Update CHANGELOG for v1.14.1.

Fetcher is an interface and set of functions for retrieving a
certificate (or chain of certificates) from a spec. It will
determine whether the certificate spec is a file or a server,
and fetch accordingly.

.github/workflows/release.yml

@@ -0,0 +1,35 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch: {}
+
+permissions:
+  contents: write
+
+jobs:
+  goreleaser:
+    name: GoReleaser
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -1,2 +1,5 @@
 .idea
 cmd/cert-bundler/testdata/pkg/*
+# Added by goreleaser init:
+dist/
+cmd/cert-bundler/testdata/bundle/

.goreleaser.yaml

@@ -0,0 +1,445 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+
+# The lines below are called `modelines`. See `:help modeline`
+# Feel free to remove those if you don't want/need to use them.
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
+
+version: 2
+
+before:
+  hooks:
+    # You may remove this if you don't use go modules.
+    - go mod tidy
+    # you may remove this if you don't need go generate
+    - go generate ./...
+
+builds:
+  - id: atping
+    main: ./cmd/atping/main.go
+    binary: atping
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: ca-signed
+    main: ./cmd/ca-signed/main.go
+    binary: ca-signed
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: cert-bundler
+    main: ./cmd/cert-bundler/main.go
+    binary: cert-bundler
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: cert-revcheck
+    main: ./cmd/cert-revcheck/main.go
+    binary: cert-revcheck
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: certchain
+    main: ./cmd/certchain/main.go
+    binary: certchain
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: certdump
+    main: ./cmd/certdump/main.go
+    binary: certdump
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: certexpiry
+    main: ./cmd/certexpiry/main.go
+    binary: certexpiry
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: certser
+    main: ./cmd/certser/main.go
+    binary: certser
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: certverify
+    main: ./cmd/certverify/main.go
+    binary: certverify
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: clustersh
+    main: ./cmd/clustersh/main.go
+    binary: clustersh
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: cruntar
+    main: ./cmd/cruntar/main.go
+    binary: cruntar
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: csrpubdump
+    main: ./cmd/csrpubdump/main.go
+    binary: csrpubdump
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: data_sync
+    main: ./cmd/data_sync/main.go
+    binary: data_sync
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: diskimg
+    main: ./cmd/diskimg/main.go
+    binary: diskimg
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: dumpbytes
+    main: ./cmd/dumpbytes/main.go
+    binary: dumpbytes
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: eig
+    main: ./cmd/eig/main.go
+    binary: eig
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: fragment
+    main: ./cmd/fragment/main.go
+    binary: fragment
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: host
+    main: ./cmd/host/main.go
+    binary: host
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: jlp
+    main: ./cmd/jlp/main.go
+    binary: jlp
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: kgz
+    main: ./cmd/kgz/main.go
+    binary: kgz
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: minmax
+    main: ./cmd/minmax/main.go
+    binary: minmax
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: parts
+    main: ./cmd/parts/main.go
+    binary: parts
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: pem2bin
+    main: ./cmd/pem2bin/main.go
+    binary: pem2bin
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: pembody
+    main: ./cmd/pembody/main.go
+    binary: pembody
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: pemit
+    main: ./cmd/pemit/main.go
+    binary: pemit
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: readchain
+    main: ./cmd/readchain/main.go
+    binary: readchain
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: renfnv
+    main: ./cmd/renfnv/main.go
+    binary: renfnv
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: rhash
+    main: ./cmd/rhash/main.go
+    binary: rhash
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: rolldie
+    main: ./cmd/rolldie/main.go
+    binary: rolldie
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: showimp
+    main: ./cmd/showimp/main.go
+    binary: showimp
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: ski
+    main: ./cmd/ski/main.go
+    binary: ski
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: sprox
+    main: ./cmd/sprox/main.go
+    binary: sprox
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: stealchain
+    main: ./cmd/stealchain/main.go
+    binary: stealchain
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: stealchain-server
+    main: ./cmd/stealchain-server/main.go
+    binary: stealchain-server
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: subjhash
+    main: ./cmd/subjhash/main.go
+    binary: subjhash
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: tlsinfo
+    main: ./cmd/tlsinfo/main.go
+    binary: tlsinfo
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: tlskeypair
+    main: ./cmd/tlskeypair/main.go
+    binary: tlskeypair
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: utc
+    main: ./cmd/utc/main.go
+    binary: utc
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: yamll
+    main: ./cmd/yamll/main.go
+    binary: yamll
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: zsearch
+    main: ./cmd/zsearch/main.go
+    binary: zsearch
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+
+archives:
+  - formats: [tar.gz]
+    # archive filename: name_version_os_arch
+    name_template: >-
+      {{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}
+    # use zip for windows archives
+    format_overrides:
+      - goos: windows
+        formats: [zip]
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"
+
+release:
+  github:
+    owner: kisom
+    name: goutils
+  footer: >-
+
+    ---
+
+    Released by [GoReleaser](https://github.com/goreleaser/goreleaser).

CHANGELOG

@@ -1,5 +1,71 @@
 CHANGELOG
 
+v1.14.1 - 2025-11-18
+
+Added:
+- build: add missing Dockerfile.
+
+v1.14.0 - 2025-11-18
+
+Added:
+- lib/dialer: introduce proxy-aware dialers and helpers:
+  - NewNetDialer and NewTLSDialer honoring SOCKS5_PROXY, HTTPS_PROXY, HTTP_PROXY
+    (case-insensitive) with precedence SOCKS5 > HTTPS > HTTP.
+  - DialTCP and DialTLS convenience functions; DialTLS performs a TLS handshake
+    and returns a concrete *tls.Conn.
+  - NewHTTPClient: returns a proxy-aware *http.Client. Uses SOCKS5 proxy when
+    configured (disables HTTP(S) proxying to avoid double-proxying); otherwise
+    relies on http.ProxyFromEnvironment (respects HTTP(S)_PROXY and NO_PROXY).
+- build: the releasse-docker.sh builds and pushes the correct Docker images.
+
+Changed:
+- cmd: migrate tools to new proxy-aware helpers where appropriate:
+  - certchain, stealchain, tlsinfo: use lib.DialTLS.
+  - cert-revcheck: use lib.DialTLS for site connects and a proxy-aware
+    HTTP client for OCSP/CRL fetches.
+  - rhash: use proxy-aware HTTP client for downloads.
+- lib/fetch: migrate from certlib/fetch.go to lib/fetch.go and use DialTLS
+  under the hood.
+- go.mod: add golang.org/x/net dependency (for SOCKS5 support) and align x/crypto.
+
+Notes:
+- HTTP(S) proxy CONNECT supports optional basic auth via proxy URL credentials.
+- HTTPS proxies are TLS-wrapped prior to CONNECT.
+- Timeouts apply to TCP connects, proxy handshakes, and TLS handshakes; context
+  cancellation is honored.
+- Some commands retain bespoke dialing (e.g., IPv6-only or unix sockets) and
+  were intentionally left unchanged.
+
+v1.13.6 - 2025-11-18
+
+Changed:
+- build: removing gitea stuff.
+
+v1.13.5 - 2025-11-18
+
+Changed:
+- build: updating goreleaser config.
+
+v1.13.4 - 2025-11-18
+
+Changed:
+- build: updating goreleaser config.
+
+v1.13.3 - 2025-11-18
+
+Added:
+- certlib: introduce `Fetcher` for retrieving certificates.
+- lib: `HexEncode` gains a byte-slice output variant.
+- build: add GoReleaser configuration.
+
+Changed:
+- cmd: migrate programs to use `certlib.Fetcher` for certificate retrieval
+  (includes `certdump`, `ski`, and others).
+- cmd/ski: update display mode.
+
+Misc:
+- repository fixups and small cleanups.
+
 v1.13.2 - 2025-11-17
 
 Add:

Dockerfile

@@ -0,0 +1,38 @@
+# syntax=docker/dockerfile:1
+
+# ----- Builder stage: build all cmd/... tools -----
+FROM golang:1.24-alpine AS builder
+
+# Install necessary build dependencies for fetching modules
+RUN apk add --no-cache git ca-certificates && update-ca-certificates
+
+WORKDIR /src
+
+# Cache modules
+COPY go.mod go.sum ./
+RUN --mount=type=cache,target=/go/pkg/mod \
+    go mod download
+
+# Copy the rest of the source
+COPY . .
+
+# Build and install all commands under ./cmd/... into /out
+ENV CGO_ENABLED=0
+ENV GOBIN=/out
+RUN --mount=type=cache,target=/go/pkg/mod \
+    go install ./cmd/...
+
+# ----- Final runtime image: minimal alpine with tools installed -----
+FROM alpine:3.20
+
+# Ensure common utilities are present
+RUN apk add --no-cache bash curl ca-certificates && update-ca-certificates
+
+# Copy binaries from builder
+COPY --from=builder /out/ /usr/local/bin/
+
+# Working directory for mounting the host CWD
+WORKDIR /work
+
+# Default command shows available tools if run without args
+CMD ["/bin/sh", "-lc", "echo 'Tools installed:' && ls -1 /usr/local/bin && echo '\nMount your project with: docker run --rm -it -v $PWD:/work IMAGE <tool> ...'"]

