├── .github └── workflows │ └── test.yml ├── .gitignore ├── .golangci.yml ├── LICENSE ├── README.md ├── app ├── app.go ├── app_darwin.go ├── app_unix.go ├── app_windows.go └── version.go ├── ctl ├── ca_bsd.go ├── ca_cgo_darwin.go ├── ca_linux.go ├── ca_unix.go ├── ca_windows.go ├── cert_store.go ├── ctl.go ├── ctl_apple.go ├── ctl_apple_test.go ├── ctl_microsoft.go ├── ctl_microsoft_test.go ├── ctl_mozilla.go ├── ctl_mozilla_test.go ├── misc.go ├── misc_test.go └── testdata │ └── authroot.stl ├── go.mod ├── go.sum ├── main.go └── snapshot.png /.github/workflows/test.yml: -------------------------------------------------------------------------------- 1 | name: test 2 | 3 | on: 4 | push: 5 | branches: 6 | - main 7 | schedule: 8 | - cron: '0 13 2 * *' 9 | 10 | jobs: 11 | test: 12 | strategy: 13 | fail-fast: true 14 | matrix: 15 | os: [ubuntu-latest, windows-latest, macos-13] 16 | runs-on: ${{ matrix.os }} 17 | name: test on ${{ matrix.os }} 18 | steps: 19 | - uses: actions/checkout@v4 20 | - name: Set up Go 21 | uses: actions/setup-go@v5 22 | with: 23 | go-version: 'stable' 24 | - name: Test 25 | run: go test -v ./... -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Binaries for programs and plugins 2 | *.exe 3 | *.exe~ 4 | *.dll 5 | *.so 6 | *.dylib 7 | 8 | # Test binary, build with `go test -c` 9 | *.test 10 | 11 | # Output of the go coverage tool, specifically when used with LiteIDE 12 | *.out -------------------------------------------------------------------------------- /.golangci.yml: -------------------------------------------------------------------------------- 1 | --- 2 | linters: 3 | enable-all: false 4 | disable-all: false 5 | enable: 6 | - gofumpt -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 canstand 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ctlcheck [![GoDoc](https://godoc.org/github.com/canstand/ctlcheck?status.svg)](https://godoc.org/github.com/canstand/ctlcheck) [![Go Report Card](https://goreportcard.com/badge/github.com/canstand/ctlcheck)](https://goreportcard.com/report/github.com/canstand/ctlcheck) 2 | 3 | A utility to check the certificate trust list (CTL). 4 | 5 | - Compare the differences between the current system CAs and the latest data from [CCADB](https://www.ccadb.org/) (or [Apple](https://support.apple.com/en-us/HT209143), etc.) 6 | - Shows certificates that have been removed by the vendor (Mozilla, Apple, Microsoft, etc.), and unknown certificates 7 | - Self-signed or company root certificates can be added to the allow list 8 | 9 | ![ctlcheck snapshot](snapshot.png) 10 | 11 | ## Installation 12 | 13 | First install [Go](http://go.dev). 14 | 15 | If you just want to install the binary to your current directory and don't care about the source code, run 16 | 17 | ```bash 18 | GOBIN="$(pwd)" go install github.com/canstand/ctlcheck@latest 19 | ``` 20 | 21 | If needed, create a `ctlcheck.yml` file and add your trusted self-signed root certificates in the following format: 22 | 23 | ```yaml 24 | allow: 25 | D59C2F2036FAF503FCDE00B6412318548D75F67D1F93A9953132EB6963B8CA19: Self Signed CA 26 | E395E72DD44031988FB229CBAC77969AE96188BB6C58AF811B8BD0F31087B9AB: Caddy Local Authority - 2021 ECC Root 27 | ``` 28 | 29 | ## Usage 30 | 31 | ``` 32 | Usage: 33 | ctlcheck [options] 34 | 35 | Options: 36 | -offline 37 | load data from ctlcheck.yml instead of fetch from CCADB 38 | -raw 39 | print unstyled raw output (set it if output is written to a file) 40 | -save 41 | save data to ctlcheck.yml 42 | ``` 43 | 44 | ## Notes 45 | 46 | ### For Windows 47 | **Why are there several Removed Certificates reported in normal Windows OS?** 48 | 49 | * The CTL is based on [CCADB](https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT) data, and then complements several missing Microsoft built-in certificates from [authroot.stl](http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authroot.stl). 