Update CHANGELOG for v1.15.7.

The ed25519 block was being used to generate RSA keys.

.circleci/config.yml

@@ -64,4 +64,4 @@ workflows:
   testbuild:
     jobs:
       - testbuild
-#      - lint
+      - lint

.github/workflows/release.yml

@@ -0,0 +1,35 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch: {}
+
+permissions:
+  contents: write
+
+jobs:
+  goreleaser:
+    name: GoReleaser
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -1 +1,5 @@
 .idea
+cmd/cert-bundler/testdata/pkg/*
+# Added by goreleaser init:
+dist/
+cmd/cert-bundler/testdata/bundle/

.golangci.yml

@@ -12,12 +12,31 @@
 
 version: "2"
 
+output:
+  sort-order:
+    - file
+    - linter
+    - severity
+
 issues:
   # Maximum count of issues with the same text.
   # Set to 0 to disable.
   # Default: 3
   max-same-issues: 50
 
+  # Exclude some lints for CLI programs under cmd/ (package main).
+  # The project allows fmt.Print* in command-line tools; keep forbidigo for libraries.
+  exclude-rules:
+    - path: ^cmd/
+      linters:
+        - forbidigo
+    - path: cmd/.*
+      linters:
+        - forbidigo
+    - path: .*/cmd/.*
+      linters:
+        - forbidigo
+
 formatters:
   enable:
     - goimports # checks if the code and import statements are formatted according to the 'goimports' command
@@ -73,7 +92,6 @@ linters:
     - godoclint # checks Golang's documentation practice
     - godot # checks if comments end in a period
     - gomoddirectives # manages the use of 'replace', 'retract', and 'excludes' directives in go.mod
-    - goprintffuncname # checks that printf-like functions are named with f at the end
     - gosec # inspects source code for security problems
     - govet # reports suspicious constructs, such as Printf calls whose arguments do not align with the format string
     - iface # checks the incorrect use of interfaces, helping developers avoid interface pollution
@@ -83,7 +101,7 @@ linters:
     - loggercheck # checks key value pairs for common logger libraries (kitlog,klog,logr,zap)
     - makezero # finds slice declarations with non-zero initial length
     - mirror # reports wrong mirror patterns of bytes/strings usage
-    - mnd # detects magic numbers
+    # - mnd # detects magic numbers
     - modernize # suggests simplifications to Go code, using modern language and library features
     - musttag # enforces field tags in (un)marshaled structs
     - nakedret # finds naked returns in functions greater than a specified function length
@@ -228,6 +246,13 @@ linters:
       # Such cases aren't reported by default.
       # Default: false
       check-type-assertions: true
+      exclude-functions:
+        - (*git.wntrmute.dev/kyle/goutils/dbg.DebugPrinter).Write
+        - git.wntrmute.dev/kyle/goutils/lib.Warn
+        - git.wntrmute.dev/kyle/goutils/lib.Warnx
+        - git.wntrmute.dev/kyle/goutils/lib.Err
+        - git.wntrmute.dev/kyle/goutils/lib.Errx
+        - (*git.wntrmute.dev/kyle/goutils/sbuf.Buffer).Write
 
     exhaustive:
       # Program elements to check for exhaustiveness.
@@ -319,6 +344,12 @@ linters:
         # https://github.com/godoc-lint/godoc-lint?tab=readme-ov-file#no-unused-link
         - no-unused-link
 
+    gosec:
+      excludes:
+        - G104 # handled by errcheck
+        - G301
+        - G306
+
     govet:
       # Enable all analyzers.
       # Default: false
@@ -341,11 +372,6 @@ linters:
       skip-single-param: true
 
     mnd:
-      # List of function patterns to exclude from analysis.
-      # Values always ignored: `time.Date`,
-      # `strconv.FormatInt`, `strconv.FormatUint`, `strconv.FormatFloat`,
-      # `strconv.ParseInt`, `strconv.ParseUint`, `strconv.ParseFloat`.
-      # Default: []
       ignored-functions:
         - args.Error
         - flag.Arg
@@ -359,6 +385,15 @@ linters:
         - os.WriteFile
         - prometheus.ExponentialBuckets.*
         - prometheus.LinearBuckets
+      ignored-numbers:
+        - 1
+        - 2
+        - 3
+        - 4
+        - 8
+        - 24
+        - 30
+        - 365
 
     nakedret:
       # Make an issue if func has more lines of code than this setting, and it has naked returns.
@@ -427,6 +462,10 @@ linters:
         # Omit embedded fields from selector expression.
         # https://staticcheck.dev/docs/checks/#QF1008
         - -QF1008
+        # We often explicitly enable old/deprecated ciphers for research.
+        - -SA1019
+        # Covered by revive.
+        - -ST1003
 
     usetesting:
       # Enable/disable `os.TempDir()` detections.
@@ -445,10 +484,20 @@ linters:
     rules:
       - path: 'ahash/ahash.go'
         linters: [ staticcheck, gosec ]
+      - path: 'twofactor/.*.go'
+        linters: [ exhaustive, mnd, revive ]
       - path: 'backoff/backoff_test.go'
         linters: [ testpackage ]
       - path: 'dbg/dbg_test.go'
         linters: [ testpackage ]
+      - path: 'log/logger.go'
+        linters: [ forbidigo ]
+      - path: 'logging/example_test.go'
+        linters: [ testableexamples ]
+      - path: 'main.go'
+        linters: [ forbidigo, mnd, reassign ]
+      - path: 'cmd/cruntar/main.go'
+        linters: [ unparam ]
       - source: 'TODO'
         linters: [ godot ]
       - text: 'should have a package comment'
@@ -470,4 +519,5 @@ linters:
           - goconst
           - gosec
           - noctx
+          - reassign
           - wrapcheck

.goreleaser.yaml

@@ -0,0 +1,445 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+
+# The lines below are called `modelines`. See `:help modeline`
+# Feel free to remove those if you don't want/need to use them.
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
+
+version: 2
+
+before:
+  hooks:
+    # You may remove this if you don't use go modules.
+    - go mod tidy
+    # you may remove this if you don't need go generate
+    - go generate ./...
+
+builds:
+  - id: atping
+    main: ./cmd/atping/main.go
+    binary: atping
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: ca-signed
+    main: ./cmd/ca-signed/main.go
+    binary: ca-signed
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: cert-bundler
+    main: ./cmd/cert-bundler/main.go
+    binary: cert-bundler
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: cert-revcheck
+    main: ./cmd/cert-revcheck/main.go
+    binary: cert-revcheck
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: certchain
+    main: ./cmd/certchain/main.go
+    binary: certchain
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: certdump
+    main: ./cmd/certdump/main.go
+    binary: certdump
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: certexpiry
+    main: ./cmd/certexpiry/main.go
+    binary: certexpiry
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: certser
+    main: ./cmd/certser/main.go
+    binary: certser
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: certverify
+    main: ./cmd/certverify/main.go
+    binary: certverify
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: clustersh
+    main: ./cmd/clustersh/main.go
+    binary: clustersh
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: cruntar
+    main: ./cmd/cruntar/main.go
+    binary: cruntar
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: csrpubdump
+    main: ./cmd/csrpubdump/main.go
+    binary: csrpubdump
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: data_sync
+    main: ./cmd/data_sync/main.go
+    binary: data_sync
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: diskimg
+    main: ./cmd/diskimg/main.go
+    binary: diskimg
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: dumpbytes
+    main: ./cmd/dumpbytes/main.go
+    binary: dumpbytes
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: eig
+    main: ./cmd/eig/main.go
+    binary: eig
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: fragment
+    main: ./cmd/fragment/main.go
+    binary: fragment
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: host
+    main: ./cmd/host/main.go
+    binary: host
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: jlp
+    main: ./cmd/jlp/main.go
+    binary: jlp
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: kgz
+    main: ./cmd/kgz/main.go
+    binary: kgz
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: minmax
+    main: ./cmd/minmax/main.go
+    binary: minmax
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: parts
+    main: ./cmd/parts/main.go
+    binary: parts
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: pem2bin
+    main: ./cmd/pem2bin/main.go
+    binary: pem2bin
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: pembody
+    main: ./cmd/pembody/main.go
+    binary: pembody
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: pemit
+    main: ./cmd/pemit/main.go
+    binary: pemit
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: readchain
+    main: ./cmd/readchain/main.go
+    binary: readchain
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: renfnv
+    main: ./cmd/renfnv/main.go
+    binary: renfnv
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: rhash
+    main: ./cmd/rhash/main.go
+    binary: rhash
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: rolldie
+    main: ./cmd/rolldie/main.go
+    binary: rolldie
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: showimp
+    main: ./cmd/showimp/main.go
+    binary: showimp
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: ski
+    main: ./cmd/ski/main.go
+    binary: ski
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: sprox
+    main: ./cmd/sprox/main.go
+    binary: sprox
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: stealchain
+    main: ./cmd/stealchain/main.go
+    binary: stealchain
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: stealchain-server
+    main: ./cmd/stealchain-server/main.go
+    binary: stealchain-server
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: subjhash
+    main: ./cmd/subjhash/main.go
+    binary: subjhash
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: tlsinfo
+    main: ./cmd/tlsinfo/main.go
+    binary: tlsinfo
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: tlskeypair
+    main: ./cmd/tlskeypair/main.go
+    binary: tlskeypair
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: utc
+    main: ./cmd/utc/main.go
+    binary: utc
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: yamll
+    main: ./cmd/yamll/main.go
+    binary: yamll
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+  - id: zsearch
+    main: ./cmd/zsearch/main.go
+    binary: zsearch
+    env:
+      - CGO_ENABLED=0
+    goos: [linux, darwin]
+    goarch: [amd64, arm64]
+    ignore:
+      - goos: darwin
+        goarch: amd64
+
+archives:
+  - formats: [tar.gz]
+    # archive filename: name_version_os_arch
+    name_template: >-
+      {{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}
+    # use zip for windows archives
+    format_overrides:
+      - goos: windows
+        formats: [zip]
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"
+
+release:
+  github:
+    owner: kisom
+    name: goutils
+  footer: >-
+
+    ---
+
+    Released by [GoReleaser](https://github.com/goreleaser/goreleaser).

CHANGELOG

@@ -1,27 +1,271 @@
-Release 1.2.1 - 2018-09-15
+CHANGELOG
 
-+ Add missing format argument to Errorf call in kgz.
+v1.15.7 - 2025-11-19
 
-Release 1.2.0 - 2018-09-15
+Changed:
+- certlib: update FileKind with algo information and fix bug where PEM
+  files didn't have their algorithm set.
+- certlib/certgen: GenerateKey had the blocks for Ed25519 and RSA keys
+  swapped.
+- cmd/tlsinfo: fix type in output.
 
-+ Adds the kgz command line utility.
+v1.15.6 - 2025-11-19
+certlib: add FileKind function to determine file type.
 
-Release 1.1.0 - 2017-11-16
+v1.15.5 - 2025-11-19
+certlib/bundler: add support for crt files that are pem-encoded.
 
-+ A number of new command line utilities were added
+v1.15.4 - 2025-11-19
+Quality of life fixes for CSR generation.
 
-	+ atping
+v1.15.3 - 2025-11-19
-	+ cruntar
+Minor bug fixes.
-	+ renfnv
-        +
-	+ ski
-	+ subjhash
-	+ yamll
 
-+ new package: ahash
+v1.15.2 - 2025-11-19
-	+ package for loading hashes from an algorithm string
+Minor bug fixes.
 
-+ new certificate loading functions in the lib package
+v1.15.1 - 2025-11-19
 
-+ new package: tee
+Changed:
-	+ emulates tee(1)
+- linter fixes.
+
+Removed:
+- mnd removed from linter.
+
+v1.15.0 - 2025-11-19
+
+Changed:
+- lib: fetcher and dialer moved to separate packages.
+- cmd/ca-signed: cleaned up code internally.
+- lib: add base64 encoding to HexEncode.
+- linter fixes.
+
+Added:
+- certlib/certgen: add support for generating and signing certificates.
+
+v1.14.6 - 2025-11-18
+
+Added:
+- certlib: move tlskeypair functions into certlib.
+
+v1.14.5 - 2025-11-18
+
+Changed:
+- certlib/verify: fix a nil-pointer dereference.
+
+v1.14.4 - 2025-11-18
+
+Added:
+- certlib/ski: add support for return certificate SKI.
+- certlib/verify: add support for verifying certificates.
+
+Changed:
+- certlib/dump: moved more functions into the dump package.
+- cmd: many certificate-related commands had their functionality moved into
+  certlib.
+
+v1.14.3 - 2025-11-18
+
+Added:
+- certlib/dump: the certificate dumping functions have been moved into
+  their own package.
+
+Changed:
+- cmd/certdump: refactor out most of the functionality into certlib/dump.
+- cmd/kgz: add extended metadata support.
+
+v1.14.2 - 2025-11-18
+
+Added:
+- lib: add tooling for generating baseline TLS configs.
+
+Changed:
+- cmd: update all commands to allow the use strict TLS configs. Note that
+  many of these tools are intended for debugging broken or insecure TLS
+  systems, and the ability to support insecure TLS configurations is
+  important in this regard.
+
+v1.14.1 - 2025-11-18
+
+Added:
+- build: add missing Dockerfile.
+
+v1.14.0 - 2025-11-18
+
+Added:
+- lib/dialer: introduce proxy-aware dialers and helpers:
+  - NewNetDialer and NewTLSDialer honoring SOCKS5_PROXY, HTTPS_PROXY, HTTP_PROXY
+    (case-insensitive) with precedence SOCKS5 > HTTPS > HTTP.
+  - DialTCP and DialTLS convenience functions; DialTLS performs a TLS handshake
+    and returns a concrete *tls.Conn.
+  - NewHTTPClient: returns a proxy-aware *http.Client. Uses SOCKS5 proxy when
+    configured (disables HTTP(S) proxying to avoid double-proxying); otherwise
+    relies on http.ProxyFromEnvironment (respects HTTP(S)_PROXY and NO_PROXY).
+- build: the releasse-docker.sh builds and pushes the correct Docker images.
+
+Changed:
+- cmd: migrate tools to new proxy-aware helpers where appropriate:
+  - certchain, stealchain, tlsinfo: use lib.DialTLS.
+  - cert-revcheck: use lib.DialTLS for site connects and a proxy-aware
+    HTTP client for OCSP/CRL fetches.
+  - rhash: use proxy-aware HTTP client for downloads.
+- lib/fetch: migrate from certlib/fetch.go to lib/fetch.go and use DialTLS
+  under the hood.
+- go.mod: add golang.org/x/net dependency (for SOCKS5 support) and align x/crypto.
+
+Notes:
+- HTTP(S) proxy CONNECT supports optional basic auth via proxy URL credentials.
+- HTTPS proxies are TLS-wrapped prior to CONNECT.
+- Timeouts apply to TCP connects, proxy handshakes, and TLS handshakes; context
+  cancellation is honored.
+- Some commands retain bespoke dialing (e.g., IPv6-only or unix sockets) and
+  were intentionally left unchanged.
+
+v1.13.6 - 2025-11-18
+
+Changed:
+- build: removing gitea stuff.
+
+v1.13.5 - 2025-11-18
+
+Changed:
+- build: updating goreleaser config.
+
+v1.13.4 - 2025-11-18
+
+Changed:
+- build: updating goreleaser config.
+
+v1.13.3 - 2025-11-18
+
+Added:
+- certlib: introduce `Fetcher` for retrieving certificates.
+- lib: `HexEncode` gains a byte-slice output variant.
+- build: add GoReleaser configuration.
+
+Changed:
+- cmd: migrate programs to use `certlib.Fetcher` for certificate retrieval
+  (includes `certdump`, `ski`, and others).
+- cmd/ski: update display mode.
+
+Misc:
+- repository fixups and small cleanups.
+
+v1.13.2 - 2025-11-17
+
+Add:
+- certlib/bundler: refactor certificate bundling from cmd/cert-bundler
+  into a separate package.
+
+Changed:
+- cmd/cert-bundler: refactor to use bundler package, and update Dockerfile.
+
+v1.13.1 - 2025-11-17
+
+Add:
+- Dockerfile for cert-bundler.
+
+v1.13.0 - 2025-11-16
+
+Add:
+- cmd/certser: print serial numbers for certificates.
+- lib/HexEncode: add a new hex encode function handling multiple output
+  formats, including with and without colons.
+
+v1.12.4 - 2025-11-16
+
+Changed:
+
+- Linting fixes for twofactor that were previously masked.
+
+v1.12.3 erroneously tagged and pushed
+
+v1.12.2 - 2025-11-16
+
+Changed:
+
+- add rsc.io/qr dependency for twofactor.
+
+v1.12.1 - 2025-11-16
+
+Changed:
+- twofactor: Remove go.{mod,sum}.
+
+v1.12.0 - 2025-11-16
+
+Added
+- twofactor: the github.com/kisom/twofactor repo has been subtree'd
+  into this repo.
+
+v1.11.2 - 2025-11-16
+
+Changed
+- cmd/ski, cmd/csrpubdump, cmd/tlskeypair: centralize
+  certificate/private-key/CSR parsing by reusing certlib helpers.
+  This reduces duplication and improves consistency across commands.
+- csr: CSR parsing in the above commands now uses certlib.ParseCSR,
+  which verifies CSR signatures (behavioral hardening compared to
+  prior parsing without signature verification).
+
+v1.11.1 - 2025-11-16
+
+Changed
+- cmd: complete linting fixes across programs; no functional changes.
+
+v1.11.0 - 2025-11-15
+
+Added
+- cache/mru: introduce MRU cache implementation with timestamp utilities.
+
+Changed
+- certlib: complete overhaul to simplify APIs and internals.
+- repo: widespread linting cleanups across many packages (config, dbg, die,
+  fileutil, log/logging, mwc, sbuf, seekbuf, tee, testio, etc.).
+- cmd: general program cleanups; `cert-bundler` lint fixes.
+
+Removed
+- rand: remove unused package.
+- testutil: remove unused code.
+
+
+v1.10.1 — 2025-11-15
+
+Changed
+- certlib: major overhaul and refactor.
+- repo: linter autofixes ahead of release.
+
+
+v1.10.0 — 2025-11-14
+
+Added
+- cmd: add `cert-revcheck` command.
+
+Changed
+- ci/lint: add golangci-lint stage and initial cleanup.
+
+
+v1.9.1 — 2025-11-15
+
+Fixed
+- die: correct calls to `die.With`.
+
+
+v1.9.0 — 2025-11-14
+
+Added
+- cmd: add `cert-bundler` tool.
+
+Changed
+- misc: minor updates and maintenance.
+
+
+v1.8.1 — 2025-11-14
+
+Added
+- cmd: add `tlsinfo` tool.
+
+
+v1.8.0 — 2025-11-14
+
+Baseline
+- Initial baseline for this changelog series.

Dockerfile

@@ -0,0 +1,38 @@
+# syntax=docker/dockerfile:1
+
+# ----- Builder stage: build all cmd/... tools -----
+FROM golang:1.24-alpine AS builder
+
+# Install necessary build dependencies for fetching modules
+RUN apk add --no-cache git ca-certificates && update-ca-certificates
+
+WORKDIR /src
+
+# Cache modules
+COPY go.mod go.sum ./
+RUN --mount=type=cache,target=/go/pkg/mod \
+    go mod download
+
+# Copy the rest of the source
+COPY . .
+
+# Build and install all commands under ./cmd/... into /out
+ENV CGO_ENABLED=0
+ENV GOBIN=/out
+RUN --mount=type=cache,target=/go/pkg/mod \
+    go install ./cmd/...
+
+# ----- Final runtime image: minimal alpine with tools installed -----
+FROM alpine:3.20
+
+# Ensure common utilities are present
+RUN apk add --no-cache bash curl ca-certificates && update-ca-certificates
+
+# Copy binaries from builder
+COPY --from=builder /out/ /usr/local/bin/
+
+# Working directory for mounting the host CWD
+WORKDIR /work
+
+# Default command shows available tools if run without args
+CMD ["/bin/sh", "-lc", "echo 'Tools installed:' && ls -1 /usr/local/bin && echo '\nMount your project with: docker run --rm -it -v $PWD:/work IMAGE <tool> ...'"]

LICENSE

@@ -1,19 +1,194 @@
-Copyright (c) 2015-2023 Kyle Isom <kyle@tyrfingr.is>
+   Copyright 2025 K. Isom <kyle@imap.cc>
 
-Permission to use, copy, modify, and distribute this software for any
+   Licensed under the Apache License, Version 2.0 (the "License");
-purpose with or without fee is hereby granted, provided that the above 
+   you may not use this file except in compliance with the License.
-copyright notice and this permission notice appear in all copies.
+   You may obtain a copy of the License at
 
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+       http://www.apache.org/licenses/LICENSE-2.0
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
 
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
 
 =======================================================================
+
 The backoff package (written during my time at Cloudflare) is released
 under the following license:
 

README.md

@@ -2,39 +2,52 @@ GOUTILS
 
 This is a collection of small utility code I've written in Go; the `cmd/`
 directory has a number of command-line utilities. Rather than keep all
-of these in superfluous repositories of their own, or rewriting them
+of these in superfluous repositories of their own or rewriting them
 for each project, I'm putting them here.
 
-The project can be built with the standard Go tooling, or it can be built
+The project can be built with the standard Go tooling.
-with Bazel.
 
 Contents:
 
     ahash/          Provides hashes from string algorithm specifiers.
     assert/         Error handling, assertion-style.
     backoff/        Implementation of an intelligent backoff strategy.
+    cache/          Implementations of various caches.
+        lru/        Least-recently-used cache.
+        mru/        Most-recently-used cache.
+    certlib/        Library for working with TLS certificates.
     cmd/
         atping/     Automated TCP ping, meant for putting in cronjobs.
-        certchain/  Display the certificate chain from a
+        ca-signed/  Validate whether a certificate is signed by a CA.
-                    TLS connection.
+        cert-bundler/
+                    Create certificate bundles from a source of PEM
+                    certificates.
+        cert-revcheck/
+                    Check whether a certificate has been revoked or is
+                    expired.
+        certchain/  Display the certificate chain from a TLS connection.
         certdump/   Dump certificate information.
         certexpiry/ Print a list of certificate subjects and expiry times
                     or warn about certificates expiring within a certain
                     window.
-        certverify/ Verify a TLS X.509 certificate, optionally printing
+        certverify/ Verify a TLS X.509 certificate file, optionally printing
                     the time to expiry and checking for revocations.
         clustersh/  Run commands or transfer files across multiple
                     servers via SSH.
-        cruntar/    Untar an archive with hard links, copying instead of
+        cruntar/    (Un)tar an archive with hard links, copying instead of
                     linking.
         csrpubdump/ Dump the public key from an X.509 certificate request.
         data_sync/  Sync the user's homedir to external storage.
         diskimg/    Write a disk image to a device.
+        dumpbytes/  Dump the contents of a file as hex bytes, printing it as
+                    a Go []byte literal.
         eig/        EEPROM image generator.
         fragment/   Print a fragment of a file.
+        host/       Go imlpementation of the host(1) command.
         jlp/        JSON linter/prettifier.
         kgz/        Custom gzip compressor / decompressor that handles 99%
                     of my use cases.
+        minmax/     Generate a minmax code for use in uLisp.
         parts/      Simple parts database management for my collection of
                     electronic components.
         pem2bin/    Dump the binary body of a PEM-encoded block.
@@ -44,37 +57,79 @@ Contents:
                     in a bundle.
         renfnv/     Rename a file to base32-encoded 64-bit FNV-1a hash.
         rhash/      Compute the digest of remote files.
+        rolldie/    Roll some dice.
         showimp/    List the external (e.g. non-stdlib and outside the
                     current working directory) imports for a Go file.
         ski         Display the SKI for PEM-encoded TLS material.
         sprox/      Simple TCP proxy.
-        stealchain/ Dump the verified chain from a TLS
+        stealchain/ Dump the verified chain from a TLS connection to a
-                    connection to a server.
+                    server.
-        stealchain- Dump the verified chain from a TLS
+        stealchain-server/
-          server/   connection from a client.
+                    Dump the verified chain from a TLS connection from
+                    from a client.
         subjhash/   Print or match subject info from a certificate.
+        tlsinfo/    Print information about a TLS connection (the TLS version
+                    and cipher suite).
         tlskeypair/ Check whether a TLS certificate and key file match.
         utc/        Convert times to UTC.
         yamll/      A small YAML linter.
+        zsearch/    Search for a string in directory of gzipped files.
     config/         A simple global configuration system where configuration
                     data is pulled from a file or an environment variable
                     transparently.
+        iniconf/    A simple INI-style configuration system.
     dbg/            A debug printer.
     die/            Death of a program.
     fileutil/       Common file functions.
     lib/            Commonly-useful functions for writing Go programs.
+    log/            A syslog library.
     logging/        A logging library.
     mwc/            MultiwriteCloser implementation.
-    rand/           Utilities for working with math/rand.
     sbuf/           A byte buffer that can be wiped.
     seekbuf/        A read-seekable byte buffer.
     syslog/         Syslog-type logging.
     tee/            Emulate tee(1)'s functionality in io.Writers.
     testio/         Various I/O utilities useful during testing.
-    testutil/       Various utility functions useful during testing.
+	twofactor/      Two-factor authentication.
-
 
 Each program should have a small README in the directory with more
 information.
 
-All code here is licensed under the ISC license.
+All code here is licensed under the Apache 2.0 license.
+
+Error handling
+--------------
+
+This repo standardizes on Go 1.13+ error wrapping and matching. Libraries and
+CLIs should:
+
+- Wrap causes with context using `fmt.Errorf("context: %w", err)`.
+- Use typed, structured errors from `certlib/certerr` for certificate-related
+  operations. These include a typed `*certerr.Error` with `Source` and `Kind`.
+- Match errors programmatically:
+  - `errors.Is(err, certerr.ErrEncryptedPrivateKey)` to detect sentinel states.
+  - `errors.As(err, &e)` (where `var e *certerr.Error`) to inspect
+    `e.Source`/`e.Kind`.
+
+Examples:
+
+```
+cert, err := certlib.LoadCertificate(path)
+if err != nil {
+    // sentinel match:
+    if errors.Is(err, certerr.ErrEmptyCertificate) {
+        // handle empty input
+    }
+
+    // typed error match
+    var ce *certerr.Error
+    if errors.As(err, &ce) {
+        switch ce.Kind {
+        case certerr.KindParse:
+            // parse error handling
+        case certerr.KindLoad:
+            // file loading error handling
+        }
+    }
+}
+```

backoff/backoff_test.go

@@ -91,7 +91,7 @@ func TestReset(t *testing.T) {
 	}
 }
 
-const decay = 5 * time.Millisecond
+const decay = time.Second
 const maxDuration = 10 * time.Millisecond
 const interval = time.Millisecond
 

cache/lru/lru.go

@@ -0,0 +1,179 @@
+// Package lru implements a Least Recently Used cache.
+package lru
+
+import (
+	"errors"
+	"fmt"
+	"sort"
+	"sync"
+
+	"github.com/benbjohnson/clock"
+)
+
+type item[V any] struct {
+	V      V
+	access int64
+}
+
+// A Cache is a map that retains a limited number of items. It must be
+// initialized with New, providing a maximum capacity for the cache.
+// Only the least recently used items are retained.
+type Cache[K comparable, V any] struct {
+	store  map[K]*item[V]
+	access *timestamps[K]
+	cap    int
+	clock  clock.Clock
+	// All public methods that have the possibility of modifying the
+	// cache should lock it.
+	mtx *sync.Mutex
+}
+
+// New must be used to create a new Cache.
+func New[K comparable, V any](icap int) *Cache[K, V] {
+	return &Cache[K, V]{
+		store:  map[K]*item[V]{},
+		access: newTimestamps[K](icap),
+		cap:    icap,
+		clock:  clock.New(),
+		mtx:    &sync.Mutex{},
+	}
+}
+
+// StringKeyCache is a convenience wrapper for cache keyed by string.
+type StringKeyCache[V any] struct {
+	*Cache[string, V]
+}
+
+// NewStringKeyCache creates a new LRU cache keyed by string.
+func NewStringKeyCache[V any](icap int) *StringKeyCache[V] {
+	return &StringKeyCache[V]{Cache: New[string, V](icap)}
+}
+
+func (c *Cache[K, V]) lock() {
+	c.mtx.Lock()
+}
+
+func (c *Cache[K, V]) unlock() {
+	c.mtx.Unlock()
+}
+
+// Len returns the number of items currently in the cache.
+func (c *Cache[K, V]) Len() int {
+	return len(c.store)
+}
+
+// evict should remove the least-recently-used cache item.
+func (c *Cache[K, V]) evict() {
+	if c.access.Len() == 0 {
+		return
+	}
+
+	k := c.access.K(0)
+	c.evictKey(k)
+}
+
+// evictKey should remove the entry given by the key item.
+func (c *Cache[K, V]) evictKey(k K) {
+	delete(c.store, k)
+	i, ok := c.access.Find(k)
+	if !ok {
+		return
+	}
+
+	c.access.Delete(i)
+}
+
+func (c *Cache[K, V]) sanityCheck() {
+	if len(c.store) != c.access.Len() {
+		panic(fmt.Sprintf("LRU cache is out of sync; store len = %d, access len = %d",
+			len(c.store), c.access.Len()))
+	}
+}
+
+// ConsistencyCheck runs a series of checks to ensure that the cache's
+// data structures are consistent. It is not normally required, and it
+// is primarily used in testing.
+func (c *Cache[K, V]) ConsistencyCheck() error {
+	c.lock()
+	defer c.unlock()
+	if err := c.access.ConsistencyCheck(); err != nil {
+		return err
+	}
+
+	if len(c.store) != c.access.Len() {
+		return fmt.Errorf("lru: cache is out of sync; store len = %d, access len = %d",
+			len(c.store), c.access.Len())
+	}
+
+	for i := range c.access.ts {
+		itm, ok := c.store[c.access.K(i)]
+		if !ok {
+			return errors.New("lru: key in access is not in store")
+		}
+
+		if c.access.T(i) != itm.access {
+			return fmt.Errorf("timestamps are out of sync (%d != %d)",
+				itm.access, c.access.T(i))
+		}
+	}
+
+	if !sort.IsSorted(c.access) {
+		return errors.New("lru: timestamps aren't sorted")
+	}
+
+	return nil
+}
+
+// Store adds the value v to the cache under the k.
+func (c *Cache[K, V]) Store(k K, v V) {
+	c.lock()
+	defer c.unlock()
+
+	c.sanityCheck()
+
+	if len(c.store) == c.cap {
+		c.evict()
+	}
+
+	if _, ok := c.store[k]; ok {
+		c.evictKey(k)
+	}
+
+	itm := &item[V]{
+		V:      v,
+		access: c.clock.Now().UnixNano(),
+	}
+
+	c.store[k] = itm
+	c.access.Update(k, itm.access)
+}
+
+// Get returns the value stored in the cache. If the item isn't present,
+// it will return false.
+func (c *Cache[K, V]) Get(k K) (V, bool) {
+	c.lock()
+	defer c.unlock()
+
+	c.sanityCheck()
+
+	itm, ok := c.store[k]
+	if !ok {
+		var zero V
+		return zero, false
+	}
+
+	c.store[k].access = c.clock.Now().UnixNano()
+	c.access.Update(k, itm.access)
+	return itm.V, true
+}
+
+// Has returns true if the cache has an entry for k. It will not update
+// the timestamp on the item.
+func (c *Cache[K, V]) Has(k K) bool {
+	// Don't need to lock as we don't modify anything.
+
+	c.sanityCheck()
+
+	_, ok := c.store[k]
+	return ok
+}

cache/lru/lru_internal_test.go

@@ -0,0 +1,87 @@
+package lru
+
+import (
+	"testing"
+	"time"
+
+	"github.com/benbjohnson/clock"
+)
+
+// These tests mirror the MRU-style behavior present in this LRU package
+// implementation (eviction removes the most-recently-used entry).
+func TestBasicCacheEviction(t *testing.T) {
+	mock := clock.NewMock()
+	c := NewStringKeyCache[int](2)
+	c.clock = mock
+
+	if err := c.ConsistencyCheck(); err != nil {
+		t.Fatal(err)
+	}
+
+	if c.Len() != 0 {
+		t.Fatal("cache should have size 0")
+	}
+
+	c.evict()
+	if err := c.ConsistencyCheck(); err != nil {
+		t.Fatal(err)
+	}
+
+	c.Store("raven", 1)
+	if err := c.ConsistencyCheck(); err != nil {
+		t.Fatal(err)
+	}
+
+	if len(c.store) != 1 {
+		t.Fatalf("store should have length=1, have length=%d", len(c.store))
+	}
+
+	mock.Add(time.Second)
+	c.Store("owl", 2)
+	if err := c.ConsistencyCheck(); err != nil {
+		t.Fatal(err)
+	}
+
+	if len(c.store) != 2 {
+		t.Fatalf("store should have length=2, have length=%d", len(c.store))
+	}
+
+	mock.Add(time.Second)
+	c.Store("goat", 3)
+	if err := c.ConsistencyCheck(); err != nil {
+		t.Fatal(err)
+	}
+
+	if len(c.store) != 2 {
+		t.Fatalf("store should have length=2, have length=%d", len(c.store))
+	}
+
+	// Since this implementation evicts the most-recently-used item, inserting
+	// "goat" when full evicts "owl" (the most recent at that time).
+	mock.Add(time.Second)
+	if _, ok := c.Get("owl"); ok {
+		t.Fatal("store should not have an entry for owl (MRU-evicted)")
+	}
+	if err := c.ConsistencyCheck(); err != nil {
+		t.Fatal(err)
+	}
+
+	mock.Add(time.Second)
+	c.Store("elk", 4)
+	if err := c.ConsistencyCheck(); err != nil {
+		t.Fatal(err)
+	}
+
+	if !c.Has("elk") {
+		t.Fatal("store should contain an entry for 'elk'")
+	}
+
+	// Before storing elk, keys were: raven (older), goat (newer). Evict MRU -> goat.
+	if !c.Has("raven") {
+		t.Fatal("store should contain an entry for 'raven'")
+	}
+
+	if c.Has("goat") {
+		t.Fatal("store should not contain an entry for 'goat'")
+	}
+}

cache/lru/timestamps.go

@@ -0,0 +1,101 @@
+package lru
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"sort"
+)
+
+// timestamps contains datastructures for maintaining a list of keys sortable
+// by timestamp.
+
+type timestamp[K comparable] struct {
+	t int64
+	k K
+}
+
+type timestamps[K comparable] struct {
+	ts  []timestamp[K]
+	cap int
+}
+
+func newTimestamps[K comparable](icap int) *timestamps[K] {
+	return &timestamps[K]{
+		ts:  make([]timestamp[K], 0, icap),
+		cap: icap,
+	}
+}
+
+func (ts *timestamps[K]) K(i int) K {
+	return ts.ts[i].k
+}
+
+func (ts *timestamps[K]) T(i int) int64 {
+	return ts.ts[i].t
+}
+
+func (ts *timestamps[K]) Len() int {
+	return len(ts.ts)
+}
+
+func (ts *timestamps[K]) Less(i, j int) bool {
+	return ts.ts[i].t > ts.ts[j].t
+}
+
+func (ts *timestamps[K]) Swap(i, j int) {
+	ts.ts[i], ts.ts[j] = ts.ts[j], ts.ts[i]
+}
+
+func (ts *timestamps[K]) Find(k K) (int, bool) {
+	for i := range ts.ts {
+		if ts.ts[i].k == k {
+			return i, true
+		}
+	}
+	return -1, false
+}
+
+func (ts *timestamps[K]) Update(k K, t int64) bool {
+	i, ok := ts.Find(k)
+	if !ok {
+		ts.ts = append(ts.ts, timestamp[K]{t, k})
+		sort.Sort(ts)
+		return false
+	}
+
+	ts.ts[i].t = t
+	sort.Sort(ts)
+	return true
+}
+
+func (ts *timestamps[K]) ConsistencyCheck() error {
+	if !sort.IsSorted(ts) {
+		return errors.New("lru: timestamps are not sorted")
+	}
+
+	keys := map[K]bool{}
+	for i := range ts.ts {
+		if keys[ts.ts[i].k] {
+			return fmt.Errorf("lru: duplicate key %v detected", ts.ts[i].k)
+		}
+		keys[ts.ts[i].k] = true
+	}
+
+	if len(keys) != len(ts.ts) {
+		return fmt.Errorf("lru: timestamp contains %d duplicate keys",
+			len(ts.ts)-len(keys))
+	}
+
+	return nil
+}
+
+func (ts *timestamps[K]) Delete(i int) {
+	ts.ts = append(ts.ts[:i], ts.ts[i+1:]...)
+}
+
+func (ts *timestamps[K]) Dump(w io.Writer) {
+	for i := range ts.ts {
+		fmt.Fprintf(w, "%d: %v, %d\n", i, ts.K(i), ts.T(i))
+	}
+}

cache/lru/timestamps_internal_test.go

@@ -0,0 +1,50 @@
+package lru
+
+import (
+	"testing"
+	"time"
+
+	"github.com/benbjohnson/clock"
+)
+
+// These tests validate timestamps ordering semantics for the LRU package.
+// Note: The LRU timestamps are sorted with most-recent-first (descending by t).
+func TestTimestamps(t *testing.T) {
+	ts := newTimestamps[string](3)
+	mock := clock.NewMock()
+
+	// raven
+	ts.Update("raven", mock.Now().UnixNano())
+
+	// raven, owl
+	mock.Add(time.Millisecond)
+	ts.Update("owl", mock.Now().UnixNano())
+
+	// raven, owl, goat
+	mock.Add(time.Second)
+	ts.Update("goat", mock.Now().UnixNano())
+
+	if err := ts.ConsistencyCheck(); err != nil {
+		t.Fatal(err)
+	}
+
+	// make owl the most recent
+	mock.Add(time.Millisecond)
+	ts.Update("owl", mock.Now().UnixNano())
+	if err := ts.ConsistencyCheck(); err != nil {
+		t.Fatal(err)
+	}
+
+	// For LRU timestamps: most recent first. Expected order: owl, goat, raven.
+	if ts.K(0) != "owl" {
+		t.Fatalf("first key should be owl, have %s", ts.K(0))
+	}
+
+	if ts.K(1) != "goat" {
+		t.Fatalf("second key should be goat, have %s", ts.K(1))
+	}
+
+	if ts.K(2) != "raven" {
+		t.Fatalf("third key should be raven, have %s", ts.K(2))
+	}
+}

cache/mru/mru.go

@@ -0,0 +1,178 @@
+package mru
+
+import (
+	"errors"
+	"fmt"
+	"sort"
+	"sync"
+
+	"github.com/benbjohnson/clock"
+)
+
+type item[V any] struct {
+	V      V
+	access int64
+}
+
+// A Cache is a map that retains a limited number of items. It must be
+// initialized with New, providing a maximum capacity for the cache.
+// Only the most recently used items are retained.
+type Cache[K comparable, V any] struct {
+	store  map[K]*item[V]
+	access *timestamps[K]
+	cap    int
+	clock  clock.Clock
+	// All public methods that have the possibility of modifying the
+	// cache should lock it.
+	mtx *sync.Mutex
+}
+
+// New must be used to create a new Cache.
+func New[K comparable, V any](icap int) *Cache[K, V] {
+	return &Cache[K, V]{
+		store:  map[K]*item[V]{},
+		access: newTimestamps[K](icap),
+		cap:    icap,
+		clock:  clock.New(),
+		mtx:    &sync.Mutex{},
+	}
+}
+
+// StringKeyCache is a convenience wrapper for cache keyed by string.
+type StringKeyCache[V any] struct {
+	*Cache[string, V]
+}
+
+// NewStringKeyCache creates a new MRU cache keyed by string.
+func NewStringKeyCache[V any](icap int) *StringKeyCache[V] {
+	return &StringKeyCache[V]{Cache: New[string, V](icap)}
+}
+
+func (c *Cache[K, V]) lock() {
+	c.mtx.Lock()
+}
+
+func (c *Cache[K, V]) unlock() {
+	c.mtx.Unlock()
+}
+
+// Len returns the number of items currently in the cache.
+func (c *Cache[K, V]) Len() int {
+	return len(c.store)
+}
+
+// evict should remove the least-recently-used cache item.
+func (c *Cache[K, V]) evict() {
+	if c.access.Len() == 0 {
+		return
+	}
+
+	k := c.access.K(0)
+	c.evictKey(k)
+}
+
+// evictKey should remove the entry given by the key item.
+func (c *Cache[K, V]) evictKey(k K) {
+	delete(c.store, k)
+	i, ok := c.access.Find(k)
+	if !ok {
+		return
+	}
+
+	c.access.Delete(i)
+}
+
+func (c *Cache[K, V]) sanityCheck() {
+	if len(c.store) != c.access.Len() {
+		panic(fmt.Sprintf("MRU cache is out of sync; store len = %d, access len = %d",
+			len(c.store), c.access.Len()))
+	}
+}
+
+// ConsistencyCheck runs a series of checks to ensure that the cache's
+// data structures are consistent. It is not normally required, and it
+// is primarily used in testing.
+func (c *Cache[K, V]) ConsistencyCheck() error {
+	c.lock()
+	defer c.unlock()
+	if err := c.access.ConsistencyCheck(); err != nil {
+		return err
+	}
+
+	if len(c.store) != c.access.Len() {
+		return fmt.Errorf("mru: cache is out of sync; store len = %d, access len = %d",
+			len(c.store), c.access.Len())
+	}
+
+	for i := range c.access.ts {
+		itm, ok := c.store[c.access.K(i)]
+		if !ok {
+			return errors.New("mru: key in access is not in store")
+		}
+
+		if c.access.T(i) != itm.access {
+			return fmt.Errorf("timestamps are out of sync (%d != %d)",
+				itm.access, c.access.T(i))
+		}
+	}
+
+	if !sort.IsSorted(c.access) {
+		return errors.New("mru: timestamps aren't sorted")
+	}
+
+	return nil
+}
+
+// Store adds the value v to the cache under the k.
+func (c *Cache[K, V]) Store(k K, v V) {
+	c.lock()
+	defer c.unlock()
+
+	c.sanityCheck()
+
+	if len(c.store) == c.cap {
+		c.evict()
+	}
+
+	if _, ok := c.store[k]; ok {
+		c.evictKey(k)
+	}
+
+	itm := &item[V]{
+		V:      v,
+		access: c.clock.Now().UnixNano(),
+	}
+
+	c.store[k] = itm
+	c.access.Update(k, itm.access)
+}
+
+// Get returns the value stored in the cache. If the item isn't present,
+// it will return false.
+func (c *Cache[K, V]) Get(k K) (V, bool) {
+	c.lock()
+	defer c.unlock()
+
+	c.sanityCheck()
+
+	itm, ok := c.store[k]
+	if !ok {
+		var zero V
+		return zero, false
+	}
+
+	c.store[k].access = c.clock.Now().UnixNano()
+	c.access.Update(k, itm.access)
+	return itm.V, true
+}
+
+// Has returns true if the cache has an entry for k. It will not update
+// the timestamp on the item.
+func (c *Cache[K, V]) Has(k K) bool {
+	// Don't need to lock as we don't modify anything.
+
+	c.sanityCheck()
+
+	_, ok := c.store[k]
+	return ok
+}

cache/mru/mru_internal_test.go

@@ -0,0 +1,92 @@
+package mru
+
+import (
+	"testing"
+	"time"
+
+	"github.com/benbjohnson/clock"
+)
+
+func TestBasicCacheEviction(t *testing.T) {
+	mock := clock.NewMock()
+	c := NewStringKeyCache[int](2)
+	c.clock = mock
+
+	if err := c.ConsistencyCheck(); err != nil {
+		t.Fatal(err)
+	}
+
+	if c.Len() != 0 {
+		t.Fatal("cache should have size 0")
+	}
+
+	c.evict()
+	if err := c.ConsistencyCheck(); err != nil {
+		t.Fatal(err)
+	}
+
+	c.Store("raven", 1)
+	if err := c.ConsistencyCheck(); err != nil {
+		t.Fatal(err)
+	}
+
+	if len(c.store) != 1 {
+		t.Fatalf("store should have length=1, have length=%d", len(c.store))
+	}
+
+	mock.Add(time.Second)
+	c.Store("owl", 2)
+	if err := c.ConsistencyCheck(); err != nil {
+		t.Fatal(err)
+	}
+
+	if len(c.store) != 2 {
+		t.Fatalf("store should have length=2, have length=%d", len(c.store))
+	}
+
+	mock.Add(time.Second)
+	c.Store("goat", 3)
+	if err := c.ConsistencyCheck(); err != nil {
+		t.Fatal(err)
+	}
+
+	if len(c.store) != 2 {
+		t.Fatalf("store should have length=2, have length=%d", len(c.store))
+	}
+
+	mock.Add(time.Second)
+	v, ok := c.Get("owl")
+	if !ok {
+		t.Fatal("store should have an entry for owl")
+	}
+	if err := c.ConsistencyCheck(); err != nil {
+		t.Fatal(err)
+	}
+
+	itm := v
+	if err := c.ConsistencyCheck(); err != nil {
+		t.Fatal(err)
+	}
+
+	if itm != 2 {
+		t.Fatalf("stored item should be 2, have %d", itm)
+	}
+
+	mock.Add(time.Second)
+	c.Store("elk", 4)
+	if err := c.ConsistencyCheck(); err != nil {
+		t.Fatal(err)
+	}
+
+	if !c.Has("elk") {
+		t.Fatal("store should contain an entry for 'elk'")
+	}
+
+	if !c.Has("owl") {
+		t.Fatal("store should contain an entry for 'owl'")
+	}
+
+	if c.Has("goat") {
+		t.Fatal("store should not contain an entry for 'goat'")
+	}
+}

