Update CHANGELOG for v1.17.1.

CHANGELOG

@@ -1,5 +1,33 @@
 CHANGELOG
 
+v1.17.1 - 2025-11-21
+
+Changed:
+- certlib: various code cleanups.
+
+v1.17.0 - 2025-11-21
+
+Added:
+- cmd/bcuz: unzips bandcamp archives.
+
+Changed:
+- certlib: ergonomic improvements.
+
+v1.16.3 - 2025-11-21
+
+Changed:
+- msg: fixups and testing.
+
+v1.16.2 - 2025-11-21
+
+Changed:
+- msg: fill debug null pointer deref.
+
+v1.16.1 - 2025-11-21
+
+Changed:
+- msg: rename functions for ergonomics.
+
 v1.16.0 - 2025-11-20
 
 Added:

certlib/bundler/bundler.go

@@ -448,13 +448,13 @@ func encodeCertsToFiles(
 				derContent = append(derContent, cert.Raw...)
 			}
 			files = append(files, fileEntry{
-				name:    baseName + ".crt",
+				name:    baseName + ".cer",
 				content: derContent,
 			})
 		} else if len(certs) > 0 {
 			// Individual DER file (should only have one cert)
 			files = append(files, fileEntry{
-				name:    baseName + ".crt",
+				name:    baseName + ".cer",
 				content: certs[0].Raw,
 			})
 		}
@@ -472,17 +472,17 @@ func encodeCertsToFiles(
 				derContent = append(derContent, cert.Raw...)
 			}
 			files = append(files, fileEntry{
-				name:    baseName + ".crt",
+				name:    baseName + ".cer",
 				content: derContent,
 			})
 		} else if len(certs) > 0 {
 			files = append(files, fileEntry{
-				name:    baseName + ".crt",
+				name:    baseName + ".cer",
 				content: certs[0].Raw,
 			})
 		}
 	default:
-		return nil, fmt.Errorf("unsupported encoding: %s (must be 'pem', 'der', or 'both')", encoding)
+		return nil, fmt.Errorf("unsupported encoding: %s (must be 'pem', 'der', 'both', 'crt', 'pemcrt')", encoding)
 	}
 
 	return files, nil

certlib/certgen/config.go

@@ -19,13 +19,21 @@ type KeySpec struct {
 	Size      int    `yaml:"size"`
 }
 
+func (ks KeySpec) String() string {
+	if strings.ToLower(ks.Algorithm) == nameEd25519 {
+		return nameEd25519
+	}
+
+	return fmt.Sprintf("%s-%d", ks.Algorithm, ks.Size)
+}
+
 func (ks KeySpec) Generate() (crypto.PublicKey, crypto.PrivateKey, error) {
 	switch strings.ToLower(ks.Algorithm) {
 	case "rsa":
 		return GenerateKey(x509.RSA, ks.Size)
 	case "ecdsa":
 		return GenerateKey(x509.ECDSA, ks.Size)
-	case "ed25519":
+	case nameEd25519:
 		return GenerateKey(x509.Ed25519, 0)
 	default:
 		return nil, nil, fmt.Errorf("unknown key algorithm: %s", ks.Algorithm)
@@ -38,7 +46,7 @@ func (ks KeySpec) SigningAlgorithm() (x509.SignatureAlgorithm, error) {
 		return x509.SHA512WithRSAPSS, nil
 	case "ecdsa":
 		return x509.ECDSAWithSHA512, nil
-	case "ed25519":
+	case nameEd25519:
 		return x509.PureEd25519, nil
 	default:
 		return 0, fmt.Errorf("unknown key algorithm: %s", ks.Algorithm)
@@ -52,7 +60,7 @@ type Subject struct {
 	Province           string   `yaml:"province"`
 	Organization       string   `yaml:"organization"`
 	OrganizationalUnit string   `yaml:"organizational_unit"`
-	Email              string   `yaml:"email"`
+	Email              []string `yaml:"email"`
 	DNSNames           []string `yaml:"dns"`
 	IPAddresses        []string `yaml:"ips"`
 }
@@ -84,6 +92,7 @@ func (cs CertificateRequest) Request(priv crypto.PrivateKey) (*x509.CertificateR
 		PublicKeyAlgorithm: 0,
 		PublicKey:          getPublic(priv),
 		Subject:            subject,
+		EmailAddresses:     cs.Subject.Email,
 		DNSNames:           cs.Subject.DNSNames,
 		IPAddresses:        ipAddresses,
 	}
@@ -118,7 +127,7 @@ func (cs CertificateRequest) Generate() (crypto.PrivateKey, *x509.CertificateReq
 type Profile struct {
 	IsCA         bool     `yaml:"is_ca"`
 	PathLen      int      `yaml:"path_len"`
-	KeyUse       string   `yaml:"key_uses"`
+	KeyUse       []string `yaml:"key_uses"`
 	ExtKeyUsages []string `yaml:"ext_key_usages"`
 	Expiry       string   `yaml:"expiry"`
 }
@@ -149,15 +158,17 @@ func (p Profile) templateFromRequest(req *x509.CertificateRequest) (*x509.Certif
 		IPAddresses:           req.IPAddresses,
 	}
 