backoff/backoff_test.go

@@ -91,7 +91,7 @@ func TestReset(t *testing.T) {
 	}
 }
 
-const decay = 25 * time.Millisecond
+const decay = time.Second
 const maxDuration = 10 * time.Millisecond
 const interval = time.Millisecond
 

certlib/bundler/bundler.go

@@ -12,6 +12,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"sort"
 	"strings"
 	"time"
 
@@ -483,11 +484,19 @@ func encodeCertsToPEM(certs []*x509.Certificate) []byte {
 }
 
 func generateManifest(files []fileEntry) []byte {
-	var manifest strings.Builder
-	for _, file := range files {
-		if file.name == "MANIFEST" {
+	// Build a sorted list of files by filename to ensure deterministic manifest ordering
+	sorted := make([]fileEntry, 0, len(files))
+	for _, f := range files {
+		// Defensive: skip any existing manifest entry
+		if f.name == "MANIFEST" {
 			continue
 		}
+		sorted = append(sorted, f)
+	}
+	sort.Slice(sorted, func(i, j int) bool { return sorted[i].name < sorted[j].name })
+
+	var manifest strings.Builder
+	for _, file := range sorted {
 		hash := sha256.Sum256(file.content)
 		manifest.WriteString(fmt.Sprintf("%x  %s\n", hash, file.name))
 	}

certlib/helpers.go

@@ -396,6 +396,45 @@ func ParseOneCertificateFromPEM(certsPEM []byte) ([]*x509.Certificate, []byte, e
 	return certs, rest, nil
 }
 
+// LoadFullCertPool returns a certificate pool with roots and intermediates
+// from disk. If no roots are provided, the system root pool will be used.
+func LoadFullCertPool(roots, intermediates string) (*x509.CertPool, error) {
+	var err error
+
+	pool := x509.NewCertPool()
+
+	if roots == "" {
+		pool, err = x509.SystemCertPool()
+		if err != nil {
+			return nil, fmt.Errorf("loading system cert pool: %w", err)
+		}
+	} else {
+		var rootCerts []*x509.Certificate
+		rootCerts, err = LoadCertificates(roots)
+		if err != nil {
+			return nil, fmt.Errorf("loading roots: %w", err)
+		}
+
+		for _, cert := range rootCerts {
+			pool.AddCert(cert)
+		}
+	}
+
+	if intermediates != "" {
+		var intCerts []*x509.Certificate
+		intCerts, err = LoadCertificates(intermediates)
+		if err != nil {
+			return nil, fmt.Errorf("loading intermediates: %w", err)
+		}
+
+		for _, cert := range intCerts {
+			pool.AddCert(cert)
+		}
+	}
+
+	return pool, nil
+}
+
 // LoadPEMCertPool loads a pool of PEM certificates from file.
 func LoadPEMCertPool(certsFile string) (*x509.CertPool, error) {
 	if certsFile == "" {

certlib/hosts/hosts.go

@@ -26,7 +26,12 @@ func parseURL(host string) (string, int, error) {
 		return "", 0, fmt.Errorf("certlib/hosts: invalid host: %s", host)
 	}
 
-	if strings.ToLower(url.Scheme) != "https" {
+	switch strings.ToLower(url.Scheme) {
+	case "https":
+	// OK
+	case "tls":
+	// OK
+	default:
 		return "", 0, errors.New("certlib/hosts: only https scheme supported")
 	}
 
@@ -43,28 +48,28 @@ func parseURL(host string) (string, int, error) {
 }
 
 func parseHostPort(host string) (string, int, error) {
-	host, sport, err := net.SplitHostPort(host)
+	shost, sport, err := net.SplitHostPort(host)
 	if err == nil {
 		portInt, err2 := strconv.ParseInt(sport, 10, 16)
 		if err2 != nil {
 			return "", 0, fmt.Errorf("certlib/hosts: invalid port: %s", sport)
 		}
 
-		return host, int(portInt), nil
+		return shost, int(portInt), nil
 	}
 
 	return host, defaultHTTPSPort, nil
 }
 
 func ParseHost(host string) (*Target, error) {
-	host, port, err := parseURL(host)
+	uhost, port, err := parseURL(host)
 	if err == nil {
-		return &Target{Host: host, Port: port}, nil
+		return &Target{Host: uhost, Port: port}, nil
 	}
 
-	host, port, err = parseHostPort(host)
+	shost, port, err := parseHostPort(host)
 	if err == nil {
-		return &Target{Host: host, Port: port}, nil
+		return &Target{Host: shost, Port: port}, nil
 	}
 
 	return nil, fmt.Errorf("certlib/hosts: invalid host: %s", host)

certlib/hosts/hosts_test.go

@@ -0,0 +1,35 @@
+package hosts_test
+
+import (
+	"testing"
+
+	"git.wntrmute.dev/kyle/goutils/certlib/hosts"
+)
+
+type testCase struct {
+	Host   string
+	Target hosts.Target
+}
+
+var testCases = []testCase{
+	{Host: "server-name", Target: hosts.Target{Host: "server-name", Port: 443}},
+	{Host: "server-name:8443", Target: hosts.Target{Host: "server-name", Port: 8443}},
+	{Host: "tls://server-name", Target: hosts.Target{Host: "server-name", Port: 443}},
+	{Host: "https://server-name", Target: hosts.Target{Host: "server-name", Port: 443}},
+	{Host: "https://server-name:8443", Target: hosts.Target{Host: "server-name", Port: 8443}},
+	{Host: "tls://server-name:8443", Target: hosts.Target{Host: "server-name", Port: 8443}},
+	{Host: "https://server-name/something/else", Target: hosts.Target{Host: "server-name", Port: 443}},
+}
+
+func TestParseHost(t *testing.T) {
+	for i, tc := range testCases {
+		target, err := hosts.ParseHost(tc.Host)
+		if err != nil {
+			t.Fatalf("test case %d: %s", i+1, err)
+		}
+
+		if target.Host != tc.Target.Host {
+			t.Fatalf("test case %d: got host '%s', want host '%s'", i+1, target.Host, tc.Target.Host)
+		}
+	}
+}

cmd/cert-revcheck/main.go

@@ -7,7 +7,6 @@ import (
 	"errors"
 	"flag"
 	"fmt"
-	"net"
 	"os"
 	"strings"
 	"time"
@@ -16,6 +15,7 @@ import (
 	hosts "git.wntrmute.dev/kyle/goutils/certlib/hosts"
 	"git.wntrmute.dev/kyle/goutils/certlib/revoke"
 	"git.wntrmute.dev/kyle/goutils/fileutil"
+	"git.wntrmute.dev/kyle/goutils/lib"
 )
 
 var (
@@ -38,8 +38,10 @@ func main() {
 	flag.Parse()
 
 	revoke.HardFail = hardfail
-	// Set HTTP client timeout for revocation library
-	revoke.HTTPClient.Timeout = timeout
+	// Build a proxy-aware HTTP client for OCSP/CRL fetches
+	if httpClient, err := lib.NewHTTPClient(lib.DialerOpts{Timeout: timeout}); err == nil {
+		revoke.HTTPClient = httpClient
+	}
 
 	if flag.NArg() == 0 {
 		fmt.Fprintf(os.Stderr, "Usage: %s [options] <target> [<target>...]\n", os.Args[0])
@@ -99,28 +101,19 @@ func checkSite(hostport string) (string, error) {
 		return strUnknown, err
 	}
 
-	d := &net.Dialer{Timeout: timeout}
-	tcfg := &tls.Config{
-		InsecureSkipVerify: true,
-		ServerName:         target.Host,
-	} // #nosec G402 -- CLI tool only verifies revocation
-	td := &tls.Dialer{NetDialer: d, Config: tcfg}
-
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 
-	conn, err := td.DialContext(ctx, "tcp", target.String())
+	// Use proxy-aware TLS dialer
+	conn, err := lib.DialTLS(ctx, target.String(), lib.DialerOpts{Timeout: timeout, TLSConfig: &tls.Config{
+		InsecureSkipVerify: true, // #nosec G402 -- CLI tool only verifies revocation
+		ServerName:         target.Host,
+	}})
 	if err != nil {
 		return strUnknown, err
 	}
 	defer conn.Close()
-
-	tconn, ok := conn.(*tls.Conn)
-	if !ok {
-		return strUnknown, errors.New("connection is not TLS")
-	}
-
-	state := tconn.ConnectionState()
+	state := conn.ConnectionState()
 	if len(state.PeerCertificates) == 0 {
 		return strUnknown, errors.New("no peer certificates presented")
 	}

cmd/certchain/main.go

@@ -11,6 +11,7 @@ import (
 	"strings"
 
 	"git.wntrmute.dev/kyle/goutils/die"
+	"git.wntrmute.dev/kyle/goutils/lib"
 )
 
 var hasPort = regexp.MustCompile(`:\d+$`)
@@ -23,13 +24,9 @@ func main() {
 			server += ":443"
 		}
 