cache/mru/timestamps.go

@@ -0,0 +1,101 @@
+package mru
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"sort"
+)
+
+// timestamps contains datastructures for maintaining a list of keys sortable
+// by timestamp.
+
+type timestamp[K comparable] struct {
+	t int64
+	k K
+}
+
+type timestamps[K comparable] struct {
+	ts  []timestamp[K]
+	cap int
+}
+
+func newTimestamps[K comparable](icap int) *timestamps[K] {
+	return &timestamps[K]{
+		ts:  make([]timestamp[K], 0, icap),
+		cap: icap,
+	}
+}
+
+func (ts *timestamps[K]) K(i int) K {
+	return ts.ts[i].k
+}
+
+func (ts *timestamps[K]) T(i int) int64 {
+	return ts.ts[i].t
+}
+
+func (ts *timestamps[K]) Len() int {
+	return len(ts.ts)
+}
+
+func (ts *timestamps[K]) Less(i, j int) bool {
+	return ts.ts[i].t < ts.ts[j].t
+}
+
+func (ts *timestamps[K]) Swap(i, j int) {
+	ts.ts[i], ts.ts[j] = ts.ts[j], ts.ts[i]
+}
+
+func (ts *timestamps[K]) Find(k K) (int, bool) {
+	for i := range ts.ts {
+		if ts.ts[i].k == k {
+			return i, true
+		}
+	}
+	return -1, false
+}
+
+func (ts *timestamps[K]) Update(k K, t int64) bool {
+	i, ok := ts.Find(k)
+	if !ok {
+		ts.ts = append(ts.ts, timestamp[K]{t, k})
+		sort.Sort(ts)
+		return false
+	}
+
+	ts.ts[i].t = t
+	sort.Sort(ts)
+	return true
+}
+
+func (ts *timestamps[K]) ConsistencyCheck() error {
+	if !sort.IsSorted(ts) {
+		return errors.New("mru: timestamps are not sorted")
+	}
+
+	keys := map[K]bool{}
+	for i := range ts.ts {
+		if keys[ts.ts[i].k] {
+			return fmt.Errorf("duplicate key %v detected", ts.ts[i].k)
+		}
+		keys[ts.ts[i].k] = true
+	}
+
+	if len(keys) != len(ts.ts) {
+		return fmt.Errorf("mru: timestamp contains %d duplicate keys",
+			len(ts.ts)-len(keys))
+	}
+
+	return nil
+}
+
+func (ts *timestamps[K]) Delete(i int) {
+	ts.ts = append(ts.ts[:i], ts.ts[i+1:]...)
+}
+
+func (ts *timestamps[K]) Dump(w io.Writer) {
+	for i := range ts.ts {
+		fmt.Fprintf(w, "%d: %v, %d\n", i, ts.K(i), ts.T(i))
+	}
+}

cache/mru/timestamps_internal_test.go

@@ -0,0 +1,49 @@
+package mru
+
+import (
+	"testing"
+	"time"
+
+	"github.com/benbjohnson/clock"
+)
+
+func TestTimestamps(t *testing.T) {
+	ts := newTimestamps[string](3)
+	mock := clock.NewMock()
+
+	// raven
+	ts.Update("raven", mock.Now().UnixNano())
+
+	// raven, owl
+	mock.Add(time.Millisecond)
+
+	ts.Update("owl", mock.Now().UnixNano())
+
+	// raven, owl, goat
+	mock.Add(time.Second)
+	ts.Update("goat", mock.Now().UnixNano())
+
+	if err := ts.ConsistencyCheck(); err != nil {
+		t.Fatal(err)
+	}
+	mock.Add(time.Millisecond)
+
+	// raven, goat, owl
+	ts.Update("owl", mock.Now().UnixNano())
+	if err := ts.ConsistencyCheck(); err != nil {
+		t.Fatal(err)
+	}
+
+	// at this point, the keys should be raven, goat, owl.
+	if ts.K(0) != "raven" {
+		t.Fatalf("first key should be raven, have %s", ts.K(0))
+	}
+
+	if ts.K(1) != "goat" {
+		t.Fatalf("second key should be goat, have %s", ts.K(1))
+	}
+
+	if ts.K(2) != "owl" {
+		t.Fatalf("third key should be owl, have %s", ts.K(2))
+	}
+}

certlib/bundler/bundler.go

@@ -0,0 +1,695 @@
+package bundler
+
+import (
+	"archive/tar"
+	"archive/zip"
+	"compress/gzip"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"sort"
+	"strings"
+	"time"
+
+	"gopkg.in/yaml.v2"
+
+	"git.wntrmute.dev/kyle/goutils/certlib"
+)
+
+const defaultFileMode = 0644
+
+// Config represents the top-level YAML configuration.
+type Config struct {
+	Config struct {
+		Hashes string `yaml:"hashes"`
+		Expiry string `yaml:"expiry"`
+	} `yaml:"config"`
+	Chains map[string]ChainGroup `yaml:"chains"`
+}
+
+// ChainGroup represents a named group of certificate chains.
+type ChainGroup struct {
+	Certs   []CertChain `yaml:"certs"`
+	Outputs Outputs     `yaml:"outputs"`
+}
+
+// CertChain represents a root certificate and its intermediates.
+type CertChain struct {
+	Root          string   `yaml:"root"`
+	Intermediates []string `yaml:"intermediates"`
+}
+
+// Outputs defines output format options.
+type Outputs struct {
+	IncludeSingle     bool     `yaml:"include_single"`
+	IncludeIndividual bool     `yaml:"include_individual"`
+	Manifest          bool     `yaml:"manifest"`
+	Formats           []string `yaml:"formats"`
+	Encoding          string   `yaml:"encoding"`
+}
+
+var formatExtensions = map[string]string{
+	"zip": ".zip",
+	"tgz": ".tar.gz",
+}
+
+// Run performs the bundling operation given a config file path and an output directory.
+func Run(configFile string, outputDir string) error {
+	if configFile == "" {
+		return errors.New("configuration file required")
+	}
+
+	cfg, err := loadConfig(configFile)
+	if err != nil {
+		return fmt.Errorf("loading config: %w", err)
+	}
+
+	expiryDuration := 365 * 24 * time.Hour
+	if cfg.Config.Expiry != "" {
+		expiryDuration, err = parseDuration(cfg.Config.Expiry)
+		if err != nil {
+			return fmt.Errorf("parsing expiry: %w", err)
+		}
+	}
+
+	if err = os.MkdirAll(outputDir, 0750); err != nil {
+		return fmt.Errorf("creating output directory: %w", err)
+	}
+
+	totalFormats := 0
+	for _, group := range cfg.Chains {
+		totalFormats += len(group.Outputs.Formats)
+	}
+	createdFiles := make([]string, 0, totalFormats)
+	for groupName, group := range cfg.Chains {
+		files, perr := processChainGroup(groupName, group, expiryDuration, outputDir)
+		if perr != nil {
+			return fmt.Errorf("processing chain group %s: %w", groupName, perr)
+		}
+		createdFiles = append(createdFiles, files...)
+	}
+
+	if cfg.Config.Hashes != "" {
+		hashFile := filepath.Join(outputDir, cfg.Config.Hashes)
+		if gerr := generateHashFile(hashFile, createdFiles); gerr != nil {
+			return fmt.Errorf("generating hash file: %w", gerr)
+		}
+	}
+
+	return nil
+}
+
+func loadConfig(path string) (*Config, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	var cfg Config
+	if uerr := yaml.Unmarshal(data, &cfg); uerr != nil {
+		return nil, uerr
+	}
+
+	return &cfg, nil
+}
+
+func parseDuration(s string) (time.Duration, error) {
+	// Support simple formats like "1y", "6m", "30d"
+	if len(s) < 2 {
+		return 0, fmt.Errorf("invalid duration format: %s", s)
+	}
+
+	unit := s[len(s)-1]
+	value := s[:len(s)-1]
+
+	var multiplier time.Duration
+	switch unit {
+	case 'y', 'Y':
+		multiplier = 365 * 24 * time.Hour
+	case 'm', 'M':
+		multiplier = 30 * 24 * time.Hour
+	case 'd', 'D':
+		multiplier = 24 * time.Hour
+	default:
+		return time.ParseDuration(s)
+	}
+
+	var num int
+	_, err := fmt.Sscanf(value, "%d", &num)
+	if err != nil {
+		return 0, fmt.Errorf("invalid duration value: %s", s)
+	}
+
+	return time.Duration(num) * multiplier, nil
+}
+
+func processChainGroup(
+	groupName string,
+	group ChainGroup,
+	expiryDuration time.Duration,
+	outputDir string,
+) ([]string, error) {
+	// Default encoding to "pem" if not specified
+	encoding := group.Outputs.Encoding
+	if encoding == "" {
+		encoding = "pem"
+	}
+
+	// Collect certificates from all chains in the group
+	singleFileCerts, individualCerts, sourcePaths, err := loadAndCollectCerts(
+		group.Certs,
+		group.Outputs,
+		expiryDuration,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	// Prepare files for inclusion in archives
+	archiveFiles, err := prepareArchiveFiles(singleFileCerts, individualCerts, sourcePaths, group.Outputs, encoding)
+	if err != nil {
+		return nil, err
+	}
+
+	// Create archives for the entire group
+	createdFiles, err := createArchiveFiles(groupName, group.Outputs.Formats, archiveFiles, outputDir)
+	if err != nil {
+		return nil, err
+	}
+
+	return createdFiles, nil
+}
+
+// loadAndCollectCerts loads all certificates from chains and collects them for processing.
+func loadAndCollectCerts(
+	chains []CertChain,
+	outputs Outputs,
+	expiryDuration time.Duration,
+) ([]*x509.Certificate, []certWithPath, []string, error) {
+	var singleFileCerts []*x509.Certificate
+	var individualCerts []certWithPath
+	var sourcePaths []string
+
+	for _, chain := range chains {
+		s, i, cerr := collectFromChain(chain, outputs, expiryDuration)
+		if cerr != nil {
+			return nil, nil, nil, cerr
+		}
+		if len(s) > 0 {
+			singleFileCerts = append(singleFileCerts, s...)
+		}
+		if len(i) > 0 {
+			individualCerts = append(individualCerts, i...)
+		}
+		// Record source paths for timestamp preservation
+		// Only append when loading succeeded
+		sourcePaths = append(sourcePaths, chain.Root)
+		sourcePaths = append(sourcePaths, chain.Intermediates...)
+	}
+
+	return singleFileCerts, individualCerts, sourcePaths, nil
+}
+
+// collectFromChain loads a single chain, performs checks, and returns the certs to include.
+func collectFromChain(
+	chain CertChain,
+	outputs Outputs,
+	expiryDuration time.Duration,
+) (
+	[]*x509.Certificate,
+	[]certWithPath,
+	error,
+) {
+	var single []*x509.Certificate
+	var indiv []certWithPath
+
+	// Load root certificate
+	rootCert, rerr := certlib.LoadCertificate(chain.Root)
+	if rerr != nil {
+		return nil, nil, fmt.Errorf("failed to load root certificate %s: %w", chain.Root, rerr)
+	}
+
+	// Check expiry for root
+	checkExpiry(chain.Root, rootCert, expiryDuration)
+
+	// Add root to collections if needed
+	if outputs.IncludeSingle {
+		single = append(single, rootCert)
+	}
+	if outputs.IncludeIndividual {
+		indiv = append(indiv, certWithPath{cert: rootCert, path: chain.Root})
+	}
+
+	// Load and validate intermediates
+	for _, intPath := range chain.Intermediates {
+		intCert, lerr := certlib.LoadCertificate(intPath)
+		if lerr != nil {
+			return nil, nil, fmt.Errorf("failed to load intermediate certificate %s: %w", intPath, lerr)
+		}
+
+		// Validate that intermediate is signed by root
+		if sigErr := intCert.CheckSignatureFrom(rootCert); sigErr != nil {
+			return nil, nil, fmt.Errorf(
+				"intermediate %s is not properly signed by root %s: %w",
+				intPath,
+				chain.Root,
+				sigErr,
+			)
+		}
+
+		// Check expiry for intermediate
+		checkExpiry(intPath, intCert, expiryDuration)
+
+		// Add intermediate to collections if needed
+		if outputs.IncludeSingle {
+			single = append(single, intCert)
+		}
+		if outputs.IncludeIndividual {
+			indiv = append(indiv, certWithPath{cert: intCert, path: intPath})
+		}
+	}
+
+	return single, indiv, nil
+}
+
+// prepareArchiveFiles prepares all files to be included in archives.
+func prepareArchiveFiles(
+	singleFileCerts []*x509.Certificate,
+	individualCerts []certWithPath,
+	sourcePaths []string,
+	outputs Outputs,
+	encoding string,
+) ([]fileEntry, error) {
+	var archiveFiles []fileEntry
+
+	// Track used filenames to avoid collisions inside archives
+	usedNames := make(map[string]int)
+
+	// Handle a single bundle file
+	if outputs.IncludeSingle && len(singleFileCerts) > 0 {
+		bundleTime := maxModTime(sourcePaths)
+		files, err := encodeCertsToFiles(singleFileCerts, "bundle", encoding, true)
+		if err != nil {
+			return nil, fmt.Errorf("failed to encode single bundle: %w", err)
+		}
+		for i := range files {
+			files[i].name = makeUniqueName(files[i].name, usedNames)
+			files[i].modTime = bundleTime
+			// Best-effort: we do not have a portable birth/creation time.
+			// Use the same timestamp for created time to track deterministically.
+			files[i].createTime = bundleTime
+		}
+		archiveFiles = append(archiveFiles, files...)
+	}
+
+	// Handle individual files
+	if outputs.IncludeIndividual {
+		for _, cp := range individualCerts {
+			baseName := strings.TrimSuffix(filepath.Base(cp.path), filepath.Ext(cp.path))
+			files, err := encodeCertsToFiles([]*x509.Certificate{cp.cert}, baseName, encoding, false)
+			if err != nil {
+				return nil, fmt.Errorf("failed to encode individual cert %s: %w", cp.path, err)
+			}
+			mt := fileModTime(cp.path)
+			for i := range files {
+				files[i].name = makeUniqueName(files[i].name, usedNames)
+				files[i].modTime = mt
+				files[i].createTime = mt
+			}
+			archiveFiles = append(archiveFiles, files...)
+		}
+	}
+
+	// Generate manifest if requested
+	if outputs.Manifest {
+		manifestContent := generateManifest(archiveFiles)
+		manifestName := makeUniqueName("MANIFEST", usedNames)
+		mt := maxModTime(sourcePaths)
+		archiveFiles = append(archiveFiles, fileEntry{
+			name:       manifestName,
+			content:    manifestContent,
+			modTime:    mt,
+			createTime: mt,
+		})
+	}
+
+	return archiveFiles, nil
+}
+
+// createArchiveFiles creates archive files in the specified formats.
+func createArchiveFiles(
+	groupName string,
+	formats []string,
+	archiveFiles []fileEntry,
+	outputDir string,
+) ([]string, error) {
+	createdFiles := make([]string, 0, len(formats))
+
+	for _, format := range formats {
+		ext, ok := formatExtensions[format]
+		if !ok {
+			return nil, fmt.Errorf("unsupported format: %s", format)
+		}
+		archivePath := filepath.Join(outputDir, groupName+ext)
+		switch format {
+		case "zip":
+			if err := createZipArchive(archivePath, archiveFiles); err != nil {
+				return nil, fmt.Errorf("failed to create zip archive: %w", err)
+			}
+		case "tgz":
+			if err := createTarGzArchive(archivePath, archiveFiles); err != nil {
+				return nil, fmt.Errorf("failed to create tar.gz archive: %w", err)
+			}
+		default:
+			return nil, fmt.Errorf("unsupported format: %s", format)
+		}
+		createdFiles = append(createdFiles, archivePath)
+	}
+
+	return createdFiles, nil
+}
+
+func checkExpiry(path string, cert *x509.Certificate, expiryDuration time.Duration) {
+	now := time.Now()
+	expiryThreshold := now.Add(expiryDuration)
+
+	if cert.NotAfter.Before(expiryThreshold) {
+		daysUntilExpiry := int(cert.NotAfter.Sub(now).Hours() / 24)
+		if daysUntilExpiry < 0 {
+			fmt.Fprintf(
+				os.Stderr,
+				"WARNING: Certificate %s has EXPIRED (expired %d days ago)\n",
+				path,
+				-daysUntilExpiry,
+			)
+		} else {
+			fmt.Fprintf(os.Stderr, "WARNING: Certificate %s will expire in %d days (on %s)\n", path, daysUntilExpiry, cert.NotAfter.Format("2006-01-02"))
+		}
+	}
+}
+
+type fileEntry struct {
+	name       string
+	content    []byte
+	modTime    time.Time
+	createTime time.Time
+}
+
+type certWithPath struct {
+	cert *x509.Certificate
+	path string
+}
+
+// encodeCertsToFiles converts certificates to file entries based on encoding type
+// If isSingle is true, certs are concatenated into a single file; otherwise one cert per file.
+func encodeCertsToFiles(
+	certs []*x509.Certificate,
+	baseName string,
+	encoding string,
+	isSingle bool,
+) ([]fileEntry, error) {
+	var files []fileEntry
+
+	switch encoding {
+	case "pem":
+		pemContent := encodeCertsToPEM(certs)
+		files = append(files, fileEntry{
+			name:    baseName + ".pem",
+			content: pemContent,
+		})
+	case "crt":
+		pemContent := encodeCertsToPEM(certs)
+		files = append(files, fileEntry{
+			name:    baseName + ".crt",
+			content: pemContent,
+		})
+	case "pemcrt":
+		pemContent := encodeCertsToPEM(certs)
+		files = append(files, fileEntry{
+			name:    baseName + ".pem",
+			content: pemContent,
+		})
+
+		pemContent = encodeCertsToPEM(certs)
+		files = append(files, fileEntry{
+			name:    baseName + ".crt",
+			content: pemContent,
+		})
+	case "der":
+		if isSingle {
+			// For single file in DER, concatenate all cert DER bytes
+			var derContent []byte
+			for _, cert := range certs {
+				derContent = append(derContent, cert.Raw...)
+			}
+			files = append(files, fileEntry{
+				name:    baseName + ".crt",
+				content: derContent,
+			})
+		} else if len(certs) > 0 {
+			// Individual DER file (should only have one cert)
+			files = append(files, fileEntry{
+				name:    baseName + ".crt",
+				content: certs[0].Raw,
+			})
+		}
+	case "both":
+		// Add PEM version
+		pemContent := encodeCertsToPEM(certs)
+		files = append(files, fileEntry{
+			name:    baseName + ".pem",
+			content: pemContent,
+		})
+		// Add DER version
+		if isSingle {
+			var derContent []byte
+			for _, cert := range certs {
+				derContent = append(derContent, cert.Raw...)
+			}
+			files = append(files, fileEntry{
+				name:    baseName + ".crt",
+				content: derContent,
+			})
+		} else if len(certs) > 0 {
+			files = append(files, fileEntry{
+				name:    baseName + ".crt",
+				content: certs[0].Raw,
+			})
+		}
+	default:
+		return nil, fmt.Errorf("unsupported encoding: %s (must be 'pem', 'der', or 'both')", encoding)
+	}
+
+	return files, nil
+}
+
+// encodeCertsToPEM encodes certificates to PEM format.
+func encodeCertsToPEM(certs []*x509.Certificate) []byte {
+	var pemContent []byte
+	for _, cert := range certs {
+		pemBlock := &pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: cert.Raw,
+		}
+		pemContent = append(pemContent, pem.EncodeToMemory(pemBlock)...)
+	}
+	return pemContent
+}
+
+func generateManifest(files []fileEntry) []byte {
+	// Build a sorted list of files by filename to ensure deterministic manifest ordering
+	sorted := make([]fileEntry, 0, len(files))
+	for _, f := range files {
+		// Defensive: skip any existing manifest entry
+		if f.name == "MANIFEST" {
+			continue
+		}
+		sorted = append(sorted, f)
+	}
+	sort.Slice(sorted, func(i, j int) bool { return sorted[i].name < sorted[j].name })
+
+	var manifest strings.Builder
+	for _, file := range sorted {
+		hash := sha256.Sum256(file.content)
+		manifest.WriteString(fmt.Sprintf("%x  %s\n", hash, file.name))
+	}
+	return []byte(manifest.String())
+}
+
+// closeWithErr attempts to close all provided closers, joining any close errors with baseErr.
+func closeWithErr(baseErr error, closers ...io.Closer) error {
+	for _, c := range closers {
+		if c == nil {
+			continue
+		}
+		if cerr := c.Close(); cerr != nil {
+			baseErr = errors.Join(baseErr, cerr)
+		}
+	}
+	return baseErr
+}
+
+func createZipArchive(path string, files []fileEntry) error {
+	f, zerr := os.Create(path)
+	if zerr != nil {
+		return zerr
+	}
+
+	w := zip.NewWriter(f)
+
+	for _, file := range files {
+		hdr := &zip.FileHeader{
+			Name:   file.name,
+			Method: zip.Deflate,
+		}
+		if !file.modTime.IsZero() {
+			hdr.SetModTime(file.modTime)
+		}
+		fw, werr := w.CreateHeader(hdr)
+		if werr != nil {
+			return closeWithErr(werr, w, f)
+		}
+		if _, werr = fw.Write(file.content); werr != nil {
+			return closeWithErr(werr, w, f)
+		}
+	}
+
+	// Check errors on close operations
+	if cerr := w.Close(); cerr != nil {
+		_ = f.Close()
+		return cerr
+	}
+	return f.Close()
+}
+
+func createTarGzArchive(path string, files []fileEntry) error {
+	f, terr := os.Create(path)
+	if terr != nil {
+		return terr
+	}
+
+	gw := gzip.NewWriter(f)
+	tw := tar.NewWriter(gw)
+
+	for _, file := range files {
+		hdr := &tar.Header{
+			Name: file.name,
+			Uid:  0,
+			Gid:  0,
+			Mode: defaultFileMode,
+			Size: int64(len(file.content)),
+			ModTime: func() time.Time {
+				if file.modTime.IsZero() {
+					return time.Now()
+				}
+				return file.modTime
+			}(),
+		}
+		// Set additional times if supported
+		hdr.AccessTime = hdr.ModTime
+		if !file.createTime.IsZero() {
+			hdr.ChangeTime = file.createTime
+		} else {
+			hdr.ChangeTime = hdr.ModTime
+		}
+		if herr := tw.WriteHeader(hdr); herr != nil {
+			return closeWithErr(herr, tw, gw, f)
+		}
+		if _, werr := tw.Write(file.content); werr != nil {
+			return closeWithErr(werr, tw, gw, f)
+		}
+	}
+
+	// Check errors on close operations in the correct order
+	if cerr := tw.Close(); cerr != nil {
+		_ = gw.Close()
+		_ = f.Close()
+		return cerr
+	}
+	if cerr := gw.Close(); cerr != nil {
+		_ = f.Close()
+		return cerr
+	}
+	return f.Close()
+}
+
+func generateHashFile(path string, files []string) error {
+	f, err := os.Create(path)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	for _, file := range files {
+		data, rerr := os.ReadFile(file)
+		if rerr != nil {
+			return rerr
+		}
+
+		hash := sha256.Sum256(data)
+		fmt.Fprintf(f, "%x  %s\n", hash, filepath.Base(file))
+	}
+
+	return nil
+}
+
+// makeUniqueName ensures that each file name within the archive is unique by appending
+// an incremental numeric suffix before the extension when collisions occur.
+// Example: "root.pem" -> "root-2.pem", "root-3.pem", etc.
+func makeUniqueName(name string, used map[string]int) string {
+	// If unused, mark and return as-is
+	if _, ok := used[name]; !ok {
+		used[name] = 1
+		return name
+	}
+
+	ext := filepath.Ext(name)
+	base := strings.TrimSuffix(name, ext)
+	// Track a counter per base+ext key
+	key := base + ext
+	counter := max(used[key], 1)
+	for {
+		counter++
+		candidate := fmt.Sprintf("%s-%d%s", base, counter, ext)
+		if _, exists := used[candidate]; !exists {
+			used[key] = counter
+			used[candidate] = 1
+			return candidate
+		}
+	}
+}
+
+// fileModTime returns the file's modification time, or time.Now() if stat fails.
+func fileModTime(path string) time.Time {
+	fi, err := os.Stat(path)
+	if err != nil {
+		return time.Now()
+	}
+	return fi.ModTime()
+}
+
+// maxModTime returns the latest modification time across provided paths.
+// If the list is empty or stats fail, returns time.Now().
+func maxModTime(paths []string) time.Time {
+	var zero time.Time
+	maxTime := zero
+	for _, p := range paths {
+		fi, err := os.Stat(p)
+		if err != nil {
+			continue
+		}
+		mt := fi.ModTime()
+		if maxTime.IsZero() || mt.After(maxTime) {
+			maxTime = mt
+		}
+	}
+	if maxTime.IsZero() {
+		return time.Now()
+	}
+	return maxTime
+}

certlib/certerr/doc.go

@@ -0,0 +1,33 @@
+// Package certerr provides typed errors and helpers for certificate-related
+// operations across the repository. It standardizes error construction and
+// matching so callers can reliably branch on error source/kind using the
+// Go 1.13+ `errors.Is` and `errors.As` helpers.
+//
+// Guidelines
+//   - Always wrap underlying causes using the helper constructors or with
+//     fmt.Errorf("context: %w", err).
+//   - Do not include sensitive data (keys, passwords, tokens) in error
+//     messages; add only non-sensitive, actionable context.
+//   - Prefer programmatic checks via errors.Is (for sentinel errors) and
+//     errors.As (to retrieve *certerr.Error) rather than relying on error
+//     string contents.
+//
+// Typical usage
+//
+//	if err := doParse(); err != nil {
+//	    return certerr.ParsingError(certerr.ErrorSourceCertificate, err)
+//	}
+//
+// Callers may branch on error kinds and sources:
+//
+//	var e *certerr.Error
+//	if errors.As(err, &e) {
+//	    switch e.Kind {
+//	    case certerr.KindParse:
+//	        // handle parse error
+//	    }
+//	}
+//
+// Sentinel errors are provided for common conditions like
+// `certerr.ErrEncryptedPrivateKey` and can be matched with `errors.Is`.
+package certerr

certlib/certerr/errors.go

@@ -37,43 +37,84 @@ const (
 	ErrorSourceKeypair     ErrorSourceType = 5
 )
 
-// InvalidPEMType is used to indicate that we were expecting one type of PEM
+// ErrorKind is a broad classification describing what went wrong.
+type ErrorKind uint8
+
+const (
+	KindParse ErrorKind = iota + 1
+	KindDecode
+	KindVerify
+	KindLoad
+)
+
+func (k ErrorKind) String() string {
+	switch k {
+	case KindParse:
+		return "parse"
+	case KindDecode:
+		return "decode"
+	case KindVerify:
+		return "verify"
+	case KindLoad:
+		return "load"
+	default:
+		return "unknown"
+	}
+}
+
+// Error is a typed, wrapped error with structured context for programmatic checks.
+// It implements error and supports errors.Is/As via Unwrap.
+type Error struct {
+	Source ErrorSourceType // which domain produced the error (certificate, private key, etc.)
+	Kind   ErrorKind       // operation category (parse, decode, verify, load)
+	Op     string          // optional operation or function name
+	Err    error           // wrapped cause
+}
+
+func (e *Error) Error() string {
+	// Keep message format consistent with existing helpers: "failed to <kind> <source>: <err>"
+	// Do not include Op by default to preserve existing output expectations.
+	return fmt.Sprintf("failed to %s %s: %v", e.Kind.String(), e.Source.String(), e.Err)
+}
+
+func (e *Error) Unwrap() error { return e.Err }
+
+// InvalidPEMTypeError is used to indicate that we were expecting one type of PEM
 // file, but saw another.
-type InvalidPEMType struct {
+type InvalidPEMTypeError struct {
 	have string
 	want []string
 }
 
-func (err *InvalidPEMType) Error() string {
+func (err *InvalidPEMTypeError) Error() string {
 	if len(err.want) == 1 {
 		return fmt.Sprintf("invalid PEM type: have %s, expected %s", err.have, err.want[0])
-	} else {
-		return fmt.Sprintf("invalid PEM type: have %s, expected one of %s", err.have, strings.Join(err.want, ", "))
 	}
+	return fmt.Sprintf("invalid PEM type: have %s, expected one of %s", err.have, strings.Join(err.want, ", "))
 }
 
-// ErrInvalidPEMType returns a new InvalidPEMType error.
+// ErrInvalidPEMType returns a new InvalidPEMTypeError error.
 func ErrInvalidPEMType(have string, want ...string) error {
-	return &InvalidPEMType{
+	return &InvalidPEMTypeError{
 		have: have,
 		want: want,
 	}
 }
 
 func LoadingError(t ErrorSourceType, err error) error {
-	return fmt.Errorf("failed to load %s from disk: %w", t, err)
+	return &Error{Source: t, Kind: KindLoad, Err: err}
 }
 
 func ParsingError(t ErrorSourceType, err error) error {
-	return fmt.Errorf("failed to parse %s: %w", t, err)
+	return &Error{Source: t, Kind: KindParse, Err: err}
 }
 
 func DecodeError(t ErrorSourceType, err error) error {
-	return fmt.Errorf("failed to decode %s: %w", t, err)
+	return &Error{Source: t, Kind: KindDecode, Err: err}
 }
 
 func VerifyError(t ErrorSourceType, err error) error {
-	return fmt.Errorf("failed to verify %s: %w", t, err)
+	return &Error{Source: t, Kind: KindVerify, Err: err}
 }
 
 var ErrEncryptedPrivateKey = errors.New("private key is encrypted")

certlib/certerr/errors_test.go

@@ -0,0 +1,56 @@
+//nolint:testpackage // keep tests in the same package for internal symbol access
+package certerr
+
+import (
+	"errors"
+	"strings"
+	"testing"
+)
+
+func TestTypedErrorWrappingAndFormatting(t *testing.T) {
+	cause := errors.New("bad data")
+	err := DecodeError(ErrorSourceCertificate, cause)
+
+	// Ensure we can retrieve the typed error
+	var e *Error
+	if !errors.As(err, &e) {
+		t.Fatalf("expected errors.As to retrieve *certerr.Error, got %T", err)
+	}
+	if e.Kind != KindDecode {
+		t.Fatalf("unexpected kind: %v", e.Kind)
+	}
+	if e.Source != ErrorSourceCertificate {
+		t.Fatalf("unexpected source: %v", e.Source)
+	}
+
+	// Check message format (no trailing punctuation enforced by content)
+	msg := e.Error()
+	if !strings.Contains(msg, "failed to decode certificate") || !strings.Contains(msg, "bad data") {
+		t.Fatalf("unexpected error message: %q", msg)
+	}
+}
+
+func TestErrorsIsOnWrappedSentinel(t *testing.T) {
+	err := DecodeError(ErrorSourcePrivateKey, ErrEncryptedPrivateKey)
+	if !errors.Is(err, ErrEncryptedPrivateKey) {
+		t.Fatalf("expected errors.Is to match ErrEncryptedPrivateKey")
+	}
+}
+
+func TestInvalidPEMTypeMessageSingle(t *testing.T) {
+	err := ErrInvalidPEMType("FOO", "CERTIFICATE")
+	want := "invalid PEM type: have FOO, expected CERTIFICATE"
+	if err.Error() != want {
+		t.Fatalf("unexpected error message: got %q, want %q", err.Error(), want)
+	}
+}
+
+func TestInvalidPEMTypeMessageMultiple(t *testing.T) {
+	err := ErrInvalidPEMType("FOO", "CERTIFICATE", "NEW CERTIFICATE REQUEST")
+	if !strings.Contains(
+		err.Error(),
+		"invalid PEM type: have FOO, expected one of CERTIFICATE, NEW CERTIFICATE REQUEST",
+	) {
+		t.Fatalf("unexpected error message: %q", err.Error())
+	}
+}

certlib/certgen/config.go

@@ -0,0 +1,224 @@
+package certgen
+
+import (
+	"crypto"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"fmt"
+	"math/big"
+	"net"
+	"strings"
+	"time"
+
+	"git.wntrmute.dev/kyle/goutils/lib"
+)
+
+type KeySpec struct {
+	Algorithm string `yaml:"algorithm"`
+	Size      int    `yaml:"size"`
+}
+
+func (ks KeySpec) Generate() (crypto.PublicKey, crypto.PrivateKey, error) {
+	switch strings.ToLower(ks.Algorithm) {
+	case "rsa":
+		return GenerateKey(x509.RSA, ks.Size)
+	case "ecdsa":
+		return GenerateKey(x509.ECDSA, ks.Size)
+	case "ed25519":
+		return GenerateKey(x509.Ed25519, 0)
+	default:
+		return nil, nil, fmt.Errorf("unknown key algorithm: %s", ks.Algorithm)
+	}
+}
+
+func (ks KeySpec) SigningAlgorithm() (x509.SignatureAlgorithm, error) {
+	switch strings.ToLower(ks.Algorithm) {
+	case "rsa":
+		return x509.SHA512WithRSAPSS, nil
+	case "ecdsa":
+		return x509.ECDSAWithSHA512, nil
+	case "ed25519":
+		return x509.PureEd25519, nil
+	default:
+		return 0, fmt.Errorf("unknown key algorithm: %s", ks.Algorithm)
+	}
+}
+
+type Subject struct {
+	CommonName         string   `yaml:"common_name"`
+	Country            string   `yaml:"country"`
+	Locality           string   `yaml:"locality"`
+	Province           string   `yaml:"province"`
+	Organization       string   `yaml:"organization"`
+	OrganizationalUnit string   `yaml:"organizational_unit"`
+	Email              string   `yaml:"email"`
+	DNSNames           []string `yaml:"dns"`
+	IPAddresses        []string `yaml:"ips"`
+}
+
+type CertificateRequest struct {
+	KeySpec KeySpec `yaml:"key"`
+	Subject Subject `yaml:"subject"`
+	Profile Profile `yaml:"profile"`
+}
+
+func (cs CertificateRequest) Request(priv crypto.PrivateKey) (*x509.CertificateRequest, error) {
+	subject := pkix.Name{}
+	subject.CommonName = cs.Subject.CommonName
+	subject.Country = []string{cs.Subject.Country}
+	subject.Locality = []string{cs.Subject.Locality}
+	subject.Province = []string{cs.Subject.Province}
+	subject.Organization = []string{cs.Subject.Organization}
+	subject.OrganizationalUnit = []string{cs.Subject.OrganizationalUnit}
+
+	ipAddresses := make([]net.IP, 0, len(cs.Subject.IPAddresses))
+	for i, ip := range cs.Subject.IPAddresses {
+		ipAddresses = append(ipAddresses, net.ParseIP(ip))
+		if ipAddresses[i] == nil {
+			return nil, fmt.Errorf("invalid IP address: %s", ip)
+		}
+	}
+
+	req := &x509.CertificateRequest{
+		PublicKeyAlgorithm: 0,
+		PublicKey:          getPublic(priv),
+		Subject:            subject,
+		DNSNames:           cs.Subject.DNSNames,
+		IPAddresses:        ipAddresses,
+	}
+
+	reqBytes, err := x509.CreateCertificateRequest(rand.Reader, req, priv)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create certificate request: %w", err)
+	}
+
+	req, err = x509.ParseCertificateRequest(reqBytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse certificate request: %w", err)
+	}
+
+	return req, nil
+}
+
+func (cs CertificateRequest) Generate() (crypto.PrivateKey, *x509.CertificateRequest, error) {
+	_, priv, err := cs.KeySpec.Generate()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	req, err := cs.Request(priv)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return priv, req, nil
+}
+
+type Profile struct {
+	IsCA         bool     `yaml:"is_ca"`
+	PathLen      int      `yaml:"path_len"`
+	KeyUse       string   `yaml:"key_uses"`
+	ExtKeyUsages []string `yaml:"ext_key_usages"`
+	Expiry       string   `yaml:"expiry"`
+}
+
+func (p Profile) templateFromRequest(req *x509.CertificateRequest) (*x509.Certificate, error) {
+	serial, err := SerialNumber()
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate serial number: %w", err)
+	}
+
+	expiry, err := lib.ParseDuration(p.Expiry)
+	if err != nil {
+		return nil, fmt.Errorf("parsing expiry: %w", err)
+	}
+
+	certTemplate := &x509.Certificate{
+		SignatureAlgorithm:    req.SignatureAlgorithm,
+		PublicKeyAlgorithm:    req.PublicKeyAlgorithm,
+		PublicKey:             req.PublicKey,
+		SerialNumber:          serial,
+		Subject:               req.Subject,
+		NotBefore:             time.Now().Add(-1 * time.Hour),
+		NotAfter:              time.Now().Add(expiry),
+		BasicConstraintsValid: true,
+		IsCA:                  p.IsCA,
+		MaxPathLen:            p.PathLen,
+		DNSNames:              req.DNSNames,
+		IPAddresses:           req.IPAddresses,
+	}
+
+	var ok bool
+	certTemplate.KeyUsage, ok = keyUsageStrings[p.KeyUse]
+	if !ok {
+		return nil, fmt.Errorf("invalid key usage: %s", p.KeyUse)
+	}
+
+	var eku x509.ExtKeyUsage
+	for _, extKeyUsage := range p.ExtKeyUsages {
+		eku, ok = extKeyUsageStrings[extKeyUsage]
+		if !ok {
+			return nil, fmt.Errorf("invalid extended key usage: %s", extKeyUsage)
+		}
+		certTemplate.ExtKeyUsage = append(certTemplate.ExtKeyUsage, eku)
+	}
+
+	return certTemplate, nil
+}
+
+func (p Profile) SignRequest(
+	parent *x509.Certificate,
+	req *x509.CertificateRequest,
+	priv crypto.PrivateKey,
+) (*x509.Certificate, error) {
+	tpl, err := p.templateFromRequest(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create certificate template: %w", err)
+	}
+
+	certBytes, err := x509.CreateCertificate(rand.Reader, tpl, parent, req.PublicKey, priv)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create certificate: %w", err)
+	}
+
+	cert, err := x509.ParseCertificate(certBytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse certificate: %w", err)
+	}
+
+	return cert, nil
+}
+
+func (p Profile) SelfSign(req *x509.CertificateRequest, priv crypto.PrivateKey) (*x509.Certificate, error) {
+	certTemplate, err := p.templateFromRequest(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create certificate template: %w", err)
+	}
+
+	return p.SignRequest(certTemplate, req, priv)
+}
+
+func SerialNumber() (*big.Int, error) {
+	serialNumberBytes := make([]byte, 20)
+	_, err := rand.Read(serialNumberBytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate serial number: %w", err)
+	}
+	return new(big.Int).SetBytes(serialNumberBytes), nil
+}
+
+// GenerateSelfSigned generates a self-signed certificate using the given certificate request.
+func GenerateSelfSigned(creq *CertificateRequest) (*x509.Certificate, crypto.PrivateKey, error) {
+	priv, req, err := creq.Generate()
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to generate certificate request: %w", err)
+	}
+
+	cert, err := creq.Profile.SelfSign(req, priv)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to self-sign certificate: %w", err)
+	}
+
+	return cert, priv, nil
+}

certlib/certgen/keygen.go

@@ -0,0 +1,86 @@
+package certgen
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"errors"
+	"fmt"
+)
+
+// var (
+//	oidEd25519 = asn1.ObjectIdentifier{1, 3, 101, 110}
+//)
+
+func GenerateKey(algorithm x509.PublicKeyAlgorithm, bitSize int) (crypto.PublicKey, crypto.PrivateKey, error) {
+	var key crypto.PrivateKey
+	var pub crypto.PublicKey
+	var err error
+
+	switch algorithm {
+	case x509.Ed25519:
+		pub, key, err = ed25519.GenerateKey(rand.Reader)
+	case x509.RSA:
+		key, err = rsa.GenerateKey(rand.Reader, bitSize)
+		if err == nil {
+			rsaPriv, ok := key.(*rsa.PrivateKey)
+			if !ok {
+				panic("failed to cast RSA private key to *rsa.PrivateKey")
+			}
+
+			pub = rsaPriv.Public()
+		}
+	case x509.ECDSA:
+		var curve elliptic.Curve
+
+		switch bitSize {
+		case 256:
+			curve = elliptic.P256()
+		case 384:
+			curve = elliptic.P384()
+		case 521:
+			curve = elliptic.P521()
+		default:
+			return nil, nil, fmt.Errorf("unsupported curve size %d", bitSize)
+		}
+
+		key, err = ecdsa.GenerateKey(curve, rand.Reader)
+		if err == nil {
+			ecPriv, ok := key.(*ecdsa.PrivateKey)
+			if !ok {
+				panic("failed to cast ECDSA private key to *ecdsa.PrivateKey")
+			}
+
+			pub = ecPriv.Public()
+		}
+	case x509.DSA:
+		fallthrough
+	case x509.UnknownPublicKeyAlgorithm:
+		fallthrough
+	default:
+		err = errors.New("unsupported algorithm")
+	}
+
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return pub, key, nil
+}
+
+func getPublic(priv crypto.PrivateKey) crypto.PublicKey {
+	switch priv := priv.(type) {
+	case *rsa.PrivateKey:
+		return &priv.PublicKey
+	case *ecdsa.PrivateKey:
+		return &priv.PublicKey
+	case *ed25519.PrivateKey:
+		return priv.Public()
+	default:
+		return nil
+	}
+}

certlib/certgen/ku.go

@@ -0,0 +1,32 @@
+package certgen
+
+import "crypto/x509"
+
+var keyUsageStrings = map[string]x509.KeyUsage{
+	"signing":            x509.KeyUsageDigitalSignature,
+	"digital signature":  x509.KeyUsageDigitalSignature,
+	"content commitment": x509.KeyUsageContentCommitment,
+	"key encipherment":   x509.KeyUsageKeyEncipherment,
+	"key agreement":      x509.KeyUsageKeyAgreement,
+	"data encipherment":  x509.KeyUsageDataEncipherment,
+	"cert sign":          x509.KeyUsageCertSign,
+	"crl sign":           x509.KeyUsageCRLSign,
+	"encipher only":      x509.KeyUsageEncipherOnly,
+	"decipher only":      x509.KeyUsageDecipherOnly,
+}
+
+var extKeyUsageStrings = map[string]x509.ExtKeyUsage{
+	"any":              x509.ExtKeyUsageAny,
+	"server auth":      x509.ExtKeyUsageServerAuth,
+	"client auth":      x509.ExtKeyUsageClientAuth,
+	"code signing":     x509.ExtKeyUsageCodeSigning,
+	"email protection": x509.ExtKeyUsageEmailProtection,
+	"s/mime":           x509.ExtKeyUsageEmailProtection,
+	"ipsec end system": x509.ExtKeyUsageIPSECEndSystem,
+	"ipsec tunnel":     x509.ExtKeyUsageIPSECTunnel,
+	"ipsec user":       x509.ExtKeyUsageIPSECUser,
+	"timestamping":     x509.ExtKeyUsageTimeStamping,
+	"ocsp signing":     x509.ExtKeyUsageOCSPSigning,
+	"microsoft sgc":    x509.ExtKeyUsageMicrosoftServerGatedCrypto,
+	"netscape sgc":     x509.ExtKeyUsageNetscapeServerGatedCrypto,
+}

certlib/certlib.go

@@ -1,46 +1,66 @@
 package certlib
 
 import (
+	"bytes"
+	"crypto"
+	"crypto/dsa"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
+	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
-	"io/ioutil"
+	"fmt"
+	"os"
+	"strings"
 
