Add certgen.TestCA for in-memory test certificate infrastructure

Provides a P-256 CA that issues leaf certificates for TLS testing
with full verification enabled. No files written to disk.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.golangci.yml

@@ -101,7 +101,7 @@ linters:
     - loggercheck # checks key value pairs for common logger libraries (kitlog,klog,logr,zap)
     - makezero # finds slice declarations with non-zero initial length
     - mirror # reports wrong mirror patterns of bytes/strings usage
-    - mnd # detects magic numbers
+    # - mnd # detects magic numbers
     - modernize # suggests simplifications to Go code, using modern language and library features
     - musttag # enforces field tags in (un)marshaled structs
     - nakedret # finds naked returns in functions greater than a specified function length
@@ -488,6 +488,8 @@ linters:
         linters: [ exhaustive, mnd, revive ]
       - path: 'backoff/backoff_test.go'
         linters: [ testpackage ]
+      - path: "cmd/kgz/main.go"
+        linters: [ unconvert ]
       - path: 'dbg/dbg_test.go'
         linters: [ testpackage ]
       - path: 'log/logger.go'

CHANGELOG

@@ -1,12 +1,108 @@
 CHANGELOG
 
-v1.14.7 - 2025-11-18
+v1.19.0 - 2026-02-12
+
+Added:
+- certlib/dump: DisplayCSR function for dumping Certificate Signing Request information.
+- certlib: MatchKeysCSR function for testing if a CSR's public key matches a private key.
+
+v1.18.0 - 2025-11-21
 
 Changed:
+- disable unconvert for kgz, as various platforms complain about it.
+
+v1.17.2 - 2025-11-21
+
+Note: 1.17.2 was a mangled release.
+
+Changed:
+- certlib: fix request configs in testdata.
+
+v1.17.1 - 2025-11-21
+
+Changed:
+- certlib: various code cleanups.
+
+v1.17.0 - 2025-11-21
+
+Added:
+- cmd/bcuz: unzips bandcamp archives.
+
+Changed:
+- certlib: ergonomic improvements.
+
+v1.16.3 - 2025-11-21
+
+Changed:
+- msg: fixups and testing.
+
+v1.16.2 - 2025-11-21
+
+Changed:
+- msg: fill debug null pointer deref.
+
+v1.16.1 - 2025-11-21
+
+Changed:
+- msg: rename functions for ergonomics.
+
+v1.16.0 - 2025-11-20
+
+Added:
+- msg: package for command line outputs.
+
+Changed:
+- lib: add DummyWriteCloser
+- Miscellaneous linter fixes and documentation updates.
+
+v1.15.8 - 2025-11-20
+
+Changed:
+- certlib: fix CSR FileKind, add test cases.
+
+v1.15.7 - 2025-11-19
+
+Changed:
+- certlib: update FileKind with algo information and fix bug where PEM
+  files didn't have their algorithm set.
+- certlib/certgen: GenerateKey had the blocks for Ed25519 and RSA keys
+  swapped.
+- cmd/tlsinfo: fix type in output.
+
+v1.15.6 - 2025-11-19
+certlib: add FileKind function to determine file type.
+
+v1.15.5 - 2025-11-19
+certlib/bundler: add support for crt files that are pem-encoded.
+
+v1.15.4 - 2025-11-19
+Quality of life fixes for CSR generation.
+
+v1.15.3 - 2025-11-19
+Minor bug fixes.
+
+v1.15.2 - 2025-11-19
+Minor bug fixes.
+
+v1.15.1 - 2025-11-19
+
+Changed:
+- linter fixes.
+
+Removed:
+- mnd removed from linter.
+
+v1.15.0 - 2025-11-19
+
+Changed:
+- lib: fetcher and dialer moved to separate packages.
 - cmd/ca-signed: cleaned up code internally.
 - lib: add base64 encoding to HexEncode.
 - linter fixes.
 
+Added:
+- certlib/certgen: add support for generating and signing certificates.
+
 v1.14.6 - 2025-11-18
 
 Added:

README.md

@@ -84,6 +84,7 @@ Contents:
     lib/            Commonly-useful functions for writing Go programs.
     log/            A syslog library.
     logging/        A logging library.
+    msg/            Output library for command line programs.
     mwc/            MultiwriteCloser implementation.
     sbuf/           A byte buffer that can be wiped.
     seekbuf/        A read-seekable byte buffer.

certlib/bundler/bundler.go

@@ -422,6 +422,24 @@ func encodeCertsToFiles(
 			name:    baseName + ".pem",
 			content: pemContent,
 		})
+	case "crt":
+		pemContent := encodeCertsToPEM(certs)
+		files = append(files, fileEntry{
+			name:    baseName + ".crt",
+			content: pemContent,
+		})
+	case "pemcrt":
+		pemContent := encodeCertsToPEM(certs)
+		files = append(files, fileEntry{
+			name:    baseName + ".pem",
+			content: pemContent,
+		})
+
+		pemContent = encodeCertsToPEM(certs)
+		files = append(files, fileEntry{
+			name:    baseName + ".crt",
+			content: pemContent,
+		})
 	case "der":
 		if isSingle {
 			// For single file in DER, concatenate all cert DER bytes
@@ -430,13 +448,13 @@ func encodeCertsToFiles(
 				derContent = append(derContent, cert.Raw...)
 			}
 			files = append(files, fileEntry{
-				name:    baseName + ".crt",
+				name:    baseName + ".cer",
 				content: derContent,
 			})
 		} else if len(certs) > 0 {
 			// Individual DER file (should only have one cert)
 			files = append(files, fileEntry{
-				name:    baseName + ".crt",
+				name:    baseName + ".cer",
 				content: certs[0].Raw,
 			})
 		}
@@ -454,17 +472,17 @@ func encodeCertsToFiles(
 				derContent = append(derContent, cert.Raw...)
 			}
 			files = append(files, fileEntry{
-				name:    baseName + ".crt",
+				name:    baseName + ".cer",
 				content: derContent,
 			})
 		} else if len(certs) > 0 {
 			files = append(files, fileEntry{
-				name:    baseName + ".crt",
+				name:    baseName + ".cer",
 				content: certs[0].Raw,
 			})
 		}
 	default:
-		return nil, fmt.Errorf("unsupported encoding: %s (must be 'pem', 'der', or 'both')", encoding)
+		return nil, fmt.Errorf("unsupported encoding: %s (must be 'pem', 'der', 'both', 'crt', 'pemcrt')", encoding)
 	}
 
 	return files, nil

certlib/certgen/config.go

@@ -0,0 +1,276 @@
+package certgen
+
+import (
+	"crypto"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"fmt"
+	"math/big"
+	"net"
+	"slices"
+	"strings"
+	"time"
+
+	"git.wntrmute.dev/kyle/goutils/lib"
+)
+
+type KeySpec struct {
+	Algorithm string `yaml:"algorithm"`
+	Size      int    `yaml:"size"`
+}
+
+func (ks KeySpec) String() string {
+	if strings.ToLower(ks.Algorithm) == nameEd25519 {
+		return nameEd25519
+	}
+
+	return fmt.Sprintf("%s-%d", ks.Algorithm, ks.Size)
+}
+
+func (ks KeySpec) Generate() (crypto.PublicKey, crypto.PrivateKey, error) {
+	switch strings.ToLower(ks.Algorithm) {
+	case "rsa":
+		return GenerateKey(x509.RSA, ks.Size)
+	case "ecdsa":
+		return GenerateKey(x509.ECDSA, ks.Size)
+	case nameEd25519:
+		return GenerateKey(x509.Ed25519, 0)
+	default:
+		return nil, nil, fmt.Errorf("unknown key algorithm: %s", ks.Algorithm)
+	}
+}
+
+func (ks KeySpec) SigningAlgorithm() (x509.SignatureAlgorithm, error) {
+	switch strings.ToLower(ks.Algorithm) {
+	case "rsa":
+		return x509.SHA512WithRSAPSS, nil
+	case "ecdsa":
+		return x509.ECDSAWithSHA512, nil
+	case nameEd25519:
+		return x509.PureEd25519, nil
+	default:
+		return 0, fmt.Errorf("unknown key algorithm: %s", ks.Algorithm)
+	}
+}
+
+type Subject struct {
+	CommonName         string   `yaml:"common_name"`
+	Country            string   `yaml:"country"`
+	Locality           string   `yaml:"locality"`
+	Province           string   `yaml:"province"`
+	Organization       string   `yaml:"organization"`
+	OrganizationalUnit string   `yaml:"organizational_unit"`
+	Email              []string `yaml:"email"`
+	DNSNames           []string `yaml:"dns"`
+	IPAddresses        []string `yaml:"ips"`
+}
+
+type CertificateRequest struct {
+	KeySpec KeySpec `yaml:"key"`
+	Subject Subject `yaml:"subject"`
+	Profile Profile `yaml:"profile"`
+}
+
+func (cs CertificateRequest) Request(priv crypto.PrivateKey) (*x509.CertificateRequest, error) {
+	subject := pkix.Name{}
+	subject.CommonName = cs.Subject.CommonName
+	subject.Country = []string{cs.Subject.Country}
+	subject.Locality = []string{cs.Subject.Locality}
+	subject.Province = []string{cs.Subject.Province}
+	subject.Organization = []string{cs.Subject.Organization}
+	subject.OrganizationalUnit = []string{cs.Subject.OrganizationalUnit}
+
+	ipAddresses := make([]net.IP, 0, len(cs.Subject.IPAddresses))
+	for i, ip := range cs.Subject.IPAddresses {
+		ipAddresses = append(ipAddresses, net.ParseIP(ip))
+		if ipAddresses[i] == nil {
+			return nil, fmt.Errorf("invalid IP address: %s", ip)
+		}
+	}
+
+	dnsNames := cs.Subject.DNSNames
+	if isFQDN(cs.Subject.CommonName) && !slices.Contains(dnsNames, cs.Subject.CommonName) {
+		dnsNames = append(dnsNames, cs.Subject.CommonName)
+	}
+
+	req := &x509.CertificateRequest{
+		PublicKeyAlgorithm: 0,
+		PublicKey:          getPublic(priv),
+		Subject:            subject,
+		EmailAddresses:     cs.Subject.Email,
+		DNSNames:           dnsNames,
+		IPAddresses:        ipAddresses,
+	}
+
+	reqBytes, err := x509.CreateCertificateRequest(rand.Reader, req, priv)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create certificate request: %w", err)
+	}
+
+	req, err = x509.ParseCertificateRequest(reqBytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse certificate request: %w", err)
+	}
+
+	return req, nil
+}
+
+func (cs CertificateRequest) Generate() (crypto.PrivateKey, *x509.CertificateRequest, error) {
+	_, priv, err := cs.KeySpec.Generate()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	req, err := cs.Request(priv)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return priv, req, nil
+}
+
+type Profile struct {
+	IsCA                  bool     `yaml:"is_ca"`
+	PathLen               int      `yaml:"path_len"`
+	KeyUse                []string `yaml:"key_uses"`
+	ExtKeyUsages          []string `yaml:"ext_key_usages"`
+	Expiry                string   `yaml:"expiry"`
+	OCSPServer            []string `yaml:"ocsp_server,omitempty"`
+	IssuingCertificateURL []string `yaml:"issuing_certificate_url,omitempty"`
+}
+
+func (p Profile) templateFromRequest(req *x509.CertificateRequest) (*x509.Certificate, error) {
+	serial, err := SerialNumber()
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate serial number: %w", err)
+	}
+
+	expiry, err := lib.ParseDuration(p.Expiry)
+	if err != nil {
+		return nil, fmt.Errorf("parsing expiry: %w", err)
+	}
+
+	certTemplate := &x509.Certificate{
+		SignatureAlgorithm:    req.SignatureAlgorithm,
+		PublicKeyAlgorithm:    req.PublicKeyAlgorithm,
+		PublicKey:             req.PublicKey,
+		SerialNumber:          serial,
+		Subject:               req.Subject,
+		NotBefore:             time.Now().Add(-1 * time.Hour),
+		NotAfter:              time.Now().Add(expiry),
+		BasicConstraintsValid: true,
+		IsCA:                  p.IsCA,
+		MaxPathLen:            p.PathLen,
+		DNSNames:              req.DNSNames,
+		IPAddresses:           req.IPAddresses,
+	}
+
+	for _, sku := range p.KeyUse {
+		ku, ok := keyUsageStrings[sku]
+		if !ok {
+			return nil, fmt.Errorf("invalid key usage: %s", p.KeyUse)
+		}
+
+		certTemplate.KeyUsage |= ku
+	}
+
+	for _, extKeyUsage := range p.ExtKeyUsages {
+		eku, ok := extKeyUsageStrings[extKeyUsage]
+		if !ok {
+			return nil, fmt.Errorf("invalid extended key usage: %s", extKeyUsage)
+		}
+		certTemplate.ExtKeyUsage = append(certTemplate.ExtKeyUsage, eku)
+	}
+
+	if len(p.OCSPServer) > 0 {
+		certTemplate.OCSPServer = p.OCSPServer
+	}
+	if len(p.IssuingCertificateURL) > 0 {
+		certTemplate.IssuingCertificateURL = p.IssuingCertificateURL
+	}
+
+	return certTemplate, nil
+}
+
+func (p Profile) SignRequest(
+	parent *x509.Certificate,
+	req *x509.CertificateRequest,
+	priv crypto.PrivateKey,
+) (*x509.Certificate, error) {
+	tpl, err := p.templateFromRequest(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create certificate template: %w", err)
+	}
+
+	certBytes, err := x509.CreateCertificate(rand.Reader, tpl, parent, req.PublicKey, priv)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create certificate: %w", err)
+	}
+
+	cert, err := x509.ParseCertificate(certBytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse certificate: %w", err)
+	}
+
+	return cert, nil
+}
+
+func (p Profile) SelfSign(req *x509.CertificateRequest, priv crypto.PrivateKey) (*x509.Certificate, error) {
+	certTemplate, err := p.templateFromRequest(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create certificate template: %w", err)
+	}
+
+	return p.SignRequest(certTemplate, req, priv)
+}
+
+// isFQDN returns true if s looks like a fully-qualified domain name.
+func isFQDN(s string) bool {
+	if s == "" {
+		return false
+	}
+	// Must contain at least one dot and no spaces.
+	if !strings.Contains(s, ".") || strings.ContainsAny(s, " \t") {
+		return false
+	}
+	// Each label must be non-empty and consist of letters, digits, or hyphens.
+	for label := range strings.SplitSeq(strings.TrimSuffix(s, "."), ".") {
+		if label == "" {
+			return false
+		}
+		for _, c := range label {
+			if !((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '-') {
+				return false
+			}
+		}
+		if label[0] == '-' || label[len(label)-1] == '-' {
+			return false
+		}
+	}
+	return true
+}
+
+func SerialNumber() (*big.Int, error) {
+	serialNumberBytes := make([]byte, 20)
+	_, err := rand.Read(serialNumberBytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate serial number: %w", err)
+	}
+	return new(big.Int).SetBytes(serialNumberBytes), nil
+}
+
+// GenerateSelfSigned generates a self-signed certificate using the given certificate request.
+func GenerateSelfSigned(creq *CertificateRequest) (*x509.Certificate, crypto.PrivateKey, error) {
+	priv, req, err := creq.Generate()
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to generate certificate request: %w", err)
+	}
+
+	cert, err := creq.Profile.SelfSign(req, priv)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to self-sign certificate: %w", err)
+	}
+
+	return cert, priv, nil
+}