50 | * Some certificates are included in authroot.stl, but the "Microsoft Status" has been marked as **Disable** or other status in [CCADB](https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT). -------------------------------------------------------------------------------- /app/app.go: -------------------------------------------------------------------------------- 1 | package app 2 | 3 | import ( 4 | "flag" 5 | "fmt" 6 | "os" 7 | 8 | "github.com/canstand/ctlcheck/ctl" 9 | "github.com/carlmjohnson/flagext" 10 | "github.com/pterm/pterm" 11 | "gopkg.in/yaml.v3" 12 | ) 13 | 14 | const AppName = "ctlcheck" 15 | 16 | func CLI(args []string) error { 17 | var app appEnv 18 | err := app.ParseArgs(args) 19 | if err != nil { 20 | return err 21 | } 22 | if err = app.Exec(); err != nil { 23 | fmt.Fprintf(os.Stderr, "Error: %v\n", err) 24 | } 25 | return err 26 | } 27 | 28 | func (app *appEnv) ParseArgs(args []string) error { 29 | fl := flag.NewFlagSet(AppName, flag.ContinueOnError) 30 | app.AppleCTL = ctl.NewAppleCTL() 31 | app.MicrosoftCTL = ctl.NewMicrosoftCTL() 32 | app.MozillaCTL = ctl.NewMozillaCTL() 33 | app.Allow = ctl.Entrys{} 34 | 35 | var ( 36 | offline bool 37 | save bool 38 | raw bool 39 | ) 40 | 41 | fl.BoolVar(&offline, "offline", false, "load data from ctlcheck.yml instead of fetch from CCADB") 42 | fl.BoolVar(&save, "save", false, "save data to ctlcheck.yml") 43 | fl.BoolVar(&raw, "raw", false, "print unstyled raw output (set it if output is written to a file)") 44 | 45 | fl.Usage = func() { 46 | fmt.Fprintf(fl.Output(), `ctlcheck - %s 47 | 48 | A utility to check the certificate trust list (CTL) 49 | 50 | Usage: 51 | ctlcheck [options] 52 | 53 | Options: 54 | `, getAppVersion()) 55 | fl.PrintDefaults() 56 | } 57 | if err := fl.Parse(args); err != nil { 58 | return err 59 | } 60 | if err := flagext.ParseEnv(fl, AppName); err != nil { 61 | return err 62 | } 63 | app.offline = offline 64 | app.save = save 65 | if raw { 66 | pterm.DisableStyling() 67 | } 68 | return nil 69 | } 70 | 71 | type appEnv struct { 72 | AppleCTL *ctl.AppleCTL `yaml:"apple_ctl,omitempty"` 73 | MicrosoftCTL *ctl.MicrosoftCTL `yaml:"micrsoft_ctl,omitempty"` 74 | MozillaCTL *ctl.MozillaCTL `yaml:"mozilla_ctl,omitempty"` 75 | Allow ctl.Entrys `yaml:"allow,omitempty"` 76 | offline bool `yaml:"-"` 77 | save bool `yaml:"-"` 78 | } 79 | 80 | func (app *appEnv) Exec() (err error) { 81 | spinnerLoading, _ := pterm.DefaultSpinner.Start("Load CTL...") 82 | 83 | if app.offline { 84 | spinnerLoading.UpdateText("Load CTL...from file") 85 | err = app.Load("ctlcheck.yml") 86 | if err != nil { 87 | spinnerLoading.Fail(err) 88 | return err 89 | } 90 | } else { 91 | _ = app.Load("ctlcheck.yml") // load allow items if file exist 92 | 93 | spinnerLoading.UpdateText("Fetch CTL...") 94 | 95 | err = app.fetchCtl() 96 | if err != nil { 97 | spinnerLoading.Fail(err) 98 | return err 99 | } 100 | if app.save { 101 | spinnerLoading.UpdateText("Fetch CTL..., save to file") 102 | err = app.Save("ctlcheck.yml") 103 | if err != nil { 104 | spinnerLoading.Fail(err) 105 | return err 106 | } 107 | } 108 | } 109 | spinnerLoading.Success() 110 | 111 | roots, err := ctl.LoadSystemRoots() 112 | if err != nil { 113 | pterm.PrintOnErrorf("load system root CAs failed: %v", err) 114 | return err 115 | } 116 | results := app.verify(roots.Certs, app.Allow) 117 | 118 | pterm.DefaultSection.WithLevel(2).Print("System Root CA") 119 | pterm.Print(results.ConsoleReport()) 120 | 121 | return err 122 | } 123 | 124 | // Save as yaml file 125 | func (app *appEnv) Save(file string) error { 126 | data, err := yaml.Marshal(app) 127 | if err != nil { 128 | return err 129 | } 130 | 131 | err = os.WriteFile(file, data, 0o644) 132 | 133 | return err 134 | } 135 | 136 | // Load from yaml file 137 | func (app *appEnv) Load(file string) error { 138 | data, err := os.ReadFile(file) 139 | if err != nil { 140 | return err 141 | } 142 | 143 | err = yaml.Unmarshal(data, app) 144 | 145 | return err 146 | } 147 | -------------------------------------------------------------------------------- /app/app_darwin.go: -------------------------------------------------------------------------------- 1 | //go:build darwin && !ios 2 | 3 | package app 4 | 5 | import "github.com/canstand/ctlcheck/ctl" 6 | 7 | func (app *appEnv) verify(certs []*ctl.Cert, allowedCerts ctl.Entrys) *ctl.VerifyResult { 8 | return app.AppleCTL.Verify(certs, app.Allow) 9 | } 10 | 11 | func (app *appEnv) fetchCtl() error { 12 | return app.AppleCTL.Fetch() 13 | } 14 | -------------------------------------------------------------------------------- /app/app_unix.go: -------------------------------------------------------------------------------- 1 | //go:build aix || dragonfly || freebsd || (js && wasm) || linux || netbsd || openbsd || solaris 2 | 3 | package app 4 | 5 | import "github.com/canstand/ctlcheck/ctl" 6 | 7 | func (app *appEnv) verify(certs []*ctl.Cert, allowedCerts ctl.Entrys) *ctl.VerifyResult { 8 | return app.MozillaCTL.Verify(certs, app.Allow) 9 | } 10 | 11 | func (app *appEnv) fetchCtl() error { 12 | return app.MozillaCTL.Fetch() 13 | } 14 | -------------------------------------------------------------------------------- /app/app_windows.go: -------------------------------------------------------------------------------- 1 | //go:build windows 2 | 3 | package app 4 | 5 | import "github.com/canstand/ctlcheck/ctl" 6 | 7 | func (app *appEnv) verify(certs []*ctl.Cert, allowedCerts ctl.Entrys) *ctl.VerifyResult { 8 | return app.MicrosoftCTL.Verify(certs, app.Allow) 9 | } 10 | 11 | func (app *appEnv) fetchCtl() error { 12 | return app.MicrosoftCTL.Fetch() 13 | } 14 | -------------------------------------------------------------------------------- /app/version.go: -------------------------------------------------------------------------------- 1 | package app 2 | 3 | import ( 4 | "fmt" 5 | "runtime/debug" 6 | "time" 7 | ) 8 | 9 | var AppVersion string 10 | 11 | func getAppVersion() string { 12 | if len(AppVersion) != 0 { 13 | return AppVersion 14 | } 15 | 16 | bi, ok := debug.ReadBuildInfo() 17 | if !ok { 18 | return "(dev)" 19 | } 20 | 21 | if bi.Main.Version != "(devel)" { 22 | return bi.Main.Version 23 | } 24 | 25 | var vcsRevision string 26 | var vcsTime time.Time 27 | for _, setting := range bi.Settings { 28 | switch setting.Key { 29 | case "vcs.revision": 30 | vcsRevision = setting.Value 31 | case "vcs.time": 32 | vcsTime, _ = time.Parse(time.RFC3339, setting.Value) 33 | } 34 | } 35 | 36 | if vcsRevision != "" { 37 | return fmt.Sprintf("%s, (%s)", vcsRevision, vcsTime) 38 | } 39 | 40 | return "(dev)" 41 | } 42 | -------------------------------------------------------------------------------- /ctl/ca_bsd.go: -------------------------------------------------------------------------------- 1 | // Copyright 2015 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | //go:build dragonfly || freebsd || netbsd || openbsd 6 | // +build dragonfly freebsd netbsd openbsd 7 | 8 | package ctl 9 | 10 | // Possible certificate files; stop after finding one. 11 | var certFiles = []string{ 12 | "/usr/local/share/certs/ca-root-nss.crt", // FreeBSD/DragonFly 13 | "/etc/ssl/cert.pem", // OpenBSD 14 | "/etc/openssl/certs/ca-certificates.crt", // NetBSD 15 | } 16 | -------------------------------------------------------------------------------- /ctl/ca_cgo_darwin.go: -------------------------------------------------------------------------------- 1 | // Copyright 2011 The Go Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | //go:build cgo && !arm && !arm64 && !ios 6 | // +build cgo,!arm,!arm64,!ios 7 | 8 | package ctl 9 | 10 | /* 11 | #cgo CFLAGS: -mmacosx-version-min=10.10 -D__MAC_OS_X_VERSION_MAX_ALLOWED=101300 12 | #cgo LDFLAGS: -framework CoreFoundation -framework Security 13 | 14 | #include 15 | #include 16 | 17 | #include 18 | #include 19 | 20 | static Boolean isSSLPolicy(SecPolicyRef policyRef) { 21 | if (!policyRef) { 22 | return false; 23 | } 24 | CFDictionaryRef properties = SecPolicyCopyProperties(policyRef); 25 | if (properties == NULL) { 26 | return false; 27 | } 28 | Boolean isSSL = false; 29 | CFTypeRef value = NULL; 30 | if (CFDictionaryGetValueIfPresent(properties, kSecPolicyOid, (const void **)&value)) { 31 | isSSL = CFEqual(value, kSecPolicyAppleSSL); 32 | } 33 | CFRelease(properties); 34 | return isSSL; 35 | } 36 | 37 | // sslTrustSettingsResult obtains the final kSecTrustSettingsResult value 38 | // for a certificate in the user or admin domain, combining usage constraints 39 | // for the SSL SecTrustSettingsPolicy, ignoring SecTrustSettingsKeyUsage and 40 | // kSecTrustSettingsAllowedError. 