 	"git.wntrmute.dev/kyle/goutils/certlib/certerr"
 )
 
 // ReadCertificate reads a DER or PEM-encoded certificate from the
 // byte slice.
-func ReadCertificate(in []byte) (cert *x509.Certificate, rest []byte, err error) {
+func ReadCertificate(in []byte) (*x509.Certificate, []byte, error) {
+	in = bytes.TrimSpace(in)
 	if len(in) == 0 {
-		err = certerr.ErrEmptyCertificate
+		return nil, nil, certerr.ParsingError(certerr.ErrorSourceCertificate, certerr.ErrEmptyCertificate)
-		return
 	}
 
 	if in[0] == '-' {
 		p, remaining := pem.Decode(in)
 		if p == nil {
-			err = errors.New("certlib: invalid PEM file")
+			return nil, nil, certerr.ParsingError(certerr.ErrorSourceCertificate, errors.New("invalid PEM file"))
-			return
 		}
 
-		rest = remaining
+		rest := remaining
-		if p.Type != "CERTIFICATE" {
+		if p.Type != pemTypeCertificate {
-			err = certerr.ErrInvalidPEMType(p.Type, "CERTIFICATE")
+			return nil, rest, certerr.ParsingError(
-			return
+				certerr.ErrorSourceCertificate,
+				certerr.ErrInvalidPEMType(p.Type, pemTypeCertificate),
+			)
 		}
 
 		in = p.Bytes
+		cert, err := x509.ParseCertificate(in)
+		if err != nil {
+			return nil, rest, certerr.ParsingError(certerr.ErrorSourceCertificate, err)
+		}
+		return cert, rest, nil
 	}
 
-	cert, err = x509.ParseCertificate(in)
+	cert, err := x509.ParseCertificate(in)
-	return
+	if err != nil {
+		return nil, nil, certerr.ParsingError(certerr.ErrorSourceCertificate, err)
+	}
+	return cert, nil, nil
 }
 
 // ReadCertificates tries to read all the certificates in a
 // PEM-encoded collection.
-func ReadCertificates(in []byte) (certs []*x509.Certificate, err error) {
+func ReadCertificates(in []byte) ([]*x509.Certificate, error) {
 	var cert *x509.Certificate
+	var certs []*x509.Certificate
+	var err error
 	for {
 		cert, in, err = ReadCertificate(in)
 		if err != nil {
@@ -64,9 +84,9 @@ func ReadCertificates(in []byte) (certs []*x509.Certificate, err error) {
 // the file contains multiple certificates (e.g. a chain), only the
 // first certificate is returned.
 func LoadCertificate(path string) (*x509.Certificate, error) {
-	in, err := ioutil.ReadFile(path)
+	in, err := os.ReadFile(path)
 	if err != nil {
-		return nil, err
+		return nil, certerr.LoadingError(certerr.ErrorSourceCertificate, err)
 	}
 
 	cert, _, err := ReadCertificate(in)
@@ -76,10 +96,201 @@ func LoadCertificate(path string) (*x509.Certificate, error) {
 // LoadCertificates tries to read all the certificates in a file,
 // returning them in the order that it found them in the file.
 func LoadCertificates(path string) ([]*x509.Certificate, error) {
-	in, err := ioutil.ReadFile(path)
+	in, err := os.ReadFile(path)
 	if err != nil {
-		return nil, err
+		return nil, certerr.LoadingError(certerr.ErrorSourceCertificate, err)
 	}
 
 	return ReadCertificates(in)
 }
+
+func PoolFromBytes(certBytes []byte) (*x509.CertPool, error) {
+	pool := x509.NewCertPool()
+
+	certs, err := ReadCertificates(certBytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read certificates: %w", err)
+	}
+
+	for _, cert := range certs {
+		pool.AddCert(cert)
+	}
+
+	return pool, nil
+}
+
+func ExportPrivateKeyPEM(priv crypto.PrivateKey) ([]byte, error) {
+	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
+	if err != nil {
+		return nil, err
+	}
+
+	return pem.EncodeToMemory(&pem.Block{Type: pemTypePrivateKey, Bytes: keyDER}), nil
+}
+
+func LoadCSR(path string) (*x509.CertificateRequest, error) {
+	in, err := os.ReadFile(path)
+	if err != nil {
+		return nil, certerr.LoadingError(certerr.ErrorSourceCSR, err)
+	}
+
+	req, _, err := ParseCSR(in)
+	return req, err
+}
+
+func ExportCSRAsPEM(req *x509.CertificateRequest) []byte {
+	return pem.EncodeToMemory(&pem.Block{Type: pemTypeCertificateRequest, Bytes: req.Raw})
+}
+
+type FileFormat uint8
+
+const (
+	FormatPEM FileFormat = iota + 1
+	FormatDER
+)
+
+func (f FileFormat) String() string {
+	switch f {
+	case FormatPEM:
+		return "PEM"
+	case FormatDER:
+		return "DER"
+	default:
+		return "unknown"
+	}
+}
+
+type KeyAlgo struct {
+	Type  x509.PublicKeyAlgorithm
+	Size  int
+	curve elliptic.Curve
+}
+
+func (ka KeyAlgo) String() string {
+	switch ka.Type {
+	case x509.RSA:
+		return fmt.Sprintf("RSA-%d", ka.Size)
+	case x509.ECDSA:
+		return fmt.Sprintf("ECDSA-%s", ka.curve.Params().Name)
+	case x509.Ed25519:
+		return "Ed25519"
+	case x509.DSA:
+		return "DSA"
+	default:
+		return "unknown"
+	}
+}
+
+func publicKeyAlgoFromPublicKey(key crypto.PublicKey) KeyAlgo {
+	switch key := key.(type) {
+	case *rsa.PublicKey:
+		return KeyAlgo{
+			Type: x509.RSA,
+			Size: key.N.BitLen(),
+		}
+	case *ecdsa.PublicKey:
+		return KeyAlgo{
+			Type:  x509.ECDSA,
+			curve: key.Curve,
+			Size:  key.Params().BitSize,
+		}
+	case *ed25519.PublicKey:
+		return KeyAlgo{
+			Type: x509.Ed25519,
+		}
+	case *dsa.PublicKey:
+		return KeyAlgo{
+			Type: x509.DSA,
+		}
+	default:
+		return KeyAlgo{
+			Type: x509.UnknownPublicKeyAlgorithm,
+		}
+	}
+}
+
+func publicKeyAlgoFromKey(key crypto.PrivateKey) KeyAlgo {
+	switch key := key.(type) {
+	case *rsa.PrivateKey:
+		return KeyAlgo{
+			Type: x509.RSA,
+			Size: key.PublicKey.N.BitLen(),
+		}
+	case *ecdsa.PrivateKey:
+		return KeyAlgo{
+			Type:  x509.ECDSA,
+			curve: key.PublicKey.Curve,
+			Size:  key.Params().BitSize,
+		}
+	case *ed25519.PrivateKey:
+		return KeyAlgo{
+			Type: x509.Ed25519,
+		}
+	case *dsa.PrivateKey:
+		return KeyAlgo{
+			Type: x509.DSA,
+		}
+	default:
+		return KeyAlgo{
+			Type: x509.UnknownPublicKeyAlgorithm,
+		}
+	}
+}
+
+func publicKeyAlgoFromCert(cert *x509.Certificate) KeyAlgo {
+	return publicKeyAlgoFromPublicKey(cert.PublicKey)
+}
+
+func publicKeyAlgoFromCSR(csr *x509.CertificateRequest) KeyAlgo {
+	return publicKeyAlgoFromPublicKey(csr.PublicKeyAlgorithm)
+}
+
+type FileType struct {
+	Format FileFormat
+	Type   string
+	Algo   KeyAlgo
+}
+
+func (ft FileType) String() string {
+	if ft.Type == "" {
+		return ft.Format.String()
+	}
+	return fmt.Sprintf("%s %s (%s)", ft.Algo, ft.Type, ft.Format)
+}
+
+// FileKind returns the file type of the given file.
+func FileKind(path string) (*FileType, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	ft := &FileType{Format: FormatDER}
+
+	block, _ := pem.Decode(data)
+	if block != nil {
+		data = block.Bytes
+		ft.Type = strings.ToLower(block.Type)
+		ft.Format = FormatPEM
+	}
+	
+	cert, err := x509.ParseCertificate(data)
+	if err == nil {
+		ft.Algo = publicKeyAlgoFromCert(cert)
+		return ft, nil
+	}
+
+	csr, err := x509.ParseCertificateRequest(data)
+	if err == nil {
+		ft.Algo = publicKeyAlgoFromCSR(csr)
+		return ft, nil
+	}
+
+	priv, err := x509.ParsePKCS8PrivateKey(data)
+	if err == nil {
+		ft.Algo = publicKeyAlgoFromKey(priv)
+		return ft, nil
+	}
+
+	return nil, errors.New("certlib; unknown file type")
+}

certlib/certlib_test.go

@@ -1,7 +1,11 @@
+//nolint:testpackage // keep tests in the same package for internal symbol access
 package certlib
 
 import (
+	"crypto/elliptic"
+	"crypto/x509"
 	"fmt"
+	"strings"
 	"testing"
 
 	"git.wntrmute.dev/kyle/goutils/assert"
@@ -137,3 +141,33 @@ func TestReadCertificates(t *testing.T) {
 		assert.BoolT(t, cert != nil, "lib: expected an actual certificate to have been returned")
 	}
 }
+
+var (
+	ecTestCACert = "testdata/ec-ca-cert.pem"
+	ecTestCAPriv = "testdata/ec-ca-priv.pem"
+	ecTestCAReq  = "testdata/ec-ca-cert.csr"
+)
+
+func TestFileTypeEC(t *testing.T) {
+	ft, err := FileKind(ecTestCAPriv)
+	assert.NoErrorT(t, err)
+
+	if ft.Format != FormatPEM {
+		t.Errorf("certlib: expected format '%s', got '%s'", FormatPEM, ft.Format)
+	}
+
+	if ft.Type != strings.ToLower(pemTypePrivateKey) {
+		t.Errorf("certlib: expected type '%s', got '%s'",
+			strings.ToLower(pemTypePrivateKey), ft.Type)
+	}
+
+	expectedAlgo := KeyAlgo{
+		Type:  x509.ECDSA,
+		Size:  521,
+		curve: elliptic.P521(),
+	}
+
+	if ft.Algo.String() != expectedAlgo.String() {
+		t.Errorf("certlib: expected algo '%s', got '%s'", expectedAlgo, ft.Algo)
+	}
+}

certlib/der_helpers.go

@@ -38,6 +38,7 @@ import (
 	"crypto/ed25519"
 	"crypto/rsa"
 	"crypto/x509"
+	"errors"
 	"fmt"
 
 	"git.wntrmute.dev/kyle/goutils/certlib/certerr"
@@ -47,29 +48,36 @@ import (
 // private key. The key must not be in PEM format. If an error is returned, it
 // may contain information about the private key, so care should be taken when
 // displaying it directly.
-func ParsePrivateKeyDER(keyDER []byte) (key crypto.Signer, err error) {
+func ParsePrivateKeyDER(keyDER []byte) (crypto.Signer, error) {
-	generalKey, err := x509.ParsePKCS8PrivateKey(keyDER)
+	// Try common encodings in order without deep nesting.
-	if err != nil {
+	if k, err := x509.ParsePKCS8PrivateKey(keyDER); err == nil {
-		generalKey, err = x509.ParsePKCS1PrivateKey(keyDER)
+		switch kk := k.(type) {
-		if err != nil {
+		case *rsa.PrivateKey:
-			generalKey, err = x509.ParseECPrivateKey(keyDER)
+			return kk, nil
-			if err != nil {
+		case *ecdsa.PrivateKey:
-				generalKey, err = ParseEd25519PrivateKey(keyDER)
+			return kk, nil
-				if err != nil {
+		case ed25519.PrivateKey:
-					return nil, certerr.ParsingError(certerr.ErrorSourcePrivateKey, err)
+			return kk, nil
-				}
+		default:
-			}
+			return nil, certerr.ParsingError(certerr.ErrorSourcePrivateKey, fmt.Errorf("unknown key type %T", k))
 		}
 	}
-
+	if k, err := x509.ParsePKCS1PrivateKey(keyDER); err == nil {
-	switch generalKey := generalKey.(type) {
+		return k, nil
-	case *rsa.PrivateKey:
-		return generalKey, nil
-	case *ecdsa.PrivateKey:
-		return generalKey, nil
-	case ed25519.PrivateKey:
-		return generalKey, nil
-	default:
-		return nil, certerr.ParsingError(certerr.ErrorSourcePrivateKey, fmt.Errorf("unknown key type %t", generalKey))
 	}
+	if k, err := x509.ParseECPrivateKey(keyDER); err == nil {
+		return k, nil
+	}
+	if k, err := ParseEd25519PrivateKey(keyDER); err == nil {
+		if kk, ok := k.(ed25519.PrivateKey); ok {
+			return kk, nil
+		}
+		return nil, certerr.ParsingError(certerr.ErrorSourcePrivateKey, fmt.Errorf("unknown key type %T", k))
+	}
+	// If all parsers failed, return the last error from Ed25519 attempt (approximate cause).
+	if _, err := ParseEd25519PrivateKey(keyDER); err != nil {
+		return nil, certerr.ParsingError(certerr.ErrorSourcePrivateKey, err)
+	}
+	// Fallback (should be unreachable)
+	return nil, certerr.ParsingError(certerr.ErrorSourcePrivateKey, errors.New("unknown key encoding"))
 }

certlib/dump/dump.go

@@ -0,0 +1,335 @@
+// Package dump implements tooling for dumping certificate information.
+package dump
+
+import (
+	"crypto/dsa"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"fmt"
+	"io"
+	"os"
+	"sort"
+	"strings"
+
+	"github.com/kr/text"
+
+	"git.wntrmute.dev/kyle/goutils/lib"
+)
+
+const (
+	sSHA256 = "SHA256"
+	sSHA512 = "SHA512"
+)
+
+var keyUsage = map[x509.KeyUsage]string{
+	x509.KeyUsageDigitalSignature:  "digital signature",
+	x509.KeyUsageContentCommitment: "content commitment",
+	x509.KeyUsageKeyEncipherment:   "key encipherment",
+	x509.KeyUsageKeyAgreement:      "key agreement",
+	x509.KeyUsageDataEncipherment:  "data encipherment",
+	x509.KeyUsageCertSign:          "cert sign",
+	x509.KeyUsageCRLSign:           "crl sign",
+	x509.KeyUsageEncipherOnly:      "encipher only",
+	x509.KeyUsageDecipherOnly:      "decipher only",
+}
+
+var extKeyUsages = map[x509.ExtKeyUsage]string{
+	x509.ExtKeyUsageAny:                            "any",
+	x509.ExtKeyUsageServerAuth:                     "server auth",
+	x509.ExtKeyUsageClientAuth:                     "client auth",
+	x509.ExtKeyUsageCodeSigning:                    "code signing",
+	x509.ExtKeyUsageEmailProtection:                "s/mime",
+	x509.ExtKeyUsageIPSECEndSystem:                 "ipsec end system",
+	x509.ExtKeyUsageIPSECTunnel:                    "ipsec tunnel",
+	x509.ExtKeyUsageIPSECUser:                      "ipsec user",
+	x509.ExtKeyUsageTimeStamping:                   "timestamping",
+	x509.ExtKeyUsageOCSPSigning:                    "ocsp signing",
+	x509.ExtKeyUsageMicrosoftServerGatedCrypto:     "microsoft sgc",
+	x509.ExtKeyUsageNetscapeServerGatedCrypto:      "netscape sgc",
+	x509.ExtKeyUsageMicrosoftCommercialCodeSigning: "microsoft commercial code signing",
+	x509.ExtKeyUsageMicrosoftKernelCodeSigning:     "microsoft kernel code signing",
+}
+
+func sigAlgoPK(a x509.SignatureAlgorithm) string {
+	switch a {
+	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA:
+		return "RSA"
+	case x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS:
+		return "RSA-PSS"
+	case x509.ECDSAWithSHA1, x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
+		return "ECDSA"
+	case x509.DSAWithSHA1, x509.DSAWithSHA256:
+		return "DSA"
+	case x509.PureEd25519:
+		return "Ed25519"
+	case x509.UnknownSignatureAlgorithm:
+		return "unknown public key algorithm"
+	default:
+		return "unknown public key algorithm"
+	}
+}
+
+func sigAlgoHash(a x509.SignatureAlgorithm) string {
+	switch a {
+	case x509.MD2WithRSA:
+		return "MD2"
+	case x509.MD5WithRSA:
+		return "MD5"
+	case x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1:
+		return "SHA1"
+	case x509.SHA256WithRSA, x509.ECDSAWithSHA256, x509.DSAWithSHA256:
+		return sSHA256
+	case x509.SHA256WithRSAPSS:
+		return sSHA256
+	case x509.SHA384WithRSA, x509.ECDSAWithSHA384:
+		return "SHA384"
+	case x509.SHA384WithRSAPSS:
+		return "SHA384"
+	case x509.SHA512WithRSA, x509.ECDSAWithSHA512:
+		return sSHA512
+	case x509.SHA512WithRSAPSS:
+		return sSHA512
+	case x509.PureEd25519:
+		return sSHA512
+	case x509.UnknownSignatureAlgorithm:
+		return "unknown hash algorithm"
+	default:
+		return "unknown hash algorithm"
+	}
+}
+
+const maxLine = 78
+
+func makeIndent(n int) string {
+	s := "    "
+	var sSb97 strings.Builder
+	for range n {
+		sSb97.WriteString("        ")
+	}
+	s += sSb97.String()
+	return s
+}
+
+func indentLen(n int) int {
+	return 4 + (8 * n)
+}
+
+// this isn't real efficient, but that's not a problem here.
+func wrap(s string, indent int) string {
+	if indent > 3 {
+		indent = 3
+	}
+
+	wrapped := text.Wrap(s, maxLine)
+	lines := strings.SplitN(wrapped, "\n", 2)
+	if len(lines) == 1 {
+		return lines[0]
+	}
+
+	if (maxLine - indentLen(indent)) <= 0 {
+		panic("too much indentation")
+	}
+
+	rest := strings.Join(lines[1:], " ")
+	wrapped = text.Wrap(rest, maxLine-indentLen(indent))
+	return lines[0] + "\n" + text.Indent(wrapped, makeIndent(indent))
+}
+
+func dumpHex(in []byte) string {
+	return lib.HexEncode(in, lib.HexEncodeUpperColon)
+}
+
+func certPublic(cert *x509.Certificate) string {
+	switch pub := cert.PublicKey.(type) {
+	case *rsa.PublicKey:
+		return fmt.Sprintf("RSA-%d", pub.N.BitLen())
+	case *ecdsa.PublicKey:
+		switch pub.Curve {
+		case elliptic.P256():
+			return "ECDSA-prime256v1"
+		case elliptic.P384():
+			return "ECDSA-secp384r1"
+		case elliptic.P521():
+			return "ECDSA-secp521r1"
+		default:
+			return "ECDSA (unknown curve)"
+		}
+	case *dsa.PublicKey:
+		return "DSA"
+	default:
+		return "Unknown"
+	}
+}
+
+func DisplayName(name pkix.Name) string {
+	var ns []string
+
+	if name.CommonName != "" {
+		ns = append(ns, name.CommonName)
+	}
+
+	for i := range name.Country {
+		ns = append(ns, fmt.Sprintf("C=%s", name.Country[i]))
+	}
+
+	for i := range name.Organization {
+		ns = append(ns, fmt.Sprintf("O=%s", name.Organization[i]))
+	}
+
+	for i := range name.OrganizationalUnit {
+		ns = append(ns, fmt.Sprintf("OU=%s", name.OrganizationalUnit[i]))
+	}
+
+	for i := range name.Locality {
+		ns = append(ns, fmt.Sprintf("L=%s", name.Locality[i]))
+	}
+
+	for i := range name.Province {
+		ns = append(ns, fmt.Sprintf("ST=%s", name.Province[i]))
+	}
+
+	if len(ns) > 0 {
+		return "/" + strings.Join(ns, "/")
+	}
+
+	return "*** no subject information ***"
+}
+
+func keyUsages(ku x509.KeyUsage) string {
+	var uses []string
+
+	for u, s := range keyUsage {
+		if (ku & u) != 0 {
+			uses = append(uses, s)
+		}
+	}
+	sort.Strings(uses)
+
+	return strings.Join(uses, ", ")
+}
+
+func extUsage(ext []x509.ExtKeyUsage) string {
+	ns := make([]string, 0, len(ext))
+	for i := range ext {
+		ns = append(ns, extKeyUsages[ext[i]])
+	}
+	sort.Strings(ns)
+
+	return strings.Join(ns, ", ")
+}
+
+func showBasicConstraints(cert *x509.Certificate) {
+	fmt.Fprint(os.Stdout, "\tBasic constraints: ")
+	if cert.BasicConstraintsValid {
+		fmt.Fprint(os.Stdout, "valid")
+	} else {
+		fmt.Fprint(os.Stdout, "invalid")
+	}
+
+	if cert.IsCA {
+		fmt.Fprint(os.Stdout, ", is a CA certificate")
+		if !cert.BasicConstraintsValid {
+			fmt.Fprint(os.Stdout, " (basic constraint failure)")
+		}
+	} else {
+		fmt.Fprint(os.Stdout, ", is not a CA certificate")
+		if cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0 {
+			fmt.Fprint(os.Stdout, " (key encipherment usage enabled!)")
+		}
+	}
+
+	if (cert.MaxPathLen == 0 && cert.MaxPathLenZero) || (cert.MaxPathLen > 0) {
+		fmt.Fprintf(os.Stdout, ", max path length %d", cert.MaxPathLen)
+	}
+
+	fmt.Fprintln(os.Stdout)
+}
+
+func wrapPrint(text string, indent int) {
+	tabs := ""
+	var tabsSb140 strings.Builder
+	for range indent {
+		tabsSb140.WriteString("\t")
+	}
+	tabs += tabsSb140.String()
+
+	fmt.Fprintf(os.Stdout, tabs+"%s\n", wrap(text, indent))
+}
+
+func DisplayCert(w io.Writer, cert *x509.Certificate, showHash bool) {
+	fmt.Fprintln(w, "CERTIFICATE")
+	if showHash {
+		fmt.Fprintln(w, wrap(fmt.Sprintf("SHA256: %x", sha256.Sum256(cert.Raw)), 0))
+	}
+
+	fmt.Fprintln(w, wrap("Subject: "+DisplayName(cert.Subject), 0))
+	fmt.Fprintln(w, wrap("Issuer: "+DisplayName(cert.Issuer), 0))
+	fmt.Fprintf(w, "\tSignature algorithm: %s / %s\n", sigAlgoPK(cert.SignatureAlgorithm),
+		sigAlgoHash(cert.SignatureAlgorithm))
+	fmt.Fprintln(w, "Details:")
+	wrapPrint("Public key: "+certPublic(cert), 1)
+	fmt.Fprintf(w, "\tSerial number: %s\n", cert.SerialNumber)
+
+	if len(cert.AuthorityKeyId) > 0 {
+		fmt.Fprintf(w, "\t%s\n", wrap("AKI: "+dumpHex(cert.AuthorityKeyId), 1))
+	}
+	if len(cert.SubjectKeyId) > 0 {
+		fmt.Fprintf(w, "\t%s\n", wrap("SKI: "+dumpHex(cert.SubjectKeyId), 1))
+	}
+
+	wrapPrint("Valid from: "+cert.NotBefore.Format(lib.DateShortFormat), 1)
+	fmt.Fprintf(w, "\t     until: %s\n", cert.NotAfter.Format(lib.DateShortFormat))
+	fmt.Fprintf(w, "\tKey usages: %s\n", keyUsages(cert.KeyUsage))
+
+	if len(cert.ExtKeyUsage) > 0 {
+		fmt.Fprintf(w, "\tExtended usages: %s\n", extUsage(cert.ExtKeyUsage))
+	}
+
+	showBasicConstraints(cert)
+
+	validNames := make([]string, 0, len(cert.DNSNames)+len(cert.EmailAddresses)+len(cert.IPAddresses))
+	for i := range cert.DNSNames {
+		validNames = append(validNames, "dns:"+cert.DNSNames[i])
+	}
+
+	for i := range cert.EmailAddresses {
+		validNames = append(validNames, "email:"+cert.EmailAddresses[i])
+	}
+
+	for i := range cert.IPAddresses {
+		validNames = append(validNames, "ip:"+cert.IPAddresses[i].String())
+	}
+
+	sans := fmt.Sprintf("SANs (%d): %s\n", len(validNames), strings.Join(validNames, ", "))
+	wrapPrint(sans, 1)
+
+	l := len(cert.IssuingCertificateURL)
+	if l != 0 {
+		var aia string
+		if l == 1 {
+			aia = "AIA"
+		} else {
+			aia = "AIAs"
+		}
+		wrapPrint(fmt.Sprintf("%d %s:", l, aia), 1)
+		for _, url := range cert.IssuingCertificateURL {
+			wrapPrint(url, 2)
+		}
+	}
+
+	l = len(cert.OCSPServer)
+	if l > 0 {
+		title := "OCSP server"
+		if l > 1 {
+			title += "s"
+		}
+		wrapPrint(title+":\n", 1)
+		for _, ocspServer := range cert.OCSPServer {
+			wrapPrint(fmt.Sprintf("- %s\n", ocspServer), 2)
+		}
+	}
+}

certlib/ed25519.go

@@ -65,12 +65,14 @@ func MarshalEd25519PublicKey(pk crypto.PublicKey) ([]byte, error) {
 		return nil, errEd25519WrongKeyType
 	}
 
+	const bitsPerByte = 8
+
 	spki := subjectPublicKeyInfo{
 		Algorithm: pkix.AlgorithmIdentifier{
 			Algorithm: ed25519OID,
 		},
 		PublicKey: asn1.BitString{
-			BitLength: len(pub) * 8,
+			BitLength: len(pub) * bitsPerByte,
 			Bytes:     pub,
 		},
 	}
@@ -91,7 +93,8 @@ func ParseEd25519PublicKey(der []byte) (crypto.PublicKey, error) {
 		return nil, errEd25519WrongID
 	}
 
-	if spki.PublicKey.BitLength != ed25519.PublicKeySize*8 {
+	const bitsPerByte = 8
+	if spki.PublicKey.BitLength != ed25519.PublicKeySize*bitsPerByte {
 		return nil, errors.New("SubjectPublicKeyInfo PublicKey length mismatch")
 	}
 

certlib/helpers.go

@@ -49,14 +49,14 @@ import (
 	"strings"
 	"time"
 
-	"git.wntrmute.dev/kyle/goutils/certlib/certerr"
-	"git.wntrmute.dev/kyle/goutils/certlib/pkcs7"
-
 	ct "github.com/google/certificate-transparency-go"
 	cttls "github.com/google/certificate-transparency-go/tls"
 	ctx509 "github.com/google/certificate-transparency-go/x509"
 	"golang.org/x/crypto/ocsp"
 	"golang.org/x/crypto/pkcs12"
+
+	"git.wntrmute.dev/kyle/goutils/certlib/certerr"
+	"git.wntrmute.dev/kyle/goutils/certlib/pkcs7"
 )
 
 // OneYear is a time.Duration representing a year's worth of seconds.
@@ -65,57 +65,73 @@ const OneYear = 8760 * time.Hour
 // OneDay is a time.Duration representing a day's worth of seconds.
 const OneDay = 24 * time.Hour
 
-// DelegationUsage  is the OID for the DelegationUseage extensions
+// DelegationUsage  is the OID for the DelegationUseage extensions.
 var DelegationUsage = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 44363, 44}
 
-// DelegationExtension
+// DelegationExtension is a non-critical extension marking delegation usage.
 var DelegationExtension = pkix.Extension{
 	Id:       DelegationUsage,
 	Critical: false,
 	Value:    []byte{0x05, 0x00}, // ASN.1 NULL
 }
 
+const (
+	pemTypeCertificate        = "CERTIFICATE"
+	pemTypeCertificateRequest = "CERTIFICATE REQUEST"
+	pemTypePrivateKey         = "PRIVATE KEY"
+)
+
 // InclusiveDate returns the time.Time representation of a date - 1
 // nanosecond. This allows time.After to be used inclusively.
 func InclusiveDate(year int, month time.Month, day int) time.Time {
 	return time.Date(year, month, day, 0, 0, 0, 0, time.UTC).Add(-1 * time.Nanosecond)
 }
 
+const (
+	year2012 = 2012
+	year2015 = 2015
+	day1     = 1
+)
+
 // Jul2012 is the July 2012 CAB Forum deadline for when CAs must stop
 // issuing certificates valid for more than 5 years.
-var Jul2012 = InclusiveDate(2012, time.July, 01)
+var Jul2012 = InclusiveDate(year2012, time.July, day1)
 
 // Apr2015 is the April 2015 CAB Forum deadline for when CAs must stop
 // issuing certificates valid for more than 39 months.
-var Apr2015 = InclusiveDate(2015, time.April, 01)
+var Apr2015 = InclusiveDate(year2015, time.April, day1)
 
-// KeyLength returns the bit size of ECDSA or RSA PublicKey
+// KeyLength returns the bit size of ECDSA or RSA PublicKey.
-func KeyLength(key interface{}) int {
+func KeyLength(key any) int {
-	if key == nil {
+	switch k := key.(type) {
+	case *ecdsa.PublicKey:
+		if k == nil {
+			return 0
+		}
+		return k.Curve.Params().BitSize
+	case *rsa.PublicKey:
+		if k == nil {
+			return 0
+		}
+		return k.N.BitLen()
+	default:
 		return 0
 	}
-	if ecdsaKey, ok := key.(*ecdsa.PublicKey); ok {
-		return ecdsaKey.Curve.Params().BitSize
-	} else if rsaKey, ok := key.(*rsa.PublicKey); ok {
-		return rsaKey.N.BitLen()
-	}
-
-	return 0
 }
 
 // ExpiryTime returns the time when the certificate chain is expired.
-func ExpiryTime(chain []*x509.Certificate) (notAfter time.Time) {
+func ExpiryTime(chain []*x509.Certificate) time.Time {
+	var notAfter time.Time
 	if len(chain) == 0 {
-		return
+		return notAfter
 	}
-
 	notAfter = chain[0].NotAfter
 	for _, cert := range chain {
 		if notAfter.After(cert.NotAfter) {
 			notAfter = cert.NotAfter
 		}
 	}
-	return
+	return notAfter
 }
 
 // MonthsValid returns the number of months for which a certificate is valid.
@@ -144,109 +160,109 @@ func ValidExpiry(c *x509.Certificate) bool {
 		maxMonths = 39
 	case issued.After(Jul2012):
 		maxMonths = 60
-	case issued.Before(Jul2012):
+	default:
 		maxMonths = 120
 	}
 
-	if MonthsValid(c) > maxMonths {
+	return MonthsValid(c) <= maxMonths
-		return false
+}
-	}
+
-	return true
+// SignatureString returns the TLS signature string corresponding to
+// an X509 signature algorithm.
+var signatureString = map[x509.SignatureAlgorithm]string{
+	x509.UnknownSignatureAlgorithm: "Unknown Signature",
+	x509.MD2WithRSA:                "MD2WithRSA",
+	x509.MD5WithRSA:                "MD5WithRSA",
+	x509.SHA1WithRSA:               "SHA1WithRSA",
+	x509.SHA256WithRSA:             "SHA256WithRSA",
+	x509.SHA384WithRSA:             "SHA384WithRSA",
+	x509.SHA512WithRSA:             "SHA512WithRSA",
+	x509.SHA256WithRSAPSS:          "SHA256WithRSAPSS",
+	x509.SHA384WithRSAPSS:          "SHA384WithRSAPSS",
+	x509.SHA512WithRSAPSS:          "SHA512WithRSAPSS",
+	x509.DSAWithSHA1:               "DSAWithSHA1",
+	x509.DSAWithSHA256:             "DSAWithSHA256",
+	x509.ECDSAWithSHA1:             "ECDSAWithSHA1",
+	x509.ECDSAWithSHA256:           "ECDSAWithSHA256",
+	x509.ECDSAWithSHA384:           "ECDSAWithSHA384",
+	x509.ECDSAWithSHA512:           "ECDSAWithSHA512",
+	x509.PureEd25519:               "PureEd25519",
 }
 
 // SignatureString returns the TLS signature string corresponding to
 // an X509 signature algorithm.
 func SignatureString(alg x509.SignatureAlgorithm) string {
-	switch alg {
+	if s, ok := signatureString[alg]; ok {
-	case x509.MD2WithRSA:
+		return s
-		return "MD2WithRSA"
-	case x509.MD5WithRSA:
-		return "MD5WithRSA"
-	case x509.SHA1WithRSA:
-		return "SHA1WithRSA"
-	case x509.SHA256WithRSA:
-		return "SHA256WithRSA"
-	case x509.SHA384WithRSA:
-		return "SHA384WithRSA"
-	case x509.SHA512WithRSA:
-		return "SHA512WithRSA"
-	case x509.DSAWithSHA1:
-		return "DSAWithSHA1"
-	case x509.DSAWithSHA256:
-		return "DSAWithSHA256"
-	case x509.ECDSAWithSHA1:
-		return "ECDSAWithSHA1"
-	case x509.ECDSAWithSHA256:
-		return "ECDSAWithSHA256"
-	case x509.ECDSAWithSHA384:
-		return "ECDSAWithSHA384"
-	case x509.ECDSAWithSHA512:
-		return "ECDSAWithSHA512"
-	default:
-		return "Unknown Signature"
 	}
+	return "Unknown Signature"
+}
+
+// HashAlgoString returns the hash algorithm name contains in the signature
+// method.
+var hashAlgoString = map[x509.SignatureAlgorithm]string{
+	x509.UnknownSignatureAlgorithm: "Unknown Hash Algorithm",
+	x509.MD2WithRSA:                "MD2",
+	x509.MD5WithRSA:                "MD5",
+	x509.SHA1WithRSA:               "SHA1",
+	x509.SHA256WithRSA:             "SHA256",
+	x509.SHA384WithRSA:             "SHA384",
+	x509.SHA512WithRSA:             "SHA512",
+	x509.SHA256WithRSAPSS:          "SHA256",
+	x509.SHA384WithRSAPSS:          "SHA384",
+	x509.SHA512WithRSAPSS:          "SHA512",
+	x509.DSAWithSHA1:               "SHA1",
+	x509.DSAWithSHA256:             "SHA256",
+	x509.ECDSAWithSHA1:             "SHA1",
+	x509.ECDSAWithSHA256:           "SHA256",
+	x509.ECDSAWithSHA384:           "SHA384",
+	x509.ECDSAWithSHA512:           "SHA512",
+	x509.PureEd25519:               "SHA512", // per x509 docs Ed25519 uses SHA-512 internally
 }
 
 // HashAlgoString returns the hash algorithm name contains in the signature
 // method.
 func HashAlgoString(alg x509.SignatureAlgorithm) string {
-	switch alg {
+	if s, ok := hashAlgoString[alg]; ok {
-	case x509.MD2WithRSA:
+		return s
-		return "MD2"
-	case x509.MD5WithRSA:
-		return "MD5"
-	case x509.SHA1WithRSA:
-		return "SHA1"
-	case x509.SHA256WithRSA:
-		return "SHA256"
-	case x509.SHA384WithRSA:
-		return "SHA384"
-	case x509.SHA512WithRSA:
-		return "SHA512"
-	case x509.DSAWithSHA1:
-		return "SHA1"
-	case x509.DSAWithSHA256:
-		return "SHA256"
-	case x509.ECDSAWithSHA1:
-		return "SHA1"
-	case x509.ECDSAWithSHA256:
-		return "SHA256"
-	case x509.ECDSAWithSHA384:
-		return "SHA384"
-	case x509.ECDSAWithSHA512:
-		return "SHA512"
-	default:
-		return "Unknown Hash Algorithm"
 	}
+	return "Unknown Hash Algorithm"
 }
 
 // StringTLSVersion returns underlying enum values from human names for TLS
-// versions, defaults to current golang default of TLS 1.0
+// versions, defaults to current golang default of TLS 1.0.
 func StringTLSVersion(version string) uint16 {
 	switch version {
+	case "1.3":
+		return tls.VersionTLS13
 	case "1.2":
 		return tls.VersionTLS12
 	case "1.1":
 		return tls.VersionTLS11
+	case "1.0":
+		return tls.VersionTLS10
 	default:
+		// Default to Go's historical default of TLS 1.0 for unknown values
 		return tls.VersionTLS10
 	}
 }
 
-// EncodeCertificatesPEM encodes a number of x509 certificates to PEM
+// EncodeCertificatesPEM encodes a number of x509 certificates to PEM.
 func EncodeCertificatesPEM(certs []*x509.Certificate) []byte {
 	var buffer bytes.Buffer
 	for _, cert := range certs {
-		pem.Encode(&buffer, &pem.Block{
+		if err := pem.Encode(&buffer, &pem.Block{
-			Type:  "CERTIFICATE",
+			Type:  pemTypeCertificate,
 			Bytes: cert.Raw,
-		})
+		}); err != nil {
+			return nil
+		}
 	}
 
 	return buffer.Bytes()
 }
 
-// EncodeCertificatePEM encodes a single x509 certificates to PEM
+// EncodeCertificatePEM encodes a single x509 certificates to PEM.
 func EncodeCertificatePEM(cert *x509.Certificate) []byte {
 	return EncodeCertificatesPEM([]*x509.Certificate{cert})
 }
@@ -269,38 +285,52 @@ func ParseCertificatesPEM(certsPEM []byte) ([]*x509.Certificate, error) {
 		certs = append(certs, cert...)
 	}
 	if len(certsPEM) > 0 {
-		return nil, certerr.DecodeError(certerr.ErrorSourceCertificate, errors.New("trailing data at end of certificate"))
+		return nil, certerr.DecodeError(
+			certerr.ErrorSourceCertificate,
+			errors.New("trailing data at end of certificate"),
+		)
 	}
 	return certs, nil
 }
 
 // ParseCertificatesDER parses a DER encoding of a certificate object and possibly private key,
 // either PKCS #7, PKCS #12, or raw x509.
-func ParseCertificatesDER(certsDER []byte, password string) (certs []*x509.Certificate, key crypto.Signer, err error) {
+func ParseCertificatesDER(certsDER []byte, password string) ([]*x509.Certificate, crypto.Signer, error) {
 	certsDER = bytes.TrimSpace(certsDER)
-	pkcs7data, err := pkcs7.ParsePKCS7(certsDER)
+
-	if err != nil {
+	// First, try PKCS #7
-		var pkcs12data interface{}
+	if pkcs7data, err7 := pkcs7.ParsePKCS7(certsDER); err7 == nil {
-		certs = make([]*x509.Certificate, 1)
-		pkcs12data, certs[0], err = pkcs12.Decode(certsDER, password)
-		if err != nil {
-			certs, err = x509.ParseCertificates(certsDER)
-			if err != nil {
-				return nil, nil, certerr.DecodeError(certerr.ErrorSourceCertificate, err)
-			}
-		} else {
-			key = pkcs12data.(crypto.Signer)
-		}
-	} else {
 		if pkcs7data.ContentInfo != "SignedData" {
-			return nil, nil, certerr.DecodeError(certerr.ErrorSourceCertificate, errors.New("can only extract certificates from signed data content info"))
+			return nil, nil, certerr.DecodeError(
+				certerr.ErrorSourceCertificate,
+				errors.New("can only extract certificates from signed data content info"),
+			)
 		}
-		certs = pkcs7data.Content.SignedData.Certificates
+		certs := pkcs7data.Content.SignedData.Certificates
+		if certs == nil {
+			return nil, nil, certerr.DecodeError(certerr.ErrorSourceCertificate, errors.New("no certificates decoded"))
+		}
+		return certs, nil, nil
 	}
-	if certs == nil {
+
-		return nil, key, certerr.DecodeError(certerr.ErrorSourceCertificate, errors.New("no certificates decoded"))
+	// Next, try PKCS #12
+	if pkcs12data, cert, err12 := pkcs12.Decode(certsDER, password); err12 == nil {
+		signer, ok := pkcs12data.(crypto.Signer)
+		if !ok {
+			return nil, nil, certerr.DecodeError(
+				certerr.ErrorSourcePrivateKey,
+				errors.New("PKCS12 data does not contain a private key"),
+			)
+		}
+		return []*x509.Certificate{cert}, signer, nil
 	}
-	return certs, key, nil
+
+	// Finally, attempt to parse raw X.509 certificates
+	certs, err := x509.ParseCertificates(certsDER)
+	if err != nil {
+		return nil, nil, certerr.DecodeError(certerr.ErrorSourceCertificate, err)
+	}
+	return certs, nil, nil
 }
 
 // ParseSelfSignedCertificatePEM parses a PEM-encoded certificate and check if it is self-signed.
@@ -310,7 +340,8 @@ func ParseSelfSignedCertificatePEM(certPEM []byte) (*x509.Certificate, error) {
 		return nil, err
 	}
 
-	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
+	err = cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature)
+	if err != nil {
 		return nil, certerr.VerifyError(certerr.ErrorSourceCertificate, err)
 	}
 	return cert, nil
@@ -320,17 +351,26 @@ func ParseSelfSignedCertificatePEM(certPEM []byte) (*x509.Certificate, error) {
 // can handle PEM encoded PKCS #7 structures.
 func ParseCertificatePEM(certPEM []byte) (*x509.Certificate, error) {
 	certPEM = bytes.TrimSpace(certPEM)
-	cert, rest, err := ParseOneCertificateFromPEM(certPEM)
+	certs, rest, err := ParseOneCertificateFromPEM(certPEM)
 	if err != nil {
 		return nil, certerr.ParsingError(certerr.ErrorSourceCertificate, err)
-	} else if cert == nil {
-		return nil, certerr.DecodeError(certerr.ErrorSourceCertificate, errors.New("no certificate decoded"))
-	} else if len(rest) > 0 {
-		return nil, certerr.ParsingError(certerr.ErrorSourceCertificate, errors.New("the PEM file should contain only one object"))
-	} else if len(cert) > 1 {
-		return nil, certerr.ParsingError(certerr.ErrorSourceCertificate, errors.New("the PKCS7 object in the PEM file should contain only one certificate"))
 	}
-	return cert[0], nil
+	if certs == nil {
+		return nil, certerr.DecodeError(certerr.ErrorSourceCertificate, errors.New("no certificate decoded"))
+	}
+	if len(rest) > 0 {
+		return nil, certerr.ParsingError(
+			certerr.ErrorSourceCertificate,
+			errors.New("the PEM file should contain only one object"),
+		)
+	}
+	if len(certs) > 1 {
+		return nil, certerr.ParsingError(
+			certerr.ErrorSourceCertificate,
+			errors.New("the PKCS7 object in the PEM file should contain only one certificate"),
+		)
+	}
+	return certs[0], nil
 }
 
 // ParseOneCertificateFromPEM attempts to parse one PEM encoded certificate object,
@@ -338,7 +378,6 @@ func ParseCertificatePEM(certPEM []byte) (*x509.Certificate, error) {
 // multiple certificates, from the top of certsPEM, which itself may
 // contain multiple PEM encoded certificate objects.
 func ParseOneCertificateFromPEM(certsPEM []byte) ([]*x509.Certificate, []byte, error) {
-
 	block, rest := pem.Decode(certsPEM)
 	if block == nil {
 		return nil, rest, nil
@@ -346,8 +385,8 @@ func ParseOneCertificateFromPEM(certsPEM []byte) ([]*x509.Certificate, []byte, e
 
 	cert, err := x509.ParseCertificate(block.Bytes)
 	if err != nil {
-		pkcs7data, err := pkcs7.ParsePKCS7(block.Bytes)
+		pkcs7data, err2 := pkcs7.ParsePKCS7(block.Bytes)
-		if err != nil {
+		if err2 != nil {
 			return nil, rest, err
 		}
 		if pkcs7data.ContentInfo != "SignedData" {
@@ -363,10 +402,49 @@ func ParseOneCertificateFromPEM(certsPEM []byte) ([]*x509.Certificate, []byte, e
 	return certs, rest, nil
 }
 
