disable some linter that fail for legacy DSA crypto (needed to anlyse old/broken certs here!)

Author: paepckehh

Makefile

@@ -3,19 +3,14 @@ PROJECT=$(shell basename $(CURDIR))
 all:
 	make -C cmd/$(PROJECT) all
 
-clean:
-	make -C cmd/$(PROJECT) clean
-
-examples:
-	make -C cmd/$(PROJECT) examples
-
 deps: 
 	rm go.mod go.sum
 	go mod init paepcke.de/$(PROJECT)
 	go mod tidy -v	
 
 check: 
-	echo "expect some legacy crypto DSA support complains, need for analysis of bad certs/actors"
 	gofmt -w -s .
-	staticcheck
+	# expect some legacy crypto DSA support complains, need for analysis of bad and old legacy certs
+	# staticcheck
+	# golangci-lint run
 	make -C cmd/$(PROJECT) check

cmd/certinfo/Makefile

@@ -3,10 +3,9 @@ all:
 
 check: 
 	gofmt -w -s .
+	go vet .
 	staticcheck
-
-clean:
+	golangci-lint run
 
 examples:
-	
 	go run main.go example.txt

cmd/certinfo/main.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"io"
+	"log"
 	"os"
 	"syscall"
 
@@ -51,7 +52,7 @@ func main() {
 			out(certinfo.Decode(readFile(os.Args[i]), report))
 		}
 	default:
-		errExit("no pipe or input parameter found, example: certinfo file.txt")
+		log.Fatal(_app + _err + "no pipe or input parameter found, example: certinfo file.txt")
 	}
 }
 
@@ -64,12 +65,6 @@ func out(msg string) {
 	os.Stdout.Write([]byte(msg))
 }
 
-// errExit
-func errExit(msg string) {
-	out(_app + _err + msg + _linefeed)
-	os.Exit(1)
-}
-
 // isPipe ...
 func isPipe() bool {
 	out, _ := os.Stdin.Stat()
@@ -80,7 +75,7 @@ func isPipe() bool {
 func getPipe() string {
 	pipe, err := io.ReadAll(os.Stdin)
 	if err != nil {
-		errExit("reading data from pipe")
+		log.Fatal(_app + _err + "reading data from pipe")
 	}
 	return string(pipe)
 }
@@ -102,7 +97,7 @@ func isEnv(in string) bool {
 func readFile(filename string) string {
 	file, err := os.ReadFile(filename)
 	if err != nil {
-		errExit("unable to read file: " + err.Error())
+		log.Fatal(_app + _err + "unable to read file: " + err.Error())
 	}
 	return string(file)
 }

generic.go

@@ -40,6 +40,7 @@ const (
 // GENERIC ASCII INPUT HANDLER
 //
 
+// decodeBlock ...
 func decodeBlock(asciiBlock string, r *Report) string {
 	var err error
 	var eval string
@@ -62,6 +63,7 @@ func decodeBlock(asciiBlock string, r *Report) string {
 	return "[certinfo] [unable to decode] [pem:failed] [ssh:failed]"
 }
 
+// multipartDecodeParallel ...
 func multipartDecodeParallel(asciiBlock string, r *Report) string {
 	var (
 		bg    sync.WaitGroup
@@ -93,6 +95,7 @@ func multipartDecodeParallel(asciiBlock string, r *Report) string {
 	return s.String()
 }
 
+// sanitizer ...
 func sanitizer(in string) (full, cut string, err error) {
 	var s strings.Builder
 	scanner := bufio.NewScanner(strings.NewReader(in))
@@ -122,6 +125,7 @@ func sanitizer(in string) (full, cut string, err error) {
 // GENERIC OUTPUT FORMAT HELPER
 //
 
+// errString ...
 func errString(err error) string {
 	var s strings.Builder
 	s.WriteString(_app)
@@ -130,13 +134,15 @@ func errString(err error) string {
 	return s.String()
 }
 
+// short ...
 func short(in string) string {
 	if len(in) > 80 {
 		return in[:80]
 	}
 	return in
 }
 
+// shortMsg ...
 func shortMsg(in string) string {
 	var s strings.Builder
 	s.WriteString(_openbracket)
@@ -150,6 +156,7 @@ func shortMsg(in string) string {
 	return s.String()
 }
 
+// shortMsgArray ...
 func shortMsgArray(in []string) string {
 	if len(in) < 1 {
 		return _empty
@@ -161,6 +168,7 @@ func shortMsgArray(in []string) string {
 	return short(s.String())
 }
 