-		d := &tls.Dialer{Config: &tls.Config{}} // #nosec G402
-		nc, err := d.DialContext(context.Background(), "tcp", server)
+		// Use proxy-aware TLS dialer
+		conn, err := lib.DialTLS(context.Background(), server, lib.DialerOpts{TLSConfig: &tls.Config{}}) // #nosec G402
 		die.If(err)
-		conn, ok := nc.(*tls.Conn)
-		if !ok {
-			die.With("invalid TLS connection (not a *tls.Conn)")
-		}
 
 		defer conn.Close()
 

cmd/certdump/main.go

@@ -2,27 +2,150 @@
 package main
 
 import (
-	"bytes"
-	"context"
 	"crypto/dsa"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rsa"
 	"crypto/sha256"
-	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"flag"
 	"fmt"
-	"io"
 	"os"
 	"sort"
 	"strings"
 
-	"git.wntrmute.dev/kyle/goutils/certlib"
+	"github.com/kr/text"
+
 	"git.wntrmute.dev/kyle/goutils/lib"
 )
 
+// following two lifted from CFSSL, (replace-regexp "\(.+\): \(.+\),"
+// "\2: \1,")
+
+const (
+	sSHA256 = "SHA256"
+	sSHA512 = "SHA512"
+)
+
+var keyUsage = map[x509.KeyUsage]string{
+	x509.KeyUsageDigitalSignature:  "digital signature",
+	x509.KeyUsageContentCommitment: "content committment",
+	x509.KeyUsageKeyEncipherment:   "key encipherment",
+	x509.KeyUsageKeyAgreement:      "key agreement",
+	x509.KeyUsageDataEncipherment:  "data encipherment",
+	x509.KeyUsageCertSign:          "cert sign",
+	x509.KeyUsageCRLSign:           "crl sign",
+	x509.KeyUsageEncipherOnly:      "encipher only",
+	x509.KeyUsageDecipherOnly:      "decipher only",
+}
+
+var extKeyUsages = map[x509.ExtKeyUsage]string{
+	x509.ExtKeyUsageAny:                            "any",
+	x509.ExtKeyUsageServerAuth:                     "server auth",
+	x509.ExtKeyUsageClientAuth:                     "client auth",
+	x509.ExtKeyUsageCodeSigning:                    "code signing",
+	x509.ExtKeyUsageEmailProtection:                "s/mime",
+	x509.ExtKeyUsageIPSECEndSystem:                 "ipsec end system",
+	x509.ExtKeyUsageIPSECTunnel:                    "ipsec tunnel",
+	x509.ExtKeyUsageIPSECUser:                      "ipsec user",
+	x509.ExtKeyUsageTimeStamping:                   "timestamping",
+	x509.ExtKeyUsageOCSPSigning:                    "ocsp signing",
+	x509.ExtKeyUsageMicrosoftServerGatedCrypto:     "microsoft sgc",
+	x509.ExtKeyUsageNetscapeServerGatedCrypto:      "netscape sgc",
+	x509.ExtKeyUsageMicrosoftCommercialCodeSigning: "microsoft commercial code signing",
+	x509.ExtKeyUsageMicrosoftKernelCodeSigning:     "microsoft kernel code signing",
+}
+
+func sigAlgoPK(a x509.SignatureAlgorithm) string {
+	switch a {
+	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA:
+		return "RSA"
+	case x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS:
+		return "RSA-PSS"
+	case x509.ECDSAWithSHA1, x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
+		return "ECDSA"
+	case x509.DSAWithSHA1, x509.DSAWithSHA256:
+		return "DSA"
+	case x509.PureEd25519:
+		return "Ed25519"
+	case x509.UnknownSignatureAlgorithm:
+		return "unknown public key algorithm"
+	default:
+		return "unknown public key algorithm"
+	}
+}
+
+func sigAlgoHash(a x509.SignatureAlgorithm) string {
+	switch a {
+	case x509.MD2WithRSA:
+		return "MD2"
+	case x509.MD5WithRSA:
+		return "MD5"
+	case x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1:
+		return "SHA1"
+	case x509.SHA256WithRSA, x509.ECDSAWithSHA256, x509.DSAWithSHA256:
+		return sSHA256
+	case x509.SHA256WithRSAPSS:
+		return sSHA256
+	case x509.SHA384WithRSA, x509.ECDSAWithSHA384:
+		return "SHA384"
+	case x509.SHA384WithRSAPSS:
+		return "SHA384"
+	case x509.SHA512WithRSA, x509.ECDSAWithSHA512:
+		return sSHA512
+	case x509.SHA512WithRSAPSS:
+		return sSHA512
+	case x509.PureEd25519:
+		return sSHA512
+	case x509.UnknownSignatureAlgorithm:
+		return "unknown hash algorithm"
+	default:
+		return "unknown hash algorithm"
+	}
+}
+
+const maxLine = 78
+
+func makeIndent(n int) string {
+	s := "    "
+	var sSb97 strings.Builder
+	for range n {
+		sSb97.WriteString("        ")
+	}
+	s += sSb97.String()
+	return s
+}
+
+func indentLen(n int) int {
+	return 4 + (8 * n)
+}
+
+// this isn't real efficient, but that's not a problem here.
+func wrap(s string, indent int) string {
+	if indent > 3 {
+		indent = 3
+	}
+
+	wrapped := text.Wrap(s, maxLine)
+	lines := strings.SplitN(wrapped, "\n", 2)
+	if len(lines) == 1 {
+		return lines[0]
+	}
+
+	if (maxLine - indentLen(indent)) <= 0 {
+		panic("too much indentation")
+	}
+
+	rest := strings.Join(lines[1:], " ")
+	wrapped = text.Wrap(rest, maxLine-indentLen(indent))
+	return lines[0] + "\n" + text.Indent(wrapped, makeIndent(indent))
+}
+
+func dumpHex(in []byte) string {
+	return lib.HexEncode(in, lib.HexEncodeUpperColon)
+}
+
 func certPublic(cert *x509.Certificate) string {
 	switch pub := cert.PublicKey.(type) {
 	case *rsa.PublicKey:
@@ -116,7 +239,7 @@ func showBasicConstraints(cert *x509.Certificate) {
 			fmt.Fprint(os.Stdout, " (basic constraint failure)")
 		}
 	} else {
-		fmt.Fprint(os.Stdout, "is not a CA certificate")
+		fmt.Fprint(os.Stdout, ", is not a CA certificate")
 		if cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0 {
 			fmt.Fprint(os.Stdout, " (key encipherment usage enabled!)")
 		}
@@ -220,122 +343,6 @@ func displayCert(cert *x509.Certificate) {
 	}
 }
 
-func displayAllCerts(in []byte, leafOnly bool) {
-	certs, err := certlib.ParseCertificatesPEM(in)
-	if err != nil {
-		certs, _, err = certlib.ParseCertificatesDER(in, "")
-		if err != nil {
-			_, _ = lib.Warn(err, "failed to parse certificates")
-			return
-		}
-	}
-
-	if len(certs) == 0 {
-		_, _ = lib.Warnx("no certificates found")
-		return
-	}
-
-	if leafOnly {
-		displayCert(certs[0])
-		return
-	}
-
-	for i := range certs {
-		displayCert(certs[i])
-	}
-}
-
-func displayAllCertsWeb(uri string, leafOnly bool) {
-	ci := getConnInfo(uri)
-	d := &tls.Dialer{Config: permissiveConfig()}
-	nc, err := d.DialContext(context.Background(), "tcp", ci.Addr)
-	if err != nil {
-		_, _ = lib.Warn(err, "couldn't connect to %s", ci.Addr)
-		return
-	}
-
-	conn, ok := nc.(*tls.Conn)
-	if !ok {
-		_, _ = lib.Warnx("invalid TLS connection (not a *tls.Conn)")
-		return
-	}
-	defer conn.Close()
-
-	state := conn.ConnectionState()
-	if err = conn.Close(); err != nil {
-		_, _ = lib.Warn(err, "couldn't close TLS connection")
-	}
-
-	d = &tls.Dialer{Config: verifyConfig(ci.Host)}
-	nc, err = d.DialContext(context.Background(), "tcp", ci.Addr)
-	if err == nil {
-		conn, ok = nc.(*tls.Conn)
-		if !ok {
-			_, _ = lib.Warnx("invalid TLS connection (not a *tls.Conn)")
-			return
-		}
-
-		err = conn.VerifyHostname(ci.Host)
-		if err == nil {
-			state = conn.ConnectionState()
-		}
-		conn.Close()
-	} else {
-		_, _ = lib.Warn(err, "TLS verification error with server name %s", ci.Host)
-	}
-
-	if len(state.PeerCertificates) == 0 {
-		_, _ = lib.Warnx("no certificates found")
-		return
-	}
-
-	if leafOnly {
-		displayCert(state.PeerCertificates[0])
-		return
-	}
-
-	if len(state.VerifiedChains) == 0 {
-		_, _ = lib.Warnx("no verified chains found; using peer chain")
-		for i := range state.PeerCertificates {
-			displayCert(state.PeerCertificates[i])
-		}
-	} else {
-		fmt.Fprintln(os.Stdout, "TLS chain verified successfully.")
-		for i := range state.VerifiedChains {
-			fmt.Fprintf(os.Stdout, "--- Verified certificate chain %d ---%s", i+1, "\n")
-			for j := range state.VerifiedChains[i] {
-				displayCert(state.VerifiedChains[i][j])
-			}
-		}
-	}
-}
-
-func shouldReadStdin(argc int, argv []string) bool {
-	if argc == 0 {
-		return true
-	}
-
-	if argc == 1 && argv[0] == "-" {
-		return true
-	}
-
-	return false
-}
-
-func readStdin(leafOnly bool) {
-	certs, err := io.ReadAll(os.Stdin)
-	if err != nil {
-		_, _ = lib.Warn(err, "couldn't read certificates from standard input")
-		os.Exit(1)
-	}
-
-	// This is needed for getting certs from JSON/jq.
-	certs = bytes.TrimSpace(certs)
-	certs = bytes.ReplaceAll(certs, []byte(`\n`), []byte{0xa})
-	certs = bytes.Trim(certs, `"`)
-	displayAllCerts(certs, leafOnly)
-}
-
 func main() {
 	var leafOnly bool
 	flag.BoolVar(&showHash, "d", false, "show hashes of raw DER contents")
@@ -343,23 +350,26 @@ func main() {
 	flag.BoolVar(&leafOnly, "l", false, "only show the leaf certificate")
 	flag.Parse()
 