+// LoadFullCertPool returns a certificate pool with roots and intermediates
+// from disk. If no roots are provided, the system root pool will be used.
+func LoadFullCertPool(roots, intermediates string) (*x509.CertPool, error) {
+	var err error
+
+	pool := x509.NewCertPool()
+
+	if roots == "" {
+		pool, err = x509.SystemCertPool()
+		if err != nil {
+			return nil, fmt.Errorf("loading system cert pool: %w", err)
+		}
+	} else {
+		var rootCerts []*x509.Certificate
+		rootCerts, err = LoadCertificates(roots)
+		if err != nil {
+			return nil, fmt.Errorf("loading roots: %w", err)
+		}
+
+		for _, cert := range rootCerts {
+			pool.AddCert(cert)
+		}
+	}
+
+	if intermediates != "" {
+		var intCerts []*x509.Certificate
+		intCerts, err = LoadCertificates(intermediates)
+		if err != nil {
+			return nil, fmt.Errorf("loading intermediates: %w", err)
+		}
+
+		for _, cert := range intCerts {
+			pool.AddCert(cert)
+		}
+	}
+
+	return pool, nil
+}
+
 // LoadPEMCertPool loads a pool of PEM certificates from file.
 func LoadPEMCertPool(certsFile string) (*x509.CertPool, error) {
 	if certsFile == "" {
-		return nil, nil
+		return nil, nil //nolint:nilnil // no CA file provided -> treat as no pool and no error
 	}
 	pemCerts, err := os.ReadFile(certsFile)
 	if err != nil {
@@ -379,12 +457,12 @@ func LoadPEMCertPool(certsFile string) (*x509.CertPool, error) {
 // PEMToCertPool concerts PEM certificates to a CertPool.
 func PEMToCertPool(pemCerts []byte) (*x509.CertPool, error) {
 	if len(pemCerts) == 0 {
-		return nil, nil
+		return nil, nil //nolint:nilnil // empty input means no pool needed
 	}
 
 	certPool := x509.NewCertPool()
 	if !certPool.AppendCertsFromPEM(pemCerts) {
-		return nil, errors.New("failed to load cert pool")
+		return nil, certerr.LoadingError(certerr.ErrorSourceCertificate, errors.New("failed to load cert pool"))
 	}
 
 	return certPool, nil
@@ -393,14 +471,14 @@ func PEMToCertPool(pemCerts []byte) (*x509.CertPool, error) {
 // ParsePrivateKeyPEM parses and returns a PEM-encoded private
 // key. The private key may be either an unencrypted PKCS#8, PKCS#1,
 // or elliptic private key.
-func ParsePrivateKeyPEM(keyPEM []byte) (key crypto.Signer, err error) {
+func ParsePrivateKeyPEM(keyPEM []byte) (crypto.Signer, error) {
 	return ParsePrivateKeyPEMWithPassword(keyPEM, nil)
 }
 
 // ParsePrivateKeyPEMWithPassword parses and returns a PEM-encoded private
 // key. The private key may be a potentially encrypted PKCS#8, PKCS#1,
 // or elliptic private key.
-func ParsePrivateKeyPEMWithPassword(keyPEM []byte, password []byte) (key crypto.Signer, err error) {
+func ParsePrivateKeyPEMWithPassword(keyPEM []byte, password []byte) (crypto.Signer, error) {
 	keyDER, err := GetKeyDERFromPEM(keyPEM, password)
 	if err != nil {
 		return nil, err
@@ -420,44 +498,47 @@ func GetKeyDERFromPEM(in []byte, password []byte) ([]byte, error) {
 			break
 		}
 	}
-	if keyDER != nil {
+	if keyDER == nil {
-		if procType, ok := keyDER.Headers["Proc-Type"]; ok {
+		return nil, certerr.DecodeError(certerr.ErrorSourcePrivateKey, errors.New("failed to decode private key"))
-			if strings.Contains(procType, "ENCRYPTED") {
-				if password != nil {
-					return x509.DecryptPEMBlock(keyDER, password)
-				}
-				return nil, certerr.DecodeError(certerr.ErrorSourcePrivateKey, certerr.ErrEncryptedPrivateKey)
-			}
-		}
-		return keyDER.Bytes, nil
 	}
-
+	if procType, ok := keyDER.Headers["Proc-Type"]; ok && strings.Contains(procType, "ENCRYPTED") {
-	return nil, certerr.DecodeError(certerr.ErrorSourcePrivateKey, errors.New("failed to decode private key"))
+		if password != nil {
+			return x509.DecryptPEMBlock(keyDER, password)
+		}
+		return nil, certerr.DecodeError(certerr.ErrorSourcePrivateKey, certerr.ErrEncryptedPrivateKey)
+	}
+	return keyDER.Bytes, nil
 }
 
 // ParseCSR parses a PEM- or DER-encoded PKCS #10 certificate signing request.
-func ParseCSR(in []byte) (csr *x509.CertificateRequest, rest []byte, err error) {
+func ParseCSR(in []byte) (*x509.CertificateRequest, []byte, error) {
 	in = bytes.TrimSpace(in)
 	p, rest := pem.Decode(in)
-	if p != nil {
+	if p == nil {
-		if p.Type != "NEW CERTIFICATE REQUEST" && p.Type != "CERTIFICATE REQUEST" {
+		csr, err := x509.ParseCertificateRequest(in)
-			return nil, rest, certerr.ParsingError(certerr.ErrorSourceCSR, certerr.ErrInvalidPEMType(p.Type, "NEW CERTIFICATE REQUEST", "CERTIFICATE REQUEST"))
+		if err != nil {
+			return nil, rest, certerr.ParsingError(certerr.ErrorSourceCSR, err)
 		}
-
+		if sigErr := csr.CheckSignature(); sigErr != nil {
-		csr, err = x509.ParseCertificateRequest(p.Bytes)
+			return nil, rest, certerr.VerifyError(certerr.ErrorSourceCSR, sigErr)
-	} else {
+		}
-		csr, err = x509.ParseCertificateRequest(in)
+		return csr, rest, nil
 	}
 
+	if p.Type != "NEW CERTIFICATE REQUEST" && p.Type != "CERTIFICATE REQUEST" {
+		return nil, rest, certerr.ParsingError(
+			certerr.ErrorSourceCSR,
+			certerr.ErrInvalidPEMType(p.Type, "NEW CERTIFICATE REQUEST", "CERTIFICATE REQUEST"),
+		)
+	}
+
+	csr, err := x509.ParseCertificateRequest(p.Bytes)
 	if err != nil {
-		return nil, rest, err
+		return nil, rest, certerr.ParsingError(certerr.ErrorSourceCSR, err)
 	}
-
+	if sigErr := csr.CheckSignature(); sigErr != nil {
-	err = csr.CheckSignature()
+		return nil, rest, certerr.VerifyError(certerr.ErrorSourceCSR, sigErr)
-	if err != nil {
-		return nil, rest, err
 	}
-
 	return csr, rest, nil
 }
 
@@ -465,14 +546,14 @@ func ParseCSR(in []byte) (csr *x509.CertificateRequest, rest []byte, err error)
 // It does not check the signature. This is useful for dumping data from a CSR
 // locally.
 func ParseCSRPEM(csrPEM []byte) (*x509.CertificateRequest, error) {
-	block, _ := pem.Decode([]byte(csrPEM))
+	block, _ := pem.Decode(csrPEM)
 	if block == nil {
 		return nil, certerr.DecodeError(certerr.ErrorSourceCSR, errors.New("PEM block is empty"))
 	}
 	csrObject, err := x509.ParseCertificateRequest(block.Bytes)
 
 	if err != nil {
-		return nil, err
+		return nil, certerr.ParsingError(certerr.ErrorSourceCSR, err)
 	}
 
 	return csrObject, nil
@@ -480,15 +561,20 @@ func ParseCSRPEM(csrPEM []byte) (*x509.CertificateRequest, error) {
 
 // SignerAlgo returns an X.509 signature algorithm from a crypto.Signer.
 func SignerAlgo(priv crypto.Signer) x509.SignatureAlgorithm {
+	const (
+		rsaBits2048 = 2048
+		rsaBits3072 = 3072
+		rsaBits4096 = 4096
+	)
 	switch pub := priv.Public().(type) {
 	case *rsa.PublicKey:
 		bitLength := pub.N.BitLen()
 		switch {
-		case bitLength >= 4096:
+		case bitLength >= rsaBits4096:
 			return x509.SHA512WithRSA
-		case bitLength >= 3072:
+		case bitLength >= rsaBits3072:
 			return x509.SHA384WithRSA
-		case bitLength >= 2048:
+		case bitLength >= rsaBits2048:
 			return x509.SHA256WithRSA
 		default:
 			return x509.SHA1WithRSA
@@ -509,7 +595,7 @@ func SignerAlgo(priv crypto.Signer) x509.SignatureAlgorithm {
 	}
 }
 
-// LoadClientCertificate load key/certificate from pem files
+// LoadClientCertificate load key/certificate from pem files.
 func LoadClientCertificate(certFile string, keyFile string) (*tls.Certificate, error) {
 	if certFile != "" && keyFile != "" {
 		cert, err := tls.LoadX509KeyPair(certFile, keyFile)
@@ -518,10 +604,10 @@ func LoadClientCertificate(certFile string, keyFile string) (*tls.Certificate, e
 		}
 		return &cert, nil
 	}
-	return nil, nil
+	return nil, nil //nolint:nilnil // absence of client cert is not an error
 }
 
-// CreateTLSConfig creates a tls.Config object from certs and roots
+// CreateTLSConfig creates a tls.Config object from certs and roots.
 func CreateTLSConfig(remoteCAs *x509.CertPool, cert *tls.Certificate) *tls.Config {
 	var certs []tls.Certificate
 	if cert != nil {
@@ -530,6 +616,7 @@ func CreateTLSConfig(remoteCAs *x509.CertPool, cert *tls.Certificate) *tls.Confi
 	return &tls.Config{
 		Certificates: certs,
 		RootCAs:      remoteCAs,
+		MinVersion:   tls.VersionTLS12, // secure default
 	}
 }
 
@@ -554,18 +641,24 @@ func DeserializeSCTList(serializedSCTList []byte) ([]ct.SignedCertificateTimesta
 		return nil, err
 	}
 	if len(rest) != 0 {
-		return nil, certerr.ParsingError(certerr.ErrorSourceSCTList, errors.New("serialized SCT list contained trailing garbage"))
+		return nil, certerr.ParsingError(
+			certerr.ErrorSourceSCTList,
+			errors.New("serialized SCT list contained trailing garbage"),
+		)
 	}
 
 	list := make([]ct.SignedCertificateTimestamp, len(sctList.SCTList))
 	for i, serializedSCT := range sctList.SCTList {
 		var sct ct.SignedCertificateTimestamp
-		rest, err := cttls.Unmarshal(serializedSCT.Val, &sct)
+		rest2, err2 := cttls.Unmarshal(serializedSCT.Val, &sct)
-		if err != nil {
+		if err2 != nil {
-			return nil, err
+			return nil, err2
 		}
-		if len(rest) != 0 {
+		if len(rest2) != 0 {
-			return nil, certerr.ParsingError(certerr.ErrorSourceSCTList, errors.New("serialized SCT list contained trailing garbage"))
+			return nil, certerr.ParsingError(
+				certerr.ErrorSourceSCTList,
+				errors.New("serialized SCT list contained trailing garbage"),
+			)
 		}
 		list[i] = sct
 	}
@@ -577,12 +670,12 @@ func DeserializeSCTList(serializedSCTList []byte) ([]ct.SignedCertificateTimesta
 // unmarshalled.
 func SCTListFromOCSPResponse(response *ocsp.Response) ([]ct.SignedCertificateTimestamp, error) {
 	// This loop finds the SCTListExtension in the OCSP response.
-	var SCTListExtension, ext pkix.Extension
+	var sctListExtension, ext pkix.Extension
 	for _, ext = range response.Extensions {
 		// sctExtOid is the ObjectIdentifier of a Signed Certificate Timestamp.
 		sctExtOid := asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 5}
 		if ext.Id.Equal(sctExtOid) {
-			SCTListExtension = ext
+			sctListExtension = ext
 			break
 		}
 	}
@@ -590,10 +683,10 @@ func SCTListFromOCSPResponse(response *ocsp.Response) ([]ct.SignedCertificateTim
 	// This code block extracts the sctList from the SCT extension.
 	var sctList []ct.SignedCertificateTimestamp
 	var err error
-	if numBytes := len(SCTListExtension.Value); numBytes != 0 {
+	if numBytes := len(sctListExtension.Value); numBytes != 0 {
 		var serializedSCTList []byte
 		rest := make([]byte, numBytes)
-		copy(rest, SCTListExtension.Value)
+		copy(rest, sctListExtension.Value)
 		for len(rest) != 0 {
 			rest, err = asn1.Unmarshal(rest, &serializedSCTList)
 			if err != nil {
@@ -611,20 +704,16 @@ func SCTListFromOCSPResponse(response *ocsp.Response) ([]ct.SignedCertificateTim
 // the subsequent file. If no prefix is provided, valFile is assumed to be a
 // file path.
 func ReadBytes(valFile string) ([]byte, error) {
-	switch splitVal := strings.SplitN(valFile, ":", 2); len(splitVal) {
+	prefix, rest, found := strings.Cut(valFile, ":")
-	case 1:
+	if !found {
 		return os.ReadFile(valFile)
-	case 2:
+	}
-		switch splitVal[0] {
+	switch prefix {
-		case "env":
+	case "env":
-			return []byte(os.Getenv(splitVal[1])), nil
+		return []byte(os.Getenv(rest)), nil
-		case "file":
+	case "file":
-			return os.ReadFile(splitVal[1])
+		return os.ReadFile(rest)
-		default:
-			return nil, fmt.Errorf("unknown prefix: %s", splitVal[0])
-		}
 	default:
-		return nil, fmt.Errorf("multiple prefixes: %s",
+		return nil, fmt.Errorf("unknown prefix: %s", prefix)
-			strings.Join(splitVal[:len(splitVal)-1], ", "))
 	}
 }

certlib/hosts/hosts.go

@@ -1,3 +1,13 @@
+// Package hosts provides a simple way to parse hostnames and ports.
+// Supported formats are:
+//   - https://example.com:8080
+//   - https://example.com
+//   - tls://example.com:8080
+//   - tls://example.com
+//   - example.com:8080
+//   - example.com
+//
+// Hosts parsed here are expected to be TLS hosts, and the port defaults to 443.
 package hosts
 
 import (
@@ -9,6 +19,8 @@ import (
 	"strings"
 )
 
+const defaultHTTPSPort = 443
+
 type Target struct {
 	Host string
 	Port int
@@ -24,45 +36,50 @@ func parseURL(host string) (string, int, error) {
 		return "", 0, fmt.Errorf("certlib/hosts: invalid host: %s", host)
 	}
 
-	if strings.ToLower(url.Scheme) != "https" {
+	switch strings.ToLower(url.Scheme) {
+	case "https":
+	// OK
+	case "tls":
+	// OK
+	default:
 		return "", 0, errors.New("certlib/hosts: only https scheme supported")
 	}
 
 	if url.Port() == "" {
-		return url.Hostname(), 443, nil
+		return url.Hostname(), defaultHTTPSPort, nil
 	}
 
-	port, err := strconv.ParseInt(url.Port(), 10, 16)
+	portInt, err2 := strconv.ParseInt(url.Port(), 10, 16)
-	if err != nil {
+	if err2 != nil {
 		return "", 0, fmt.Errorf("certlib/hosts: invalid port: %s", url.Port())
 	}
 
-	return url.Hostname(), int(port), nil
+	return url.Hostname(), int(portInt), nil
 }
 
 func parseHostPort(host string) (string, int, error) {
-	host, sport, err := net.SplitHostPort(host)
+	shost, sport, err := net.SplitHostPort(host)
 	if err == nil {
-		port, err := strconv.ParseInt(sport, 10, 16)
+		portInt, err2 := strconv.ParseInt(sport, 10, 16)
-		if err != nil {
+		if err2 != nil {
 			return "", 0, fmt.Errorf("certlib/hosts: invalid port: %s", sport)
 		}
 
-		return host, int(port), nil
+		return shost, int(portInt), nil
 	}
 
-	return host, 443, nil
+	return host, defaultHTTPSPort, nil
 }
 
 func ParseHost(host string) (*Target, error) {
-	host, port, err := parseURL(host)
+	uhost, port, err := parseURL(host)
 	if err == nil {
-		return &Target{Host: host, Port: port}, nil
+		return &Target{Host: uhost, Port: port}, nil
 	}
 
-	host, port, err = parseHostPort(host)
+	shost, port, err := parseHostPort(host)
 	if err == nil {
-		return &Target{Host: host, Port: port}, nil
+		return &Target{Host: shost, Port: port}, nil
 	}
 
 	return nil, fmt.Errorf("certlib/hosts: invalid host: %s", host)

certlib/hosts/hosts_test.go

@@ -0,0 +1,35 @@
+package hosts_test
+
+import (
+	"testing"
+
+	"git.wntrmute.dev/kyle/goutils/certlib/hosts"
+)
+
+type testCase struct {
+	Host   string
+	Target hosts.Target
+}
+
+var testCases = []testCase{
+	{Host: "server-name", Target: hosts.Target{Host: "server-name", Port: 443}},
+	{Host: "server-name:8443", Target: hosts.Target{Host: "server-name", Port: 8443}},
+	{Host: "tls://server-name", Target: hosts.Target{Host: "server-name", Port: 443}},
+	{Host: "https://server-name", Target: hosts.Target{Host: "server-name", Port: 443}},
+	{Host: "https://server-name:8443", Target: hosts.Target{Host: "server-name", Port: 8443}},
+	{Host: "tls://server-name:8443", Target: hosts.Target{Host: "server-name", Port: 8443}},
+	{Host: "https://server-name/something/else", Target: hosts.Target{Host: "server-name", Port: 443}},
+}
+
+func TestParseHost(t *testing.T) {
+	for i, tc := range testCases {
+		target, err := hosts.ParseHost(tc.Host)
+		if err != nil {
+			t.Fatalf("test case %d: %s", i+1, err)
+		}
+
+		if target.Host != tc.Target.Host {
+			t.Fatalf("test case %d: got host '%s', want host '%s'", i+1, target.Host, tc.Target.Host)
+		}
+	}
+}

certlib/keymatch.go

@@ -0,0 +1,135 @@
+package certlib
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"os"
+)
+
+// LoadPrivateKey loads a private key from disk. It accepts both PEM and DER
+// encodings and supports RSA and ECDSA keys. If the file contains a PEM block,
+// the block type must be one of the recognised private key types.
+func LoadPrivateKey(path string) (crypto.Signer, error) {
+	in, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	in = bytes.TrimSpace(in)
+	if p, _ := pem.Decode(in); p != nil {
+		if !validPEMs[p.Type] {
+			return nil, errors.New("invalid private key file type " + p.Type)
+		}
+		return ParsePrivateKeyPEM(in)
+	}
+
+	return ParsePrivateKeyDER(in)
+}
+
+var validPEMs = map[string]bool{
+	"PRIVATE KEY":     true,
+	"RSA PRIVATE KEY": true,
+	"EC PRIVATE KEY":  true,
+}
+
+const (
+	curveInvalid = iota // any invalid curve
+	curveRSA            // indicates key is an RSA key, not an EC key
+	curveP256
+	curveP384
+	curveP521
+)
+
+func getECCurve(pub any) int {
+	switch pub := pub.(type) {
+	case *ecdsa.PublicKey:
+		switch pub.Curve {
+		case elliptic.P256():
+			return curveP256
+		case elliptic.P384():
+			return curveP384
+		case elliptic.P521():
+			return curveP521
+		default:
+			return curveInvalid
+		}
+	case *rsa.PublicKey:
+		return curveRSA
+	default:
+		return curveInvalid
+	}
+}
+
+// matchRSA compares an RSA public key from certificate against RSA public key from private key.
+// It returns true on match.
+func matchRSA(certPub *rsa.PublicKey, keyPub *rsa.PublicKey) bool {
+	return keyPub.N.Cmp(certPub.N) == 0 && keyPub.E == certPub.E
+}
+
+// matchECDSA compares ECDSA public keys for equality and compatible curve.
+// It returns match=true when they are on the same curve and have the same X/Y.
+// If curves mismatch, match is false.
+func matchECDSA(certPub *ecdsa.PublicKey, keyPub *ecdsa.PublicKey) bool {
+	if getECCurve(certPub) != getECCurve(keyPub) {
+		return false
+	}
+	if keyPub.X.Cmp(certPub.X) != 0 {
+		return false
+	}
+	if keyPub.Y.Cmp(certPub.Y) != 0 {
+		return false
+	}
+	return true
+}
+
+// MatchKeys determines whether the certificate's public key matches the given private key.
+// It returns true if they match; otherwise, it returns false and a human-friendly reason.
+func MatchKeys(cert *x509.Certificate, priv crypto.Signer) (bool, string) {
+	switch keyPub := priv.Public().(type) {
+	case *rsa.PublicKey:
+		switch certPub := cert.PublicKey.(type) {
+		case *rsa.PublicKey:
+			if matchRSA(certPub, keyPub) {
+				return true, ""
+			}
+			return false, "public keys don't match"
+		case *ecdsa.PublicKey:
+			return false, "RSA private key, EC public key"
+		default:
+			return false, fmt.Sprintf("unsupported certificate public key type: %T", cert.PublicKey)
+		}
+	case *ecdsa.PublicKey:
+		switch certPub := cert.PublicKey.(type) {
+		case *ecdsa.PublicKey:
+			if matchECDSA(certPub, keyPub) {
+				return true, ""
+			}
+			// Determine a more precise reason
+			kc := getECCurve(keyPub)
+			cc := getECCurve(certPub)
+			if kc == curveInvalid {
+				return false, "invalid private key curve"
+			}
+			if cc == curveRSA {
+				return false, "private key is EC, certificate is RSA"
+			}
+			if kc != cc {
+				return false, "EC curves don't match"
+			}
+			return false, "public keys don't match"
+		case *rsa.PublicKey:
+			return false, "private key is EC, certificate is RSA"
+		default:
+			return false, fmt.Sprintf("unsupported certificate public key type: %T", cert.PublicKey)
+		}
+	default:
+		return false, fmt.Sprintf("unrecognised private key type: %T", priv.Public())
+	}
+}

certlib/keymatch_test.go

@@ -0,0 +1,49 @@
+package certlib_test
+
+import (
+	"testing"
+
+	"git.wntrmute.dev/kyle/goutils/certlib"
+)
+
+var (
+	testCert1 = "testdata/cert1.pem"
+	testCert2 = "testdata/cert2.pem"
+	testPriv1 = "testdata/priv1.pem"
+	testPriv2 = "testdata/priv2.pem"
+)
+
+type testCase struct {
+	cert  string
+	key   string
+	match bool
+}
+
+var testCases = []testCase{
+	{testCert1, testPriv1, true},
+	{testCert2, testPriv2, true},
+	{testCert1, testPriv2, false},
+	{testCert2, testPriv1, false},
+}
+
+func TestMatchKeys(t *testing.T) {
+	for i, tc := range testCases {
+		cert, err := certlib.LoadCertificate(tc.cert)
+		if err != nil {
+			t.Fatalf("failed to load cert %d: %v", i, err)
+		}
+
+		priv, err := certlib.LoadPrivateKey(tc.key)
+		if err != nil {
+			t.Fatalf("failed to load key %d: %v", i, err)
+		}
+
+		ok, _ := certlib.MatchKeys(cert, priv)
+		switch {
+		case ok && !tc.match:
+			t.Fatalf("case %d: cert %s/key %s should not match", i, tc.cert, tc.key)
+		case !ok && tc.match:
+			t.Fatalf("case %d: cert %s/key %s should match", i, tc.cert, tc.key)
+		}
+	}
+}

certlib/pkcs7/pkcs7.go

@@ -93,7 +93,7 @@ type signedData struct {
 	Version          int
 	DigestAlgorithms asn1.RawValue
 	ContentInfo      asn1.RawValue
-	Certificates     asn1.RawValue `asn1:"optional" asn1:"tag:0"`
+	Certificates     asn1.RawValue `asn1:"optional"`
 	Crls             asn1.RawValue `asn1:"optional"`
 	SignerInfos      asn1.RawValue
 }
@@ -158,9 +158,9 @@ type EncryptedContentInfo struct {
 	EncryptedContent           []byte `asn1:"tag:0,optional"`
 }
 
-func unmarshalInit(raw []byte) (init initPKCS7, err error) {
+func unmarshalInit(raw []byte) (initPKCS7, error) {
-	_, err = asn1.Unmarshal(raw, &init)
+	var init initPKCS7
-	if err != nil {
+	if _, err := asn1.Unmarshal(raw, &init); err != nil {
 		return initPKCS7{}, certerr.ParsingError(certerr.ErrorSourceCertificate, err)
 	}
 	return init, nil
@@ -207,7 +207,10 @@ func populateEncryptedData(msg *PKCS7, contentBytes []byte) error {
 		return certerr.ParsingError(certerr.ErrorSourceCertificate, err)
 	}
 	if ed.Version != 0 {
-		return certerr.ParsingError(certerr.ErrorSourceCertificate, errors.New("only PKCS #7 encryptedData version 0 is supported"))
+		return certerr.ParsingError(
+			certerr.ErrorSourceCertificate,
+			errors.New("only PKCS #7 encryptedData version 0 is supported"),
+		)
 	}
 	msg.Content.EncryptedData = ed
 	return nil
@@ -215,34 +218,35 @@ func populateEncryptedData(msg *PKCS7, contentBytes []byte) error {
 
 // ParsePKCS7 attempts to parse the DER encoded bytes of a
 // PKCS7 structure.
-func ParsePKCS7(raw []byte) (msg *PKCS7, err error) {
+func ParsePKCS7(raw []byte) (*PKCS7, error) {
-
 	pkcs7, err := unmarshalInit(raw)
 	if err != nil {
 		return nil, err
 	}
 
-	msg = new(PKCS7)
+	msg := new(PKCS7)
 	msg.Raw = pkcs7.Raw
 	msg.ContentInfo = pkcs7.ContentType.String()
 
 	switch msg.ContentInfo {
 	case ObjIDData:
-		if err := populateData(msg, pkcs7.Content); err != nil {
+		if e := populateData(msg, pkcs7.Content); e != nil {
-			return nil, err
+			return nil, e
 		}
 	case ObjIDSignedData:
-		if err := populateSignedData(msg, pkcs7.Content.Bytes); err != nil {
+		if e := populateSignedData(msg, pkcs7.Content.Bytes); e != nil {
-			return nil, err
+			return nil, e
 		}
 	case ObjIDEncryptedData:
-		if err := populateEncryptedData(msg, pkcs7.Content.Bytes); err != nil {
+		if e := populateEncryptedData(msg, pkcs7.Content.Bytes); e != nil {
-			return nil, err
+			return nil, e
 		}
 	default:
-		return nil, certerr.ParsingError(certerr.ErrorSourceCertificate, errors.New("only PKCS# 7 content of type data, signed data or encrypted data can be parsed"))
+		return nil, certerr.ParsingError(
+			certerr.ErrorSourceCertificate,
+			errors.New("only PKCS# 7 content of type data, signed data or encrypted data can be parsed"),
+		)
 	}
 
 	return msg, nil
-
 }

certlib/revoke/revoke.go

@@ -5,6 +5,7 @@ package revoke
 
 import (
 	"bytes"
+	"context"
 	"crypto"
 	"crypto/x509"
 	"encoding/base64"
@@ -89,35 +90,35 @@ func ldapURL(url string) bool {
 // - false, false: an error was encountered while checking revocations.
 // - false, true:  the certificate was checked successfully, and it is not revoked.
 // - true, true:   the certificate was checked successfully, and it is revoked.
-// - true, false:  failure to check revocation status causes verification to fail
+// - true, false:  failure to check revocation status causes verification to fail.
-func revCheck(cert *x509.Certificate) (revoked, ok bool, err error) {
+func revCheck(cert *x509.Certificate) (bool, bool, error) {
 	for _, url := range cert.CRLDistributionPoints {
 		if ldapURL(url) {
 			log.Infof("skipping LDAP CRL: %s", url)
 			continue
 		}
 
-		if revoked, ok, err := certIsRevokedCRL(cert, url); !ok {
+		if rvk, ok2, err2 := certIsRevokedCRL(cert, url); !ok2 {
 			log.Warning("error checking revocation via CRL")
 			if HardFail {
-				return true, false, err
+				return true, false, err2
 			}
-			return false, false, err
+			return false, false, err2
-		} else if revoked {
+		} else if rvk {
 			log.Info("certificate is revoked via CRL")
-			return true, true, err
+			return true, true, err2
 		}
 	}
 
-	if revoked, ok, err := certIsRevokedOCSP(cert, HardFail); !ok {
+	if rvk, ok2, err2 := certIsRevokedOCSP(cert, HardFail); !ok2 {
 		log.Warning("error checking revocation via OCSP")
 		if HardFail {
-			return true, false, err
+			return true, false, err2
 		}
-		return false, false, err
+		return false, false, err2
-	} else if revoked {
+	} else if rvk {
 		log.Info("certificate is revoked via OCSP")
-		return true, true, err
+		return true, true, err2
 	}
 
 	return false, true, nil
@@ -125,13 +126,17 @@ func revCheck(cert *x509.Certificate) (revoked, ok bool, err error) {
 
 // fetchCRL fetches and parses a CRL.
 func fetchCRL(url string) (*x509.RevocationList, error) {
-	resp, err := HTTPClient.Get(url)
+	req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, url, nil)
+	if err != nil {
+		return nil, err
+	}
+	resp, err := HTTPClient.Do(req)
 	if err != nil {
 		return nil, err
 	}
 	defer resp.Body.Close()
 
-	if resp.StatusCode >= 300 {
+	if resp.StatusCode >= http.StatusMultipleChoices {
 		return nil, errors.New("failed to retrieve CRL")
 	}
 
@@ -154,12 +159,11 @@ func getIssuer(cert *x509.Certificate) *x509.Certificate {
 	}
 
 	return issuer
-
 }
 
 // check a cert against a specific CRL. Returns the same bool pair
 // as revCheck, plus an error if one occurred.
-func certIsRevokedCRL(cert *x509.Certificate, url string) (revoked, ok bool, err error) {
+func certIsRevokedCRL(cert *x509.Certificate, url string) (bool, bool, error) {
 	crlLock.Lock()
 	crl, ok := CRLSet[url]
 	if ok && crl == nil {
@@ -187,10 +191,9 @@ func certIsRevokedCRL(cert *x509.Certificate, url string) (revoked, ok bool, err
 
 		// check CRL signature
 		if issuer != nil {
-			err = crl.CheckSignatureFrom(issuer)
+			if sigErr := crl.CheckSignatureFrom(issuer); sigErr != nil {
-			if err != nil {
+				log.Warningf("failed to verify CRL: %v", sigErr)
-				log.Warningf("failed to verify CRL: %v", err)
+				return false, false, sigErr
-				return false, false, err
 			}
 		}
 
@@ -199,40 +202,44 @@ func certIsRevokedCRL(cert *x509.Certificate, url string) (revoked, ok bool, err
 		crlLock.Unlock()
 	}
 
-	for _, revoked := range crl.RevokedCertificates {
+	for _, entry := range crl.RevokedCertificateEntries {
-		if cert.SerialNumber.Cmp(revoked.SerialNumber) == 0 {
+		if cert.SerialNumber.Cmp(entry.SerialNumber) == 0 {
 			log.Info("Serial number match: intermediate is revoked.")
-			return true, true, err
+			return true, true, nil
 		}
 	}
 
-	return false, true, err
+	return false, true, nil
 }
 
 // VerifyCertificate ensures that the certificate passed in hasn't
 // expired and checks the CRL for the server.
-func VerifyCertificate(cert *x509.Certificate) (revoked, ok bool) {
+func VerifyCertificate(cert *x509.Certificate) (bool, bool) {
-	revoked, ok, _ = VerifyCertificateError(cert)
+	revoked, ok, _ := VerifyCertificateError(cert)
 	return revoked, ok
 }
 
 // VerifyCertificateError ensures that the certificate passed in hasn't
 // expired and checks the CRL for the server.
-func VerifyCertificateError(cert *x509.Certificate) (revoked, ok bool, err error) {
+func VerifyCertificateError(cert *x509.Certificate) (bool, bool, error) {
-    if !time.Now().Before(cert.NotAfter) {
+	if !time.Now().Before(cert.NotAfter) {
-        msg := fmt.Sprintf("Certificate expired %s\n", cert.NotAfter)
+		msg := fmt.Sprintf("Certificate expired %s\n", cert.NotAfter)
-        log.Info(msg)
+		log.Info(msg)
-        return true, true, errors.New(msg)
+		return true, true, errors.New(msg)
-    } else if !time.Now().After(cert.NotBefore) {
+	} else if !time.Now().After(cert.NotBefore) {
-        msg := fmt.Sprintf("Certificate isn't valid until %s\n", cert.NotBefore)
+		msg := fmt.Sprintf("Certificate isn't valid until %s\n", cert.NotBefore)
-        log.Info(msg)
+		log.Info(msg)
-        return true, true, errors.New(msg)
+		return true, true, errors.New(msg)
-    }
+	}
-    return revCheck(cert)
+	return revCheck(cert)
 }
 
 func fetchRemote(url string) (*x509.Certificate, error) {
-	resp, err := HTTPClient.Get(url)
+	req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, url, nil)
+	if err != nil {
+		return nil, err
+	}
+	resp, err := HTTPClient.Do(req)
 	if err != nil {
 		return nil, err
 	}
@@ -255,8 +262,12 @@ var ocspOpts = ocsp.RequestOptions{
 	Hash: crypto.SHA1,
 }
 
-func certIsRevokedOCSP(leaf *x509.Certificate, strict bool) (revoked, ok bool, e error) {
+const ocspGetURLMaxLen = 256
-	var err error
+
+func certIsRevokedOCSP(leaf *x509.Certificate, strict bool) (bool, bool, error) {
+	var revoked bool
+	var ok bool
+	var lastErr error
 
 	ocspURLs := leaf.OCSPServer
 	if len(ocspURLs) == 0 {
@@ -272,15 +283,16 @@ func certIsRevokedOCSP(leaf *x509.Certificate, strict bool) (revoked, ok bool, e
 
 	ocspRequest, err := ocsp.CreateRequest(leaf, issuer, &ocspOpts)
 	if err != nil {
-		return revoked, ok, err
+		return false, false, err
 	}
 
 	for _, server := range ocspURLs {
-		resp, err := sendOCSPRequest(server, ocspRequest, leaf, issuer)
+		resp, e := sendOCSPRequest(server, ocspRequest, leaf, issuer)
-		if err != nil {
+		if e != nil {
 			if strict {
-				return revoked, ok, err
+				return false, false, e
 			}
+			lastErr = e
 			continue
 		}
 
@@ -292,9 +304,9 @@ func certIsRevokedOCSP(leaf *x509.Certificate, strict bool) (revoked, ok bool, e
 			revoked = true
 		}
 
-		return revoked, ok, err
+		return revoked, ok, nil
 	}
-	return revoked, ok, err
+	return revoked, ok, lastErr
 }
 
 // sendOCSPRequest attempts to request an OCSP response from the
@@ -303,12 +315,21 @@ func certIsRevokedOCSP(leaf *x509.Certificate, strict bool) (revoked, ok bool, e
 func sendOCSPRequest(server string, req []byte, leaf, issuer *x509.Certificate) (*ocsp.Response, error) {
 	var resp *http.Response
 	var err error
-	if len(req) > 256 {
+	if len(req) > ocspGetURLMaxLen {
 		buf := bytes.NewBuffer(req)
-		resp, err = HTTPClient.Post(server, "application/ocsp-request", buf)
+		httpReq, e := http.NewRequestWithContext(context.Background(), http.MethodPost, server, buf)
+		if e != nil {
+			return nil, e
+		}
+		httpReq.Header.Set("Content-Type", "application/ocsp-request")
+		resp, err = HTTPClient.Do(httpReq)
 	} else {
 		reqURL := server + "/" + neturl.QueryEscape(base64.StdEncoding.EncodeToString(req))
-		resp, err = HTTPClient.Get(reqURL)
+		httpReq, e := http.NewRequestWithContext(context.Background(), http.MethodGet, reqURL, nil)
+		if e != nil {
+			return nil, e
+		}
+		resp, err = HTTPClient.Do(httpReq)
 	}
 
 	if err != nil {
@@ -343,21 +364,21 @@ func sendOCSPRequest(server string, req []byte, leaf, issuer *x509.Certificate)
 
 var crlRead = io.ReadAll
 
-// SetCRLFetcher sets the function to use to read from the http response body
+// SetCRLFetcher sets the function to use to read from the http response body.
 func SetCRLFetcher(fn func(io.Reader) ([]byte, error)) {
 	crlRead = fn
 }
 
 var remoteRead = io.ReadAll
 
-// SetRemoteFetcher sets the function to use to read from the http response body
+// SetRemoteFetcher sets the function to use to read from the http response body.
 func SetRemoteFetcher(fn func(io.Reader) ([]byte, error)) {
 	remoteRead = fn
 }
 
 var ocspRead = io.ReadAll
 
-// SetOCSPFetcher sets the function to use to read from the http response body
+// SetOCSPFetcher sets the function to use to read from the http response body.
 func SetOCSPFetcher(fn func(io.Reader) ([]byte, error)) {
 	ocspRead = fn
 }

certlib/revoke/revoke_test.go

@@ -1,3 +1,4 @@
+//nolint:testpackage // keep tests in the same package for internal symbol access
 package revoke
 
 import (
@@ -50,7 +51,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 // to indicate that this is the case.
 
 // 2014/05/22 14:18:17 Certificate expired 2014-04-04 14:14:20 +0000 UTC
-// 2014/05/22 14:18:17 Revoked certificate: misc/intermediate_ca/ActalisServerAuthenticationCA.crt
+// 2014/05/22 14:18:17 Revoked certificate: misc/intermediate_ca/ActalisServerAuthenticationCA.crt.
 var expiredCert = mustParse(`-----BEGIN CERTIFICATE-----
 MIIEXTCCA8agAwIBAgIEBycURTANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV
 UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU
@@ -80,7 +81,7 @@ sESPRwHkcMUNdAp37FLweUw=
 
 // 2014/05/22 14:18:31 Serial number match: intermediate is revoked.
 // 2014/05/22 14:18:31 certificate is revoked via CRL
-// 2014/05/22 14:18:31 Revoked certificate: misc/intermediate_ca/MobileArmorEnterpriseCA.crt
+// 2014/05/22 14:18:31 Revoked certificate: misc/intermediate_ca/MobileArmorEnterpriseCA.crt.
 var revokedCert = mustParse(`-----BEGIN CERTIFICATE-----
 MIIEEzCCAvugAwIBAgILBAAAAAABGMGjftYwDQYJKoZIhvcNAQEFBQAwcTEoMCYG
 A1UEAxMfR2xvYmFsU2lnbiBSb290U2lnbiBQYXJ0bmVycyBDQTEdMBsGA1UECxMU
@@ -106,7 +107,7 @@ Kz5vh+5tmytUPKA8hUgmLWe94lMb7Uqq2wgZKsqun5DAWleKu81w7wEcOrjiiB+x
 jeBHq7OnpWm+ccTOPCE6H4ZN4wWVS7biEBUdop/8HgXBPQHWAdjL
 -----END CERTIFICATE-----`)
 
-// A Comodo intermediate CA certificate with issuer url, CRL url and OCSP url
+// A Comodo intermediate CA certificate with issuer url, CRL url and OCSP url.
 var goodComodoCA = (`-----BEGIN CERTIFICATE-----
 MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB
 hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
@@ -153,7 +154,7 @@ func mustParse(pemData string) *x509.Certificate {
 		panic("Invalid PEM type.")
 	}
 