certlib/certgen/config_test.go

@@ -0,0 +1,188 @@
+package certgen
+
+import (
+	"slices"
+	"testing"
+)
+
+func TestIsFQDN(t *testing.T) {
+	tests := []struct {
+		input string
+		want  bool
+	}{
+		{"example.com", true},
+		{"sub.example.com", true},
+		{"example.com.", true}, // trailing dot
+		{"localhost", false},   // no dot
+		{"", false},
+		{"foo bar.com", false}, // space
+		{"-bad.com", false},    // leading hyphen
+		{"bad-.com", false},    // trailing hyphen
+		{"a..b.com", false},    // empty label
+	}
+
+	for _, tt := range tests {
+		got := isFQDN(tt.input)
+		if got != tt.want {
+			t.Errorf("isFQDN(%q) = %v, want %v", tt.input, got, tt.want)
+		}
+	}
+}
+
+func TestRequestAddsFQDNAsDNSSAN(t *testing.T) {
+	creq := &CertificateRequest{
+		KeySpec: KeySpec{Algorithm: "ecdsa", Size: 256},
+		Subject: Subject{
+			CommonName:   "example.com",
+			Organization: "Test Org",
+		},
+		Profile: Profile{
+			Expiry: "1h",
+		},
+	}
+
+	_, req, err := creq.Generate()
+	if err != nil {
+		t.Fatalf("Generate() error: %v", err)
+	}
+
+	if !slices.Contains(req.DNSNames, "example.com") {
+		t.Errorf("expected DNS SAN to contain %q, got %v", "example.com", req.DNSNames)
+	}
+}
+
+func TestRequestFQDNNotDuplicated(t *testing.T) {
+	creq := &CertificateRequest{
+		KeySpec: KeySpec{Algorithm: "ecdsa", Size: 256},
+		Subject: Subject{
+			CommonName:   "example.com",
+			Organization: "Test Org",
+			DNSNames:     []string{"example.com", "www.example.com"},
+		},
+		Profile: Profile{
+			Expiry: "1h",
+		},
+	}
+
+	_, req, err := creq.Generate()
+	if err != nil {
+		t.Fatalf("Generate() error: %v", err)
+	}
+
+	count := 0
+	for _, name := range req.DNSNames {
+		if name == "example.com" {
+			count++
+		}
+	}
+
+	if count != 1 {
+		t.Errorf("expected exactly 1 occurrence of %q in DNS SANs, got %d: %v", "example.com", count, req.DNSNames)
+	}
+}
+
+func TestProfileAIAFieldsInCertificate(t *testing.T) {
+	caKey := KeySpec{Algorithm: "ecdsa", Size: 256}
+	_, caPriv, err := caKey.Generate()
+	if err != nil {
+		t.Fatalf("generate CA key: %v", err)
+	}
+
+	caProfile := Profile{
+		IsCA:    true,
+		PathLen: 1,
+		KeyUse:  []string{"cert sign", "crl sign"},
+		Expiry:  "8760h",
+	}
+
+	caReq := &CertificateRequest{
+		KeySpec: caKey,
+		Subject: Subject{CommonName: "Test CA", Organization: "Test"},
+		Profile: caProfile,
+	}
+	caCSR, err := caReq.Request(caPriv)
+	if err != nil {
+		t.Fatalf("generate CA CSR: %v", err)
+	}
+	caCert, err := caProfile.SelfSign(caCSR, caPriv)
+	if err != nil {
+		t.Fatalf("self-sign CA: %v", err)
+	}
+
+	leafProfile := Profile{
+		KeyUse:                []string{"digital signature"},
+		ExtKeyUsages:          []string{"server auth"},
+		Expiry:                "24h",
+		OCSPServer:            []string{"https://ocsp.example.com"},
+		IssuingCertificateURL: []string{"https://pki.example.com/ca.pem"},
+	}
+
+	leafReq := &CertificateRequest{
+		KeySpec: KeySpec{Algorithm: "ecdsa", Size: 256},
+		Subject: Subject{CommonName: "leaf.example.com", Organization: "Test"},
+		Profile: leafProfile,
+	}
+	_, leafCSR, err := leafReq.Generate()
+	if err != nil {
+		t.Fatalf("generate leaf CSR: %v", err)
+	}
+
+	leafCert, err := leafProfile.SignRequest(caCert, leafCSR, caPriv)
+	if err != nil {
+		t.Fatalf("sign leaf: %v", err)
+	}
+
+	if len(leafCert.OCSPServer) != 1 || leafCert.OCSPServer[0] != "https://ocsp.example.com" {
+		t.Errorf("OCSPServer = %v, want [https://ocsp.example.com]", leafCert.OCSPServer)
+	}
+	if len(leafCert.IssuingCertificateURL) != 1 || leafCert.IssuingCertificateURL[0] != "https://pki.example.com/ca.pem" {
+		t.Errorf("IssuingCertificateURL = %v, want [https://pki.example.com/ca.pem]", leafCert.IssuingCertificateURL)
+	}
+}
+
+func TestProfileWithoutAIAOmitsExtension(t *testing.T) {
+	profile := Profile{
+		KeyUse:       []string{"digital signature"},
+		ExtKeyUsages: []string{"server auth"},
+		Expiry:       "24h",
+	}
+
+	creq := &CertificateRequest{
+		KeySpec: KeySpec{Algorithm: "ecdsa", Size: 256},
+		Subject: Subject{CommonName: "noaia.example.com", Organization: "Test"},
+		Profile: profile,
+	}
+	cert, _, err := GenerateSelfSigned(creq)
+	if err != nil {
+		t.Fatalf("generate: %v", err)
+	}
+
+	if len(cert.OCSPServer) != 0 {
+		t.Errorf("OCSPServer = %v, want empty", cert.OCSPServer)
+	}
+	if len(cert.IssuingCertificateURL) != 0 {
+		t.Errorf("IssuingCertificateURL = %v, want empty", cert.IssuingCertificateURL)
+	}
+}
+
+func TestRequestNonFQDNCommonNameNotAdded(t *testing.T) {
+	creq := &CertificateRequest{
+		KeySpec: KeySpec{Algorithm: "ecdsa", Size: 256},
+		Subject: Subject{
+			CommonName:   "localhost",
+			Organization: "Test Org",
+		},
+		Profile: Profile{
+			Expiry: "1h",
+		},
+	}
+
+	_, req, err := creq.Generate()
+	if err != nil {
+		t.Fatalf("Generate() error: %v", err)
+	}
+
+	if slices.Contains(req.DNSNames, "localhost") {
+		t.Errorf("expected DNS SANs to not contain %q, got %v", "localhost", req.DNSNames)
+	}
+}

certlib/certgen/keygen.go

@@ -0,0 +1,90 @@
+package certgen
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"errors"
+	"fmt"
+)
+
+// var (
+//	oidEd25519 = asn1.ObjectIdentifier{1, 3, 101, 110}
+//)
+
+const (
+	nameEd25519 = "ed25519"
+)
+
+func GenerateKey(algorithm x509.PublicKeyAlgorithm, bitSize int) (crypto.PublicKey, crypto.PrivateKey, error) {
+	var key crypto.PrivateKey
+	var pub crypto.PublicKey
+	var err error
+
+	switch algorithm {
+	case x509.Ed25519:
+		pub, key, err = ed25519.GenerateKey(rand.Reader)
+	case x509.RSA:
+		key, err = rsa.GenerateKey(rand.Reader, bitSize)
+		if err == nil {
+			rsaPriv, ok := key.(*rsa.PrivateKey)
+			if !ok {
+				panic("failed to cast RSA private key to *rsa.PrivateKey")
+			}
+
+			pub = rsaPriv.Public()
+		}
+	case x509.ECDSA:
+		var curve elliptic.Curve
+
+		switch bitSize {
+		case 256:
+			curve = elliptic.P256()
+		case 384:
+			curve = elliptic.P384()
+		case 521:
+			curve = elliptic.P521()
+		default:
+			return nil, nil, fmt.Errorf("unsupported curve size %d", bitSize)
+		}
+
+		key, err = ecdsa.GenerateKey(curve, rand.Reader)
+		if err == nil {
+			ecPriv, ok := key.(*ecdsa.PrivateKey)
+			if !ok {
+				panic("failed to cast ECDSA private key to *ecdsa.PrivateKey")
+			}
+
+			pub = ecPriv.Public()
+		}
+	case x509.DSA:
+		fallthrough
+	case x509.UnknownPublicKeyAlgorithm:
+		fallthrough
+	default:
+		err = errors.New("unsupported algorithm")
+	}
+
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return pub, key, nil
+}
+
+func getPublic(priv crypto.PrivateKey) crypto.PublicKey {
+	switch priv := priv.(type) {
+	case *rsa.PrivateKey:
+		return &priv.PublicKey
+	case *ecdsa.PrivateKey:
+		return &priv.PublicKey
+	case *ed25519.PrivateKey:
+		return priv.Public()
+	default:
+		return nil
+	}
+}

certlib/certgen/ku.go

@@ -0,0 +1,32 @@
+package certgen
+
+import "crypto/x509"
+
+var keyUsageStrings = map[string]x509.KeyUsage{
+	"signing":            x509.KeyUsageDigitalSignature,
+	"digital signature":  x509.KeyUsageDigitalSignature,
+	"content commitment": x509.KeyUsageContentCommitment,
+	"key encipherment":   x509.KeyUsageKeyEncipherment,
+	"key agreement":      x509.KeyUsageKeyAgreement,
+	"data encipherment":  x509.KeyUsageDataEncipherment,
+	"cert sign":          x509.KeyUsageCertSign,
+	"crl sign":           x509.KeyUsageCRLSign,
+	"encipher only":      x509.KeyUsageEncipherOnly,
+	"decipher only":      x509.KeyUsageDecipherOnly,
+}
+
+var extKeyUsageStrings = map[string]x509.ExtKeyUsage{
+	"any":              x509.ExtKeyUsageAny,
+	"server auth":      x509.ExtKeyUsageServerAuth,
+	"client auth":      x509.ExtKeyUsageClientAuth,
+	"code signing":     x509.ExtKeyUsageCodeSigning,
+	"email protection": x509.ExtKeyUsageEmailProtection,
+	"s/mime":           x509.ExtKeyUsageEmailProtection,
+	"ipsec end system": x509.ExtKeyUsageIPSECEndSystem,
+	"ipsec tunnel":     x509.ExtKeyUsageIPSECTunnel,
+	"ipsec user":       x509.ExtKeyUsageIPSECUser,
+	"timestamping":     x509.ExtKeyUsageTimeStamping,
+	"ocsp signing":     x509.ExtKeyUsageOCSPSigning,
+	"microsoft sgc":    x509.ExtKeyUsageMicrosoftServerGatedCrypto,
+	"netscape sgc":     x509.ExtKeyUsageNetscapeServerGatedCrypto,
+}

certlib/certgen/testca.go

@@ -0,0 +1,213 @@
+package certgen
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"net"
+	"time"
+)
+
+// TestCA is an in-memory certificate authority for use in tests. It
+// provides a root CA certificate and the ability to issue leaf
+// certificates for TLS testing with full verification enabled.
+type TestCA struct {
+	cert *x509.Certificate
+	key  *ecdsa.PrivateKey
+}
+
+// NewTestCA creates a new TestCA with a self-signed P-256 root
+// certificate. The CA is valid for 1 hour.
+func NewTestCA() (*TestCA, error) {
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, fmt.Errorf("certgen: generating CA key: %w", err)
+	}
+
+	serial, err := SerialNumber()
+	if err != nil {
+		return nil, fmt.Errorf("certgen: generating serial: %w", err)
+	}
+
+	template := &x509.Certificate{
+		SerialNumber: serial,
+		Subject: pkix.Name{
+			CommonName:   "Test CA",
+			Organization: []string{"Test"},
+		},
+		NotBefore:             time.Now().Add(-1 * time.Minute),
+		NotAfter:              time.Now().Add(1 * time.Hour),
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+		MaxPathLen:            1,
+	}
+
+	certDER, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
+	if err != nil {
+		return nil, fmt.Errorf("certgen: creating CA certificate: %w", err)
+	}
+
+	cert, err := x509.ParseCertificate(certDER)
+	if err != nil {
+		return nil, fmt.Errorf("certgen: parsing CA certificate: %w", err)
+	}
+
+	return &TestCA{cert: cert, key: key}, nil
+}
+
+// Certificate returns the root CA certificate.
+func (ca *TestCA) Certificate() *x509.Certificate {
+	return ca.cert
+}
+
+// CertificatePEM returns the root CA certificate as a PEM-encoded
+// byte slice.
+func (ca *TestCA) CertificatePEM() []byte {
+	return pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: ca.cert.Raw,
+	})
+}
+
+// CertPool returns a certificate pool containing the root CA
+// certificate, suitable for use as a TLS root CA pool.
+func (ca *TestCA) CertPool() *x509.CertPool {
+	pool := x509.NewCertPool()
+	pool.AddCert(ca.cert)
+	return pool
+}
+
+// Issue creates a new leaf certificate signed by the CA for the given
+// DNS names and IP addresses. It returns the leaf private key and
+// certificate. The leaf certificate is valid for 1 hour with key
+// usage appropriate for a TLS server.
+func (ca *TestCA) Issue(dnsNames []string, ips []net.IP) (crypto.Signer, *x509.Certificate, error) {
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, nil, fmt.Errorf("certgen: generating leaf key: %w", err)
+	}
+
+	serial, err := SerialNumber()
+	if err != nil {
+		return nil, nil, fmt.Errorf("certgen: generating serial: %w", err)
+	}
+
+	cn := "localhost"
+	if len(dnsNames) > 0 {
+		cn = dnsNames[0]
+	}
+
+	template := &x509.Certificate{
+		SerialNumber: serial,
+		Subject: pkix.Name{
+			CommonName:   cn,
+			Organization: []string{"Test"},
+		},
+		NotBefore:             time.Now().Add(-1 * time.Minute),
+		NotAfter:              time.Now().Add(1 * time.Hour),
+		KeyUsage:              x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+		BasicConstraintsValid: true,
+		DNSNames:              dnsNames,
+		IPAddresses:           ips,
+	}
+
+	certDER, err := x509.CreateCertificate(rand.Reader, template, ca.cert, &key.PublicKey, ca.key)
+	if err != nil {
+		return nil, nil, fmt.Errorf("certgen: creating leaf certificate: %w", err)
+	}
+
+	cert, err := x509.ParseCertificate(certDER)
+	if err != nil {
+		return nil, nil, fmt.Errorf("certgen: parsing leaf certificate: %w", err)
+	}
+
+	return key, cert, nil
+}
+
+// IssueServer is a convenience wrapper around Issue for the common
+// case of a server certificate for localhost (both DNS and IP).
+func (ca *TestCA) IssueServer() (crypto.Signer, *x509.Certificate, error) {
+	return ca.Issue(
+		[]string{"localhost"},
+		[]net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
+	)
+}
+
+// TLSConfig returns a tls.Config (by value) configured with the CA's
+// root pool for verification. The caller can set additional fields
+// (e.g., Certificates) or modify the returned config safely.
+func (ca *TestCA) TLSConfig() tls.Config {
+	return tls.Config{
+		RootCAs:    ca.CertPool(),
+		MinVersion: tls.VersionTLS13,
+	}
+}
+
+// ServerTLSConfig returns a tls.Config (by value) for a TLS server
+// using the given leaf key and certificate, with client verification
+// against the CA root pool. Pass key and cert from Issue or
+// IssueServer.
+func (ca *TestCA) ServerTLSConfig(key crypto.Signer, cert *x509.Certificate) tls.Config {
+	return tls.Config{
+		Certificates: []tls.Certificate{
+			{
+				Certificate: [][]byte{cert.Raw},
+				PrivateKey:  key,
+				Leaf:        cert,
+			},
+		},
+		ClientCAs:  ca.CertPool(),
+		MinVersion: tls.VersionTLS13,
+	}
+}
+
+// TLSKeyPair returns a tls.Certificate from the given key and
+// certificate, suitable for use in a tls.Config.Certificates slice.
+func TLSKeyPair(key crypto.Signer, cert *x509.Certificate) tls.Certificate {
+	return tls.Certificate{
+		Certificate: [][]byte{cert.Raw},
+		PrivateKey:  key,
+		Leaf:        cert,
+	}
+}
+
+// MustTestCA calls NewTestCA and panics on error. Intended for use
+// in TestMain or test helpers where error handling is impractical.
+func MustTestCA() *TestCA {
+	ca, err := NewTestCA()
+	if err != nil {
+		panic("certgen: " + err.Error())
+	}
+	return ca
+}
+
+// CertificatePEM returns a PEM-encoded byte slice for the given
+// certificate.
+func CertificatePEM(cert *x509.Certificate) []byte {
+	return pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: cert.Raw,
+	})
+}
+
+// PrivateKeyPEM returns a PEM-encoded PKCS#8 byte slice for the
+// given private key.
+func PrivateKeyPEM(key crypto.Signer) ([]byte, error) {
+	der, err := x509.MarshalPKCS8PrivateKey(key)
+	if err != nil {
+		return nil, fmt.Errorf("certgen: marshaling private key: %w", err)
+	}
+	return pem.EncodeToMemory(&pem.Block{
+		Type:  "PRIVATE KEY",
+		Bytes: der,
+	}), nil
+}
+

certlib/certgen/testca_test.go

@@ -0,0 +1,223 @@
+package certgen
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+func TestNewTestCA(t *testing.T) {
+	ca, err := NewTestCA()
+	if err != nil {
+		t.Fatalf("NewTestCA: %v", err)
+	}
+
+	cert := ca.Certificate()
+	if !cert.IsCA {
+		t.Fatal("expected CA certificate")
+	}
+	if cert.Subject.CommonName != "Test CA" {
+		t.Fatalf("got CN %q, want %q", cert.Subject.CommonName, "Test CA")
+	}
+}
+
+func TestCertificatePEMRoundtrip(t *testing.T) {
+	ca, err := NewTestCA()
+	if err != nil {
+		t.Fatalf("NewTestCA: %v", err)
+	}
+
+	pemBytes := ca.CertificatePEM()
+	block, _ := pem.Decode(pemBytes)
+	if block == nil {
+		t.Fatal("failed to decode PEM")
+	}
+	if block.Type != "CERTIFICATE" {
+		t.Fatalf("got PEM type %q, want CERTIFICATE", block.Type)
+	}
+
+	parsed, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		t.Fatalf("parse certificate: %v", err)
+	}
+	if !parsed.Equal(ca.Certificate()) {
+		t.Fatal("parsed certificate does not match original")
+	}
+}
+
+func TestCertPool(t *testing.T) {
+	ca, err := NewTestCA()
+	if err != nil {
+		t.Fatalf("NewTestCA: %v", err)
+	}
+
+	pool := ca.CertPool()
+
+	// Verify the CA cert validates against its own pool.
+	chains, err := ca.Certificate().Verify(x509.VerifyOptions{
+		Roots: pool,
+	})
+	if err != nil {
+		t.Fatalf("verify CA cert against its own pool: %v", err)
+	}
+	if len(chains) == 0 {
+		t.Fatal("expected at least one chain")
+	}
+}
+
+func TestIssue(t *testing.T) {
+	ca, err := NewTestCA()
+	if err != nil {
+		t.Fatalf("NewTestCA: %v", err)
+	}
+
+	dnsNames := []string{"example.test", "www.example.test"}
+	ips := []net.IP{net.IPv4(10, 0, 0, 1)}
+
+	key, cert, err := ca.Issue(dnsNames, ips)
+	if err != nil {
+		t.Fatalf("Issue: %v", err)
+	}
+	if key == nil {
+		t.Fatal("expected non-nil key")
+	}
+	if cert.IsCA {
+		t.Fatal("leaf cert should not be CA")
+	}
+	if cert.Subject.CommonName != "example.test" {
+		t.Fatalf("got CN %q, want %q", cert.Subject.CommonName, "example.test")
+	}
+
+	// Verify the leaf cert chains to the CA.
+	_, err = cert.Verify(x509.VerifyOptions{
+		Roots:     ca.CertPool(),
+		DNSName:   "example.test",
+		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+	})
+	if err != nil {
+		t.Fatalf("verify leaf cert: %v", err)
+	}
+}
+
+func TestIssueServerTLS(t *testing.T) {
+	ca, err := NewTestCA()
+	if err != nil {
+		t.Fatalf("NewTestCA: %v", err)
+	}
+
+	key, cert, err := ca.IssueServer()
+	if err != nil {
+		t.Fatalf("IssueServer: %v", err)
+	}
+
+	// Start a TLS server with the issued cert.
+	serverCfg := ca.ServerTLSConfig(key, cert)
+	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+	srv.TLS = &serverCfg
+	srv.StartTLS()
+	defer srv.Close()
+
+	// Create a client that verifies the server cert against the CA.
+	clientCfg := ca.TLSConfig()
+	client := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &clientCfg,
+		},
+	}
+
+	resp, err := client.Get(srv.URL)
+	if err != nil {
+		t.Fatalf("GET: %v", err)
+	}
+	resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf("got status %d, want 200", resp.StatusCode)
+	}
+}
+
+func TestTLSConfigReturnsByValue(t *testing.T) {
+	ca, err := NewTestCA()
+	if err != nil {
+		t.Fatalf("NewTestCA: %v", err)
+	}
+
+	cfg1 := ca.TLSConfig()
+	cfg2 := ca.TLSConfig()
+
+	// Modifying one should not affect the other.
+	cfg1.ServerName = "modified"
+	if cfg2.ServerName == "modified" {
+		t.Fatal("TLSConfig should return independent values")
+	}
+}
+
+func TestTLSConfigEnforcesTLS13(t *testing.T) {
+	ca, err := NewTestCA()
+	if err != nil {
+		t.Fatalf("NewTestCA: %v", err)
+	}
+
+	cfg := ca.TLSConfig()
+	if cfg.MinVersion != tls.VersionTLS13 {
+		t.Fatalf("got MinVersion %d, want TLS 1.3 (%d)", cfg.MinVersion, tls.VersionTLS13)
+	}
+}
+
+func TestMustTestCA(t *testing.T) {
+	// Should not panic.
+	ca := MustTestCA()
+	if ca.Certificate() == nil {
+		t.Fatal("expected non-nil certificate")
+	}
+}
+
+func TestPrivateKeyPEM(t *testing.T) {
+	ca, err := NewTestCA()
+	if err != nil {
+		t.Fatalf("NewTestCA: %v", err)
+	}
+
+	key, _, err := ca.IssueServer()
+	if err != nil {
+		t.Fatalf("IssueServer: %v", err)
+	}
+
+	pemBytes, err := PrivateKeyPEM(key)
+	if err != nil {
+		t.Fatalf("PrivateKeyPEM: %v", err)
+	}
+
+	block, _ := pem.Decode(pemBytes)
+	if block == nil {
+		t.Fatal("failed to decode PEM")
+	}
+	if block.Type != "PRIVATE KEY" {
+		t.Fatalf("got PEM type %q, want PRIVATE KEY", block.Type)
+	}
+}
+
+func TestUntrustedCAFails(t *testing.T) {
+	ca1 := MustTestCA()
+	ca2 := MustTestCA()
+
+	// Issue a cert from ca1, try to verify against ca2's pool.
+	_, cert, err := ca1.IssueServer()
+	if err != nil {
+		t.Fatalf("IssueServer: %v", err)
+	}
+
+	_, err = cert.Verify(x509.VerifyOptions{
+		Roots:   ca2.CertPool(),
+		DNSName: "localhost",
+	})
+	if err == nil {
+		t.Fatal("expected verification to fail with wrong CA")
+	}
+}

certlib/certlib.go

@@ -1,11 +1,19 @@
 package certlib
 
 import (
+	"bytes"
+	"crypto"
+	"crypto/dsa"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
+	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
 	"fmt"
 	"os"
+	"strings"
 
