minor updates

Builds certificate bundles.

.circleci/config.yml

@@ -2,22 +2,6 @@
 # See: https://circleci.com/docs/2.0/configuration-reference
 version: 2.1
 
-commands:
-  setup-bazel:
-    description: |
-      Setup the Bazel build system used for building the repo
-    steps:
-      - run:
-          name: Add Bazel Apt repository
-          command: |
-            sudo apt install curl gnupg
-            curl -fsSL https://bazel.build/bazel-release.pub.gpg | gpg --dearmor > bazel.gpg
-            sudo mv bazel.gpg /etc/apt/trusted.gpg.d/
-            echo "deb [arch=amd64] https://storage.googleapis.com/bazel-apt stable jdk1.8" | sudo tee /etc/apt/sources.list.d/bazel.list
-      - run:
-          name: Install Bazel from Apt
-          command: sudo apt update && sudo apt install bazel
-
 # Define a job to be invoked later in a workflow.
 # See: https://circleci.com/docs/2.0/configuration-reference/#jobs
 jobs:
@@ -26,12 +10,11 @@ jobs:
     # Specify the execution environment. You can specify an image from Dockerhub or use one of our Convenience Images from CircleCI's Developer Hub.
     # See: https://circleci.com/docs/2.0/configuration-reference/#docker-machine-macos-windows-executor
     docker:
-      - image: circleci/golang:1.15.8
+      - image: cimg/go:1.22.2
     # Add steps to the job
     # See: https://circleci.com/docs/2.0/configuration-reference/#steps
     steps:
       - checkout
-      - setup-bazel
       - restore_cache:
           keys:
             - go-mod-v4-{{ checksum "go.sum" }}
@@ -44,10 +27,10 @@ jobs:
             - "/go/pkg/mod"
       - run:
           name: Run tests
-          command: bazel test //...
+          command: go test ./...
       - run:
           name: Run build
-          command: bazel build //...
+          command: go build ./...
       - store_test_results:
           path: /tmp/test-reports
 

BUILD.bazel

@@ -1,22 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library")
-load("@bazel_gazelle//:def.bzl", "gazelle")
-
-# gazelle:prefix git.wntrmute.dev/kyle/goutils
-gazelle(name = "gazelle")
-
-go_library(
-    name = "goutils",
-    srcs = ["doc.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils",
-    visibility = ["//visibility:public"],
-)
-
-gazelle(
-    name = "gazelle-update-repos",
-    args = [
-        "-from_file=go.mod",
-        "-to_macro=deps.bzl%go_dependencies",
-        "-prune",
-    ],
-    command = "update-repos",
-)

LICENSE

@@ -11,3 +11,34 @@ ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
+
+
+=======================================================================
+The backoff package (written during my time at Cloudflare) is released
+under the following license:
+
+Copyright (c) 2016 CloudFlare Inc.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+Redistributions of source code must retain the above copyright notice,
+this list of conditions and the following disclaimer.
+
+Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation
+and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+

README.md

@@ -12,6 +12,7 @@ Contents:
 
     ahash/          Provides hashes from string algorithm specifiers.
     assert/         Error handling, assertion-style.
+    backoff/        Implementation of an intelligent backoff strategy.
     cmd/
         atping/     Automated TCP ping, meant for putting in cronjobs.
         certchain/  Display the certificate chain from a

WORKSPACE

@@ -1,32 +0,0 @@
-load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
-
-
-### Go tooling, including Gazelle to generate and maintain BUILD files.
-http_archive(
-    name = "io_bazel_rules_go",
-    sha256 = "6b65cb7917b4d1709f9410ffe00ecf3e160edf674b78c54a894471320862184f",
-    urls = [
-        "https://mirror.bazel.build/github.com/bazelbuild/rules_go/releases/download/v0.39.0/rules_go-v0.39.0.zip",
-        "https://github.com/bazelbuild/rules_go/releases/download/v0.39.0/rules_go-v0.39.0.zip",
-    ],
-)
-
-http_archive(
-    name = "bazel_gazelle",
-    sha256 = "ecba0f04f96b4960a5b250c8e8eeec42281035970aa8852dda73098274d14a1d",
-    urls = [
-        "https://mirror.bazel.build/github.com/bazelbuild/bazel-gazelle/releases/download/v0.29.0/bazel-gazelle-v0.29.0.tar.gz",
-        "https://github.com/bazelbuild/bazel-gazelle/releases/download/v0.29.0/bazel-gazelle-v0.29.0.tar.gz",
-    ],
-)
-
-load("@io_bazel_rules_go//go:deps.bzl", "go_register_toolchains", "go_rules_dependencies")
-load("@bazel_gazelle//:deps.bzl", "gazelle_dependencies")
-load("//:deps.bzl", "go_dependencies")
-
-# gazelle:repository_macro deps.bzl%go_dependencies
-go_dependencies()
-go_rules_dependencies()
-go_register_toolchains(version = "1.20.4")
-gazelle_dependencies()
-

ahash/BUILD.bazel

@@ -1,24 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
-
-go_library(
-    name = "ahash",
-    srcs = ["ahash.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/ahash",
-    visibility = ["//visibility:public"],
-    deps = [
-        "//assert",
-        "@org_golang_x_crypto//blake2b",
-        "@org_golang_x_crypto//blake2s",
-        "@org_golang_x_crypto//md4",
-        "@org_golang_x_crypto//ripemd160",
-        "@org_golang_x_crypto//sha3",
-    ],
-)
-
-go_test(
-    name = "ahash_test",
-    size = "small",
-    srcs = ["ahash_test.go"],
-    embed = [":ahash"],
-    deps = ["//assert"],
-)

assert/BUILD.bazel

@@ -1,8 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library")
-
-go_library(
-    name = "assert",
-    srcs = ["assert.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/assert",
-    visibility = ["//visibility:public"],
-)

backoff/LICENSE

@@ -0,0 +1,24 @@
+Copyright (c) 2016 CloudFlare Inc.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+Redistributions of source code must retain the above copyright notice,
+this list of conditions and the following disclaimer.
+
+Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation
+and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

backoff/README.md

@@ -0,0 +1,83 @@
+# backoff
+## Go implementation of "Exponential Backoff And Jitter"
+
+This package implements the backoff strategy described in the AWS
+Architecture Blog article
+["Exponential Backoff And Jitter"](http://www.awsarchitectureblog.com/2015/03/backoff.html). Essentially,
+the backoff has an interval `time.Duration`; the *n<sup>th</sup>* call
+to backoff will return an a `time.Duration` that is *2 <sup>n</sup> *
+interval*. If jitter is enabled (which is the default behaviour), the
+duration is a random value between 0 and *2 <sup>n</sup> * interval*.
+The backoff is configured with a maximum duration that will not be
+exceeded; e.g., by default, the longest duration returned is
+`backoff.DefaultMaxDuration`.
+
+## Usage
+
+A `Backoff` is initialised with a call to `New`. Using zero values
+causes it to use `DefaultMaxDuration` and `DefaultInterval` as the
+maximum duration and interval.
+
+```
+package something
+
+import "github.com/cloudflare/backoff"
+
+func retryable() {
+        b := backoff.New(0, 0)
+        for {
+                err := someOperation()
+                if err == nil {
+                    break
+                }
+
+                log.Printf("error in someOperation: %v", err)
+                <-time.After(b.Duration())
+        }
+
+        log.Printf("succeeded after %d tries", b.Tries()+1)
+        b.Reset()
+}
+```
+
+It can also be used to rate limit code that should retry infinitely, but which does not
+use `Backoff` itself.
+
+```
+package something
+
+import (
+    "time"
+
+    "github.com/cloudflare/backoff"
+)
+
+func retryable() {
+        b := backoff.New(0, 0)
+        b.SetDecay(30 * time.Second)
+
+        for {
+                // b will reset if someOperation returns later than
+                // the last call to b.Duration() + 30s.
+                err := someOperation()
+                if err == nil {
+                    break
+                }
+
+                log.Printf("error in someOperation: %v", err)
+                <-time.After(b.Duration())
+        }
+}
+```
+
+## Tunables
+
+* `NewWithoutJitter` creates a Backoff that doesn't use jitter.
+
+The default behaviour is controlled by two variables:
+
+* `DefaultInterval` sets the base interval for backoffs created with
+  the zero `time.Duration` value in the `Interval` field.
+* `DefaultMaxDuration` sets the maximum duration for backoffs created
+  with the zero `time.Duration` value in the `MaxDuration` field.
+

backoff/backoff.go

@@ -0,0 +1,197 @@
+// Package backoff contains an implementation of an intelligent backoff
+// strategy. It is based on the approach in the AWS architecture blog
+// article titled "Exponential Backoff And Jitter", which is found at
+// http://www.awsarchitectureblog.com/2015/03/backoff.html.
+//
+// Essentially, the backoff has an interval `time.Duration`; the nth
+// call to backoff will return a `time.Duration` that is 2^n *
+// interval. If jitter is enabled (which is the default behaviour),
+// the duration is a random value between 0 and 2^n * interval.  The
+// backoff is configured with a maximum duration that will not be
+// exceeded.
+//
+// The `New` function will attempt to use the system's cryptographic
+// random number generator to seed a Go math/rand random number
+// source. If this fails, the package will panic on startup.
+package backoff
+
+import (
+	"crypto/rand"
+	"encoding/binary"
+	"io"
+	"math"
+	mrand "math/rand"
+	"sync"
+	"time"
+)
+
+var prngMu sync.Mutex
+var prng *mrand.Rand
+
+// DefaultInterval is used when a Backoff is initialised with a
+// zero-value Interval.
+var DefaultInterval = 5 * time.Minute
+
+// DefaultMaxDuration is maximum amount of time that the backoff will
+// delay for.
+var DefaultMaxDuration = 6 * time.Hour
+
+// A Backoff contains the information needed to intelligently backoff
+// and retry operations using an exponential backoff algorithm. It should
+// be initialised with a call to `New`.
+//
+// Only use a Backoff from a single goroutine, it is not safe for concurrent
+// access.
+type Backoff struct {
+	// maxDuration is the largest possible duration that can be
+	// returned from a call to Duration.
+	maxDuration time.Duration
+
+	// interval controls the time step for backing off.
+	interval time.Duration
+
+	// noJitter controls whether to use the "Full Jitter"
+	// improvement to attempt to smooth out spikes in a high
+	// contention scenario. If noJitter is set to true, no
+	// jitter will be introduced.
+	noJitter bool
+
+	// decay controls the decay of n. If it is non-zero, n is
+	// reset if more than the last backoff + decay has elapsed since
+	// the last try.
+	decay time.Duration
+
+	n       uint64
+	lastTry time.Time
+}
+
+// New creates a new backoff with the specified max duration and
+// interval. Zero values may be used to use the default values.
+//
+// Panics if either max or interval is negative.
+func New(max time.Duration, interval time.Duration) *Backoff {
+	if max < 0 || interval < 0 {
+		panic("backoff: max or interval is negative")
+	}
+
+	b := &Backoff{
+		maxDuration: max,
+		interval:    interval,
+	}
+	b.setup()
+	return b
+}
+
+// NewWithoutJitter works similarly to New, except that the created
+// Backoff will not use jitter.
+func NewWithoutJitter(max time.Duration, interval time.Duration) *Backoff {
+	b := New(max, interval)
+	b.noJitter = true
+	return b
+}
+
+func init() {
+	var buf [8]byte
+	var n int64
+
+	_, err := io.ReadFull(rand.Reader, buf[:])
+	if err != nil {
+		panic(err.Error())
+	}
+
+	n = int64(binary.LittleEndian.Uint64(buf[:]))
+
+	src := mrand.NewSource(n)
+	prng = mrand.New(src)
+}
+
+func (b *Backoff) setup() {
+	if b.interval == 0 {
+		b.interval = DefaultInterval
+	}
+
+	if b.maxDuration == 0 {
+		b.maxDuration = DefaultMaxDuration
+	}
+}
+
+// Duration returns a time.Duration appropriate for the backoff,
+// incrementing the attempt counter.
+func (b *Backoff) Duration() time.Duration {
+	b.setup()
+
+	b.decayN()
+
+	t := b.duration(b.n)
+
+	if b.n < math.MaxUint64 {
+		b.n++
+	}
+
+	if !b.noJitter {
+		prngMu.Lock()
+		t = time.Duration(prng.Int63n(int64(t)))
+		prngMu.Unlock()
+	}
+
+	return t
+}
+
+// requires b to be locked.
+func (b *Backoff) duration(n uint64) (t time.Duration) {
+	// Saturate pow
+	pow := time.Duration(math.MaxInt64)
+	if n < 63 {
+		pow = 1 << n
+	}
+
+	t = b.interval * pow
+	if t/pow != b.interval || t > b.maxDuration {
+		t = b.maxDuration
+	}
+
+	return
+}
+
+// Reset resets the attempt counter of a backoff.
+//
+// It should be called when the rate-limited action succeeds.
+func (b *Backoff) Reset() {
+	b.lastTry = time.Time{}
+	b.n = 0
+}
+
+// SetDecay sets the duration after which the try counter will be reset.
+// Panics if decay is smaller than 0.
+//
+// The decay only kicks in if at least the last backoff + decay has elapsed
+// since the last try.
+func (b *Backoff) SetDecay(decay time.Duration) {
+	if decay < 0 {
+		panic("backoff: decay < 0")
+	}
+
+	b.decay = decay
+}
+
+// requires b to be locked
+func (b *Backoff) decayN() {
+	if b.decay == 0 {
+		return
+	}
+
+	if b.lastTry.IsZero() {
+		b.lastTry = time.Now()
+		return
+	}
+
+	lastDuration := b.duration(b.n - 1)
+	decayed := time.Since(b.lastTry) > lastDuration+b.decay
+	b.lastTry = time.Now()
+
+	if !decayed {
+		return
+	}
+
+	b.n = 0
+}