+// shortMsgArrayIP ...
 func shortMsgArrayIP(in []net.IP) string {
 	if len(in) < 1 {
 		return _empty
@@ -172,6 +180,7 @@ func shortMsgArrayIP(in []net.IP) string {
 	return short(s.String())
 }
 
+// shortMsgArrayURL ...
 func shortMsgArrayURL(in []*url.URL) string {
 	if len(in) > 0 {
 		return _empty

ssh.go

@@ -1,7 +1,7 @@
 package certinfo
 
 import (
-	//nolint:all yes, we must detect/analyze legecy
+	//lint:ignore SA41019 we need to analyse old and broken certs as well
 	"crypto/dsa"
 	"crypto/ecdsa"
 	"crypto/ed25519"
@@ -12,6 +12,7 @@ import (
 	"strconv"
 )
 
+// parseRawPrivateKey ...
 func parseRawPrivateKey(in *pem.Block) string {
 	if encryptedBlock(in) {
 		return "Encrypted KEY [PEM BLOCK]"
@@ -31,6 +32,7 @@ func parseRawPrivateKey(in *pem.Block) string {
 	return errString(errors.New("unsupported keytype"))
 }
 
+// getKey ...
 func getKey(pub any) string {
 	switch pub := pub.(type) {
 	case *rsa.PublicKey:
@@ -49,8 +51,10 @@ func getKey(pub any) string {
 // SSH KEY ASCII REP
 //
 
+// dbapo ...
 type dbapo struct{ Y, X int }
 
+// getDBAA ...
 func getDBAA(in string) (out string) {
 	const sep = "+-----------------+\n"
 	var bp []string

x509.go

@@ -1,7 +1,7 @@
 package certinfo
 
 import (
-	//nolint:all yes, we must detect/analyze legecy
+	//lint:ignore SA41019 we need to analyse old and broken certs as well
 	"crypto/dsa"
 	"crypto/ecdsa"
 	"crypto/ed25519"
@@ -27,6 +27,7 @@ import (
 // INTERNAL LEGACY BACKEND
 //
 
+// certSummary ...
 func certSummary(cert *x509.Certificate, e *reportstyle.Style) string {
 	var s strings.Builder
 	s.WriteString(e.L1 + "X509 Cert Subject          " + e.L2 + shortMsg(cert.Subject.String()) + e.LE)
@@ -73,6 +74,7 @@ func certSummary(cert *x509.Certificate, e *reportstyle.Style) string {
 	return s.String()
 }
 
+// certOpenSSL ...
 func certOpenSSL(cert *x509.Certificate, e *reportstyle.Style) string {
 	ossl := x509UT.CertificateToString(cert2CT(cert))
 	if e.SaniFunc != nil {
@@ -85,23 +87,27 @@ func certOpenSSL(cert *x509.Certificate, e *reportstyle.Style) string {
 	return s.String()
 }
 
+// certPem ...
 func certPem(cert *x509.Certificate, e *reportstyle.Style) string {
 	if e.SaniFunc != nil {
 		return e.PS + e.SaniFunc(string(cert2pem(cert))) + e.PE
 	}
 	return string(cert2pem(cert))
 }
 
+// cert2pem ...
 func cert2pem(cert *x509.Certificate) []byte {
 	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
 }
 
+// cert2CT ...
 func cert2CT(cert *x509.Certificate) *x509CT.Certificate {
 	pct, _ := pem.Decode(cert2pem(cert))
 	crt, _ := x509CT.ParseCertificate(pct.Bytes)
 	return crt
 }
 
+// decodePemBlock ...
 func decodePemBlock(block *pem.Block, r *Report) string {
 	defer func() {
 		if err := recover(); err != nil {
@@ -138,6 +144,7 @@ func decodePemBlock(block *pem.Block, r *Report) string {
 	return errString(errors.New("no decoder for pem type: " + block.Type))
 }
 
+// sigAlgo ...
 func sigAlgo(in string, e *reportstyle.Style) string {
 	switch in {
 	case "MD2-RSA", "MD5-RSA", "SHA1-RSA", "DSA-SHA1", "ECDSA-SHA1", "DSA-SHA256":
@@ -150,6 +157,7 @@ func sigAlgo(in string, e *reportstyle.Style) string {
 	return e.Fail + _unknown + shortMsg(in)
 }
 
+// pubKey ...
 func pubKey(pub any, e *reportstyle.Style) string {
 	switch pub := pub.(type) {
 	case *rsa.PublicKey:
@@ -172,11 +180,13 @@ func pubKey(pub any, e *reportstyle.Style) string {
 	return e.Fail + "[UNKNOWN]"
 }
 