 	"git.wntrmute.dev/kyle/goutils/certlib/certerr"
 )
@@ -13,6 +21,7 @@ import (
 // ReadCertificate reads a DER or PEM-encoded certificate from the
 // byte slice.
 func ReadCertificate(in []byte) (*x509.Certificate, []byte, error) {
+	in = bytes.TrimSpace(in)
 	if len(in) == 0 {
 		return nil, nil, certerr.ParsingError(certerr.ErrorSourceCertificate, certerr.ErrEmptyCertificate)
 	}
@@ -24,10 +33,10 @@ func ReadCertificate(in []byte) (*x509.Certificate, []byte, error) {
 		}
 
 		rest := remaining
-		if p.Type != "CERTIFICATE" {
+		if p.Type != pemTypeCertificate {
 			return nil, rest, certerr.ParsingError(
 				certerr.ErrorSourceCertificate,
-				certerr.ErrInvalidPEMType(p.Type, "CERTIFICATE"),
+				certerr.ErrInvalidPEMType(p.Type, pemTypeCertificate),
 			)
 		}
 
@@ -109,3 +118,184 @@ func PoolFromBytes(certBytes []byte) (*x509.CertPool, error) {
 
 	return pool, nil
 }
+
+func ExportPrivateKeyPEM(priv crypto.PrivateKey) ([]byte, error) {
+	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
+	if err != nil {
+		return nil, err
+	}
+
+	return pem.EncodeToMemory(&pem.Block{Type: pemTypePrivateKey, Bytes: keyDER}), nil
+}
+
+func LoadCSR(path string) (*x509.CertificateRequest, error) {
+	in, err := os.ReadFile(path)
+	if err != nil {
+		return nil, certerr.LoadingError(certerr.ErrorSourceCSR, err)
+	}
+
+	req, _, err := ParseCSR(in)
+	return req, err
+}
+
+func ExportCSRAsPEM(req *x509.CertificateRequest) []byte {
+	return pem.EncodeToMemory(&pem.Block{Type: pemTypeCertificateRequest, Bytes: req.Raw})
+}
+
+type FileFormat uint8
+
+const (
+	FormatPEM FileFormat = iota + 1
+	FormatDER
+)
+
+func (f FileFormat) String() string {
+	switch f {
+	case FormatPEM:
+		return "PEM"
+	case FormatDER:
+		return "DER"
+	default:
+		return "unknown"
+	}
+}
+
+type KeyAlgo struct {
+	Type  x509.PublicKeyAlgorithm
+	Size  int
+	curve elliptic.Curve
+}
+
+func (ka KeyAlgo) String() string {
+	switch ka.Type {
+	case x509.RSA:
+		return fmt.Sprintf("RSA-%d", ka.Size)
+	case x509.ECDSA:
+		if ka.curve == nil {
+			return fmt.Sprintf("ECDSA (unknown %d)", ka.Size)
+		}
+		return fmt.Sprintf("ECDSA-%s", ka.curve.Params().Name)
+	case x509.Ed25519:
+		return "Ed25519"
+	case x509.DSA:
+		return "DSA"
+	case x509.UnknownPublicKeyAlgorithm:
+		fallthrough // make linter happy
+	default:
+		return "unknown"
+	}
+}
+
+func publicKeyAlgoFromPublicKey(key crypto.PublicKey) KeyAlgo {
+	switch key := key.(type) {
+	case *rsa.PublicKey:
+		return KeyAlgo{
+			Type: x509.RSA,
+			Size: key.N.BitLen(),
+		}
+	case *ecdsa.PublicKey:
+		return KeyAlgo{
+			Type:  x509.ECDSA,
+			curve: key.Curve,
+			Size:  key.Params().BitSize,
+		}
+	case *ed25519.PublicKey:
+		return KeyAlgo{
+			Type: x509.Ed25519,
+		}
+	case *dsa.PublicKey:
+		return KeyAlgo{
+			Type: x509.DSA,
+		}
+	default:
+		return KeyAlgo{
+			Type: x509.UnknownPublicKeyAlgorithm,
+		}
+	}
+}
+
+func publicKeyAlgoFromKey(key crypto.PrivateKey) KeyAlgo {
+	switch key := key.(type) {
+	case *rsa.PrivateKey:
+		return KeyAlgo{
+			Type: x509.RSA,
+			Size: key.PublicKey.N.BitLen(),
+		}
+	case *ecdsa.PrivateKey:
+		return KeyAlgo{
+			Type:  x509.ECDSA,
+			curve: key.PublicKey.Curve,
+			Size:  key.Params().BitSize,
+		}
+	case *ed25519.PrivateKey:
+		return KeyAlgo{
+			Type: x509.Ed25519,
+		}
+	case *dsa.PrivateKey:
+		return KeyAlgo{
+			Type: x509.DSA,
+		}
+	default:
+		return KeyAlgo{
+			Type: x509.UnknownPublicKeyAlgorithm,
+		}
+	}
+}
+
+func publicKeyAlgoFromCert(cert *x509.Certificate) KeyAlgo {
+	return publicKeyAlgoFromPublicKey(cert.PublicKey)
+}
+
+func publicKeyAlgoFromCSR(csr *x509.CertificateRequest) KeyAlgo {
+	return publicKeyAlgoFromPublicKey(csr.PublicKey)
+}
+
+type FileType struct {
+	Format FileFormat
+	Type   string
+	Algo   KeyAlgo
+}
+
+func (ft FileType) String() string {
+	if ft.Type == "" {
+		return ft.Format.String()
+	}
+	return fmt.Sprintf("%s %s (%s)", ft.Algo, ft.Type, ft.Format)
+}
+
+// FileKind returns the file type of the given file.
+func FileKind(path string) (*FileType, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	ft := &FileType{Format: FormatDER}
+
+	block, _ := pem.Decode(data)
+	if block != nil {
+		data = block.Bytes
+		ft.Type = strings.ToLower(block.Type)
+		ft.Format = FormatPEM
+	}
+
+	cert, err := x509.ParseCertificate(data)
+	if err == nil {
+		ft.Algo = publicKeyAlgoFromCert(cert)
+		return ft, nil
+	}
+
+	csr, err := x509.ParseCertificateRequest(data)
+	if err == nil {
+		ft.Algo = publicKeyAlgoFromCSR(csr)
+		return ft, nil
+	}
+
+	priv, err := x509.ParsePKCS8PrivateKey(data)
+	if err == nil {
+		ft.Algo = publicKeyAlgoFromKey(priv)
+		return ft, nil
+	}
+
+	return nil, errors.New("certlib; unknown file type")
+}

certlib/certlib_test.go

@@ -2,7 +2,10 @@
 package certlib
 
 import (
+	"crypto/elliptic"
+	"crypto/x509"
 	"fmt"
+	"strings"
 	"testing"
 
 	"git.wntrmute.dev/kyle/goutils/assert"
@@ -138,3 +141,153 @@ func TestReadCertificates(t *testing.T) {
 		assert.BoolT(t, cert != nil, "lib: expected an actual certificate to have been returned")
 	}
 }
+
+var (
+	ecTestCACert  = "testdata/ec-ca-cert.pem"
+	ecTestCAPriv  = "testdata/ec-ca-priv.pem"
+	ecTestCAReq   = "testdata/ec-ca-cert.csr"
+	rsaTestCACert = "testdata/rsa-ca-cert.pem"
+	rsaTestCAPriv = "testdata/rsa-ca-priv.pem"
+	rsaTestCAReq  = "testdata/rsa-ca-cert.csr"
+)
+
+func TestFileTypeECPrivate(t *testing.T) {
+	ft, err := FileKind(ecTestCAPriv)
+	assert.NoErrorT(t, err)
+
+	if ft.Format != FormatPEM {
+		t.Errorf("certlib: expected format '%s', got '%s'", FormatPEM, ft.Format)
+	}
+
+	if ft.Type != strings.ToLower(pemTypePrivateKey) {
+		t.Errorf("certlib: expected type '%s', got '%s'",
+			strings.ToLower(pemTypePrivateKey), ft.Type)
+	}
+
+	expectedAlgo := KeyAlgo{
+		Type:  x509.ECDSA,
+		Size:  521,
+		curve: elliptic.P521(),
+	}
+
+	if ft.Algo.String() != expectedAlgo.String() {
+		t.Errorf("certlib: expected algo '%s', got '%s'", expectedAlgo, ft.Algo)
+	}
+}
+
+func TestFileTypeECCertRequest(t *testing.T) {
+	ft, err := FileKind(ecTestCAReq)
+	assert.NoErrorT(t, err)
+
+	if ft.Format != FormatPEM {
+		t.Errorf("certlib: expected format '%s', got '%s'", FormatPEM, ft.Format)
+	}
+
+	if ft.Type != strings.ToLower(pemTypeCertificateRequest) {
+		t.Errorf("certlib: expected type '%s', got '%s'",
+			strings.ToLower(pemTypeCertificateRequest), ft.Type)
+	}
+
+	expectedAlgo := KeyAlgo{
+		Type:  x509.ECDSA,
+		Size:  521,
+		curve: elliptic.P521(),
+	}
+
+	if ft.Algo.String() != expectedAlgo.String() {
+		t.Errorf("certlib: expected algo '%s', got '%s'", expectedAlgo, ft.Algo)
+	}
+}
+
+func TestFileTypeECCertificate(t *testing.T) {
+	ft, err := FileKind(ecTestCACert)
+	assert.NoErrorT(t, err)
+
+	if ft.Format != FormatPEM {
+		t.Errorf("certlib: expected format '%s', got '%s'", FormatPEM, ft.Format)
+	}
+
+	if ft.Type != strings.ToLower(pemTypeCertificate) {
+		t.Errorf("certlib: expected type '%s', got '%s'",
+			strings.ToLower(pemTypeCertificate), ft.Type)
+	}
+
+	expectedAlgo := KeyAlgo{
+		Type:  x509.ECDSA,
+		Size:  521,
+		curve: elliptic.P521(),
+	}
+
+	if ft.Algo.String() != expectedAlgo.String() {
+		t.Errorf("certlib: expected algo '%s', got '%s'", expectedAlgo, ft.Algo)
+	}
+}
+
+func TestFileTypeRSAPrivate(t *testing.T) {
+	ft, err := FileKind(rsaTestCAPriv)
+	assert.NoErrorT(t, err)
+
+	if ft.Format != FormatPEM {
+		t.Errorf("certlib: expected format '%s', got '%s'", FormatPEM, ft.Format)
+	}
+
+	if ft.Type != strings.ToLower(pemTypePrivateKey) {
+		t.Errorf("certlib: expected type '%s', got '%s'",
+			strings.ToLower(pemTypePrivateKey), ft.Type)
+	}
+
+	expectedAlgo := KeyAlgo{
+		Type: x509.RSA,
+		Size: 4096,
+	}
+
+	if ft.Algo.String() != expectedAlgo.String() {
+		t.Errorf("certlib: expected algo '%s', got '%s'", expectedAlgo, ft.Algo)
+	}
+}
+
+func TestFileTypeRSACertRequest(t *testing.T) {
+	ft, err := FileKind(rsaTestCAReq)
+	assert.NoErrorT(t, err)
+
+	if ft.Format != FormatPEM {
+		t.Errorf("certlib: expected format '%s', got '%s'", FormatPEM, ft.Format)
+	}
+
+	if ft.Type != strings.ToLower(pemTypeCertificateRequest) {
+		t.Errorf("certlib: expected type '%s', got '%s'",
+			strings.ToLower(pemTypeCertificateRequest), ft.Type)
+	}
+
+	expectedAlgo := KeyAlgo{
+		Type: x509.RSA,
+		Size: 4096,
+	}
+
+	if ft.Algo.String() != expectedAlgo.String() {
+		t.Errorf("certlib: expected algo '%s', got '%s'", expectedAlgo, ft.Algo)
+	}
+}
+
+func TestFileTypeRSACertificate(t *testing.T) {
+	ft, err := FileKind(rsaTestCACert)
+	assert.NoErrorT(t, err)
+
+	if ft.Format != FormatPEM {
+		t.Errorf("certlib: expected format '%s', got '%s'", FormatPEM, ft.Format)
+	}
+
+	if ft.Type != strings.ToLower(pemTypeCertificate) {
+		t.Errorf("certlib: expected type '%s', got '%s'",
+			strings.ToLower(pemTypeCertificate), ft.Type)
+	}
+
+	expectedAlgo := KeyAlgo{
+		Type: x509.RSA,
+		Size: 4096,
+	}
+
+	if ft.Algo.String() != expectedAlgo.String() {
+		t.Errorf("certlib: expected algo '%s', got '%s'", expectedAlgo, ft.Algo)
+	}
+}

certlib/dump/dump.go

@@ -165,6 +165,28 @@ func certPublic(cert *x509.Certificate) string {
 	}
 }
 
+func csrPublic(csr *x509.CertificateRequest) string {
+	switch pub := csr.PublicKey.(type) {
+	case *rsa.PublicKey:
+		return fmt.Sprintf("RSA-%d", pub.N.BitLen())
+	case *ecdsa.PublicKey:
+		switch pub.Curve {
+		case elliptic.P256():
+			return "ECDSA-prime256v1"
+		case elliptic.P384():
+			return "ECDSA-secp384r1"
+		case elliptic.P521():
+			return "ECDSA-secp521r1"
+		default:
+			return "ECDSA (unknown curve)"
+		}
+	case *dsa.PublicKey:
+		return "DSA"
+	default:
+		return "Unknown"
+	}
+}
+
 func DisplayName(name pkix.Name) string {
 	var ns []string
 
@@ -249,11 +271,6 @@ func showBasicConstraints(cert *x509.Certificate) {
 	fmt.Fprintln(os.Stdout)
 }
 
-var (
-	dateFormat string
-	showHash   bool // if true, print a SHA256 hash of the certificate's Raw field
-)
-
 func wrapPrint(text string, indent int) {
 	tabs := ""
 	var tabsSb140 strings.Builder
@@ -265,11 +282,12 @@ func wrapPrint(text string, indent int) {
 	fmt.Fprintf(os.Stdout, tabs+"%s\n", wrap(text, indent))
 }
 
-func DisplayCert(w io.Writer, cert *x509.Certificate) {
+func DisplayCert(w io.Writer, cert *x509.Certificate, showHash bool) {
 	fmt.Fprintln(w, "CERTIFICATE")
 	if showHash {
 		fmt.Fprintln(w, wrap(fmt.Sprintf("SHA256: %x", sha256.Sum256(cert.Raw)), 0))
 	}
+
 	fmt.Fprintln(w, wrap("Subject: "+DisplayName(cert.Subject), 0))
 	fmt.Fprintln(w, wrap("Issuer: "+DisplayName(cert.Issuer), 0))
 	fmt.Fprintf(w, "\tSignature algorithm: %s / %s\n", sigAlgoPK(cert.SignatureAlgorithm),
@@ -285,8 +303,8 @@ func DisplayCert(w io.Writer, cert *x509.Certificate) {
 		fmt.Fprintf(w, "\t%s\n", wrap("SKI: "+dumpHex(cert.SubjectKeyId), 1))
 	}
 