backoff/backoff_test.go

@@ -0,0 +1,175 @@
+package backoff
+
+import (
+	"fmt"
+	"math"
+	"testing"
+	"time"
+)
+
+// If given New with 0's and no jitter, ensure that certain invariants are met:
+//
+//   - the default max duration and interval should be used
+//   - noJitter should be true
+//   - the RNG should not be initialised
+//   - the first duration should be equal to the default interval
+func TestDefaults(t *testing.T) {
+	b := NewWithoutJitter(0, 0)
+
+	if b.maxDuration != DefaultMaxDuration {
+		t.Fatalf("expected new backoff to use the default max duration (%s), but have %s", DefaultMaxDuration, b.maxDuration)
+	}
+
+	if b.interval != DefaultInterval {
+		t.Fatalf("exepcted new backoff to use the default interval (%s), but have %s", DefaultInterval, b.interval)
+	}
+
+	if b.noJitter != true {
+		t.Fatal("backoff should have been initialised without jitter")
+	}
+
+	dur := b.Duration()
+	if dur != DefaultInterval {
+		t.Fatalf("expected first duration to be %s, have %s", DefaultInterval, dur)
+	}
+}
+
+// Given a zero-value initialised Backoff, it should be transparently
+// setup.
+func TestSetup(t *testing.T) {
+	b := new(Backoff)
+	dur := b.Duration()
+	if dur < 0 || dur > (5*time.Minute) {
+		t.Fatalf("want duration between 0 and 5 minutes, have %s", dur)
+	}
+}
+
+// Ensure that tries incremenets as expected.
+func TestTries(t *testing.T) {
+	b := NewWithoutJitter(5, 1)
+
+	for i := uint64(0); i < 3; i++ {
+		if b.n != i {
+			t.Fatalf("want tries=%d, have tries=%d", i, b.n)
+		}
+
+		pow := 1 << i
+		expected := time.Duration(pow)
+		dur := b.Duration()
+		if dur != expected {
+			t.Fatalf("want duration=%d, have duration=%d at i=%d", expected, dur, i)
+		}
+	}
+
+	for i := uint(3); i < 5; i++ {
+		dur := b.Duration()
+		if dur != 5 {
+			t.Fatalf("want duration=5, have %d at i=%d", dur, i)
+		}
+	}
+}
+
+// Ensure that a call to Reset will actually reset the Backoff.
+func TestReset(t *testing.T) {
+	const iter = 10
+	b := New(1000, 1)
+	for i := 0; i < iter; i++ {
+		_ = b.Duration()
+	}
+
+	if b.n != iter {
+		t.Fatalf("expected tries=%d, have tries=%d", iter, b.n)
+	}
+
+	b.Reset()
+	if b.n != 0 {
+		t.Fatalf("expected tries=0 after reset, have tries=%d", b.n)
+	}
+}
+
+const decay = 5 * time.Millisecond
+const max = 10 * time.Millisecond
+const interval = time.Millisecond
+
+func TestDecay(t *testing.T) {
+	const iter = 10
+
+	b := NewWithoutJitter(max, 1)
+	b.SetDecay(decay)
+
+	var backoff time.Duration
+	for i := 0; i < iter; i++ {
+		backoff = b.Duration()
+	}
+
+	if b.n != iter {
+		t.Fatalf("expected tries=%d, have tries=%d", iter, b.n)
+	}
+
+	// Don't decay below backoff
+	b.lastTry = time.Now().Add(-backoff + 1)
+	backoff = b.Duration()
+	if b.n != iter+1 {
+		t.Fatalf("expected tries=%d, have tries=%d", iter+1, b.n)
+	}
+
+	// Reset after backoff + decay
+	b.lastTry = time.Now().Add(-backoff - decay)
+	b.Duration()
+	if b.n != 1 {
+		t.Fatalf("expected tries=%d, have tries=%d", 1, b.n)
+	}
+}
+
+// Ensure that decay works even if the retry counter is saturated.
+func TestDecaySaturation(t *testing.T) {
+	b := NewWithoutJitter(1<<2, 1)
+	b.SetDecay(decay)
+
+	var duration time.Duration
+	for i := 0; i <= 2; i++ {
+		duration = b.Duration()
+	}
+
+	if duration != 1<<2 {
+		t.Fatalf("expected duration=%v, have duration=%v", 1<<2, duration)
+	}
+
+	b.lastTry = time.Now().Add(-duration - decay)
+	b.n = math.MaxUint64
+
+	duration = b.Duration()
+	if duration != 1 {
+		t.Errorf("expected duration=%v, have duration=%v", 1, duration)
+	}
+}
+
+func ExampleBackoff_SetDecay() {
+	b := NewWithoutJitter(max, interval)
+	b.SetDecay(decay)
+
+	// try 0
+	fmt.Println(b.Duration())
+
+	// try 1
+	fmt.Println(b.Duration())
+
+	// try 2
+	duration := b.Duration()
+	fmt.Println(duration)
+
+	// try 3, below decay
+	time.Sleep(duration)
+	duration = b.Duration()
+	fmt.Println(duration)
+
+	// try 4, resets
+	time.Sleep(duration + decay)
+	fmt.Println(b.Duration())
+
+	// Output: 1ms
+	// 2ms
+	// 4ms
+	// 8ms
+	// 1ms
+}

certlib/BUILD.bazel

@@ -1,30 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
-
-go_library(
-    name = "certlib",
-    srcs = [
-        "certlib.go",
-        "der_helpers.go",
-        "ed25519.go",
-        "helpers.go",
-    ],
-    importpath = "git.wntrmute.dev/kyle/goutils/certlib",
-    visibility = ["//visibility:public"],
-    deps = [
-        "//certlib/certerr",
-        "//certlib/pkcs7",
-        "@com_github_google_certificate_transparency_go//:certificate-transparency-go",
-        "@com_github_google_certificate_transparency_go//tls",
-        "@com_github_google_certificate_transparency_go//x509",
-        "@org_golang_x_crypto//ocsp",
-        "@org_golang_x_crypto//pkcs12",
-    ],
-)
-
-go_test(
-    name = "certlib_test",
-    size = "small",
-    srcs = ["certlib_test.go"],
-    embed = [":certlib"],
-    deps = ["//assert"],
-)

certlib/certerr/BUILD.bazel

@@ -1,8 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library")
-
-go_library(
-    name = "certerr",
-    srcs = ["errors.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/certlib/certerr",
-    visibility = ["//visibility:public"],
-)

certlib/hosts/hosts.go

@@ -0,0 +1,82 @@
+package hosts
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"net/url"
+	"strconv"
+	"strings"
+)
+
+type Target struct {
+	Host string
+	Port int
+}
+
+func (t *Target) String() string {
+	return fmt.Sprintf("%s:%d", t.Host, t.Port)
+}
+
+func parseURL(host string) (string, int, error) {
+	url, err := url.Parse(host)
+	if err != nil {
+		return "", 0, fmt.Errorf("certlib/hosts: invalid host: %s", host)
+	}
+
+	if strings.ToLower(url.Scheme) != "https" {
+		return "", 0, errors.New("certlib/hosts: only https scheme supported")
+	}
+
+	if url.Port() == "" {
+		return url.Hostname(), 443, nil
+	}
+
+	port, err := strconv.ParseInt(url.Port(), 10, 16)
+	if err != nil {
+		return "", 0, fmt.Errorf("certlib/hosts: invalid port: %s", url.Port())
+	}
+
+	return url.Hostname(), int(port), nil
+}
+
+func parseHostPort(host string) (string, int, error) {
+	host, sport, err := net.SplitHostPort(host)
+	if err == nil {
+		port, err := strconv.ParseInt(sport, 10, 16)
+		if err != nil {
+			return "", 0, fmt.Errorf("certlib/hosts: invalid port: %s", sport)
+		}
+
+		return host, int(port), nil
+	}
+
+	return host, 443, nil
+}
+
+func ParseHost(host string) (*Target, error) {
+	host, port, err := parseURL(host)
+	if err == nil {
+		return &Target{Host: host, Port: port}, nil
+	}
+
+	host, port, err = parseHostPort(host)
+	if err == nil {
+		return &Target{Host: host, Port: port}, nil
+	}
+
+	return nil, fmt.Errorf("certlib/hosts: invalid host: %s", host)
+}
+
+func ParseHosts(hosts ...string) ([]*Target, error) {
+	targets := make([]*Target, 0, len(hosts))
+	for _, host := range hosts {
+		target, err := ParseHost(host)
+		if err != nil {
+			return nil, err
+		}
+		targets = append(targets, target)
+	}
+
+	return targets, nil
+}

certlib/pkcs7/BUILD.bazel

@@ -1,9 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library")
-
-go_library(
-    name = "pkcs7",
-    srcs = ["pkcs7.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/certlib/pkcs7",
-    visibility = ["//visibility:public"],
-    deps = ["//certlib/certerr"],
-)

certlib/revoke/BUILD.bazel

@@ -1,19 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
-
-go_library(
-    name = "revoke",
-    srcs = ["revoke.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/certlib/revoke",
-    visibility = ["//visibility:public"],
-    deps = [
-        "//certlib",
-        "//log",
-        "@org_golang_x_crypto//ocsp",
-    ],
-)
-
-go_test(
-    name = "revoke_test",
-    srcs = ["revoke_test.go"],
-    embed = [":revoke"],
-)

cmd/atping/BUILD.bazel

@@ -1,14 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "atping_lib",
-    srcs = ["main.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/atping",
-    visibility = ["//visibility:private"],
-)
-
-go_binary(
-    name = "atping",
-    embed = [":atping_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/ca-signed/README.txt

@@ -0,0 +1,40 @@
+ca-signed: verify certificates against a CA
+-------------------------------------------
+
+Description
+  ca-signed verifies whether one or more certificates are signed by a given
+  Certificate Authority (CA). It prints a concise status per input certificate
+  along with the certificate’s expiration date when validation succeeds.
+
+Usage
+  ca-signed CA.pem cert1.pem [cert2.pem ...]
+
+  - CA.pem: A file containing one or more CA certificates in PEM, DER, or PKCS#7/PKCS#12 formats.
+  - certN.pem: A file containing the end-entity (leaf) certificate to verify. If the file contains a chain,
+               the first certificate is treated as the leaf and the remaining ones are used as intermediates.
+
+Output format
+  For each input certificate file, one line is printed:
+    <filename>: OK (expires YYYY-MM-DD)
+    <filename>: INVALID
+
+Special self-test mode
+  ca-signed selftest
+
+  Runs a built-in test suite using embedded certificates. This mode requires no
+  external files or network access. The program exits with code 0 if all tests
+  pass, or a non-zero exit code if any test fails. Example output lines include
+  whether validation succeeds and the leaf’s expiration when applicable.
+
+Examples
+  # Verify a server certificate against a root CA
+  ca-signed isrg-root-x1.pem le-e7.pem
+
+  # Run the embedded self-test suite
+  ca-signed selftest
+
+Notes
+  - The tool attempts to parse certificates in PEM first, then falls back to
+    DER/PKCS#7/PKCS#12 (with an empty password) where applicable.
+  - Expiration is shown for the leaf certificate only.
+  - In selftest mode, test certificates are compiled into the binary using go:embed.

cmd/ca-signed/main.go

@@ -0,0 +1,287 @@
+package main
+
+import (
+	"crypto/x509"
+	"embed"
+	"fmt"
+	"os"
+	"path/filepath"
+	"time"
+
+	"git.wntrmute.dev/kyle/goutils/certlib"
+)
+
+// loadCertsFromFile attempts to parse certificates from a file that may be in
+// PEM or DER/PKCS#7 format. Returns the parsed certificates or an error.
+func loadCertsFromFile(path string) ([]*x509.Certificate, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	// Try PEM first
+	if certs, err := certlib.ParseCertificatesPEM(data); err == nil {
+		return certs, nil
+	}
+
+	// Try DER/PKCS7/PKCS12 (with no password)
+	if certs, _, err := certlib.ParseCertificatesDER(data, ""); err == nil {
+		return certs, nil
+	} else {
+		return nil, err
+	}
+}
+
+func makePoolFromFile(path string) (*x509.CertPool, error) {
+	// Try PEM via helper (it builds a pool)
+	if pool, err := certlib.LoadPEMCertPool(path); err == nil && pool != nil {
+		return pool, nil
+	}
+
+	// Fallback: read as DER(s), add to a new pool
+	certs, err := loadCertsFromFile(path)
+	if err != nil || len(certs) == 0 {
+		return nil, fmt.Errorf("failed to load CA certificates from %s", path)
+	}
+	pool := x509.NewCertPool()
+	for _, c := range certs {
+		pool.AddCert(c)
+	}
+	return pool, nil
+}
+
+//go:embed testdata/*.pem
+var embeddedTestdata embed.FS
+
+// loadCertsFromBytes attempts to parse certificates from bytes that may be in
+// PEM or DER/PKCS#7 format.
+func loadCertsFromBytes(data []byte) ([]*x509.Certificate, error) {
+	// Try PEM first
+	if certs, err := certlib.ParseCertificatesPEM(data); err == nil {
+		return certs, nil
+	}
+	// Try DER/PKCS7/PKCS12 (with no password)
+	if certs, _, err := certlib.ParseCertificatesDER(data, ""); err == nil {
+		return certs, nil
+	} else {
+		return nil, err
+	}
+}
+
+func makePoolFromBytes(data []byte) (*x509.CertPool, error) {
+    certs, err := loadCertsFromBytes(data)
+    if err != nil || len(certs) == 0 {
+        return nil, fmt.Errorf("failed to load CA certificates from embedded bytes")
+    }
+    pool := x509.NewCertPool()
+    for _, c := range certs {
+        pool.AddCert(c)
+    }
+    return pool, nil
+}
+
+// isSelfSigned returns true if the given certificate is self-signed.
+// It checks that the subject and issuer match and that the certificate's
+// signature verifies against its own public key.
+func isSelfSigned(cert *x509.Certificate) bool {
+    if cert == nil {
+        return false
+    }
+    // Quick check: subject and issuer match
+    if cert.Subject.String() != cert.Issuer.String() {
+        return false
+    }
+    // Cryptographic check: the certificate is signed by itself
+    if err := cert.CheckSignatureFrom(cert); err != nil {
+        return false
+    }
+    return true
+}
+
+func verifyAgainstCA(caPool *x509.CertPool, path string) (ok bool, expiry string) {
+	certs, err := loadCertsFromFile(path)
+	if err != nil || len(certs) == 0 {
+		return false, ""
+	}
+
+	leaf := certs[0]
+	ints := x509.NewCertPool()
+	if len(certs) > 1 {
+		for _, ic := range certs[1:] {
+			ints.AddCert(ic)
+		}
+	}
+
+	opts := x509.VerifyOptions{
+		Roots:         caPool,
+		Intermediates: ints,
+		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
+	}
+	if _, err := leaf.Verify(opts); err != nil {
+		return false, ""
+	}
+
+	return true, leaf.NotAfter.Format("2006-01-02")
+}
+
+func verifyAgainstCABytes(caPool *x509.CertPool, certData []byte) (ok bool, expiry string) {
+	certs, err := loadCertsFromBytes(certData)
+	if err != nil || len(certs) == 0 {
+		return false, ""
+	}
+
+	leaf := certs[0]
+	ints := x509.NewCertPool()
+	if len(certs) > 1 {
+		for _, ic := range certs[1:] {
+			ints.AddCert(ic)
+		}
+	}
+
+	opts := x509.VerifyOptions{
+		Roots:         caPool,
+		Intermediates: ints,
+		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
+	}
+	if _, err := leaf.Verify(opts); err != nil {
+		return false, ""
+	}
+
+	return true, leaf.NotAfter.Format("2006-01-02")
+}
+
+// selftest runs built-in validation using embedded certificates.
+func selftest() int {
+	type testCase struct {
+		name     string
+		caFile   string
+		certFile string
+		expectOK bool
+	}
+
+ cases := []testCase{
+        {name: "ISRG Root X1 validates LE E7", caFile: "testdata/isrg-root-x1.pem", certFile: "testdata/le-e7.pem", expectOK: true},
+        {name: "ISRG Root X1 does NOT validate Google WR2", caFile: "testdata/isrg-root-x1.pem", certFile: "testdata/goog-wr2.pem", expectOK: false},
+        {name: "GTS R1 validates Google WR2", caFile: "testdata/gts-r1.pem", certFile: "testdata/goog-wr2.pem", expectOK: true},
+        {name: "GTS R1 does NOT validate LE E7", caFile: "testdata/gts-r1.pem", certFile: "testdata/le-e7.pem", expectOK: false},
+    }
+
+    failures := 0
+    for _, tc := range cases {
+		caBytes, err := embeddedTestdata.ReadFile(tc.caFile)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "selftest: failed to read embedded %s: %v\n", tc.caFile, err)
+			failures++
+			continue
+		}
+		certBytes, err := embeddedTestdata.ReadFile(tc.certFile)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "selftest: failed to read embedded %s: %v\n", tc.certFile, err)
+			failures++
+			continue
+		}
+		pool, err := makePoolFromBytes(caBytes)
+		if err != nil || pool == nil {
+			fmt.Fprintf(os.Stderr, "selftest: failed to build CA pool for %s: %v\n", tc.caFile, err)
+			failures++
+			continue
+		}
+		ok, exp := verifyAgainstCABytes(pool, certBytes)
+		if ok != tc.expectOK {
+			fmt.Printf("%s: unexpected result: got %v, want %v\n", tc.name, ok, tc.expectOK)
+			failures++
+		} else {
+			if ok {
+				fmt.Printf("%s: OK (expires %s)\n", tc.name, exp)
+			} else {
+				fmt.Printf("%s: INVALID (as expected)\n", tc.name)
+			}
+		}
+    }
+
+    // Verify that both embedded root CAs are detected as self-signed
+    roots := []string{"testdata/gts-r1.pem", "testdata/isrg-root-x1.pem"}
+    for _, root := range roots {
+        b, err := embeddedTestdata.ReadFile(root)
+        if err != nil {
+            fmt.Fprintf(os.Stderr, "selftest: failed to read embedded %s: %v\n", root, err)
+            failures++
+            continue
+        }
+        certs, err := loadCertsFromBytes(b)
+        if err != nil || len(certs) == 0 {
+            fmt.Fprintf(os.Stderr, "selftest: failed to parse cert(s) from %s: %v\n", root, err)
+            failures++
+            continue
+        }
+        leaf := certs[0]
+        if isSelfSigned(leaf) {
+            fmt.Printf("%s: SELF-SIGNED (as expected)\n", root)
+        } else {
+            fmt.Printf("%s: expected SELF-SIGNED, but was not detected as such\n", root)
+            failures++
+        }
+    }
+
+    if failures == 0 {
+        fmt.Println("selftest: PASS")
+        return 0
+    }
+    fmt.Fprintf(os.Stderr, "selftest: FAIL (%d failure(s))\n", failures)
+    return 1
+}
+
+func main() {
+	// Special selftest mode: single argument "selftest"
+	if len(os.Args) == 2 && os.Args[1] == "selftest" {
+		os.Exit(selftest())
+	}
+
+	if len(os.Args) < 3 {
+		prog := filepath.Base(os.Args[0])
+		fmt.Fprintf(os.Stderr, "Usage:\n  %s ca.pem cert1.pem cert2.pem ...\n  %s selftest\n", prog, prog)
+		os.Exit(2)
+	}
+
+	caPath := os.Args[1]
+	caPool, err := makePoolFromFile(caPath)
+	if err != nil || caPool == nil {
+		fmt.Fprintf(os.Stderr, "failed to load CA certificate(s): %v\n", err)
+		os.Exit(1)
+	}
+
+    for _, certPath := range os.Args[2:] {
+        ok, exp := verifyAgainstCA(caPool, certPath)
+        name := filepath.Base(certPath)
+        // Load the leaf once for self-signed detection and potential expiry fallback
+        var leaf *x509.Certificate
+        if certs, err := loadCertsFromFile(certPath); err == nil && len(certs) > 0 {
+            leaf = certs[0]
+        }
+
+        // If the certificate is self-signed, prefer the SELF-SIGNED label
+        if isSelfSigned(leaf) {
+            fmt.Printf("%s: SELF-SIGNED\n", name)
+            continue
+        }
+
+        if ok {
+            // Display with the requested format
+            // Example: file: OK (expires 2031-01-01)
+            // Ensure deterministic date formatting
+            // Note: no timezone displayed; date only as per example
+            // If exp ended up empty for some reason, recompute safely
+            if exp == "" {
+                if leaf != nil {
+                    exp = leaf.NotAfter.Format("2006-01-02")
+                } else {
+                    // fallback to the current date to avoid empty; though shouldn't happen
+                    exp = time.Now().Format("2006-01-02")
+                }
+            }
+            fmt.Printf("%s: OK (expires %s)\n", name, exp)
+        } else {
+            fmt.Printf("%s: INVALID\n", name)
+        }
+    }
+}