-	if shouldReadStdin(flag.NArg(), flag.Args()) {
-		readStdin(leafOnly)
-		return
+	opts := &lib.FetcherOpts{
+		SkipVerify: true,
+		Roots:      nil,
 	}
 
 	for _, filename := range flag.Args() {
 		fmt.Fprintf(os.Stdout, "--%s ---%s", filename, "\n")
-		if strings.HasPrefix(filename, "https://") {
-			displayAllCertsWeb(filename, leafOnly)
-		} else {
-			in, err := os.ReadFile(filename)
-			if err != nil {
-				_, _ = lib.Warn(err, "couldn't read certificate")
-				continue
-			}
+		certs, err := lib.GetCertificateChain(filename, opts)
+		if err != nil {
+			_, _ = lib.Warn(err, "couldn't read certificate")
+			continue
+		}
 
-			displayAllCerts(in, leafOnly)
+		if leafOnly {
+			displayCert(certs[0])
+			continue
+		}
+
+		for i := range certs {
+			displayCert(certs[i])
 		}
 	}
 }

cmd/certdump/util.go

@@ -1,189 +0,0 @@
-package main
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"fmt"
-	"net"
-	"strings"
-
-	"github.com/kr/text"
-)
-
-// following two lifted from CFSSL, (replace-regexp "\(.+\): \(.+\),"
-// "\2: \1,")
-
-const (
-	sSHA256 = "SHA256"
-	sSHA512 = "SHA512"
-)
-
-var keyUsage = map[x509.KeyUsage]string{
-	x509.KeyUsageDigitalSignature:  "digital signature",
-	x509.KeyUsageContentCommitment: "content committment",
-	x509.KeyUsageKeyEncipherment:   "key encipherment",
-	x509.KeyUsageKeyAgreement:      "key agreement",
-	x509.KeyUsageDataEncipherment:  "data encipherment",
-	x509.KeyUsageCertSign:          "cert sign",
-	x509.KeyUsageCRLSign:           "crl sign",
-	x509.KeyUsageEncipherOnly:      "encipher only",
-	x509.KeyUsageDecipherOnly:      "decipher only",
-}
-
-var extKeyUsages = map[x509.ExtKeyUsage]string{
-	x509.ExtKeyUsageAny:                            "any",
-	x509.ExtKeyUsageServerAuth:                     "server auth",
-	x509.ExtKeyUsageClientAuth:                     "client auth",
-	x509.ExtKeyUsageCodeSigning:                    "code signing",
-	x509.ExtKeyUsageEmailProtection:                "s/mime",
-	x509.ExtKeyUsageIPSECEndSystem:                 "ipsec end system",
-	x509.ExtKeyUsageIPSECTunnel:                    "ipsec tunnel",
-	x509.ExtKeyUsageIPSECUser:                      "ipsec user",
-	x509.ExtKeyUsageTimeStamping:                   "timestamping",
-	x509.ExtKeyUsageOCSPSigning:                    "ocsp signing",
-	x509.ExtKeyUsageMicrosoftServerGatedCrypto:     "microsoft sgc",
-	x509.ExtKeyUsageNetscapeServerGatedCrypto:      "netscape sgc",
-	x509.ExtKeyUsageMicrosoftCommercialCodeSigning: "microsoft commercial code signing",
-	x509.ExtKeyUsageMicrosoftKernelCodeSigning:     "microsoft kernel code signing",
-}
-
-func sigAlgoPK(a x509.SignatureAlgorithm) string {
-	switch a {
-	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA:
-		return "RSA"
-	case x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS:
-		return "RSA-PSS"
-	case x509.ECDSAWithSHA1, x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
-		return "ECDSA"
-	case x509.DSAWithSHA1, x509.DSAWithSHA256:
-		return "DSA"
-	case x509.PureEd25519:
-		return "Ed25519"
-	case x509.UnknownSignatureAlgorithm:
-		return "unknown public key algorithm"
-	default:
-		return "unknown public key algorithm"
-	}
-}
-
-func sigAlgoHash(a x509.SignatureAlgorithm) string {
-	switch a {
-	case x509.MD2WithRSA:
-		return "MD2"
-	case x509.MD5WithRSA:
-		return "MD5"
-	case x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1:
-		return "SHA1"
-	case x509.SHA256WithRSA, x509.ECDSAWithSHA256, x509.DSAWithSHA256:
-		return sSHA256
-	case x509.SHA256WithRSAPSS:
-		return sSHA256
-	case x509.SHA384WithRSA, x509.ECDSAWithSHA384:
-		return "SHA384"
-	case x509.SHA384WithRSAPSS:
-		return "SHA384"
-	case x509.SHA512WithRSA, x509.ECDSAWithSHA512:
-		return sSHA512
-	case x509.SHA512WithRSAPSS:
-		return sSHA512
-	case x509.PureEd25519:
-		return sSHA512
-	case x509.UnknownSignatureAlgorithm:
-		return "unknown hash algorithm"
-	default:
-		return "unknown hash algorithm"
-	}
-}
-
-const maxLine = 78
-
-func makeIndent(n int) string {
-	s := "    "
-	var sSb97 strings.Builder
-	for range n {
-		sSb97.WriteString("        ")
-	}
-	s += sSb97.String()
-	return s
-}
-
-func indentLen(n int) int {
-	return 4 + (8 * n)
-}
-
-// this isn't real efficient, but that's not a problem here.
-func wrap(s string, indent int) string {
-	if indent > 3 {
-		indent = 3
-	}
-
-	wrapped := text.Wrap(s, maxLine)
-	lines := strings.SplitN(wrapped, "\n", 2)
-	if len(lines) == 1 {
-		return lines[0]
-	}
-
-	if (maxLine - indentLen(indent)) <= 0 {
-		panic("too much indentation")
-	}
-
-	rest := strings.Join(lines[1:], " ")
-	wrapped = text.Wrap(rest, maxLine-indentLen(indent))
-	return lines[0] + "\n" + text.Indent(wrapped, makeIndent(indent))
-}
-
-func dumpHex(in []byte) string {
-	var s string
-	var sSb130 strings.Builder
-	for i := range in {
-		sSb130.WriteString(fmt.Sprintf("%02X:", in[i]))
-	}
-	s += sSb130.String()
-
-	return strings.Trim(s, ":")
-}
-
-// permissiveConfig returns a maximally-accepting TLS configuration;
-// the purpose is to look at the cert, not verify the security properties
-// of the connection.
-func permissiveConfig() *tls.Config {
-	return &tls.Config{
-		InsecureSkipVerify: true,
-	} // #nosec G402
-}
-
-// verifyConfig returns a config that will verify the connection.
-func verifyConfig(hostname string) *tls.Config {
-	return &tls.Config{
-		ServerName: hostname,
-	} // #nosec G402
-}
-
-type connInfo struct {
-	// The original URI provided.
-	URI string
-
-	// The hostname of the server.
-	Host string
-
-	// The port to connect on.
-	Port string
-
-	// The address to connect to.
-	Addr string
-}
-
-func getConnInfo(uri string) *connInfo {
-	ci := &connInfo{URI: uri}
-	ci.Host = uri[len("https://"):]
-
-	host, port, err := net.SplitHostPort(ci.Host)
-	if err != nil {
-		ci.Port = "443"
-	} else {
-		ci.Host = host
-		ci.Port = port
-	}
-	ci.Addr = net.JoinHostPort(ci.Host, ci.Port)
-	return ci
-}

cmd/certexpiry/main.go

@@ -9,7 +9,6 @@ import (
 	"strings"
 	"time"
 