-	wrapPrint("Valid from: "+cert.NotBefore.Format(dateFormat), 1)
-	fmt.Fprintf(w, "\t     until: %s\n", cert.NotAfter.Format(dateFormat))
+	wrapPrint("Valid from: "+cert.NotBefore.Format(lib.DateShortFormat), 1)
+	fmt.Fprintf(w, "\t     until: %s\n", cert.NotAfter.Format(lib.DateShortFormat))
 	fmt.Fprintf(w, "\tKey usages: %s\n", keyUsages(cert.KeyUsage))
 
 	if len(cert.ExtKeyUsage) > 0 {
@@ -337,3 +355,36 @@ func DisplayCert(w io.Writer, cert *x509.Certificate) {
 		}
 	}
 }
+
+func DisplayCSR(w io.Writer, csr *x509.CertificateRequest, showHash bool) {
+	fmt.Fprintln(w, "CERTIFICATE REQUEST")
+	if showHash {
+		fmt.Fprintln(w, wrap(fmt.Sprintf("SHA256: %x", sha256.Sum256(csr.Raw)), 0))
+	}
+
+	fmt.Fprintln(w, wrap("Subject: "+DisplayName(csr.Subject), 0))
+	fmt.Fprintf(w, "\tSignature algorithm: %s / %s\n", sigAlgoPK(csr.SignatureAlgorithm),
+		sigAlgoHash(csr.SignatureAlgorithm))
+	fmt.Fprintln(w, "Details:")
+	wrapPrint("Public key: "+csrPublic(csr), 1)
+
+	validNames := make([]string, 0, len(csr.DNSNames)+len(csr.EmailAddresses)+len(csr.IPAddresses)+len(csr.URIs))
+	for i := range csr.DNSNames {
+		validNames = append(validNames, "dns:"+csr.DNSNames[i])
+	}
+
+	for i := range csr.EmailAddresses {
+		validNames = append(validNames, "email:"+csr.EmailAddresses[i])
+	}
+
+	for i := range csr.IPAddresses {
+		validNames = append(validNames, "ip:"+csr.IPAddresses[i].String())
+	}
+
+	for i := range csr.URIs {
+		validNames = append(validNames, "uri:"+csr.URIs[i].String())
+	}
+
+	sans := fmt.Sprintf("SANs (%d): %s\n", len(validNames), strings.Join(validNames, ", "))
+	wrapPrint(sans, 1)
+}

certlib/helpers.go

@@ -75,6 +75,12 @@ var DelegationExtension = pkix.Extension{
 	Value:    []byte{0x05, 0x00}, // ASN.1 NULL
 }
 
+const (
+	pemTypeCertificate        = "CERTIFICATE"
+	pemTypeCertificateRequest = "CERTIFICATE REQUEST"
+	pemTypePrivateKey         = "PRIVATE KEY"
+)
+
 // InclusiveDate returns the time.Time representation of a date - 1
 // nanosecond. This allows time.After to be used inclusively.
 func InclusiveDate(year int, month time.Month, day int) time.Time {
@@ -246,7 +252,7 @@ func EncodeCertificatesPEM(certs []*x509.Certificate) []byte {
 	var buffer bytes.Buffer
 	for _, cert := range certs {
 		if err := pem.Encode(&buffer, &pem.Block{
-			Type:  "CERTIFICATE",
+			Type:  pemTypeCertificate,
 			Bytes: cert.Raw,
 		}); err != nil {
 			return nil

certlib/hosts/hosts.go

@@ -1,3 +1,13 @@
+// Package hosts provides a simple way to parse hostnames and ports.
+// Supported formats are:
+//   - https://example.com:8080
+//   - https://example.com
+//   - tls://example.com:8080
+//   - tls://example.com
+//   - example.com:8080
+//   - example.com
+//
+// Hosts parsed here are expected to be TLS hosts, and the port defaults to 443.
 package hosts
 
 import (

certlib/keymatch.go

@@ -133,3 +133,48 @@ func MatchKeys(cert *x509.Certificate, priv crypto.Signer) (bool, string) {
 		return false, fmt.Sprintf("unrecognised private key type: %T", priv.Public())
 	}
 }
+
+// MatchKeysCSR determines whether the CSR's public key matches the given private key.
+// It returns true if they match; otherwise, it returns false and a human-friendly reason.
+func MatchKeysCSR(csr *x509.CertificateRequest, priv crypto.Signer) (bool, string) {
+	switch keyPub := priv.Public().(type) {
+	case *rsa.PublicKey:
+		switch csrPub := csr.PublicKey.(type) {
+		case *rsa.PublicKey:
+			if matchRSA(csrPub, keyPub) {
+				return true, ""
+			}
+			return false, "public keys don't match"
+		case *ecdsa.PublicKey:
+			return false, "RSA private key, EC public key"
+		default:
+			return false, fmt.Sprintf("unsupported CSR public key type: %T", csr.PublicKey)
+		}
+	case *ecdsa.PublicKey:
+		switch csrPub := csr.PublicKey.(type) {
+		case *ecdsa.PublicKey:
+			if matchECDSA(csrPub, keyPub) {
+				return true, ""
+			}
+			// Determine a more precise reason
+			kc := getECCurve(keyPub)
+			cc := getECCurve(csrPub)
+			if kc == curveInvalid {
+				return false, "invalid private key curve"
+			}
+			if cc == curveRSA {
+				return false, "private key is EC, CSR is RSA"
+			}
+			if kc != cc {
+				return false, "EC curves don't match"
+			}
+			return false, "public keys don't match"
+		case *rsa.PublicKey:
+			return false, "private key is EC, CSR is RSA"
+		default:
+			return false, fmt.Sprintf("unsupported CSR public key type: %T", csr.PublicKey)
+		}
+	default:
+		return false, fmt.Sprintf("unrecognised private key type: %T", priv.Public())
+	}
+}

certlib/keymatch_test.go

@@ -0,0 +1,49 @@
+package certlib_test
+
+import (
+	"testing"
+
+	"git.wntrmute.dev/kyle/goutils/certlib"
+)
+
+var (
+	testCert1 = "testdata/cert1.pem"
+	testCert2 = "testdata/cert2.pem"
+	testPriv1 = "testdata/priv1.pem"
+	testPriv2 = "testdata/priv2.pem"
+)
+
+type testCase struct {
+	cert  string
+	key   string
+	match bool
+}
+
+var testCases = []testCase{
+	{testCert1, testPriv1, true},
+	{testCert2, testPriv2, true},
+	{testCert1, testPriv2, false},
+	{testCert2, testPriv1, false},
+}
+
+func TestMatchKeys(t *testing.T) {
+	for i, tc := range testCases {
+		cert, err := certlib.LoadCertificate(tc.cert)
+		if err != nil {
+			t.Fatalf("failed to load cert %d: %v", i, err)
+		}
+
+		priv, err := certlib.LoadPrivateKey(tc.key)
+		if err != nil {
+			t.Fatalf("failed to load key %d: %v", i, err)
+		}
+
+		ok, _ := certlib.MatchKeys(cert, priv)
+		switch {
+		case ok && !tc.match:
+			t.Fatalf("case %d: cert %s/key %s should not match", i, tc.cert, tc.key)
+		case !ok && tc.match:
+			t.Fatalf("case %d: cert %s/key %s should match", i, tc.cert, tc.key)
+		}
+	}
+}

certlib/ski/ski.go

@@ -6,6 +6,7 @@ import (
 	"crypto/ed25519"
 	"crypto/rsa"
 	"crypto/sha1" // #nosec G505 this is the standard
+	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
@@ -15,7 +16,9 @@ import (
 
 	"git.wntrmute.dev/kyle/goutils/certlib"
 	"git.wntrmute.dev/kyle/goutils/die"
+	"git.wntrmute.dev/kyle/goutils/fileutil"
 	"git.wntrmute.dev/kyle/goutils/lib"
+	"git.wntrmute.dev/kyle/goutils/lib/fetch"
 )
 
 const (
@@ -53,6 +56,30 @@ func (k *KeyInfo) SKI(displayMode lib.HexEncodeMode) (string, error) {
 	return pubHashString, nil
 }
 
+func Lookup(path string, tcfg *tls.Config) (*KeyInfo, error) {
+	if fileutil.FileDoesExist(path) {
+		return ParsePEM(path)
+	}
+
+	server, err := fetch.ParseServer(path, tcfg)
+	if err != nil {
+		return nil, err
+	}
+
+	cert, err := server.Get()
+	if err != nil {
+		return nil, err
+	}
+
+	material := &KeyInfo{
+		FileType: "certificate",
+	}
+
+	material.PublicKey, material.KeyType = parseCertificate(cert)
+
+	return material, nil
+}
+
 // ParsePEM parses a PEM file and returns the public key and its type.
 func ParsePEM(path string) (*KeyInfo, error) {
 	material := &KeyInfo{}
@@ -79,7 +106,7 @@ func ParsePEM(path string) (*KeyInfo, error) {
 		material.PublicKey, material.KeyType = parseKey(data)
 		material.FileType = "private key"
 	case "CERTIFICATE":
-		material.PublicKey, material.KeyType = parseCertificate(data)
+		material.PublicKey, material.KeyType = parseCertificateFile(data)
 		material.FileType = "certificate"
 	case "CERTIFICATE REQUEST":
 		material.PublicKey, material.KeyType = parseCSR(data)
@@ -113,12 +140,17 @@ func parseKey(data []byte) ([]byte, string) {
 	return public, kt
 }
 
-func parseCertificate(data []byte) ([]byte, string) {
+func parseCertificateFile(data []byte) ([]byte, string) {
 	cert, err := x509.ParseCertificate(data)
 	die.If(err)
 
+	return parseCertificate(cert)
+}
+
+func parseCertificate(cert *x509.Certificate) ([]byte, string) {
 	pub := cert.PublicKey
 	var kt string
+
 	switch pub.(type) {
 	case *rsa.PublicKey:
 		kt = keyTypeRSA

certlib/testdata/cert1.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID2zCCAsOgAwIBAgIUN0qOIUWB0UCmtutt2RH6PCmcuhEwDQYJKoZIhvcNAQEL
+BQAwfTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExIjAgBgNVBAoM
+GVdOVFJNVVRFIEhlYXZ5IEluZHVzdHJpZXMxHzAdBgNVBAsMFkNyeXB0b2dyYXBo
+aWMgU2VydmljZXMxFDASBgNVBAMMC3Rlc3QtY2VydC0xMB4XDTI1MTExOTA4MjM1
+MFoXDTQ1MTExNDA4MjM1MFowfTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlm
+b3JuaWExIjAgBgNVBAoMGVdOVFJNVVRFIEhlYXZ5IEluZHVzdHJpZXMxHzAdBgNV
+BAsMFkNyeXB0b2dyYXBoaWMgU2VydmljZXMxFDASBgNVBAMMC3Rlc3QtY2VydC0x
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7sbIJyBfBBF2oHnFOfLS
+rtcIUpZcz0fJ9JNtjzazwfyykVV9nuIC4JyD+VhxxSnSQN1H6kHqmcNNJlsQkGjK
+TcA6wcFxMRcWyaV5MY3U7MTe1WJJXTrpAFYTOoo0pQaoONBaWn48qfdQc9OvtU17
+wgBFhNWfdJaDKDAcyz4pHj9ihl80brvThOwrhUAWRw3ooyZ3m+T8Bgrkqp4ZPv3w
+A8oaAoA91UKT5yKRcIAJHAkE4ep0UZdcNPKhBu7L5Jqh8I4EtG0FnZKkOR7gpw+y
+YhIhuewWlQWRJwXBv3TwX9njmKwfE6Uftgy9HPbc66mK61FR3fEsU9KHaCmkXDwH
+SQIDAQABo1MwUTAdBgNVHQ4EFgQUD2idNc+Yq+6am5/+lizTVJ5HRBUwHwYDVR0j
+BBgwFoAUD2idNc+Yq+6am5/+lizTVJ5HRBUwDwYDVR0TAQH/BAUwAwEB/zANBgkq
+hkiG9w0BAQsFAAOCAQEAcsa8Htaxw4HhtS8mboC41+FiqFisXfASO0LbsCLGjmrg
+Vi9MP9cg06g1AjxxlYw9KsbSXdn/jdbVqcQJxGItZ+CE1AcwUVg3c4ZmPOGIl4LS
+Pv2p2Lv4nCRWXrbp96O+lmC1xclziUTYGdQO9pNi71LcSapjLNlxWCWyvAJhWrVe
+zZHjGi1nG6ygpPXpldXFyyw61xpjPKc1eghoI125Am5xr3YhPjLM9IGGA1i6R9rC
+TlKjQOy8nUPC00jZrAf+HWdMWSpa320eOPi+qz18qbyfl8KMOBFvmA3mdumoABGn
+Mre0Gq9fUcd/KdPEHu++XAcLH3M8pqmeUQHHHse0gQ==
+-----END CERTIFICATE-----

certlib/testdata/cert2.pem

@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF2zCCA8OgAwIBAgIUXosHyc+4br2XvK+fLJ+6uG8G/eYwDQYJKoZIhvcNAQEL
+BQAwfTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExIjAgBgNVBAoM
+GVdOVFJNVVRFIEhlYXZ5IEluZHVzdHJpZXMxHzAdBgNVBAsMFkNyeXB0b2dyYXBo
+aWMgU2VydmljZXMxFDASBgNVBAMMC3Rlc3QtY2VydC0yMB4XDTI1MTExOTA4MjQy
+MloXDTQ1MTExNDA4MjQyMlowfTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlm
+b3JuaWExIjAgBgNVBAoMGVdOVFJNVVRFIEhlYXZ5IEluZHVzdHJpZXMxHzAdBgNV
+BAsMFkNyeXB0b2dyYXBoaWMgU2VydmljZXMxFDASBgNVBAMMC3Rlc3QtY2VydC0y
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA8G39r3JD0RNTT2d1Omtf
+WSxv2XzSgSmiAZl6wpcmvE/C9smltXskK/74vxTRpTSoTVtMi1dNWbZlYag+BaqF
+60Cp0kGPESIyLDtUQCZpQypKYjOXVPiwd9xXGAdE7Br7dFaUArGRJiWzPX/vjgdK
+mruRk+c3ABFhdbiq3CWCPz3uheu9ekUTgK8CEAFsWg2ehTjWIEJU61M6AITvSIUZ
+GUEaNC3cAeP7Wx3Vy694fT9WoHpyr6dtWsTzbWyuSPtQ8uR2BEcunUxiBtQthio5
+xv20ZgD9C+dJnwr9tE7JKh1MCrFQNkt7EedKABTVYxYxMVATYUUg+jZPy68v1KnL
+kYIeB/TBB6iVGIOc9EKWjGv+luebR7OGgu3sZTFxsW5Dq0LSjzLJqoKROtYEEnJt
+sWo6V1j7WMs1MPl8NtqqmJjlSJx/OUaVuseB/uji107aIMEKgOwTmFDfPdVYDhQG
+eQ3V0Ro25/A/oe5yxEDNnSWGPtOHRq7aSJHM3/0qaPxg+RPrObb3ISRkXs5GBOHV
+ss+Nk4McbCV6Zccy6gi+wrz7fiXHijpSWcVVfN9A61TSTTjAX+S9CphcjkS4I2JW
+OJY5i9ANP62mr73d2NSikoTXavUCgOBlW00m0gAR0JJYNe/31yS96UwvH0xCHxer
+1tX3qwGEjE0fhnwMhxP4tmkCAwEAAaNTMFEwHQYDVR0OBBYEFCs+ZbZ0uorYlg26
+m5PSz4Ov66KEMB8GA1UdIwQYMBaAFCs+ZbZ0uorYlg26m5PSz4Ov66KEMA8GA1Ud
+EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAJneix0lCM4CqdrajmaHa8Y4
+Sdr3URSufzW0l8zoBWss1z88X9aZemWKCd4UDSVpN+T6hEASvAw6zRSd2WkmCsdq
+KnwHFnDDWGANt/CBcbr69Sk09YLMO+F0Cku8Ymp2jcAFy074E/wjwxgT6JJ/BtQE
+q1JJNusanYN2jrYamB1PUnc4lWyOIOOTIU6oqofcJobtTJbSAA7Gvx4p85TMBnQu
+YJdBQ3jnFFH3pjCXA9BXaZnaiJjnfDggsJJT7CXngC4US/ti4qZr7+Poc0Ikb/Pm
+8EChKKvljZEtcxrhLhsVEzsJtk72F9Ravl+q2jS1zDqnS3OY6kf45nuYnvZ4QkX4
+Nk8Y6PmGGk00QCAxyVsiFrm7wZHHvnQyQr8nxjPOv2MryV5e3rW9WAzAG4vHPS1F
+5wi3ELiuivkoO5daDwzfVsKhQ3Nl2uAfS8pvY/NvTVPJnR+wdduJqgLMzAWhbRnx
+r6WxuiY9mdkdkr6PDDnrw/4lm+GRFw8ksn8ErB3nZf73lo1Ai+Iv2FIi5Ore/qeq
+vZjVNvBpZBiMo5d2zDWtp3m8vWgmgXDaKZXn0YAJATkqnhAKbdZ2cmwbGTZhIdrZ
+pqoq2KPY+luirIIDiKDbkW4b2HRxwSM8cI2HxONGcB43FcZHlpMhOtM3DD0Z8lQD
+b2Hi9ZK8kpL8qa2vFpOe
+-----END CERTIFICATE-----

certlib/testdata/ec-ca-cert.csr

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBzTCCAS4CAQAwgYgxCzAJBgNVBAYTAlVTMQkwBwYDVQQIEwAxCTAHBgNVBAcT
+ADEiMCAGA1UEChMZV05UUk1VVEUgSEVBVlkgSU5EVVNUUklFUzEfMB0GA1UECxMW
+Q1JZUFRPR1JBUEhJQyBTRVJWSUNFUzEeMBwGA1UEAxMVV05UUk1VVEUgVEVTVCBF
+QyBDQSAxMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAQxmTxzo1XOK0HDrtn92b
+exC4sXr8GnU+oATiXied3e1AWVOux9XtaWduY+a+r6Kb1rxMVyebn9KqtwNw+9KS
+XaEB1IN9QzfdxEcJgRIAVtFplOqCip5xKK0B+woo3wXm3ndq2kJts86aONqQ0m2g
+RrsmAKAX4pwmMnAHFF7veBcpsqugADAKBggqhkjOPQQDBAOBjAAwgYgCQgDG8Hdu
+FkC3z0u0MU01+Bi/2MorcVTvdkurLm6Rh2Zf65aaXK8PDdV/cPZ98qx7NoLDSvwF
+83gJuUI/3nVB/Ith7wJCAb6SAkXroT7y41XHayyTYb6+RKSlxxb9e5rtVCp/nG23
+s59r23vUC/wDb4VWJE5jKi5vmXfjY+RAL9FOnpr2wsX0
+-----END CERTIFICATE REQUEST-----