cmd/ca-signed/testdata/goog-wr2.pem

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFCzCCAvOgAwIBAgIQf/AFoHxM3tEArZ1mpRB7mDANBgkqhkiG9w0BAQsFADBH
+MQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExM
+QzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMjMxMjEzMDkwMDAwWhcNMjkwMjIw
+MTQwMDAwWjA7MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNl
+cnZpY2VzMQwwCgYDVQQDEwNXUjIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCp/5x/RR5wqFOfytnlDd5GV1d9vI+aWqxG8YSau5HbyfsvAfuSCQAWXqAc
++MGr+XgvSszYhaLYWTwO0xj7sfUkDSbutltkdnwUxy96zqhMt/TZCPzfhyM1IKji
+aeKMTj+xWfpgoh6zySBTGYLKNlNtYE3pAJH8do1cCA8Kwtzxc2vFE24KT3rC8gIc
+LrRjg9ox9i11MLL7q8Ju26nADrn5Z9TDJVd06wW06Y613ijNzHoU5HEDy01hLmFX
+xRmpC5iEGuh5KdmyjS//V2pm4M6rlagplmNwEmceOuHbsCFx13ye/aoXbv4r+zgX
+FNFmp6+atXDMyGOBOozAKql2N87jAgMBAAGjgf4wgfswDgYDVR0PAQH/BAQDAgGG
+MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/
+AgEAMB0GA1UdDgQWBBTeGx7teRXUPjckwyG77DQ5bUKyMDAfBgNVHSMEGDAWgBTk
+rysmcRorSCeFL1JmLO/wiRNxPjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAKG
+GGh0dHA6Ly9pLnBraS5nb29nL3IxLmNydDArBgNVHR8EJDAiMCCgHqAchhpodHRw
+Oi8vYy5wa2kuZ29vZy9yL3IxLmNybDATBgNVHSAEDDAKMAgGBmeBDAECATANBgkq
+hkiG9w0BAQsFAAOCAgEARXWL5R87RBOWGqtY8TXJbz3S0DNKhjO6V1FP7sQ02hYS
+TL8Tnw3UVOlIecAwPJQl8hr0ujKUtjNyC4XuCRElNJThb0Lbgpt7fyqaqf9/qdLe
+SiDLs/sDA7j4BwXaWZIvGEaYzq9yviQmsR4ATb0IrZNBRAq7x9UBhb+TV+PfdBJT
+DhEl05vc3ssnbrPCuTNiOcLgNeFbpwkuGcuRKnZc8d/KI4RApW//mkHgte8y0YWu
+ryUJ8GLFbsLIbjL9uNrizkqRSvOFVU6xddZIMy9vhNkSXJ/UcZhjJY1pXAprffJB
+vei7j+Qi151lRehMCofa6WBmiA4fx+FOVsV2/7R6V2nyAiIJJkEd2nSi5SnzxJrl
+Xdaqev3htytmOPvoKWa676ATL/hzfvDaQBEcXd2Ppvy+275W+DKcH0FBbX62xevG
+iza3F4ydzxl6NJ8hk8R+dDXSqv1MbRT1ybB5W0k8878XSOjvmiYTDIfyc9acxVJr
+Y/cykHipa+te1pOhv7wYPYtZ9orGBV5SGOJm4NrB3K1aJar0RfzxC3ikr7Dyc6Qw
+qDTBU39CluVIQeuQRgwG3MuSxl7zRERDRilGoKb8uY45JzmxWuKxrfwT/478JuHU
+/oTxUFqOl2stKnn7QGTq8z29W+GgBLCXSBxC9epaHM0myFH/FJlniXJfHeytWt0=
+-----END CERTIFICATE-----

cmd/ca-signed/testdata/gts-r1.pem

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFVzCCAz+gAwIBAgINAgPlk28xsBNJiGuiFzANBgkqhkiG9w0BAQwFADBHMQsw
+CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
+MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAw
+MDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp
+Y2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwggIiMA0GCSqGSIb3DQEBAQUA
+A4ICDwAwggIKAoICAQC2EQKLHuOhd5s73L+UPreVp0A8of2C+X0yBoJx9vaMf/vo
+27xqLpeXo4xL+Sv2sfnOhB2x+cWX3u+58qPpvBKJXqeqUqv4IyfLpLGcY9vXmX7w
+Cl7raKb0xlpHDU0QM+NOsROjyBhsS+z8CZDfnWQpJSMHobTSPS5g4M/SCYe7zUjw
+TcLCeoiKu7rPWRnWr4+wB7CeMfGCwcDfLqZtbBkOtdh+JhpFAz2weaSUKK0Pfybl
+qAj+lug8aJRT7oM6iCsVlgmy4HqMLnXWnOunVmSPlk9orj2XwoSPwLxAwAtcvfaH
+szVsrBhQf4TgTM2S0yDpM7xSma8ytSmzJSq0SPly4cpk9+aCEI3oncKKiPo4Zor8
+Y/kB+Xj9e1x3+naH+uzfsQ55lVe0vSbv1gHR6xYKu44LtcXFilWr06zqkUspzBmk
+MiVOKvFlRNACzqrOSbTqn3yDsEB750Orp2yjj32JgfpMpf/VjsPOS+C12LOORc92
+wO1AK/1TD7Cn1TsNsYqiA94xrcx36m97PtbfkSIS5r762DL8EGMUUXLeXdYWk70p
+aDPvOmbsB4om3xPXV2V4J95eSRQAogB/mqghtqmxlbCluQ0WEdrHbEg8QOB+DVrN
+VjzRlwW5y0vtOUucxD/SVRNuJLDWcfr0wbrM7Rv1/oFB2ACYPTrIrnqYNxgFlQID
+AQABo0IwQDAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
+FgQU5K8rJnEaK0gnhS9SZizv8IkTcT4wDQYJKoZIhvcNAQEMBQADggIBAJ+qQibb
+C5u+/x6Wki4+omVKapi6Ist9wTrYggoGxval3sBOh2Z5ofmmWJyq+bXmYOfg6LEe
+QkEzCzc9zolwFcq1JKjPa7XSQCGYzyI0zzvFIoTgxQ6KfF2I5DUkzps+GlQebtuy
+h6f88/qBVRRiClmpIgUxPoLW7ttXNLwzldMXG+gnoot7TiYaelpkttGsN/H9oPM4
+7HLwEXWdyzRSjeZ2axfG34arJ45JK3VmgRAhpuo+9K4l/3wV3s6MJT/KYnAK9y8J
+ZgfIPxz88NtFMN9iiMG1D53Dn0reWVlHxYciNuaCp+0KueIHoI17eko8cdLiA6Ef
+MgfdG+RCzgwARWGAtQsgWSl4vflVy2PFPEz0tv/bal8xa5meLMFrUKTX5hgUvYU/
+Z6tGn6D/Qqc6f1zLXbBwHSs09dR2CQzreExZBfMzQsNhFRAbd03OIozUhfJFfbdT
+6u9AWpQKXCBfTkBdYiJ23//OYb2MI3jSNwLgjt7RETeJ9r/tSQdirpLsQBqvFAnZ
+0E6yove+7u7Y/9waLd64NnHi/Hm3lCXRSHNboTXns5lndcEZOitHTtNCjv0xyBZm
+2tIMPNuzjsmhDYAPexZ3FL//2wmUspO8IFgV6dtxQ/PeEMMA3KgqlbbC1j+Qa3bb
+bP6MvPJwNQzcmRk13NfIRmPVNnGuV/u3gm3c
+-----END CERTIFICATE-----

cmd/ca-signed/testdata/isrg-root-x1.pem

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+-----END CERTIFICATE-----

cmd/ca-signed/testdata/le-e7.pem

@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEVzCCAj+gAwIBAgIRAKp18eYrjwoiCWbTi7/UuqEwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw
+WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCRTcwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARB6AST
+CFh/vjcwDMCgQer+VtqEkz7JANurZxLP+U9TCeioL6sp5Z8VRvRbYk4P1INBmbef
+QHJFHCxcSjKmwtvGBWpl/9ra8HW0QDsUaJW2qOJqceJ0ZVFT3hbUHifBM/2jgfgw
+gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
+ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSuSJ7chx1EoG/aouVgdAR4
+wpwAgDAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g
+BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu
+Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAjx66fDdLk5ywFn3CzA1w1qfylHUD
+aEf0QZpXcJseddJGSfbUUOvbNR9N/QQ16K1lXl4VFyhmGXDT5Kdfcr0RvIIVrNxF
+h4lqHtRRCP6RBRstqbZ2zURgqakn/Xip0iaQL0IdfHBZr396FgknniRYFckKORPG
+yM3QKnd66gtMst8I5nkRQlAg/Jb+Gc3egIvuGKWboE1G89NTsN9LTDD3PLj0dUMr
+OIuqVjLB8pEC6yk9enrlrqjXQgkLEYhXzq7dLafv5Vkig6Gl0nuuqjqfp0Q1bi1o
+yVNAlXe6aUXw92CcghC9bNsKEO1+M52YY5+ofIXlS/SEQbvVYYBLZ5yeiglV6t3S
+M6H+vTG0aP9YHzLn/KVOHzGQfXDP7qM5tkf+7diZe7o2fw6O7IvN6fsQXEQQj8TJ
+UXJxv2/uJhcuy/tSDgXwHM8Uk34WNbRT7zGTGkQRX0gsbjAea/jYAoWv0ZvQRwpq
+Pe79D/i7Cep8qWnA+7AE/3B3S/3dEEYmc0lpe1366A/6GEgk3ktr9PEoQrLChs6I
+tu3wnNLB2euC8IKGLQFpGtOO/2/hiAKjyajaBP25w1jF0Wl8Bbqne3uZ2q1GyPFJ
+YRmT7/OXpmOH/FVLtwS+8ng1cAmpCujPwteJZNcDG0sF2n/sc0+SQf49fdyUK0ty
++VUwFj9tmWxyR/M=
+-----END CERTIFICATE-----

cmd/cert-bundler/README.txt

@@ -0,0 +1,148 @@
+cert-bundler: create certificate chain archives
+------------------------------------------------
+
+Description
+  cert-bundler creates archives of certificate chains from a YAML configuration
+  file. It validates certificates, checks expiration dates, and generates
+  archives in multiple formats (zip, tar.gz) with optional manifest files
+  containing SHA256 checksums.
+
+Usage
+  cert-bundler [options]
+
+  Options:
+    -c <file>    Path to YAML configuration file (default: bundle.yaml)
+    -o <dir>     Output directory for archives (default: pkg)
+
+YAML Configuration Format
+
+  The configuration file uses the following structure:
+
+  config:
+    hashes: <filename>
+    expiry: <duration>
+  chains:
+    <group_name>:
+      certs:
+        - root: <path>
+          intermediates:
+            - <path>
+            - <path>
+        - root: <path>
+          intermediates:
+            - <path>
+      outputs:
+        include_single: <bool>
+        include_individual: <bool>
+        manifest: <bool>
+        encoding: <encoding>
+        formats:
+          - <format>
+          - <format>
+
+Configuration Fields
+
+  config:
+    hashes: (optional) Name of the file to write SHA256 checksums of all
+            generated archives. If omitted, no hash file is created.
+    expiry: (optional) Expiration warning threshold. Certificates expiring
+            within this period will trigger a warning. Supports formats like
+            "1y" (year), "6m" (month), "30d" (day). Default: 1y
+
+  chains:
+    Each key under "chains" defines a named certificate group. All certificates
+    in a group are bundled together into archives with the group name.
+
+    certs:
+      List of certificate chains. Each chain has:
+        root: Path to root CA certificate (PEM or DER format)
+        intermediates: List of paths to intermediate certificates
+
+      All intermediates are validated against their root CA. An error is
+      reported if signature verification fails.
+
+    outputs:
+      Defines output formats and content for the group's archives:
+
+        include_single: (bool) If true, all certificates in the group are
+                        concatenated into a single file named "bundle.pem"
+                        (or "bundle.crt" for DER encoding).
+
+        include_individual: (bool) If true, each certificate is included as
+                            a separate file in the archive, named after the
+                            original file (e.g., "int/cca2.pem" becomes
+                            "cca2.pem").
+
+        manifest: (bool) If true, a MANIFEST file is included containing
+                  SHA256 checksums of all files in the archive.
+
+        encoding: Specifies certificate encoding in the archive:
+                  - "pem": PEM format with .pem extension (default)
+                  - "der": DER format with .crt extension
+                  - "both": Both PEM and DER versions are included
+
+        formats: List of archive formats to generate:
+                 - "zip": Creates a .zip archive
+                 - "tgz": Creates a .tar.gz archive
+
+Output Files
+
+  For each group and format combination, an archive is created:
+    <group_name>.zip or <group_name>.tar.gz
+
+  If config.hashes is specified, a hash file is created in the output directory
+  containing SHA256 checksums of all generated archives.
+
+Example Configuration
+
+  config:
+    hashes: bundle.sha256
+    expiry: 1y
+  chains:
+    core_certs:
+      certs:
+        - root: roots/core-ca.pem
+          intermediates:
+            - int/cca1.pem
+            - int/cca2.pem
+            - int/cca3.pem
+        - root: roots/ssh-ca.pem
+          intermediates:
+            - ssh/ssh_dmz1.pem
+            - ssh/ssh_internal.pem
+      outputs:
+        include_single: true
+        include_individual: true
+        manifest: true
+        encoding: pem
+        formats:
+          - zip
+          - tgz
+
+  This configuration:
+    - Creates core_certs.zip and core_certs.tar.gz in the output directory
+    - Each archive contains bundle.pem (all certificates concatenated)
+    - Each archive contains individual certificates (core-ca.pem, cca1.pem, etc.)
+    - Each archive includes a MANIFEST file with SHA256 checksums
+    - Creates bundle.sha256 with checksums of the two archives
+    - Warns if any certificate expires within 1 year
+
+Examples
+
+  # Create bundles using default configuration (bundle.yaml -> pkg/)
+  cert-bundler
+
+  # Use custom configuration and output directory
+  cert-bundler -c myconfig.yaml -o output
+
+  # Create bundles from testdata configuration
+  cert-bundler -c testdata/bundle.yaml -o testdata/pkg
+
+Notes
+  - Certificate paths in the YAML are relative to the current working directory
+  - All intermediates must be properly signed by their specified root CA
+  - Certificates are checked for expiration; warnings are printed to stderr
+  - Expired certificates do not prevent archive creation but generate warnings
+  - Both PEM and DER certificate formats are supported as input
+  - Archive filenames use the group name, not individual chain names
+  - If both include_single and include_individual are true, archives contain both

