Update CHANGELOG for v1.15.3.

CHANGELOG

@@ -1,5 +1,11 @@
 CHANGELOG
 
+v1.15.3 - 2025-11-19
+Minor bug fixes.
+
+v1.15.2 - 2025-11-19
+Minor bug fixes.
+
 v1.15.1 - 2025-11-19
 
 Changed:

certlib/certlib.go

@@ -1,6 +1,8 @@
 package certlib
 
 import (
+	"bytes"
+	"crypto"
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
@@ -13,6 +15,7 @@ import (
 // ReadCertificate reads a DER or PEM-encoded certificate from the
 // byte slice.
 func ReadCertificate(in []byte) (*x509.Certificate, []byte, error) {
+	in = bytes.TrimSpace(in)
 	if len(in) == 0 {
 		return nil, nil, certerr.ParsingError(certerr.ErrorSourceCertificate, certerr.ErrEmptyCertificate)
 	}
@@ -24,10 +27,10 @@ func ReadCertificate(in []byte) (*x509.Certificate, []byte, error) {
 		}
 
 		rest := remaining
-		if p.Type != "CERTIFICATE" {
+		if p.Type != pemTypeCertificate {
 			return nil, rest, certerr.ParsingError(
 				certerr.ErrorSourceCertificate,
-				certerr.ErrInvalidPEMType(p.Type, "CERTIFICATE"),
+				certerr.ErrInvalidPEMType(p.Type, pemTypeCertificate),
 			)
 		}
 
@@ -109,3 +112,22 @@ func PoolFromBytes(certBytes []byte) (*x509.CertPool, error) {
 
 	return pool, nil
 }
+
+func ExportPrivateKeyPEM(priv crypto.PrivateKey) ([]byte, error) {
+	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
+	if err != nil {
+		return nil, err
+	}
+
+	return pem.EncodeToMemory(&pem.Block{Type: pemTypePrivateKey, Bytes: keyDER}), nil
+}
+
+func LoadCSR(path string) (*x509.CertificateRequest, error) {
+	in, err := os.ReadFile(path)
+	if err != nil {
+		return nil, certerr.LoadingError(certerr.ErrorSourceCSR, err)
+	}
+
+	req, _, err := ParseCSR(in)
+	return req, err
+}

certlib/dump/dump.go

@@ -249,11 +249,6 @@ func showBasicConstraints(cert *x509.Certificate) {
 	fmt.Fprintln(os.Stdout)
 }
 
-var (
-	dateFormat string
-	showHash   bool // if true, print a SHA256 hash of the certificate's Raw field
-)
-
 func wrapPrint(text string, indent int) {
 	tabs := ""
 	var tabsSb140 strings.Builder
@@ -265,11 +260,12 @@ func wrapPrint(text string, indent int) {
 	fmt.Fprintf(os.Stdout, tabs+"%s\n", wrap(text, indent))
 }
 
-func DisplayCert(w io.Writer, cert *x509.Certificate) {
+func DisplayCert(w io.Writer, cert *x509.Certificate, showHash bool) {
 	fmt.Fprintln(w, "CERTIFICATE")
 	if showHash {
 		fmt.Fprintln(w, wrap(fmt.Sprintf("SHA256: %x", sha256.Sum256(cert.Raw)), 0))
 	}
+
 	fmt.Fprintln(w, wrap("Subject: "+DisplayName(cert.Subject), 0))
 	fmt.Fprintln(w, wrap("Issuer: "+DisplayName(cert.Issuer), 0))
 	fmt.Fprintf(w, "\tSignature algorithm: %s / %s\n", sigAlgoPK(cert.SignatureAlgorithm),
@@ -285,8 +281,8 @@ func DisplayCert(w io.Writer, cert *x509.Certificate) {
 		fmt.Fprintf(w, "\t%s\n", wrap("SKI: "+dumpHex(cert.SubjectKeyId), 1))
 	}
 
-	wrapPrint("Valid from: "+cert.NotBefore.Format(dateFormat), 1)
+	wrapPrint("Valid from: "+cert.NotBefore.Format(lib.DateShortFormat), 1)
-	fmt.Fprintf(w, "\t     until: %s\n", cert.NotAfter.Format(dateFormat))
+	fmt.Fprintf(w, "\t     until: %s\n", cert.NotAfter.Format(lib.DateShortFormat))
 	fmt.Fprintf(w, "\tKey usages: %s\n", keyUsages(cert.KeyUsage))
 
 	if len(cert.ExtKeyUsage) > 0 {

certlib/helpers.go

@@ -75,6 +75,11 @@ var DelegationExtension = pkix.Extension{
 	Value:    []byte{0x05, 0x00}, // ASN.1 NULL
 }
 
+const (
+	pemTypeCertificate = "CERTIFICATE"
+	pemTypePrivateKey  = "PRIVATE KEY"
+)
+
 // InclusiveDate returns the time.Time representation of a date - 1
 // nanosecond. This allows time.After to be used inclusively.
 func InclusiveDate(year int, month time.Month, day int) time.Time {
@@ -246,7 +251,7 @@ func EncodeCertificatesPEM(certs []*x509.Certificate) []byte {
 	var buffer bytes.Buffer
 	for _, cert := range certs {
 		if err := pem.Encode(&buffer, &pem.Block{
-			Type:  "CERTIFICATE",
+			Type:  pemTypeCertificate,
 			Bytes: cert.Raw,
 		}); err != nil {
 			return nil

cmd/certdump/main.go

@@ -35,12 +35,12 @@ func main() {
 		}
 
 		if config.leafOnly {
-			dump.DisplayCert(os.Stdout, certs[0])
+			dump.DisplayCert(os.Stdout, certs[0], config.showHash)
 			continue
 		}
 
 		for i := range certs {
-			dump.DisplayCert(os.Stdout, certs[i])
+			dump.DisplayCert(os.Stdout, certs[i], config.showHash)
 		}
 	}
 }