certlib/testdata/ec-ca-cert.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4TCCAkKgAwIBAgIUSnrCuvU8kj0nxNzmTgibiPLrQ8QwCgYIKoZIzj0EAwQw
+gYgxCzAJBgNVBAYTAlVTMQkwBwYDVQQIEwAxCTAHBgNVBAcTADEiMCAGA1UEChMZ
+V05UUk1VVEUgSEVBVlkgSU5EVVNUUklFUzEfMB0GA1UECxMWQ1JZUFRPR1JBUEhJ
+QyBTRVJWSUNFUzEeMBwGA1UEAxMVV05UUk1VVEUgVEVTVCBFQyBDQSAxMB4XDTI1
+MTExOTIwNTgwMVoXDTQ1MTExNDIxNTgwMVowgYgxCzAJBgNVBAYTAlVTMQkwBwYD
+VQQIEwAxCTAHBgNVBAcTADEiMCAGA1UEChMZV05UUk1VVEUgSEVBVlkgSU5EVVNU
+UklFUzEfMB0GA1UECxMWQ1JZUFRPR1JBUEhJQyBTRVJWSUNFUzEeMBwGA1UEAxMV
+V05UUk1VVEUgVEVTVCBFQyBDQSAxMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA
+QxmTxzo1XOK0HDrtn92bexC4sXr8GnU+oATiXied3e1AWVOux9XtaWduY+a+r6Kb
+1rxMVyebn9KqtwNw+9KSXaEB1IN9QzfdxEcJgRIAVtFplOqCip5xKK0B+woo3wXm
+3ndq2kJts86aONqQ0m2gRrsmAKAX4pwmMnAHFF7veBcpsqujRTBDMA4GA1UdDwEB
+/wQEAwICBDASBgNVHRMBAf8ECDAGAQH/AgEDMB0GA1UdDgQWBBSNqRkvwUgIHGa2
+jKmA2Q3w6Ju/FzAKBggqhkjOPQQDBAOBjAAwgYgCQgCckIFCjzJExxbV9dqm92nr
+safC3kqhCxjmilf0IYWVj5f1kymoFr3jPpmy0iFcteUk0QTcqpnUT4i140lxtyK8
+NAJCAVxbicZgVns9rgp6hu14l81j0XMpNgzy0QxscjMpWS/17iDJ4Y5vCWpwekrr
+F1cmmRpsodONacAvTml4ehKE2ekx
+-----END CERTIFICATE-----

certlib/testdata/ec-ca-priv.pem

@@ -0,0 +1,8 @@
+-----BEGIN PRIVATE KEY-----
+MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIAzkf/rvLGJBTVHHHr
+lUhzsRJZgkyzSY5YE3KBReDyFWc+OB48C1gdYB1u7+PxgyfwYACjPx2y1AxN8fJh
+XonY39mhgYkDgYYABABDGZPHOjVc4rQcOu2f3Zt7ELixevwadT6gBOJeJ53d7UBZ
+U67H1e1pZ25j5r6vopvWvExXJ5uf0qq3A3D70pJdoQHUg31DN93ERwmBEgBW0WmU
+6oKKnnEorQH7CijfBebed2raQm2zzpo42pDSbaBGuyYAoBfinCYycAcUXu94Fymy
+qw==
+-----END PRIVATE KEY-----

certlib/testdata/ec-ca.yaml

@@ -0,0 +1,14 @@
+key:
+  algorithm: ecdsa
+  size: 521
+subject:
+  common_name: WNTRMUTE TEST EC CA 1
+  country: US
+  organization: WNTRMUTE HEAVY INDUSTRIES
+  organizational_unit: CRYPTOGRAPHIC SERVICES
+profile:
+  is_ca: true
+  path_len: 3
+  key_uses:
+    - cert sign
+  expiry: 20y

certlib/testdata/priv1.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDuxsgnIF8EEXag
+ecU58tKu1whSllzPR8n0k22PNrPB/LKRVX2e4gLgnIP5WHHFKdJA3UfqQeqZw00m
+WxCQaMpNwDrBwXExFxbJpXkxjdTsxN7VYkldOukAVhM6ijSlBqg40Fpafjyp91Bz
+06+1TXvCAEWE1Z90loMoMBzLPikeP2KGXzRuu9OE7CuFQBZHDeijJneb5PwGCuSq
+nhk+/fADyhoCgD3VQpPnIpFwgAkcCQTh6nRRl1w08qEG7svkmqHwjgS0bQWdkqQ5
+HuCnD7JiEiG57BaVBZEnBcG/dPBf2eOYrB8TpR+2DL0c9tzrqYrrUVHd8SxT0odo
+KaRcPAdJAgMBAAECggEALeHOK7CNeYFmj2MeyioWIGkrDP2eM2lqzf+3VYXwKEZH
+xOQN2cY5wdHpjTQY1odZAsRSkZnde/L6o/RrPCiauTKHR9yFRObYJuLQZTyJDf8t
+h4jVqp/Ljpg7pSvR/mUHVbV5qzpnK0zd7Yffk2Hidk6pjSMkexmB9eq62bYl3gz2
+dlgKrLgjlwUmhD0P5OhwCW2Z2rmrGwY1y3pj/FjvIckxpPcEle0o/xUIEbW7lZux
+3fCAu2Lvg+I9qE5MaWIfZX4aUQi5gJmUZpUCuDJjwFIztO+vSqKmw4zOUFKCRrAc
+VsicvHvwmhUCrVT/ebEkf0ntSQq1ED0FARJdYhfOlQKBgQD8ngiviLbVPxVur6Wo
+tMzNUUpaJxfyWfZ4w5eYLWKkYSlax1HMCLYyMU0dwSWdmmri+ibm91+VXEJ5DxQh
+O/nIF5f0DpWcFmnl4C16xlouWiY6kaSTALQfy/PnsEsEd7oljxesqrpdw7s7/S8q
+OUGkTP20M+U0WQQ/RNDWZoyMbQKBgQDx+U1I28ceHSrE6ss/ufWBt2WqiyqvC2NN
+444/WkBps5XWUN0HSOBrr8PlMY4jsxyPXuqDVn6P4yg26zIRrIvBLonZ1v1PAMbk
+nL1kVB78QOxS/xYOOO2Y2YFtPSztmFZnm8b7l/+9YzHAVp4IrpTsny6UyVZaYVSD
+3v7XowlkzQKBgGJrO50P2ZOZQUNfYV4qGoR/gEVBZ93+2LzSDzS1sfGy/QamEyM3
+3awOcyn9fyc46x3FMfTYOcAaMrexfTk5gaZIMuZd7EHkpZtuzKlBsA7RBoXZClJP
+et3MexkwIPn7n2VUq3eVCIjRYhgMGx0LM5zMdieH9GuBptrzd52gVG+9AoGAVhRL
+7AlTMmFJ37dvCoKK1dR6NEtBqfexIfo7lkny9CdQvGcT2g2Q2H40gAo6+HQ1SsOH
+RaW1bFZw7eiJbUQmi1iU7YvPnRU3rAgeT9ylETO/Xl8kZ3bU/zURF91VaEhzJHSE
+Ouh9r8/j2Pp3SbthezO9jGx7bbeGK0te+TMkmlkCgYAwYst1HRndKGMVdNPCEdlW
+aye+R3VtpTWGqDCJiMQCMUsCZF8KcYkCAQk7nXh55putfvTwnWfnqRn91e9yp+/7
+rsE3vnGRcbkjvcgZaFyZL7800pOYWEm8FF2xRSBBC49b8kjZPA1i5OME2P0Y4lon
+naIddZmTj87qOtEaY/MSGQ==
+-----END PRIVATE KEY-----

certlib/testdata/priv2.pem

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDwbf2vckPRE1NP
+Z3U6a19ZLG/ZfNKBKaIBmXrClya8T8L2yaW1eyQr/vi/FNGlNKhNW0yLV01ZtmVh
+qD4FqoXrQKnSQY8RIjIsO1RAJmlDKkpiM5dU+LB33FcYB0TsGvt0VpQCsZEmJbM9
+f++OB0qau5GT5zcAEWF1uKrcJYI/Pe6F6716RROArwIQAWxaDZ6FONYgQlTrUzoA
+hO9IhRkZQRo0LdwB4/tbHdXLr3h9P1agenKvp21axPNtbK5I+1Dy5HYERy6dTGIG
+1C2GKjnG/bRmAP0L50mfCv20TskqHUwKsVA2S3sR50oAFNVjFjExUBNhRSD6Nk/L
+ry/UqcuRgh4H9MEHqJUYg5z0QpaMa/6W55tHs4aC7exlMXGxbkOrQtKPMsmqgpE6
+1gQScm2xajpXWPtYyzUw+Xw22qqYmOVInH85RpW6x4H+6OLXTtogwQqA7BOYUN89
+1VgOFAZ5DdXRGjbn8D+h7nLEQM2dJYY+04dGrtpIkczf/Spo/GD5E+s5tvchJGRe
+zkYE4dWyz42TgxxsJXplxzLqCL7CvPt+JceKOlJZxVV830DrVNJNOMBf5L0KmFyO
+RLgjYlY4ljmL0A0/raavvd3Y1KKShNdq9QKA4GVbTSbSABHQklg17/fXJL3pTC8f
+TEIfF6vW1ferAYSMTR+GfAyHE/i2aQIDAQABAoICAEMrJ1VNgd62HG8xgxGYD6I1
+BOZotdJ51BXIUABvA9ZWHiyd9xp1VYypBcs0QMF7rY029XJ0KFro1vfqbbFdi15G
+yWrA//wUZpnu1UG6uWuXNAKtURjfBUXnG7nNxhaEDz3YNi9udhOHMsT6qe0u4kvK
+HQiJ7tapBGZD+g/YtsN+RNXLHzs6cxFfUx8vlpqt9VxYnZGTlm/L54dfnA3RiUqB
+4pUzPqSUkZNKCYGG+w1alZPtwX6LMsTKAwvN8f7XnyzMYKAfVsmBHl20ByfVQiDy
+neRlYExkCDBTfL9Tx2Vpm+Xc1YDlo3ND/2t4ZojxGTsimNdy3Zypca+AuMcbzI/G
+fTY/qSQHrP/bz07oYwvFXUQhcVzuA6/DPzVL017SSOxCHTM2l4MItV4NE1ZLlEmq
+ehzzqgSMgtyse8axWuYdzCfo7coHJESSJHxdxwbNDyQNZnVeQ0/hQ6w6GsQpKfKT
+QjpxYuZlysLxwFtIB/5Qg9nUjZbWtA08shrSH5vY2YKjdV+84no4ilhfrsm3sNb+
+msrm3NcsNy3lhMDvp15yx9f89j4mpyaxzp6CZa6jhW4BVAUxxRSL0MBaX+06JEsF
+g8WVoZkCGyq3W8CaCzHG0gD0CYf1tKRXrwwDzVEUVN2N/u2BRJRogP5zPyjHi8Fl
+hOu+0f5mlu89n1rse9CVAoIBAQD7Vg7sPaS4et3K/NqIAe7HWElGB0aN/p8Coiwv
+xcamZAKYO3IbT/bgo0tJ2DynJJicBrfq4LMd97rldRjiD3CH88JFBEgm/L7HvYnQ
+wZh/OiLuUyrGKbAgUjbUVDnFDgFrxN1sdSG43l9N5+hJ4Yz47Jek5/8pZ1uOR70N
+usvPSKgcpcW8BJ1MwoOCQhaXhN+Yc/Y5FkPZ35C+IiRXJ/Hl6J0TCX/L48IKTdY9
+9F5wh9gHHxU+y0FFNbsD3PuwzYJsdxlVg0mbHLnHy8rKt9tJ/TDM+dXGsrOzimKG
+uZIIShyhQg1B/C7vOU3e5o2SNd7isaI6JqKWNwF7OLE6jpQrAoIBAQD05B9jYMjt
+NS3423V4Y7Qw0hMXfz/r36VLNUw3tBLbybL/qmBkEt4tYdn7FihVB6u4PRxWDh28
+A3XkQiIp+Awwn5CzixBf5cdSiozN673LzwMWOqHvfEjav5gWGabeCO2R62Zdt9Jt
+VcGwrHU+9F0gBySOB+OAp5HTTf9Y8ItQgcNeYDZUQzgArRJRBMrIZjx3jAYMb6N6
+SVQRYDZ0VDBvLpTGbJ7wDoQkYZ80jou6eBov6O3WXGkEVHJec9ULNWOvUgPU+SOB
+NJ2vLJuKmQxacPjtyo87BePYQoUpmYA389BdQkK+wFy8t/m4cpGb/h0uWAonFCA1
+fAGQFKnEAvG7AoIBAE41LDWUxPHmwadNYQ7bUxrSvRI+Z1T9+yrNneRLrZHPIwON
+0+btzgt+pInY8J6uA5LhgE9lFjdoA88szc5iMYkMb9IcD/uZwB/VOdIsu7AzPfVd
+Cb1Z8YVNL+SIROWtgwGu45vBIvossAlE9YIv3jcDH/jffAW9NL8kUY65JnxcxnsL
+lmj4Ip5lFJjuyariXNVKmD6RUBG2wIp5g0dflaUN6fqnhQ3D1HhyWg0zQkPP8Yfd
+wzWj9656lrQQCn2spT3tHYP/c2MB4Elsf7Du3xy53Xqa70uCBesDT79OdUOBFEGV
+lRyIRW6JLVMD+N+bRbzSu4FOzl7hxOM78+IdxbsCggEBAOD9UUUpX5BngmQXpHZG
+C/+qkbXNyDl6EM/nGK44t/bL+bNgogxvNUa2luFTexyb3o13P7hkYbch6scaZ27t
+oK1vfC8oPZQNdLIF7tUlmAtOlsRue+ad5gVrb1wmlyN5SmL8xeCmiSLAXiJmX5XG
+RmSti00ePEswKQ7coxPgc+40Of1UIbYKx8H/QEvFPlUdcMJYmBoG20f3ZNBN99mq
+m5EaV79xfhiJDairM+zCZeecflq0Awclgapjt2vFud8BXyNtE24wswj7AUA2mHSe
+pjXVgy5dIniUsb83ZkZQ6/b7/twfi1jbPJh54mkugU6zCbZRVoqOuATLeFgaU9ps
+5g8CggEBAIqE5wD2ezkZaN5XHBbYvMqzrnA2TQLxy+KD3XjuPE/EWidPz7nF0Z3q
+ucYBSyeak0dM6ZKcJFRVYcd3zr9Ssee5YO7n6ZE0AJdBJJSY3WAULTAO7GEQiIVS
+e2ptLBkaJv5Wsl558gTVVXzgTXyoprwTVeeOact8VnmIea3mHVghPAG6oPzgG2v8
+PDE64Zdu/OZs5nvEd262u5svsb0dgCPkXtKofkfxRhV7yDRtIkVe7qyK1Gq8BxNA
+wi5i7S0WTO1qmyu3l93JzSGYyca8US34KB7DIYO5u2yQRNhBkbKDRpkvPNIycY+J
+UAkHH7gJHv8bZgg5FVXt0B9875Z9qAI=
+-----END PRIVATE KEY-----

certlib/testdata/rsa-ca-cert.csr

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIEzzCCArcCAQAwgYkxCzAJBgNVBAYTAlVTMQkwBwYDVQQIEwAxCTAHBgNVBAcT
+ADEiMCAGA1UEChMZV05UUk1VVEUgSEVBVlkgSU5EVVNUUklFUzEfMB0GA1UECxMW
+Q1JZUFRPR1JBUEhJQyBTRVJWSUNFUzEfMB0GA1UEAxMWV05UUk1VVEUgVEVTVCBS
+U0EgQ0EgMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANq2EqMMNnQD
+x/FwQ9Xf+UqYJCsdeSxeRDk9CGRbsToKeBlYfsOMgZ3pghsZ1srnJyB+pF1cSM1q
+PJCXCvRdn11Q+FfZ25ye3pOaAY589GJSbEpcxitweJ7dsiY3sbqZjh5XnmwX5qHy
+CE2qamKKJoAUkJ1YH/gWqX4bMYPG5oRo6KpCxb6pKi5ScMTl7kvn9fagkHEVJLf2
+ZrQMWzTDwijjJGsKcjMWVZQegP9ODC+wut4uq1ZIFaXGW+dlrQkowVIZXZrBkL3l
+s3u4RJiDadOSvEH3VJB9yjz9/LKT+JFUzgbMWCyZ2Gq3gr/HY+Xsodu8JsPqQxAW
+PCxi19gi+Mx7Mk7jOqBShfDXby15mnqJxFU5VcjPtX5jPPIvDsF46IJX5lOwSNJa
+VQsp/s54OL4bzbel/BsHWztRcDNzAxvOW3edZHzCE+o7UWkMwvJER+ciAfJSSm8s
+oG5QiL5GdMvtiqwQe/l8bkbEws4OAnks9U+U9/5S3kLJq93Mw+oeId4m8bRGqCFB
+QF9OWaZOOHO5kET89jr/UF0Udi6IMNIvj1fbTJVKZdM4gDEcLHTiev3Wqhmsy+4m
+R7nVdr0bC8y5INLQ4aI4N4BUlzWUopWdFBasZYaJdWqt5sBVYHvEVvkThlJoDlCm
+mBPQC7TtvqUA0lEhIgWteR33FU/D+OfTAgMBAAGgADANBgkqhkiG9w0BAQsFAAOC
+AgEAOVmZNOOcyFMCF7p1ea7POU2Ev6l5x3vBnxqss+spRj07qWGKbKaFi6/smGoy
+If2SYSFY0bJi1wzuz78m2DQfQDl1AAxKdd33prFs1+nOsQPKuVAmMETKW8t+ZRQd
+hLq1I7aGcJjCU0nXnXEFM7XHJ2uUf1Af4WTCYOV8BvKanCz+xuTnjjW0fOYx6pZU
+3lPAl5e4lNlbrsF9SNomX6u0zdmjECxSmDbDl/XIx5NB0wzdBwmm6QO2Ulp+ytr1
+85OmOC6RxL+cBIS42k9WIZpYo6xRtJSoHhtpPHyWkDOnL32okxcZ4hfas3rXmpS+
+E0S+r39+f3a7W3U3sq6lkZ1o5EUuqzkwX70XSMHVypRN1HZDEXPvH5CM9pns4iTq
+FQoKWFjn7ZY9eazILtzlwAk5JalK0U4oQZwbtBl4EP5Dhmeok5u3QByAxD1wXC3p
+RZvEBEXmZ4BvNjol6aHPLTb7ff2urnLMWRJklM4JN9OB+IdWPvDzjbzwPwxGuwow
+TUr/Mmheps4YlcWQZxWsRJHAqCr/cw3EczMLqJ46KFqjj8qu5w8y5zKgt48PckD8
+MnV35R2B04STrxnN2vINt7/SkCxlwk45/wMnyi2/GKO2N9GS9DI10SbVrvul3TTk
+t0DJsQobX+ew2Cn4aSbHSSQG2tsE3gUVomwEjuyGDP1TIFY=
+-----END CERTIFICATE REQUEST-----