cmd/cert-bundler/main.go

@@ -0,0 +1,489 @@
+package main
+
+import (
+	"archive/tar"
+	"archive/zip"
+	"compress/gzip"
+	"crypto/sha256"
+	"crypto/x509"
+	_ "embed"
+	"encoding/pem"
+	"flag"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"git.wntrmute.dev/kyle/goutils/certlib"
+	"gopkg.in/yaml.v2"
+)
+
+// Config represents the top-level YAML configuration
+type Config struct {
+	Config struct {
+		Hashes string `yaml:"hashes"`
+		Expiry string `yaml:"expiry"`
+	} `yaml:"config"`
+	Chains map[string]ChainGroup `yaml:"chains"`
+}
+
+// ChainGroup represents a named group of certificate chains
+type ChainGroup struct {
+	Certs   []CertChain `yaml:"certs"`
+	Outputs Outputs     `yaml:"outputs"`
+}
+
+// CertChain represents a root certificate and its intermediates
+type CertChain struct {
+	Root          string   `yaml:"root"`
+	Intermediates []string `yaml:"intermediates"`
+}
+
+// Outputs defines output format options
+type Outputs struct {
+	IncludeSingle     bool     `yaml:"include_single"`
+	IncludeIndividual bool     `yaml:"include_individual"`
+	Manifest          bool     `yaml:"manifest"`
+	Formats           []string `yaml:"formats"`
+	Encoding          string   `yaml:"encoding"`
+}
+
+var (
+	configFile string
+	outputDir  string
+)
+
+var formatExtensions = map[string]string{
+	"zip": ".zip",
+	"tgz": ".tar.gz",
+}
+
+//go:embed README.txt
+var readmeContent string
+
+func usage() {
+	fmt.Fprint(os.Stderr, readmeContent)
+}
+
+func main() {
+	flag.Usage = usage
+	flag.StringVar(&configFile, "c", "bundle.yaml", "path to YAML configuration file")
+	flag.StringVar(&outputDir, "o", "pkg", "output directory for archives")
+	flag.Parse()
+
+	if configFile == "" {
+		fmt.Fprintf(os.Stderr, "Error: configuration file required (-c flag)\n")
+		os.Exit(1)
+	}
+
+	// Load and parse configuration
+	cfg, err := loadConfig(configFile)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error loading config: %v\n", err)
+		os.Exit(1)
+	}
+
+	// Parse expiry duration (default 1 year)
+	expiryDuration := 365 * 24 * time.Hour
+	if cfg.Config.Expiry != "" {
+		expiryDuration, err = parseDuration(cfg.Config.Expiry)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Error parsing expiry: %v\n", err)
+			os.Exit(1)
+		}
+	}
+
+	// Create output directory if it doesn't exist
+	if err := os.MkdirAll(outputDir, 0755); err != nil {
+		fmt.Fprintf(os.Stderr, "Error creating output directory: %v\n", err)
+		os.Exit(1)
+	}
+
+	// Process each chain group
+	createdFiles := []string{}
+	for groupName, group := range cfg.Chains {
+		files, err := processChainGroup(groupName, group, expiryDuration)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Error processing chain group %s: %v\n", groupName, err)
+			os.Exit(1)
+		}
+		createdFiles = append(createdFiles, files...)
+	}
+
+	// Generate hash file for all created archives
+	if cfg.Config.Hashes != "" {
+		hashFile := filepath.Join(outputDir, cfg.Config.Hashes)
+		if err := generateHashFile(hashFile, createdFiles); err != nil {
+			fmt.Fprintf(os.Stderr, "Error generating hash file: %v\n", err)
+			os.Exit(1)
+		}
+	}
+
+	fmt.Println("Certificate bundling completed successfully")
+}
+
+func loadConfig(path string) (*Config, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	var cfg Config
+	if err := yaml.Unmarshal(data, &cfg); err != nil {
+		return nil, err
+	}
+
+	return &cfg, nil
+}
+
+func parseDuration(s string) (time.Duration, error) {
+	// Support simple formats like "1y", "6m", "30d"
+	if len(s) < 2 {
+		return 0, fmt.Errorf("invalid duration format: %s", s)
+	}
+
+	unit := s[len(s)-1]
+	value := s[:len(s)-1]
+
+	var multiplier time.Duration
+	switch unit {
+	case 'y', 'Y':
+		multiplier = 365 * 24 * time.Hour
+	case 'm', 'M':
+		multiplier = 30 * 24 * time.Hour
+	case 'd', 'D':
+		multiplier = 24 * time.Hour
+	default:
+		return time.ParseDuration(s)
+	}
+
+	var num int
+	_, err := fmt.Sscanf(value, "%d", &num)
+	if err != nil {
+		return 0, fmt.Errorf("invalid duration value: %s", s)
+	}
+
+	return time.Duration(num) * multiplier, nil
+}
+
+func processChainGroup(groupName string, group ChainGroup, expiryDuration time.Duration) ([]string, error) {
+	var createdFiles []string
+
+	// Default encoding to "pem" if not specified
+	encoding := group.Outputs.Encoding
+	if encoding == "" {
+		encoding = "pem"
+	}
+
+	// Collect data from all chains in the group
+	var singleFileCerts []*x509.Certificate
+	var individualCerts []certWithPath
+
+	for _, chain := range group.Certs {
+		// Step 1: Load all certificates for this chain
+		allCerts := make(map[string]*x509.Certificate)
+
+		// Load root certificate
+		rootCert, err := certlib.LoadCertificate(chain.Root)
+		if err != nil {
+			return nil, fmt.Errorf("failed to load root certificate %s: %v", chain.Root, err)
+		}
+		allCerts[chain.Root] = rootCert
+
+		// Check expiry for root
+		checkExpiry(chain.Root, rootCert, expiryDuration)
+
+		// Add root to single file if needed
+		if group.Outputs.IncludeSingle {
+			singleFileCerts = append(singleFileCerts, rootCert)
+		}
+
+		// Add root to individual files if needed
+		if group.Outputs.IncludeIndividual {
+			individualCerts = append(individualCerts, certWithPath{
+				cert: rootCert,
+				path: chain.Root,
+			})
+		}
+
+		// Step 2: Load and validate intermediates
+		for _, intPath := range chain.Intermediates {
+			intCert, err := certlib.LoadCertificate(intPath)
+			if err != nil {
+				return nil, fmt.Errorf("failed to load intermediate certificate %s: %v", intPath, err)
+			}
+			allCerts[intPath] = intCert
+
+			// Validate that intermediate is signed by root
+			if err := intCert.CheckSignatureFrom(rootCert); err != nil {
+				return nil, fmt.Errorf("intermediate %s is not properly signed by root %s: %v", intPath, chain.Root, err)
+			}
+
+			// Check expiry for intermediate
+			checkExpiry(intPath, intCert, expiryDuration)
+
+			// Add intermediate to a single file if needed
+			if group.Outputs.IncludeSingle {
+				singleFileCerts = append(singleFileCerts, intCert)
+			}
+
+			// Add intermediate to individual files if needed
+			if group.Outputs.IncludeIndividual {
+				individualCerts = append(individualCerts, certWithPath{
+					cert: intCert,
+					path: intPath,
+				})
+			}
+		}
+	}
+
+	// Prepare files for inclusion in archives for the entire group.
+	var archiveFiles []fileEntry
+
+	// Handle a single bundle file.
+	if group.Outputs.IncludeSingle && len(singleFileCerts) > 0 {
+		files, err := encodeCertsToFiles(singleFileCerts, "bundle", encoding, true)
+		if err != nil {
+			return nil, fmt.Errorf("failed to encode single bundle: %v", err)
+		}
+		archiveFiles = append(archiveFiles, files...)
+	}
+
+	// Handle individual files
+	if group.Outputs.IncludeIndividual {
+		for _, cp := range individualCerts {
+			baseName := strings.TrimSuffix(filepath.Base(cp.path), filepath.Ext(cp.path))
+			files, err := encodeCertsToFiles([]*x509.Certificate{cp.cert}, baseName, encoding, false)
+			if err != nil {
+				return nil, fmt.Errorf("failed to encode individual cert %s: %v", cp.path, err)
+			}
+			archiveFiles = append(archiveFiles, files...)
+		}
+	}
+
+	// Generate manifest if requested
+	if group.Outputs.Manifest {
+		manifestContent := generateManifest(archiveFiles)
+		archiveFiles = append(archiveFiles, fileEntry{
+			name:    "MANIFEST",
+			content: manifestContent,
+		})
+	}
+
+	// Create archives for the entire group
+	for _, format := range group.Outputs.Formats {
+		ext, ok := formatExtensions[format]
+		if !ok {
+			return nil, fmt.Errorf("unsupported format: %s", format)
+		}
+		archivePath := filepath.Join(outputDir, groupName+ext)
+		switch format {
+		case "zip":
+			if err := createZipArchive(archivePath, archiveFiles); err != nil {
+				return nil, fmt.Errorf("failed to create zip archive: %v", err)
+			}
+		case "tgz":
+			if err := createTarGzArchive(archivePath, archiveFiles); err != nil {
+				return nil, fmt.Errorf("failed to create tar.gz archive: %v", err)
+			}
+		default:
+			return nil, fmt.Errorf("unsupported format: %s", format)
+		}
+		createdFiles = append(createdFiles, archivePath)
+	}
+
+	return createdFiles, nil
+}
+
+func checkExpiry(path string, cert *x509.Certificate, expiryDuration time.Duration) {
+	now := time.Now()
+	expiryThreshold := now.Add(expiryDuration)
+
+	if cert.NotAfter.Before(expiryThreshold) {
+		daysUntilExpiry := int(cert.NotAfter.Sub(now).Hours() / 24)
+		if daysUntilExpiry < 0 {
+			fmt.Fprintf(os.Stderr, "WARNING: Certificate %s has EXPIRED (expired %d days ago)\n", path, -daysUntilExpiry)
+		} else {
+			fmt.Fprintf(os.Stderr, "WARNING: Certificate %s will expire in %d days (on %s)\n", path, daysUntilExpiry, cert.NotAfter.Format("2006-01-02"))
+		}
+	}
+}
+
+type fileEntry struct {
+	name    string
+	content []byte
+}
+
+type certWithPath struct {
+	cert *x509.Certificate
+	path string
+}
+
+// encodeCertsToFiles converts certificates to file entries based on encoding type
+// If isSingle is true, certs are concatenated into a single file; otherwise one cert per file
+func encodeCertsToFiles(certs []*x509.Certificate, baseName string, encoding string, isSingle bool) ([]fileEntry, error) {
+	var files []fileEntry
+
+	switch encoding {
+	case "pem":
+		pemContent, err := encodeCertsToPEM(certs, isSingle)
+		if err != nil {
+			return nil, err
+		}
+		files = append(files, fileEntry{
+			name:    baseName + ".pem",
+			content: pemContent,
+		})
+	case "der":
+		if isSingle {
+			// For single file in DER, concatenate all cert DER bytes
+			var derContent []byte
+			for _, cert := range certs {
+				derContent = append(derContent, cert.Raw...)
+			}
+			files = append(files, fileEntry{
+				name:    baseName + ".crt",
+				content: derContent,
+			})
+		} else {
+			// Individual DER file (should only have one cert)
+			if len(certs) > 0 {
+				files = append(files, fileEntry{
+					name:    baseName + ".crt",
+					content: certs[0].Raw,
+				})
+			}
+		}
+	case "both":
+		// Add PEM version
+		pemContent, err := encodeCertsToPEM(certs, isSingle)
+		if err != nil {
+			return nil, err
+		}
+		files = append(files, fileEntry{
+			name:    baseName + ".pem",
+			content: pemContent,
+		})
+		// Add DER version
+		if isSingle {
+			var derContent []byte
+			for _, cert := range certs {
+				derContent = append(derContent, cert.Raw...)
+			}
+			files = append(files, fileEntry{
+				name:    baseName + ".crt",
+				content: derContent,
+			})
+		} else {
+			if len(certs) > 0 {
+				files = append(files, fileEntry{
+					name:    baseName + ".crt",
+					content: certs[0].Raw,
+				})
+			}
+		}
+	default:
+		return nil, fmt.Errorf("unsupported encoding: %s (must be 'pem', 'der', or 'both')", encoding)
+	}
+
+	return files, nil
+}
+
+// encodeCertsToPEM encodes certificates to PEM format
+func encodeCertsToPEM(certs []*x509.Certificate, concatenate bool) ([]byte, error) {
+	var pemContent []byte
+	for _, cert := range certs {
+		pemBlock := &pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: cert.Raw,
+		}
+		pemContent = append(pemContent, pem.EncodeToMemory(pemBlock)...)
+	}
+	return pemContent, nil
+}
+
+func generateManifest(files []fileEntry) []byte {
+	var manifest strings.Builder
+	for _, file := range files {
+		if file.name == "MANIFEST" {
+			continue
+		}
+		hash := sha256.Sum256(file.content)
+		manifest.WriteString(fmt.Sprintf("%x  %s\n", hash, file.name))
+	}
+	return []byte(manifest.String())
+}
+
+func createZipArchive(path string, files []fileEntry) error {
+	f, err := os.Create(path)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	w := zip.NewWriter(f)
+	defer w.Close()
+
+	for _, file := range files {
+		fw, err := w.Create(file.name)
+		if err != nil {
+			return err
+		}
+		if _, err := fw.Write(file.content); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func createTarGzArchive(path string, files []fileEntry) error {
+	f, err := os.Create(path)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	gw := gzip.NewWriter(f)
+	defer gw.Close()
+
+	tw := tar.NewWriter(gw)
+	defer tw.Close()
+
+	for _, file := range files {
+		hdr := &tar.Header{
+			Name: file.name,
+			Mode: 0644,
+			Size: int64(len(file.content)),
+		}
+		if err := tw.WriteHeader(hdr); err != nil {
+			return err
+		}
+		if _, err := tw.Write(file.content); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func generateHashFile(path string, files []string) error {
+	f, err := os.Create(path)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	for _, file := range files {
+		data, err := os.ReadFile(file)
+		if err != nil {
+			return err
+		}
+
+		hash := sha256.Sum256(data)
+		fmt.Fprintf(f, "%x  %s\n", hash, filepath.Base(file))
+	}
+
+	return nil
+}