-	cert, err := x509.ParseCertificate([]byte(block.Bytes))
+	cert, err := x509.ParseCertificate(block.Bytes)
 	if err != nil {
 		panic(err.Error())
 	}
@@ -182,7 +183,6 @@ func TestGood(t *testing.T) {
 	} else if revoked {
 		t.Fatalf("good certificate should not have been marked as revoked")
 	}
-
 }
 
 func TestLdap(t *testing.T) {
@@ -230,7 +230,6 @@ func TestBadCRLSet(t *testing.T) {
 		t.Fatalf("key emptystring should be deleted from CRLSet")
 	}
 	delete(CRLSet, "")
-
 }
 
 func TestCachedCRLSet(t *testing.T) {
@@ -241,13 +240,11 @@ func TestCachedCRLSet(t *testing.T) {
 }
 
 func TestRemoteFetchError(t *testing.T) {
-
 	badurl := ":"
 
 	if _, err := fetchRemote(badurl); err == nil {
 		t.Fatalf("fetching bad url should result in non-nil error")
 	}
-
 }
 
 func TestNoOCSPServers(t *testing.T) {

certlib/ski/ski.go

@@ -0,0 +1,157 @@
+package ski
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/rsa"
+	"crypto/sha1" // #nosec G505 this is the standard
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"encoding/pem"
+	"fmt"
+	"os"
+
+	"git.wntrmute.dev/kyle/goutils/certlib"
+	"git.wntrmute.dev/kyle/goutils/die"
+	"git.wntrmute.dev/kyle/goutils/lib"
+)
+
+const (
+	keyTypeRSA     = "RSA"
+	keyTypeECDSA   = "ECDSA"
+	keyTypeEd25519 = "Ed25519"
+)
+
+type subjectPublicKeyInfo struct {
+	Algorithm        pkix.AlgorithmIdentifier
+	SubjectPublicKey asn1.BitString
+}
+
+type KeyInfo struct {
+	PublicKey []byte
+	KeyType   string
+	FileType  string
+}
+
+func (k *KeyInfo) String() string {
+	return fmt.Sprintf("%s (%s)", lib.HexEncode(k.PublicKey, lib.HexEncodeLowerColon), k.KeyType)
+}
+
+func (k *KeyInfo) SKI(displayMode lib.HexEncodeMode) (string, error) {
+	var subPKI subjectPublicKeyInfo
+
+	_, err := asn1.Unmarshal(k.PublicKey, &subPKI)
+	if err != nil {
+		return "", fmt.Errorf("serializing SKI: %w", err)
+	}
+
+	pubHash := sha1.Sum(subPKI.SubjectPublicKey.Bytes) // #nosec G401 this is the standard
+	pubHashString := lib.HexEncode(pubHash[:], displayMode)
+
+	return pubHashString, nil
+}
+
+// ParsePEM parses a PEM file and returns the public key and its type.
+func ParsePEM(path string) (*KeyInfo, error) {
+	material := &KeyInfo{}
+
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("parsing X.509 material %s: %w", path, err)
+	}
+
+	data = bytes.TrimSpace(data)
+	p, rest := pem.Decode(data)
+	if len(rest) > 0 {
+		lib.Warnx("trailing data in PEM file")
+	}
+
+	if p == nil {
+		return nil, fmt.Errorf("no PEM data in %s", path)
+	}
+
+	data = p.Bytes
+
+	switch p.Type {
+	case "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY":
+		material.PublicKey, material.KeyType = parseKey(data)
+		material.FileType = "private key"
+	case "CERTIFICATE":
+		material.PublicKey, material.KeyType = parseCertificate(data)
+		material.FileType = "certificate"
+	case "CERTIFICATE REQUEST":
+		material.PublicKey, material.KeyType = parseCSR(data)
+		material.FileType = "certificate request"
+	default:
+		return nil, fmt.Errorf("unknown PEM type %s", p.Type)
+	}
+
+	return material, nil
+}
+
+func parseKey(data []byte) ([]byte, string) {
+	priv, err := certlib.ParsePrivateKeyDER(data)
+	if err != nil {
+		die.If(err)
+	}
+
+	var kt string
+	switch priv.Public().(type) {
+	case *rsa.PublicKey:
+		kt = keyTypeRSA
+	case *ecdsa.PublicKey:
+		kt = keyTypeECDSA
+	default:
+		die.With("unknown private key type %T", priv)
+	}
+
+	public, err := x509.MarshalPKIXPublicKey(priv.Public())
+	die.If(err)
+
+	return public, kt
+}
+
+func parseCertificate(data []byte) ([]byte, string) {
+	cert, err := x509.ParseCertificate(data)
+	die.If(err)
+
+	pub := cert.PublicKey
+	var kt string
+	switch pub.(type) {
+	case *rsa.PublicKey:
+		kt = keyTypeRSA
+	case *ecdsa.PublicKey:
+		kt = keyTypeECDSA
+	case *ed25519.PublicKey:
+		kt = keyTypeEd25519
+	default:
+		die.With("unknown public key type %T", pub)
+	}
+
+	public, err := x509.MarshalPKIXPublicKey(pub)
+	die.If(err)
+	return public, kt
+}
+
+func parseCSR(data []byte) ([]byte, string) {
+	// Use certlib to support both PEM and DER and to centralize validation.
+	csr, _, err := certlib.ParseCSR(data)
+	die.If(err)
+
+	pub := csr.PublicKey
+	var kt string
+	switch pub.(type) {
+	case *rsa.PublicKey:
+		kt = keyTypeRSA
+	case *ecdsa.PublicKey:
+		kt = keyTypeECDSA
+	default:
+		die.With("unknown public key type %T", pub)
+	}
+
+	public, err := x509.MarshalPKIXPublicKey(pub)
+	die.If(err)
+	return public, kt
+}

certlib/testdata/cert1.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID2zCCAsOgAwIBAgIUN0qOIUWB0UCmtutt2RH6PCmcuhEwDQYJKoZIhvcNAQEL
+BQAwfTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExIjAgBgNVBAoM
+GVdOVFJNVVRFIEhlYXZ5IEluZHVzdHJpZXMxHzAdBgNVBAsMFkNyeXB0b2dyYXBo
+aWMgU2VydmljZXMxFDASBgNVBAMMC3Rlc3QtY2VydC0xMB4XDTI1MTExOTA4MjM1
+MFoXDTQ1MTExNDA4MjM1MFowfTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlm
+b3JuaWExIjAgBgNVBAoMGVdOVFJNVVRFIEhlYXZ5IEluZHVzdHJpZXMxHzAdBgNV
+BAsMFkNyeXB0b2dyYXBoaWMgU2VydmljZXMxFDASBgNVBAMMC3Rlc3QtY2VydC0x
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7sbIJyBfBBF2oHnFOfLS
+rtcIUpZcz0fJ9JNtjzazwfyykVV9nuIC4JyD+VhxxSnSQN1H6kHqmcNNJlsQkGjK
+TcA6wcFxMRcWyaV5MY3U7MTe1WJJXTrpAFYTOoo0pQaoONBaWn48qfdQc9OvtU17
+wgBFhNWfdJaDKDAcyz4pHj9ihl80brvThOwrhUAWRw3ooyZ3m+T8Bgrkqp4ZPv3w
+A8oaAoA91UKT5yKRcIAJHAkE4ep0UZdcNPKhBu7L5Jqh8I4EtG0FnZKkOR7gpw+y
+YhIhuewWlQWRJwXBv3TwX9njmKwfE6Uftgy9HPbc66mK61FR3fEsU9KHaCmkXDwH
+SQIDAQABo1MwUTAdBgNVHQ4EFgQUD2idNc+Yq+6am5/+lizTVJ5HRBUwHwYDVR0j
+BBgwFoAUD2idNc+Yq+6am5/+lizTVJ5HRBUwDwYDVR0TAQH/BAUwAwEB/zANBgkq
+hkiG9w0BAQsFAAOCAQEAcsa8Htaxw4HhtS8mboC41+FiqFisXfASO0LbsCLGjmrg
+Vi9MP9cg06g1AjxxlYw9KsbSXdn/jdbVqcQJxGItZ+CE1AcwUVg3c4ZmPOGIl4LS
+Pv2p2Lv4nCRWXrbp96O+lmC1xclziUTYGdQO9pNi71LcSapjLNlxWCWyvAJhWrVe
+zZHjGi1nG6ygpPXpldXFyyw61xpjPKc1eghoI125Am5xr3YhPjLM9IGGA1i6R9rC
+TlKjQOy8nUPC00jZrAf+HWdMWSpa320eOPi+qz18qbyfl8KMOBFvmA3mdumoABGn
+Mre0Gq9fUcd/KdPEHu++XAcLH3M8pqmeUQHHHse0gQ==
+-----END CERTIFICATE-----

certlib/testdata/cert2.pem

@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF2zCCA8OgAwIBAgIUXosHyc+4br2XvK+fLJ+6uG8G/eYwDQYJKoZIhvcNAQEL
+BQAwfTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExIjAgBgNVBAoM
+GVdOVFJNVVRFIEhlYXZ5IEluZHVzdHJpZXMxHzAdBgNVBAsMFkNyeXB0b2dyYXBo
+aWMgU2VydmljZXMxFDASBgNVBAMMC3Rlc3QtY2VydC0yMB4XDTI1MTExOTA4MjQy
+MloXDTQ1MTExNDA4MjQyMlowfTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlm
+b3JuaWExIjAgBgNVBAoMGVdOVFJNVVRFIEhlYXZ5IEluZHVzdHJpZXMxHzAdBgNV
+BAsMFkNyeXB0b2dyYXBoaWMgU2VydmljZXMxFDASBgNVBAMMC3Rlc3QtY2VydC0y
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA8G39r3JD0RNTT2d1Omtf
+WSxv2XzSgSmiAZl6wpcmvE/C9smltXskK/74vxTRpTSoTVtMi1dNWbZlYag+BaqF
+60Cp0kGPESIyLDtUQCZpQypKYjOXVPiwd9xXGAdE7Br7dFaUArGRJiWzPX/vjgdK
+mruRk+c3ABFhdbiq3CWCPz3uheu9ekUTgK8CEAFsWg2ehTjWIEJU61M6AITvSIUZ
+GUEaNC3cAeP7Wx3Vy694fT9WoHpyr6dtWsTzbWyuSPtQ8uR2BEcunUxiBtQthio5
+xv20ZgD9C+dJnwr9tE7JKh1MCrFQNkt7EedKABTVYxYxMVATYUUg+jZPy68v1KnL
+kYIeB/TBB6iVGIOc9EKWjGv+luebR7OGgu3sZTFxsW5Dq0LSjzLJqoKROtYEEnJt
+sWo6V1j7WMs1MPl8NtqqmJjlSJx/OUaVuseB/uji107aIMEKgOwTmFDfPdVYDhQG
+eQ3V0Ro25/A/oe5yxEDNnSWGPtOHRq7aSJHM3/0qaPxg+RPrObb3ISRkXs5GBOHV
+ss+Nk4McbCV6Zccy6gi+wrz7fiXHijpSWcVVfN9A61TSTTjAX+S9CphcjkS4I2JW
+OJY5i9ANP62mr73d2NSikoTXavUCgOBlW00m0gAR0JJYNe/31yS96UwvH0xCHxer
+1tX3qwGEjE0fhnwMhxP4tmkCAwEAAaNTMFEwHQYDVR0OBBYEFCs+ZbZ0uorYlg26
+m5PSz4Ov66KEMB8GA1UdIwQYMBaAFCs+ZbZ0uorYlg26m5PSz4Ov66KEMA8GA1Ud
+EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAJneix0lCM4CqdrajmaHa8Y4
+Sdr3URSufzW0l8zoBWss1z88X9aZemWKCd4UDSVpN+T6hEASvAw6zRSd2WkmCsdq
+KnwHFnDDWGANt/CBcbr69Sk09YLMO+F0Cku8Ymp2jcAFy074E/wjwxgT6JJ/BtQE
+q1JJNusanYN2jrYamB1PUnc4lWyOIOOTIU6oqofcJobtTJbSAA7Gvx4p85TMBnQu
+YJdBQ3jnFFH3pjCXA9BXaZnaiJjnfDggsJJT7CXngC4US/ti4qZr7+Poc0Ikb/Pm
+8EChKKvljZEtcxrhLhsVEzsJtk72F9Ravl+q2jS1zDqnS3OY6kf45nuYnvZ4QkX4
+Nk8Y6PmGGk00QCAxyVsiFrm7wZHHvnQyQr8nxjPOv2MryV5e3rW9WAzAG4vHPS1F
+5wi3ELiuivkoO5daDwzfVsKhQ3Nl2uAfS8pvY/NvTVPJnR+wdduJqgLMzAWhbRnx
+r6WxuiY9mdkdkr6PDDnrw/4lm+GRFw8ksn8ErB3nZf73lo1Ai+Iv2FIi5Ore/qeq
+vZjVNvBpZBiMo5d2zDWtp3m8vWgmgXDaKZXn0YAJATkqnhAKbdZ2cmwbGTZhIdrZ
+pqoq2KPY+luirIIDiKDbkW4b2HRxwSM8cI2HxONGcB43FcZHlpMhOtM3DD0Z8lQD
+b2Hi9ZK8kpL8qa2vFpOe
+-----END CERTIFICATE-----

certlib/testdata/ec-ca-cert.csr

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBzTCCAS4CAQAwgYgxCzAJBgNVBAYTAlVTMQkwBwYDVQQIEwAxCTAHBgNVBAcT
+ADEiMCAGA1UEChMZV05UUk1VVEUgSEVBVlkgSU5EVVNUUklFUzEfMB0GA1UECxMW
+Q1JZUFRPR1JBUEhJQyBTRVJWSUNFUzEeMBwGA1UEAxMVV05UUk1VVEUgVEVTVCBF
+QyBDQSAxMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAQxmTxzo1XOK0HDrtn92b
+exC4sXr8GnU+oATiXied3e1AWVOux9XtaWduY+a+r6Kb1rxMVyebn9KqtwNw+9KS
+XaEB1IN9QzfdxEcJgRIAVtFplOqCip5xKK0B+woo3wXm3ndq2kJts86aONqQ0m2g
+RrsmAKAX4pwmMnAHFF7veBcpsqugADAKBggqhkjOPQQDBAOBjAAwgYgCQgDG8Hdu
+FkC3z0u0MU01+Bi/2MorcVTvdkurLm6Rh2Zf65aaXK8PDdV/cPZ98qx7NoLDSvwF
+83gJuUI/3nVB/Ith7wJCAb6SAkXroT7y41XHayyTYb6+RKSlxxb9e5rtVCp/nG23
+s59r23vUC/wDb4VWJE5jKi5vmXfjY+RAL9FOnpr2wsX0
+-----END CERTIFICATE REQUEST-----

certlib/testdata/ec-ca-cert.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4TCCAkKgAwIBAgIUSnrCuvU8kj0nxNzmTgibiPLrQ8QwCgYIKoZIzj0EAwQw
+gYgxCzAJBgNVBAYTAlVTMQkwBwYDVQQIEwAxCTAHBgNVBAcTADEiMCAGA1UEChMZ
+V05UUk1VVEUgSEVBVlkgSU5EVVNUUklFUzEfMB0GA1UECxMWQ1JZUFRPR1JBUEhJ
+QyBTRVJWSUNFUzEeMBwGA1UEAxMVV05UUk1VVEUgVEVTVCBFQyBDQSAxMB4XDTI1
+MTExOTIwNTgwMVoXDTQ1MTExNDIxNTgwMVowgYgxCzAJBgNVBAYTAlVTMQkwBwYD
+VQQIEwAxCTAHBgNVBAcTADEiMCAGA1UEChMZV05UUk1VVEUgSEVBVlkgSU5EVVNU
+UklFUzEfMB0GA1UECxMWQ1JZUFRPR1JBUEhJQyBTRVJWSUNFUzEeMBwGA1UEAxMV
+V05UUk1VVEUgVEVTVCBFQyBDQSAxMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA
+QxmTxzo1XOK0HDrtn92bexC4sXr8GnU+oATiXied3e1AWVOux9XtaWduY+a+r6Kb
+1rxMVyebn9KqtwNw+9KSXaEB1IN9QzfdxEcJgRIAVtFplOqCip5xKK0B+woo3wXm
+3ndq2kJts86aONqQ0m2gRrsmAKAX4pwmMnAHFF7veBcpsqujRTBDMA4GA1UdDwEB
+/wQEAwICBDASBgNVHRMBAf8ECDAGAQH/AgEDMB0GA1UdDgQWBBSNqRkvwUgIHGa2
+jKmA2Q3w6Ju/FzAKBggqhkjOPQQDBAOBjAAwgYgCQgCckIFCjzJExxbV9dqm92nr
+safC3kqhCxjmilf0IYWVj5f1kymoFr3jPpmy0iFcteUk0QTcqpnUT4i140lxtyK8
+NAJCAVxbicZgVns9rgp6hu14l81j0XMpNgzy0QxscjMpWS/17iDJ4Y5vCWpwekrr
+F1cmmRpsodONacAvTml4ehKE2ekx
+-----END CERTIFICATE-----

certlib/testdata/ec-ca-priv.pem

@@ -0,0 +1,8 @@
+-----BEGIN PRIVATE KEY-----
+MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIAzkf/rvLGJBTVHHHr
+lUhzsRJZgkyzSY5YE3KBReDyFWc+OB48C1gdYB1u7+PxgyfwYACjPx2y1AxN8fJh
+XonY39mhgYkDgYYABABDGZPHOjVc4rQcOu2f3Zt7ELixevwadT6gBOJeJ53d7UBZ
+U67H1e1pZ25j5r6vopvWvExXJ5uf0qq3A3D70pJdoQHUg31DN93ERwmBEgBW0WmU
+6oKKnnEorQH7CijfBebed2raQm2zzpo42pDSbaBGuyYAoBfinCYycAcUXu94Fymy
+qw==
+-----END PRIVATE KEY-----

certlib/testdata/ec-ca.yaml

@@ -0,0 +1,13 @@
+key:
+  algorithm: ecdsa
+  size: 521
+subject:
+  common_name: WNTRMUTE TEST EC CA 1
+  country: US
+  organization: WNTRMUTE HEAVY INDUSTRIES
+  organizational_unit: CRYPTOGRAPHIC SERVICES
+profile:
+  is_ca: true
+  path_len: 3
+  key_uses: cert sign
+  expiry: 20y

certlib/testdata/priv1.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDuxsgnIF8EEXag
+ecU58tKu1whSllzPR8n0k22PNrPB/LKRVX2e4gLgnIP5WHHFKdJA3UfqQeqZw00m
+WxCQaMpNwDrBwXExFxbJpXkxjdTsxN7VYkldOukAVhM6ijSlBqg40Fpafjyp91Bz
+06+1TXvCAEWE1Z90loMoMBzLPikeP2KGXzRuu9OE7CuFQBZHDeijJneb5PwGCuSq
+nhk+/fADyhoCgD3VQpPnIpFwgAkcCQTh6nRRl1w08qEG7svkmqHwjgS0bQWdkqQ5
+HuCnD7JiEiG57BaVBZEnBcG/dPBf2eOYrB8TpR+2DL0c9tzrqYrrUVHd8SxT0odo
+KaRcPAdJAgMBAAECggEALeHOK7CNeYFmj2MeyioWIGkrDP2eM2lqzf+3VYXwKEZH
+xOQN2cY5wdHpjTQY1odZAsRSkZnde/L6o/RrPCiauTKHR9yFRObYJuLQZTyJDf8t
+h4jVqp/Ljpg7pSvR/mUHVbV5qzpnK0zd7Yffk2Hidk6pjSMkexmB9eq62bYl3gz2
+dlgKrLgjlwUmhD0P5OhwCW2Z2rmrGwY1y3pj/FjvIckxpPcEle0o/xUIEbW7lZux
+3fCAu2Lvg+I9qE5MaWIfZX4aUQi5gJmUZpUCuDJjwFIztO+vSqKmw4zOUFKCRrAc
+VsicvHvwmhUCrVT/ebEkf0ntSQq1ED0FARJdYhfOlQKBgQD8ngiviLbVPxVur6Wo
+tMzNUUpaJxfyWfZ4w5eYLWKkYSlax1HMCLYyMU0dwSWdmmri+ibm91+VXEJ5DxQh
+O/nIF5f0DpWcFmnl4C16xlouWiY6kaSTALQfy/PnsEsEd7oljxesqrpdw7s7/S8q
+OUGkTP20M+U0WQQ/RNDWZoyMbQKBgQDx+U1I28ceHSrE6ss/ufWBt2WqiyqvC2NN
+444/WkBps5XWUN0HSOBrr8PlMY4jsxyPXuqDVn6P4yg26zIRrIvBLonZ1v1PAMbk
+nL1kVB78QOxS/xYOOO2Y2YFtPSztmFZnm8b7l/+9YzHAVp4IrpTsny6UyVZaYVSD
+3v7XowlkzQKBgGJrO50P2ZOZQUNfYV4qGoR/gEVBZ93+2LzSDzS1sfGy/QamEyM3
+3awOcyn9fyc46x3FMfTYOcAaMrexfTk5gaZIMuZd7EHkpZtuzKlBsA7RBoXZClJP
+et3MexkwIPn7n2VUq3eVCIjRYhgMGx0LM5zMdieH9GuBptrzd52gVG+9AoGAVhRL
+7AlTMmFJ37dvCoKK1dR6NEtBqfexIfo7lkny9CdQvGcT2g2Q2H40gAo6+HQ1SsOH
+RaW1bFZw7eiJbUQmi1iU7YvPnRU3rAgeT9ylETO/Xl8kZ3bU/zURF91VaEhzJHSE
+Ouh9r8/j2Pp3SbthezO9jGx7bbeGK0te+TMkmlkCgYAwYst1HRndKGMVdNPCEdlW
+aye+R3VtpTWGqDCJiMQCMUsCZF8KcYkCAQk7nXh55putfvTwnWfnqRn91e9yp+/7
+rsE3vnGRcbkjvcgZaFyZL7800pOYWEm8FF2xRSBBC49b8kjZPA1i5OME2P0Y4lon
+naIddZmTj87qOtEaY/MSGQ==
+-----END PRIVATE KEY-----

certlib/testdata/priv2.pem

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDwbf2vckPRE1NP
+Z3U6a19ZLG/ZfNKBKaIBmXrClya8T8L2yaW1eyQr/vi/FNGlNKhNW0yLV01ZtmVh
+qD4FqoXrQKnSQY8RIjIsO1RAJmlDKkpiM5dU+LB33FcYB0TsGvt0VpQCsZEmJbM9
+f++OB0qau5GT5zcAEWF1uKrcJYI/Pe6F6716RROArwIQAWxaDZ6FONYgQlTrUzoA
+hO9IhRkZQRo0LdwB4/tbHdXLr3h9P1agenKvp21axPNtbK5I+1Dy5HYERy6dTGIG
+1C2GKjnG/bRmAP0L50mfCv20TskqHUwKsVA2S3sR50oAFNVjFjExUBNhRSD6Nk/L
+ry/UqcuRgh4H9MEHqJUYg5z0QpaMa/6W55tHs4aC7exlMXGxbkOrQtKPMsmqgpE6
+1gQScm2xajpXWPtYyzUw+Xw22qqYmOVInH85RpW6x4H+6OLXTtogwQqA7BOYUN89
+1VgOFAZ5DdXRGjbn8D+h7nLEQM2dJYY+04dGrtpIkczf/Spo/GD5E+s5tvchJGRe
+zkYE4dWyz42TgxxsJXplxzLqCL7CvPt+JceKOlJZxVV830DrVNJNOMBf5L0KmFyO
+RLgjYlY4ljmL0A0/raavvd3Y1KKShNdq9QKA4GVbTSbSABHQklg17/fXJL3pTC8f
+TEIfF6vW1ferAYSMTR+GfAyHE/i2aQIDAQABAoICAEMrJ1VNgd62HG8xgxGYD6I1
+BOZotdJ51BXIUABvA9ZWHiyd9xp1VYypBcs0QMF7rY029XJ0KFro1vfqbbFdi15G
+yWrA//wUZpnu1UG6uWuXNAKtURjfBUXnG7nNxhaEDz3YNi9udhOHMsT6qe0u4kvK
+HQiJ7tapBGZD+g/YtsN+RNXLHzs6cxFfUx8vlpqt9VxYnZGTlm/L54dfnA3RiUqB
+4pUzPqSUkZNKCYGG+w1alZPtwX6LMsTKAwvN8f7XnyzMYKAfVsmBHl20ByfVQiDy
+neRlYExkCDBTfL9Tx2Vpm+Xc1YDlo3ND/2t4ZojxGTsimNdy3Zypca+AuMcbzI/G
+fTY/qSQHrP/bz07oYwvFXUQhcVzuA6/DPzVL017SSOxCHTM2l4MItV4NE1ZLlEmq
+ehzzqgSMgtyse8axWuYdzCfo7coHJESSJHxdxwbNDyQNZnVeQ0/hQ6w6GsQpKfKT
+QjpxYuZlysLxwFtIB/5Qg9nUjZbWtA08shrSH5vY2YKjdV+84no4ilhfrsm3sNb+
+msrm3NcsNy3lhMDvp15yx9f89j4mpyaxzp6CZa6jhW4BVAUxxRSL0MBaX+06JEsF
+g8WVoZkCGyq3W8CaCzHG0gD0CYf1tKRXrwwDzVEUVN2N/u2BRJRogP5zPyjHi8Fl
+hOu+0f5mlu89n1rse9CVAoIBAQD7Vg7sPaS4et3K/NqIAe7HWElGB0aN/p8Coiwv
+xcamZAKYO3IbT/bgo0tJ2DynJJicBrfq4LMd97rldRjiD3CH88JFBEgm/L7HvYnQ
+wZh/OiLuUyrGKbAgUjbUVDnFDgFrxN1sdSG43l9N5+hJ4Yz47Jek5/8pZ1uOR70N
+usvPSKgcpcW8BJ1MwoOCQhaXhN+Yc/Y5FkPZ35C+IiRXJ/Hl6J0TCX/L48IKTdY9
+9F5wh9gHHxU+y0FFNbsD3PuwzYJsdxlVg0mbHLnHy8rKt9tJ/TDM+dXGsrOzimKG
+uZIIShyhQg1B/C7vOU3e5o2SNd7isaI6JqKWNwF7OLE6jpQrAoIBAQD05B9jYMjt
+NS3423V4Y7Qw0hMXfz/r36VLNUw3tBLbybL/qmBkEt4tYdn7FihVB6u4PRxWDh28
+A3XkQiIp+Awwn5CzixBf5cdSiozN673LzwMWOqHvfEjav5gWGabeCO2R62Zdt9Jt
+VcGwrHU+9F0gBySOB+OAp5HTTf9Y8ItQgcNeYDZUQzgArRJRBMrIZjx3jAYMb6N6
+SVQRYDZ0VDBvLpTGbJ7wDoQkYZ80jou6eBov6O3WXGkEVHJec9ULNWOvUgPU+SOB
+NJ2vLJuKmQxacPjtyo87BePYQoUpmYA389BdQkK+wFy8t/m4cpGb/h0uWAonFCA1
+fAGQFKnEAvG7AoIBAE41LDWUxPHmwadNYQ7bUxrSvRI+Z1T9+yrNneRLrZHPIwON
+0+btzgt+pInY8J6uA5LhgE9lFjdoA88szc5iMYkMb9IcD/uZwB/VOdIsu7AzPfVd
+Cb1Z8YVNL+SIROWtgwGu45vBIvossAlE9YIv3jcDH/jffAW9NL8kUY65JnxcxnsL
+lmj4Ip5lFJjuyariXNVKmD6RUBG2wIp5g0dflaUN6fqnhQ3D1HhyWg0zQkPP8Yfd
+wzWj9656lrQQCn2spT3tHYP/c2MB4Elsf7Du3xy53Xqa70uCBesDT79OdUOBFEGV
+lRyIRW6JLVMD+N+bRbzSu4FOzl7hxOM78+IdxbsCggEBAOD9UUUpX5BngmQXpHZG
+C/+qkbXNyDl6EM/nGK44t/bL+bNgogxvNUa2luFTexyb3o13P7hkYbch6scaZ27t
+oK1vfC8oPZQNdLIF7tUlmAtOlsRue+ad5gVrb1wmlyN5SmL8xeCmiSLAXiJmX5XG
+RmSti00ePEswKQ7coxPgc+40Of1UIbYKx8H/QEvFPlUdcMJYmBoG20f3ZNBN99mq
+m5EaV79xfhiJDairM+zCZeecflq0Awclgapjt2vFud8BXyNtE24wswj7AUA2mHSe
+pjXVgy5dIniUsb83ZkZQ6/b7/twfi1jbPJh54mkugU6zCbZRVoqOuATLeFgaU9ps
+5g8CggEBAIqE5wD2ezkZaN5XHBbYvMqzrnA2TQLxy+KD3XjuPE/EWidPz7nF0Z3q
+ucYBSyeak0dM6ZKcJFRVYcd3zr9Ssee5YO7n6ZE0AJdBJJSY3WAULTAO7GEQiIVS
+e2ptLBkaJv5Wsl558gTVVXzgTXyoprwTVeeOact8VnmIea3mHVghPAG6oPzgG2v8
+PDE64Zdu/OZs5nvEd262u5svsb0dgCPkXtKofkfxRhV7yDRtIkVe7qyK1Gq8BxNA
+wi5i7S0WTO1qmyu3l93JzSGYyca8US34KB7DIYO5u2yQRNhBkbKDRpkvPNIycY+J
+UAkHH7gJHv8bZgg5FVXt0B9875Z9qAI=
+-----END PRIVATE KEY-----

certlib/testdata/rsa-ca-cert.csr

@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBCjCBvQIBADCBiTELMAkGA1UEBhMCVVMxCTAHBgNVBAgTADEJMAcGA1UEBxMA
+MSIwIAYDVQQKExlXTlRSTVVURSBIRUFWWSBJTkRVU1RSSUVTMR8wHQYDVQQLExZD
+UllQVE9HUkFQSElDIFNFUlZJQ0VTMR8wHQYDVQQDExZXTlRSTVVURSBURVNUIFJT
+QSBDQSAxMCowBQYDK2VwAyEA1Lai2WChuUH2kq4LWddp6TlcmpuuBz6G43e9efsZ
+GBqgADAFBgMrZXADQQDbBl1gW07c0g9UQmK2g8QkVIXzr2TLrOjXVAptlcW/3rPO
+M3iQM2mGwZWMwv7t6C4C7xBaLcUkcqT3b4S+MaUK
+-----END CERTIFICATE REQUEST-----

certlib/testdata/rsa-ca-cert.pem

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICHDCCAc6gAwIBAgIVAN1AKHhLNsqcBEKYCqgjEMG65hhvMAUGAytlcDCBiTEL
+MAkGA1UEBhMCVVMxCTAHBgNVBAgTADEJMAcGA1UEBxMAMSIwIAYDVQQKExlXTlRS
+TVVURSBIRUFWWSBJTkRVU1RSSUVTMR8wHQYDVQQLExZDUllQVE9HUkFQSElDIFNF
+UlZJQ0VTMR8wHQYDVQQDExZXTlRSTVVURSBURVNUIFJTQSBDQSAxMB4XDTI1MTEx
+OTIxMDQyNVoXDTQ1MTExNDIyMDQyNVowgYkxCzAJBgNVBAYTAlVTMQkwBwYDVQQI
+EwAxCTAHBgNVBAcTADEiMCAGA1UEChMZV05UUk1VVEUgSEVBVlkgSU5EVVNUUklF
+UzEfMB0GA1UECxMWQ1JZUFRPR1JBUEhJQyBTRVJWSUNFUzEfMB0GA1UEAxMWV05U
+Uk1VVEUgVEVTVCBSU0EgQ0EgMTAqMAUGAytlcAMhANS2otlgoblB9pKuC1nXaek5
+XJqbrgc+huN3vXn7GRgao0UwQzAOBgNVHQ8BAf8EBAMCAgQwEgYDVR0TAQH/BAgw
+BgEB/wIBAzAdBgNVHQ4EFgQUetUgY5rlFq+OCeYe0Eqmp8Ek488wBQYDK2VwA0EA
+LIFZo6FQL+8q8h66Bm7favIh2AlqsXA45DpRUN2LpjNm/7NbTPDw52y8cLegUUMc
+UhDyk20fGg5g6cLywC0mDA==
+-----END CERTIFICATE-----

certlib/testdata/rsa-ca-priv.pem

@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIDDkYbIZKArACSevxtX2Rr8MQSeJ4Jz0qJEe/YgHfjzo
+-----END PRIVATE KEY-----

certlib/testdata/rsa-ca.yaml

@@ -0,0 +1,13 @@
+key:
+  algorithm: ed25519
+  size: 4096
+subject:
+  common_name: WNTRMUTE TEST RSA CA 1
+  country: US
+  organization: WNTRMUTE HEAVY INDUSTRIES
+  organizational_unit: CRYPTOGRAPHIC SERVICES
+profile:
+  is_ca: true
+  path_len: 3
+  key_uses: cert sign
+  expiry: 20y

certlib/verify/check.go

@@ -0,0 +1,49 @@
+package verify
+
+import (
+	"crypto/x509"
+	"fmt"
+	"time"
+
+	"git.wntrmute.dev/kyle/goutils/certlib/dump"
+)
+
+const DefaultLeeway = 2160 * time.Hour // three months
+
+type CertCheck struct {
+	Cert   *x509.Certificate
+	leeway time.Duration
+}
+
+func NewCertCheck(cert *x509.Certificate, leeway time.Duration) *CertCheck {
+	return &CertCheck{
+		Cert:   cert,
+		leeway: leeway,
+	}
+}
+
+func (c CertCheck) Expiry() time.Duration {
+	return time.Until(c.Cert.NotAfter)
+}
+
+func (c CertCheck) IsExpiring(leeway time.Duration) bool {
+	return c.Expiry() < leeway
+}
+
+// Err returns nil if the certificate is not expiring within the leeway period.
+func (c CertCheck) Err() error {
+	if !c.IsExpiring(c.leeway) {
+		return nil
+	}
+
+	return fmt.Errorf("%s expires in %s", dump.DisplayName(c.Cert.Subject), c.Expiry())
+}
+
+func (c CertCheck) Name() string {
+	return fmt.Sprintf("%s/SN=%s", dump.DisplayName(c.Cert.Subject),
+		c.Cert.SerialNumber)
+}
+
+func (c CertCheck) String() string {
+	return fmt.Sprintf("%s expires on %s (in %s)\n", c.Name(), c.Cert.NotAfter, c.Expiry())
+}

certlib/verify/verify.go

@@ -0,0 +1,144 @@
+package verify
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"fmt"
+	"io"
+
+	"git.wntrmute.dev/kyle/goutils/certlib/revoke"
+	"git.wntrmute.dev/kyle/goutils/lib/dialer"
+	"git.wntrmute.dev/kyle/goutils/lib/fetch"
+)
+
+func bundleIntermediates(w io.Writer, chain []*x509.Certificate, pool *x509.CertPool, verbose bool) *x509.CertPool {
+	for _, intermediate := range chain[1:] {
+		if verbose {
+			fmt.Fprintf(w, "[+] adding intermediate with SKI %x\n", intermediate.SubjectKeyId)
+		}
+		pool.AddCert(intermediate)
+	}
+
+	return pool
+}
+
+type Opts struct {
+	Verbose            bool
+	Config             *tls.Config
+	Intermediates      *x509.CertPool
+	ForceIntermediates bool
+	CheckRevocation    bool
+	KeyUsages          []x509.ExtKeyUsage
+}
+
+type verifyResult struct {
+	chain []*x509.Certificate
+	roots *x509.CertPool
+	ints  *x509.CertPool
+}
+
+func prepareVerification(w io.Writer, target string, opts *Opts) (*verifyResult, error) {
+	var (
+		roots, ints *x509.CertPool
+		err         error
+	)
+
+	if opts == nil {
+		opts = &Opts{
+			Config:             dialer.StrictBaselineTLSConfig(),
+			ForceIntermediates: false,
+		}
+	}
+
+	if opts.Config.RootCAs == nil {
+		roots, err = x509.SystemCertPool()
+		if err != nil {
+			return nil, fmt.Errorf("couldn't load system cert pool: %w", err)
+		}
+
+		opts.Config.RootCAs = roots
+	}
+
+	if opts.Intermediates == nil {
+		ints = x509.NewCertPool()
+	} else {
+		ints = opts.Intermediates.Clone()
+	}
+
+	roots = opts.Config.RootCAs.Clone()
+
+	chain, err := fetch.GetCertificateChain(target, opts.Config)
+	if err != nil {
+		return nil, fmt.Errorf("fetching certificate chain: %w", err)
+	}
+
+	if opts.Verbose {
+		fmt.Fprintf(w, "[+] %s has %d certificates\n", target, len(chain))
+	}
+
+	if len(chain) > 1 && opts.ForceIntermediates {
+		ints = bundleIntermediates(w, chain, ints, opts.Verbose)
+	}
+
+	return &verifyResult{
+		chain: chain,
+		roots: roots,
+		ints:  ints,
+	}, nil
+}
+
+// Chain fetches the certificate chain for a target and verifies it.
+func Chain(w io.Writer, target string, opts *Opts) ([]*x509.Certificate, error) {
+	result, err := prepareVerification(w, target, opts)
+	if err != nil {
+		return nil, fmt.Errorf("certificate verification failed: %w", err)
+	}
+
+	chains, err := CertWith(result.chain[0], result.roots, result.ints, opts.CheckRevocation, opts.KeyUsages...)
+	if err != nil {
+		return nil, fmt.Errorf("certificate verification failed: %w", err)
+	}
+
+	return chains, nil
+}
+
+// CertWith verifies a certificate against a set of roots and intermediates.
+func CertWith(
+	cert *x509.Certificate,
+	roots, ints *x509.CertPool,
+	checkRevocation bool,
+	keyUses ...x509.ExtKeyUsage,
+) ([]*x509.Certificate, error) {
+	if len(keyUses) == 0 {
+		keyUses = []x509.ExtKeyUsage{x509.ExtKeyUsageAny}
+	}
+
+	opts := x509.VerifyOptions{
+		Intermediates: ints,
+		Roots:         roots,
+		KeyUsages:     keyUses,
+	}
+
+	chains, err := cert.Verify(opts)
+	if err != nil {
+		return nil, err
+	}
+
+	if checkRevocation {
+		revoked, ok := revoke.VerifyCertificate(cert)
+		if !ok {
+			return nil, errors.New("failed to check certificate revocation status")
+		}
+
+		if revoked {
+			return nil, errors.New("certificate is revoked")
+		}
+	}
+
+	if len(chains) == 0 {
+		return nil, errors.New("no valid certificate chain found")
+	}
+
+	return chains[0], nil
+}

cmd/atping/main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"flag"
 	"fmt"
 	"net"
@@ -28,10 +29,16 @@ func connect(addr string, dport string, six bool, timeout time.Duration) error {
 
 	if verbose {
 		fmt.Printf("connecting to %s/%s... ", addr, proto)
-		os.Stdout.Sync()
+		if err = os.Stdout.Sync(); err != nil {
+			return err
+		}
 	}
 
-	conn, err := net.DialTimeout(proto, addr, timeout)
+	dialer := &net.Dialer{
+		Timeout: timeout,
+	}
+
+	conn, err := dialer.DialContext(context.Background(), proto, addr)
 	if err != nil {
 		if verbose {
 			fmt.Println("failed.")
@@ -42,8 +49,8 @@ func connect(addr string, dport string, six bool, timeout time.Duration) error {
 	if verbose {
 		fmt.Println("OK")
 	}
-	conn.Close()
+
-	return nil
+	return conn.Close()
 }
 
 func main() {

cmd/ca-signed/main.go

@@ -1,287 +1,193 @@
 package main
 
 import (
+	"bytes"
 	"crypto/x509"
 	"embed"
+	"flag"
 	"fmt"
 	"os"
-	"path/filepath"
-	"time"
 
 	"git.wntrmute.dev/kyle/goutils/certlib"
+	"git.wntrmute.dev/kyle/goutils/certlib/verify"
+	"git.wntrmute.dev/kyle/goutils/die"
+	"git.wntrmute.dev/kyle/goutils/lib"
+	"git.wntrmute.dev/kyle/goutils/lib/dialer"
+	"git.wntrmute.dev/kyle/goutils/lib/fetch"
 )
 
-// loadCertsFromFile attempts to parse certificates from a file that may be in
-// PEM or DER/PKCS#7 format. Returns the parsed certificates or an error.
-func loadCertsFromFile(path string) ([]*x509.Certificate, error) {
-	data, err := os.ReadFile(path)
-	if err != nil {
-		return nil, err
-	}
-
-	// Try PEM first
-	if certs, err := certlib.ParseCertificatesPEM(data); err == nil {
-		return certs, nil
-	}
-
-	// Try DER/PKCS7/PKCS12 (with no password)
-	if certs, _, err := certlib.ParseCertificatesDER(data, ""); err == nil {
-		return certs, nil
-	} else {
-		return nil, err
-	}
-}
-
-func makePoolFromFile(path string) (*x509.CertPool, error) {
-	// Try PEM via helper (it builds a pool)
-	if pool, err := certlib.LoadPEMCertPool(path); err == nil && pool != nil {
-		return pool, nil
-	}
-
-	// Fallback: read as DER(s), add to a new pool
-	certs, err := loadCertsFromFile(path)
-	if err != nil || len(certs) == 0 {
-		return nil, fmt.Errorf("failed to load CA certificates from %s", path)
-	}
-	pool := x509.NewCertPool()
-	for _, c := range certs {
-		pool.AddCert(c)
-	}
-	return pool, nil
-}
-
 //go:embed testdata/*.pem
 var embeddedTestdata embed.FS
 
-// loadCertsFromBytes attempts to parse certificates from bytes that may be in
+type testCase struct {
-// PEM or DER/PKCS#7 format.
+	name     string
-func loadCertsFromBytes(data []byte) ([]*x509.Certificate, error) {
+	caFile   string
-	// Try PEM first
+	certFile string
-	if certs, err := certlib.ParseCertificatesPEM(data); err == nil {
+	expectOK bool
-		return certs, nil
-	}
-	// Try DER/PKCS7/PKCS12 (with no password)
-	if certs, _, err := certlib.ParseCertificatesDER(data, ""); err == nil {
-		return certs, nil
-	} else {
-		return nil, err
-	}
 }
 
-func makePoolFromBytes(data []byte) (*x509.CertPool, error) {
+func (tc testCase) Run() error {
-    certs, err := loadCertsFromBytes(data)
+	caBytes, err := embeddedTestdata.ReadFile(tc.caFile)
-    if err != nil || len(certs) == 0 {
+	if err != nil {
-        return nil, fmt.Errorf("failed to load CA certificates from embedded bytes")
+		return fmt.Errorf("selftest: failed to read embedded %s: %w", tc.caFile, err)
-    }
+	}
-    pool := x509.NewCertPool()
+
-    for _, c := range certs {
+	certBytes, err := embeddedTestdata.ReadFile(tc.certFile)
-        pool.AddCert(c)
+	if err != nil {
-    }
+		return fmt.Errorf("selftest: failed to read embedded %s: %w", tc.certFile, err)
-    return pool, nil
+	}
+
+	pool, err := certlib.PoolFromBytes(caBytes)
+	if err != nil || pool == nil {
+		return fmt.Errorf("selftest: failed to build CA pool for %s: %w", tc.caFile, err)
+	}
+
+	cert, _, err := certlib.ReadCertificate(certBytes)
+	if err != nil {
+		return fmt.Errorf("selftest: failed to parse certificate from %s: %w", tc.certFile, err)
+	}
+
+	_, err = verify.CertWith(cert, pool, nil, false)
+	ok := err == nil
+
+	if ok != tc.expectOK {
+		return fmt.Errorf("%s: unexpected result: got %v, want %v", tc.name, ok, tc.expectOK)
+	}
+
+	if ok {
+		fmt.Printf("%s: OK (expires %s)\n", tc.name, cert.NotAfter.Format(lib.DateShortFormat))
+	}
+
+	fmt.Printf("%s: INVALID (as expected)\n", tc.name)
+
+	return nil
 }
 
-// isSelfSigned returns true if the given certificate is self-signed.
+var cases = []testCase{
-// It checks that the subject and issuer match and that the certificate's
+	{
-// signature verifies against its own public key.
+		name:     "ISRG Root X1 validates LE E7",
-func isSelfSigned(cert *x509.Certificate) bool {
+		caFile:   "testdata/isrg-root-x1.pem",
-    if cert == nil {
+		certFile: "testdata/le-e7.pem",
-        return false
+		expectOK: true,
-    }
+	},
-    // Quick check: subject and issuer match
+	{
-    if cert.Subject.String() != cert.Issuer.String() {
+		name:     "ISRG Root X1 does NOT validate Google WR2",
-        return false
+		caFile:   "testdata/isrg-root-x1.pem",
-    }
+		certFile: "testdata/goog-wr2.pem",
-    // Cryptographic check: the certificate is signed by itself
+		expectOK: false,
-    if err := cert.CheckSignatureFrom(cert); err != nil {
+	},
-        return false
+	{
-    }
+		name:     "GTS R1 validates Google WR2",
-    return true
+		caFile:   "testdata/gts-r1.pem",
-}
+		certFile: "testdata/goog-wr2.pem",
-
+		expectOK: true,
-func verifyAgainstCA(caPool *x509.CertPool, path string) (ok bool, expiry string) {
+	},
-	certs, err := loadCertsFromFile(path)
+	{
-	if err != nil || len(certs) == 0 {
+		name:     "GTS R1 does NOT validate LE E7",
-		return false, ""
+		caFile:   "testdata/gts-r1.pem",
-	}
+		certFile: "testdata/le-e7.pem",
-
+		expectOK: false,
-	leaf := certs[0]
+	},
-	ints := x509.NewCertPool()
-	if len(certs) > 1 {
-		for _, ic := range certs[1:] {
-			ints.AddCert(ic)
-		}
-	}
-
-	opts := x509.VerifyOptions{
-		Roots:         caPool,
-		Intermediates: ints,
-		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
-	}
-	if _, err := leaf.Verify(opts); err != nil {
-		return false, ""
-	}
-
-	return true, leaf.NotAfter.Format("2006-01-02")
-}
-
-func verifyAgainstCABytes(caPool *x509.CertPool, certData []byte) (ok bool, expiry string) {
-	certs, err := loadCertsFromBytes(certData)
-	if err != nil || len(certs) == 0 {
-		return false, ""
-	}
-
-	leaf := certs[0]
-	ints := x509.NewCertPool()
-	if len(certs) > 1 {
-		for _, ic := range certs[1:] {
-			ints.AddCert(ic)
-		}
-	}
-
-	opts := x509.VerifyOptions{
-		Roots:         caPool,
-		Intermediates: ints,
-		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
-	}
-	if _, err := leaf.Verify(opts); err != nil {
-		return false, ""
-	}
-
-	return true, leaf.NotAfter.Format("2006-01-02")
 }
 
 // selftest runs built-in validation using embedded certificates.
 func selftest() int {
-	type testCase struct {
+	failures := 0
-		name     string
+	for _, tc := range cases {
-		caFile   string
+		err := tc.Run()
-		certFile string
+		if err != nil {
-		expectOK bool
+			fmt.Fprintln(os.Stderr, err)
+			failures++
+			continue
+		}
 	}
 
- cases := []testCase{
+	// Verify that both embedded root CAs are detected as self-signed
-        {name: "ISRG Root X1 validates LE E7", caFile: "testdata/isrg-root-x1.pem", certFile: "testdata/le-e7.pem", expectOK: true},
+	roots := []string{"testdata/gts-r1.pem", "testdata/isrg-root-x1.pem"}
-        {name: "ISRG Root X1 does NOT validate Google WR2", caFile: "testdata/isrg-root-x1.pem", certFile: "testdata/goog-wr2.pem", expectOK: false},
+	for _, root := range roots {
-        {name: "GTS R1 validates Google WR2", caFile: "testdata/gts-r1.pem", certFile: "testdata/goog-wr2.pem", expectOK: true},
+		b, err := embeddedTestdata.ReadFile(root)
-        {name: "GTS R1 does NOT validate LE E7", caFile: "testdata/gts-r1.pem", certFile: "testdata/le-e7.pem", expectOK: false},
+		if err != nil {
-    }
+			fmt.Fprintf(os.Stderr, "selftest: failed to read embedded %s: %v\n", root, err)
+			failures++
+			continue
+		}
 
-    failures := 0
+		certs, err := certlib.ReadCertificates(b)
-    for _, tc := range cases {
+		if err != nil || len(certs) == 0 {
-		caBytes, err := embeddedTestdata.ReadFile(tc.caFile)
+			fmt.Fprintf(os.Stderr, "selftest: failed to parse cert(s) from %s: %v\n", root, err)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "selftest: failed to read embedded %s: %v\n", tc.caFile, err)
 			failures++
 			continue
 		}
-		certBytes, err := embeddedTestdata.ReadFile(tc.certFile)
+
-		if err != nil {
+		leaf := certs[0]
-			fmt.Fprintf(os.Stderr, "selftest: failed to read embedded %s: %v\n", tc.certFile, err)
+		if len(leaf.AuthorityKeyId) == 0 || bytes.Equal(leaf.AuthorityKeyId, leaf.SubjectKeyId) {
-			failures++
+			fmt.Printf("%s: SELF-SIGNED (as expected)\n", root)
-			continue
-		}
-		pool, err := makePoolFromBytes(caBytes)
-		if err != nil || pool == nil {
-			fmt.Fprintf(os.Stderr, "selftest: failed to build CA pool for %s: %v\n", tc.caFile, err)
-			failures++
-			continue
-		}
-		ok, exp := verifyAgainstCABytes(pool, certBytes)
-		if ok != tc.expectOK {
-			fmt.Printf("%s: unexpected result: got %v, want %v\n", tc.name, ok, tc.expectOK)
-			failures++
 		} else {
-			if ok {
+			fmt.Printf("%s: expected SELF-SIGNED, but was not detected as such\n", root)
-				fmt.Printf("%s: OK (expires %s)\n", tc.name, exp)
+			failures++
-			} else {
-				fmt.Printf("%s: INVALID (as expected)\n", tc.name)
-			}
 		}
-    }
+	}
 