certlib/testdata/rsa-ca-cert.pem

@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF6DCCA9CgAwIBAgIVANc3mjaz6CKa3IT0+lJZ/hxvcbw6MA0GCSqGSIb3DQEB
+CwUAMIGJMQswCQYDVQQGEwJVUzEJMAcGA1UECBMAMQkwBwYDVQQHEwAxIjAgBgNV
+BAoTGVdOVFJNVVRFIEhFQVZZIElORFVTVFJJRVMxHzAdBgNVBAsTFkNSWVBUT0dS
+QVBISUMgU0VSVklDRVMxHzAdBgNVBAMTFldOVFJNVVRFIFRFU1QgUlNBIENBIDEw
+HhcNMjUxMTE5MjE1NzQ1WhcNNDUxMTE0MjI1NzQ1WjCBiTELMAkGA1UEBhMCVVMx
+CTAHBgNVBAgTADEJMAcGA1UEBxMAMSIwIAYDVQQKExlXTlRSTVVURSBIRUFWWSBJ
+TkRVU1RSSUVTMR8wHQYDVQQLExZDUllQVE9HUkFQSElDIFNFUlZJQ0VTMR8wHQYD
+VQQDExZXTlRSTVVURSBURVNUIFJTQSBDQSAxMIICIjANBgkqhkiG9w0BAQEFAAOC
+Ag8AMIICCgKCAgEA2rYSoww2dAPH8XBD1d/5SpgkKx15LF5EOT0IZFuxOgp4GVh+
+w4yBnemCGxnWyucnIH6kXVxIzWo8kJcK9F2fXVD4V9nbnJ7ek5oBjnz0YlJsSlzG
+K3B4nt2yJjexupmOHleebBfmofIITapqYoomgBSQnVgf+Bapfhsxg8bmhGjoqkLF
+vqkqLlJwxOXuS+f19qCQcRUkt/ZmtAxbNMPCKOMkawpyMxZVlB6A/04ML7C63i6r
+VkgVpcZb52WtCSjBUhldmsGQveWze7hEmINp05K8QfdUkH3KPP38spP4kVTOBsxY
+LJnYareCv8dj5eyh27wmw+pDEBY8LGLX2CL4zHsyTuM6oFKF8NdvLXmaeonEVTlV
+yM+1fmM88i8OwXjoglfmU7BI0lpVCyn+zng4vhvNt6X8GwdbO1FwM3MDG85bd51k
+fMIT6jtRaQzC8kRH5yIB8lJKbyygblCIvkZ0y+2KrBB7+XxuRsTCzg4CeSz1T5T3
+/lLeQsmr3czD6h4h3ibxtEaoIUFAX05Zpk44c7mQRPz2Ov9QXRR2Logw0i+PV9tM
+lUpl0ziAMRwsdOJ6/daqGazL7iZHudV2vRsLzLkg0tDhojg3gFSXNZSilZ0UFqxl
+hol1aq3mwFVge8RW+ROGUmgOUKaYE9ALtO2+pQDSUSEiBa15HfcVT8P459MCAwEA
+AaNFMEMwDgYDVR0PAQH/BAQDAgIEMBIGA1UdEwEB/wQIMAYBAf8CAQMwHQYDVR0O
+BBYEFAf60HUhXFOzcdtO8MJC2sN5qsmmMA0GCSqGSIb3DQEBCwUAA4ICAQAHBYjp
+hN6U00cqqU/tk1CyUuJsPq2tGGIb3PxN+PvGLrhx27P+F8a5Sn2zBbkweX5vCu+i
+o8EPavHAARIA+gF0UyM5MwPZdjdhNHDRGdASPphx7ZBa0e5Qp2XFyruw6EwHztyK
+m7cF45MslGiEjRc7cciR5AUElRFhgY2QAlCcA8Tp6h3XJVSlaDhf+sS1EWlseVJN
+GU5+Mu1L9vA6aiCKVtDviETfr7PmSY1obMrq9pDIoyo1jwflu/kTtmqDkDMkI1MI
+mGKoHuKfAtZHiavjL7DMilO6X6ZMNPSYl4snm2hovHnoemifGuwlJ/V+HnDIMQAs
+B5U3NY+IV6vlEYW3CmUfTsFjUzVpS/o/X5GBhG3pTAg9jUgpVsLNuVJrCg5PNpSL
+xXMWRxj/y5ITm0m0/agNAd80KEDvCTbdORdDz4iYVG/L/GoaH3yPcmrBsE+2pPQb
+rR1ihPU02wjY/oqlVt3mNzqczXZYoOW7FoW3O4dpP10kPA4O17nUJJ0FOU/vWXCS
+7TgJwdlzoTPptK7c9zoZcHwPY2j0BVVgSofKlKlR1tJvqxbDA16pw2nsWl+r53Uc
+Emw7SdHQfvDdbt42PL9g1CYqiYba7J9WkRWOYegSdOYLuaddYKN36xhCwT6p2/HM
+EaRCxfUq2tmFzL2NhJLJlvNhpe7Zt5s/UF1oiQ==
+-----END CERTIFICATE-----

certlib/testdata/rsa-ca-priv.pem

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDathKjDDZ0A8fx
+cEPV3/lKmCQrHXksXkQ5PQhkW7E6CngZWH7DjIGd6YIbGdbK5ycgfqRdXEjNajyQ
+lwr0XZ9dUPhX2ducnt6TmgGOfPRiUmxKXMYrcHie3bImN7G6mY4eV55sF+ah8ghN
+qmpiiiaAFJCdWB/4Fql+GzGDxuaEaOiqQsW+qSouUnDE5e5L5/X2oJBxFSS39ma0
+DFs0w8Io4yRrCnIzFlWUHoD/TgwvsLreLqtWSBWlxlvnZa0JKMFSGV2awZC95bN7
+uESYg2nTkrxB91SQfco8/fyyk/iRVM4GzFgsmdhqt4K/x2Pl7KHbvCbD6kMQFjws
+YtfYIvjMezJO4zqgUoXw128teZp6icRVOVXIz7V+YzzyLw7BeOiCV+ZTsEjSWlUL
+Kf7OeDi+G823pfwbB1s7UXAzcwMbzlt3nWR8whPqO1FpDMLyREfnIgHyUkpvLKBu
+UIi+RnTL7YqsEHv5fG5GxMLODgJ5LPVPlPf+Ut5CyavdzMPqHiHeJvG0RqghQUBf
+TlmmTjhzuZBE/PY6/1BdFHYuiDDSL49X20yVSmXTOIAxHCx04nr91qoZrMvuJke5
+1Xa9GwvMuSDS0OGiODeAVJc1lKKVnRQWrGWGiXVqrebAVWB7xFb5E4ZSaA5QppgT
+0Au07b6lANJRISIFrXkd9xVPw/jn0wIDAQABAoICAFk4c0veXIxhSnx8zr99+eVr
+QT3xbRAjeHNdKYI/QYIq6Sl1x2igdfPkYTYLCWuGdpiz8PtA/VYG46QcadScKLnZ
+oSW9cvBmguf1qHLnGI7PjuubAyCPZjVwvQ8II1G6+JX6Kl9wNJ6V7Ls6LOH7947C
+VOhLHeeH3ybZkw5t4nXbkiZ6zM5llhaFfQllvxtqChXNFH99H5iIRQdoDwDsZtVl
+K+MaxNGAZ/LfqsH7pc8CqoiewziUeXhB/hXcjYUyAgMq49uQ4SoGfXyYBCuvWEl+
+D5xdeDrlhc3x0tdKs9kdnlp5m/K94+JM8GKpxV/zc2f/TlUXyLnUSEHXJLRAN/v5
+oMeZ/3N+gbOUZtu8E/xsYLCSgjVdnWlqBxhnNJ9KsrlhHNzM0FQMOMSHf2aQVUjS
+yhSPwhwOmNJ3sOznHF27yZS52MS+lgIE+Te7swRAUt/Rb3Vx2SUwbfBHWLeSY0Wy
+DOYljRSc7jliNxgN9FGdReHQpLRbysotBV9XkyYks5nrkbqFJP5gfRm0Y8nk2Nlr
+NJFi3fTDVjKF5PXaSskymwL7RQdYdBD//wsRdcqZxbs93we7xjM5POZqEcX7WUvr
+LqivREko+ZaUR0BSLZVYRMIDFwFUFJuTy3uEdWvhaB0KYdL/nu85iLHqLg86Jteg
+aMkVEgFlyfMZI17DEhjBAoIBAQDnzGWl1JCMnuNNOeQw4mcRuuKun6cCPaoU0Nl/
+SLOFd6P6XLUy4kTIvDopo9mg9Qi5EpWUDaLEWuqFIv45KN90n0/7uGEerkGob6ic
+DjHJiVoqsRV2/keQsGk/vIoKWXemdDIFIVy6AEQ7GEV/EWPIDSS3Xr8EymPtpuYP
+kqp6o0iMFpvkaAPNj33Lz2RigNKYPTJ/tjIPE4yw2B1zuanMwTBCHahJeMZqF3qL
+nqdDfRqdEB8/LLwRibRY1lvKzPQPxoUdv2MGKXZ/T3oPQEblMpOAU8EhifUZPpef
+vZYeJ/XURLcBNsdYdJQzeuzxr+rxl3gEdpErZafBh9DXgtXzAoIBAQDxi+AnpIlr
+jmIec4aFDoS+PjzIhe4sZEuLnTlYe8XarbhN8kedYaRhvZQ5L7QVpmuk8jyMORB8
+VKfabmQKQoYKtKb9nHS8C/WW4dJRhWu7vcr22BHEh+ylwsJmBPLywpybjo0YX9k6
+epbMzgIIP+woFCzo5IeQ9fd4XzQTFF8nJmNv+vOzj3PMf7Cc5/q7DqiDKDnXGl5b
+u2mdZCM5GFY6wjpEkJllSE82JjEY18N0wsJMfcNckY9oq4ZkWdPfhT4ZcnknZjqC
+uJABe28r+CE3lAtRSgD5XLFCvPuP0FbGe1MovuOFFPbkVKA6ECGF0az/A8F4t8PB
+sSuzoNu8Ar6hAoIBAQC04KahFJIHaSTt6jLKgqDzEOY6ZZKpCP1jaOWPkWekyotG
+nnk2z6HlEhxAyf7UvuCjqoDWGx3cIyXF5lyCtgZItthvEJ2Yl1nc2eS0gc8P+QJH
+NhAN3rZxjXdTqQf+s3nOhfVSU4pMClEz2+i/Ew7N2JPCE0jzsAryM75qgIRPVoMR
+7cKQJSpyiXocRCWNSAENkxOI3N+LLDIo/TteRo7dnBLQRNxBGOGbf968fH0BCOpv
+jVkUrw/Cj7YPbJYMVopMlRji8amP8WLqTVZt+DZaO3EmPjUCuuhrXpBqskImHgCS
+N1ymsdw0hiPvWAj1P9UR2KRqtyrotlaFijnJMetJAoIBADDQD5BzU8IEmBeHSRwC
+fxjjAu2TAzq9Wfbw4vHasXUrvh8iYw6O+OU3poiX91CYvRAsU8gSkB5QDUu7G0Rn
+hScMsuJ1h7GoyQygvhvzVn4uMKIJsC2DOnOVFCwBvAcLBRL6j9DpLcD/nRHuX8LD
+CDphOWInLK5CxqvwsVlZuJD01QuAL1eOGdytwUc0Khs7LxqyOl4Z2g+3o/RGlEep
+f2OIdLX+csFhB4Dt3uYiVEF4SkOi9qPyVoTUhOgqrwJwrsf9tjYcFp7sJU3nX+QG
+1M+if1cCGYhLDxdpkXzSoXai3X9SdDAkuHAUGf0h3WRppwgx/hsjJ9AwuaAnVcB8
+3YECggEBALBNp7jHCdmRJeZk1pLrG8v5cMFvZfHV8u80Pk8FXe1ULSQzDx7Pse/G
+s9K1Q5j3KbWW+WfD2klq1TlJuYyLCF1gEl0dYIbHSSGauzZDRZ+NzlgYBt2MFKcz
+qCuqbI7wU5Ou60jJoVG4E2F6xwLyQuHRP5sZn+dN2jsxqouBCRltkpd2mlL2+AU0
+StbDpQ5k70/6OhJsZjNDUiUiLUaM73wiIPoOQEslxVaWyuud2U13kbGeB9SKyipR
+Te53TuEakRGEmrgkqQYIX/w90LAkobKdATkrYk/IIr6y7wvvY80nacZgYyZ14FSC
+eWRtwt2K2iouhIrKnXvlgEnfRUd9XXI=
+-----END PRIVATE KEY-----

certlib/testdata/rsa-ca.yaml

@@ -0,0 +1,14 @@
+key:
+  algorithm: rsa
+  size: 4096
+subject:
+  common_name: WNTRMUTE TEST RSA CA 1
+  country: US
+  organization: WNTRMUTE HEAVY INDUSTRIES
+  organizational_unit: CRYPTOGRAPHIC SERVICES
+profile:
+  is_ca: true
+  path_len: 3
+  key_uses:
+    - cert sign
+  expiry: 20y

certlib/verify/verify.go

@@ -8,7 +8,8 @@ import (
 	"io"
 
 	"git.wntrmute.dev/kyle/goutils/certlib/revoke"
-	"git.wntrmute.dev/kyle/goutils/lib"
+	"git.wntrmute.dev/kyle/goutils/lib/dialer"
+	"git.wntrmute.dev/kyle/goutils/lib/fetch"
 )
 
 func bundleIntermediates(w io.Writer, chain []*x509.Certificate, pool *x509.CertPool, verbose bool) *x509.CertPool {
@@ -45,7 +46,7 @@ func prepareVerification(w io.Writer, target string, opts *Opts) (*verifyResult,
 
 	if opts == nil {
 		opts = &Opts{
-			Config:             lib.StrictBaselineTLSConfig(),
+			Config:             dialer.StrictBaselineTLSConfig(),
 			ForceIntermediates: false,
 		}
 	}
@@ -67,7 +68,7 @@ func prepareVerification(w io.Writer, target string, opts *Opts) (*verifyResult,
 
 	roots = opts.Config.RootCAs.Clone()
 
-	chain, err := lib.GetCertificateChain(target, opts.Config)
+	chain, err := fetch.GetCertificateChain(target, opts.Config)
 	if err != nil {
 		return nil, fmt.Errorf("fetching certificate chain: %w", err)
 	}

cmd/bcuz/README

@@ -0,0 +1,8 @@
+bcuz: bandcamp unzip
+
+When you download stuff from bandcamp, it gives you a zip file that
+extracts files into the current directory. This is a quick hack tries
+to parse the filename as "artist - album", unpack the contents to
+"artist/album/*", and remove the zip file (which can be kept with
+-k). Works on my machine™, good enough for me.
+

cmd/bcuz/main.go

@@ -0,0 +1,110 @@
+package main
+
+import (
+	"archive/zip"
+	"errors"
+	"flag"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+var unrestrictedDecompression bool
+
+var keepArchive bool
+
+func removedir(dir string, existed bool) {
+	if !existed {
+		os.RemoveAll(dir)
+	}
+}
+
+func unpackFile(path string) error {
+	var dir string
+	var existed bool
+
+	fmt.Printf("[+] processing %s:\n", path)
+
+	base := filepath.Base(path[:len(path)-4])
+	pieces := strings.SplitN(base, "-", 2)
+	if len(pieces) == 2 {
+		artist := strings.TrimSpace(pieces[0])
+		album := strings.TrimSpace(pieces[1])
+		dir = filepath.Join(artist, album)
+	} else {
+		dir = base
+	}
+
+	_, err := os.Stat(dir)
+	if err == nil {
+		existed = true
+	}
+
+	fmt.Printf("\tunpack directory: %s\n", dir)
+	err = os.MkdirAll(dir, 0755)
+	if err != nil {
+		return err
+	}
+
+	r, err := zip.OpenReader(path)
+	if err != nil {
+		removedir(dir, existed)
+		return err
+	}
+	defer r.Close()
+
+	var rc io.ReadCloser
+	for _, f := range r.File {
+		fmt.Printf("\tunpacking %s\n", f.FileHeader.Name)
+		rc, err = f.Open()
+		if err != nil {
+			rc.Close()
+			removedir(dir, existed)
+			return err
+		}
+
+		if f.UncompressedSize64 > (f.CompressedSize64*32) && !unrestrictedDecompression {
+			rc.Close()
+			removedir(dir, existed)
+			return errors.New("file is too large to decompress (maybe a zip bomb)")
+		}
+
+		var out *os.File
+		out, err = os.Create(filepath.Join(dir, f.FileHeader.Name))
+		if err != nil {
+			rc.Close()
+			removedir(dir, existed)
+			return err
+		}
+
+		_, err = io.Copy(out, rc) // #nosec G110: handled with size check above
+		if err != nil {
+			rc.Close()
+			removedir(dir, existed)
+			return err
+		}
+
+		out.Close()
+		rc.Close()
+	}
+
+	if !keepArchive {
+		return os.Remove(path)
+	}
+	return nil
+}
+
+func main() {
+	flag.BoolVar(&keepArchive, "k", false, "don't remove the archive file after unpacking")
+	flag.BoolVar(&unrestrictedDecompression, "u", false, "allow unrestricted decompression")
+	flag.Parse()
+
+	for _, path := range flag.Args() {
+		err := unpackFile(path)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "[!] failed to process %s: %s\n", path, err)
+		}
+	}
+}

cmd/ca-signed/main.go

@@ -12,6 +12,8 @@ import (
 	"git.wntrmute.dev/kyle/goutils/certlib/verify"
 	"git.wntrmute.dev/kyle/goutils/die"
 	"git.wntrmute.dev/kyle/goutils/lib"
+	"git.wntrmute.dev/kyle/goutils/lib/dialer"
+	"git.wntrmute.dev/kyle/goutils/lib/fetch"
 )
 
 //go:embed testdata/*.pem
@@ -137,11 +139,11 @@ func selftest() int {
 func main() {
 	var skipVerify, useStrict bool
 
-	lib.StrictTLSFlag(&useStrict)
+	dialer.StrictTLSFlag(&useStrict)
 	flag.BoolVar(&skipVerify, "k", false, "don't verify certificates")
 	flag.Parse()
 
-	tcfg, err := lib.BaselineTLSConfig(skipVerify, useStrict)
+	tcfg, err := dialer.BaselineTLSConfig(skipVerify, useStrict)
 	die.If(err)
 
 	args := flag.Args()
@@ -171,7 +173,7 @@ func main() {
 	for _, arg := range args {
 		var cert *x509.Certificate
 