cmd/cert-bundler/prompt.txt

@@ -0,0 +1,189 @@
+Task: build a certificate bundling tool in cmd/cert-bundler. It
+creates archives of certificates chains.
+
+A YAML file for this looks something like:
+
+``` yaml
+config:
+  hashes: bundle.sha256
+  expiry: 1y
+chains:
+  core_certs:
+    certs:
+      - root: roots/core-ca.pem
+        intermediates:
+          - int/cca1.pem
+  	- int/cca2.pem
+  	- int/cca3.pem
+      - root: roots/ssh-ca.pem
+        intermediates:
+          - ssh/ssh_dmz1.pem
+  	- ssh/ssh_internal.pem
+  outputs:
+    include_single: true
+    include_individual: true
+    manifest: true
+    formats:
+      - zip
+      - tgz
+```
+
+Some requirements:
+
+1. First, all the certificates should be loaded.
+2. For each root, each of the indivudal intermediates should be
+   checked to make sure they are properly signed by the root CA.
+3. The program should optionally take an expiration period (defaulting
+   to one year), specified in config.expiration, and if any certificate
+   is within that expiration period, a warning should be printed.
+4. If outputs.include_single is true, all certificates under chains
+   should be concatenated into a single file.
+5. If outputs.include_individual is true, all certificates under
+   chains should be included at the root level (e.g. int/cca2.pem
+   would be cca2.pem in the archive).
+6. If bundle.manifest is true, a "MANIFEST" file is created with
+   SHA256 sums of each file included in the archive.
+7. For each of the formats, create an archive file in the output
+   directory (specified with `-o`) with that format.
+   - If zip is included, create a .zip file.
+   - If tgz is included, create a .tar.gz file with default compression
+     levels.
+   - All archive files should include any generated files (single
+     and/or individual) in the top-level directory.
+8. In the output directory, create a file with the same name as
+   config.hashes that contains the SHA256 sum of all files created.
+
+-----
+
+The outputs.include_single and outputs.include_individual describe
+what should go in the final archive. If both are specified, the output
+archive should include both a single bundle.pem and each individual
+certificate, for example.
+
+-----
+
+As it stands, given the following `bundle.yaml`:
+
+``` yaml
+config:
+  hashes: bundle.sha256
+  expiry: 1y
+chains:
+  core_certs:
+    certs:
+      - root: pems/gts-r1.pem
+        intermediates:
+          - pems/goog-wr2.pem
+        outputs:
+          include_single: true
+          include_individual: true
+          manifest: true
+          formats:
+            - zip
+            - tgz
+      - root: pems/isrg-root-x1.pem
+        intermediates:
+          - pems/le-e7.pem
+        outputs:
+          include_single: true
+          include_individual: false
+          manifest: true
+          formats:
+            - zip
+            - tgz
+  google_certs:
+    certs:
+      - root: pems/gts-r1.pem
+        intermediates:
+          - pems/goog-wr2.pem
+        outputs:
+          include_single: true
+          include_individual: false
+          manifest: true
+          formats:
+            - tgz
+  lets_encrypt:
+    certs:
+      - root: pems/isrg-root-x1.pem
+        intermediates:
+          - pems/le-e7.pem
+        outputs:
+          include_single: false
+          include_individual: true
+          manifest: false
+          formats:
+            - zip
+```
+
+The program outputs the following files:
+
+- bundle.sha256
+- core_certs_0.tgz (contains individual certs)
+- core_certs_0.zip (contains individual certs)
+- core_certs_1.tgz (contains core_certs.pem)
+- core_certs_1.zip (contains core_certs.pem)
+- google_certs_0.tgz
+- lets_encrypt_0.zip
+
+It should output
+
+- bundle.sha256
+- core_certs.tgz
+- core_certs.zip
+- google_certs.tgz
+- lets_encrypt.zip
+
+core_certs.* should contain `bundle.pem` and all the individual
+certs. There should be no _$n$ variants of archives.
+
+-----
+
+Add an additional field to outputs: encoding. It should accept one of
+`der`, `pem`, or `both`. If `der`, certificates should be output as a
+`.crt` file containing a DER-encoded certificate. If `pem`, certificates
+should be output as a `.pem` file containing a PEM-encoded certificate.
+If both, both the `.crt` and `.pem` certificate should be included.
+
+For example, given the previous config, if `encoding` is der, the
+google_certs.tgz archive should contain
+
+- bundle.crt
+- MANIFEST
+
+Or with lets_encrypt.zip:
+
+- isrg-root-x1.crt
+- le-e7.crt
+
+However, if `encoding` is pem, the lets_encrypt.zip archive should contain:
+
+- isrg-root-x1.pem
+- le-e7.pem
+
+And if it `encoding` is both, the lets_encrypt.zip archive should contain:
+
+- isrg-root-x1.crt
+- isrg-root-x1.pem
+- le-e7.crt
+- le-e7.pem
+
+-----
+
+The tgz format should output a `.tar.gz` file instead of a `.tgz` file.
+
+-----
+
+Move the format extensions to a global variable.
+
+-----
+
+Write a README.txt with a description of the bundle.yaml format.
+
+Additionally, update the help text for the program (e.g. with `-h`)
+to provide the same detailed information.
+
+-----
+
+It may be easier to embed the README.txt in the program on build.
+
+

cmd/cert-bundler/testdata/bundle.yaml

@@ -0,0 +1,43 @@
+config:
+  hashes: bundle.sha256
+  expiry: 1y
+chains:
+  core_certs:
+    certs:
+      - root: pems/gts-r1.pem
+        intermediates:
+          - pems/goog-wr2.pem
+      - root: pems/isrg-root-x1.pem
+        intermediates:
+          - pems/le-e7.pem
+    outputs:
+      include_single: true
+      include_individual: true
+      manifest: true
+      formats:
+        - zip
+        - tgz
+  google_certs:
+    certs:
+      - root: pems/gts-r1.pem
+        intermediates:
+          - pems/goog-wr2.pem
+    outputs:
+      include_single: true
+      include_individual: false
+      manifest: true
+      encoding: der
+      formats:
+        - tgz
+  lets_encrypt:
+    certs:
+      - root: pems/isrg-root-x1.pem
+        intermediates:
+          - pems/le-e7.pem
+    outputs:
+      include_single: false
+      include_individual: true
+      manifest: false
+      encoding: both
+      formats:
+        - zip

cmd/cert-bundler/testdata/pems/goog-wr2.pem

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFCzCCAvOgAwIBAgIQf/AFoHxM3tEArZ1mpRB7mDANBgkqhkiG9w0BAQsFADBH
+MQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExM
+QzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMjMxMjEzMDkwMDAwWhcNMjkwMjIw
+MTQwMDAwWjA7MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNl
+cnZpY2VzMQwwCgYDVQQDEwNXUjIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCp/5x/RR5wqFOfytnlDd5GV1d9vI+aWqxG8YSau5HbyfsvAfuSCQAWXqAc
++MGr+XgvSszYhaLYWTwO0xj7sfUkDSbutltkdnwUxy96zqhMt/TZCPzfhyM1IKji
+aeKMTj+xWfpgoh6zySBTGYLKNlNtYE3pAJH8do1cCA8Kwtzxc2vFE24KT3rC8gIc
+LrRjg9ox9i11MLL7q8Ju26nADrn5Z9TDJVd06wW06Y613ijNzHoU5HEDy01hLmFX
+xRmpC5iEGuh5KdmyjS//V2pm4M6rlagplmNwEmceOuHbsCFx13ye/aoXbv4r+zgX
+FNFmp6+atXDMyGOBOozAKql2N87jAgMBAAGjgf4wgfswDgYDVR0PAQH/BAQDAgGG
+MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/
+AgEAMB0GA1UdDgQWBBTeGx7teRXUPjckwyG77DQ5bUKyMDAfBgNVHSMEGDAWgBTk
+rysmcRorSCeFL1JmLO/wiRNxPjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAKG
+GGh0dHA6Ly9pLnBraS5nb29nL3IxLmNydDArBgNVHR8EJDAiMCCgHqAchhpodHRw
+Oi8vYy5wa2kuZ29vZy9yL3IxLmNybDATBgNVHSAEDDAKMAgGBmeBDAECATANBgkq
+hkiG9w0BAQsFAAOCAgEARXWL5R87RBOWGqtY8TXJbz3S0DNKhjO6V1FP7sQ02hYS
+TL8Tnw3UVOlIecAwPJQl8hr0ujKUtjNyC4XuCRElNJThb0Lbgpt7fyqaqf9/qdLe
+SiDLs/sDA7j4BwXaWZIvGEaYzq9yviQmsR4ATb0IrZNBRAq7x9UBhb+TV+PfdBJT
+DhEl05vc3ssnbrPCuTNiOcLgNeFbpwkuGcuRKnZc8d/KI4RApW//mkHgte8y0YWu
+ryUJ8GLFbsLIbjL9uNrizkqRSvOFVU6xddZIMy9vhNkSXJ/UcZhjJY1pXAprffJB
+vei7j+Qi151lRehMCofa6WBmiA4fx+FOVsV2/7R6V2nyAiIJJkEd2nSi5SnzxJrl
+Xdaqev3htytmOPvoKWa676ATL/hzfvDaQBEcXd2Ppvy+275W+DKcH0FBbX62xevG
+iza3F4ydzxl6NJ8hk8R+dDXSqv1MbRT1ybB5W0k8878XSOjvmiYTDIfyc9acxVJr
+Y/cykHipa+te1pOhv7wYPYtZ9orGBV5SGOJm4NrB3K1aJar0RfzxC3ikr7Dyc6Qw
+qDTBU39CluVIQeuQRgwG3MuSxl7zRERDRilGoKb8uY45JzmxWuKxrfwT/478JuHU
+/oTxUFqOl2stKnn7QGTq8z29W+GgBLCXSBxC9epaHM0myFH/FJlniXJfHeytWt0=
+-----END CERTIFICATE-----

cmd/cert-bundler/testdata/pems/gts-r1.pem

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFVzCCAz+gAwIBAgINAgPlk28xsBNJiGuiFzANBgkqhkiG9w0BAQwFADBHMQsw
+CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
+MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAw
+MDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp
+Y2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwggIiMA0GCSqGSIb3DQEBAQUA
+A4ICDwAwggIKAoICAQC2EQKLHuOhd5s73L+UPreVp0A8of2C+X0yBoJx9vaMf/vo
+27xqLpeXo4xL+Sv2sfnOhB2x+cWX3u+58qPpvBKJXqeqUqv4IyfLpLGcY9vXmX7w
+Cl7raKb0xlpHDU0QM+NOsROjyBhsS+z8CZDfnWQpJSMHobTSPS5g4M/SCYe7zUjw
+TcLCeoiKu7rPWRnWr4+wB7CeMfGCwcDfLqZtbBkOtdh+JhpFAz2weaSUKK0Pfybl
+qAj+lug8aJRT7oM6iCsVlgmy4HqMLnXWnOunVmSPlk9orj2XwoSPwLxAwAtcvfaH
+szVsrBhQf4TgTM2S0yDpM7xSma8ytSmzJSq0SPly4cpk9+aCEI3oncKKiPo4Zor8
+Y/kB+Xj9e1x3+naH+uzfsQ55lVe0vSbv1gHR6xYKu44LtcXFilWr06zqkUspzBmk
+MiVOKvFlRNACzqrOSbTqn3yDsEB750Orp2yjj32JgfpMpf/VjsPOS+C12LOORc92
+wO1AK/1TD7Cn1TsNsYqiA94xrcx36m97PtbfkSIS5r762DL8EGMUUXLeXdYWk70p
+aDPvOmbsB4om3xPXV2V4J95eSRQAogB/mqghtqmxlbCluQ0WEdrHbEg8QOB+DVrN
+VjzRlwW5y0vtOUucxD/SVRNuJLDWcfr0wbrM7Rv1/oFB2ACYPTrIrnqYNxgFlQID
+AQABo0IwQDAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
+FgQU5K8rJnEaK0gnhS9SZizv8IkTcT4wDQYJKoZIhvcNAQEMBQADggIBAJ+qQibb
+C5u+/x6Wki4+omVKapi6Ist9wTrYggoGxval3sBOh2Z5ofmmWJyq+bXmYOfg6LEe
+QkEzCzc9zolwFcq1JKjPa7XSQCGYzyI0zzvFIoTgxQ6KfF2I5DUkzps+GlQebtuy
+h6f88/qBVRRiClmpIgUxPoLW7ttXNLwzldMXG+gnoot7TiYaelpkttGsN/H9oPM4
+7HLwEXWdyzRSjeZ2axfG34arJ45JK3VmgRAhpuo+9K4l/3wV3s6MJT/KYnAK9y8J
+ZgfIPxz88NtFMN9iiMG1D53Dn0reWVlHxYciNuaCp+0KueIHoI17eko8cdLiA6Ef
+MgfdG+RCzgwARWGAtQsgWSl4vflVy2PFPEz0tv/bal8xa5meLMFrUKTX5hgUvYU/
+Z6tGn6D/Qqc6f1zLXbBwHSs09dR2CQzreExZBfMzQsNhFRAbd03OIozUhfJFfbdT
+6u9AWpQKXCBfTkBdYiJ23//OYb2MI3jSNwLgjt7RETeJ9r/tSQdirpLsQBqvFAnZ
+0E6yove+7u7Y/9waLd64NnHi/Hm3lCXRSHNboTXns5lndcEZOitHTtNCjv0xyBZm
+2tIMPNuzjsmhDYAPexZ3FL//2wmUspO8IFgV6dtxQ/PeEMMA3KgqlbbC1j+Qa3bb
+bP6MvPJwNQzcmRk13NfIRmPVNnGuV/u3gm3c
+-----END CERTIFICATE-----

cmd/cert-bundler/testdata/pems/isrg-root-x1.pem

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+-----END CERTIFICATE-----

cmd/cert-bundler/testdata/pems/le-e7.pem

@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEVzCCAj+gAwIBAgIRAKp18eYrjwoiCWbTi7/UuqEwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw
+WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCRTcwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARB6AST
+CFh/vjcwDMCgQer+VtqEkz7JANurZxLP+U9TCeioL6sp5Z8VRvRbYk4P1INBmbef
+QHJFHCxcSjKmwtvGBWpl/9ra8HW0QDsUaJW2qOJqceJ0ZVFT3hbUHifBM/2jgfgw
+gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
+ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSuSJ7chx1EoG/aouVgdAR4
+wpwAgDAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB
+AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g
+BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu
+Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAjx66fDdLk5ywFn3CzA1w1qfylHUD
+aEf0QZpXcJseddJGSfbUUOvbNR9N/QQ16K1lXl4VFyhmGXDT5Kdfcr0RvIIVrNxF
+h4lqHtRRCP6RBRstqbZ2zURgqakn/Xip0iaQL0IdfHBZr396FgknniRYFckKORPG
+yM3QKnd66gtMst8I5nkRQlAg/Jb+Gc3egIvuGKWboE1G89NTsN9LTDD3PLj0dUMr
+OIuqVjLB8pEC6yk9enrlrqjXQgkLEYhXzq7dLafv5Vkig6Gl0nuuqjqfp0Q1bi1o
+yVNAlXe6aUXw92CcghC9bNsKEO1+M52YY5+ofIXlS/SEQbvVYYBLZ5yeiglV6t3S
+M6H+vTG0aP9YHzLn/KVOHzGQfXDP7qM5tkf+7diZe7o2fw6O7IvN6fsQXEQQj8TJ
+UXJxv2/uJhcuy/tSDgXwHM8Uk34WNbRT7zGTGkQRX0gsbjAea/jYAoWv0ZvQRwpq
+Pe79D/i7Cep8qWnA+7AE/3B3S/3dEEYmc0lpe1366A/6GEgk3ktr9PEoQrLChs6I
+tu3wnNLB2euC8IKGLQFpGtOO/2/hiAKjyajaBP25w1jF0Wl8Bbqne3uZ2q1GyPFJ
+YRmT7/OXpmOH/FVLtwS+8ng1cAmpCujPwteJZNcDG0sF2n/sc0+SQf49fdyUK0ty
++VUwFj9tmWxyR/M=
+-----END CERTIFICATE-----

cmd/cert-bundler/testdata/pkg/bundle.sha256

@@ -0,0 +1,4 @@
+5ed8bf9ed693045faa8a5cb0edc4a870052e56aef6291ce8b1604565affbc2a4  core_certs.zip
+e59eddc590d2f7b790a87c5b56e81697088ab54be382c0e2c51b82034006d308  core_certs.tgz
+51b9b63b1335118079e90700a3a5b847c363808e9116e576ca84f301bc433289  google_certs.tgz
+3d1910ca8835c3ded1755a8c7d6c48083c2f3ff68b2bfbf932aaf27e29d0a232  lets_encrypt.zip

cmd/certchain/BUILD.bazel

@@ -1,15 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "certchain_lib",
-    srcs = ["certchain.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/certchain",
-    visibility = ["//visibility:private"],
-    deps = ["//die"],
-)
-
-go_binary(
-    name = "certchain",
-    embed = [":certchain_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/certdump/BUILD.bazel