-    // Verify that both embedded root CAs are detected as self-signed
+	if failures == 0 {
-    roots := []string{"testdata/gts-r1.pem", "testdata/isrg-root-x1.pem"}
+		fmt.Println("selftest: PASS")
-    for _, root := range roots {
+		return 0
-        b, err := embeddedTestdata.ReadFile(root)
+	}
-        if err != nil {
+	fmt.Fprintf(os.Stderr, "selftest: FAIL (%d failure(s))\n", failures)
-            fmt.Fprintf(os.Stderr, "selftest: failed to read embedded %s: %v\n", root, err)
+	return 1
-            failures++
-            continue
-        }
-        certs, err := loadCertsFromBytes(b)
-        if err != nil || len(certs) == 0 {
-            fmt.Fprintf(os.Stderr, "selftest: failed to parse cert(s) from %s: %v\n", root, err)
-            failures++
-            continue
-        }
-        leaf := certs[0]
-        if isSelfSigned(leaf) {
-            fmt.Printf("%s: SELF-SIGNED (as expected)\n", root)
-        } else {
-            fmt.Printf("%s: expected SELF-SIGNED, but was not detected as such\n", root)
-            failures++
-        }
-    }
-
-    if failures == 0 {
-        fmt.Println("selftest: PASS")
-        return 0
-    }
-    fmt.Fprintf(os.Stderr, "selftest: FAIL (%d failure(s))\n", failures)
-    return 1
 }
 
 func main() {
-	// Special selftest mode: single argument "selftest"
+	var skipVerify, useStrict bool
-	if len(os.Args) == 2 && os.Args[1] == "selftest" {
+
+	dialer.StrictTLSFlag(&useStrict)
+	flag.BoolVar(&skipVerify, "k", false, "don't verify certificates")
+	flag.Parse()
+
+	tcfg, err := dialer.BaselineTLSConfig(skipVerify, useStrict)
+	die.If(err)
+
+	args := flag.Args()
+
+	if len(args) == 1 && args[0] == "selftest" {
 		os.Exit(selftest())
 	}
 
-	if len(os.Args) < 3 {
+	if len(args) < 2 {
-		prog := filepath.Base(os.Args[0])
+		fmt.Println("No certificates to check.")
-		fmt.Fprintf(os.Stderr, "Usage:\n  %s ca.pem cert1.pem cert2.pem ...\n  %s selftest\n", prog, prog)
-		os.Exit(2)
-	}
-
-	caPath := os.Args[1]
-	caPool, err := makePoolFromFile(caPath)
-	if err != nil || caPool == nil {
-		fmt.Fprintf(os.Stderr, "failed to load CA certificate(s): %v\n", err)
 		os.Exit(1)
 	}
 
-    for _, certPath := range os.Args[2:] {
+	caFile := args[0]
-        ok, exp := verifyAgainstCA(caPool, certPath)
+	args = args[1:]
-        name := filepath.Base(certPath)
-        // Load the leaf once for self-signed detection and potential expiry fallback
-        var leaf *x509.Certificate
-        if certs, err := loadCertsFromFile(certPath); err == nil && len(certs) > 0 {
-            leaf = certs[0]
-        }
 
-        // If the certificate is self-signed, prefer the SELF-SIGNED label
+	caCert, err := certlib.LoadCertificates(caFile)
-        if isSelfSigned(leaf) {
+	die.If(err)
-            fmt.Printf("%s: SELF-SIGNED\n", name)
-            continue
-        }
 
-        if ok {
+	if len(caCert) != 1 {
-            // Display with the requested format
+		die.With("only one CA certificate should be presented.")
-            // Example: file: OK (expires 2031-01-01)
+	}
-            // Ensure deterministic date formatting
+
-            // Note: no timezone displayed; date only as per example
+	roots := x509.NewCertPool()
-            // If exp ended up empty for some reason, recompute safely
+	roots.AddCert(caCert[0])
-            if exp == "" {
+
-                if leaf != nil {
+	for _, arg := range args {
-                    exp = leaf.NotAfter.Format("2006-01-02")
+		var cert *x509.Certificate
-                } else {
+
-                    // fallback to the current date to avoid empty; though shouldn't happen
+		cert, err = fetch.GetCertificate(arg, tcfg)
-                    exp = time.Now().Format("2006-01-02")
+		if err != nil {
-                }
+			lib.Warn(err, "while parsing certificate from %s", arg)
-            }
+			continue
-            fmt.Printf("%s: OK (expires %s)\n", name, exp)
+		}
-        } else {
+
-            fmt.Printf("%s: INVALID\n", name)
+		if bytes.Equal(cert.AuthorityKeyId, caCert[0].AuthorityKeyId) {
-        }
+			fmt.Printf("%s: SELF-SIGNED\n", arg)
-    }
+			continue
+		}
+
+		if _, err = verify.CertWith(cert, roots, nil, false); err != nil {
+			fmt.Printf("%s: INVALID\n", arg)
+		} else {
+			fmt.Printf("%s: OK (expires %s)\n", arg, cert.NotAfter.Format(lib.DateShortFormat))
+		}
+	}
 }

cmd/cert-bundler/Dockerfile

@@ -0,0 +1,28 @@
+# Build and runtime image for cert-bundler
+# Usage (from repo root or cmd/cert-bundler directory):
+#   docker build -t cert-bundler:latest -f cmd/cert-bundler/Dockerfile .
+#   docker run --rm -v "$PWD":/work cert-bundler:latest
+# This expects a /work/bundle.yaml file in the mounted directory and
+# will write generated bundles to /work/bundle.
+
+# Build stage
+FROM golang:1.24.3-alpine AS build
+WORKDIR /src
+
+# Copy go module files and download dependencies first for better caching
+RUN go install git.wntrmute.dev/kyle/goutils/cmd/cert-bundler@v1.13.2 && \
+    mv /go/bin/cert-bundler /usr/local/bin/cert-bundler
+
+# Runtime stage (kept as golang:alpine per requirement)
+FROM golang:1.24.3-alpine
+
+# Create a work directory that users will typically mount into
+WORKDIR /work
+VOLUME ["/work"]
+
+# Copy the built binary from the builder stage
+COPY --from=build /usr/local/bin/cert-bundler /usr/local/bin/cert-bundler
+
+# Default command: read bundle.yaml from current directory and output to ./bundle
+ENTRYPOINT ["/usr/local/bin/cert-bundler"]
+CMD ["-c", "/work/bundle.yaml", "-o", "/work/bundle"]

cmd/cert-bundler/main.go

@@ -1,64 +1,19 @@
 package main
 
 import (
-	"archive/tar"
-	"archive/zip"
-	"compress/gzip"
-	"crypto/sha256"
-	"crypto/x509"
 	_ "embed"
-	"encoding/pem"
 	"flag"
 	"fmt"
 	"os"
-	"path/filepath"
-	"strings"
-	"time"
 
-	"git.wntrmute.dev/kyle/goutils/certlib"
+	"git.wntrmute.dev/kyle/goutils/certlib/bundler"
-	"gopkg.in/yaml.v2"
 )
 
-// Config represents the top-level YAML configuration
-type Config struct {
-	Config struct {
-		Hashes string `yaml:"hashes"`
-		Expiry string `yaml:"expiry"`
-	} `yaml:"config"`
-	Chains map[string]ChainGroup `yaml:"chains"`
-}
-
-// ChainGroup represents a named group of certificate chains
-type ChainGroup struct {
-	Certs   []CertChain `yaml:"certs"`
-	Outputs Outputs     `yaml:"outputs"`
-}
-
-// CertChain represents a root certificate and its intermediates
-type CertChain struct {
-	Root          string   `yaml:"root"`
-	Intermediates []string `yaml:"intermediates"`
-}
-
-// Outputs defines output format options
-type Outputs struct {
-	IncludeSingle     bool     `yaml:"include_single"`
-	IncludeIndividual bool     `yaml:"include_individual"`
-	Manifest          bool     `yaml:"manifest"`
-	Formats           []string `yaml:"formats"`
-	Encoding          string   `yaml:"encoding"`
-}
-
 var (
 	configFile string
 	outputDir  string
 )
 
-var formatExtensions = map[string]string{
-	"zip": ".zip",
-	"tgz": ".tar.gz",
-}
-
 //go:embed README.txt
 var readmeContent string
 
@@ -77,452 +32,10 @@ func main() {
 		os.Exit(1)
 	}
 
-	// Load and parse configuration
+	if err := bundler.Run(configFile, outputDir); err != nil {
-	cfg, err := loadConfig(configFile)
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "Error loading config: %v\n", err)
 		os.Exit(1)
 	}
 
-	// Parse expiry duration (default 1 year)
-	expiryDuration := 365 * 24 * time.Hour
-	if cfg.Config.Expiry != "" {
-		expiryDuration, err = parseDuration(cfg.Config.Expiry)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "Error parsing expiry: %v\n", err)
-			os.Exit(1)
-		}
-	}
-
-	// Create output directory if it doesn't exist
-	if err := os.MkdirAll(outputDir, 0755); err != nil {
-		fmt.Fprintf(os.Stderr, "Error creating output directory: %v\n", err)
-		os.Exit(1)
-	}
-
-	// Process each chain group
-	// Pre-allocate createdFiles based on total number of formats across all groups
-	totalFormats := 0
-	for _, group := range cfg.Chains {
-		totalFormats += len(group.Outputs.Formats)
-	}
-	createdFiles := make([]string, 0, totalFormats)
-	for groupName, group := range cfg.Chains {
-		files, err := processChainGroup(groupName, group, expiryDuration)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "Error processing chain group %s: %v\n", groupName, err)
-			os.Exit(1)
-		}
-		createdFiles = append(createdFiles, files...)
-	}
-
-	// Generate hash file for all created archives
-	if cfg.Config.Hashes != "" {
-		hashFile := filepath.Join(outputDir, cfg.Config.Hashes)
-		if err := generateHashFile(hashFile, createdFiles); err != nil {
-			fmt.Fprintf(os.Stderr, "Error generating hash file: %v\n", err)
-			os.Exit(1)
-		}
-	}
-
 	fmt.Println("Certificate bundling completed successfully")
 }
-
-func loadConfig(path string) (*Config, error) {
-	data, err := os.ReadFile(path)
-	if err != nil {
-		return nil, err
-	}
-
-	var cfg Config
-	if err := yaml.Unmarshal(data, &cfg); err != nil {
-		return nil, err
-	}
-
-	return &cfg, nil
-}
-
-func parseDuration(s string) (time.Duration, error) {
-	// Support simple formats like "1y", "6m", "30d"
-	if len(s) < 2 {
-		return 0, fmt.Errorf("invalid duration format: %s", s)
-	}
-
-	unit := s[len(s)-1]
-	value := s[:len(s)-1]
-
-	var multiplier time.Duration
-	switch unit {
-	case 'y', 'Y':
-		multiplier = 365 * 24 * time.Hour
-	case 'm', 'M':
-		multiplier = 30 * 24 * time.Hour
-	case 'd', 'D':
-		multiplier = 24 * time.Hour
-	default:
-		return time.ParseDuration(s)
-	}
-
-	var num int
-	_, err := fmt.Sscanf(value, "%d", &num)
-	if err != nil {
-		return 0, fmt.Errorf("invalid duration value: %s", s)
-	}
-
-	return time.Duration(num) * multiplier, nil
-}
-
-func processChainGroup(groupName string, group ChainGroup, expiryDuration time.Duration) ([]string, error) {
-	// Default encoding to "pem" if not specified
-	encoding := group.Outputs.Encoding
-	if encoding == "" {
-		encoding = "pem"
-	}
-
-	// Collect certificates from all chains in the group
-	singleFileCerts, individualCerts, err := loadAndCollectCerts(group.Certs, group.Outputs, expiryDuration)
-	if err != nil {
-		return nil, err
-	}
-
-	// Prepare files for inclusion in archives
-	archiveFiles, err := prepareArchiveFiles(singleFileCerts, individualCerts, group.Outputs, encoding)
-	if err != nil {
-		return nil, err
-	}
-
-	// Create archives for the entire group
-	createdFiles, err := createArchiveFiles(groupName, group.Outputs.Formats, archiveFiles)
-	if err != nil {
-		return nil, err
-	}
-
-	return createdFiles, nil
-}
-
-// loadAndCollectCerts loads all certificates from chains and collects them for processing
-func loadAndCollectCerts(chains []CertChain, outputs Outputs, expiryDuration time.Duration) ([]*x509.Certificate, []certWithPath, error) {
-	var singleFileCerts []*x509.Certificate
-	var individualCerts []certWithPath
-
-	for _, chain := range chains {
-		// Load root certificate
-		rootCert, err := certlib.LoadCertificate(chain.Root)
-		if err != nil {
-			return nil, nil, fmt.Errorf("failed to load root certificate %s: %v", chain.Root, err)
-		}
-
-		// Check expiry for root
-		checkExpiry(chain.Root, rootCert, expiryDuration)
-
-		// Add root to collections if needed
-		if outputs.IncludeSingle {
-			singleFileCerts = append(singleFileCerts, rootCert)
-		}
-		if outputs.IncludeIndividual {
-			individualCerts = append(individualCerts, certWithPath{
-				cert: rootCert,
-				path: chain.Root,
-			})
-		}
-
-		// Load and validate intermediates
-		for _, intPath := range chain.Intermediates {
-			intCert, err := certlib.LoadCertificate(intPath)
-			if err != nil {
-				return nil, nil, fmt.Errorf("failed to load intermediate certificate %s: %v", intPath, err)
-			}
-
-			// Validate that intermediate is signed by root
-			if err := intCert.CheckSignatureFrom(rootCert); err != nil {
-				return nil, nil, fmt.Errorf("intermediate %s is not properly signed by root %s: %v", intPath, chain.Root, err)
-			}
-
-			// Check expiry for intermediate
-			checkExpiry(intPath, intCert, expiryDuration)
-
-			// Add intermediate to collections if needed
-			if outputs.IncludeSingle {
-				singleFileCerts = append(singleFileCerts, intCert)
-			}
-			if outputs.IncludeIndividual {
-				individualCerts = append(individualCerts, certWithPath{
-					cert: intCert,
-					path: intPath,
-				})
-			}
-		}
-	}
-
-	return singleFileCerts, individualCerts, nil
-}
-
-// prepareArchiveFiles prepares all files to be included in archives
-func prepareArchiveFiles(singleFileCerts []*x509.Certificate, individualCerts []certWithPath, outputs Outputs, encoding string) ([]fileEntry, error) {
-	var archiveFiles []fileEntry
-
-	// Handle a single bundle file
-	if outputs.IncludeSingle && len(singleFileCerts) > 0 {
-		files, err := encodeCertsToFiles(singleFileCerts, "bundle", encoding, true)
-		if err != nil {
-			return nil, fmt.Errorf("failed to encode single bundle: %v", err)
-		}
-		archiveFiles = append(archiveFiles, files...)
-	}
-
-	// Handle individual files
-	if outputs.IncludeIndividual {
-		for _, cp := range individualCerts {
-			baseName := strings.TrimSuffix(filepath.Base(cp.path), filepath.Ext(cp.path))
-			files, err := encodeCertsToFiles([]*x509.Certificate{cp.cert}, baseName, encoding, false)
-			if err != nil {
-				return nil, fmt.Errorf("failed to encode individual cert %s: %v", cp.path, err)
-			}
-			archiveFiles = append(archiveFiles, files...)
-		}
-	}
-
-	// Generate manifest if requested
-	if outputs.Manifest {
-		manifestContent := generateManifest(archiveFiles)
-		archiveFiles = append(archiveFiles, fileEntry{
-			name:    "MANIFEST",
-			content: manifestContent,
-		})
-	}
-
-	return archiveFiles, nil
-}
-
-// createArchiveFiles creates archive files in the specified formats
-func createArchiveFiles(groupName string, formats []string, archiveFiles []fileEntry) ([]string, error) {
-	createdFiles := make([]string, 0, len(formats))
-
-	for _, format := range formats {
-		ext, ok := formatExtensions[format]
-		if !ok {
-			return nil, fmt.Errorf("unsupported format: %s", format)
-		}
-		archivePath := filepath.Join(outputDir, groupName+ext)
-		switch format {
-		case "zip":
-			if err := createZipArchive(archivePath, archiveFiles); err != nil {
-				return nil, fmt.Errorf("failed to create zip archive: %v", err)
-			}
-		case "tgz":
-			if err := createTarGzArchive(archivePath, archiveFiles); err != nil {
-				return nil, fmt.Errorf("failed to create tar.gz archive: %v", err)
-			}
-		default:
-			return nil, fmt.Errorf("unsupported format: %s", format)
-		}
-		createdFiles = append(createdFiles, archivePath)
-	}
-
-	return createdFiles, nil
-}
-
-func checkExpiry(path string, cert *x509.Certificate, expiryDuration time.Duration) {
-	now := time.Now()
-	expiryThreshold := now.Add(expiryDuration)
-
-	if cert.NotAfter.Before(expiryThreshold) {
-		daysUntilExpiry := int(cert.NotAfter.Sub(now).Hours() / 24)
-		if daysUntilExpiry < 0 {
-			fmt.Fprintf(os.Stderr, "WARNING: Certificate %s has EXPIRED (expired %d days ago)\n", path, -daysUntilExpiry)
-		} else {
-			fmt.Fprintf(os.Stderr, "WARNING: Certificate %s will expire in %d days (on %s)\n", path, daysUntilExpiry, cert.NotAfter.Format("2006-01-02"))
-		}
-	}
-}
-
-type fileEntry struct {
-	name    string
-	content []byte
-}
-
-type certWithPath struct {
-	cert *x509.Certificate
-	path string
-}
-
-// encodeCertsToFiles converts certificates to file entries based on encoding type
-// If isSingle is true, certs are concatenated into a single file; otherwise one cert per file
-func encodeCertsToFiles(certs []*x509.Certificate, baseName string, encoding string, isSingle bool) ([]fileEntry, error) {
-	var files []fileEntry
-
-	switch encoding {
-	case "pem":
-		pemContent := encodeCertsToPEM(certs)
-		files = append(files, fileEntry{
-			name:    baseName + ".pem",
-			content: pemContent,
-		})
-	case "der":
-		if isSingle {
-			// For single file in DER, concatenate all cert DER bytes
-			var derContent []byte
-			for _, cert := range certs {
-				derContent = append(derContent, cert.Raw...)
-			}
-			files = append(files, fileEntry{
-				name:    baseName + ".crt",
-				content: derContent,
-			})
-		} else {
-			// Individual DER file (should only have one cert)
-			if len(certs) > 0 {
-				files = append(files, fileEntry{
-					name:    baseName + ".crt",
-					content: certs[0].Raw,
-				})
-			}
-		}
-	case "both":
-		// Add PEM version
-		pemContent := encodeCertsToPEM(certs)
-		files = append(files, fileEntry{
-			name:    baseName + ".pem",
-			content: pemContent,
-		})
-		// Add DER version
-		if isSingle {
-			var derContent []byte
-			for _, cert := range certs {
-				derContent = append(derContent, cert.Raw...)
-			}
-			files = append(files, fileEntry{
-				name:    baseName + ".crt",
-				content: derContent,
-			})
-		} else {
-			if len(certs) > 0 {
-				files = append(files, fileEntry{
-					name:    baseName + ".crt",
-					content: certs[0].Raw,
-				})
-			}
-		}
-	default:
-		return nil, fmt.Errorf("unsupported encoding: %s (must be 'pem', 'der', or 'both')", encoding)
-	}
-
-	return files, nil
-}
-
-// encodeCertsToPEM encodes certificates to PEM format
-func encodeCertsToPEM(certs []*x509.Certificate) []byte {
-	var pemContent []byte
-	for _, cert := range certs {
-		pemBlock := &pem.Block{
-			Type:  "CERTIFICATE",
-			Bytes: cert.Raw,
-		}
-		pemContent = append(pemContent, pem.EncodeToMemory(pemBlock)...)
-	}
-	return pemContent
-}
-
-func generateManifest(files []fileEntry) []byte {
-	var manifest strings.Builder
-	for _, file := range files {
-		if file.name == "MANIFEST" {
-			continue
-		}
-		hash := sha256.Sum256(file.content)
-		manifest.WriteString(fmt.Sprintf("%x  %s\n", hash, file.name))
-	}
-	return []byte(manifest.String())
-}
-
-func createZipArchive(path string, files []fileEntry) error {
-	f, err := os.Create(path)
-	if err != nil {
-		return err
-	}
-
-	w := zip.NewWriter(f)
-
-	for _, file := range files {
-		fw, err := w.Create(file.name)
-		if err != nil {
-			w.Close()
-			f.Close()
-			return err
-		}
-		if _, err := fw.Write(file.content); err != nil {
-			w.Close()
-			f.Close()
-			return err
-		}
-	}
-
-	// Check errors on close operations
-	if err := w.Close(); err != nil {
-		f.Close()
-		return err
-	}
-	return f.Close()
-}
-
-func createTarGzArchive(path string, files []fileEntry) error {
-	f, err := os.Create(path)
-	if err != nil {
-		return err
-	}
-
-	gw := gzip.NewWriter(f)
-	tw := tar.NewWriter(gw)
-
-	for _, file := range files {
-		hdr := &tar.Header{
-			Name: file.name,
-			Mode: 0644,
-			Size: int64(len(file.content)),
-		}
-		if err := tw.WriteHeader(hdr); err != nil {
-			tw.Close()
-			gw.Close()
-			f.Close()
-			return err
-		}
-		if _, err := tw.Write(file.content); err != nil {
-			tw.Close()
-			gw.Close()
-			f.Close()
-			return err
-		}
-	}
-
-	// Check errors on close operations in the correct order
-	if err := tw.Close(); err != nil {
-		gw.Close()
-		f.Close()
-		return err
-	}
-	if err := gw.Close(); err != nil {
-		f.Close()
-		return err
-	}
-	return f.Close()
-}
-
-func generateHashFile(path string, files []string) error {
-	f, err := os.Create(path)
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-
-	for _, file := range files {
-		data, err := os.ReadFile(file)
-		if err != nil {
-			return err
-		}
-
-		hash := sha256.Sum256(data)
-		fmt.Fprintf(f, "%x  %s\n", hash, filepath.Base(file))
-	}
-
-	return nil
-}

cmd/cert-bundler/prompt.txt

@@ -1,197 +0,0 @@
-This project is an exploration into the utility of Jetbrains' Junie
-to write smaller but tedious programs.
-
-Task: build a certificate bundling tool in cmd/cert-bundler. It
-creates archives of certificates chains.
-
-A YAML file for this looks something like:
-
-``` yaml
-config:
-  hashes: bundle.sha256
-  expiry: 1y
-chains:
-  core_certs:
-    certs:
-      - root: roots/core-ca.pem
-        intermediates:
-          - int/cca1.pem
-  	- int/cca2.pem
-  	- int/cca3.pem
-      - root: roots/ssh-ca.pem
-        intermediates:
-          - ssh/ssh_dmz1.pem
-  	- ssh/ssh_internal.pem
-  outputs:
-    include_single: true
-    include_individual: true
-    manifest: true
-    formats:
-      - zip
-      - tgz
-```
-
-Some requirements:
-
-1. First, all the certificates should be loaded.
-2. For each root, each of the indivudal intermediates should be
-   checked to make sure they are properly signed by the root CA.
-3. The program should optionally take an expiration period (defaulting
-   to one year), specified in config.expiration, and if any certificate
-   is within that expiration period, a warning should be printed.
-4. If outputs.include_single is true, all certificates under chains
-   should be concatenated into a single file.
-5. If outputs.include_individual is true, all certificates under
-   chains should be included at the root level (e.g. int/cca2.pem
-   would be cca2.pem in the archive).
-6. If bundle.manifest is true, a "MANIFEST" file is created with
-   SHA256 sums of each file included in the archive.
-7. For each of the formats, create an archive file in the output
-   directory (specified with `-o`) with that format.
-   - If zip is included, create a .zip file.
-   - If tgz is included, create a .tar.gz file with default compression
-     levels.
-   - All archive files should include any generated files (single
-     and/or individual) in the top-level directory.
-8. In the output directory, create a file with the same name as
-   config.hashes that contains the SHA256 sum of all files created.
-
------
-
-The outputs.include_single and outputs.include_individual describe
-what should go in the final archive. If both are specified, the output
-archive should include both a single bundle.pem and each individual
-certificate, for example.
-
------
-
-As it stands, given the following `bundle.yaml`:
-
-``` yaml
-config:
-  hashes: bundle.sha256
-  expiry: 1y
-chains:
-  core_certs:
-    certs:
-      - root: pems/gts-r1.pem
-        intermediates:
-          - pems/goog-wr2.pem
-        outputs:
-          include_single: true
-          include_individual: true
-          manifest: true
-          formats:
-            - zip
-            - tgz
-      - root: pems/isrg-root-x1.pem
-        intermediates:
-          - pems/le-e7.pem
-        outputs:
-          include_single: true
-          include_individual: false
-          manifest: true
-          formats:
-            - zip
-            - tgz
-  google_certs:
-    certs:
-      - root: pems/gts-r1.pem
-        intermediates:
-          - pems/goog-wr2.pem
-        outputs:
-          include_single: true
-          include_individual: false
-          manifest: true
-          formats:
-            - tgz
-  lets_encrypt:
-    certs:
-      - root: pems/isrg-root-x1.pem
-        intermediates:
-          - pems/le-e7.pem
-        outputs:
-          include_single: false
-          include_individual: true
-          manifest: false
-          formats:
-            - zip
-```
-
-The program outputs the following files:
-
-- bundle.sha256
-- core_certs_0.tgz (contains individual certs)
-- core_certs_0.zip (contains individual certs)
-- core_certs_1.tgz (contains core_certs.pem)
-- core_certs_1.zip (contains core_certs.pem)
-- google_certs_0.tgz
-- lets_encrypt_0.zip
-
-It should output
-
-- bundle.sha256
-- core_certs.tgz
-- core_certs.zip
-- google_certs.tgz
-- lets_encrypt.zip
-
-core_certs.* should contain `bundle.pem` and all the individual
-certs. There should be no _$n$ variants of archives.
-
------
-
-Add an additional field to outputs: encoding. It should accept one of
-`der`, `pem`, or `both`. If `der`, certificates should be output as a
-`.crt` file containing a DER-encoded certificate. If `pem`, certificates
-should be output as a `.pem` file containing a PEM-encoded certificate.
-If both, both the `.crt` and `.pem` certificate should be included.
-
-For example, given the previous config, if `encoding` is der, the
-google_certs.tgz archive should contain
-
-- bundle.crt
-- MANIFEST
-
-Or with lets_encrypt.zip:
-
-- isrg-root-x1.crt
-- le-e7.crt
-
-However, if `encoding` is pem, the lets_encrypt.zip archive should contain:
-
-- isrg-root-x1.pem
-- le-e7.pem
-
-And if it `encoding` is both, the lets_encrypt.zip archive should contain:
-
-- isrg-root-x1.crt
-- isrg-root-x1.pem
-- le-e7.crt
-- le-e7.pem
-
------
-
-The tgz format should output a `.tar.gz` file instead of a `.tgz` file.
-
------
-
-Move the format extensions to a global variable.
-
------
-
-Write a README.txt with a description of the bundle.yaml format.
-
-Additionally, update the help text for the program (e.g. with `-h`)
-to provide the same detailed information.
-
------
-
-It may be easier to embed the README.txt in the program on build.
-
------
-
-For the archive (tar.gz and zip) writers, make sure errors are
-checked at the end, and don't just defer the close operations.
-
-

cmd/cert-bundler/testdata/bundle.yaml

@@ -2,6 +2,20 @@ config:
   hashes: bundle.sha256
   expiry: 1y
 chains:
+  weird:
+    certs:
+      - root: pems/gts-r1.pem
+        intermediates:
+          - pems/goog-wr2.pem
+      - root: pems/isrg-root-x1.pem
+    outputs:
+      include_single: true
+      include_individual: true
+      manifest: true
+      encoding: pemcrt
+      formats:
+        - zip
+        - tgz
   core_certs:
     certs:
       - root: pems/gts-r1.pem
@@ -40,4 +54,4 @@ chains:
       manifest: false
       encoding: both
       formats:
-        - zip
+        - zip

cmd/cert-bundler/testdata/pkg/bundle.sha256

@@ -1,4 +0,0 @@
-5ed8bf9ed693045faa8a5cb0edc4a870052e56aef6291ce8b1604565affbc2a4  core_certs.zip
-e59eddc590d2f7b790a87c5b56e81697088ab54be382c0e2c51b82034006d308  core_certs.tgz
-51b9b63b1335118079e90700a3a5b847c363808e9116e576ca84f301bc433289  google_certs.tgz
-3d1910ca8835c3ded1755a8c7d6c48083c2f3ff68b2bfbf932aaf27e29d0a232  lets_encrypt.zip

cmd/cert-revcheck/main.go

@@ -1,20 +1,21 @@
 package main
 
 import (
+	"context"
 	"crypto/tls"
 	"crypto/x509"
-	"flag"
 	"errors"
+	"flag"
 	"fmt"
-	"io/ioutil"
-	"net"
 	"os"
+	"strings"
 	"time"
 
 	"git.wntrmute.dev/kyle/goutils/certlib"
 	hosts "git.wntrmute.dev/kyle/goutils/certlib/hosts"
 	"git.wntrmute.dev/kyle/goutils/certlib/revoke"
 	"git.wntrmute.dev/kyle/goutils/fileutil"
+	"git.wntrmute.dev/kyle/goutils/lib/dialer"
 )
 
 var (
@@ -23,6 +24,13 @@ var (
 	verbose  bool
 )
 
+var (
+	strOK      = "OK"
+	strExpired = "EXPIRED"
+	strRevoked = "REVOKED"
+	strUnknown = "UNKNOWN"
+)
+
 func main() {
 	flag.BoolVar(&hardfail, "hardfail", false, "treat revocation check failures as fatal")
 	flag.DurationVar(&timeout, "timeout", 10*time.Second, "network timeout for OCSP/CRL fetches and TLS site connects")
@@ -30,8 +38,10 @@ func main() {
 	flag.Parse()
 
 	revoke.HardFail = hardfail
-	// Set HTTP client timeout for revocation library
+	// Build a proxy-aware HTTP client for OCSP/CRL fetches
-	revoke.HTTPClient.Timeout = timeout
+	if httpClient, err := dialer.NewHTTPClient(dialer.Opts{Timeout: timeout}); err == nil {
+		revoke.HTTPClient = httpClient
+	}
 
 	if flag.NArg() == 0 {
 		fmt.Fprintf(os.Stderr, "Usage: %s [options] <target> [<target>...]\n", os.Args[0])
@@ -42,16 +52,16 @@ func main() {
 	for _, target := range flag.Args() {
 		status, err := processTarget(target)
 		switch status {
-		case "OK":
+		case strOK:
-			fmt.Printf("%s: OK\n", target)
+			fmt.Printf("%s: %s\n", target, strOK)
-		case "EXPIRED":
+		case strExpired:
-			fmt.Printf("%s: EXPIRED: %v\n", target, err)
+			fmt.Printf("%s: %s: %v\n", target, strExpired, err)
 			exitCode = 1
-		case "REVOKED":
+		case strRevoked:
-			fmt.Printf("%s: REVOKED\n", target)
+			fmt.Printf("%s: %s\n", target, strRevoked)
 			exitCode = 1
-		case "UNKNOWN":
+		case strUnknown:
-			fmt.Printf("%s: UNKNOWN: %v\n", target, err)
+			fmt.Printf("%s: %s: %v\n", target, strUnknown, err)
 			if hardfail {
 				// In hardfail, treat unknown as failure
 				exitCode = 1
@@ -67,74 +77,68 @@ func processTarget(target string) (string, error) {
 		return checkFile(target)
 	}
 
-	// Not a file; treat as site
 	return checkSite(target)
 }
 
 func checkFile(path string) (string, error) {
-	in, err := ioutil.ReadFile(path)
+	// Prefer high-level helpers from certlib to load certificates from disk
-	if err != nil {
+	if certs, err := certlib.LoadCertificates(path); err == nil && len(certs) > 0 {
-		return "UNKNOWN", err
+		// Evaluate the first certificate (leaf) by default
+		return evaluateCert(certs[0])
 	}
 
-	// Try PEM first; if that fails, try single DER cert
+	cert, err := certlib.LoadCertificate(path)
-	certs, err := certlib.ReadCertificates(in)
+	if err != nil || cert == nil {
-	if err != nil || len(certs) == 0 {
+		return strUnknown, err
-		cert, _, derr := certlib.ReadCertificate(in)
-		if derr != nil || cert == nil {
-			if err == nil {
-				err = derr
-			}
-			return "UNKNOWN", err
-		}
-		return evaluateCert(cert)
 	}
-
+	return evaluateCert(cert)
-	// Evaluate the first certificate (leaf) by default
-	return evaluateCert(certs[0])
 }
 
 func checkSite(hostport string) (string, error) {
 	// Use certlib/hosts to parse host/port (supports https URLs and host:port)
 	target, err := hosts.ParseHost(hostport)
 	if err != nil {
-		return "UNKNOWN", err
+		return strUnknown, err
 	}
 
-	d := &net.Dialer{Timeout: timeout}
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	conn, err := tls.DialWithDialer(d, "tcp", target.String(), &tls.Config{InsecureSkipVerify: true, ServerName: target.Host})
+	defer cancel()
+
+	// Use proxy-aware TLS dialer
+	conn, err := dialer.DialTLS(ctx, target.String(), dialer.Opts{Timeout: timeout, TLSConfig: &tls.Config{
+		InsecureSkipVerify: true, // #nosec G402 -- CLI tool only verifies revocation
+		ServerName:         target.Host,
+	}})
 	if err != nil {
-		return "UNKNOWN", err
+		return strUnknown, err
 	}
 	defer conn.Close()
-
 	state := conn.ConnectionState()
 	if len(state.PeerCertificates) == 0 {
-		return "UNKNOWN", errors.New("no peer certificates presented")
+		return strUnknown, errors.New("no peer certificates presented")
 	}
 	return evaluateCert(state.PeerCertificates[0])
 }
 
 func evaluateCert(cert *x509.Certificate) (string, error) {
-	// Expiry check
+	// Delegate validity and revocation checks to certlib/revoke helper.
-	now := time.Now()
+	// It returns revoked=true for both revoked and expired/not-yet-valid.
-	if !now.Before(cert.NotAfter) {
+	// Map those cases back to our statuses using the returned error text.
-		return "EXPIRED", fmt.Errorf("expired at %s", cert.NotAfter)
-	}
-	if !now.After(cert.NotBefore) {
-		return "EXPIRED", fmt.Errorf("not valid until %s", cert.NotBefore)
-	}
-
-	// Revocation check using certlib/revoke
 	revoked, ok, err := revoke.VerifyCertificateError(cert)
 	if revoked {
-		// If revoked is true, ok will be true per implementation, err may describe why
+		if err != nil {
-		return "REVOKED", err
+			msg := err.Error()
+			if strings.Contains(msg, "expired") || strings.Contains(msg, "isn't valid until") ||
+				strings.Contains(msg, "not valid until") {
+				return strExpired, err
+			}
+		}
+		return strRevoked, err
 	}
 	if !ok {
 		// Revocation status could not be determined
-		return "UNKNOWN", err
+		return strUnknown, err
 	}
 
-	return "OK", nil
+	return strOK, nil
 }

cmd/certchain/main.go

@@ -1,13 +1,17 @@
 package main
 
 import (
+	"context"
 	"crypto/tls"
 	"encoding/pem"
 	"flag"
 	"fmt"
+	"os"
 	"regexp"
+	"strings"
 
 	"git.wntrmute.dev/kyle/goutils/die"
+	"git.wntrmute.dev/kyle/goutils/lib/dialer"
 )
 
 var hasPort = regexp.MustCompile(`:\d+$`)
@@ -20,20 +24,26 @@ func main() {
 			server += ":443"
 		}
 
-		var chain string
+		// Use proxy-aware TLS dialer
-
+		conn, err := dialer.DialTLS(
-		conn, err := tls.Dial("tcp", server, nil)
+			context.Background(),
+			server,
+			dialer.Opts{TLSConfig: &tls.Config{}},
+		) // #nosec G402
 		die.If(err)
 
+		defer conn.Close()
+
 		details := conn.ConnectionState()
+		var chain strings.Builder
 		for _, cert := range details.PeerCertificates {
 			p := pem.Block{
 				Type:  "CERTIFICATE",
 				Bytes: cert.Raw,
 			}
-			chain += string(pem.EncodeToMemory(&p))
+			chain.Write(pem.EncodeToMemory(&p))
 		}
 
-		fmt.Println(chain)
+		fmt.Fprintln(os.Stdout, chain.String())
 	}
 }

cmd/certdump/certdump.go

@@ -1,328 +0,0 @@
-package main
-
-import (
-	"bytes"
-	"crypto/dsa"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rsa"
-	"crypto/sha256"
-	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"flag"
-	"fmt"
-	"io"
-	"os"
-	"sort"
-	"strings"
-
-	"git.wntrmute.dev/kyle/goutils/certlib"
-	"git.wntrmute.dev/kyle/goutils/lib"
-)
-
-func certPublic(cert *x509.Certificate) string {
-	switch pub := cert.PublicKey.(type) {
-	case *rsa.PublicKey:
-		return fmt.Sprintf("RSA-%d", pub.N.BitLen())
-	case *ecdsa.PublicKey:
-		switch pub.Curve {
-		case elliptic.P256():
-			return "ECDSA-prime256v1"
-		case elliptic.P384():
-			return "ECDSA-secp384r1"
-		case elliptic.P521():
-			return "ECDSA-secp521r1"
-		default:
-			return "ECDSA (unknown curve)"
-		}
-	case *dsa.PublicKey:
-		return "DSA"
-	default:
-		return "Unknown"
-	}
-}
-
-func displayName(name pkix.Name) string {
-	var ns []string
-
-	if name.CommonName != "" {
-		ns = append(ns, name.CommonName)
-	}
-
-	for i := range name.Country {
-		ns = append(ns, fmt.Sprintf("C=%s", name.Country[i]))
-	}
-
-	for i := range name.Organization {
-		ns = append(ns, fmt.Sprintf("O=%s", name.Organization[i]))
-	}
-
-	for i := range name.OrganizationalUnit {
-		ns = append(ns, fmt.Sprintf("OU=%s", name.OrganizationalUnit[i]))
-	}
-
-	for i := range name.Locality {
-		ns = append(ns, fmt.Sprintf("L=%s", name.Locality[i]))
-	}
-
-	for i := range name.Province {
-		ns = append(ns, fmt.Sprintf("ST=%s", name.Province[i]))
-	}
-
-	if len(ns) > 0 {
-		return "/" + strings.Join(ns, "/")
-	}
-
-	return "*** no subject information ***"
-}
-
-func keyUsages(ku x509.KeyUsage) string {
-	var uses []string
-
-	for u, s := range keyUsage {
-		if (ku & u) != 0 {
-			uses = append(uses, s)
-		}
-	}
-	sort.Strings(uses)
-
-	return strings.Join(uses, ", ")
-}
-
-func extUsage(ext []x509.ExtKeyUsage) string {
-	ns := make([]string, 0, len(ext))
-	for i := range ext {
-		ns = append(ns, extKeyUsages[ext[i]])
-	}
-	sort.Strings(ns)
-
-	return strings.Join(ns, ", ")
-}
-
-func showBasicConstraints(cert *x509.Certificate) {
-	fmt.Printf("\tBasic constraints: ")
-	if cert.BasicConstraintsValid {
-		fmt.Printf("valid")
-	} else {
-		fmt.Printf("invalid")
-	}
-
-	if cert.IsCA {
-		fmt.Printf(", is a CA certificate")
-		if !cert.BasicConstraintsValid {
-			fmt.Printf(" (basic constraint failure)")
-		}
-	} else {
-		fmt.Printf("is not a CA certificate")
-		if cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0 {
-			fmt.Printf(" (key encipherment usage enabled!)")
-		}
-	}
-
-	if (cert.MaxPathLen == 0 && cert.MaxPathLenZero) || (cert.MaxPathLen > 0) {
-		fmt.Printf(", max path length %d", cert.MaxPathLen)
-	}
-
-	fmt.Printf("\n")
-}
-
-const oneTrueDateFormat = "2006-01-02T15:04:05-0700"
-
-var (
-	dateFormat string
-	showHash   bool // if true, print a SHA256 hash of the certificate's Raw field
-)
-
-func wrapPrint(text string, indent int) {
-	tabs := ""
-	for i := 0; i < indent; i++ {
-		tabs += "\t"
-	}
-
-	fmt.Printf(tabs+"%s\n", wrap(text, indent))
-}
-
-func displayCert(cert *x509.Certificate) {
-	fmt.Println("CERTIFICATE")
-	if showHash {
-		fmt.Println(wrap(fmt.Sprintf("SHA256: %x", sha256.Sum256(cert.Raw)), 0))
-	}
-	fmt.Println(wrap("Subject: "+displayName(cert.Subject), 0))
-	fmt.Println(wrap("Issuer: "+displayName(cert.Issuer), 0))
-	fmt.Printf("\tSignature algorithm: %s / %s\n", sigAlgoPK(cert.SignatureAlgorithm),
-		sigAlgoHash(cert.SignatureAlgorithm))
-	fmt.Println("Details:")
-	wrapPrint("Public key: "+certPublic(cert), 1)
-	fmt.Printf("\tSerial number: %s\n", cert.SerialNumber)
-
-	if len(cert.AuthorityKeyId) > 0 {
-		fmt.Printf("\t%s\n", wrap("AKI: "+dumpHex(cert.AuthorityKeyId), 1))
-	}
-	if len(cert.SubjectKeyId) > 0 {
-		fmt.Printf("\t%s\n", wrap("SKI: "+dumpHex(cert.SubjectKeyId), 1))
-	}
-
-	wrapPrint("Valid from: "+cert.NotBefore.Format(dateFormat), 1)
-	fmt.Printf("\t     until: %s\n", cert.NotAfter.Format(dateFormat))
-	fmt.Printf("\tKey usages: %s\n", keyUsages(cert.KeyUsage))
-
-	if len(cert.ExtKeyUsage) > 0 {
-		fmt.Printf("\tExtended usages: %s\n", extUsage(cert.ExtKeyUsage))
-	}
-
-	showBasicConstraints(cert)
-
-	validNames := make([]string, 0, len(cert.DNSNames)+len(cert.EmailAddresses)+len(cert.IPAddresses))
-	for i := range cert.DNSNames {
-		validNames = append(validNames, "dns:"+cert.DNSNames[i])
-	}
-
-	for i := range cert.EmailAddresses {
-		validNames = append(validNames, "email:"+cert.EmailAddresses[i])
-	}
-
-	for i := range cert.IPAddresses {
-		validNames = append(validNames, "ip:"+cert.IPAddresses[i].String())
-	}
-
-	sans := fmt.Sprintf("SANs (%d): %s\n", len(validNames), strings.Join(validNames, ", "))
-	wrapPrint(sans, 1)
-
-	l := len(cert.IssuingCertificateURL)
-	if l != 0 {
-		var aia string
-		if l == 1 {
-			aia = "AIA"
-		} else {
-			aia = "AIAs"
-		}
-		wrapPrint(fmt.Sprintf("%d %s:", l, aia), 1)
-		for _, url := range cert.IssuingCertificateURL {
-			wrapPrint(url, 2)
-		}
-	}
-
-	l = len(cert.OCSPServer)
-	if l > 0 {
-		title := "OCSP server"
-		if l > 1 {
-			title += "s"
-		}
-		wrapPrint(title+":\n", 1)
-		for _, ocspServer := range cert.OCSPServer {
-			wrapPrint(fmt.Sprintf("- %s\n", ocspServer), 2)
-		}
-	}
-}
-
-func displayAllCerts(in []byte, leafOnly bool) {
-	certs, err := certlib.ParseCertificatesPEM(in)
-	if err != nil {
-		certs, _, err = certlib.ParseCertificatesDER(in, "")
-		if err != nil {
-			lib.Warn(err, "failed to parse certificates")
-			return
-		}
-	}
-
-	if len(certs) == 0 {
-		lib.Warnx("no certificates found")
-		return
-	}
-
-	if leafOnly {
-		displayCert(certs[0])
-		return
-	}
-
-	for i := range certs {
-		displayCert(certs[i])
-	}
-}
-
-func displayAllCertsWeb(uri string, leafOnly bool) {
-	ci := getConnInfo(uri)
-	conn, err := tls.Dial("tcp", ci.Addr, permissiveConfig())
-	if err != nil {
-		lib.Warn(err, "couldn't connect to %s", ci.Addr)
-		return
-	}
-	defer conn.Close()
-
-	state := conn.ConnectionState()
-	conn.Close()
-
-	conn, err = tls.Dial("tcp", ci.Addr, verifyConfig(ci.Host))
-	if err == nil {
-		err = conn.VerifyHostname(ci.Host)
-		if err == nil {
-			state = conn.ConnectionState()
-		}
-		conn.Close()
-	} else {
-		lib.Warn(err, "TLS verification error with server name %s", ci.Host)
-	}
-
-	if len(state.PeerCertificates) == 0 {
-		lib.Warnx("no certificates found")
-		return
-	}
-
-	if leafOnly {
-		displayCert(state.PeerCertificates[0])
-		return
-	}
-
-	if len(state.VerifiedChains) == 0 {
-		lib.Warnx("no verified chains found; using peer chain")
-		for i := range state.PeerCertificates {
-			displayCert(state.PeerCertificates[i])
-		}
-	} else {
-		fmt.Println("TLS chain verified successfully.")
-		for i := range state.VerifiedChains {
-			fmt.Printf("--- Verified certificate chain %d ---\n", i+1)
-			for j := range state.VerifiedChains[i] {
-				displayCert(state.VerifiedChains[i][j])
-			}
-		}
-	}
-}
-
-func main() {
-	var leafOnly bool
-	flag.BoolVar(&showHash, "d", false, "show hashes of raw DER contents")
-	flag.StringVar(&dateFormat, "s", oneTrueDateFormat, "date `format` in Go time format")
-	flag.BoolVar(&leafOnly, "l", false, "only show the leaf certificate")
-	flag.Parse()
-
-	if flag.NArg() == 0 || (flag.NArg() == 1 && flag.Arg(0) == "-") {
-		certs, err := io.ReadAll(os.Stdin)
-		if err != nil {
-			lib.Warn(err, "couldn't read certificates from standard input")
-			os.Exit(1)
-		}
-
-		// This is needed for getting certs from JSON/jq.
-		certs = bytes.TrimSpace(certs)
-		certs = bytes.Replace(certs, []byte(`\n`), []byte{0xa}, -1)
-		certs = bytes.Trim(certs, `"`)
-		displayAllCerts(certs, leafOnly)
-	} else {
-		for _, filename := range flag.Args() {
-			fmt.Printf("--%s ---\n", filename)
-			if strings.HasPrefix(filename, "https://") {
-				displayAllCertsWeb(filename, leafOnly)
-			} else {
-				in, err := os.ReadFile(filename)
-				if err != nil {
-					lib.Warn(err, "couldn't read certificate")
-					continue
-				}
-
-				displayAllCerts(in, leafOnly)
-			}
-		}
-	}
-}