-	var ok bool
-	certTemplate.KeyUsage, ok = keyUsageStrings[p.KeyUse]
+	for _, sku := range p.KeyUse {
+		ku, ok := keyUsageStrings[sku]
 		if !ok {
 			return nil, fmt.Errorf("invalid key usage: %s", p.KeyUse)
 		}
 
-	var eku x509.ExtKeyUsage
+		certTemplate.KeyUsage |= ku
+	}
+
 	for _, extKeyUsage := range p.ExtKeyUsages {
-		eku, ok = extKeyUsageStrings[extKeyUsage]
+		eku, ok := extKeyUsageStrings[extKeyUsage]
 		if !ok {
 			return nil, fmt.Errorf("invalid extended key usage: %s", extKeyUsage)
 		}

certlib/certgen/keygen.go

@@ -16,6 +16,10 @@ import (
 //	oidEd25519 = asn1.ObjectIdentifier{1, 3, 101, 110}
 //)
 
+const (
+	nameEd25519 = "ed25519"
+)
+
 func GenerateKey(algorithm x509.PublicKeyAlgorithm, bitSize int) (crypto.PublicKey, crypto.PrivateKey, error) {
 	var key crypto.PrivateKey
 	var pub crypto.PublicKey

certlib/ski/ski.go

@@ -6,6 +6,7 @@ import (
 	"crypto/ed25519"
 	"crypto/rsa"
 	"crypto/sha1" // #nosec G505 this is the standard
+	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
@@ -15,7 +16,9 @@ import (
 
 	"git.wntrmute.dev/kyle/goutils/certlib"
 	"git.wntrmute.dev/kyle/goutils/die"
+	"git.wntrmute.dev/kyle/goutils/fileutil"
 	"git.wntrmute.dev/kyle/goutils/lib"
+	"git.wntrmute.dev/kyle/goutils/lib/fetch"
 )
 
 const (
@@ -53,6 +56,30 @@ func (k *KeyInfo) SKI(displayMode lib.HexEncodeMode) (string, error) {
 	return pubHashString, nil
 }
 
+func Lookup(path string, tcfg *tls.Config) (*KeyInfo, error) {
+	if fileutil.FileDoesExist(path) {
+		return ParsePEM(path)
+	}
+
+	server, err := fetch.ParseServer(path, tcfg)
+	if err != nil {
+		return nil, err
+	}
+
+	cert, err := server.Get()
+	if err != nil {
+		return nil, err
+	}
+
+	material := &KeyInfo{
+		FileType: "certificate",
+	}
+
+	material.PublicKey, material.KeyType = parseCertificate(cert)
+
+	return material, nil
+}
+
 // ParsePEM parses a PEM file and returns the public key and its type.
 func ParsePEM(path string) (*KeyInfo, error) {
 	material := &KeyInfo{}
@@ -79,7 +106,7 @@ func ParsePEM(path string) (*KeyInfo, error) {
 		material.PublicKey, material.KeyType = parseKey(data)
 		material.FileType = "private key"
 	case "CERTIFICATE":
-		material.PublicKey, material.KeyType = parseCertificate(data)
+		material.PublicKey, material.KeyType = parseCertificateFile(data)
 		material.FileType = "certificate"
 	case "CERTIFICATE REQUEST":
 		material.PublicKey, material.KeyType = parseCSR(data)
@@ -113,12 +140,17 @@ func parseKey(data []byte) ([]byte, string) {
 	return public, kt
 }
 