@@ -1,22 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "certdump_lib",
-    srcs = [
-        "certdump.go",
-        "util.go",
-    ],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/certdump",
-    visibility = ["//visibility:private"],
-    deps = [
-        "//certlib",
-        "//lib",
-        "@com_github_kr_text//:text",
-    ],
-)
-
-go_binary(
-    name = "certdump",
-    embed = [":certdump_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/certdump/certdump.go

@@ -110,6 +110,14 @@ func showBasicConstraints(cert *x509.Certificate) {
 
 	if cert.IsCA {
 		fmt.Printf(", is a CA certificate")
+		if !cert.BasicConstraintsValid {
+			fmt.Printf(" (basic constraint failure)")
+		}
+	} else {
+		fmt.Printf("is not a CA certificate")
+		if cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0 {
+			fmt.Printf(" (key encipherment usage enabled!)")
+		}
 	}
 
 	if (cert.MaxPathLen == 0 && cert.MaxPathLenZero) || (cert.MaxPathLen > 0) {

cmd/certexpiry/BUILD.bazel

@@ -1,19 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "certexpiry_lib",
-    srcs = ["main.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/certexpiry",
-    visibility = ["//visibility:private"],
-    deps = [
-        "//certlib",
-        "//die",
-        "//lib",
-    ],
-)
-
-go_binary(
-    name = "certexpiry",
-    embed = [":certexpiry_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/certverify/BUILD.bazel

@@ -1,20 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "certverify_lib",
-    srcs = ["main.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/certverify",
-    visibility = ["//visibility:private"],
-    deps = [
-        "//certlib",
-        "//certlib/revoke",
-        "//die",
-        "//lib",
-    ],
-)
-
-go_binary(
-    name = "certverify",
-    embed = [":certverify_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/clustersh/BUILD.bazel

@@ -1,20 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "clustersh_lib",
-    srcs = ["main.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/clustersh",
-    visibility = ["//visibility:private"],
-    deps = [
-        "//lib",
-        "@com_github_pkg_sftp//:sftp",
-        "@org_golang_x_crypto//ssh",
-        "@org_golang_x_crypto//ssh/agent",
-    ],
-)
-
-go_binary(
-    name = "clustersh",
-    embed = [":clustersh_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/cruntar/BUILD.bazel

@@ -1,18 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "cruntar_lib",
-    srcs = ["main.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/cruntar",
-    visibility = ["//visibility:private"],
-    deps = [
-        "//die",
-        "//fileutil",
-    ],
-)
-
-go_binary(
-    name = "cruntar",
-    embed = [":cruntar_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/csrpubdump/BUILD.bazel

@@ -1,15 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "csrpubdump_lib",
-    srcs = ["pubdump.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/csrpubdump",
-    visibility = ["//visibility:private"],
-    deps = ["//die"],
-)
-
-go_binary(
-    name = "csrpubdump",
-    embed = [":csrpubdump_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/diskimg/BUILD.bazel

@@ -1,19 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "diskimg_lib",
-    srcs = ["main.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/diskimg",
-    visibility = ["//visibility:private"],
-    deps = [
-        "//ahash",
-        "//dbg",
-        "//die",
-    ],
-)
-
-go_binary(
-    name = "diskimg",
-    embed = [":diskimg_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/dumpbytes/main.go

@@ -0,0 +1,71 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"git.wntrmute.dev/kyle/goutils/die"
+	"io"
+	"os"
+)
+
+func usage(w io.Writer, exc int) {
+	fmt.Fprintln(w, `usage: dumpbytes <file>`)
+	os.Exit(exc)
+}
+
+func printBytes(buf []byte) {
+	fmt.Printf("\t")
+	for i := 0; i < len(buf); i++ {
+		fmt.Printf("0x%02x, ", buf[i])
+	}
+	fmt.Println()
+}
+
+func dumpFile(path string, indentLevel int) error {
+	indent := ""
+	for i := 0; i < indentLevel; i++ {
+		indent += "\t"
+	}
+
+	file, err := os.Open(path)
+	if err != nil {
+		return err
+	}
+
+	defer file.Close()
+
+	fmt.Printf("%svar buffer = []byte{\n", indent)
+	for {
+		buf := make([]byte, 8)
+		n, err := file.Read(buf)
+		if err == io.EOF {
+			if n > 0 {
+				fmt.Printf("%s", indent)
+				printBytes(buf[:n])
+			}
+			break
+		}
+
+		if err != nil {
+			return err
+		}
+
+		fmt.Printf("%s", indent)
+		printBytes(buf[:n])
+	}
+
+	fmt.Printf("%s}\n", indent)
+	return nil
+}
+
+func main() {
+	indent := 0
+	flag.Usage = func() { usage(os.Stderr, 0) }
+	flag.IntVar(&indent, "n", 0, "indent level")
+	flag.Parse()
+
+	for _, file := range flag.Args() {
+		err := dumpFile(file, indent)
+		die.If(err)
+	}
+}

cmd/eig/BUILD.bazel

@@ -1,15 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "eig_lib",
-    srcs = ["main.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/eig",
-    visibility = ["//visibility:private"],
-    deps = ["//die"],
-)
-
-go_binary(
-    name = "eig",
-    embed = [":eig_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/fragment/BUILD.bazel

@@ -1,15 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "fragment_lib",
-    srcs = ["fragment.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/fragment",
-    visibility = ["//visibility:private"],
-    deps = ["//die"],
-)
-
-go_binary(
-    name = "fragment",
-    embed = [":fragment_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/host/README

@@ -0,0 +1,5 @@
+host
+
+This is a utility to display CNAME records and IPs for a hostname. It
+was born of my frustration in trying to figure out how to get the host(1)
+tool installed on Fedora.

cmd/host/main.go

@@ -0,0 +1,41 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+	"net"
+)
+
+func lookupHost(host string) error {
+	cname, err := net.LookupCNAME(host)
+	if err != nil {
+		return err
+	}
+
+	if cname != host {
+		fmt.Printf("%s is a CNAME for %s\n", host, cname)
+		host = cname
+	}
+
+	addrs, err := net.LookupHost(host)
+	if err != nil {
+		return err
+	}
+
+	for _, addr := range addrs {
+		fmt.Printf("\t%s\n", addr)
+	}
+
+	return nil
+}
+
+func main() {
+	flag.Parse()
+
+	for _, arg := range flag.Args() {
+		if err := lookupHost(arg); err != nil {
+			log.Printf("%s: %s", arg, err)
+		}
+	}
+}

cmd/jlp/BUILD.bazel

@@ -1,15 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "jlp_lib",
-    srcs = ["jlp.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/jlp",
-    visibility = ["//visibility:private"],
-    deps = ["//lib"],
-)
-
-go_binary(
-    name = "jlp",
-    embed = [":jlp_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/kgz/BUILD.bazel

@@ -1,15 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "kgz_lib",
-    srcs = ["main.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/kgz",
-    visibility = ["//visibility:private"],
-    deps = ["@com_github_pkg_errors//:errors"],
-)
-
-go_binary(
-    name = "kgz",
-    embed = [":kgz_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/minmax/README

@@ -0,0 +1,3 @@
+minmax
+
+A quick tool to calculate minmax codes if needed for uLisp.

cmd/minmax/minmax.go

@@ -0,0 +1,53 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+	"strconv"
+)
+
+var kinds = map[string]int{
+	"sym": 0,
+	"tf":  1,
+	"fn":  2,
+	"sp":  3,
+}
+
+func dieIf(err error) {
+	if err == nil {
+		return
+	}
+	fmt.Fprintf(os.Stderr, "[!] %s\n", err)
+	os.Exit(1)
+}
+
+func usage() {
+	fmt.Fprintf(os.Stderr, "usage: minmax type min max\n")
+	fmt.Fprintf(os.Stderr, "    type is one of fn, sp, sym, tf\n")
+	os.Exit(1)
+}
+
+func main() {
+	flag.Parse()
+
+	if flag.NArg() != 3 {
+		usage()
+	}
+
+	kind, ok := kinds[flag.Arg(0)]
+	if !ok {
+		usage()
+	}
+
+	min, err := strconv.Atoi(flag.Arg(1))
+	dieIf(err)
+
+	max, err := strconv.Atoi(flag.Arg(2))
+	dieIf(err)
+
+	code := kind << 6
+	code += (min << 3)
+	code += max
+	fmt.Printf("%0o\n", code)
+}

cmd/parts/BUILD.bazel

@@ -1,15 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "parts_lib",
-    srcs = ["main.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/parts",
-    visibility = ["//visibility:private"],
-    deps = ["//die"],
-)
-
-go_binary(
-    name = "parts",
-    embed = [":parts_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/pem2bin/BUILD.bazel

@@ -1,14 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "pem2bin_lib",
-    srcs = ["main.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/pem2bin",
-    visibility = ["//visibility:private"],
-)
-
-go_binary(
-    name = "pem2bin",
-    embed = [":pem2bin_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/pembody/BUILD.bazel

@@ -1,15 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "pembody_lib",
-    srcs = ["pembody.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/pembody",
-    visibility = ["//visibility:private"],
-    deps = ["//lib"],
-)
-
-go_binary(
-    name = "pembody",
-    embed = [":pembody_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/pemit/BUILD.bazel

@@ -1,19 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "pemit_lib",
-    srcs = ["main.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/pemit",
-    visibility = ["//visibility:private"],
-    deps = [
-        "//assert",
-        "//die",
-        "//lib",
-    ],
-)
-
-go_binary(
-    name = "pemit",
-    embed = [":pemit_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/readchain/BUILD.bazel

@@ -1,14 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "readchain_lib",
-    srcs = ["chain.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/readchain",
-    visibility = ["//visibility:private"],
-)
-
-go_binary(
-    name = "readchain",
-    embed = [":readchain_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/renfnv/BUILD.bazel

@@ -1,18 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "renfnv_lib",
-    srcs = ["renfnv.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/renfnv",
-    visibility = ["//visibility:private"],
-    deps = [
-        "//fileutil",
-        "//lib",
-    ],
-)
-
-go_binary(
-    name = "renfnv",
-    embed = [":renfnv_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/rhash/BUILD.bazel

@@ -1,19 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "rhash_lib",
-    srcs = ["main.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/rhash",
-    visibility = ["//visibility:private"],
-    deps = [
-        "//ahash",
-        "//die",
-        "//lib",
-    ],
-)
-
-go_binary(
-    name = "rhash",
-    embed = [":rhash_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/rolldie/main.go

@@ -0,0 +1,48 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"math/rand"
+	"os"
+	"regexp"
+	"strconv"
+
+	"git.wntrmute.dev/kyle/goutils/die"
+)
+
+var dieRollFormat = regexp.MustCompile(`^(\d+)[dD](\d+)$`)
+
+func rollDie(count, sides int) []int {
+	sum := 0
+	var rolls []int
+
+	for i := 0; i < count; i++ {
+		roll := rand.Intn(sides) + 1
+		sum += roll
+		rolls = append(rolls, roll)
+	}
+
+	rolls = append(rolls, sum)
+	return rolls
+}
+
+func main() {
+	flag.Parse()
+
+	for _, arg := range flag.Args() {
+		if !dieRollFormat.MatchString(arg) {
+			fmt.Fprintf(os.Stderr, "invalid die format %s: should be XdY\n", arg)
+			os.Exit(1)
+		}
+
+		dieRoll := dieRollFormat.FindAllStringSubmatch(arg, -1)
+		count, err := strconv.Atoi(dieRoll[0][1])
+		die.If(err)
+
+		sides, err := strconv.Atoi(dieRoll[0][2])
+		die.If(err)
+
+		fmt.Println(rollDie(count, sides))
+	}
+}

cmd/showimp/BUILD.bazel

@@ -1,18 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "showimp_lib",
-    srcs = ["main.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/showimp",
-    visibility = ["//visibility:private"],
-    deps = [
-        "//dbg",
-        "//die",
-    ],
-)
-
-go_binary(
-    name = "showimp",
-    embed = [":showimp_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/ski/BUILD.bazel

@@ -1,18 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "ski_lib",
-    srcs = ["main.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/ski",
-    visibility = ["//visibility:private"],
-    deps = [
-        "//die",
-        "//lib",
-    ],
-)
-
-go_binary(
-    name = "ski",
-    embed = [":ski_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/sprox/BUILD.bazel

@@ -1,15 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "sprox_lib",
-    srcs = ["main.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/sprox",
-    visibility = ["//visibility:private"],
-    deps = ["//die"],
-)
-
-go_binary(
-    name = "sprox",
-    embed = [":sprox_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/stealchain-server/BUILD.bazel

@@ -1,15 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "stealchain-server_lib",
-    srcs = ["main.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/stealchain-server",
-    visibility = ["//visibility:private"],
-    deps = ["//die"],
-)
-
-go_binary(
-    name = "stealchain-server",
-    embed = [":stealchain-server_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/stealchain/BUILD.bazel

@@ -1,15 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "stealchain_lib",
-    srcs = ["thief.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/stealchain",
-    visibility = ["//visibility:private"],
-    deps = ["//die"],
-)
-
-go_binary(
-    name = "stealchain",
-    embed = [":stealchain_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/subjhash/BUILD.bazel

@@ -1,19 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "subjhash_lib",
-    srcs = ["main.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/subjhash",
-    visibility = ["//visibility:private"],
-    deps = [
-        "//certlib",
-        "//die",
-        "//lib",
-    ],
-)
-
-go_binary(
-    name = "subjhash",
-    embed = [":subjhash_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/tlsinfo/README.txt