41 | // https://developer.apple.com/documentation/security/1400261-sectrustsettingscopytrustsetting 42 | static SInt32 sslTrustSettingsResult(SecCertificateRef cert) { 43 | CFArrayRef trustSettings = NULL; 44 | OSStatus err = SecTrustSettingsCopyTrustSettings(cert, kSecTrustSettingsDomainUser, &trustSettings); 45 | 46 | // According to Apple's SecTrustServer.c, "user trust settings overrule admin trust settings", 47 | // but the rules of the override are unclear. Let's assume admin trust settings are applicable 48 | // if and only if user trust settings fail to load or are NULL. 49 | if (err != errSecSuccess || trustSettings == NULL) { 50 | if (trustSettings != NULL) CFRelease(trustSettings); 51 | err = SecTrustSettingsCopyTrustSettings(cert, kSecTrustSettingsDomainAdmin, &trustSettings); 52 | } 53 | 54 | // > no trust settings [...] means "this certificate must be verified to a known trusted certificate” 55 | // (Should this cause a fallback from user to admin domain? It's unclear.) 56 | if (err != errSecSuccess || trustSettings == NULL) { 57 | if (trustSettings != NULL) CFRelease(trustSettings); 58 | return kSecTrustSettingsResultUnspecified; 59 | } 60 | 61 | // > An empty trust settings array means "always trust this certificate” with an 62 | // > overall trust setting for the certificate of kSecTrustSettingsResultTrustRoot. 63 | if (CFArrayGetCount(trustSettings) == 0) { 64 | CFRelease(trustSettings); 65 | return kSecTrustSettingsResultTrustRoot; 66 | } 67 | 68 | // kSecTrustSettingsResult is defined as CFSTR("kSecTrustSettingsResult"), 69 | // but the Go linker's internal linking mode can't handle CFSTR relocations. 70 | // Create our own dynamic string instead and release it below. 71 | CFStringRef _kSecTrustSettingsResult = CFStringCreateWithCString( 72 | NULL, "kSecTrustSettingsResult", kCFStringEncodingUTF8); 73 | CFStringRef _kSecTrustSettingsPolicy = CFStringCreateWithCString( 74 | NULL, "kSecTrustSettingsPolicy", kCFStringEncodingUTF8); 75 | CFStringRef _kSecTrustSettingsPolicyString = CFStringCreateWithCString( 76 | NULL, "kSecTrustSettingsPolicyString", kCFStringEncodingUTF8); 77 | 78 | CFIndex m; SInt32 result = 0; 79 | for (m = 0; m < CFArrayGetCount(trustSettings); m++) { 80 | CFDictionaryRef tSetting = (CFDictionaryRef)CFArrayGetValueAtIndex(trustSettings, m); 81 | 82 | // First, check if this trust setting is constrained to a non-SSL policy. 83 | SecPolicyRef policyRef; 84 | if (CFDictionaryGetValueIfPresent(tSetting, _kSecTrustSettingsPolicy, (const void**)&policyRef)) { 85 | if (!isSSLPolicy(policyRef)) { 86 | continue; 87 | } 88 | } 89 | 90 | if (CFDictionaryContainsKey(tSetting, _kSecTrustSettingsPolicyString)) { 91 | // Restricted to a hostname, not a root. 92 | continue; 93 | } 94 | 95 | CFNumberRef cfNum; 96 | if (CFDictionaryGetValueIfPresent(tSetting, _kSecTrustSettingsResult, (const void**)&cfNum)) { 97 | CFNumberGetValue(cfNum, kCFNumberSInt32Type, &result); 98 | } else { 99 | // > If this key is not present, a default value of 100 | // > kSecTrustSettingsResultTrustRoot is assumed. 101 | result = kSecTrustSettingsResultTrustRoot; 102 | } 103 | 104 | // If multiple dictionaries match, we are supposed to "OR" them, 105 | // the semantics of which are not clear. Since TrustRoot and TrustAsRoot 106 | // are mutually exclusive, Deny should probably override, and Invalid and 107 | // Unspecified be overridden, approximate this by stopping at the first 108 | // TrustRoot, TrustAsRoot or Deny. 109 | if (result == kSecTrustSettingsResultTrustRoot) { 110 | break; 111 | } else if (result == kSecTrustSettingsResultTrustAsRoot) { 112 | break; 113 | } else if (result == kSecTrustSettingsResultDeny) { 114 | break; 115 | } 116 | } 117 | 118 | // If trust settings are present, but none of them match the policy... 