-func parseCertificate(data []byte) ([]byte, string) {
+func parseCertificateFile(data []byte) ([]byte, string) {
 	cert, err := x509.ParseCertificate(data)
 	die.If(err)
 
+	return parseCertificate(cert)
+}
+
+func parseCertificate(cert *x509.Certificate) ([]byte, string) {
 	pub := cert.PublicKey
 	var kt string
+
 	switch pub.(type) {
 	case *rsa.PublicKey:
 		kt = keyTypeRSA

cmd/bcuz/README

@@ -0,0 +1,8 @@
+bcuz: bandcamp unzip
+
+When you download stuff from bandcamp, it gives you a zip file that
+extracts files into the current directory. This is a quick hack tries
+to parse the filename as "artist - album", unpack the contents to
+"artist/album/*", and remove the zip file (which can be kept with
+-k). Works on my machine™, good enough for me.
+

cmd/bcuz/main.go

@@ -0,0 +1,110 @@
+package main
+
+import (
+	"archive/zip"
+	"errors"
+	"flag"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+var unrestrictedDecompression bool
+
+var keepArchive bool
+
+func removedir(dir string, existed bool) {
+	if !existed {
+		os.RemoveAll(dir)
+	}
+}
+
+func unpackFile(path string) error {
+	var dir string
+	var existed bool
+
+	fmt.Printf("[+] processing %s:\n", path)
+
+	base := filepath.Base(path[:len(path)-4])
+	pieces := strings.SplitN(base, "-", 2)
+	if len(pieces) == 2 {
+		artist := strings.TrimSpace(pieces[0])
+		album := strings.TrimSpace(pieces[1])
+		dir = filepath.Join(artist, album)
+	} else {
+		dir = base
+	}
+
+	_, err := os.Stat(dir)
+	if err == nil {
+		existed = true
+	}
+
+	fmt.Printf("\tunpack directory: %s\n", dir)
+	err = os.MkdirAll(dir, 0755)
+	if err != nil {
+		return err
+	}
+
+	r, err := zip.OpenReader(path)
+	if err != nil {
+		removedir(dir, existed)
+		return err
+	}
+	defer r.Close()
+
+	var rc io.ReadCloser
+	for _, f := range r.File {
+		fmt.Printf("\tunpacking %s\n", f.FileHeader.Name)
+		rc, err = f.Open()
+		if err != nil {
+			rc.Close()
+			removedir(dir, existed)
+			return err
+		}
+
+		if f.UncompressedSize64 > (f.CompressedSize64*32) && !unrestrictedDecompression {
+			rc.Close()
+			removedir(dir, existed)
+			return errors.New("file is too large to decompress (maybe a zip bomb)")
+		}
+
+		var out *os.File
+		out, err = os.Create(filepath.Join(dir, f.FileHeader.Name))
+		if err != nil {
+			rc.Close()
+			removedir(dir, existed)
+			return err
+		}
+
+		_, err = io.Copy(out, rc) // #nosec G110: handled with size check above
+		if err != nil {
+			rc.Close()
+			removedir(dir, existed)
+			return err
+		}
+
+		out.Close()
+		rc.Close()
+	}
+
+	if !keepArchive {
+		return os.Remove(path)
+	}
+	return nil
+}
+
+func main() {
+	flag.BoolVar(&keepArchive, "k", false, "don't remove the archive file after unpacking")
+	flag.BoolVar(&unrestrictedDecompression, "u", false, "allow unrestricted decompression")
+	flag.Parse()
+
+	for _, path := range flag.Args() {
+		err := unpackFile(path)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "[!] failed to process %s: %s\n", path, err)
+		}
+	}
+}

cmd/kgz/main.go

@@ -111,7 +111,7 @@ func buildExtraForPath(st unix.Stat_t, path string, setUID, setGID int) []byte {
 		ctns = clampToInt32(ft.Changed.Nanosecond())
 	}
 
-	return buildKGExtra(uid, gid, mode, cts, ctns)
+	return buildKGExtra(uid, gid, uint32(mode), cts, ctns)
 }
 
 // parseKGExtra scans a gzip Extra blob and returns kgz metadata if present.