@@ -0,0 +1,34 @@
+tlsinfo: show TLS version, cipher, and peer certificates
+---------------------------------------------------------
+
+Description
+  tlsinfo connects to a TLS server and prints the negotiated TLS version and
+  cipher suite, followed by details for each certificate in the server’s
+  presented chain (as provided by the server).
+
+Usage
+  tlsinfo <hostname:port>
+
+Output
+  The program prints the negotiated protocol and cipher, then one section per
+  certificate in the order received from the server. Example fields:
+    TLS Version: TLS 1.3
+    Cipher Suite: TLS_AES_128_GCM_SHA256
+    Certificate 1
+        Subject: CN=example.com, O=Example Corp, C=US
+        Issuer: CN=Example Root CA, O=Example Corp, C=US
+        DNS Names: [example.com www.example.com]
+        Not Before: 2025-01-01 00:00:00 +0000 UTC
+        Not After:  2026-01-01 23:59:59 +0000 UTC
+
+Examples
+  # Inspect a public HTTPS endpoint
+  tlsinfo example.com:443
+
+Notes
+  - Verification is intentionally disabled (InsecureSkipVerify=true). The tool
+    does not validate the server certificate or hostname; it is for inspection
+    only.
+  - The SNI/ServerName is inferred from <hostname> when applicable.
+  - You must specify a port (e.g., 443 for HTTPS).
+  - The entire certificate chain is printed exactly as presented by the server.

cmd/tlsinfo/main.go

@@ -0,0 +1,64 @@
+package main
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"os"
+)
+
+func main() {
+	if len(os.Args) != 2 {
+		fmt.Printf("Usage: %s ‹hostname:port>\n", os.Args[0])
+		os.Exit(1)
+	}
+
+	hostPort := os.Args[1]
+	conn, err := tls.Dial("tcp", hostPort, &tls.Config{
+		InsecureSkipVerify: true,
+	})
+
+	if err != nil {
+		fmt.Printf("Failed to connect to the TLS server: %v\n", err)
+		os.Exit(1)
+	}
+	defer conn.Close()
+	state := conn.ConnectionState()
+	printConnectionDetails(state)
+}
+
+func printConnectionDetails(state tls.ConnectionState) {
+	version := tlsVersion(state.Version)
+	cipherSuite := tls.CipherSuiteName(state.CipherSuite)
+	fmt.Printf("TLS Version: %s\n", version)
+	fmt.Printf("Cipher Suite: %s\n", cipherSuite)
+	printPeerCertificates(state.PeerCertificates)
+}
+
+func tlsVersion(version uint16) string {
+	switch version {
+
+	case tls.VersionTLS13:
+		return "TLS 1.3"
+	case tls.VersionTLS12:
+
+		return "TLS 1.2"
+	case tls.VersionTLS11:
+		return "TLS 1.1"
+	case tls.VersionTLS10:
+		return "TLS 1.0"
+	default:
+		return "Unknown"
+	}
+}
+
+func printPeerCertificates(certificates []*x509.Certificate) {
+	for i, cert := range certificates {
+		fmt.Printf("Certificate %d\n", i+1)
+		fmt.Printf("\tSubject: %s\n", cert.Subject)
+		fmt.Printf("\tIssuer: %s\n", cert.Issuer)
+		fmt.Printf("\tDNS Names:	%v\n", cert.DNSNames)
+		fmt.Printf("\tNot Before: %s\n:", cert.NotBefore)
+		fmt.Printf("\tNot After: %s\n", cert.NotAfter)
+	}
+}

cmd/tlskeypair/BUILD.bazel

@@ -1,15 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "tlskeypair_lib",
-    srcs = ["main.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/tlskeypair",
-    visibility = ["//visibility:private"],
-    deps = ["//die"],
-)
-
-go_binary(
-    name = "tlskeypair",
-    embed = [":tlskeypair_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/utc/BUILD.bazel

@@ -1,14 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "utc_lib",
-    srcs = ["main.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/utc",
-    visibility = ["//visibility:private"],
-)
-
-go_binary(
-    name = "utc",
-    embed = [":utc_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/yamll/BUILD.bazel

@@ -1,15 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "yamll_lib",
-    srcs = ["main.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/cmd/yamll",
-    visibility = ["//visibility:private"],
-    deps = ["@in_gopkg_yaml_v2//:yaml_v2"],
-)
-
-go_binary(
-    name = "yamll",
-    embed = [":yamll_lib"],
-    visibility = ["//visibility:public"],
-)

cmd/zsearch/main.go

@@ -0,0 +1,136 @@
+// zsearch is a utility for searching zlib-compressed files for a
+// search string. It was really designed for use with the Git object
+// store, i.e. to aid in the recovery of files after Git does what Git
+// do.
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"compress/zlib"
+	"flag"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"regexp"
+)
+
+const defaultDirectory = ".git/objects"
+
+func errorf(format string, a ...interface{}) {
+	fmt.Fprintf(os.Stderr, format, a...)
+	if format[len(format)-1] != '\n' {
+		fmt.Fprintf(os.Stderr, "\n")
+	}
+}
+
+func isDir(path string) bool {
+	fi, err := os.Stat(path)
+	if err != nil {
+		return false
+	}
+
+	return fi.IsDir()
+}
+
+func loadFile(path string) ([]byte, error) {
+	file, err := os.Open(path)
+	if err != nil {
+		return nil, err
+	}
+	defer file.Close()
+
+	buf := new(bytes.Buffer)
+	zread, err := zlib.NewReader(file)
+	if err != nil {
+		return nil, err
+	}
+	defer zread.Close()
+
+	_, err = io.Copy(buf, zread)
+	if err != nil {
+		return nil, err
+	}
+	return buf.Bytes(), nil
+}
+
+func showFile(path string) {
+	fileData, err := loadFile(path)
+	if err != nil {
+		errorf("%v", err)
+		return
+	}
+
+	fmt.Printf("%s\n", fileData)
+}
+
+func searchFile(path string, search *regexp.Regexp) error {
+	file, err := os.Open(path)
+	if err != nil {
+		errorf("%v", err)
+		return err
+	}
+	defer file.Close()
+
+	zread, err := zlib.NewReader(file)
+	if err != nil {
+		errorf("%v", err)
+		return err
+	}
+	defer zread.Close()
+
+	zbuf := bufio.NewReader(zread)
+	if search.MatchReader(zbuf) {
+		fileData, err := loadFile(path)
+		if err != nil {
+			errorf("%v", err)
+			return err
+		}
+		fmt.Printf("%s:\n%s\n", path, fileData)
+	}
+	return nil
+}
+
+func buildWalker(searchExpr *regexp.Regexp) filepath.WalkFunc {
+	return func(path string, info os.FileInfo, err error) error {
+		if info.Mode().IsRegular() {
+			return searchFile(path, searchExpr)
+		}
+		return nil
+	}
+}
+
+func main() {
+	flSearch := flag.String("s", "", "search string (should be an RE2 regular expression)")
+	flag.Parse()
+
+	if *flSearch == "" {
+		for _, path := range flag.Args() {
+			showFile(path)
+		}
+	} else {
+		search, err := regexp.Compile(*flSearch)
+		if err != nil {
+			errorf("Bad regexp: %v", err)
+			return
+		}
+
+		pathList := flag.Args()
+		if len(pathList) == 0 {
+			pathList = []string{defaultDirectory}
+		}
+
+		for _, path := range pathList {
+			if isDir(path) {
+				err := filepath.Walk(path, buildWalker(search))
+				if err != nil {
+					errorf("%v", err)
+					return
+				}
+			} else {
+				searchFile(path, search)
+			}
+		}
+	}
+}

config/BUILD.bazel

@@ -1,24 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
-
-go_library(
-    name = "config",
-    srcs = [
-        "config.go",
-        "path.go",
-        "path_linux.go",
-    ],
-    importpath = "git.wntrmute.dev/kyle/goutils/config",
-    visibility = ["//visibility:public"],
-    deps = ["//config/iniconf"],
-)
-
-go_test(
-    name = "config_test",
-    size = "small",
-    srcs = [
-        "config_test.go",
-        "path_test.go",
-    ],
-    data = glob(["testdata/**"]),
-    embed = [":config"],
-)

config/iniconf/BUILD.bazel

@@ -1,16 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
-
-go_library(
-    name = "iniconf",
-    srcs = ["iniconf.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/config/iniconf",
-    visibility = ["//visibility:public"],
-)
-
-go_test(
-    name = "iniconf_test",
-    size = "small",
-    srcs = ["iniconf_test.go"],
-    data = glob(["testdata/**"]),
-    embed = [":iniconf"],
-)

dbg/BUILD.bazel

@@ -1,19 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
-
-go_library(
-    name = "dbg",
-    srcs = ["dbg.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/dbg",
-    visibility = ["//visibility:public"],
-)
-
-go_test(
-    name = "dbg_test",
-    size = "small",
-    srcs = ["dbg_test.go"],
-    embed = [":dbg"],
-    deps = [
-        "//assert",
-        "//testio",
-    ],
-)