119 | // the docs don't tell us what to do. 120 | // 121 | // "Trust settings for a given use apply if any of the dictionaries in the 122 | // certificate’s trust settings array satisfies the specified use." suggests 123 | // that it's as if there were no trust settings at all, so we should probably 124 | // fallback to the admin trust settings. TODO. 125 | if (result == 0) { 126 | result = kSecTrustSettingsResultUnspecified; 127 | } 128 | 129 | CFRelease(_kSecTrustSettingsPolicy); 130 | CFRelease(_kSecTrustSettingsPolicyString); 131 | CFRelease(_kSecTrustSettingsResult); 132 | CFRelease(trustSettings); 133 | 134 | return result; 135 | } 136 | 137 | // isRootCertificate reports whether Subject and Issuer match. 138 | static Boolean isRootCertificate(SecCertificateRef cert, CFErrorRef *errRef) { 139 | CFDataRef subjectName = SecCertificateCopyNormalizedSubjectContent(cert, errRef); 140 | if (*errRef != NULL) { 141 | return false; 142 | } 143 | CFDataRef issuerName = SecCertificateCopyNormalizedIssuerContent(cert, errRef); 144 | if (*errRef != NULL) { 145 | CFRelease(subjectName); 146 | return false; 147 | } 148 | Boolean equal = CFEqual(subjectName, issuerName); 149 | CFRelease(subjectName); 150 | CFRelease(issuerName); 151 | return equal; 152 | } 153 | 154 | // CopyPEMRootsCTX509 fetches the system's list of trusted X.509 root certificates 155 | // for the kSecTrustSettingsPolicy SSL. 156 | // 157 | // On success it returns 0 and fills pemRoots with a CFDataRef that contains the extracted root 158 | // certificates of the system. On failure, the function returns -1. 159 | // Additionally, it fills untrustedPemRoots with certs that must be removed from pemRoots. 160 | // 161 | // Note: The CFDataRef returned in pemRoots and untrustedPemRoots must 162 | // be released (using CFRelease) after we've consumed its content. 163 | static int CopyPEMRootsCTX509(CFDataRef *pemRoots, CFDataRef *untrustedPemRoots, bool debugDarwinRoots) { 164 | int i; 165 | 166 | if (debugDarwinRoots) { 167 | fprintf(stderr, "crypto/x509: kSecTrustSettingsResultInvalid = %d\n", kSecTrustSettingsResultInvalid); 168 | fprintf(stderr, "crypto/x509: kSecTrustSettingsResultTrustRoot = %d\n", kSecTrustSettingsResultTrustRoot); 169 | fprintf(stderr, "crypto/x509: kSecTrustSettingsResultTrustAsRoot = %d\n", kSecTrustSettingsResultTrustAsRoot); 170 | fprintf(stderr, "crypto/x509: kSecTrustSettingsResultDeny = %d\n", kSecTrustSettingsResultDeny); 171 | fprintf(stderr, "crypto/x509: kSecTrustSettingsResultUnspecified = %d\n", kSecTrustSettingsResultUnspecified); 172 | } 173 | 174 | // Get certificates from all domains, not just System, this lets 175 | // the user add CAs to their "login" keychain, and Admins to add 176 | // to the "System" keychain 177 | SecTrustSettingsDomain domains[] = { kSecTrustSettingsDomainSystem, 178 | kSecTrustSettingsDomainAdmin, kSecTrustSettingsDomainUser }; 179 | 180 | int numDomains = sizeof(domains)/sizeof(SecTrustSettingsDomain); 181 | if (pemRoots == NULL || untrustedPemRoots == NULL) { 182 | return -1; 183 | } 184 | 185 | CFMutableDataRef combinedData = CFDataCreateMutable(kCFAllocatorDefault, 0); 186 | CFMutableDataRef combinedUntrustedData = CFDataCreateMutable(kCFAllocatorDefault, 0); 187 | for (i = 0; i < numDomains; i++) { 188 | int j; 189 | CFArrayRef certs = NULL; 190 | OSStatus err = SecTrustSettingsCopyCertificates(domains[i], &certs); 191 | if (err != noErr) { 192 | continue; 193 | } 194 | 195 | CFIndex numCerts = CFArrayGetCount(certs); 196 | for (j = 0; j < numCerts; j++) { 197 | SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, j); 198 | if (cert == NULL) { 199 | continue; 200 | } 201 | 202 | SInt32 result; 203 | if (domains[i] == kSecTrustSettingsDomainSystem) { 204 | // Certs found in the system domain are always trusted. If the user 205 | // configures "Never Trust" on such a cert, it will also be found in the 206 | // admin or user domain, causing it to be added to untrustedPemRoots. The 207 | // Go code will then clean this up. 208 | result = kSecTrustSettingsResultTrustRoot; 209 | } else { 210 | result = sslTrustSettingsResult(cert); 211 | if (debugDarwinRoots) { 212 | CFErrorRef errRef = NULL; 213 | CFStringRef summary = SecCertificateCopyShortDescription(NULL, cert, &errRef); 214 | if (errRef != NULL) { 215 | fprintf(stderr, "crypto/x509: SecCertificateCopyShortDescription failed\n"); 216 | CFRelease(errRef); 217 | continue; 218 | } 219 | 220 | CFIndex length = CFStringGetLength(summary); 221 | CFIndex maxSize = CFStringGetMaximumSizeForEncoding(length, kCFStringEncodingUTF8) + 1; 222 | char *buffer = malloc(maxSize); 223 | if (CFStringGetCString(summary, buffer, maxSize, kCFStringEncodingUTF8)) { 224 | fprintf(stderr, "crypto/x509: %s returned %d\n", buffer, (int)result); 225 | } 226 | free(buffer); 227 | CFRelease(summary); 228 | } 229 | } 230 | 231 | CFMutableDataRef appendTo; 232 | // > Note the distinction between the results kSecTrustSettingsResultTrustRoot 233 | // > and kSecTrustSettingsResultTrustAsRoot: The former can only be applied to 234 | // > root (self-signed) certificates; the latter can only be applied to 235 | // > non-root certificates. 236 | if (result == kSecTrustSettingsResultTrustRoot) { 237 | CFErrorRef errRef = NULL; 238 | if (!isRootCertificate(cert, &errRef) || errRef != NULL) { 239 | if (errRef != NULL) CFRelease(errRef); 240 | continue; 241 | } 242 | 243 | appendTo = combinedData; 244 | } else if (result == kSecTrustSettingsResultTrustAsRoot) { 245 | CFErrorRef errRef = NULL; 246 | if (isRootCertificate(cert, &errRef) || errRef != NULL) { 247 | if (errRef != NULL) CFRelease(errRef); 248 | continue; 249 | } 250 | 251 | appendTo = combinedData; 252 | } else if (result == kSecTrustSettingsResultDeny) { 253 | appendTo = combinedUntrustedData; 254 | } else if (result == kSecTrustSettingsResultUnspecified) { 255 | // Certificates with unspecified trust should probably be added to a pool of 256 | // intermediates for chain building, or checked for transitive trust and 257 | // added to the root pool (which is an imprecise approximation because it 258 | // cuts chains short) but we don't support either at the moment. TODO. 259 | continue; 260 | } else { 261 | continue; 262 | } 263 | 264 | CFDataRef data = NULL; 265 | err = SecItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data); 266 | if (err != noErr) { 267 | continue; 268 | } 269 | if (data != NULL) { 270 | CFDataAppendBytes(appendTo, CFDataGetBytePtr(data), CFDataGetLength(data)); 271 | CFRelease(data); 272 | } 273 | } 274 | CFRelease(certs); 275 | } 276 | *pemRoots = combinedData; 277 | *untrustedPemRoots = combinedUntrustedData; 278 | return 0; 279 | } 280 | */ 281 | import "C" 282 | 283 | import ( 284 | "errors" 285 | "os" 286 | "strings" 287 | "unsafe" 288 | ) 289 | 290 | var debugDarwinRoots = strings.Contains(os.Getenv("GODEBUG"), "x509roots=1") 291 | 292 | func LoadSystemRoots() (*CertStore, error) { 293 | var data, untrustedData C.CFDataRef 294 | err := C.CopyPEMRootsCTX509(&data, &untrustedData, C.bool(debugDarwinRoots)) 295 | if err == -1 { 296 | return nil, errors.New("crypto/x509: failed to load darwin system roots with cgo") 297 | } 298 | defer C.CFRelease(C.CFTypeRef(data)) 299 | defer C.CFRelease(C.CFTypeRef(untrustedData)) 300 | 301 | buf := C.GoBytes(unsafe.Pointer(C.CFDataGetBytePtr(data)), C.int(C.CFDataGetLength(data))) 302 | roots := NewCertStore() 303 | roots.AppendCertsFromPEM(buf) 304 | 305 | if C.CFDataGetLength(untrustedData) == 0 { 306 | return roots, nil 307 | } 308 | 309 | buf = C.GoBytes(unsafe.Pointer(C.CFDataGetBytePtr(untrustedData)), C.int(C.CFDataGetLength(untrustedData))) 310 | untrustedRoots := NewCertStore() 311 | untrustedRoots.AppendCertsFromPEM(buf) 312 | 313 | trustedRoots := NewCertStore() 314 | for _, c := range roots.Certs { 315 | if !untrustedRoots.contains(c.Certificate) { 316 | trustedRoots.AddCert(c.Certificate) 317 | } 318 | } 319 | return trustedRoots, nil 320 | } 321 | -------------------------------------------------------------------------------- /ctl/ca_linux.go: -------------------------------------------------------------------------------- 1 | //go:build linux 2 | 3 | package ctl 4 | 5 | // Possible certificate files; stop after finding one. 6 | var certFiles = []string{ 7 | "/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc. 