WriteFile(file, buf.Bytes(), 0o644)
     }
 
  if err != nil {
-		lib.Warn(err, "WriteFile")
+        _, _ = lib.Warn(err, "WriteFile")
     }
 
 	return err
@@ -91,7 +91,7 @@ func compact(file string, validateOnly bool) error {
 
 func usage() {
     progname := lib.ProgName()
-	fmt.Printf(`Usage: %s [-h] files...
+    fmt.Fprintf(os.Stdout, `Usage: %s [-h] files...
 	%s is used to lint and prettify (or compact) JSON files. The
 	files will be updated in-place.
 

cmd/minmax/minmax.go

@@ -49,5 +49,5 @@ func main() {
     code := kind << 6
     code += (min << 3)
     code += max
-	fmt.Printf("%0o\n", code)
+    fmt.Fprintf(os.Stdout, "%0o\n", code)
 }

cmd/pembody/pembody.go

@@ -3,8 +3,7 @@ package main
 import (
 	"encoding/pem"
 	"flag"
-	"fmt"
+	"io"
-	"io/ioutil"
 	"os"
 
 	"git.wntrmute.dev/kyle/goutils/lib"
@@ -21,9 +20,9 @@ func main() {
 
  path := flag.Arg(0)
  if path == "-" {
-		in, err = ioutil.ReadAll(os.Stdin)
+     in, err = io.ReadAll(os.Stdin)
  } else {
-		in, err = ioutil.ReadFile(flag.Arg(0))
+     in, err = os.ReadFile(flag.Arg(0))
  }
 	if err != nil {
 		lib.Err(lib.ExitFailure, err, "couldn't read file")
@@ -33,5 +32,7 @@ func main() {
  if p == nil {
         lib.Errx(lib.ExitFailure, "%s isn't a PEM-encoded file", flag.Arg(0))
     }
-	fmt.Printf("%s", p.Bytes)
+    if _, err := os.Stdout.Write(p.Bytes); err != nil {
+        lib.Err(lib.ExitFailure, err, "writing body")
+    }
 }

cmd/readchain/chain.go

@@ -5,7 +5,6 @@ import (
     "encoding/pem"
     "flag"
     "fmt"
-	"io/ioutil"
     "os"
 )
 
@@ -13,13 +12,13 @@ func main() {
 	flag.Parse()
 
 	for _, fileName := range flag.Args() {
-		data, err := ioutil.ReadFile(fileName)
+  data, err := os.ReadFile(fileName)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "[!] %s: %v\n", fileName, err)
 			continue
 		}
 
-		fmt.Printf("[+] %s:\n", fileName)
+  fmt.Fprintf(os.Stdout, "[+] %s:\n", fileName)
 		rest := data[:]
 		for {
 			var p *pem.Block
@@ -34,7 +33,7 @@ func main() {
 				break
 			}
 
-			fmt.Printf("\t%+v\n", cert.Subject.CommonName)
+   fmt.Fprintf(os.Stdout, "\t%+v\n", cert.Subject.CommonName)
 		}
 	}
 }

cmd/renfnv/renfnv.go

@@ -110,25 +110,25 @@ func main() {
 	for _, file := range flag.Args() {
 		renamed, err := newName(file)
   if err != nil {
-			lib.Warn(err, "failed to get new file name")
+            _, _ = lib.Warn(err, "failed to get new file name")
             continue
         }
 
   if verbose && !printChanged {
-			fmt.Println(file)
+            fmt.Fprintln(os.Stdout, file)
         }
 
 		if renamed != file {
 			if !dryRun {
 				err = move(renamed, file, force)
     if err != nil {
-					lib.Warn(err, "failed to rename file from %s to %s", file, renamed)
+                    _, _ = lib.Warn(err, "failed to rename file from %s to %s", file, renamed)
                     continue
                 }
 			}
 
    if printChanged && !verbose {
-				fmt.Println(file, "->", renamed)
+                fmt.Fprintln(os.Stdout, file, "->", renamed)
             }
 		}
 	}