go.sum

@@ -29,19 +29,15 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
 golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
-golang.org/x/crypto v0.44.0 h1:A97SsFvM3AIwEEmTBiaxPPTYpDC47w720rdiiUvgoAU=
-golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
 golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
-golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
 golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
-golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
-golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=

msg/msg.go

@@ -2,17 +2,18 @@
 // flags for quiet, verbose, and debug modes. The default is to
 // have all modes disabled.
 //
-// The QPrint messages will only output messages if quiet mode is
+// The Qprint messages will only output messages if quiet mode is
 // disabled
-// The VPrint messages will only output messages if verbose mode
+// The Vprint messages will only output messages if verbose mode
 // is enabled.
-// The DPrint messages will only output messages if debug mode
+// The Dprint messages will only output messages if debug mode
 // is enabled.
 package msg
 
 import (
 	"fmt"
 	"io"
+	"os"
 
 	"git.wntrmute.dev/kyle/goutils/lib"
 
@@ -22,10 +23,19 @@ import (
 var (
 	enableQuiet   bool
 	enableVerbose bool
-	debug         *dbg.DebugPrinter
-	w             io.Writer
+
+	debug           = dbg.New()
+	w     io.Writer = os.Stdout
 )
 
+func Reset() {
+	enableQuiet = false
+	enableVerbose = false
+
+	debug = dbg.New()
+	w = os.Stdout
+}
+
 func SetQuiet(q bool) {
 	enableQuiet = q
 }
@@ -44,7 +54,7 @@ func Set(q, v, d bool) {
 	SetDebug(d)
 }
 
-func QPrint(a ...any) {
+func Qprint(a ...any) {
 	if enableQuiet {
 		return
 	}
@@ -52,7 +62,7 @@ func QPrint(a ...any) {
 	fmt.Fprint(w, a...)
 }
 
-func QPrintf(format string, a ...any) {
+func Qprintf(format string, a ...any) {
 	if enableQuiet {
 		return
 	}
@@ -60,7 +70,7 @@ func QPrintf(format string, a ...any) {
 	fmt.Fprintf(w, format, a...)
 }
 
-func QPrintln(a ...any) {
+func Qprintln(a ...any) {
 	if enableQuiet {
 		return
 	}
@@ -68,15 +78,15 @@ func QPrintln(a ...any) {
 	fmt.Fprintln(w, a...)
 }
 
-func DPrint(a ...any) {
+func Dprint(a ...any) {
 	debug.Print(a...)
 }
 
-func DPrintf(format string, a ...any) {
+func Dprintf(format string, a ...any) {
 	debug.Printf(format, a...)
 }
 
-func DPrintln(a ...any) {
+func Dprintln(a ...any) {
 	debug.Println(a...)
 }
 
@@ -84,7 +94,7 @@ func StackTrace() {
 	debug.StackTrace()
 }
 
-func VPrint(a ...any) {
+func Vprint(a ...any) {
 	if !enableVerbose {
 		return
 	}
@@ -92,7 +102,7 @@ func VPrint(a ...any) {
 	fmt.Fprint(w, a...)
 }
 
-func VPrintf(format string, a ...any) {
+func Vprintf(format string, a ...any) {
 	if !enableVerbose {
 		return
 	}
@@ -100,7 +110,7 @@ func VPrintf(format string, a ...any) {
 	fmt.Fprintf(w, format, a...)
 }
 
-func VPrintln(a ...any) {
+func Vprintln(a ...any) {
 	if !enableVerbose {
 		return
 	}
@@ -123,5 +133,7 @@ func Println(a ...any) {
 // SetWriter changes the output for messages.
 func SetWriter(dst io.Writer) {
 	w = dst
+	dbgEnabled := debug.Enabled
 	debug = dbg.To(lib.WithCloser(w))
+	debug.Enabled = dbgEnabled
 }