deps.bzl

@@ -1,346 +0,0 @@
-load("@bazel_gazelle//:deps.bzl", "go_repository")
-
-def go_dependencies():
-    go_repository(
-        name = "com_github_akavel_rsrc",
-        importpath = "github.com/akavel/rsrc",
-        sum = "h1:zjWn7ukO9Kc5Q62DOJCcxGpXC18RawVtYAGdz2aLlfw=",
-        version = "v0.8.0",
-    )
-    go_repository(
-        name = "com_github_certifi_gocertifi",
-        importpath = "github.com/certifi/gocertifi",
-        sum = "h1:6/yVvBsKeAw05IUj4AzvrxaCnDjN4nUqKjW9+w5wixg=",
-        version = "v0.0.0-20180118203423-deb3ae2ef261",
-    )
-    go_repository(
-        name = "com_github_cloudflare_backoff",
-        importpath = "github.com/cloudflare/backoff",
-        sum = "h1:8d1CEOF1xldesKds5tRG3tExBsMOgWYownMHNCsev54=",
-        version = "v0.0.0-20161212185259-647f3cdfc87a",
-    )
-    go_repository(
-        name = "com_github_cloudflare_cfssl",
-        importpath = "github.com/cloudflare/cfssl",
-        sum = "h1:vFJDAvQgFSRbCn9zg8KpSrrEZrBAQ4KO5oNK7SXEyb0=",
-        version = "v1.5.0",
-    )
-    go_repository(
-        name = "com_github_cloudflare_go_metrics",
-        importpath = "github.com/cloudflare/go-metrics",
-        sum = "h1:/8sZyuGTAU2+fYv0Sz9lBcipqX0b7i4eUl8pSStk/4g=",
-        version = "v0.0.0-20151117154305-6a9aea36fb41",
-    )
-    go_repository(
-        name = "com_github_cloudflare_redoctober",
-        importpath = "github.com/cloudflare/redoctober",
-        sum = "h1:p0Q1GvgWtVf46XpMMibupKiE7aQxPYUIb+/jLTTK2kM=",
-        version = "v0.0.0-20171127175943-746a508df14c",
-    )
-    go_repository(
-        name = "com_github_creack_pty",
-        importpath = "github.com/creack/pty",
-        sum = "h1:uDmaGzcdjhF4i/plgjmEsriH11Y0o7RKapEf/LDaM3w=",
-        version = "v1.1.9",
-    )
-    go_repository(
-        name = "com_github_daaku_go_zipexe",
-        importpath = "github.com/daaku/go.zipexe",
-        sum = "h1:VSOgZtH418pH9L16hC/JrgSNJbbAL26pj7lmD1+CGdY=",
-        version = "v1.0.0",
-    )
-    go_repository(
-        name = "com_github_davecgh_go_spew",
-        importpath = "github.com/davecgh/go-spew",
-        sum = "h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=",
-        version = "v1.1.1",
-    )
-    go_repository(
-        name = "com_github_geertjohan_go_incremental",
-        importpath = "github.com/GeertJohan/go.incremental",
-        sum = "h1:7AH+pY1XUgQE4Y1HcXYaMqAI0m9yrFqo/jt0CW30vsg=",
-        version = "v1.0.0",
-    )
-    go_repository(
-        name = "com_github_geertjohan_go_rice",
-        importpath = "github.com/GeertJohan/go.rice",
-        sum = "h1:KkI6O9uMaQU3VEKaj01ulavtF7o1fWT7+pk/4voiMLQ=",
-        version = "v1.0.0",
-    )
-    go_repository(
-        name = "com_github_getsentry_raven_go",
-        importpath = "github.com/getsentry/raven-go",
-        sum = "h1:ELaJ1cjF2nEJeIlHXahGme22yG7TK+3jB6IGCq0Cdrc=",
-        version = "v0.0.0-20180121060056-563b81fc02b7",
-    )
-    go_repository(
-        name = "com_github_go_sql_driver_mysql",
-        importpath = "github.com/go-sql-driver/mysql",
-        sum = "h1:7LxgVwFb2hIQtMm87NdgAVfXjnt4OePseqT1tKx+opk=",
-        version = "v1.4.0",
-    )
-    go_repository(
-        name = "com_github_golang_protobuf",
-        importpath = "github.com/golang/protobuf",
-        sum = "h1:YF8+flBXS5eO826T4nzqPrxfhQThhXl0YzfuUPu4SBg=",
-        version = "v1.3.1",
-    )
-    go_repository(
-        name = "com_github_google_certificate_transparency_go",
-        importpath = "github.com/google/certificate-transparency-go",
-        sum = "h1:Yf1aXowfZ2nuboBsg7iYGLmwsOARdV86pfH3g95wXmE=",
-        version = "v1.0.21",
-    )
-    go_repository(
-        name = "com_github_hashicorp_go_syslog",
-        importpath = "github.com/hashicorp/go-syslog",
-        sum = "h1:KaodqZuhUoZereWVIYmpUgZysurB1kBLX2j0MwMrUAE=",
-        version = "v1.0.0",
-    )
-
-    go_repository(
-        name = "com_github_jessevdk_go_flags",
-        importpath = "github.com/jessevdk/go-flags",
-        sum = "h1:4IU2WS7AumrZ/40jfhf4QVDMsQwqA7VEHozFRrGARJA=",
-        version = "v1.4.0",
-    )
-    go_repository(
-        name = "com_github_jmhodges_clock",
-        importpath = "github.com/jmhodges/clock",
-        sum = "h1:dYTbLf4m0a5u0KLmPfB6mgxbcV7588bOCx79hxa5Sr4=",
-        version = "v0.0.0-20160418191101-880ee4c33548",
-    )
-    go_repository(
-        name = "com_github_jmoiron_sqlx",
-        importpath = "github.com/jmoiron/sqlx",
-        sum = "h1:41Ip0zITnmWNR/vHV+S4m+VoUivnWY5E4OJfLZjCJMA=",
-        version = "v1.2.0",
-    )
-    go_repository(
-        name = "com_github_kisielk_sqlstruct",
-        importpath = "github.com/kisielk/sqlstruct",
-        sum = "h1:o/c0aWEP/m6n61xlYW2QP4t9424qlJOsxugn5Zds2Rg=",
-        version = "v0.0.0-20150923205031-648daed35d49",
-    )
-    go_repository(
-        name = "com_github_kisom_goutils",
-        importpath = "github.com/kisom/goutils",
-        sum = "h1:z4HEOgAnFq+e1+O4QdVsyDPatJDu5Ei/7w7DRbYjsIA=",
-        version = "v1.1.0",
-    )
-    go_repository(
-        name = "com_github_konsorten_go_windows_terminal_sequences",
-        importpath = "github.com/konsorten/go-windows-terminal-sequences",
-        sum = "h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=",
-        version = "v1.0.1",
-    )
-    go_repository(
-        name = "com_github_kr_fs",
-        importpath = "github.com/kr/fs",
-        sum = "h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=",
-        version = "v0.1.0",
-    )
-    go_repository(
-        name = "com_github_kr_pretty",
-        importpath = "github.com/kr/pretty",
-        sum = "h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=",
-        version = "v0.1.0",
-    )
-    go_repository(
-        name = "com_github_kr_pty",
-        importpath = "github.com/kr/pty",
-        sum = "h1:VkoXIwSboBpnk99O/KFauAEILuNHv5DVFKZMBN/gUgw=",
-        version = "v1.1.1",
-    )
-    go_repository(
-        name = "com_github_kr_text",
-        importpath = "github.com/kr/text",
-        sum = "h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=",
-        version = "v0.2.0",
-    )
-    go_repository(
-        name = "com_github_kylelemons_go_gypsy",
-        importpath = "github.com/kylelemons/go-gypsy",
-        sum = "h1:mkl3tvPHIuPaWsLtmHTybJeoVEW7cbePK73Ir8VtruA=",
-        version = "v0.0.0-20160905020020-08cad365cd28",
-    )
-    go_repository(
-        name = "com_github_lib_pq",
-        importpath = "github.com/lib/pq",
-        sum = "h1:/qkRGz8zljWiDcFvgpwUpwIAPu3r07TDvs3Rws+o/pU=",
-        version = "v1.3.0",
-    )
-    go_repository(
-        name = "com_github_mattn_go_sqlite3",
-        importpath = "github.com/mattn/go-sqlite3",
-        sum = "h1:jbhqpg7tQe4SupckyijYiy0mJJ/pRyHvXf7JdWK860o=",
-        version = "v1.10.0",
-    )
-    go_repository(
-        name = "com_github_mreiferson_go_httpclient",
-        importpath = "github.com/mreiferson/go-httpclient",
-        sum = "h1:oKIteTqeSpenyTrOVj5zkiyCaflLa8B+CD0324otT+o=",
-        version = "v0.0.0-20160630210159-31f0106b4474",
-    )
-    go_repository(
-        name = "com_github_nkovacs_streamquote",
-        importpath = "github.com/nkovacs/streamquote",
-        sum = "h1:E2B8qYyeSgv5MXpmzZXRNp8IAQ4vjxIjhpAf5hv/tAg=",
-        version = "v0.0.0-20170412213628-49af9bddb229",
-    )
-    go_repository(
-        name = "com_github_op_go_logging",
-        importpath = "github.com/op/go-logging",
-        sum = "h1:lDH9UUVJtmYCjyT0CI4q8xvlXPxeZ0gYCVvWbmPlp88=",
-        version = "v0.0.0-20160315200505-970db520ece7",
-    )
-    go_repository(
-        name = "com_github_pkg_errors",
-        importpath = "github.com/pkg/errors",
-        sum = "h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=",
-        version = "v0.9.1",
-    )
-    go_repository(
-        name = "com_github_pkg_sftp",
-        importpath = "github.com/pkg/sftp",
-        sum = "h1:/f3b24xrDhkhddlaobPe2JgBqfdt+gC/NYl0QY9IOuI=",
-        version = "v1.12.0",
-    )
-    go_repository(
-        name = "com_github_pmezard_go_difflib",
-        importpath = "github.com/pmezard/go-difflib",
-        sum = "h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=",
-        version = "v1.0.0",
-    )
-    go_repository(
-        name = "com_github_sirupsen_logrus",
-        importpath = "github.com/sirupsen/logrus",
-        sum = "h1:hI/7Q+DtNZ2kINb6qt/lS+IyXnHQe9e90POfeewL/ME=",
-        version = "v1.3.0",
-    )
-    go_repository(
-        name = "com_github_stretchr_objx",
-        importpath = "github.com/stretchr/objx",
-        sum = "h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=",
-        version = "v0.1.0",
-    )
-    go_repository(
-        name = "com_github_stretchr_testify",
-        importpath = "github.com/stretchr/testify",
-        sum = "h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=",
-        version = "v1.6.1",
-    )
-    go_repository(
-        name = "com_github_valyala_bytebufferpool",
-        importpath = "github.com/valyala/bytebufferpool",
-        sum = "h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=",
-        version = "v1.0.0",
-    )
-    go_repository(
-        name = "com_github_valyala_fasttemplate",
-        importpath = "github.com/valyala/fasttemplate",
-        sum = "h1:tY9CJiPnMXf1ERmG2EyK7gNUd+c6RKGD0IfU8WdUSz8=",
-        version = "v1.0.1",
-    )
-    go_repository(
-        name = "com_github_weppos_publicsuffix_go",
-        importpath = "github.com/weppos/publicsuffix-go",
-        sum = "h1:0Tu1uzLBd1jPn4k6OnMmOPZH/l/9bj9kUOMMkoRs6Gg=",
-        version = "v0.13.0",
-    )
-    go_repository(
-        name = "com_github_ziutek_mymysql",
-        importpath = "github.com/ziutek/mymysql",
-        sum = "h1:GB0qdRGsTwQSBVYuVShFBKaXSnSnYYC2d9knnE1LHFs=",
-        version = "v1.5.4",
-    )
-    go_repository(
-        name = "com_github_zmap_rc2",
-        importpath = "github.com/zmap/rc2",
-        sum = "h1:kKCF7VX/wTmdg2ZjEaqlq99Bjsoiz7vH6sFniF/vI4M=",
-        version = "v0.0.0-20131011165748-24b9757f5521",
-    )
-    go_repository(
-        name = "com_github_zmap_zcertificate",
-        importpath = "github.com/zmap/zcertificate",
-        sum = "h1:17HHAgFKlLcZsDOjBOUrd5hDihb1ggf+1a5dTbkgkIY=",
-        version = "v0.0.0-20180516150559-0e3d58b1bac4",
-    )
-    go_repository(
-        name = "com_github_zmap_zcrypto",
-        importpath = "github.com/zmap/zcrypto",
-        sum = "h1:PIpcdSOg3pMdFJUBg5yR9xxcj5rm/SGAyaWT/wK6Kco=",
-        version = "v0.0.0-20200911161511-43ff0ea04f21",
-    )
-    go_repository(
-        name = "com_github_zmap_zlint_v2",
-        importpath = "github.com/zmap/zlint/v2",
-        sum = "h1:b2kI/ToXX16h2wjV2c6Da65eT6aTMtkLHKetXuM9EtI=",
-        version = "v2.2.1",
-    )
-    go_repository(
-        name = "in_gopkg_check_v1",
-        importpath = "gopkg.in/check.v1",
-        sum = "h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=",
-        version = "v1.0.0-20180628173108-788fd7840127",
-    )
-    go_repository(
-        name = "in_gopkg_yaml_v2",
-        importpath = "gopkg.in/yaml.v2",
-        sum = "h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=",
-        version = "v2.4.0",
-    )
-    go_repository(
-        name = "in_gopkg_yaml_v3",
-        importpath = "gopkg.in/yaml.v3",
-        sum = "h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=",
-        version = "v3.0.0-20200313102051-9f266ea9e77c",
-    )
-    go_repository(
-        name = "org_bitbucket_liamstask_goose",
-        importpath = "bitbucket.org/liamstask/goose",
-        sum = "h1:bkb2NMGo3/Du52wvYj9Whth5KZfMV6d3O0Vbr3nz/UE=",
-        version = "v0.0.0-20150115234039-8488cc47d90c",
-    )
-    go_repository(
-        name = "org_golang_x_crypto",
-        importpath = "golang.org/x/crypto",
-        sum = "h1:Qwe1rC8PSniVfAFPFJeyUkB+zcysC3RgJBAGk7eqBEU=",
-        version = "v0.0.0-20220314234659-1baeb1ce4c0b",
-    )
-    go_repository(
-        name = "org_golang_x_lint",
-        importpath = "golang.org/x/lint",
-        sum = "h1:5hukYrvBGR8/eNkX5mdUezrA6JiaEZDtJb9Ei+1LlBs=",
-        version = "v0.0.0-20190930215403-16217165b5de",
-    )
-    go_repository(
-        name = "org_golang_x_net",
-        importpath = "golang.org/x/net",
-        sum = "h1:CIJ76btIcR3eFI5EgSo6k1qKw9KJexJuRLI9G7Hp5wE=",
-        version = "v0.0.0-20211112202133-69e39bad7dc2",
-    )
-    go_repository(
-        name = "org_golang_x_sys",
-        importpath = "golang.org/x/sys",
-        sum = "h1:ntjMns5wyP/fN65tdBD4g8J5w8n015+iIIs9rtjXkY0=",
-        version = "v0.0.0-20220412211240-33da011f77ad",
-    )
-    go_repository(
-        name = "org_golang_x_term",
-        importpath = "golang.org/x/term",
-        sum = "h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=",
-        version = "v0.0.0-20201126162022-7de9c90e9dd1",
-    )
-    go_repository(
-        name = "org_golang_x_text",
-        importpath = "golang.org/x/text",
-        sum = "h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=",
-        version = "v0.3.6",
-    )
-    go_repository(
-        name = "org_golang_x_tools",
-        importpath = "golang.org/x/tools",
-        sum = "h1:/e+gpKk9r3dJobndpTytxS2gOy6m5uvpg+ISQoEcusQ=",
-        version = "v0.0.0-20190311212946-11955173bddd",
-    )

die/BUILD.bazel

@@ -1,8 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library")
-
-go_library(
-    name = "die",
-    srcs = ["die.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/die",
-    visibility = ["//visibility:public"],
-)

fileutil/BUILD.bazel

@@ -1,54 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library")
-
-go_library(
-    name = "fileutil",
-    srcs = [
-        "fileutil.go",
-        "fileutil_windows.go",
-        "symlinks.go",
-    ],
-    importpath = "git.wntrmute.dev/kyle/goutils/fileutil",
-    visibility = ["//visibility:public"],
-    deps = select({
-        "@io_bazel_rules_go//go/platform:aix": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:android": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:darwin": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:dragonfly": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:freebsd": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:illumos": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:ios": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:js": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:linux": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:netbsd": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:openbsd": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:plan9": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:solaris": [
-            "@org_golang_x_sys//unix",
-        ],
-        "//conditions:default": [],
-    }),
-)

gazelle.sh

@@ -1,14 +0,0 @@
-#!/bin/bash
-
-set -euxo pipefail
-
-BAZEL="bazel"
-if [ -z "$(command -v ${BAZEL})" ]
-then
-	BAZEL="bazelisk"
-fi
-
-$BAZEL run //:gazelle
-$BAZEL run //:gazelle -- update-repos -from_file=go.mod -to_macro=deps.bzl%go_dependencies
-$BAZEL run //:gazelle
-

lib/BUILD.bazel

@@ -1,109 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library")
-
-go_library(
-    name = "lib",
-    srcs = [
-        "defs.go",
-        "ftime_bsd.go",
-        "ftime_unix.go",
-        "lib.go",
-    ],
-    importpath = "git.wntrmute.dev/kyle/goutils/lib",
-    visibility = ["//visibility:public"],
-    deps = select({
-        "@io_bazel_rules_go//go/platform:android_386": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:android_amd64": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:android_arm": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:android_arm64": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:darwin_386": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:darwin_amd64": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:freebsd_386": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:freebsd_amd64": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:freebsd_arm": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:freebsd_arm64": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:ios_amd64": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:linux_386": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:linux_amd64": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:linux_arm": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:linux_arm64": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:linux_mips": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:linux_mips64": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:linux_mips64le": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:linux_mipsle": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:linux_ppc64": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:linux_ppc64le": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:linux_riscv64": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:linux_s390x": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:netbsd_386": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:netbsd_amd64": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:netbsd_arm": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:netbsd_arm64": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:openbsd_386": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:openbsd_amd64": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:openbsd_arm": [
-            "@org_golang_x_sys//unix",
-        ],
-        "@io_bazel_rules_go//go/platform:openbsd_arm64": [
-            "@org_golang_x_sys//unix",
-        ],
-        "//conditions:default": [],
-    }),
-)

log/BUILD.bazel

@@ -1,23 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library")
-
-go_library(
-    name = "syslog",
-    srcs = ["logger.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/syslog",
-    visibility = ["//visibility:public"],
-    deps = [
-        "@com_github_davecgh_go_spew//spew",
-        "@com_github_hashicorp_go_syslog//:go-syslog",
-    ],
-)
-
-go_library(
-    name = "log",
-    srcs = ["logger.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/log",
-    visibility = ["//visibility:public"],
-    deps = [
-        "@com_github_davecgh_go_spew//spew",
-        "@com_github_hashicorp_go_syslog//:go-syslog",
-    ],
-)

log/logger.go

@@ -148,9 +148,6 @@ func Setup(opts *Options) error {
 
 	log.p = priority
 	log.writeConsole = opts.WriteConsole
-	if opts.WriteConsole {
-		fmt.Println("will write to console")
-	}
 
 	if opts.WriteSyslog {
 		var err error

logging/BUILD.bazel

@@ -1,24 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
-
-go_library(
-    name = "logging",
-    srcs = [
-        "console_logger.go",
-        "doc.go",
-        "file.go",
-        "levels.go",
-        "log.go",
-    ],
-    importpath = "git.wntrmute.dev/kyle/goutils/logging",
-    visibility = ["//visibility:public"],
-)
-
-go_test(
-    name = "logging_test",
-    size = "small",
-    srcs = [
-        "example_test.go",
-        "log_test.go",
-    ],
-    embed = [":logging"],
-)

logging/example/BUILD.bazel

@@ -1,15 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-
-go_library(
-    name = "example_lib",
-    srcs = ["example.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/logging/example",
-    visibility = ["//visibility:private"],
-    deps = ["//logging"],
-)
-
-go_binary(
-    name = "example",
-    embed = [":example_lib"],
-    visibility = ["//visibility:public"],
-)

mwc/BUILD.bazel

@@ -1,19 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
-
-go_library(
-    name = "mwc",
-    srcs = ["mwc.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/mwc",
-    visibility = ["//visibility:public"],
-)
-
-go_test(
-    name = "mwc_test",
-    size = "small",
-    srcs = ["mwc_test.go"],
-    embed = [":mwc"],
-    deps = [
-        "//assert",
-        "//testio",
-    ],
-)

rand/BUILD.bazel

@@ -1,15 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
-
-go_library(
-    name = "rand",
-    srcs = ["rand.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/rand",
-    visibility = ["//visibility:public"],
-)
-
-go_test(
-    name = "rand_test",
-    size = "small",
-    srcs = ["rand_test.go"],
-    embed = [":rand"],
-)

sbuf/BUILD.bazel

@@ -1,16 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
-
-go_library(
-    name = "sbuf",
-    srcs = ["sbuf.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/sbuf",
-    visibility = ["//visibility:public"],
-)
-
-go_test(
-    name = "sbuf_test",
-    size = "small",
-    srcs = ["sbuf_test.go"],
-    embed = [":sbuf"],
-    deps = ["@org_golang_x_crypto//nacl/box"],
-)

seekbuf/BUILD.bazel

@@ -1,16 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
-
-go_library(
-    name = "seekbuf",
-    srcs = ["seekbuf.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/seekbuf",
-    visibility = ["//visibility:public"],
-)
-
-go_test(
-    name = "seekbuf_test",
-    size = "small",
-    srcs = ["seekbuf_test.go"],
-    embed = [":seekbuf"],
-    deps = ["//assert"],
-)

seekbuf/seekbuf.go

@@ -55,3 +55,8 @@ func (b *Buffer) Close() error {
 func (b *Buffer) Len() int {
 	return len(b.data[b.pos:])
 }
+
+// Bytes returns the underlying bytes from the current position.
+func (b *Buffer) Bytes() []byte {
+	return b.data[b.pos:]
+}

tee/BUILD.bazel

@@ -1,8 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library")
-
-go_library(
-    name = "tee",
-    srcs = ["tee.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/tee",
-    visibility = ["//visibility:public"],
-)

testio/BUILD.bazel

@@ -1,15 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
-
-go_library(
-    name = "testio",
-    srcs = ["testio.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/testio",
-    visibility = ["//visibility:public"],
-)
-
-go_test(
-    name = "testio_test",
-    size = "small",
-    srcs = ["testio_test.go"],
-    embed = [":testio"],
-)

testutil/BUILD.bazel

@@ -1,8 +0,0 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library")
-
-go_library(
-    name = "testutil",
-    srcs = ["testutil.go"],
-    importpath = "git.wntrmute.dev/kyle/goutils/testutil",
-    visibility = ["//visibility:public"],
-)