8 | "/etc/pki/tls/certs/ca-bundle.crt", // Fedora/RHEL 6 9 | "/etc/ssl/ca-bundle.pem", // OpenSUSE 10 | "/etc/pki/tls/cacert.pem", // OpenELEC 11 | "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7 12 | "/etc/ssl/cert.pem", // Alpine Linux 13 | } 14 | 15 | // Possible directories with certificate files; all will be read. 16 | var certDirectories = []string{ 17 | "/etc/ssl/certs", // SLES10/SLES11, https://golang.org/issue/12139 18 | "/etc/pki/tls/certs", // Fedora/RHEL 19 | "/system/etc/security/cacerts", // Android 20 | } 21 | -------------------------------------------------------------------------------- /ctl/ca_unix.go: -------------------------------------------------------------------------------- 1 | //go:build aix || dragonfly || freebsd || (js && wasm) || linux || netbsd || openbsd || solaris 2 | 3 | package ctl 4 | 5 | import ( 6 | "os" 7 | "strings" 8 | ) 9 | 10 | const ( 11 | // certFileEnv is the environment variable which identifies where to locate 12 | // the SSL certificate file. If set this overrides the system default. 13 | certFileEnv = "SSL_CERT_FILE" 14 | 15 | // certDirEnv is the environment variable which identifies which directory 16 | // to check for SSL certificate files. If set this overrides the system default. 17 | // It is a colon separated list of directories. 18 | // See https://www.openssl.org/docs/man1.0.2/man1/c_rehash.html. 19 | certDirEnv = "SSL_CERT_DIR" 20 | ) 21 | 22 | func LoadSystemRoots() (*CertStore, error) { 23 | roots := NewCertStore() 24 | 25 | files := certFiles 26 | if f := os.Getenv(certFileEnv); f != "" { 27 | files = []string{f} 28 | } 29 | 30 | var firstErr error 31 | for _, file := range files { 32 | data, err := os.ReadFile(file) 33 | if err == nil { 34 | roots.AppendCertsFromPEM(data) 35 | break 36 | } 37 | if firstErr == nil && !os.IsNotExist(err) { 38 | firstErr = err 39 | } 40 | } 41 | 42 | dirs := certDirectories 43 | if d := os.Getenv(certDirEnv); d != "" { 44 | // OpenSSL and BoringSSL both use ":" as the SSL_CERT_DIR separator. 45 | // See: 46 | // * https://golang.org/issue/35325 47 | // * https://www.openssl.org/docs/man1.0.2/man1/c_rehash.html 48 | dirs = strings.Split(d, ":") 49 | } 50 | 51 | for _, directory := range dirs { 52 | fis, err := readUniqueDirectoryEntries(directory) 53 | if err != nil { 54 | if firstErr == nil && !os.IsNotExist(err) { 55 | firstErr = err 56 | } 57 | continue 58 | } 59 | for _, fi := range fis { 60 | data, err := os.ReadFile(directory + "/" + fi.Name()) 61 | if err == nil { 62 | roots.AppendCertsFromPEM(data) 63 | } 64 | } 65 | } 66 | 67 | if len(roots.Certs) > 0 || firstErr == nil { 68 | return roots, nil 69 | } 70 | 71 | return nil, firstErr 72 | } 73 | -------------------------------------------------------------------------------- /ctl/ca_windows.go: -------------------------------------------------------------------------------- 1 | //go:build windows 2 | 3 | package ctl 4 | 5 | import ( 6 | "crypto/x509" 7 | "syscall" 8 | "unsafe" 9 | ) 10 | 11 | func LoadSystemRoots() (*CertStore, error) { 12 | const CRYPT_E_NOT_FOUND = 0x80092004 13 | root, err := syscall.UTF16PtrFromString("ROOT") 14 | if err != nil { 15 | return nil, err 16 | } 17 | store, err := syscall.CertOpenSystemStore(0, root) 18 | if err != nil { 19 | return nil, err 20 | } 21 | defer func() { 22 | _ = syscall.CertCloseStore(store, 0) 23 | }() 24 | 25 | roots := NewCertStore() 26 | var cert *syscall.CertContext 27 | for { 28 | cert, err = syscall.CertEnumCertificatesInStore(store, cert) 29 | if err != nil { 30 | if errno, ok := err.(syscall.Errno); ok { 31 | if errno == CRYPT_E_NOT_FOUND { 32 | break 33 | } 34 | } 35 | return nil, err 36 | } 37 | if cert == nil { 38 | break 39 | } 40 | // Copy the buf, since ParseCertificate does not create its own copy. 41 | buf := (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:] 42 | buf2 := make([]byte, cert.Length) 43 | copy(buf2, buf) 44 | if c, err := x509.ParseCertificate(buf2); err == nil { 45 | roots.AddCert(c) 46 | } 47 | } 48 | return roots, nil 49 | } 50 | -------------------------------------------------------------------------------- /ctl/cert_store.go: -------------------------------------------------------------------------------- 1 | package ctl 2 | 3 | import ( 4 | "crypto/sha256" 5 | "crypto/x509" 6 | "encoding/pem" 7 | ) 8 | 9 | type sum256 [sha256.Size]byte 10 | 11 | // Cert adds Checksum field to x509.Cerificate to store SHA256 12 | type Cert struct { 13 | *x509.Certificate `json:"_"` 14 | Checksum string `json:"checksum,omitempty"` 15 | } 16 | 17 | // CertStore is a set of certificates. 