+// keyPin ...
 func keyPin(cert *x509.Certificate) []byte {
 	digest := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
 	return digest[:]
 }
 
+// isSelfSigned ...
 func isSelfSigned(cert *x509.Certificate, e *reportstyle.Style) (string, bool) {
 	selfsigned, status := _no, false
 	if cert.IsCA && cert.Issuer.String() == cert.Subject.String() {
@@ -188,6 +198,7 @@ func isSelfSigned(cert *x509.Certificate, e *reportstyle.Style) (string, bool) {
 	return selfsigned, status
 }
 
+// subCA ..
 func subCA(cert *x509.Certificate, e *reportstyle.Style) string {
 	if cert.IsCA {
 		if cert.MaxPathLen > 0 {
@@ -201,6 +212,7 @@ func subCA(cert *x509.Certificate, e *reportstyle.Style) string {
 	return _no
 }
 
+// isCA ...
 func isCA(cert *x509.Certificate, e *reportstyle.Style) string {
 	state, alert := "", ""
 	if cert.IsCA {
@@ -217,6 +229,7 @@ func isCA(cert *x509.Certificate, e *reportstyle.Style) string {
 	return state + alert
 }
 
+// signatureState ...
 func signatureState(cert *x509.Certificate, e *reportstyle.Style) string {
 	_, err := cert.Verify(x509.VerifyOptions{})
 	if err != nil {
@@ -225,6 +238,7 @@ func signatureState(cert *x509.Certificate, e *reportstyle.Style) string {
 	return e.Valid + " [trusted via system trust store]"
 }
 
+// validFor ...
 func validFor(cert *x509.Certificate, e *reportstyle.Style) string {
 	// result, t := e.Fail, cert.NotAfter.Sub(time.Now())
 	t := time.Until(cert.NotAfter)
@@ -252,10 +266,12 @@ func validFor(cert *x509.Certificate, e *reportstyle.Style) string {
 	return result
 }
 
+// encryptedBlock ...
 func encryptedBlock(block *pem.Block) bool {
 	return strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED")
 }
 
+// certRequestSummary ...
 func certRequestSummary(csr *x509.CertificateRequest, e *reportstyle.Style) string {
 	err := csr.CheckSignature()
 	if err != nil {
@@ -264,6 +280,7 @@ func certRequestSummary(csr *x509.CertificateRequest, e *reportstyle.Style) stri
 	return e.Valid
 }
 
+// keyUsage ...
 func keyUsage(cert *x509.Certificate, e *reportstyle.Style) string {
 	var s strings.Builder
 	caAlert := false
@@ -285,6 +302,7 @@ func keyUsage(cert *x509.Certificate, e *reportstyle.Style) string {
 	return s.String()
 }
 
+// exgtendedKeyUsage ...
 func extendedKeyUsage(cert *x509.Certificate, e *reportstyle.Style) string {
 	var s strings.Builder
 	count, critical := oidInExtensions(oidExtensionExtendedKeyUsage, cert.Extensions)
@@ -303,6 +321,7 @@ func extendedKeyUsage(cert *x509.Certificate, e *reportstyle.Style) string {
 	return s.String()
 }
 
+// sct ...
 func sct(cert *x509.Certificate, _ *reportstyle.Style) string {
 	var s strings.Builder
 	count, critical := oidInExtensions(oidExtensionCTPoison, cert.Extensions)
@@ -354,6 +373,7 @@ var (
 	oidExtensionCTSCT            = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}
 )
 
+// oidInExtensions ...
 func oidInExtensions(oid asn1.ObjectIdentifier, extensions []pkix.Extension) (int, bool) {
 	count := 0
 	critical := false
@@ -368,6 +388,7 @@ func oidInExtensions(oid asn1.ObjectIdentifier, extensions []pkix.Extension) (in
 	return count, critical
 }
 
+// keyUsageToString ...
 func keyUsageToString(k x509.KeyUsage) (string, bool) {
 	var s strings.Builder
 	caAlert := false
@@ -402,6 +423,7 @@ func keyUsageToString(k x509.KeyUsage) (string, bool) {
 	return s.String(), caAlert
 }
 
+// extKeyUsageToString ...
 func extKeyUsageToString(u x509.ExtKeyUsage, e *reportstyle.Style) string {
 	var s strings.Builder
 	switch u {
@@ -442,6 +464,7 @@ func extKeyUsageToString(u x509.ExtKeyUsage, e *reportstyle.Style) string {
 	return s.String()
 }
 
+// isCurveValid ...
 func isCurveValid(curve elliptic.Curve) (string, bool) {
 	switch curve {
 	case elliptic.P256():