cmd/certdump/main.go

@@ -0,0 +1,46 @@
+//lint:file-ignore SA1019 allow strict compatibility for old certs
+package main
+
+import (
+	"crypto/tls"
+	"flag"
+	"fmt"
+	"os"
+
+	"git.wntrmute.dev/kyle/goutils/certlib/dump"
+	"git.wntrmute.dev/kyle/goutils/lib"
+	"git.wntrmute.dev/kyle/goutils/lib/fetch"
+)
+
+var config struct {
+	showHash   bool
+	dateFormat string
+	leafOnly   bool
+}
+
+func main() {
+	flag.BoolVar(&config.showHash, "d", false, "show hashes of raw DER contents")
+	flag.StringVar(&config.dateFormat, "s", lib.OneTrueDateFormat, "date `format` in Go time format")
+	flag.BoolVar(&config.leafOnly, "l", false, "only show the leaf certificate")
+	flag.Parse()
+
+	tlsCfg := &tls.Config{InsecureSkipVerify: true} // #nosec G402 - tool intentionally inspects broken TLS
+
+	for _, filename := range flag.Args() {
+		fmt.Fprintf(os.Stdout, "--%s ---%s", filename, "\n")
+		certs, err := fetch.GetCertificateChain(filename, tlsCfg)
+		if err != nil {
+			lib.Warn(err, "couldn't read certificate")
+			continue
+		}
+
+		if config.leafOnly {
+			dump.DisplayCert(os.Stdout, certs[0], config.showHash)
+			continue
+		}
+
+		for i := range certs {
+			dump.DisplayCert(os.Stdout, certs[i], config.showHash)
+		}
+	}
+}

cmd/certdump/util.go

@@ -1,176 +0,0 @@
-package main
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"fmt"
-	"net"
-	"strings"
-
-	"github.com/kr/text"
-)
-
-// following two lifted from CFSSL, (replace-regexp "\(.+\): \(.+\),"
-// "\2: \1,")
-
-var keyUsage = map[x509.KeyUsage]string{
-	x509.KeyUsageDigitalSignature:  "digital signature",
-	x509.KeyUsageContentCommitment: "content committment",
-	x509.KeyUsageKeyEncipherment:   "key encipherment",
-	x509.KeyUsageKeyAgreement:      "key agreement",
-	x509.KeyUsageDataEncipherment:  "data encipherment",
-	x509.KeyUsageCertSign:          "cert sign",
-	x509.KeyUsageCRLSign:           "crl sign",
-	x509.KeyUsageEncipherOnly:      "encipher only",
-	x509.KeyUsageDecipherOnly:      "decipher only",
-}
-
-var extKeyUsages = map[x509.ExtKeyUsage]string{
-	x509.ExtKeyUsageAny:                        "any",
-	x509.ExtKeyUsageServerAuth:                 "server auth",
-	x509.ExtKeyUsageClientAuth:                 "client auth",
-	x509.ExtKeyUsageCodeSigning:                "code signing",
-	x509.ExtKeyUsageEmailProtection:            "s/mime",
-	x509.ExtKeyUsageIPSECEndSystem:             "ipsec end system",
-	x509.ExtKeyUsageIPSECTunnel:                "ipsec tunnel",
-	x509.ExtKeyUsageIPSECUser:                  "ipsec user",
-	x509.ExtKeyUsageTimeStamping:               "timestamping",
-	x509.ExtKeyUsageOCSPSigning:                "ocsp signing",
-	x509.ExtKeyUsageMicrosoftServerGatedCrypto: "microsoft sgc",
-	x509.ExtKeyUsageNetscapeServerGatedCrypto:  "netscape sgc",
-}
-
-func pubKeyAlgo(a x509.PublicKeyAlgorithm) string {
-	switch a {
-	case x509.RSA:
-		return "RSA"
-	case x509.ECDSA:
-		return "ECDSA"
-	case x509.DSA:
-		return "DSA"
-	default:
-		return "unknown public key algorithm"
-	}
-}
-
-func sigAlgoPK(a x509.SignatureAlgorithm) string {
-	switch a {
-
-	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA:
-		return "RSA"
-	case x509.ECDSAWithSHA1, x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
-		return "ECDSA"
-	case x509.DSAWithSHA1, x509.DSAWithSHA256:
-		return "DSA"
-	default:
-		return "unknown public key algorithm"
-	}
-}
-
-func sigAlgoHash(a x509.SignatureAlgorithm) string {
-	switch a {
-	case x509.MD2WithRSA:
-		return "MD2"
-	case x509.MD5WithRSA:
-		return "MD5"
-	case x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1:
-		return "SHA1"
-	case x509.SHA256WithRSA, x509.ECDSAWithSHA256, x509.DSAWithSHA256:
-		return "SHA256"
-	case x509.SHA384WithRSA, x509.ECDSAWithSHA384:
-		return "SHA384"
-	case x509.SHA512WithRSA, x509.ECDSAWithSHA512:
-		return "SHA512"
-	default:
-		return "unknown hash algorithm"
-	}
-}
-
-const maxLine = 78
-
-func makeIndent(n int) string {
-	s := "    "
-	for i := 0; i < n; i++ {
-		s += "        "
-	}
-	return s
-}
-
-func indentLen(n int) int {
-	return 4 + (8 * n)
-}
-
-// this isn't real efficient, but that's not a problem here
-func wrap(s string, indent int) string {
-	if indent > 3 {
-		indent = 3
-	}
-
-	wrapped := text.Wrap(s, maxLine)
-	lines := strings.SplitN(wrapped, "\n", 2)
-	if len(lines) == 1 {
-		return lines[0]
-	}
-
-	if (maxLine - indentLen(indent)) <= 0 {
-		panic("too much indentation")
-	}
-
-	rest := strings.Join(lines[1:], " ")
-	wrapped = text.Wrap(rest, maxLine-indentLen(indent))
-	return lines[0] + "\n" + text.Indent(wrapped, makeIndent(indent))
-}
-
-func dumpHex(in []byte) string {
-	var s string
-	for i := range in {
-		s += fmt.Sprintf("%02X:", in[i])
-	}
-
-	return strings.Trim(s, ":")
-}
-
-// permissiveConfig returns a maximally-accepting TLS configuration;
-// the purpose is to look at the cert, not verify the security properties
-// of the connection.
-func permissiveConfig() *tls.Config {
-	return &tls.Config{
-		InsecureSkipVerify: true,
-	}
-}
-
-// verifyConfig returns a config that will verify the connection.
-func verifyConfig(hostname string) *tls.Config {
-	return &tls.Config{
-		ServerName: hostname,
-	}
-}
-
-type connInfo struct {
-	// The original URI provided.
-	URI string
-
-	// The hostname of the server.
-	Host string
-
-	// The port to connect on.
-	Port string
-
-	// The address to connect to.
-	Addr string
-}
-
-func getConnInfo(uri string) *connInfo {
-	ci := &connInfo{URI: uri}
-	ci.Host = uri[len("https://"):]
-
-	host, port, err := net.SplitHostPort(ci.Host)
-	if err != nil {
-		ci.Port = "443"
-	} else {
-		ci.Host = host
-		ci.Port = port
-	}
-	ci.Addr = net.JoinHostPort(ci.Host, ci.Port)
-	return ci
-}

cmd/certexpiry/main.go

@@ -2,99 +2,54 @@ package main
 
 import (
 	"crypto/x509"
-	"crypto/x509/pkix"
 	"flag"
 	"fmt"
-	"io/ioutil"
-	"os"
-	"strings"
-	"time"
 
-	"git.wntrmute.dev/kyle/goutils/certlib"
+	"git.wntrmute.dev/kyle/goutils/certlib/verify"
 	"git.wntrmute.dev/kyle/goutils/die"
 	"git.wntrmute.dev/kyle/goutils/lib"
+	"git.wntrmute.dev/kyle/goutils/lib/dialer"
+	"git.wntrmute.dev/kyle/goutils/lib/fetch"
 )
 
-var warnOnly bool
-var leeway = 2160 * time.Hour // three months
-
-func displayName(name pkix.Name) string {
-	var ns []string
-
-	if name.CommonName != "" {
-		ns = append(ns, name.CommonName)
-	}
-
-	for i := range name.Country {
-		ns = append(ns, fmt.Sprintf("C=%s", name.Country[i]))
-	}
-
-	for i := range name.Organization {
-		ns = append(ns, fmt.Sprintf("O=%s", name.Organization[i]))
-	}
-
-	for i := range name.OrganizationalUnit {
-		ns = append(ns, fmt.Sprintf("OU=%s", name.OrganizationalUnit[i]))
-	}
-
-	for i := range name.Locality {
-		ns = append(ns, fmt.Sprintf("L=%s", name.Locality[i]))
-	}
-
-	for i := range name.Province {
-		ns = append(ns, fmt.Sprintf("ST=%s", name.Province[i]))
-	}
-
-	if len(ns) > 0 {
-		return "/" + strings.Join(ns, "/")
-	}
-
-	die.With("no subject information in root")
-	return ""
-}
-
-func expires(cert *x509.Certificate) time.Duration {
-	return cert.NotAfter.Sub(time.Now())
-}
-
-func inDanger(cert *x509.Certificate) bool {
-	return expires(cert) < leeway
-}
-
-func checkCert(cert *x509.Certificate) {
-	warn := inDanger(cert)
-	name := displayName(cert.Subject)
-	name = fmt.Sprintf("%s/SN=%s", name, cert.SerialNumber)
-	expiry := expires(cert)
-	if warnOnly {
-		if warn {
-			fmt.Fprintf(os.Stderr, "%s expires on %s (in %s)\n", name, cert.NotAfter, expiry)
-		}
-	} else {
-		fmt.Printf("%s expires on %s (in %s)\n", name, cert.NotAfter, expiry)
-	}
-}
-
 func main() {
+	var (
+		skipVerify bool
+		strictTLS  bool
+		leeway     = verify.DefaultLeeway
+		warnOnly   bool
+	)
+
+	dialer.StrictTLSFlag(&strictTLS)
+
+	flag.BoolVar(&skipVerify, "k", false, "skip server verification") // #nosec G402
 	flag.BoolVar(&warnOnly, "q", false, "only warn about expiring certs")
 	flag.DurationVar(&leeway, "t", leeway, "warn if certificates are closer than this to expiring")
 	flag.Parse()
 
-	for _, file := range flag.Args() {
+	tlsCfg, err := dialer.BaselineTLSConfig(skipVerify, strictTLS)
-		in, err := ioutil.ReadFile(file)
+	die.If(err)
-		if err != nil {
-			lib.Warn(err, "failed to read file")
-			continue
-		}
 
-		certs, err := certlib.ParseCertificatesPEM(in)
+	for _, file := range flag.Args() {
+		var certs []*x509.Certificate
+
+		certs, err = fetch.GetCertificateChain(file, tlsCfg)
 		if err != nil {
-			lib.Warn(err, "while parsing certificates")
+			_, _ = lib.Warn(err, "while parsing certificates")
 			continue
 		}
 
 		for _, cert := range certs {
-			checkCert(cert)
+			check := verify.NewCertCheck(cert, leeway)
+
+			if warnOnly {
+				if err = check.Err(); err != nil {
+					lib.Warn(err, "certificate is expiring")
+				}
+			} else {
+				fmt.Printf("%s expires on %s (in %s)\n", check.Name(),
+					cert.NotAfter, check.Expiry())
+			}
 		}
 	}
 }

cmd/certser/main.go

@@ -0,0 +1,61 @@
+package main
+
+import (
+	"crypto/x509"
+	"flag"
+	"fmt"
+	"strings"
+
+	"git.wntrmute.dev/kyle/goutils/die"
+	"git.wntrmute.dev/kyle/goutils/lib"
+	"git.wntrmute.dev/kyle/goutils/lib/dialer"
+	"git.wntrmute.dev/kyle/goutils/lib/fetch"
+)
+
+const displayInt lib.HexEncodeMode = iota
+
+func parseDisplayMode(mode string) lib.HexEncodeMode {
+	mode = strings.ToLower(mode)
+
+	if mode == "int" {
+		return displayInt
+	}
+
+	return lib.ParseHexEncodeMode(mode)
+}
+
+func serialString(cert *x509.Certificate, mode lib.HexEncodeMode) string {
+	if mode == displayInt {
+		return cert.SerialNumber.String()
+	}
+
+	return lib.HexEncode(cert.SerialNumber.Bytes(), mode)
+}
+
+func main() {
+	var skipVerify bool
+	var strictTLS bool
+	dialer.StrictTLSFlag(&strictTLS)
+	displayAs := flag.String("d", "int", "display mode (int, hex, uhex)")
+	showExpiry := flag.Bool("e", false, "show expiry date")
+	flag.BoolVar(&skipVerify, "k", false, "skip server verification") // #nosec G402
+	flag.Parse()
+
+	tlsCfg, err := dialer.BaselineTLSConfig(skipVerify, strictTLS)
+	die.If(err)
+
+	displayMode := parseDisplayMode(*displayAs)
+
+	for _, arg := range flag.Args() {
+		var cert *x509.Certificate
+
+		cert, err = fetch.GetCertificate(arg, tlsCfg)
+		die.If(err)
+
+		fmt.Printf("%s: %s", arg, serialString(cert, displayMode))
+		if *showExpiry {
+			fmt.Printf(" (%s)", cert.NotAfter.Format("2006-01-02"))
+		}
+		fmt.Println()
+	}
+}

cmd/certverify/main.go

@@ -4,109 +4,91 @@ import (
 	"crypto/x509"
 	"flag"
 	"fmt"
-	"io/ioutil"
 	"os"
-	"time"
 
 	"git.wntrmute.dev/kyle/goutils/certlib"
-	"git.wntrmute.dev/kyle/goutils/certlib/revoke"
+	"git.wntrmute.dev/kyle/goutils/certlib/verify"
 	"git.wntrmute.dev/kyle/goutils/die"
 	"git.wntrmute.dev/kyle/goutils/lib"
+	"git.wntrmute.dev/kyle/goutils/lib/dialer"
 )
 
-func printRevocation(cert *x509.Certificate) {
+type appConfig struct {
-	remaining := time.Until(cert.NotAfter)
+	caFile, intFile             string
-	fmt.Printf("certificate expires in %s.\n", lib.Duration(remaining))
+	forceIntermediateBundle     bool
+	revexp, skipVerify, verbose bool
+	strictTLS                   bool
+}
 
-	revoked, ok := revoke.VerifyCertificate(cert)
+func parseFlags() appConfig {
-	if !ok {
+	var cfg appConfig
-		fmt.Fprintf(os.Stderr, "[!] the revocation check failed (failed to determine whether certificate\nwas revoked)")
+	flag.StringVar(&cfg.caFile, "ca", "", "CA certificate `bundle`")
-		return
+	flag.StringVar(&cfg.intFile, "i", "", "intermediate `bundle`")
+	flag.BoolVar(&cfg.forceIntermediateBundle, "f", false,
+		"force the use of the intermediate bundle, ignoring any intermediates bundled with certificate")
+	flag.BoolVar(&cfg.skipVerify, "k", false, "skip CA verification")
+	flag.BoolVar(&cfg.revexp, "r", false, "print revocation and expiry information")
+	flag.BoolVar(&cfg.verbose, "v", false, "verbose")
+	dialer.StrictTLSFlag(&cfg.strictTLS)
+	flag.Parse()
+
+	if flag.NArg() == 0 {
+		die.With("usage: certverify targets...")
 	}
 
-	if revoked {
+	return cfg
-		fmt.Fprintf(os.Stderr, "[!] the certificate has been revoked\n")
-		return
-	}
 }
 
 func main() {
-	var caFile, intFile string
+	var (
-	var forceIntermediateBundle, revexp, verbose bool
+		roots, ints *x509.CertPool
-	flag.StringVar(&caFile, "ca", "", "CA certificate `bundle`")
+		err         error
-	flag.StringVar(&intFile, "i", "", "intermediate `bundle`")
+		failed      bool
-	flag.BoolVar(&forceIntermediateBundle, "f", false,
+	)
-		"force the use of the intermediate bundle, ignoring any intermediates bundled with certificate")
-	flag.BoolVar(&revexp, "r", false, "print revocation and expiry information")
-	flag.BoolVar(&verbose, "v", false, "verbose")
-	flag.Parse()
 
-	var roots *x509.CertPool
+	cfg := parseFlags()
-	if caFile != "" {
+
-		var err error
+	opts := &verify.Opts{
-		if verbose {
+		CheckRevocation:    cfg.revexp,
-			fmt.Println("[+] loading root certificates from", caFile)
+		ForceIntermediates: cfg.forceIntermediateBundle,
+		Verbose:            cfg.verbose,
+	}
+
+	if cfg.caFile != "" {
+		if cfg.verbose {
+			fmt.Printf("loading CA certificates from %s\n", cfg.caFile)
 		}
-		roots, err = certlib.LoadPEMCertPool(caFile)
+
+		roots, err = certlib.LoadPEMCertPool(cfg.caFile)
 		die.If(err)
 	}
 
-	var ints *x509.CertPool
+	if cfg.intFile != "" {
-	if intFile != "" {
+		if cfg.verbose {
-		var err error
+			fmt.Printf("loading intermediate certificates from %s\n", cfg.intFile)
-		if verbose {
-			fmt.Println("[+] loading intermediate certificates from", intFile)
 		}
-		ints, err = certlib.LoadPEMCertPool(caFile)
+
+		ints, err = certlib.LoadPEMCertPool(cfg.intFile)
 		die.If(err)
-	} else {
-		ints = x509.NewCertPool()
 	}
 
-	if flag.NArg() != 1 {
+	opts.Config, err = dialer.BaselineTLSConfig(cfg.skipVerify, cfg.strictTLS)
-		fmt.Fprintf(os.Stderr, "Usage: %s [-ca bundle] [-i bundle] cert",
-			lib.ProgName())
-	}
-
-	fileData, err := ioutil.ReadFile(flag.Arg(0))
 	die.If(err)
 
-	chain, err := certlib.ParseCertificatesPEM(fileData)
+	opts.Config.RootCAs = roots
-	die.If(err)
+	opts.Intermediates = ints
-	if verbose {
-		fmt.Printf("[+] %s has %d certificates\n", flag.Arg(0), len(chain))
-	}
 
-	cert := chain[0]
+	for _, arg := range flag.Args() {
-	if len(chain) > 1 {
+		_, err = verify.Chain(os.Stdout, arg, opts)
-		if !forceIntermediateBundle {
+		if err != nil {
-			for _, intermediate := range chain[1:] {
+			lib.Warn(err, "while verifying %s", arg)
-				if verbose {
+			failed = true
-					fmt.Printf("[+] adding intermediate with SKI %x\n", intermediate.SubjectKeyId)
+		} else {
-				}
+			fmt.Printf("%s: OK\n", arg)
-
-				ints.AddCert(intermediate)
-			}
 		}
 	}
 
-	opts := x509.VerifyOptions{
+	if failed {
-		Intermediates: ints,
-		Roots:         roots,
-		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
-	}
-
-	_, err = cert.Verify(opts)
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "Verification failed: %v\n", err)
 		os.Exit(1)
 	}
-
-	if verbose {
-		fmt.Println("OK")
-	}
-
-	if revexp {
-		printRevocation(cert)
-	}
 }

cmd/clustersh/main.go

@@ -2,6 +2,8 @@ package main
 
 import (
 	"bufio"
+	"context"
+	"errors"
 	"flag"
 	"fmt"
 	"io"
@@ -56,7 +58,7 @@ var modes = ssh.TerminalModes{
 }
 
 func sshAgent() ssh.AuthMethod {
-	a, err := net.Dial("unix", os.Getenv("SSH_AUTH_SOCK"))
+	a, err := (&net.Dialer{}).DialContext(context.Background(), "unix", os.Getenv("SSH_AUTH_SOCK"))
 	if err == nil {
 		return ssh.PublicKeysCallback(agent.NewClient(a).Signers)
 	}
@@ -82,7 +84,7 @@ func scanner(host string, in io.Reader, out io.Writer) {
 	}
 }
 
-func logError(host string, err error, format string, args ...interface{}) {
+func logError(host string, err error, format string, args ...any) {
 	msg := fmt.Sprintf(format, args...)
 	log.Printf("[%s] FAILED: %s: %v\n", host, msg, err)
 }
@@ -93,7 +95,7 @@ func exec(wg *sync.WaitGroup, user, host string, commands []string) {
 	defer func() {
 		for i := len(shutdown) - 1; i >= 0; i-- {
 			err := shutdown[i]()
-			if err != nil && err != io.EOF {
+			if err != nil && !errors.Is(err, io.EOF) {
 				logError(host, err, "shutting down")
 			}
 		}
@@ -115,7 +117,7 @@ func exec(wg *sync.WaitGroup, user, host string, commands []string) {
 	}
 	shutdown = append(shutdown, session.Close)
 
-	if err := session.RequestPty("xterm", 80, 40, modes); err != nil {
+	if err = session.RequestPty("xterm", 80, 40, modes); err != nil {
 		session.Close()
 		logError(host, err, "request for pty failed")
 		return
@@ -150,7 +152,7 @@ func upload(wg *sync.WaitGroup, user, host, local, remote string) {
 	defer func() {
 		for i := len(shutdown) - 1; i >= 0; i-- {
 			err := shutdown[i]()
-			if err != nil && err != io.EOF {
+			if err != nil && !errors.Is(err, io.EOF) {
 				logError(host, err, "shutting down")
 			}
 		}
@@ -199,7 +201,7 @@ func upload(wg *sync.WaitGroup, user, host, local, remote string) {
 			fmt.Printf("[%s] wrote %d-byte chunk\n", host, n)
 		}
 
-		if err == io.EOF {
+		if errors.Is(err, io.EOF) {
 			break
 		} else if err != nil {
 			logError(host, err, "reading chunk")
@@ -215,7 +217,7 @@ func download(wg *sync.WaitGroup, user, host, local, remote string) {
 	defer func() {
 		for i := len(shutdown) - 1; i >= 0; i-- {
 			err := shutdown[i]()
-			if err != nil && err != io.EOF {
+			if err != nil && !errors.Is(err, io.EOF) {
 				logError(host, err, "shutting down")
 			}
 		}
@@ -265,7 +267,7 @@ func download(wg *sync.WaitGroup, user, host, local, remote string) {
 			fmt.Printf("[%s] wrote %d-byte chunk\n", host, n)
 		}
 
-		if err == io.EOF {
+		if errors.Is(err, io.EOF) {
 			break
 		} else if err != nil {
 			logError(host, err, "reading chunk")

cmd/cruntar/main.go

@@ -10,6 +10,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"git.wntrmute.dev/kyle/goutils/die"
 	"git.wntrmute.dev/kyle/goutils/fileutil"
@@ -26,7 +27,7 @@ func setupFile(hdr *tar.Header, file *os.File) error {
 		if verbose {
 			fmt.Printf("\tchmod %0#o\n", hdr.Mode)
 		}
-		err := file.Chmod(os.FileMode(hdr.Mode))
+		err := file.Chmod(os.FileMode(hdr.Mode & 0xFFFFFFFF)) // #nosec G115
 		if err != nil {
 			return err
 		}
@@ -48,73 +49,105 @@ func linkTarget(target, top string) string {
 		return target
 	}
 
-	return filepath.Clean(filepath.Join(target, top))
+	return filepath.Clean(filepath.Join(top, target))
+}
+
+// safeJoin joins base and elem and ensures the resulting path does not escape base.
+func safeJoin(base, elem string) (string, error) {
+	cleanBase := filepath.Clean(base)
+	joined := filepath.Clean(filepath.Join(cleanBase, elem))
+
+	absBase, err := filepath.Abs(cleanBase)
+	if err != nil {
+		return "", err
+	}
+	absJoined, err := filepath.Abs(joined)
+	if err != nil {
+		return "", err
+	}
+	rel, err := filepath.Rel(absBase, absJoined)
+	if err != nil {
+		return "", err
+	}
+	if rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
+		return "", fmt.Errorf("path traversal detected: %s escapes %s", elem, base)
+	}
+	return joined, nil
+}
+
+func handleTypeReg(tfr *tar.Reader, hdr *tar.Header, filePath string) error {
+	file, err := os.Create(filePath)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+
+	if _, err = io.Copy(file, tfr); err != nil {
+		return err
+	}
+	return setupFile(hdr, file)
+}
+
+func handleTypeLink(hdr *tar.Header, top, filePath string) error {
+	file, err := os.Create(filePath)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+
+	srcPath, err := safeJoin(top, hdr.Linkname)
+	if err != nil {
+		return err
+	}
+	source, err := os.Open(srcPath)
+	if err != nil {
+		return err
+	}
+	defer source.Close()
+
+	if _, err = io.Copy(file, source); err != nil {
+		return err
+	}
+	return setupFile(hdr, file)
+}
+
+func handleTypeSymlink(hdr *tar.Header, top, filePath string) error {
+	if !fileutil.ValidateSymlink(hdr.Linkname, top) {
+		return fmt.Errorf("symlink %s is outside the top-level %s", hdr.Linkname, top)
+	}
+	path := linkTarget(hdr.Linkname, top)
+	if ok, err := filepath.Match(top+"/*", filepath.Clean(path)); !ok {
+		return fmt.Errorf("symlink %s isn't in %s", hdr.Linkname, top)
+	} else if err != nil {
+		return err
+	}
+	return os.Symlink(linkTarget(hdr.Linkname, top), filePath)
+}
+
+func handleTypeDir(hdr *tar.Header, filePath string) error {
+	return os.MkdirAll(filePath, os.FileMode(hdr.Mode&0xFFFFFFFF)) // #nosec G115
 }
 
 func processFile(tfr *tar.Reader, hdr *tar.Header, top string) error {
 	if verbose {
 		fmt.Println(hdr.Name)
 	}
-	filePath := filepath.Clean(filepath.Join(top, hdr.Name))
-	switch hdr.Typeflag {
-	case tar.TypeReg:
-		file, err := os.Create(filePath)
-		if err != nil {
-			return err
-		}
 
-		_, err = io.Copy(file, tfr)
+	filePath, err := safeJoin(top, hdr.Name)
-		if err != nil {
+	if err != nil {
-			return err
+		return err
-		}
-
-		err = setupFile(hdr, file)
-		if err != nil {
-			return err
-		}
-	case tar.TypeLink:
-		file, err := os.Create(filePath)
-		if err != nil {
-			return err
-		}
-
-		source, err := os.Open(hdr.Linkname)
-		if err != nil {
-			return err
-		}
-
-		_, err = io.Copy(file, source)
-		if err != nil {
-			return err
-		}
-
-		err = setupFile(hdr, file)
-		if err != nil {
-			return err
-		}
-	case tar.TypeSymlink:
-		if !fileutil.ValidateSymlink(hdr.Linkname, top) {
-			return fmt.Errorf("symlink %s is outside the top-level %s",
-				hdr.Linkname, top)
-		}
-		path := linkTarget(hdr.Linkname, top)
-		if ok, err := filepath.Match(top+"/*", filepath.Clean(path)); !ok {
-			return fmt.Errorf("symlink %s isn't in %s", hdr.Linkname, top)
-		} else if err != nil {
-			return err
-		}
-
-		err := os.Symlink(linkTarget(hdr.Linkname, top), filePath)
-		if err != nil {
-			return err
-		}
-	case tar.TypeDir:
-		err := os.MkdirAll(filePath, os.FileMode(hdr.Mode))
-		if err != nil {
-			return err
-		}
 	}
 
+	switch hdr.Typeflag {
+	case tar.TypeReg:
+		return handleTypeReg(tfr, hdr, filePath)
+	case tar.TypeLink:
+		return handleTypeLink(hdr, top, filePath)
+	case tar.TypeSymlink:
+		return handleTypeSymlink(hdr, top, filePath)
+	case tar.TypeDir:
+		return handleTypeDir(hdr, filePath)
+	}
 	return nil
 }
 
@@ -261,16 +294,16 @@ func main() {
 	die.If(err)
 
 	tfr := tar.NewReader(r)
+	var hdr *tar.Header
 	for {
-		hdr, err := tfr.Next()
+		hdr, err = tfr.Next()
-		if err == io.EOF {
+		if errors.Is(err, io.EOF) {
 			break
 		}
 		die.If(err)
 
 		err = processFile(tfr, hdr, top)
 		die.If(err)
-
 	}
 
 	r.Close()

cmd/csrpubdump/main.go

@@ -7,9 +7,9 @@ import (
 	"encoding/pem"
 	"flag"
 	"fmt"
-	"io/ioutil"
+	"os"
-	"log"
 
+	"git.wntrmute.dev/kyle/goutils/certlib"
 	"git.wntrmute.dev/kyle/goutils/die"
 )
 
@@ -17,17 +17,10 @@ func main() {
 	flag.Parse()
 
 	for _, fileName := range flag.Args() {
-		in, err := ioutil.ReadFile(fileName)
+		in, err := os.ReadFile(fileName)
 		die.If(err)
 
-		if p, _ := pem.Decode(in); p != nil {
+		csr, _, err := certlib.ParseCSR(in)
-			if p.Type != "CERTIFICATE REQUEST" {
-				log.Fatal("INVALID FILE TYPE")
-			}
-			in = p.Bytes
-		}
-
-		csr, err := x509.ParseCertificateRequest(in)
 		die.If(err)
 
 		out, err := x509.MarshalPKIXPublicKey(csr.PublicKey)
@@ -48,8 +41,8 @@ func main() {
 			Bytes: out,
 		}
 
-		err = ioutil.WriteFile(fileName+".pub", pem.EncodeToMemory(p), 0644)
+		err = os.WriteFile(fileName+".pub", pem.EncodeToMemory(p), 0o644) // #nosec G306
 		die.If(err)
-		fmt.Printf("[+] wrote %s.\n", fileName+".pub")
+		fmt.Fprintf(os.Stdout, "[+] wrote %s.\n", fileName+".pub")
 	}
 }

cmd/data_sync/main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"flag"
 	"fmt"
 	"io"
@@ -152,7 +153,7 @@ func rsync(syncDir, target, excludeFile string, verboseRsync bool) error {
 		return err
 	}
 
-	cmd := exec.Command(path, args...)
+	cmd := exec.CommandContext(context.Background(), path, args...)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	return cmd.Run()
@@ -163,7 +164,6 @@ func init() {
 }
 
 func main() {
-
 	var logLevel, mountDir, syncDir, target string
 	var dryRun, quietMode, noSyslog, verboseRsync bool
 
@@ -219,7 +219,7 @@ func main() {
 	if excludeFile != "" {
 		defer func() {
 			log.Infof("removing exclude file %s", excludeFile)
-			if err := os.Remove(excludeFile); err != nil {
+			if rmErr := os.Remove(excludeFile); rmErr != nil {
 				log.Warningf("failed to remove temp file %s", excludeFile)
 			}
 		}()

cmd/diskimg/main.go

@@ -15,43 +15,41 @@ import (
 const defaultHashAlgorithm = "sha256"
 
 var (
-	hAlgo      string
+	hAlgo string
 	debug = dbg.New()
 )
 
-
+func openImage(imageFile string) (*os.File, []byte, error) {
-func openImage(imageFile string) (image *os.File, hash []byte, err error) {
+	f, err := os.Open(imageFile)
-	image, err = os.Open(imageFile)
 	if err != nil {
-		return
+		return nil, nil, err
 	}
 
-	hash, err = ahash.SumReader(hAlgo, image)
+	h, err := ahash.SumReader(hAlgo, f)
 	if err != nil {
-		return
+		return nil, nil, err
 	}
 
-	_, err = image.Seek(0, 0)
+	if _, err = f.Seek(0, 0); err != nil {
-	if err != nil {
+		return nil, nil, err
-		return
 	}
 
-	debug.Printf("%s  %x\n", imageFile, hash)
+	debug.Printf("%s  %x\n", imageFile, h)
-	return
+	return f, h, nil
 }
 
-func openDevice(devicePath string) (device *os.File, err error) {
+func openDevice(devicePath string) (*os.File, error) {
 	fi, err := os.Stat(devicePath)
 	if err != nil {
-		return
+		return nil, err
 	}
 
-	device, err = os.OpenFile(devicePath, os.O_RDWR|os.O_SYNC, fi.Mode())
+	device, err := os.OpenFile(devicePath, os.O_RDWR|os.O_SYNC, fi.Mode())
 	if err != nil {
-		return
+		return nil, err
 	}
 
-	return
+	return device, nil
 }
 
 func main() {
@@ -105,12 +103,12 @@ func main() {
 	die.If(err)
 
 	if !bytes.Equal(deviceHash, hash) {
-		fmt.Fprintln(os.Stderr, "Hash mismatch:")
+		buf := &bytes.Buffer{}
-		fmt.Fprintf(os.Stderr, "\t%s: %s\n", imageFile, hash)
+		fmt.Fprintln(buf, "Hash mismatch:")
-		fmt.Fprintf(os.Stderr, "\t%s: %s\n", devicePath, deviceHash)
+		fmt.Fprintf(buf, "\t%s: %s\n", imageFile, hash)
-		os.Exit(1)
+		fmt.Fprintf(buf, "\t%s: %s\n", devicePath, deviceHash)
+		die.With(buf.String())
 	}
 
 	debug.Println("OK")
-	os.Exit(0)
 }

cmd/dumpbytes/main.go

@@ -1,30 +1,33 @@
 package main
 
 import (
+	"errors"
 	"flag"
 	"fmt"
-	"git.wntrmute.dev/kyle/goutils/die"
 	"io"
 	"os"
+	"strings"
+
+	"git.wntrmute.dev/kyle/goutils/die"
 )
 
 func usage(w io.Writer, exc int) {
-	fmt.Fprintln(w, `usage: dumpbytes <file>`)
+	fmt.Fprintln(w, `usage: dumpbytes -n tabs <file>`)
 	os.Exit(exc)
 }
 
 func printBytes(buf []byte) {
 	fmt.Printf("\t")
-	for i := 0; i < len(buf); i++ {
+	for i := range buf {
 		fmt.Printf("0x%02x, ", buf[i])
 	}
 	fmt.Println()
 }
 
 func dumpFile(path string, indentLevel int) error {
-	indent := ""
+	var indent strings.Builder
-	for i := 0; i < indentLevel; i++ {
+	for range indentLevel {
-		indent += "\t"
+		indent.WriteByte('\t')
 	}
 
 	file, err := os.Open(path)
@@ -34,13 +37,14 @@ func dumpFile(path string, indentLevel int) error {
 
 	defer file.Close()
 
-	fmt.Printf("%svar buffer = []byte{\n", indent)
+	fmt.Printf("%svar buffer = []byte{\n", indent.String())
+	var n int
 	for {
 		buf := make([]byte, 8)
-		n, err := file.Read(buf)
+		n, err = file.Read(buf)
-		if err == io.EOF {
+		if errors.Is(err, io.EOF) {
 			if n > 0 {
-				fmt.Printf("%s", indent)
+				fmt.Printf("%s", indent.String())
 				printBytes(buf[:n])
 			}
 			break
@@ -50,11 +54,11 @@ func dumpFile(path string, indentLevel int) error {
 			return err
 		}
 
-		fmt.Printf("%s", indent)
+		fmt.Printf("%s", indent.String())
 		printBytes(buf[:n])
 	}
 
-	fmt.Printf("%s}\n", indent)
+	fmt.Printf("%s}\n", indent.String())
 	return nil
 }
 

cmd/eig/main.go

@@ -7,7 +7,7 @@ import (
 	"git.wntrmute.dev/kyle/goutils/die"
 )
 
-// size of a kilobit in bytes
+// size of a kilobit in bytes.
 const kilobit = 128
 const pageSize = 4096
 
@@ -26,10 +26,10 @@ func main() {
 		path = flag.Arg(0)
 	}
 
-	fillByte := uint8(*fill)
+	fillByte := uint8(*fill & 0xff) // #nosec G115 clearing out of bounds bits
 
 	buf := make([]byte, pageSize)
-	for i := 0; i < pageSize; i++ {
+	for i := range pageSize {
 		buf[i] = fillByte
 	}
 
@@ -40,7 +40,7 @@ func main() {
 	die.If(err)
 	defer file.Close()
 
-	for i := 0; i < pages; i++ {
+	for range pages {
 		_, err = file.Write(buf)
 		die.If(err)
 	}

cmd/fragment/main.go

@@ -72,15 +72,13 @@ func main() {
 
 	if end < start {
 		fmt.Fprintln(os.Stderr, "[!] end < start, swapping values")
-		tmp := end
+		start, end = end, start
-		end = start
-		start = tmp
 	}
 
 	var fmtStr string
 
 	if !*quiet {
-		maxLine := fmt.Sprintf("%d", len(lines))
+		maxLine := strconv.Itoa(len(lines))
 		fmtStr = fmt.Sprintf("%%0%dd: %%s", len(maxLine))
 	}
 
@@ -98,9 +96,9 @@ func main() {
 	fmtStr += "\n"
 	for i := start; !endFunc(i); i++ {
 		if *quiet {
-			fmt.Println(lines[i])
+			fmt.Fprintln(os.Stdout, lines[i])
 		} else {
-			fmt.Printf(fmtStr, i, lines[i])
+			fmt.Fprintf(os.Stdout, fmtStr, i, lines[i])
 		}
 	}
 }

cmd/host/main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"flag"
 	"fmt"
 	"log"
@@ -8,7 +9,8 @@ import (
 )
 
 func lookupHost(host string) error {
-	cname, err := net.LookupCNAME(host)
+	r := &net.Resolver{}
+	cname, err := r.LookupCNAME(context.Background(), host)
 	if err != nil {
 		return err
 	}
@@ -18,7 +20,7 @@ func lookupHost(host string) error {
 		host = cname
 	}
 
-	addrs, err := net.LookupHost(host)
+	addrs, err := r.LookupHost(context.Background(), host)
 	if err != nil {
 		return err
 	}

cmd/jlp/main.go

@@ -5,7 +5,7 @@ import (
 	"encoding/json"
 	"flag"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"os"
 
 	"git.wntrmute.dev/kyle/goutils/lib"
@@ -16,20 +16,20 @@ func prettify(file string, validateOnly bool) error {
 	var err error
 
 	if file == "-" {
-		in, err = ioutil.ReadAll(os.Stdin)
+		in, err = io.ReadAll(os.Stdin)
 	} else {
-		in, err = ioutil.ReadFile(file)
+		in, err = os.ReadFile(file)
 	}
 
 	if err != nil {
-		lib.Warn(err, "ReadFile")
+		_, _ = lib.Warn(err, "ReadFile")
 		return err
 	}
 
 	var buf = &bytes.Buffer{}
 	err = json.Indent(buf, in, "", "    ")
 	if err != nil {
-		lib.Warn(err, "%s", file)
+		_, _ = lib.Warn(err, "%s", file)
 		return err
 	}
 
@@ -40,11 +40,11 @@ func prettify(file string, validateOnly bool) error {
 	if file == "-" {
 		_, err = os.Stdout.Write(buf.Bytes())
 	} else {
-		err = ioutil.WriteFile(file, buf.Bytes(), 0644)
+		err = os.WriteFile(file, buf.Bytes(), 0o644)
 	}
 
 	if err != nil {
-		lib.Warn(err, "WriteFile")
+		_, _ = lib.Warn(err, "WriteFile")
 	}
 
 	return err
@@ -55,20 +55,20 @@ func compact(file string, validateOnly bool) error {
 	var err error
 
 	if file == "-" {
-		in, err = ioutil.ReadAll(os.Stdin)
+		in, err = io.ReadAll(os.Stdin)
 	} else {
-		in, err = ioutil.ReadFile(file)
+		in, err = os.ReadFile(file)
 	}
 
 	if err != nil {
-		lib.Warn(err, "ReadFile")
+		_, _ = lib.Warn(err, "ReadFile")
 		return err
 	}
 
 	var buf = &bytes.Buffer{}
 	err = json.Compact(buf, in)
 	if err != nil {
-		lib.Warn(err, "%s", file)
+		_, _ = lib.Warn(err, "%s", file)
 		return err
 	}
 
@@ -79,11 +79,11 @@ func compact(file string, validateOnly bool) error {
 	if file == "-" {
 		_, err = os.Stdout.Write(buf.Bytes())
 	} else {
-		err = ioutil.WriteFile(file, buf.Bytes(), 0644)
+		err = os.WriteFile(file, buf.Bytes(), 0o644)
 	}
 
 	if err != nil {
-		lib.Warn(err, "WriteFile")
+		_, _ = lib.Warn(err, "WriteFile")
 	}
 
 	return err
@@ -91,7 +91,7 @@ func compact(file string, validateOnly bool) error {
 
 func usage() {
 	progname := lib.ProgName()
-	fmt.Printf(`Usage: %s [-h] files...
+	fmt.Fprintf(os.Stdout, `Usage: %s [-h] files...
 	%s is used to lint and prettify (or compact) JSON files. The
 	files will be updated in-place.
 
@@ -100,7 +100,6 @@ func usage() {
 	-h	Print this help message.
 	-n	Don't prettify; only perform validation.
 `, progname, progname)
-
 }
 
 func init() {

cmd/kgz/README

@@ -3,15 +3,31 @@ kgz
 kgz is like gzip, but supports compressing and decompressing to a different
 directory than the source file is in.
 