cmd/rhash/main.go

@@ -66,24 +66,19 @@ func main() {
 	for _, remote := range flag.Args() {
 		u, err := url.Parse(remote)
 		if err != nil {
-			lib.Warn(err, "parsing %s", remote)
+			_, _ = lib.Warn(err, "parsing %s", remote)
 			continue
 		}
 
 		name := filepath.Base(u.Path)
 		if name == "" {
-			lib.Warnx("source URL doesn't appear to name a file")
+			_, _ = lib.Warnx("source URL doesn't appear to name a file")
 			continue
 		}
 
 		resp, err := http.Get(remote)
 		if err != nil {
-			lib.Warn(err, "fetching %s", remote)
+			_, _ = lib.Warn(err, "fetching %s", remote)
-			continue
-		}
-
-		if err != nil {
-			lib.Warn(err, "fetching %s", remote)
 			continue
 		}
 

cmd/rolldie/main.go

@@ -3,7 +3,7 @@ package main
 import (
 	"flag"
 	"fmt"
-	"math/rand"
+	"math/rand/v2"
 	"os"
 	"regexp"
 	"strconv"
@@ -18,7 +18,7 @@ func rollDie(count, sides int) []int {
 	var rolls []int
 
  for i := 0; i < count; i++ {
-		roll := rand.Intn(sides) + 1
+        roll := rand.IntN(sides) + 1
         sum += roll
         rolls = append(rolls, roll)
     }

cmd/ski/main.go

@@ -13,7 +13,6 @@ import (
     "flag"
     "fmt"
     "io"
-	"io/ioutil"
     "os"
     "strings"
 
@@ -40,13 +39,13 @@ func init() {
 }
 
 func parse(path string) (public []byte, kt, ft string) {
-	data, err := ioutil.ReadFile(path)
+    data, err := os.ReadFile(path)
 	die.If(err)
 
 	data = bytes.TrimSpace(data)
 	p, rest := pem.Decode(data)
  if len(rest) > 0 {
-		lib.Warnx("trailing data in PEM file")
+        _, _ = lib.Warnx("trailing data in PEM file")
     }
 
 	if p == nil {
@@ -85,12 +84,12 @@ func parseKey(data []byte) (public []byte, kt string) {
 	}
 
 	var priv crypto.Signer
-	switch privInterface.(type) {
+	switch p := privInterface.(type) {
 	case *rsa.PrivateKey:
-		priv = privInterface.(*rsa.PrivateKey)
+		priv = p
 		kt = "RSA"
 	case *ecdsa.PrivateKey:
-		priv = privInterface.(*ecdsa.PrivateKey)
+		priv = p
 		kt = "ECDSA"
 	default:
 		die.With("unknown private key type %T", privInterface)
@@ -172,7 +171,7 @@ func main() {
 		var subPKI subjectPublicKeyInfo
 		_, err := asn1.Unmarshal(public, &subPKI)
   if err != nil {
-			lib.Warn(err, "failed to get subject PKI")
+            _, _ = lib.Warn(err, "failed to get subject PKI")
             continue
         }
 
@@ -183,7 +182,7 @@ func main() {
 		}
 
   if shouldMatch && ski != pubHashString {
-			lib.Warnx("%s: SKI mismatch (%s != %s)",
+            _, _ = lib.Warnx("%s: SKI mismatch (%s != %s)",
                 path, ski, pubHashString)
         }
 		fmt.Printf("%s  %s (%s %s)\n", path, pubHashString, kt, ft)

cmd/sprox/main.go

@@ -3,10 +3,10 @@ package main
 import (
 	"flag"
 	"io"
-	"log"
 	"net"
 
 	"git.wntrmute.dev/kyle/goutils/die"
+	"git.wntrmute.dev/kyle/goutils/lib"
 )
 
 func proxy(conn net.Conn, inside string) error {
@@ -19,7 +19,7 @@ func proxy(conn net.Conn, inside string) error {
 	defer conn.Close()
 
     go func() {
-		io.Copy(conn, proxyConn)
+        _, _ = io.Copy(conn, proxyConn)
     }()
     _, err = io.Copy(proxyConn, conn)
     return err
@@ -37,10 +37,14 @@ func main() {
     for {
         conn, err := l.Accept()
         if err != nil {
-			log.Println(err)
+            _, _ = lib.Warn(err, "accept failed")
             continue
         }
 