-	"git.wntrmute.dev/kyle/goutils/certlib"
 	"git.wntrmute.dev/kyle/goutils/die"
 	"git.wntrmute.dev/kyle/goutils/lib"
 )
@@ -75,18 +74,15 @@ func checkCert(cert *x509.Certificate) {
 }
 
 func main() {
+	opts := &lib.FetcherOpts{}
+
+	flag.BoolVar(&opts.SkipVerify, "k", false, "skip server verification")
 	flag.BoolVar(&warnOnly, "q", false, "only warn about expiring certs")
 	flag.DurationVar(&leeway, "t", leeway, "warn if certificates are closer than this to expiring")
 	flag.Parse()
 
 	for _, file := range flag.Args() {
-		in, err := os.ReadFile(file)
-		if err != nil {
-			_, _ = lib.Warn(err, "failed to read file")
-			continue
-		}
-
-		certs, err := certlib.ParseCertificatesPEM(in)
+		certs, err := lib.GetCertificateChain(file, opts)
 		if err != nil {
 			_, _ = lib.Warn(err, "while parsing certificates")
 			continue

cmd/certser/main.go

@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"strings"
 
-	"git.wntrmute.dev/kyle/goutils/certlib"
 	"git.wntrmute.dev/kyle/goutils/die"
 	"git.wntrmute.dev/kyle/goutils/lib"
 )
@@ -32,14 +31,16 @@ func serialString(cert *x509.Certificate, mode lib.HexEncodeMode) string {
 }
 
 func main() {
+	opts := &lib.FetcherOpts{}
 	displayAs := flag.String("d", "int", "display mode (int, hex, uhex)")
 	showExpiry := flag.Bool("e", false, "show expiry date")
+	flag.BoolVar(&opts.SkipVerify, "k", false, "skip server verification")
 	flag.Parse()
 
 	displayMode := parseDisplayMode(*displayAs)
 
 	for _, arg := range flag.Args() {
-		cert, err := certlib.LoadCertificate(arg)
+		cert, err := lib.GetCertificate(arg, opts)
 		die.If(err)
 
 		fmt.Printf("%s: %s", arg, serialString(cert, displayMode))

cmd/certverify/main.go

@@ -29,9 +29,9 @@ func printRevocation(cert *x509.Certificate) {
 }
 
 type appConfig struct {
-	caFile, intFile         string
-	forceIntermediateBundle bool
-	revexp, verbose         bool
+	caFile, intFile             string
+	forceIntermediateBundle     bool
+	revexp, skipVerify, verbose bool
 }
 
 func parseFlags() appConfig {
@@ -40,6 +40,7 @@ func parseFlags() appConfig {
 	flag.StringVar(&cfg.intFile, "i", "", "intermediate `bundle`")
 	flag.BoolVar(&cfg.forceIntermediateBundle, "f", false,
 		"force the use of the intermediate bundle, ignoring any intermediates bundled with certificate")
+	flag.BoolVar(&cfg.skipVerify, "k", false, "skip CA verification")
 	flag.BoolVar(&cfg.revexp, "r", false, "print revocation and expiry information")
 	flag.BoolVar(&cfg.verbose, "v", false, "verbose")
 	flag.Parse()
@@ -102,12 +103,17 @@ func run(cfg appConfig) error {
 		fmt.Fprintf(os.Stderr, "Usage: %s [-ca bundle] [-i bundle] cert", lib.ProgName())
 	}
 
-	fileData, err := os.ReadFile(flag.Arg(0))
+	combinedPool, err := certlib.LoadFullCertPool(cfg.caFile, cfg.intFile)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to build combined pool: %w", err)
 	}
 
-	chain, err := certlib.ParseCertificatesPEM(fileData)
+	opts := &lib.FetcherOpts{
+		Roots:      combinedPool,
+		SkipVerify: cfg.skipVerify,
+	}
+
+	chain, err := lib.GetCertificateChain(flag.Arg(0), opts)
 	if err != nil {
 		return err
 	}

cmd/rhash/main.go

@@ -9,6 +9,7 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
+	"time"
 
 	"git.wntrmute.dev/kyle/goutils/ahash"
 	"git.wntrmute.dev/kyle/goutils/die"
@@ -82,8 +83,13 @@ func main() {
 			_, _ = lib.Warn(reqErr, "building request for %s", remote)
 			continue
 		}
-		client := &http.Client{}
-		resp, err := client.Do(req)
+		// Use proxy-aware HTTP client with a reasonable timeout for connects/handshakes
+		httpClient, err := lib.NewHTTPClient(lib.DialerOpts{Timeout: 30 * time.Second})
+		if err != nil {
+			_, _ = lib.Warn(err, "building HTTP client for %s", remote)
+			continue
+		}
+		resp, err := httpClient.Do(req)
 		if err != nil {
 			_, _ = lib.Warn(err, "fetching %s", remote)
 			continue

cmd/ski/main.go

@@ -13,7 +13,6 @@ import (
 	"fmt"
 	"io"
 	"os"
-	"strings"
 
 	"git.wntrmute.dev/kyle/goutils/certlib"
 	"git.wntrmute.dev/kyle/goutils/die"
@@ -32,10 +31,10 @@ Usage:
 	ski [-hm] files...
 
 Flags:
+	-d  Hex encoding mode.
 	-h	Print this help message.
 	-m	All SKIs should match; as soon as an SKI mismatch is found,
 		it is reported.
-
 `)
 }
 
@@ -145,15 +144,8 @@ func parseCSR(data []byte) ([]byte, string) {
 	return public, kt
 }
 
-func dumpHex(in []byte) string {
-	var s string
-	var sSb153 strings.Builder
-	for i := range in {
-		sSb153.WriteString(fmt.Sprintf("%02X:", in[i]))
-	}
-	s += sSb153.String()
-
-	return strings.Trim(s, ":")
+func dumpHex(in []byte, mode lib.HexEncodeMode) string {
+	return lib.HexEncode(in, mode)
 }
 
 type subjectPublicKeyInfo struct {
@@ -163,10 +155,14 @@ type subjectPublicKeyInfo struct {
 
 func main() {
 	var help, shouldMatch bool
+	var displayModeString string
+	flag.StringVar(&displayModeString, "d", "lower", "hex encoding mode")
 	flag.BoolVar(&help, "h", false, "print a help message and exit")
 	flag.BoolVar(&shouldMatch, "m", false, "all SKIs should match")
 	flag.Parse()
 
+	displayMode := lib.ParseHexEncodeMode(displayModeString)
+
 	if help {
 		usage(os.Stdout)
 		os.Exit(0)
@@ -184,7 +180,7 @@ func main() {
 		}
 
 		pubHash := sha1.Sum(subPKI.SubjectPublicKey.Bytes) // #nosec G401 this is the standard
-		pubHashString := dumpHex(pubHash[:])
+		pubHashString := dumpHex(pubHash[:], displayMode)
 		if ski == "" {
 			ski = pubHashString
 		}

cmd/stealchain/main.go

@@ -11,6 +11,7 @@ import (
 	"os"
 
 	"git.wntrmute.dev/kyle/goutils/die"
+	"git.wntrmute.dev/kyle/goutils/lib"
 )
 
 func main() {
@@ -44,15 +45,10 @@ func main() {
 		if err != nil {
 			site += ":443"
 		}
-		d := &tls.Dialer{Config: cfg}
-		nc, err := d.DialContext(context.Background(), "tcp", site)
+		// Use proxy-aware TLS dialer
+		conn, err := lib.DialTLS(context.Background(), site, lib.DialerOpts{TLSConfig: cfg})
 		die.If(err)
 
-		conn, ok := nc.(*tls.Conn)
-		if !ok {
-			die.With("invalid TLS connection (not a *tls.Conn)")
-		}
-
 		cs := conn.ConnectionState()
 		var chain []byte
 

cmd/tlsinfo/main.go

@@ -9,6 +9,7 @@ import (
 
 	"git.wntrmute.dev/kyle/goutils/certlib/hosts"
 	"git.wntrmute.dev/kyle/goutils/die"
+	"git.wntrmute.dev/kyle/goutils/lib"
 )
 
 func main() {
@@ -20,18 +21,14 @@ func main() {
 	hostPort, err := hosts.ParseHost(os.Args[1])
 	die.If(err)
 
-	d := &tls.Dialer{Config: &tls.Config{
-		InsecureSkipVerify: true,
-	}} // #nosec G402
-
-	nc, err := d.DialContext(context.Background(), "tcp", hostPort.String())
+	// Use proxy-aware TLS dialer; skip verification as before
+	conn, err := lib.DialTLS(
+		context.Background(),
+		hostPort.String(),
+		lib.DialerOpts{TLSConfig: &tls.Config{InsecureSkipVerify: true}},
+	) // #nosec G402
 	die.If(err)
 