-Usage: kgz [-l] source [target]
+Usage: kgz [-l] [-k] [-m] [-x] [--uid N] [--gid N] source [target]
 
-If target is a directory, the basename of the sourcefile will be used
+If target is a directory, the basename of the source file will be used
 as the target filename. Compression and decompression is selected
 based on whether the source filename ends in ".gz".
 
 Flags:
-	-l level	Compression level (0-9). Only meaninful when
+	-l level    Compression level (0-9). Only meaningful when compressing.
-			compressing a file.
+    -u          Do not restrict the size during decompression. As
+                a safeguard against gzip bombs, the maximum size
+                allowed is 32 * the compressed file size.
+    -k          Keep the source file (do not remove it after successful
+                compression or decompression).
+    -m          On decompression, set the file mtime from the gzip header.
+    -x          On compression, include uid/gid/mode/ctime in the gzip Extra
+                field so that decompression can restore them. The Extra payload
+                is an ASN.1 DER-encoded struct.
+    --uid N     When used with -x, set UID in Extra to N (override source).
+    --gid N     When used with -x, set GID in Extra to N (override source).
+
+Metadata notes:
+- mtime is stored in the standard gzip header and restored with -m.
+- uid/gid/mode/ctime are stored in a kgz-specific Extra subfield as an ASN.1
+  DER-encoded struct. Restoring
+  uid/gid may fail without sufficient privileges; such errors are ignored.
 
 
 

cmd/kgz/main.go

@@ -3,81 +3,276 @@ package main
 import (
 	"compress/flate"
 	"compress/gzip"
+	"encoding/asn1"
+	"encoding/binary"
 	"flag"
 	"fmt"
 	"io"
+	"math"
 	"os"
 	"path/filepath"
 	"strings"
 
-	"github.com/pkg/errors"
+	"golang.org/x/sys/unix"
+
+	goutilslib "git.wntrmute.dev/kyle/goutils/lib"
 )
 
 const gzipExt = ".gz"
 
-func compress(path, target string, level int) error {
+// kgzExtraID is the two-byte subfield identifier used in the gzip Extra field
+// for kgz-specific metadata.
+var kgzExtraID = [2]byte{'K', 'G'}
+
+// buildKGExtra constructs the gzip Extra subfield payload for kgz metadata.
+//
+// The payload is an ASN.1 DER-encoded struct with the following fields:
+//
+//	Version    INTEGER (currently 1)
+//	UID        INTEGER
+//	GID        INTEGER
+//	Mode       INTEGER (permission bits)
+//	CTimeSec   INTEGER (seconds)
+//	CTimeNSec  INTEGER (nanoseconds)
+//
+// The ASN.1 blob is wrapped in a gzip Extra subfield with ID 'K','G'.
+func buildKGExtra(uid, gid, mode uint32, ctimeS int64, ctimeNs int32) []byte {
+	// Define the ASN.1 structure to encode
+	type KGZExtra struct {
+		Version   int
+		UID       int
+		GID       int
+		Mode      int
+		CTimeSec  int64
+		CTimeNSec int32
+	}
+
+	payload, err := asn1.Marshal(KGZExtra{
+		Version:   1,
+		UID:       int(uid),
+		GID:       int(gid),
+		Mode:      int(mode),
+		CTimeSec:  ctimeS,
+		CTimeNSec: ctimeNs,
+	})
+	if err != nil {
+		// On marshal failure, return empty to avoid breaking compression
+		return nil
+	}
+
+	// Wrap in gzip subfield: [ID1 ID2 LEN(lo) LEN(hi) PAYLOAD]
+	// Guard against payload length overflow to uint16 for the extra subfield length.
+	if len(payload) > int(math.MaxUint16) {
+		return nil
+	}
+	extra := make([]byte, 4+len(payload))
+	extra[0] = kgzExtraID[0]
+	extra[1] = kgzExtraID[1]
+	binary.LittleEndian.PutUint16(extra[2:], uint16(len(payload)&0xFFFF)) //#nosec G115 - masked
+	copy(extra[4:], payload)
+	return extra
+}
+
+// clampToInt32 clamps an int value into the int32 range using a switch to
+// satisfy linters that prefer switch over if-else chains for ordered checks.
+func clampToInt32(v int) int32 {
+	switch {
+	case v > int(math.MaxInt32):
+		return math.MaxInt32
+	case v < int(math.MinInt32):
+		return math.MinInt32
+	default:
+		return int32(v)
+	}
+}
+
+// buildExtraForPath prepares the gzip Extra field for kgz by collecting
+// uid/gid/mode and ctime information, applying any overrides, and encoding it.
+func buildExtraForPath(st unix.Stat_t, path string, setUID, setGID int) []byte {
+	uid := st.Uid
+	gid := st.Gid
+	if setUID >= 0 {
+		if uint64(setUID) <= math.MaxUint32 {
+			uid = uint32(setUID & 0xFFFFFFFF) //#nosec G115 - masked
+		}
+	}
+	if setGID >= 0 {
+		if uint64(setGID) <= math.MaxUint32 {
+			gid = uint32(setGID & 0xFFFFFFFF) //#nosec G115 - masked
+		}
+	}
+	mode := uint32(st.Mode & 0o7777)
+
+	// Use portable helper to gather ctime
+	var cts int64
+	var ctns int32
+	if ft, err := goutilslib.LoadFileTime(path); err == nil {
+		cts = ft.Changed.Unix()
+		ctns = clampToInt32(ft.Changed.Nanosecond())
+	}
+
+	return buildKGExtra(uid, gid, mode, cts, ctns)
+}
+
+// parseKGExtra scans a gzip Extra blob and returns kgz metadata if present.
+func parseKGExtra(extra []byte) (uint32, uint32, uint32, int64, int32, bool) {
+	i := 0
+	for i+4 <= len(extra) {
+		id1 := extra[i]
+		id2 := extra[i+1]
+		l := int(binary.LittleEndian.Uint16(extra[i+2 : i+4]))
+		i += 4
+		if i+l > len(extra) {
+			break
+		}
+		if id1 == kgzExtraID[0] && id2 == kgzExtraID[1] {
+			// ASN.1 decode payload
+			payload := extra[i : i+l]
+			var s struct {
+				Version   int
+				UID       int
+				GID       int
+				Mode      int
+				CTimeSec  int64
+				CTimeNSec int32
+			}
+			if _, err := asn1.Unmarshal(payload, &s); err != nil {
+				return 0, 0, 0, 0, 0, false
+			}
+			if s.Version != 1 {
+				return 0, 0, 0, 0, 0, false
+			}
+			// Validate ranges before converting from int -> uint32 to avoid overflow.
+			if s.UID < 0 || s.GID < 0 || s.Mode < 0 {
+				return 0, 0, 0, 0, 0, false
+			}
+			if uint64(s.UID) > math.MaxUint32 || uint64(s.GID) > math.MaxUint32 || uint64(s.Mode) > math.MaxUint32 {
+				return 0, 0, 0, 0, 0, false
+			}
+
+			return uint32(s.UID & 0xFFFFFFFF), uint32(s.GID & 0xFFFFFFFF),
+				uint32(s.Mode & 0xFFFFFFFF), s.CTimeSec, s.CTimeNSec, true //#nosec G115 - masked
+		}
+		i += l
+	}
+	return 0, 0, 0, 0, 0, false
+}
+
+func compress(path, target string, level int, includeExtra bool, setUID, setGID int) error {
 	sourceFile, err := os.Open(path)
 	if err != nil {
-		return errors.Wrap(err, "opening file for read")
+		return fmt.Errorf("opening file for read: %w", err)
 	}
 	defer sourceFile.Close()
 
+	// Gather file metadata
+	var st unix.Stat_t
+	if err = unix.Stat(path, &st); err != nil {
+		return fmt.Errorf("stat source: %w", err)
+	}
+	fi, err := sourceFile.Stat()
+	if err != nil {
+		return fmt.Errorf("stat source file: %w", err)
+	}
+
 	destFile, err := os.Create(target)
 	if err != nil {
-		return errors.Wrap(err, "opening file for write")
+		return fmt.Errorf("opening file for write: %w", err)
 	}
 	defer destFile.Close()
 
 	gzipCompressor, err := gzip.NewWriterLevel(destFile, level)
 	if err != nil {
-		return errors.Wrap(err, "invalid compression level")
+		return fmt.Errorf("invalid compression level: %w", err)
+	}
+	// Set header metadata
+	gzipCompressor.ModTime = fi.ModTime()
+	if includeExtra {
+		gzipCompressor.Extra = buildExtraForPath(st, path, setUID, setGID)
 	}
 	defer gzipCompressor.Close()
 
 	_, err = io.Copy(gzipCompressor, sourceFile)
 	if err != nil {
-		return errors.Wrap(err, "compressing file")
+		return fmt.Errorf("compressing file: %w", err)
 	}
 
 	return nil
 }
 
-func uncompress(path, target string) error {
+func uncompress(path, target string, unrestrict bool, preserveMtime bool) error {
 	sourceFile, err := os.Open(path)
 	if err != nil {
-		return errors.Wrap(err, "opening file for read")
+		return fmt.Errorf("opening file for read: %w", err)
 	}
 	defer sourceFile.Close()
 
+	fi, err := sourceFile.Stat()
+	if err != nil {
+		return fmt.Errorf("reading file stats: %w", err)
+	}
+
+	maxDecompressionSize := fi.Size() * 32
+
 	gzipUncompressor, err := gzip.NewReader(sourceFile)
 	if err != nil {
-		return errors.Wrap(err, "reading gzip headers")
+		return fmt.Errorf("reading gzip headers: %w", err)
 	}
 	defer gzipUncompressor.Close()
 
+	var reader io.Reader = &io.LimitedReader{
+		R: gzipUncompressor,
+		N: maxDecompressionSize,
+	}
+
+	if unrestrict {
+		reader = gzipUncompressor
+	}
+
 	destFile, err := os.Create(target)
 	if err != nil {
-		return errors.Wrap(err, "opening file for write")
+		return fmt.Errorf("opening file for write: %w", err)
 	}
 	defer destFile.Close()
 
-	_, err = io.Copy(destFile, gzipUncompressor)
+	_, err = io.Copy(destFile, reader)
 	if err != nil {
-		return errors.Wrap(err, "uncompressing file")
+		return fmt.Errorf("uncompressing file: %w", err)
+	}
+	// Apply metadata from Extra (uid/gid/mode) if present
+	if gzipUncompressor.Header.Extra != nil {
+		if uid, gid, mode, _, _, ok := parseKGExtra(gzipUncompressor.Header.Extra); ok {
+			// Chmod
+			_ = os.Chmod(target, os.FileMode(mode))
+			// Chown (may fail without privileges)
+			_ = os.Chown(target, int(uid), int(gid))
+		}
+	}
+	// Preserve mtime if requested
+	if preserveMtime {
+		mt := gzipUncompressor.Header.ModTime
+		if !mt.IsZero() {
+			// Set both atime and mtime to mt for simplicity
+			_ = os.Chtimes(target, mt, mt)
+		}
 	}
-
 	return nil
 }
 
 func usage(w io.Writer) {
-	fmt.Fprintf(w, `Usage: %s [-l] source [target]
+	fmt.Fprintf(w, `Usage: %s [-l] [-k] [-m] [-x] [--uid N] [--gid N] source [target]
 
 kgz is like gzip, but supports compressing and decompressing to a different
 directory than the source file is in.
 
 Flags:
-	-l level	Compression level (0-9). Only meaninful when
+    -l level    Compression level (0-9). Only meaningful when compressing.
-			compressing a file.
+    -u          Do not restrict the size during decompression (gzip bomb guard is 32x).
+    -k          Keep the source file (do not remove it after successful (de)compression).
+    -m          On decompression, set the file mtime from the gzip header.
+    -x          On compression, include uid/gid/mode/ctime in the gzip Extra field.
+    --uid N     When used with -x, set UID in Extra to N (overrides source owner).
+    --gid N     When used with -x, set GID in Extra to N (overrides source group).
 `, os.Args[0])
 }
 
@@ -89,8 +284,8 @@ func isDir(path string) bool {
 	file, err := os.Open(path)
 	if err == nil {
 		defer file.Close()
-		stat, err := file.Stat()
+		stat, err2 := file.Stat()
-		if err != nil {
+		if err2 != nil {
 			return false
 		}
 
@@ -109,7 +304,7 @@ func pathForUncompressing(source, dest string) (string, error) {
 
 	source = filepath.Base(source)
 	if !strings.HasSuffix(source, gzipExt) {
-		return "", errors.Errorf("%s is a not gzip-compressed file", source)
+		return "", fmt.Errorf("%s is a not gzip-compressed file", source)
 	}
 	outFile := source[:len(source)-len(gzipExt)]
 	outFile = filepath.Join(dest, outFile)
@@ -123,7 +318,7 @@ func pathForCompressing(source, dest string) (string, error) {
 
 	source = filepath.Base(source)
 	if strings.HasSuffix(source, gzipExt) {
-		return "", errors.Errorf("%s is a gzip-compressed file", source)
+		return "", fmt.Errorf("%s is a gzip-compressed file", source)
 	}
 
 	dest = filepath.Join(dest, source+gzipExt)
@@ -134,8 +329,21 @@ func main() {
 	var level int
 	var path string
 	var target = "."
+	var err error
+	var unrestrict bool
+	var keep bool
+	var preserveMtime bool
+	var includeExtra bool
+	var setUID int
+	var setGID int
 
 	flag.IntVar(&level, "l", flate.DefaultCompression, "compression level")
+	flag.BoolVar(&unrestrict, "u", false, "do not restrict decompression")
+	flag.BoolVar(&keep, "k", false, "keep the source file (do not remove it)")
+	flag.BoolVar(&preserveMtime, "m", false, "on decompression, set mtime from gzip header")
+	flag.BoolVar(&includeExtra, "x", false, "on compression, include uid/gid/mode/ctime in gzip Extra")
+	flag.IntVar(&setUID, "uid", -1, "when used with -x, set UID in Extra to this value")
+	flag.IntVar(&setGID, "gid", -1, "when used with -x, set GID in Extra to this value")
 	flag.Parse()
 
 	if flag.NArg() < 1 || flag.NArg() > 2 {
@@ -149,30 +357,37 @@ func main() {
 	}
 
 	if strings.HasSuffix(path, gzipExt) {
-		target, err := pathForUncompressing(path, target)
+		target, err = pathForUncompressing(path, target)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "%s\n", err)
 			os.Exit(1)
 		}
 
-		err = uncompress(path, target)
+		err = uncompress(path, target, unrestrict, preserveMtime)
 		if err != nil {
 			os.Remove(target)
 			fmt.Fprintf(os.Stderr, "%s\n", err)
 			os.Exit(1)
 		}
-	} else {
+		if !keep {
-		target, err := pathForCompressing(path, target)
+			_ = os.Remove(path)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "%s\n", err)
-			os.Exit(1)
 		}
+		return
+	}
 
-		err = compress(path, target, level)
+	target, err = pathForCompressing(path, target)
-		if err != nil {
+	if err != nil {
-			os.Remove(target)
+		fmt.Fprintf(os.Stderr, "%s\n", err)
-			fmt.Fprintf(os.Stderr, "%s\n", err)
+		os.Exit(1)
-			os.Exit(1)
+	}
-		}
+
+	err = compress(path, target, level, includeExtra, setUID, setGID)
+	if err != nil {
+		os.Remove(target)
+		fmt.Fprintf(os.Stderr, "%s\n", err)
+		os.Exit(1)
+	}
+	if !keep {
+		_ = os.Remove(path)
 	}
 }

cmd/minmax/main.go

@@ -40,14 +40,14 @@ func main() {
 		usage()
 	}
 
-	min, err := strconv.Atoi(flag.Arg(1))
+	minVal, err := strconv.Atoi(flag.Arg(1))
 	dieIf(err)
 
-	max, err := strconv.Atoi(flag.Arg(2))
+	maxVal, err := strconv.Atoi(flag.Arg(2))
 	dieIf(err)
 
 	code := kind << 6
-	code += (min << 3)
+	code += (minVal << 3)
-	code += max
+	code += maxVal
-	fmt.Printf("%0o\n", code)
+	fmt.Fprintf(os.Stdout, "%0o\n", code)
 }

cmd/parts/main.go

@@ -5,7 +5,6 @@ import (
 	"flag"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"sort"
@@ -47,7 +46,7 @@ func help(w io.Writer) {
 }
 
 func loadDatabase() {
-	data, err := ioutil.ReadFile(dbFile)
+	data, err := os.ReadFile(dbFile)
 	if err != nil && os.IsNotExist(err) {
 		partsDB = &database{
 			Version: dbVersion,
@@ -74,7 +73,7 @@ func writeDB() {
 	data, err := json.Marshal(partsDB)
 	die.If(err)
 
-	err = ioutil.WriteFile(dbFile, data, 0644)
+	err = os.WriteFile(dbFile, data, 0644)
 	die.If(err)
 }
 

cmd/pem2bin/main.go

@@ -4,14 +4,13 @@ import (
 	"encoding/pem"
 	"flag"
 	"fmt"
-	"io/ioutil"
 	"os"
 )
 
 var ext = ".bin"
 
 func stripPEM(path string) error {
-	data, err := ioutil.ReadFile(path)
+	data, err := os.ReadFile(path)
 	if err != nil {
 		return err
 	}
@@ -22,7 +21,7 @@ func stripPEM(path string) error {
 		fmt.Fprintf(os.Stderr, "          (only the first object will be decoded)\n")
 	}
 
-	return ioutil.WriteFile(path+ext, p.Bytes, 0644)
+	return os.WriteFile(path+ext, p.Bytes, 0644)
 }
 
 func main() {

cmd/pembody/main.go

@@ -3,8 +3,7 @@ package main
 import (
 	"encoding/pem"
 	"flag"
-	"fmt"
+	"io"
-	"io/ioutil"
 	"os"
 
 	"git.wntrmute.dev/kyle/goutils/lib"
@@ -21,9 +20,9 @@ func main() {
 
 	path := flag.Arg(0)
 	if path == "-" {
-		in, err = ioutil.ReadAll(os.Stdin)
+		in, err = io.ReadAll(os.Stdin)
 	} else {
-		in, err = ioutil.ReadFile(flag.Arg(0))
+		in, err = os.ReadFile(flag.Arg(0))
 	}
 	if err != nil {
 		lib.Err(lib.ExitFailure, err, "couldn't read file")
@@ -33,5 +32,7 @@ func main() {
 	if p == nil {
 		lib.Errx(lib.ExitFailure, "%s isn't a PEM-encoded file", flag.Arg(0))
 	}
-	fmt.Printf("%s", p.Bytes)
+	if _, err = os.Stdout.Write(p.Bytes); err != nil {
+		lib.Err(lib.ExitFailure, err, "writing body")
+	}
 }

cmd/pemit/main.go

@@ -70,7 +70,7 @@ func main() {
 			lib.Err(lib.ExitFailure, err, "failed to read input")
 		}
 	case argc > 1:
-		for i := 0; i < argc; i++ {
+		for i := range argc {
 			path := flag.Arg(i)
 			err = copyFile(path, buf)
 			if err != nil {

cmd/readchain/main.go

@@ -5,7 +5,6 @@ import (
 	"encoding/pem"
 	"flag"
 	"fmt"
-	"io/ioutil"
 	"os"
 )
 
@@ -13,14 +12,14 @@ func main() {
 	flag.Parse()
 
 	for _, fileName := range flag.Args() {
-		data, err := ioutil.ReadFile(fileName)
+		data, err := os.ReadFile(fileName)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "[!] %s: %v\n", fileName, err)
 			continue
 		}
 
-		fmt.Printf("[+] %s:\n", fileName)
+		fmt.Fprintf(os.Stdout, "[+] %s:\n", fileName)
-		rest := data[:]
+		rest := data
 		for {
 			var p *pem.Block
 			p, rest = pem.Decode(rest)
@@ -28,13 +27,14 @@ func main() {
 				break
 			}
 
-			cert, err := x509.ParseCertificate(p.Bytes)
+			var cert *x509.Certificate
+			cert, err = x509.ParseCertificate(p.Bytes)
 			if err != nil {
 				fmt.Fprintf(os.Stderr, "[!] %s: %v\n", fileName, err)
 				break
 			}
 
-			fmt.Printf("\t%+v\n", cert.Subject.CommonName)
+			fmt.Fprintf(os.Stdout, "\t%+v\n", cert.Subject.CommonName)
 		}
 	}
 }

cmd/renfnv/main.go

@@ -43,7 +43,7 @@ func newName(path string) (string, error) {
 	return hashName(path, encodedHash), nil
 }
 
-func move(dst, src string, force bool) (err error) {
+func move(dst, src string, force bool) error {
 	if fileutil.FileDoesExist(dst) && !force {
 		return fmt.Errorf("%s exists (pass the -f flag to overwrite)", dst)
 	}
@@ -52,21 +52,23 @@ func move(dst, src string, force bool) (err error) {
 		return err
 	}
 
-	defer func(e error) {
+	var retErr error
+	defer func(e *error) {
 		dstFile.Close()
-		if e != nil {
+		if *e != nil {
 			os.Remove(dst)
 		}
-	}(err)
+	}(&retErr)
 
 	srcFile, err := os.Open(src)
 	if err != nil {
+		retErr = err
 		return err
 	}
 	defer srcFile.Close()
 
-	_, err = io.Copy(dstFile, srcFile)
+	if _, err = io.Copy(dstFile, srcFile); err != nil {
-	if err != nil {
+		retErr = err
 		return err
 	}
 
@@ -94,6 +96,44 @@ func init() {
 	flag.Usage = func() { usage(os.Stdout) }
 }
 
+type options struct {
+	dryRun, force, printChanged, verbose bool
+}
+
+func processOne(file string, opt options) error {
+	renamed, err := newName(file)
+	if err != nil {
+		_, _ = lib.Warn(err, "failed to get new file name")
+		return err
+	}
+	if opt.verbose && !opt.printChanged {
+		fmt.Fprintln(os.Stdout, file)
+	}
+	if renamed == file {
+		return nil
+	}
+	if !opt.dryRun {
+		if err = move(renamed, file, opt.force); err != nil {
+			_, _ = lib.Warn(err, "failed to rename file from %s to %s", file, renamed)
+			return err
+		}
+	}
+	if opt.printChanged && !opt.verbose {
+		fmt.Fprintln(os.Stdout, file, "->", renamed)
+	}
+	return nil
+}
+
+func run(dryRun, force, printChanged, verbose bool, files []string) {
+	if verbose && printChanged {
+		printChanged = false
+	}
+	opt := options{dryRun: dryRun, force: force, printChanged: printChanged, verbose: verbose}
+	for _, file := range files {
+		_ = processOne(file, opt)
+	}
+}
+
 func main() {
 	var dryRun, force, printChanged, verbose bool
 	flag.BoolVar(&force, "f", false, "force overwriting of files if there is a collision")
@@ -102,34 +142,5 @@ func main() {
 	flag.BoolVar(&verbose, "v", false, "list all processed files")
 
 	flag.Parse()
-
+	run(dryRun, force, printChanged, verbose, flag.Args())
-	if verbose && printChanged {
-		printChanged = false
-	}
-
-	for _, file := range flag.Args() {
-		renamed, err := newName(file)
-		if err != nil {
-			lib.Warn(err, "failed to get new file name")
-			continue
-		}
-
-		if verbose && !printChanged {
-			fmt.Println(file)
-		}
-
-		if renamed != file {
-			if !dryRun {
-				err = move(renamed, file, force)
-				if err != nil {
-					lib.Warn(err, "failed to rename file from %s to %s", file, renamed)
-					continue
-				}
-			}
-
-			if printChanged && !verbose {
-				fmt.Println(file, "->", renamed)
-			}
-		}
-	}
 }

cmd/rhash/main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"flag"
 	"fmt"
 	"io"
@@ -8,10 +9,12 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
+	"time"
 
 	"git.wntrmute.dev/kyle/goutils/ahash"
 	"git.wntrmute.dev/kyle/goutils/die"
 	"git.wntrmute.dev/kyle/goutils/lib"
+	"git.wntrmute.dev/kyle/goutils/lib/dialer"
 )
 
 func usage(w io.Writer) {
@@ -66,24 +69,30 @@ func main() {
 	for _, remote := range flag.Args() {
 		u, err := url.Parse(remote)
 		if err != nil {
-			lib.Warn(err, "parsing %s", remote)
+			_, _ = lib.Warn(err, "parsing %s", remote)
 			continue
 		}
 
 		name := filepath.Base(u.Path)
 		if name == "" {
-			lib.Warnx("source URL doesn't appear to name a file")
+			_, _ = lib.Warnx("source URL doesn't appear to name a file")
 			continue
 		}
 
-		resp, err := http.Get(remote)
+		req, reqErr := http.NewRequestWithContext(context.Background(), http.MethodGet, remote, nil)
-		if err != nil {
+		if reqErr != nil {
-			lib.Warn(err, "fetching %s", remote)
+			_, _ = lib.Warn(reqErr, "building request for %s", remote)
 			continue
 		}
-
+		// Use proxy-aware HTTP client with a reasonable timeout for connects/handshakes
+		httpClient, err := dialer.NewHTTPClient(dialer.Opts{Timeout: 30 * time.Second})
 		if err != nil {
-			lib.Warn(err, "fetching %s", remote)
+			_, _ = lib.Warn(err, "building HTTP client for %s", remote)
+			continue
+		}
+		resp, err := httpClient.Do(req)
+		if err != nil {
+			_, _ = lib.Warn(err, "fetching %s", remote)
 			continue
 		}
 

cmd/rolldie/main.go

@@ -3,7 +3,7 @@ package main
 import (
 	"flag"
 	"fmt"
-	"math/rand"
+	"math/rand/v2"
 	"os"
 	"regexp"
 	"strconv"
@@ -17,8 +17,8 @@ func rollDie(count, sides int) []int {
 	sum := 0
 	var rolls []int
 
-	for i := 0; i < count; i++ {
+	for range count {
-		roll := rand.Intn(sides) + 1
+		roll := rand.IntN(sides) + 1 // #nosec G404
 		sum += roll
 		rolls = append(rolls, roll)
 	}

cmd/showimp/main.go

@@ -53,7 +53,7 @@ func init() {
 	project = wd[len(gopath):]
 }
 
-func walkFile(path string, info os.FileInfo, err error) error {
+func walkFile(path string, _ os.FileInfo, err error) error {
 	if ignores[path] {
 		return filepath.SkipDir
 	}
@@ -62,22 +62,27 @@ func walkFile(path string, info os.FileInfo, err error) error {
 		return nil
 	}
 
-	debug.Println(path)
-
-	f, err := parser.ParseFile(fset, path, nil, parser.ImportsOnly)
 	if err != nil {
 		return err
 	}
 
+	debug.Println(path)
+
+	f, err2 := parser.ParseFile(fset, path, nil, parser.ImportsOnly)
+	if err2 != nil {
+		return err2
+	}
+
 	for _, importSpec := range f.Imports {
 		importPath := strings.Trim(importSpec.Path.Value, `"`)
-		if stdLibRegexp.MatchString(importPath) {
+		switch {
+		case stdLibRegexp.MatchString(importPath):
 			debug.Println("standard lib:", importPath)
 			continue
-		} else if strings.HasPrefix(importPath, project) {
+		case strings.HasPrefix(importPath, project):
 			debug.Println("internal import:", importPath)
 			continue
-		} else if strings.HasPrefix(importPath, "golang.org/") {
+		case strings.HasPrefix(importPath, "golang.org/"):
 			debug.Println("extended lib:", importPath)
 			continue
 		}
@@ -102,7 +107,7 @@ func main() {
 		ignores["vendor"] = true
 	}
 
-	for _, word := range strings.Split(ignoreLine, ",") {
+	for word := range strings.SplitSeq(ignoreLine, ",") {
 		ignores[strings.TrimSpace(word)] = true
 	}
 

cmd/ski/main.go

@@ -1,22 +1,15 @@
 package main
 
 import (
-	"bytes"
+
-	"crypto"
+	// #nosec G505
-	"crypto/ecdsa"
+
-	"crypto/rsa"
-	"crypto/sha1"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/asn1"
-	"encoding/pem"
 	"flag"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
-	"strings"
 
+	"git.wntrmute.dev/kyle/goutils/certlib/ski"
 	"git.wntrmute.dev/kyle/goutils/die"
 	"git.wntrmute.dev/kyle/goutils/lib"
 )
@@ -28,10 +21,10 @@ Usage:
 	ski [-hm] files...
 
 Flags:
+	-d  Hex encoding mode.
 	-h	Print this help message.
 	-m	All SKIs should match; as soon as an SKI mismatch is found,
 		it is reported.
-
 `)
 }
 
@@ -39,153 +32,37 @@ func init() {
 	flag.Usage = func() { usage(os.Stderr) }
 }
 
-func parse(path string) (public []byte, kt, ft string) {
-	data, err := ioutil.ReadFile(path)
-	die.If(err)
-
-	data = bytes.TrimSpace(data)
-	p, rest := pem.Decode(data)
-	if len(rest) > 0 {
-		lib.Warnx("trailing data in PEM file")
-	}
-
-	if p == nil {
-		die.With("no PEM data found")
-	}
-
-	data = p.Bytes
-
-	switch p.Type {
-	case "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY":
-		public, kt = parseKey(data)
-		ft = "private key"
-	case "CERTIFICATE":
-		public, kt = parseCertificate(data)
-		ft = "certificate"
-	case "CERTIFICATE REQUEST":
-		public, kt = parseCSR(data)
-		ft = "certificate request"
-	default:
-		die.With("unknown PEM type %s", p.Type)
-	}
-
-	return
-}
-
-func parseKey(data []byte) (public []byte, kt string) {
-	privInterface, err := x509.ParsePKCS8PrivateKey(data)
-	if err != nil {
-		privInterface, err = x509.ParsePKCS1PrivateKey(data)
-		if err != nil {
-			privInterface, err = x509.ParseECPrivateKey(data)
-			if err != nil {
-				die.With("couldn't parse private key.")
-			}
-		}
-	}
-
-	var priv crypto.Signer
-	switch privInterface.(type) {
-	case *rsa.PrivateKey:
-		priv = privInterface.(*rsa.PrivateKey)
-		kt = "RSA"
-	case *ecdsa.PrivateKey:
-		priv = privInterface.(*ecdsa.PrivateKey)
-		kt = "ECDSA"
-	default:
-		die.With("unknown private key type %T", privInterface)
-	}
-
-	public, err = x509.MarshalPKIXPublicKey(priv.Public())
-	die.If(err)
-
-	return
-}
-
-func parseCertificate(data []byte) (public []byte, kt string) {
-	cert, err := x509.ParseCertificate(data)
-	die.If(err)
-
-	pub := cert.PublicKey
-	switch pub.(type) {
-	case *rsa.PublicKey:
-		kt = "RSA"
-	case *ecdsa.PublicKey:
-		kt = "ECDSA"
-	default:
-		die.With("unknown public key type %T", pub)
-	}
-
-	public, err = x509.MarshalPKIXPublicKey(pub)
-	die.If(err)
-	return
-}
-
-func parseCSR(data []byte) (public []byte, kt string) {
-	csr, err := x509.ParseCertificateRequest(data)
-	die.If(err)
-
-	pub := csr.PublicKey
-	switch pub.(type) {
-	case *rsa.PublicKey:
-		kt = "RSA"
-	case *ecdsa.PublicKey:
-		kt = "ECDSA"
-	default:
-		die.With("unknown public key type %T", pub)
-	}
-
-	public, err = x509.MarshalPKIXPublicKey(pub)
-	die.If(err)
-	return
-}
-
-func dumpHex(in []byte) string {
-	var s string
-	for i := range in {
-		s += fmt.Sprintf("%02X:", in[i])
-	}
-
-	return strings.Trim(s, ":")
-}
-
-type subjectPublicKeyInfo struct {
-	Algorithm        pkix.AlgorithmIdentifier
-	SubjectPublicKey asn1.BitString
-}
-
 func main() {
 	var help, shouldMatch bool
+	var displayModeString string
+	flag.StringVar(&displayModeString, "d", "lower", "hex encoding mode")
 	flag.BoolVar(&help, "h", false, "print a help message and exit")
 	flag.BoolVar(&shouldMatch, "m", false, "all SKIs should match")
 	flag.Parse()
 
+	displayMode := lib.ParseHexEncodeMode(displayModeString)
+
 	if help {
 		usage(os.Stdout)
 		os.Exit(0)
 	}
 
-	var ski string
+	var matchSKI string
 	for _, path := range flag.Args() {
-		public, kt, ft := parse(path)
+		keyInfo, err := ski.ParsePEM(path)
+		die.If(err)
 
-		var subPKI subjectPublicKeyInfo
+		keySKI, err := keyInfo.SKI(displayMode)
-		_, err := asn1.Unmarshal(public, &subPKI)
+		die.If(err)
-		if err != nil {
+
-			lib.Warn(err, "failed to get subject PKI")
+		if matchSKI == "" {
-			continue
+			matchSKI = keySKI
 		}
 
-		pubHash := sha1.Sum(subPKI.SubjectPublicKey.Bytes)
+		if shouldMatch && matchSKI != keySKI {
-		pubHashString := dumpHex(pubHash[:])
+			_, _ = lib.Warnx("%s: SKI mismatch (%s != %s)",
-		if ski == "" {
+				path, matchSKI, keySKI)
-			ski = pubHashString
 		}
-
+		fmt.Printf("%s  %s (%s %s)\n", path, keySKI, keyInfo.KeyType, keyInfo.FileType)
-		if shouldMatch && ski != pubHashString {
-			lib.Warnx("%s: SKI mismatch (%s != %s)",
-				path, ski, pubHashString)
-		}
-		fmt.Printf("%s  %s (%s %s)\n", path, pubHashString, kt, ft)
 	}
 }

cmd/sprox/main.go

@@ -1,16 +1,17 @@
 package main
 
 import (
+	"context"
 	"flag"
 	"io"
-	"log"
 	"net"
 
 	"git.wntrmute.dev/kyle/goutils/die"
+	"git.wntrmute.dev/kyle/goutils/lib"
 )
 
 func proxy(conn net.Conn, inside string) error {
-	proxyConn, err := net.Dial("tcp", inside)
+	proxyConn, err := (&net.Dialer{}).DialContext(context.Background(), "tcp", inside)
 	if err != nil {
 		return err
 	}
@@ -19,7 +20,7 @@ func proxy(conn net.Conn, inside string) error {
 	defer conn.Close()
 
 	go func() {
-		io.Copy(conn, proxyConn)
+		_, _ = io.Copy(conn, proxyConn)
 	}()
 	_, err = io.Copy(proxyConn, conn)
 	return err
@@ -31,16 +32,22 @@ func main() {
 	flag.StringVar(&inside, "p", "4000", "inside port")
 	flag.Parse()
 
-	l, err := net.Listen("tcp", "0.0.0.0:"+outside)
+	lc := &net.ListenConfig{}
+	l, err := lc.Listen(context.Background(), "tcp", "0.0.0.0:"+outside)
 	die.If(err)
 
 	for {
-		conn, err := l.Accept()
+		var conn net.Conn
+		conn, err = l.Accept()
 		if err != nil {
-			log.Println(err)
+			_, _ = lib.Warn(err, "accept failed")
 			continue
 		}
 
-		go proxy(conn, "127.0.0.1:"+inside)
+		go func() {
+			if err = proxy(conn, "127.0.0.1:"+inside); err != nil {
+				_, _ = lib.Warn(err, "proxy error")
+			}
+		}()
 	}
 }

cmd/stealchain-server/main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
@@ -8,7 +9,6 @@ import (
 	"encoding/pem"
 	"flag"
 	"fmt"
-	"io/ioutil"
 	"net"
 	"os"
 
@@ -16,7 +16,7 @@ import (
 )
 
 func main() {
-	cfg := &tls.Config{}
+	cfg := &tls.Config{} // #nosec G402
 
 	var sysRoot, listenAddr, certFile, keyFile string
 	var verify bool
@@ -47,7 +47,8 @@ func main() {
 	}
 	cfg.Certificates = append(cfg.Certificates, cert)
 	if sysRoot != "" {
-		pemList, err := ioutil.ReadFile(sysRoot)
+		var pemList []byte
+		pemList, err = os.ReadFile(sysRoot)
 		die.If(err)
 
 		roots := x509.NewCertPool()
@@ -59,48 +60,54 @@ func main() {
 		cfg.RootCAs = roots
 	}
 
-	l, err := net.Listen("tcp", listenAddr)
+	lc := &net.ListenConfig{}
+	l, err := lc.Listen(context.Background(), "tcp", listenAddr)
 	if err != nil {
 		fmt.Println(err.Error())
 		os.Exit(1)
 	}
 
 	for {
-		conn, err := l.Accept()
+		var conn net.Conn
+		conn, err = l.Accept()
 		if err != nil {
 			fmt.Println(err.Error())
-		}
-
-		raddr := conn.RemoteAddr()
-		tconn := tls.Server(conn, cfg)
-		err = tconn.Handshake()
-		if err != nil {
-			fmt.Printf("[+] %v: failed to complete handshake: %v\n", raddr, err)
 			continue
 		}
-		cs := tconn.ConnectionState()
+		handleConn(conn, cfg)
-		if len(cs.PeerCertificates) == 0 {
-			fmt.Printf("[+] %v: no chain presented\n", raddr)
-			continue
-		}
-
-		var chain []byte
-		for _, cert := range cs.PeerCertificates {
-			p := &pem.Block{
-				Type:  "CERTIFICATE",
-				Bytes: cert.Raw,
-			}
-			chain = append(chain, pem.EncodeToMemory(p)...)
-		}
-
-		var nonce [16]byte
-		_, err = rand.Read(nonce[:])
-		if err != nil {
-			panic(err)
-		}
-		fname := fmt.Sprintf("%v-%v.pem", raddr, hex.EncodeToString(nonce[:]))
-		err = ioutil.WriteFile(fname, chain, 0644)
-		die.If(err)
-		fmt.Printf("%v: [+] wrote %v.\n", raddr, fname)
 	}
 }
+
+// handleConn performs a TLS handshake, extracts the peer chain, and writes it to a file.
+func handleConn(conn net.Conn, cfg *tls.Config) {
+	defer conn.Close()
+	raddr := conn.RemoteAddr()
+	tconn := tls.Server(conn, cfg)
+	if err := tconn.HandshakeContext(context.Background()); err != nil {
+		fmt.Printf("[+] %v: failed to complete handshake: %v\n", raddr, err)
+		return
+	}
+	cs := tconn.ConnectionState()
+	if len(cs.PeerCertificates) == 0 {
+		fmt.Printf("[+] %v: no chain presented\n", raddr)
+		return
+	}
+
+	var chain []byte
+	for _, cert := range cs.PeerCertificates {
+		p := &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}
+		chain = append(chain, pem.EncodeToMemory(p)...)
+	}
+
+	var nonce [16]byte
+	if _, err := rand.Read(nonce[:]); err != nil {
+		fmt.Printf("[+] %v: failed to generate filename nonce: %v\n", raddr, err)
+		return
+	}
+	fname := fmt.Sprintf("%v-%v.pem", raddr, hex.EncodeToString(nonce[:]))
+	if err := os.WriteFile(fname, chain, 0o644); err != nil {
+		fmt.Printf("[+] %v: failed to write %v: %v\n", raddr, fname, err)
+		return
+	}
+	fmt.Printf("%v: [+] wrote %v.\n", raddr, fname)
+}

cmd/stealchain/main.go

@@ -0,0 +1,65 @@
+package main
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/pem"
+	"flag"
+	"fmt"
+	"net"
+	"os"
+
+	"git.wntrmute.dev/kyle/goutils/certlib"
+	"git.wntrmute.dev/kyle/goutils/die"
+	"git.wntrmute.dev/kyle/goutils/lib/dialer"
+)
+
+func main() {
+	var sysRoot, serverName string
+	var skipVerify bool
+	var strictTLS bool
+	dialer.StrictTLSFlag(&strictTLS)
+	flag.StringVar(&sysRoot, "ca", "", "provide an alternate CA bundle")
+	flag.StringVar(&serverName, "sni", "", "provide an SNI name")
+	flag.BoolVar(&skipVerify, "noverify", false, "don't verify certificates")
+	flag.Parse()
+
+	tlsCfg, err := dialer.BaselineTLSConfig(skipVerify, strictTLS)
+	die.If(err)
+
+	if sysRoot != "" {
+		tlsCfg.RootCAs, err = certlib.LoadPEMCertPool(sysRoot)
+		die.If(err)
+	}
+
+	if serverName != "" {
+		tlsCfg.ServerName = serverName
+	}
+
+	for _, site := range flag.Args() {
+		_, _, err = net.SplitHostPort(site)
+		if err != nil {
+			site += ":443"
+		}
+
+		var conn *tls.Conn
+		conn, err = dialer.DialTLS(context.Background(), site, dialer.Opts{TLSConfig: tlsCfg})
+		die.If(err)
+
+		cs := conn.ConnectionState()
+		var chain []byte
+
+		for _, cert := range cs.PeerCertificates {
+			p := &pem.Block{
+				Type:  "CERTIFICATE",
+				Bytes: cert.Raw,
+			}
+			chain = append(chain, pem.EncodeToMemory(p)...)
+		}
+
+		err = os.WriteFile(site+".pem", chain, 0644)
+		die.If(err)
+
+		fmt.Printf("[+] wrote %s.pem.\n", site)
+	}
+}

cmd/stealchain/thief.go

@@ -1,68 +0,0 @@
-package main
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/pem"
-	"flag"
-	"fmt"
-	"io/ioutil"
-	"net"
-	"os"
-
-	"git.wntrmute.dev/kyle/goutils/die"
-)
-
-func main() {
-	var cfg = &tls.Config{}
-
-	var sysRoot, serverName string
-	flag.StringVar(&sysRoot, "ca", "", "provide an alternate CA bundle")
-	flag.StringVar(&cfg.ServerName, "sni", cfg.ServerName, "provide an SNI name")
-	flag.BoolVar(&cfg.InsecureSkipVerify, "noverify", false, "don't verify certificates")
-	flag.Parse()
-
-	if sysRoot != "" {
-		pemList, err := ioutil.ReadFile(sysRoot)
-		die.If(err)
-
-		roots := x509.NewCertPool()
-		if !roots.AppendCertsFromPEM(pemList) {
-			fmt.Printf("[!] no valid roots found")
-			roots = nil
-		}
-
-		cfg.RootCAs = roots
-	}
-
-	if serverName != "" {
-		cfg.ServerName = serverName
-	}
-
-	for _, site := range flag.Args() {
-		_, _, err := net.SplitHostPort(site)
-		if err != nil {
-			site += ":443"
-		}
-		conn, err := tls.Dial("tcp", site, cfg)
-		if err != nil {
-			fmt.Println(err.Error())
-			os.Exit(1)
-		}
-
-		cs := conn.ConnectionState()
-		var chain []byte
-
-		for _, cert := range cs.PeerCertificates {
-			p := &pem.Block{
-				Type:  "CERTIFICATE",
-				Bytes: cert.Raw,
-			}
-			chain = append(chain, pem.EncodeToMemory(p)...)
-		}
-
-		err = ioutil.WriteFile(site+".pem", chain, 0644)
-		die.If(err)
-		fmt.Printf("[+] wrote %s.pem.\n", site)
-	}
-}

cmd/subjhash/main.go

@@ -60,7 +60,7 @@ func printDigests(paths []string, issuer bool) {
 	for _, path := range paths {
 		cert, err := certlib.LoadCertificate(path)
 		if err != nil {
-			lib.Warn(err, "failed to load certificate from %s", path)
+			_, _ = lib.Warn(err, "failed to load certificate from %s", path)
 			continue
 		}
 
@@ -75,20 +75,19 @@ func matchDigests(paths []string, issuer bool) {
 	}
 
 	var invalid int
-	for {
+	for len(paths) > 0 {
-		if len(paths) == 0 {
-			break
-		}
 		fst := paths[0]
 		snd := paths[1]
 		paths = paths[2:]
 
 		fstCert, err := certlib.LoadCertificate(fst)
 		die.If(err)
+
 		sndCert, err := certlib.LoadCertificate(snd)
 		die.If(err)
+
 		if !bytes.Equal(getSubjectInfoHash(fstCert, issuer), getSubjectInfoHash(sndCert, issuer)) {
-			lib.Warnx("certificates don't match: %s and %s", fst, snd)
+			_, _ = lib.Warnx("certificates don't match: %s and %s", fst, snd)
 			invalid++
 		}
 	}