msg/msg_test.go

@@ -0,0 +1,147 @@
+package msg_test
+
+import (
+	"bytes"
+	"testing"
+
+	"git.wntrmute.dev/kyle/goutils/msg"
+)
+
+func checkExpected(buf *bytes.Buffer, expected string) bool {
+	return buf.String() == expected
+}
+
+func resetBuf() *bytes.Buffer {
+	buf := &bytes.Buffer{}
+	msg.SetWriter(buf)
+
+	return buf
+}
+
+func TestVerbosePrint(t *testing.T) {
+	buf := resetBuf()
+
+	msg.SetVerbose(false) // ensure verbose is explicitly not set
+
+	msg.Vprint("hello, world")
+	if buf.Len() != 0 {
+		t.Fatalf("expected no output, have %s", buf.String())
+	}
+
+	msg.Vprintf("hello, %s", "world")
+	if buf.Len() != 0 {
+		t.Fatalf("expected no output, have %s", buf.String())
+	}
+
+	msg.Vprintln("hello, world")
+	if buf.Len() != 0 {
+		t.Fatalf("expected no output, have %s", buf.String())
+	}
+
+	msg.SetVerbose(true)
+	msg.Vprint("hello, world")
+	if !checkExpected(buf, "hello, world") {
+		t.Fatalf("expected output %q, have %q", "hello, world", buf.String())
+	}
+	buf.Reset()
+
+	msg.Vprintf("hello, %s", "world")
+	if !checkExpected(buf, "hello, world") {
+		t.Fatalf("expected output %q, have %q", "hello, world", buf.String())
+	}
+	buf.Reset()
+
+	msg.Vprintln("hello, world")
+	if !checkExpected(buf, "hello, world\n") {
+		t.Fatalf("expected output %q, have %q", "hello, world\n", buf.String())
+	}
+}
+
+func TestQuietPrint(t *testing.T) {
+	buf := resetBuf()
+
+	msg.SetQuiet(true)
+
+	msg.Qprint("hello, world")
+	if buf.Len() != 0 {
+		t.Fatalf("expected no output, have %s", buf.String())
+	}
+
+	msg.Qprintf("hello, %s", "world")
+	if buf.Len() != 0 {
+		t.Fatalf("expected no output, have %s", buf.String())
+	}
+
+	msg.Qprintln("hello, world")
+	if buf.Len() != 0 {
+		t.Fatalf("expected no output, have %s", buf.String())
+	}
+
+	msg.SetQuiet(false)
+	msg.Qprint("hello, world")
+	if !checkExpected(buf, "hello, world") {
+		t.Fatalf("expected output %q, have %q", "hello, world", buf.String())
+	}
+	buf.Reset()
+
+	msg.Qprintf("hello, %s", "world")
+	if !checkExpected(buf, "hello, world") {
+		t.Fatalf("expected output %q, have %q", "hello, world", buf.String())
+	}
+	buf.Reset()
+
+	msg.Qprintln("hello, world")
+	if !checkExpected(buf, "hello, world\n") {
+		t.Fatalf("expected output %q, have %q", "hello, world\n", buf.String())
+	}
+}
+
+func TestDebugPrint(t *testing.T) {
+	buf := resetBuf()
+
+	msg.SetDebug(false) // ensure debug is explicitly not set
+
+	msg.Dprint("hello, world")
+	if buf.Len() != 0 {
+		t.Fatalf("expected no output, have %s", buf.String())
+	}
+
+	msg.Dprintf("hello, %s", "world")
+	if buf.Len() != 0 {
+		t.Fatalf("expected no output, have %s", buf.String())
+	}
+
+	msg.Dprintln("hello, world")
+	if buf.Len() != 0 {
+		t.Fatalf("expected no output, have %s", buf.String())
+	}
+
+	msg.StackTrace()
+	if buf.Len() != 0 {
+		t.Fatalf("expected no output, have %s", buf.String())
+	}
+
+	msg.SetDebug(true)
+	msg.Dprint("hello, world")
+	if !checkExpected(buf, "hello, world") {
+		t.Fatalf("expected output %q, have %q", "hello, world", buf.String())
+	}
+	buf.Reset()
+
+	msg.Dprintf("hello, %s", "world")
+	if !checkExpected(buf, "hello, world") {
+		t.Fatalf("expected output %q, have %q", "hello, world", buf.String())
+	}
+	buf.Reset()
+
+	msg.Dprintln("hello, world")
+	if !checkExpected(buf, "hello, world\n") {
+		t.Fatalf("expected output %q, have %q", "hello, world\n", buf.String())
+	}
+	buf.Reset()
+
+	msg.StackTrace()
+	if buf.Len() == 0 {
+		t.Fatal("expected stack trace output, received no output")
+	}
+}