-	conn, ok := nc.(*tls.Conn)
-	if !ok {
-		die.With("invalid TLS connection (not a *tls.Conn)")
-	}
-
 	defer conn.Close()
 
 	state := conn.ConnectionState()

go.mod

@@ -6,7 +6,8 @@ require (
 	github.com/hashicorp/go-syslog v1.0.0
 	github.com/kr/text v0.2.0
 	github.com/pkg/sftp v1.12.0
-	golang.org/x/crypto v0.44.0
+	golang.org/x/crypto v0.39.0
+	golang.org/x/net v0.38.0
 	golang.org/x/sys v0.38.0
 	gopkg.in/yaml.v2 v2.4.0
 )
@@ -15,6 +16,7 @@ require (
 	github.com/benbjohnson/clock v1.3.5
 	github.com/davecgh/go-spew v1.1.1
 	github.com/google/certificate-transparency-go v1.0.21
+	rsc.io/qr v0.2.0
 )
 
 require (
@@ -22,5 +24,4 @@ require (
 	github.com/kr/pretty v0.1.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
-	rsc.io/qr v0.2.0 // indirect
 )

go.sum

@@ -27,13 +27,19 @@ github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
+golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
 golang.org/x/crypto v0.44.0 h1:A97SsFvM3AIwEEmTBiaxPPTYpDC47w720rdiiUvgoAU=
 golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
 golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
 golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
 golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