-		go proxy(conn, "127.0.0.1:"+inside)
+        go func() {
+            if err := proxy(conn, "127.0.0.1:"+inside); err != nil {
+                _, _ = lib.Warn(err, "proxy error")
+            }
+        }()
     }
 }

cmd/stealchain-server/main.go

@@ -8,7 +8,6 @@ import (
 	"encoding/pem"
 	"flag"
 	"fmt"
-	"io/ioutil"
 	"net"
 	"os"
 
@@ -47,7 +46,7 @@ func main() {
 	}
 	cfg.Certificates = append(cfg.Certificates, cert)
  if sysRoot != "" {
-		pemList, err := ioutil.ReadFile(sysRoot)
+        pemList, err := os.ReadFile(sysRoot)
         die.If(err)
 
         roots := x509.NewCertPool()
@@ -69,38 +68,42 @@ func main() {
         conn, err := l.Accept()
         if err != nil {
             fmt.Println(err.Error())
+            continue
         }
+        handleConn(conn, cfg)
+    }
+}
 
+// handleConn performs a TLS handshake, extracts the peer chain, and writes it to a file.
+func handleConn(conn net.Conn, cfg *tls.Config) {
+    defer conn.Close()
     raddr := conn.RemoteAddr()
     tconn := tls.Server(conn, cfg)
-		err = tconn.Handshake()
+    if err := tconn.Handshake(); err != nil {
-		if err != nil {
         fmt.Printf("[+] %v: failed to complete handshake: %v\n", raddr, err)
-			continue
+        return
     }
     cs := tconn.ConnectionState()
     if len(cs.PeerCertificates) == 0 {
         fmt.Printf("[+] %v: no chain presented\n", raddr)
-			continue
+        return
     }
 
     var chain []byte
     for _, cert := range cs.PeerCertificates {
-			p := &pem.Block{
+        p := &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}
-				Type:  "CERTIFICATE",
-				Bytes: cert.Raw,
-			}
         chain = append(chain, pem.EncodeToMemory(p)...)
     }
 
     var nonce [16]byte
-		_, err = rand.Read(nonce[:])
+    if _, err := rand.Read(nonce[:]); err != nil {
-		if err != nil {
+        fmt.Printf("[+] %v: failed to generate filename nonce: %v\n", raddr, err)
-			panic(err)
+        return
     }
     fname := fmt.Sprintf("%v-%v.pem", raddr, hex.EncodeToString(nonce[:]))
-		err = ioutil.WriteFile(fname, chain, 0644)
+    if err := os.WriteFile(fname, chain, 0o644); err != nil {
-		die.If(err)
+        fmt.Printf("[+] %v: failed to write %v: %v\n", raddr, fname, err)
-		fmt.Printf("%v: [+] wrote %v.\n", raddr, fname)
+        return
     }
+    fmt.Printf("%v: [+] wrote %v.\n", raddr, fname)
 }

cmd/subjhash/main.go

@@ -60,7 +60,7 @@ func printDigests(paths []string, issuer bool) {
     for _, path := range paths {
         cert, err := certlib.LoadCertificate(path)
         if err != nil {
-			lib.Warn(err, "failed to load certificate from %s", path)
+            _, _ = lib.Warn(err, "failed to load certificate from %s", path)
             continue
         }
 
@@ -88,7 +88,7 @@ func matchDigests(paths []string, issuer bool) {
 		sndCert, err := certlib.LoadCertificate(snd)
 		die.If(err)
   if !bytes.Equal(getSubjectInfoHash(fstCert, issuer), getSubjectInfoHash(sndCert, issuer)) {
-			lib.Warnx("certificates don't match: %s and %s", fst, snd)
+            _, _ = lib.Warnx("certificates don't match: %s and %s", fst, snd)
             invalid++
         }
 	}

cmd/tlskeypair/main.go

@@ -11,8 +11,6 @@ import (
     "errors"
     "flag"
     "fmt"
-	"io/ioutil"
-	"log"
     "os"
 