-		cert, err = lib.GetCertificate(arg, tcfg)
+		cert, err = fetch.GetCertificate(arg, tcfg)
 		if err != nil {
 			lib.Warn(err, "while parsing certificate from %s", arg)
 			continue

cmd/ccfind/main.go

@@ -0,0 +1,46 @@
+package main
+
+// Prompt:
+// The current main.go should accept a list of paths to search. In each
+// of those paths, without recursing, it should find all files ending in
+// C/C++ source extensions and print them one per line.
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"slices"
+	"strings"
+)
+
+var extensions = []string{
+	".c", ".cpp", ".cc", ".cxx",
+	".h", ".hpp", ".hh", ".hxx",
+}
+
+func main() {
+	if len(os.Args) < 2 {
+		fmt.Fprintf(os.Stderr, "Usage: %s <path> [path...]\n", os.Args[0])
+		os.Exit(1)
+	}
+
+	for _, path := range os.Args[1:] {
+		entries, err := os.ReadDir(path)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Error reading %s: %v\n", path, err)
+			continue
+		}
+
+		for _, entry := range entries {
+			if entry.IsDir() {
+				continue
+			}
+
+			name := entry.Name()
+			ext := filepath.Ext(name)
+			if slices.Contains(extensions, strings.ToLower(ext)) {
+				fmt.Println(filepath.Join(path, name))
+			}
+		}
+	}
+}

cmd/cert-bundler/testdata/bundle.yaml

@@ -12,6 +12,7 @@ chains:
       include_single: true
       include_individual: true
       manifest: true
+      encoding: pemcrt
       formats:
         - zip
         - tgz

cmd/cert-revcheck/main.go

@@ -15,7 +15,7 @@ import (
 	hosts "git.wntrmute.dev/kyle/goutils/certlib/hosts"
 	"git.wntrmute.dev/kyle/goutils/certlib/revoke"
 	"git.wntrmute.dev/kyle/goutils/fileutil"
-	"git.wntrmute.dev/kyle/goutils/lib"
+	"git.wntrmute.dev/kyle/goutils/lib/dialer"
 )
 
 var (
@@ -39,7 +39,7 @@ func main() {
 
 	revoke.HardFail = hardfail
 	// Build a proxy-aware HTTP client for OCSP/CRL fetches
-	if httpClient, err := lib.NewHTTPClient(lib.DialerOpts{Timeout: timeout}); err == nil {
+	if httpClient, err := dialer.NewHTTPClient(dialer.Opts{Timeout: timeout}); err == nil {
 		revoke.HTTPClient = httpClient
 	}
 
@@ -105,7 +105,7 @@ func checkSite(hostport string) (string, error) {
 	defer cancel()
 
 	// Use proxy-aware TLS dialer
-	conn, err := lib.DialTLS(ctx, target.String(), lib.DialerOpts{Timeout: timeout, TLSConfig: &tls.Config{
+	conn, err := dialer.DialTLS(ctx, target.String(), dialer.Opts{Timeout: timeout, TLSConfig: &tls.Config{
 		InsecureSkipVerify: true, // #nosec G402 -- CLI tool only verifies revocation
 		ServerName:         target.Host,
 	}})

cmd/certchain/main.go

@@ -11,7 +11,7 @@ import (
 	"strings"
 
 	"git.wntrmute.dev/kyle/goutils/die"
-	"git.wntrmute.dev/kyle/goutils/lib"
+	"git.wntrmute.dev/kyle/goutils/lib/dialer"
 )
 
 var hasPort = regexp.MustCompile(`:\d+$`)
@@ -25,7 +25,11 @@ func main() {
 		}
 
 		// Use proxy-aware TLS dialer
-		conn, err := lib.DialTLS(context.Background(), server, lib.DialerOpts{TLSConfig: &tls.Config{}}) // #nosec G402
+		conn, err := dialer.DialTLS(
+			context.Background(),
+			server,
+			dialer.Opts{TLSConfig: &tls.Config{}},
+		) // #nosec G402
 		die.If(err)
 
 		defer conn.Close()

cmd/certdump/main.go

@@ -9,6 +9,7 @@ import (
 
 	"git.wntrmute.dev/kyle/goutils/certlib/dump"
 	"git.wntrmute.dev/kyle/goutils/lib"
+	"git.wntrmute.dev/kyle/goutils/lib/fetch"
 )
 
 var config struct {
@@ -27,19 +28,19 @@ func main() {
 
 	for _, filename := range flag.Args() {
 		fmt.Fprintf(os.Stdout, "--%s ---%s", filename, "\n")
-		certs, err := lib.GetCertificateChain(filename, tlsCfg)
+		certs, err := fetch.GetCertificateChain(filename, tlsCfg)
 		if err != nil {
 			lib.Warn(err, "couldn't read certificate")
 			continue
 		}
 
 		if config.leafOnly {
-			dump.DisplayCert(os.Stdout, certs[0])
+			dump.DisplayCert(os.Stdout, certs[0], config.showHash)
 			continue
 		}
 
 		for i := range certs {
-			dump.DisplayCert(os.Stdout, certs[i])
+			dump.DisplayCert(os.Stdout, certs[i], config.showHash)
 		}
 	}
 }

cmd/certexpiry/main.go

@@ -8,6 +8,8 @@ import (
 	"git.wntrmute.dev/kyle/goutils/certlib/verify"
 	"git.wntrmute.dev/kyle/goutils/die"
 	"git.wntrmute.dev/kyle/goutils/lib"
+	"git.wntrmute.dev/kyle/goutils/lib/dialer"
+	"git.wntrmute.dev/kyle/goutils/lib/fetch"
 )
 
 func main() {
@@ -18,20 +20,20 @@ func main() {
 		warnOnly   bool
 	)
 
-	lib.StrictTLSFlag(&strictTLS)
+	dialer.StrictTLSFlag(&strictTLS)
 
 	flag.BoolVar(&skipVerify, "k", false, "skip server verification") // #nosec G402
 	flag.BoolVar(&warnOnly, "q", false, "only warn about expiring certs")
 	flag.DurationVar(&leeway, "t", leeway, "warn if certificates are closer than this to expiring")
 	flag.Parse()
 
-	tlsCfg, err := lib.BaselineTLSConfig(skipVerify, strictTLS)
+	tlsCfg, err := dialer.BaselineTLSConfig(skipVerify, strictTLS)
 	die.If(err)
 
 	for _, file := range flag.Args() {
 		var certs []*x509.Certificate
 
-		certs, err = lib.GetCertificateChain(file, tlsCfg)
+		certs, err = fetch.GetCertificateChain(file, tlsCfg)
 		if err != nil {
 			_, _ = lib.Warn(err, "while parsing certificates")
 			continue

cmd/certser/main.go

@@ -8,6 +8,8 @@ import (
 
 	"git.wntrmute.dev/kyle/goutils/die"
 	"git.wntrmute.dev/kyle/goutils/lib"
+	"git.wntrmute.dev/kyle/goutils/lib/dialer"
+	"git.wntrmute.dev/kyle/goutils/lib/fetch"
 )
 
 const displayInt lib.HexEncodeMode = iota
@@ -33,13 +35,13 @@ func serialString(cert *x509.Certificate, mode lib.HexEncodeMode) string {
 func main() {
 	var skipVerify bool
 	var strictTLS bool
-	lib.StrictTLSFlag(&strictTLS)
+	dialer.StrictTLSFlag(&strictTLS)
 	displayAs := flag.String("d", "int", "display mode (int, hex, uhex)")
 	showExpiry := flag.Bool("e", false, "show expiry date")
 	flag.BoolVar(&skipVerify, "k", false, "skip server verification") // #nosec G402
 	flag.Parse()
 
-	tlsCfg, err := lib.BaselineTLSConfig(skipVerify, strictTLS)
+	tlsCfg, err := dialer.BaselineTLSConfig(skipVerify, strictTLS)
 	die.If(err)
 
 	displayMode := parseDisplayMode(*displayAs)
@@ -47,7 +49,7 @@ func main() {
 	for _, arg := range flag.Args() {
 		var cert *x509.Certificate
 
-		cert, err = lib.GetCertificate(arg, tlsCfg)
+		cert, err = fetch.GetCertificate(arg, tlsCfg)
 		die.If(err)
 
 		fmt.Printf("%s: %s", arg, serialString(cert, displayMode))

cmd/certverify/main.go

@@ -10,6 +10,7 @@ import (
 	"git.wntrmute.dev/kyle/goutils/certlib/verify"
 	"git.wntrmute.dev/kyle/goutils/die"
 	"git.wntrmute.dev/kyle/goutils/lib"
+	"git.wntrmute.dev/kyle/goutils/lib/dialer"
 )
 
 type appConfig struct {
@@ -28,7 +29,7 @@ func parseFlags() appConfig {
 	flag.BoolVar(&cfg.skipVerify, "k", false, "skip CA verification")
 	flag.BoolVar(&cfg.revexp, "r", false, "print revocation and expiry information")
 	flag.BoolVar(&cfg.verbose, "v", false, "verbose")
-	lib.StrictTLSFlag(&cfg.strictTLS)
+	dialer.StrictTLSFlag(&cfg.strictTLS)
 	flag.Parse()
 
 	if flag.NArg() == 0 {
@@ -71,7 +72,7 @@ func main() {
 		die.If(err)
 	}
 
-	opts.Config, err = lib.BaselineTLSConfig(cfg.skipVerify, cfg.strictTLS)
+	opts.Config, err = dialer.BaselineTLSConfig(cfg.skipVerify, cfg.strictTLS)
 	die.If(err)
 
 	opts.Config.RootCAs = roots

cmd/kgz/main.go

@@ -101,7 +101,7 @@ func buildExtraForPath(st unix.Stat_t, path string, setUID, setGID int) []byte {
 			gid = uint32(setGID & 0xFFFFFFFF) //#nosec G115 - masked
 		}
 	}
-	mode := uint32(st.Mode & 0o7777)
+	mode := st.Mode & 0o7777
 
 	// Use portable helper to gather ctime
 	var cts int64
@@ -111,7 +111,7 @@ func buildExtraForPath(st unix.Stat_t, path string, setUID, setGID int) []byte {
 		ctns = clampToInt32(ft.Changed.Nanosecond())
 	}
 
-	return buildKGExtra(uid, gid, mode, cts, ctns)
+	return buildKGExtra(uid, gid, uint32(mode), cts, ctns)
 }
 
 // parseKGExtra scans a gzip Extra blob and returns kgz metadata if present.

cmd/rhash/main.go

@@ -14,6 +14,7 @@ import (
 	"git.wntrmute.dev/kyle/goutils/ahash"
 	"git.wntrmute.dev/kyle/goutils/die"
 	"git.wntrmute.dev/kyle/goutils/lib"
+	"git.wntrmute.dev/kyle/goutils/lib/dialer"
 )
 
 func usage(w io.Writer) {
@@ -84,7 +85,7 @@ func main() {
 			continue
 		}
 		// Use proxy-aware HTTP client with a reasonable timeout for connects/handshakes
-		httpClient, err := lib.NewHTTPClient(lib.DialerOpts{Timeout: 30 * time.Second})
+		httpClient, err := dialer.NewHTTPClient(dialer.Opts{Timeout: 30 * time.Second})
 		if err != nil {
 			_, _ = lib.Warn(err, "building HTTP client for %s", remote)
 			continue

cmd/stealchain/main.go

@@ -11,20 +11,20 @@ import (
 
 	"git.wntrmute.dev/kyle/goutils/certlib"
 	"git.wntrmute.dev/kyle/goutils/die"
-	"git.wntrmute.dev/kyle/goutils/lib"
+	"git.wntrmute.dev/kyle/goutils/lib/dialer"
 )
 
 func main() {
 	var sysRoot, serverName string
 	var skipVerify bool
 	var strictTLS bool
-	lib.StrictTLSFlag(&strictTLS)
+	dialer.StrictTLSFlag(&strictTLS)
 	flag.StringVar(&sysRoot, "ca", "", "provide an alternate CA bundle")
 	flag.StringVar(&serverName, "sni", "", "provide an SNI name")
 	flag.BoolVar(&skipVerify, "noverify", false, "don't verify certificates")
 	flag.Parse()
 
-	tlsCfg, err := lib.BaselineTLSConfig(skipVerify, strictTLS)
+	tlsCfg, err := dialer.BaselineTLSConfig(skipVerify, strictTLS)
 	die.If(err)
 
 	if sysRoot != "" {
@@ -43,7 +43,7 @@ func main() {
 		}
 
 		var conn *tls.Conn
-		conn, err = lib.DialTLS(context.Background(), site, lib.DialerOpts{TLSConfig: tlsCfg})
+		conn, err = dialer.DialTLS(context.Background(), site, dialer.Opts{TLSConfig: tlsCfg})
 		die.If(err)
 
 		cs := conn.ConnectionState()

cmd/tlsinfo/main.go

@@ -9,7 +9,7 @@ import (
 
 	"git.wntrmute.dev/kyle/goutils/certlib/hosts"
 	"git.wntrmute.dev/kyle/goutils/die"
-	"git.wntrmute.dev/kyle/goutils/lib"
+	"git.wntrmute.dev/kyle/goutils/lib/dialer"
 )
 
 func main() {
@@ -22,10 +22,10 @@ func main() {
 	die.If(err)
 
 	// Use proxy-aware TLS dialer; skip verification as before
-	conn, err := lib.DialTLS(
+	conn, err := dialer.DialTLS(
 		context.Background(),
 		hostPort.String(),
-		lib.DialerOpts{TLSConfig: &tls.Config{InsecureSkipVerify: true}},
+		dialer.Opts{TLSConfig: &tls.Config{InsecureSkipVerify: true}},
 	) // #nosec G402
 	die.If(err)
 
@@ -65,7 +65,7 @@ func printPeerCertificates(certificates []*x509.Certificate) {
 		fmt.Printf("\tSubject: %s\n", cert.Subject)
 		fmt.Printf("\tIssuer: %s\n", cert.Issuer)
 		fmt.Printf("\tDNS Names:	%v\n", cert.DNSNames)
-		fmt.Printf("\tNot Before: %s\n:", cert.NotBefore)
+		fmt.Printf("\tNot Before: %s\n", cert.NotBefore)
 		fmt.Printf("\tNot After: %s\n", cert.NotAfter)
 	}
 }

go.sum

@@ -29,19 +29,15 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
 golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
-golang.org/x/crypto v0.44.0 h1:A97SsFvM3AIwEEmTBiaxPPTYpDC47w720rdiiUvgoAU=
-golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
 golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
-golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
 golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
-golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
-golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=

lib/dialer/dialer.go

@@ -1,5 +1,5 @@
-// Package lib contains reusable helpers. This file provides proxy-aware
-// dialers for plain TCP and TLS connections using environment variables.
+// Package dialer provides proxy-aware dialers for plain TCP and TLS
+// connections using environment variables.
 //
 // Supported proxy environment variables (checked case-insensitively):
 //   - SOCKS5_PROXY  (e.g., socks5://user:pass@host:1080)
@@ -12,7 +12,7 @@
 //  3. HTTP_PROXY
 //
 // Both uppercase and lowercase variable names are honored.
-package lib
+package dialer
 
 import (
 	"bufio"
@@ -66,7 +66,7 @@ func BaselineTLSConfig(skipVerify bool, secure bool) (*tls.Config, error) {
 
 var debug = dbg.NewFromEnv()
 
-// DialerOpts controls creation of proxy-aware dialers.
+// Opts controls creation of proxy-aware dialers.
 //
 // Timeout controls the maximum amount of time spent establishing the
 // underlying TCP connection and any proxy handshake. If zero, a
@@ -75,7 +75,7 @@ var debug = dbg.NewFromEnv()
 // TLSConfig is used by the TLS dialer to configure the TLS handshake to
 // the target endpoint. If TLSConfig.ServerName is empty, it will be set
 // from the host portion of the address passed to DialContext.
-type DialerOpts struct {
+type Opts struct {
 	Timeout   time.Duration
 	TLSConfig *tls.Config
 }
@@ -88,7 +88,7 @@ type ContextDialer interface {
 // DialTCP is a convenience helper that dials a TCP connection to address
 // using a proxy-aware dialer derived from opts. It honors SOCKS5_PROXY,
 // HTTPS_PROXY, and HTTP_PROXY environment variables.
-func DialTCP(ctx context.Context, address string, opts DialerOpts) (net.Conn, error) {
+func DialTCP(ctx context.Context, address string, opts Opts) (net.Conn, error) {
 	d, err := NewNetDialer(opts)
 	if err != nil {
 		return nil, err
@@ -100,7 +100,7 @@ func DialTCP(ctx context.Context, address string, opts DialerOpts) (net.Conn, er
 // address using a proxy-aware dialer derived from opts. It returns a *tls.Conn.
 // It honors SOCKS5_PROXY, HTTPS_PROXY, and HTTP_PROXY environment variables and
 // uses opts.TLSConfig for the handshake (filling ServerName from address if empty).
-func DialTLS(ctx context.Context, address string, opts DialerOpts) (*tls.Conn, error) {
+func DialTLS(ctx context.Context, address string, opts Opts) (*tls.Conn, error) {
 	d, err := NewTLSDialer(opts)
 	if err != nil {
 		return nil, err
@@ -123,7 +123,7 @@ func DialTLS(ctx context.Context, address string, opts DialerOpts) (*tls.Conn, e
 // proxies discovered from the environment (SOCKS5_PROXY, HTTPS_PROXY, HTTP_PROXY).
 // The returned dialer supports context cancellation for direct and HTTP(S)
 // proxies and applies the configured timeout to connection/proxy handshake.
-func NewNetDialer(opts DialerOpts) (ContextDialer, error) {
+func NewNetDialer(opts Opts) (ContextDialer, error) {
 	if opts.Timeout <= 0 {
 		opts.Timeout = 30 * time.Second
 	}
@@ -165,7 +165,7 @@ func NewNetDialer(opts DialerOpts) (ContextDialer, error) {
 //
 // The returned dialer performs proxy negotiation (if any), then completes a
 // TLS handshake to the target using opts.TLSConfig.
-func NewTLSDialer(opts DialerOpts) (ContextDialer, error) {
+func NewTLSDialer(opts Opts) (ContextDialer, error) {
 	if opts.Timeout <= 0 {
 		opts.Timeout = 30 * time.Second
 	}
@@ -247,7 +247,7 @@ func getProxyURLFromEnv(name string) *url.URL {
 //     HTTPS_PROXY, and NO_PROXY/no_proxy.
 //   - Connection and TLS handshake timeouts are derived from opts.Timeout.
 //   - For HTTPS targets, opts.TLSConfig is applied to the transport.
-func NewHTTPClient(opts DialerOpts) (*http.Client, error) {
+func NewHTTPClient(opts Opts) (*http.Client, error) {
 	if opts.Timeout <= 0 {
 		opts.Timeout = 30 * time.Second
 	}
@@ -422,7 +422,7 @@ func drainHeaders(br *bufio.Reader) error {
 }
 