lib/dialer.go

@@ -0,0 +1,452 @@
+// Package lib contains reusable helpers. This file provides proxy-aware
+// dialers for plain TCP and TLS connections using environment variables.
+//
+// Supported proxy environment variables (checked case-insensitively):
+//   - SOCKS5_PROXY  (e.g., socks5://user:pass@host:1080)
+//   - HTTPS_PROXY   (e.g., https://user:pass@host:443)
+//   - HTTP_PROXY    (e.g., http://user:pass@host:3128)
+//
+// Precedence when multiple proxies are set (both for net and TLS dialers):
+//  1. SOCKS5_PROXY
+//  2. HTTPS_PROXY
+//  3. HTTP_PROXY
+//
+// Both uppercase and lowercase variable names are honored.
+package lib
+
+import (
+	"bufio"
+	"context"
+	"crypto/tls"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+	"time"
+
+	xproxy "golang.org/x/net/proxy"
+)
+
+// DialerOpts controls creation of proxy-aware dialers.
+//
+// Timeout controls the maximum amount of time spent establishing the
+// underlying TCP connection and any proxy handshake. If zero, a
+// reasonable default (30s) is used.
+//
+// TLSConfig is used by the TLS dialer to configure the TLS handshake to
+// the target endpoint. If TLSConfig.ServerName is empty, it will be set
+// from the host portion of the address passed to DialContext.
+type DialerOpts struct {
+	Timeout   time.Duration
+	TLSConfig *tls.Config
+}
+
+// ContextDialer matches the common DialContext signature used by net and tls dialers.
+type ContextDialer interface {
+	DialContext(ctx context.Context, network, address string) (net.Conn, error)
+}
+
+// DialTCP is a convenience helper that dials a TCP connection to address
+// using a proxy-aware dialer derived from opts. It honors SOCKS5_PROXY,
+// HTTPS_PROXY, and HTTP_PROXY environment variables.
+func DialTCP(ctx context.Context, address string, opts DialerOpts) (net.Conn, error) {
+	d, err := NewNetDialer(opts)
+	if err != nil {
+		return nil, err
+	}
+	return d.DialContext(ctx, "tcp", address)
+}
+
+// DialTLS is a convenience helper that dials a TLS-wrapped TCP connection to
+// address using a proxy-aware dialer derived from opts. It returns a *tls.Conn.
+// It honors SOCKS5_PROXY, HTTPS_PROXY, and HTTP_PROXY environment variables and
+// uses opts.TLSConfig for the handshake (filling ServerName from address if empty).
+func DialTLS(ctx context.Context, address string, opts DialerOpts) (*tls.Conn, error) {
+	d, err := NewTLSDialer(opts)
+	if err != nil {
+		return nil, err
+	}
+
+	c, err := d.DialContext(ctx, "tcp", address)
+	if err != nil {
+		return nil, err
+	}
+
+	tlsConn, ok := c.(*tls.Conn)
+	if !ok {
+		_ = c.Close()
+		return nil, fmt.Errorf("DialTLS: expected *tls.Conn, got %T", c)
+	}
+	return tlsConn, nil
+}
+
+// NewNetDialer returns a ContextDialer that dials TCP connections using
+// proxies discovered from the environment (SOCKS5_PROXY, HTTPS_PROXY, HTTP_PROXY).
+// The returned dialer supports context cancellation for direct and HTTP(S)
+// proxies and applies the configured timeout to connection/proxy handshake.
+func NewNetDialer(opts DialerOpts) (ContextDialer, error) {
+	if opts.Timeout <= 0 {
+		opts.Timeout = 30 * time.Second
+	}
+
+	if u := getProxyURLFromEnv("SOCKS5_PROXY"); u != nil {
+		return newSOCKS5Dialer(u, opts)
+	}
+
+	if u := getProxyURLFromEnv("HTTPS_PROXY"); u != nil {
+		return &httpProxyDialer{
+			proxyURL: u,
+			timeout:  opts.Timeout,
+			secure:   true,
+			config:   opts.TLSConfig,
+		}, nil
+	}
+
+	if u := getProxyURLFromEnv("HTTP_PROXY"); u != nil {
+		return &httpProxyDialer{
+			proxyURL: u,
+			timeout:  opts.Timeout,
+			secure:   true,
+			config:   opts.TLSConfig,
+		}, nil
+	}
+
+	// Direct dialer
+	return &net.Dialer{Timeout: opts.Timeout}, nil
+}
+
+// NewTLSDialer returns a ContextDialer that establishes a TLS connection to
+// the destination, while honoring SOCKS5_PROXY/HTTPS_PROXY/HTTP_PROXY.
+//
+// The returned dialer performs proxy negotiation (if any), then completes a
+// TLS handshake to the target using opts.TLSConfig.
+func NewTLSDialer(opts DialerOpts) (ContextDialer, error) {
+	if opts.Timeout <= 0 {
+		opts.Timeout = 30 * time.Second
+	}
+
+	// Prefer SOCKS5 if present.
+	if u := getProxyURLFromEnv("SOCKS5_PROXY"); u != nil {
+		base, err := newSOCKS5Dialer(u, opts)
+		if err != nil {
+			return nil, err
+		}
+		return &tlsWrappingDialer{base: base, tcfg: opts.TLSConfig, timeout: opts.Timeout}, nil
+	}
+
+	// For TLS, prefer HTTPS proxy over HTTP if both set.
+	if u := getProxyURLFromEnv("HTTPS_PROXY"); u != nil {
+		base := &httpProxyDialer{
+			proxyURL: u,
+			timeout:  opts.Timeout,
+			secure:   true,
+			config:   opts.TLSConfig,
+		}
+		return &tlsWrappingDialer{base: base, tcfg: opts.TLSConfig, timeout: opts.Timeout}, nil
+	}
+	if u := getProxyURLFromEnv("HTTP_PROXY"); u != nil {
+		base := &httpProxyDialer{
+			proxyURL: u,
+			timeout:  opts.Timeout,
+			secure:   true,
+			config:   opts.TLSConfig,
+		}
+		return &tlsWrappingDialer{base: base, tcfg: opts.TLSConfig, timeout: opts.Timeout}, nil
+	}
+
+	// Direct TLS
+	base := &net.Dialer{Timeout: opts.Timeout}
+	return &tlsWrappingDialer{base: base, tcfg: opts.TLSConfig, timeout: opts.Timeout}, nil
+}
+
+// ---- Implementation helpers ----
+
+func getProxyURLFromEnv(name string) *url.URL {
+	// check both upper/lowercase
+	v := os.Getenv(name)
+	if v == "" {
+		v = os.Getenv(strings.ToLower(name))
+	}
+	if v == "" {
+		return nil
+	}
+	// If scheme omitted, infer from env var name.
+	if !strings.Contains(v, "://") {
+		switch strings.ToUpper(name) {
+		case "SOCKS5_PROXY":
+			v = "socks5://" + v
+		case "HTTPS_PROXY":
+			v = "https://" + v
+		default:
+			v = "http://" + v
+		}
+	}
+	u, err := url.Parse(v)
+	if err != nil {
+		return nil
+	}
+	return u
+}
+
+// NewHTTPClient returns an *http.Client that is proxy-aware.
+//
+// Behavior:
+//   - If SOCKS5_PROXY is set, the client routes all TCP connections through the
+//     SOCKS5 proxy using a custom DialContext, and disables HTTP(S) proxying in
+//     the transport (per our precedence SOCKS5 > HTTPS > HTTP).
+//   - Otherwise, it uses http.ProxyFromEnvironment which supports HTTP_PROXY,
+//     HTTPS_PROXY, and NO_PROXY/no_proxy.
+//   - Connection and TLS handshake timeouts are derived from opts.Timeout.
+//   - For HTTPS targets, opts.TLSConfig is applied to the transport.
+func NewHTTPClient(opts DialerOpts) (*http.Client, error) {
+	if opts.Timeout <= 0 {
+		opts.Timeout = 30 * time.Second
+	}
+
+	// Base transport configuration
+	tr := &http.Transport{
+		TLSClientConfig:     opts.TLSConfig,
+		TLSHandshakeTimeout: opts.Timeout,
+		// Leave other fields as Go defaults for compatibility.
+	}
+
+	// If SOCKS5 is configured, use our dialer and disable HTTP proxying to
+	// avoid double-proxying. Otherwise, rely on ProxyFromEnvironment for
+	// HTTP(S) proxies and still set a connect timeout via net.Dialer.
+	if u := getProxyURLFromEnv("SOCKS5_PROXY"); u != nil {
+		d, err := newSOCKS5Dialer(u, opts)
+		if err != nil {
+			return nil, err
+		}
+		tr.Proxy = nil
+		tr.DialContext = func(ctx context.Context, network, address string) (net.Conn, error) {
+			return d.DialContext(ctx, network, address)
+		}
+	} else {
+		tr.Proxy = http.ProxyFromEnvironment
+		// Use a standard net.Dialer to ensure we apply a connect timeout.
+		nd := &net.Dialer{Timeout: opts.Timeout}
+		tr.DialContext = nd.DialContext
+	}
+
+	// Construct client; we don't set Client.Timeout here to avoid affecting
+	// streaming responses. Callers can set it if they want an overall deadline.
+	return &http.Client{Transport: tr}, nil
+}
+
+// httpProxyDialer implements CONNECT tunneling over HTTP or HTTPS proxy.
+type httpProxyDialer struct {
+	proxyURL *url.URL
+	timeout  time.Duration
+	secure   bool // true for HTTPS proxy
+	config   *tls.Config
+}
+
+func (d *httpProxyDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
+	if !strings.HasPrefix(network, "tcp") {
+		return nil, fmt.Errorf("http proxy dialer only supports TCP, got %q", network)
+	}
+
+	// Dial to proxy
+	var nd = &net.Dialer{Timeout: d.timeout}
+	proxyAddr := d.proxyURL.Host
+	if !strings.Contains(proxyAddr, ":") {
+		if d.secure {
+			proxyAddr += ":443"
+		} else {
+			proxyAddr += ":80"
+		}
+	}
+	conn, err := nd.DialContext(ctx, "tcp", proxyAddr)
+	if err != nil {
+		return nil, err
+	}
+
+	// Deadline covering CONNECT and (for TLS wrapper) will be handled by caller too.
+	if d.timeout > 0 {
+		_ = conn.SetDeadline(time.Now().Add(d.timeout))
+	}
+
+	// If HTTPS proxy, wrap with TLS to the proxy itself.
+	if d.secure {
+		host := d.proxyURL.Hostname()
+		d.config.ServerName = host
+		tlsConn := tls.Client(conn, d.config)
+		if err = tlsConn.HandshakeContext(ctx); err != nil {
+			_ = conn.Close()
+			return nil, fmt.Errorf("tls handshake with https proxy failed: %w", err)
+		}
+		conn = tlsConn
+	}
+
+	req := buildConnectRequest(d.proxyURL, address)
+	if _, err = conn.Write([]byte(req)); err != nil {
+		_ = conn.Close()
+		return nil, fmt.Errorf("failed to write CONNECT request: %w", err)
+	}
+
+	// Read proxy response until end of headers
+	br := bufio.NewReader(conn)
+	statusLine, err := br.ReadString('\n')
+	if err != nil {
+		_ = conn.Close()
+		return nil, fmt.Errorf("failed to read CONNECT response: %w", err)
+	}
+
+	if !strings.HasPrefix(statusLine, "HTTP/") {
+		_ = conn.Close()
+		return nil, fmt.Errorf("invalid proxy response: %q", strings.TrimSpace(statusLine))
+	}
+
+	if !strings.Contains(statusLine, " 200 ") && !strings.HasSuffix(strings.TrimSpace(statusLine), " 200") {
+		// Drain headers for context
+		_ = drainHeaders(br)
+		_ = conn.Close()
+		return nil, fmt.Errorf("proxy CONNECT failed: %s", strings.TrimSpace(statusLine))
+	}
+
+	if err = drainHeaders(br); err != nil {
+		_ = conn.Close()
+		return nil, err
+	}
+
+	// Clear deadline for caller to manage further I/O.
+	_ = conn.SetDeadline(time.Time{})
+	return conn, nil
+}
+
+func buildConnectRequest(proxyURL *url.URL, target string) string {
+	var b strings.Builder
+	fmt.Fprintf(&b, "CONNECT %s HTTP/1.1\r\n", target)
+	fmt.Fprintf(&b, "Host: %s\r\n", target)
+	b.WriteString("Proxy-Connection: Keep-Alive\r\n")
+	b.WriteString("User-Agent: goutils-dialer/1\r\n")
+
+	if proxyURL.User != nil {
+		user := proxyURL.User.Username()
+		pass, _ := proxyURL.User.Password()
+		auth := base64.StdEncoding.EncodeToString([]byte(user + ":" + pass))
+		fmt.Fprintf(&b, "Proxy-Authorization: Basic %s\r\n", auth)
+	}
+	b.WriteString("\r\n")
+	return b.String()
+}
+
+func drainHeaders(br *bufio.Reader) error {
+	for {
+		line, err := br.ReadString('\n')
+		if err != nil {
+			return fmt.Errorf("reading proxy headers: %w", err)
+		}
+		if line == "\r\n" || line == "\n" {
+			return nil
+		}
+	}
+}
+
+// newSOCKS5Dialer builds a context-aware wrapper over the x/net/proxy dialer.
+func newSOCKS5Dialer(u *url.URL, opts DialerOpts) (ContextDialer, error) {
+	var auth *xproxy.Auth
+	if u.User != nil {
+		user := u.User.Username()
+		pass, _ := u.User.Password()
+		auth = &xproxy.Auth{User: user, Password: pass}
+	}
+	forward := &net.Dialer{Timeout: opts.Timeout}
+	d, err := xproxy.SOCKS5("tcp", hostPortWithDefault(u, "1080"), auth, forward)
+	if err != nil {
+		return nil, err
+	}
+	return &socks5ContextDialer{d: d, timeout: opts.Timeout}, nil
+}
+
+type socks5ContextDialer struct {
+	d       xproxy.Dialer // lacks context; we wrap it
+	timeout time.Duration
+}
+
+func (s *socks5ContextDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
+	if !strings.HasPrefix(network, "tcp") {
+		return nil, errors.New("socks5 dialer only supports TCP")
+	}
+	// Best-effort context support: run the non-context dial in a goroutine
+	// and respect ctx cancellation/timeout.
+	type result struct {
+		c   net.Conn
+		err error
+	}
+	ch := make(chan result, 1)
+	go func() {
+		c, err := s.d.Dial("tcp", address)
+		ch <- result{c: c, err: err}
+	}()
+
+	select {
+	case <-ctx.Done():
+		return nil, ctx.Err()
+	case r := <-ch:
+		return r.c, r.err
+	}
+}
+
+// tlsWrappingDialer performs a TLS handshake over an existing base dialer.
+type tlsWrappingDialer struct {
+	base    ContextDialer
+	tcfg    *tls.Config
+	timeout time.Duration
+}
+
+func (t *tlsWrappingDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
+	if !strings.HasPrefix(network, "tcp") {
+		return nil, fmt.Errorf("tls dialer only supports TCP, got %q", network)
+	}
+	raw, err := t.base.DialContext(ctx, network, address)
+	if err != nil {
+		return nil, err
+	}
+
+	// Apply deadline for handshake.
+	if t.timeout > 0 {
+		_ = raw.SetDeadline(time.Now().Add(t.timeout))
+	}
+
+	var h string
+	host := address
+
+	if h, _, err = net.SplitHostPort(address); err == nil {
+		host = h
+	}
+	var cfg *tls.Config
+	if t.tcfg != nil {
+		// Clone to avoid copying internal locks and to prevent mutating caller's config.
+		c := t.tcfg.Clone()
+		if c.ServerName == "" {
+			c.ServerName = host
+		}
+		cfg = c
+	} else {
+		cfg = &tls.Config{ServerName: host} // #nosec G402 - intentional
+	}
+
+	tlsConn := tls.Client(raw, cfg)
+	if err = tlsConn.HandshakeContext(ctx); err != nil {
+		_ = raw.Close()
+		return nil, err
+	}
+
+	// Clear deadline after successful handshake
+	_ = tlsConn.SetDeadline(time.Time{})
+	return tlsConn, nil
+}
+
+func hostPortWithDefault(u *url.URL, defPort string) string {
+	host := u.Host
+	if !strings.Contains(host, ":") {
+		host += ":" + defPort
+	}
+	return host
+}