     "git.wntrmute.dev/kyle/goutils/die"
@@ -52,8 +50,75 @@ func getECCurve(pub interface{}) int {
 	}
 }
 
+// matchRSA compares an RSA public key from certificate against RSA public key from private key.
+// It returns true on match.
+func matchRSA(certPub *rsa.PublicKey, keyPub *rsa.PublicKey) bool {
+    return keyPub.N.Cmp(certPub.N) == 0 && keyPub.E == certPub.E
+}
+
+// matchECDSA compares ECDSA public keys for equality and compatible curve.
+// It returns match=true when they are on the same curve and have the same X/Y.
+// If curves mismatch, match is false.
+func matchECDSA(certPub *ecdsa.PublicKey, keyPub *ecdsa.PublicKey) bool {
+    if getECCurve(certPub) != getECCurve(keyPub) {
+        return false
+    }
+    if keyPub.X.Cmp(certPub.X) != 0 {
+        return false
+    }
+    if keyPub.Y.Cmp(certPub.Y) != 0 {
+        return false
+    }
+    return true
+}
+
+// matchKeys determines whether the certificate's public key matches the given private key.
+// It returns true if they match; otherwise, it returns false and a human-friendly reason.
+func matchKeys(cert *x509.Certificate, priv crypto.Signer) (bool, string) {
+    switch keyPub := priv.Public().(type) {
+    case *rsa.PublicKey:
+        switch certPub := cert.PublicKey.(type) {
+        case *rsa.PublicKey:
+            if matchRSA(certPub, keyPub) {
+                return true, ""
+            }
+            return false, "public keys don't match"
+        case *ecdsa.PublicKey:
+            return false, "RSA private key, EC public key"
+        default:
+            return false, fmt.Sprintf("unsupported certificate public key type: %T", cert.PublicKey)
+        }
+    case *ecdsa.PublicKey:
+        switch certPub := cert.PublicKey.(type) {
+        case *ecdsa.PublicKey:
+            if matchECDSA(certPub, keyPub) {
+                return true, ""
+            }
+            // Determine a more precise reason
+            kc := getECCurve(keyPub)
+            cc := getECCurve(certPub)
+            if kc == curveInvalid {
+                return false, "invalid private key curve"
+            }
+            if cc == curveRSA {
+                return false, "private key is EC, certificate is RSA"
+            }
+            if kc != cc {
+                return false, "EC curves don't match"
+            }
+            return false, "public keys don't match"
+        case *rsa.PublicKey:
+            return false, "private key is EC, certificate is RSA"
+        default:
+            return false, fmt.Sprintf("unsupported certificate public key type: %T", cert.PublicKey)
+        }
+    default:
+        return false, fmt.Sprintf("unrecognised private key type: %T", priv.Public())
+    }
+}
+
 func loadKey(path string) (crypto.Signer, error) {
-	in, err := ioutil.ReadFile(path)
+    in, err := os.ReadFile(path)
 	if err != nil {
 		return nil, err
 	}
@@ -78,15 +143,15 @@ func loadKey(path string) (crypto.Signer, error) {
 		}
 	}
 
-	switch priv.(type) {
+ switch p := priv.(type) {
  case *rsa.PrivateKey:
-		return priv.(*rsa.PrivateKey), nil
+     return p, nil
  case *ecdsa.PrivateKey:
-		return priv.(*ecdsa.PrivateKey), nil
+     return p, nil
-	}
+ default:
-
      // should never reach here
      return nil, errors.New("invalid private key")
+ }
 
 }
 
@@ -96,7 +161,7 @@ func main() {
 	flag.StringVar(&certFile, "c", "", "TLS `certificate` file")
 	flag.Parse()
 
-	in, err := ioutil.ReadFile(certFile)
+ in, err := os.ReadFile(certFile)
 	die.If(err)
 
 	p, _ := pem.Decode(in)
@@ -112,50 +177,11 @@ func main() {
 	priv, err := loadKey(keyFile)
 	die.If(err)
 