 // newSOCKS5Dialer builds a context-aware wrapper over the x/net/proxy dialer.
-func newSOCKS5Dialer(u *url.URL, opts DialerOpts) (ContextDialer, error) {
+func newSOCKS5Dialer(u *url.URL, opts Opts) (ContextDialer, error) {
 	var auth *xproxy.Auth
 	if u.User != nil {
 		user := u.User.Username()

lib/duration/duration.go

@@ -0,0 +1 @@
+package duration

lib/fetch/fetch.go

@@ -1,4 +1,4 @@
-package lib
+package fetch
 
 import (
 	"context"
@@ -12,6 +12,8 @@ import (
 	"git.wntrmute.dev/kyle/goutils/certlib"
 	"git.wntrmute.dev/kyle/goutils/certlib/hosts"
 	"git.wntrmute.dev/kyle/goutils/fileutil"
+	"git.wntrmute.dev/kyle/goutils/lib"
+	"git.wntrmute.dev/kyle/goutils/lib/dialer"
 )
 
 // Note: Previously this package exposed a FetcherOpts type. It has been
@@ -20,59 +22,63 @@ import (
 // Fetcher is an interface for fetching certificates from a remote source. It
 // currently supports fetching from a server or a file.
 type Fetcher interface {
+	// Get retrieves the leaf certificate from the source.
 	Get() (*x509.Certificate, error)
+
+	// GetChain retrieves the entire chain from the Fetcher.
 	GetChain() ([]*x509.Certificate, error)
+
+	// String returns a string representation of the Fetcher.
 	String() string
 }
 
+func NewFetcher(spec string, tcfg *tls.Config) (Fetcher, error) {
+	if fileutil.FileDoesExist(spec) || spec == "-" {
+		return NewFileFetcher(spec), nil
+	}
+
+	fetcher, err := ParseServer(spec, tcfg)
+	if err != nil {
+		return nil, err
+	}
+
+	fetcher.config = tcfg
+
+	return fetcher, nil
+}
+
+// ServerFetcher retrieves certificates from a TLS connection.
 type ServerFetcher struct {
-	host     string
-	port     int
-	insecure bool
-	roots    *x509.CertPool
-}
-
-// WithRoots sets the roots for the ServerFetcher.
-func WithRoots(roots *x509.CertPool) func(*ServerFetcher) {
-	return func(sf *ServerFetcher) {
-		sf.roots = roots
-	}
-}
-
-// WithSkipVerify sets the insecure flag for the ServerFetcher.
-func WithSkipVerify() func(*ServerFetcher) {
-	return func(sf *ServerFetcher) {
-		sf.insecure = true
-	}
+	host   string
+	port   int
+	config *tls.Config
 }
 
 // ParseServer parses a server string into a ServerFetcher. It can be a URL or a
 // a host:port pair.
-func ParseServer(host string) (*ServerFetcher, error) {
+func ParseServer(host string, cfg *tls.Config) (*ServerFetcher, error) {
 	target, err := hosts.ParseHost(host)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse server: %w", err)
 	}
 
 	return &ServerFetcher{
-		host: target.Host,
-		port: target.Port,
+		host:   target.Host,
+		port:   target.Port,
+		config: cfg,
 	}, nil
 }
 
 func (sf *ServerFetcher) String() string {
-	return fmt.Sprintf("tls://%s", net.JoinHostPort(sf.host, Itoa(sf.port, -1)))
+	return fmt.Sprintf("tls://%s", net.JoinHostPort(sf.host, lib.Itoa(sf.port, -1)))
 }
 
 func (sf *ServerFetcher) GetChain() ([]*x509.Certificate, error) {
-	opts := DialerOpts{
-		TLSConfig: &tls.Config{
-			InsecureSkipVerify: sf.insecure, // #nosec G402 - no shit sherlock
-			RootCAs:            sf.roots,
-		},
+	opts := dialer.Opts{
+		TLSConfig: sf.config,
 	}
 
-	conn, err := DialTLS(context.Background(), net.JoinHostPort(sf.host, Itoa(sf.port, -1)), opts)
+	conn, err := dialer.DialTLS(context.Background(), net.JoinHostPort(sf.host, lib.Itoa(sf.port, -1)), opts)
 	if err != nil {
 		return nil, fmt.Errorf("failed to dial server: %w", err)
 	}
@@ -91,6 +97,7 @@ func (sf *ServerFetcher) Get() (*x509.Certificate, error) {
 	return certs[0], nil
 }
 
+// FileFetcher retrieves certificates from files on disk.
 type FileFetcher struct {
 	path string
 }
@@ -137,20 +144,11 @@ func (ff *FileFetcher) Get() (*x509.Certificate, error) {
 // configuration will be used to control verification behavior (e.g.,
 // InsecureSkipVerify, RootCAs).
 func GetCertificateChain(spec string, cfg *tls.Config) ([]*x509.Certificate, error) {
-	if fileutil.FileDoesExist(spec) {
-		return NewFileFetcher(spec).GetChain()
-	}
-
-	fetcher, err := ParseServer(spec)
+	fetcher, err := NewFetcher(spec, cfg)
 	if err != nil {
 		return nil, err
 	}
 
-	if cfg != nil {
-		fetcher.insecure = cfg.InsecureSkipVerify
-		fetcher.roots = cfg.RootCAs
-	}
-
 	return fetcher.GetChain()
 }
 

lib/lib.go

@@ -3,9 +3,12 @@ package lib
 import (
 	"encoding/base64"
 	"encoding/hex"
+	"errors"
 	"fmt"
+	"io"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"time"
 )
@@ -112,6 +115,88 @@ func Duration(d time.Duration) string {
 	return s
 }
 
+// IsDigit checks if a byte is a decimal digit.
+func IsDigit(b byte) bool {
+	return b >= '0' && b <= '9'
+}
+
+const signedaMask64 = 1<<63 - 1
+
+// ParseDuration parses a duration string into a time.Duration.
+// It supports standard units (ns, us/µs, ms, s, m, h) plus extended units:
+// d (days, 24h), w (weeks, 7d), y (years, 365d).
+// Units can be combined without spaces, e.g., "1y2w3d4h5m6s".
+// Case-insensitive. Years and days are approximations (no leap seconds/months).
+// Returns an error for invalid input.
+func ParseDuration(s string) (time.Duration, error) {
+	s = strings.ToLower(s) // Normalize to lowercase for case-insensitivity.
+	if s == "" {
+		return 0, errors.New("empty duration string")
+	}
+
+	var total time.Duration
+	i := 0
+	for i < len(s) {
+		// Parse the number part.
+		start := i
+		for i < len(s) && IsDigit(s[i]) {
+			i++
+		}
+		if start == i {
+			return 0, fmt.Errorf("expected number at position %d", start)
+		}
+		numStr := s[start:i]
+		num, err := strconv.ParseUint(numStr, 10, 64)
+		if err != nil {
+			return 0, fmt.Errorf("invalid number %q: %w", numStr, err)
+		}
+
+		// Parse the unit part.
+		if i >= len(s) {
+			return 0, fmt.Errorf("expected unit after number %q", numStr)
+		}
+		unitStart := i
+		i++ // Consume the first char of the unit.
+		unit := s[unitStart:i]
+
+		// Handle potential two-char units like "ms".
+		if unit == "m" && i < len(s) && s[i] == 's' {
+			i++ // Consume the 's'.
+			unit = "ms"
+		}
+
+		// Convert to duration based on unit.
+		var d time.Duration
+		switch unit {
+		case "ns":
+			d = time.Nanosecond * time.Duration(num&signedaMask64) // #nosec G115 - masked off
+		case "us", "µs":
+			d = time.Microsecond * time.Duration(num&signedaMask64) // #nosec G115 - masked off
+		case "ms":
+			d = time.Millisecond * time.Duration(num&signedaMask64) // #nosec G115 - masked off
+		case "s":
+			d = time.Second * time.Duration(num&signedaMask64) // #nosec G115 - masked off
+		case "m":
+			d = time.Minute * time.Duration(num&signedaMask64) // #nosec G115 - masked off
+		case "h":
+			d = time.Hour * time.Duration(num&signedaMask64) // #nosec G115 - masked off
+		case "d":
+			d = 24 * time.Hour * time.Duration(num&signedaMask64) // #nosec G115 - masked off
+		case "w":
+			d = 7 * 24 * time.Hour * time.Duration(num&signedaMask64) // #nosec G115 - masked off
+		case "y":
+			// Approximate, non-leap year.
+			d = 365 * 24 * time.Hour * time.Duration(num&signedaMask64) // #nosec G115 - masked off;
+		default:
+			return 0, fmt.Errorf("unknown unit %q at position %d", s[unitStart:i], unitStart)
+		}
+
+		total += d
+	}
+
+	return total, nil
+}
+
 type HexEncodeMode uint8
 
 const (
@@ -245,3 +330,20 @@ func HexEncode(b []byte, mode HexEncodeMode) string {
 		panic("invalid hex encode mode")
 	}
 }
+
+// DummyWriteCloser wraps an io.Writer in a struct with a no-op Close.
+type DummyWriteCloser struct {
+	w io.Writer
+}
+
+func WithCloser(w io.Writer) io.WriteCloser {
+	return &DummyWriteCloser{w: w}
+}
+
+func (dwc *DummyWriteCloser) Write(p []byte) (int, error) {
+	return dwc.w.Write(p)
+}
+
+func (dwc *DummyWriteCloser) Close() error {
+	return nil
+}

lib/lib_test.go

@@ -2,10 +2,46 @@ package lib_test
 
 import (
 	"testing"
+	"time"
 
 	"git.wntrmute.dev/kyle/goutils/lib"
 )
 
+func TestParseDuration(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected time.Duration
+		wantErr  bool
+	}{
+		// Valid durations
+		{"hour", "1h", time.Hour, false},
+		{"day", "2d", 2 * 24 * time.Hour, false},
+		{"minute", "3m", 3 * time.Minute, false},
+		{"second", "4s", 4 * time.Second, false},
+
+		// Edge cases
+		{"zero seconds", "0s", 0, false},
+		{"empty string", "", 0, true},
+		{"no numeric before unit", "h", 0, true},
+		{"invalid unit", "1x", 0, true},
+		{"non-numeric input", "abc", 0, true},
+		{"missing unit", "10", 0, true},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			got, err := lib.ParseDuration(tc.input)
+			if (err != nil) != tc.wantErr {
+				t.Fatalf("unexpected error: %v, wantErr: %v", err, tc.wantErr)
+			}
+			if got != tc.expected {
+				t.Fatalf("expected %v, got %v", tc.expected, got)
+			}
+		})
+	}
+}
+
 func TestHexEncode_LowerUpper(t *testing.T) {
 	b := []byte{0x0f, 0xa1, 0x00, 0xff}
 

msg/msg.go

@@ -0,0 +1,139 @@
+// Package msg is a tool for handling commandline output based on
+// flags for quiet, verbose, and debug modes. The default is to
+// have all modes disabled.
+//
+// The Qprint messages will only output messages if quiet mode is
+// disabled
+// The Vprint messages will only output messages if verbose mode
+// is enabled.
+// The Dprint messages will only output messages if debug mode
+// is enabled.
+package msg
+
+import (
+	"fmt"
+	"io"
+	"os"
+
+	"git.wntrmute.dev/kyle/goutils/lib"
+
+	"git.wntrmute.dev/kyle/goutils/dbg"
+)
+
+var (
+	enableQuiet   bool
+	enableVerbose bool
+
+	debug           = dbg.New()
+	w     io.Writer = os.Stdout
+)
+
+func Reset() {
+	enableQuiet = false
+	enableVerbose = false
+
+	debug = dbg.New()
+	w = os.Stdout
+}
+
+func SetQuiet(q bool) {
+	enableQuiet = q
+}
+
+func SetVerbose(v bool) {
+	enableVerbose = v
+}
+
+func SetDebug(d bool) {
+	debug.Enabled = d
+}
+
+func Set(q, v, d bool) {
+	SetQuiet(q)
+	SetVerbose(v)
+	SetDebug(d)
+}
+
+func Qprint(a ...any) {
+	if enableQuiet {
+		return
+	}
+
+	fmt.Fprint(w, a...)
+}
+
+func Qprintf(format string, a ...any) {
+	if enableQuiet {
+		return
+	}
+
+	fmt.Fprintf(w, format, a...)
+}
+
+func Qprintln(a ...any) {
+	if enableQuiet {
+		return
+	}
+
+	fmt.Fprintln(w, a...)
+}
+
+func Dprint(a ...any) {
+	debug.Print(a...)
+}
+
+func Dprintf(format string, a ...any) {
+	debug.Printf(format, a...)
+}
+
+func Dprintln(a ...any) {
+	debug.Println(a...)
+}
+
+func StackTrace() {
+	debug.StackTrace()
+}
+
+func Vprint(a ...any) {
+	if !enableVerbose {
+		return
+	}
+
+	fmt.Fprint(w, a...)
+}
+
+func Vprintf(format string, a ...any) {
+	if !enableVerbose {
+		return
+	}
+
+	fmt.Fprintf(w, format, a...)
+}
+
+func Vprintln(a ...any) {
+	if !enableVerbose {
+		return
+	}
+
+	fmt.Fprintln(w, a...)
+}
+
+func Print(a ...any) {
+	fmt.Fprint(w, a...)
+}
+
+func Printf(format string, a ...any) {
+	fmt.Fprintf(w, format, a...)
+}
+
+func Println(a ...any) {
+	fmt.Fprintln(w, a...)
+}
+
+// SetWriter changes the output for messages.
+func SetWriter(dst io.Writer) {
+	w = dst
+	dbgEnabled := debug.Enabled
+	debug = dbg.To(lib.WithCloser(w))
+	debug.Enabled = dbgEnabled
+}

msg/msg_test.go

@@ -0,0 +1,147 @@
+package msg_test
+
+import (
+	"bytes"
+	"testing"
+
+	"git.wntrmute.dev/kyle/goutils/msg"
+)
+
+func checkExpected(buf *bytes.Buffer, expected string) bool {
+	return buf.String() == expected
+}
+
+func resetBuf() *bytes.Buffer {
+	buf := &bytes.Buffer{}
+	msg.SetWriter(buf)
+
+	return buf
+}
+
+func TestVerbosePrint(t *testing.T) {
+	buf := resetBuf()
+
+	msg.SetVerbose(false) // ensure verbose is explicitly not set
+
+	msg.Vprint("hello, world")
+	if buf.Len() != 0 {
+		t.Fatalf("expected no output, have %s", buf.String())
+	}
+
+	msg.Vprintf("hello, %s", "world")
+	if buf.Len() != 0 {
+		t.Fatalf("expected no output, have %s", buf.String())
+	}
+
+	msg.Vprintln("hello, world")
+	if buf.Len() != 0 {
+		t.Fatalf("expected no output, have %s", buf.String())
+	}
+
+	msg.SetVerbose(true)
+	msg.Vprint("hello, world")
+	if !checkExpected(buf, "hello, world") {
+		t.Fatalf("expected output %q, have %q", "hello, world", buf.String())
+	}
+	buf.Reset()
+
+	msg.Vprintf("hello, %s", "world")
+	if !checkExpected(buf, "hello, world") {
+		t.Fatalf("expected output %q, have %q", "hello, world", buf.String())
+	}
+	buf.Reset()
+
+	msg.Vprintln("hello, world")
+	if !checkExpected(buf, "hello, world\n") {
+		t.Fatalf("expected output %q, have %q", "hello, world\n", buf.String())
+	}
+}
+
+func TestQuietPrint(t *testing.T) {
+	buf := resetBuf()
+
+	msg.SetQuiet(true)
+
+	msg.Qprint("hello, world")
+	if buf.Len() != 0 {
+		t.Fatalf("expected no output, have %s", buf.String())
+	}
+
+	msg.Qprintf("hello, %s", "world")
+	if buf.Len() != 0 {
+		t.Fatalf("expected no output, have %s", buf.String())
+	}
+
+	msg.Qprintln("hello, world")
+	if buf.Len() != 0 {
+		t.Fatalf("expected no output, have %s", buf.String())
+	}
+
+	msg.SetQuiet(false)
+	msg.Qprint("hello, world")
+	if !checkExpected(buf, "hello, world") {
+		t.Fatalf("expected output %q, have %q", "hello, world", buf.String())
+	}
+	buf.Reset()
+
+	msg.Qprintf("hello, %s", "world")
+	if !checkExpected(buf, "hello, world") {
+		t.Fatalf("expected output %q, have %q", "hello, world", buf.String())
+	}
+	buf.Reset()
+
+	msg.Qprintln("hello, world")
+	if !checkExpected(buf, "hello, world\n") {
+		t.Fatalf("expected output %q, have %q", "hello, world\n", buf.String())
+	}
+}
+
+func TestDebugPrint(t *testing.T) {
+	buf := resetBuf()
+
+	msg.SetDebug(false) // ensure debug is explicitly not set
+
+	msg.Dprint("hello, world")
+	if buf.Len() != 0 {
+		t.Fatalf("expected no output, have %s", buf.String())
+	}
+
+	msg.Dprintf("hello, %s", "world")
+	if buf.Len() != 0 {
+		t.Fatalf("expected no output, have %s", buf.String())
+	}
+
+	msg.Dprintln("hello, world")
+	if buf.Len() != 0 {
+		t.Fatalf("expected no output, have %s", buf.String())
+	}
+
+	msg.StackTrace()
+	if buf.Len() != 0 {
+		t.Fatalf("expected no output, have %s", buf.String())
+	}
+
+	msg.SetDebug(true)
+	msg.Dprint("hello, world")
+	if !checkExpected(buf, "hello, world") {
+		t.Fatalf("expected output %q, have %q", "hello, world", buf.String())
+	}
+	buf.Reset()
+
+	msg.Dprintf("hello, %s", "world")
+	if !checkExpected(buf, "hello, world") {
+		t.Fatalf("expected output %q, have %q", "hello, world", buf.String())
+	}
+	buf.Reset()
+
+	msg.Dprintln("hello, world")
+	if !checkExpected(buf, "hello, world\n") {
+		t.Fatalf("expected output %q, have %q", "hello, world\n", buf.String())
+	}
+	buf.Reset()
+
+	msg.StackTrace()
+	if buf.Len() == 0 {
+		t.Fatal("expected stack trace output, received no output")
+	}
+}