lib/fetch.go

@@ -0,0 +1,172 @@
+package lib
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"io"
+	"net"
+	"os"
+
+	"git.wntrmute.dev/kyle/goutils/certlib"
+	"git.wntrmute.dev/kyle/goutils/certlib/hosts"
+	"git.wntrmute.dev/kyle/goutils/fileutil"
+)
+
+// FetcherOpts are options for fetching certificates. They are only applicable to ServerFetcher.
+type FetcherOpts struct {
+	SkipVerify bool
+	Roots      *x509.CertPool
+}
+
+func (fo *FetcherOpts) TLSConfig() *tls.Config {
+	return &tls.Config{
+		InsecureSkipVerify: fo.SkipVerify, // #nosec G402 - intentional
+		RootCAs:            fo.Roots,
+	}
+}
+
+// Fetcher is an interface for fetching certificates from a remote source. It
+// currently supports fetching from a server or a file.
+type Fetcher interface {
+	Get() (*x509.Certificate, error)
+	GetChain() ([]*x509.Certificate, error)
+	String() string
+}
+
+type ServerFetcher struct {
+	host     string
+	port     int
+	insecure bool
+	roots    *x509.CertPool
+}
+
+// WithRoots sets the roots for the ServerFetcher.
+func WithRoots(roots *x509.CertPool) func(*ServerFetcher) {
+	return func(sf *ServerFetcher) {
+		sf.roots = roots
+	}
+}
+
+// WithSkipVerify sets the insecure flag for the ServerFetcher.
+func WithSkipVerify() func(*ServerFetcher) {
+	return func(sf *ServerFetcher) {
+		sf.insecure = true
+	}
+}
+
+// ParseServer parses a server string into a ServerFetcher. It can be a URL or a
+// a host:port pair.
+func ParseServer(host string) (*ServerFetcher, error) {
+	target, err := hosts.ParseHost(host)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse server: %w", err)
+	}
+
+	return &ServerFetcher{
+		host: target.Host,
+		port: target.Port,
+	}, nil
+}
+
+func (sf *ServerFetcher) String() string {
+	return fmt.Sprintf("tls://%s", net.JoinHostPort(sf.host, Itoa(sf.port, -1)))
+}
+
+func (sf *ServerFetcher) GetChain() ([]*x509.Certificate, error) {
+	opts := DialerOpts{
+		TLSConfig: &tls.Config{
+			InsecureSkipVerify: sf.insecure, // #nosec G402 - no shit sherlock
+			RootCAs:            sf.roots,
+		},
+	}
+
+	conn, err := DialTLS(context.Background(), net.JoinHostPort(sf.host, Itoa(sf.port, -1)), opts)
+	if err != nil {
+		return nil, fmt.Errorf("failed to dial server: %w", err)
+	}
+	defer conn.Close()
+
+	state := conn.ConnectionState()
+	return state.PeerCertificates, nil
+}
+
+func (sf *ServerFetcher) Get() (*x509.Certificate, error) {
+	certs, err := sf.GetChain()
+	if err != nil {
+		return nil, err
+	}
+
+	return certs[0], nil
+}
+
+type FileFetcher struct {
+	path string
+}
+
+func NewFileFetcher(path string) *FileFetcher {
+	return &FileFetcher{
+		path: path,
+	}
+}
+
+func (ff *FileFetcher) String() string {
+	return ff.path
+}
+
+func (ff *FileFetcher) GetChain() ([]*x509.Certificate, error) {
+	if ff.path == "-" {
+		certData, err := io.ReadAll(os.Stdin)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read from stdin: %w", err)
+		}
+
+		return certlib.ParseCertificatesPEM(certData)
+	}
+
+	certs, err := certlib.LoadCertificates(ff.path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load chain: %w", err)
+	}
+
+	return certs, nil
+}
+
+func (ff *FileFetcher) Get() (*x509.Certificate, error) {
+	certs, err := ff.GetChain()
+	if err != nil {
+		return nil, err
+	}
+
+	return certs[0], nil
+}
+
+// GetCertificateChain fetches a certificate chain from a remote source.
+func GetCertificateChain(spec string, opts *FetcherOpts) ([]*x509.Certificate, error) {
+	if fileutil.FileDoesExist(spec) {
+		return NewFileFetcher(spec).GetChain()
+	}
+
+	fetcher, err := ParseServer(spec)
+	if err != nil {
+		return nil, err
+	}
+
+	if opts != nil {
+		fetcher.insecure = opts.SkipVerify
+		fetcher.roots = opts.Roots
+	}
+
+	return fetcher.GetChain()
+}
+
+// GetCertificate fetches the first certificate from a certificate chain.
+func GetCertificate(spec string, opts *FetcherOpts) (*x509.Certificate, error) {
+	certs, err := GetCertificateChain(spec, opts)
+	if err != nil {
+		return nil, err
+	}
+
+	return certs[0], nil
+}

lib/lib.go

@@ -1,4 +1,3 @@
-// Package lib contains functions useful for most programs.
 package lib
 
 import (
@@ -125,6 +124,8 @@ const (
 	// HexEncodeUpperColon prints the bytes as uppercase hexadecimal
 	// with colons between each pair of bytes.
 	HexEncodeUpperColon
+	// HexEncodeBytes prints the string as a sequence of []byte.
+	HexEncodeBytes
 )
 
 func (m HexEncodeMode) String() string {
@@ -137,6 +138,8 @@ func (m HexEncodeMode) String() string {
 		return "lcolon"
 	case HexEncodeUpperColon:
 		return "ucolon"
+	case HexEncodeBytes:
+		return "bytes"
 	default:
 		panic("invalid hex encode mode")
 	}
@@ -152,6 +155,8 @@ func ParseHexEncodeMode(s string) HexEncodeMode {
 		return HexEncodeLowerColon
 	case "ucolon":
 		return HexEncodeUpperColon
+	case "bytes":
+		return HexEncodeBytes
 	}
 
 	panic("invalid hex encode mode")
@@ -202,6 +207,17 @@ func hexEncode(b []byte) string {
 	return s
 }
 
+func bytesAsByteSliceString(buf []byte) string {
+	sb := &strings.Builder{}
+	sb.WriteString("[]byte{")
+	for i := range buf {
+		fmt.Fprintf(sb, "0x%02x, ", buf[i])
+	}
+	sb.WriteString("}")
+
+	return sb.String()
+}
+
 // HexEncode encodes the given bytes as a hexadecimal string.
 func HexEncode(b []byte, mode HexEncodeMode) string {
 	str := hexEncode(b)
@@ -215,6 +231,8 @@ func HexEncode(b []byte, mode HexEncodeMode) string {
 		return hexColons(str)
 	case HexEncodeUpperColon:
 		return strings.ToUpper(hexColons(str))
+	case HexEncodeBytes:
+		return bytesAsByteSliceString(b)
 	default:
 		panic("invalid hex encode mode")
 	}

release-docker.sh

@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+
+# Release Docker image for kisom/goutils using the Dockerfile in the repo root.
+#
+# Behavior:
+# - Determines the git tag that points to HEAD. If no tag points to HEAD, aborts.
+# - Builds the Docker image from the top-level Dockerfile.
+# - Tags the image as kisom/goutils:<TAG> and kisom/goutils:latest.
+# - Pushes both tags.
+#
+# Usage:
+#   ./release-docker.sh
+
+set -euo pipefail
+
+err() { printf "Error: %s\n" "$*" >&2; }
+info() { printf "==> %s\n" "$*"; }
+
+# Ensure we're inside a git repository and operate from the repo root.
+if ! REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null); then
+  err "This script must be run within a git repository."
+  exit 1
+fi
+cd "$REPO_ROOT"
+
+IMAGE_REPO="kisom/goutils"
+DOCKERFILE_PATH="$REPO_ROOT/Dockerfile"
+
+if [[ ! -f "$DOCKERFILE_PATH" ]]; then
+  err "Dockerfile not found at repository root: $DOCKERFILE_PATH"
+  err "Create a top-level Dockerfile or adjust this script before releasing."
+  exit 1
+fi
+
+# Find tags that point to HEAD.
+if ! TAGS=$(git tag --points-at HEAD); then
+  err "Unable to query git tags."
+  exit 1
+fi
+
+if [[ -z "$TAGS" ]]; then
+  err "No git tag points at HEAD. Aborting release."
+  exit 1
+fi
+
+# Use the first tag if multiple are present; warn the user.
+# Avoid readarray for broader Bash compatibility (e.g., macOS Bash 3.2).
+TAG_ARRAY=($TAGS)
+TAG="${TAG_ARRAY[0]}"
+
+if (( ${#TAG_ARRAY[@]} > 1 )); then
+  info "Multiple tags point at HEAD: ${TAG_ARRAY[*]}"
+  info "Using first tag: $TAG"
+fi
+
+info "Releasing Docker image for tag: $TAG"
+
+IMAGE_TAGGED="$IMAGE_REPO:$TAG"
+IMAGE_LATEST="$IMAGE_REPO:latest"
+
+info "Building image from $DOCKERFILE_PATH"
+docker build -f "$DOCKERFILE_PATH" -t "$IMAGE_TAGGED" -t "$IMAGE_LATEST" "$REPO_ROOT"
+
+info "Pushing $IMAGE_TAGGED"
+docker push "$IMAGE_TAGGED"
+
+info "Pushing $IMAGE_LATEST"
+docker push "$IMAGE_LATEST"
+
+info "Release complete."