-	switch pub := priv.Public().(type) {
+ matched, reason := matchKeys(cert, priv)
-	case *rsa.PublicKey:
+ if matched {
-		switch certPub := cert.PublicKey.(type) {
-		case *rsa.PublicKey:
-			if pub.N.Cmp(certPub.N) != 0 || pub.E != certPub.E {
-				fmt.Println("No match (public keys don't match).")
-				os.Exit(1)
-			}
      fmt.Println("Match.")
      return
-		case *ecdsa.PublicKey:
-			fmt.Println("No match (RSA private key, EC public key).")
-			os.Exit(1)
  }
-	case *ecdsa.PublicKey:
+ fmt.Printf("No match (%s).\n", reason)
-		privCurve := getECCurve(pub)
-		certCurve := getECCurve(cert.PublicKey)
-		log.Printf("priv: %d\tcert: %d\n", privCurve, certCurve)
-
-		if certCurve == curveRSA {
-			fmt.Println("No match (private key is EC, certificate is RSA).")
  os.Exit(1)
-		} else if privCurve == curveInvalid {
-			fmt.Println("No match (invalid private key curve).")
-			os.Exit(1)
-		} else if privCurve != certCurve {
-			fmt.Println("No match (EC curves don't match).")
-			os.Exit(1)
-		}
-
-		certPub := cert.PublicKey.(*ecdsa.PublicKey)
-		if pub.X.Cmp(certPub.X) != 0 {
-			fmt.Println("No match (public keys don't match).")
-			os.Exit(1)
-		}
-
-		if pub.Y.Cmp(certPub.Y) != 0 {
-			fmt.Println("No match (public keys don't match).")
-			os.Exit(1)
-		}
-
-		fmt.Println("Match.")
-	default:
-		fmt.Printf("Unrecognised private key type: %T\n", priv.Public())
-		os.Exit(1)
-	}
 }

cmd/zsearch/main.go

@@ -123,13 +123,14 @@ func main() {
 
 		for _, path := range pathList {
 			if isDir(path) {
-				err := filepath.Walk(path, buildWalker(search))
+				if err := filepath.Walk(path, buildWalker(search)); err != nil {
-				if err != nil {
 					errorf("%v", err)
 					return
 				}
 			} else {
-				searchFile(path, search)
+				if err := searchFile(path, search); err != nil {
+					errorf("%v", err)
+				}
 			}
 		}
 	}

lib/lib.go

@@ -83,9 +83,9 @@ var (
 func Duration(d time.Duration) string {
     var s string
     if d >= yearDuration {
-		years := d / yearDuration
+        years := int64(d / yearDuration)
         s += fmt.Sprintf("%dy", years)
-		d -= years * yearDuration
+        d -= time.Duration(years) * yearDuration
     }
 
 	if d >= dayDuration {
@@ -98,8 +98,8 @@ func Duration(d time.Duration) string {
 	}
 
  d %= 1 * time.Second
-	hours := d / time.Hour
+ hours := int64(d / time.Hour)
-	d -= hours * time.Hour
+ d -= time.Duration(hours) * time.Hour
 	s += fmt.Sprintf("%dh%s", hours, d)
 	return s
 }

logging/file.go

@@ -1,6 +1,7 @@
 package logging
 
 import (
+    "errors"
     "fmt"
     "os"
 )
@@ -61,9 +62,9 @@ func NewSplitFile(outpath, errpath string, overwrite bool) (*File, error) {
 
  if err != nil {
         if closeErr := fl.Close(); closeErr != nil {
-            return nil, fmt.Errorf("failed to open error log: cleanup close failed: %v: %w", closeErr, err)
+            return nil, fmt.Errorf("failed to open error log: %w", errors.Join(closeErr, err))
         }
-        return nil, err
+        return nil, fmt.Errorf("failed to open error log: %w", err)
     }
 
 	fl.LogWriter = NewLogWriter(fl.fo, fl.fe)