18 | type CertStore struct { 19 | Certs []*Cert 20 | haveSum map[sum256]bool 21 | } 22 | 23 | // NewCertStore returns a new, empty CertStore. 24 | func NewCertStore() *CertStore { 25 | return &CertStore{ 26 | Certs: []*Cert{}, 27 | haveSum: map[sum256]bool{}, 28 | } 29 | } 30 | 31 | // AddCert adds a certificate to CertStore. 32 | func (s *CertStore) AddCert(cert *x509.Certificate) { 33 | if cert == nil { 34 | panic("adding nil Certificate to CertStore") 35 | } 36 | 37 | rawSum256 := sha256.Sum256(cert.Raw) 38 | 39 | if s.haveSum[rawSum256] { 40 | return 41 | } 42 | 43 | s.Certs = append(s.Certs, &Cert{ 44 | Certificate: cert, 45 | Checksum: getChecksum(cert.Raw), 46 | }) 47 | s.haveSum[rawSum256] = true 48 | } 49 | 50 | // AppendCertsFromPEM attempts to parse a series of PEM encoded certificates. 51 | // It appends any certificates found to s and reports whether any certificates 52 | // were successfully parsed. 53 | // 54 | // On many Linux systems, /etc/ssl/cert.pem will contain the system wide set 55 | // of root CAs in a format suitable for this function. 56 | func (s *CertStore) AppendCertsFromPEM(pemCerts []byte) (ok bool) { 57 | for len(pemCerts) > 0 { 58 | var block *pem.Block 59 | block, pemCerts = pem.Decode(pemCerts) 60 | if block == nil { 61 | break 62 | } 63 | if block.Type != "CERTIFICATE" || len(block.Headers) != 0 { 64 | continue 65 | } 66 | 67 | certBytes := block.Bytes 68 | cert, err := x509.ParseCertificate(certBytes) 69 | if err != nil { 70 | continue 71 | } 72 | 73 | s.AddCert(cert) 74 | ok = true 75 | } 76 | 77 | return ok 78 | } 79 | 80 | func (s *CertStore) contains(cert *x509.Certificate) bool { //nolint:unused 81 | if s == nil { 82 | return false 83 | } 84 | return s.haveSum[sha256.Sum256(cert.Raw)] 85 | } 86 | -------------------------------------------------------------------------------- /ctl/ctl.go: -------------------------------------------------------------------------------- 1 | package ctl 2 | 3 | import ( 4 | "bytes" 5 | "crypto/x509/pkix" 6 | "fmt" 7 | "text/template" 8 | "time" 9 | 10 | "github.com/pterm/pterm" 11 | ) 12 | 13 | const ( 14 | MICROSOFT = "microsoft" 15 | MOZILLA_NSS = "mozilla_nss" 16 | OPENJDK = "openjdk" 17 | ) 18 | 19 | type CTL struct { 20 | UpdatedAt time.Time `yaml:"updated_at,omitempty"` 21 | Trusted Entrys `yaml:"trusted"` 22 | Removed Entrys `yaml:"removed,omitempty"` 23 | } 24 | 25 | // Entrys maps from sum256(cert.Raw) to subject name. 26 | type Entrys map[string]string 27 | 28 | type VerifyResult struct { 29 | Total int 30 | TrustedCerts []*Cert `json:"_"` 31 | AllowedCerts []*Cert `json:"allowed_certs,omitempty"` 32 | allowedDesc string 33 | RemovedCerts []*Cert `json:"removed_certs,omitempty"` 34 | removedDesc string 35 | UnknownCerts []*Cert `json:"unknown_certs,omitempty"` 36 | unknownDesc string 37 | } 38 | 39 | func NewCTL() *CTL { 40 | return &CTL{ 41 | Trusted: Entrys{}, 42 | Removed: Entrys{}, 43 | } 44 | } 45 | 46 | // verify that the specified certificate is included in the CTL or has been removed 47 | func (ctl *CTL) verify(certs []*Cert, allowedCerts Entrys, ret *VerifyResult) { 48 | for _, cert := range certs { 49 | _, ok := ctl.Trusted[cert.Checksum] 50 | if ok { 51 | ret.TrustedCerts = append(ret.TrustedCerts, cert) 52 | } else { 53 | _, ok := allowedCerts[cert.Checksum] 54 | if ok { 55 | ret.AllowedCerts = append(ret.AllowedCerts, cert) 56 | } else { 57 | _, ok = ctl.Removed[cert.Checksum] 58 | if ok { 59 | ret.RemovedCerts = append(ret.RemovedCerts, cert) 60 | } else { 61 | ret.UnknownCerts = append(ret.UnknownCerts, cert) 62 | } 63 | } 64 | } 65 | } 66 | } 67 | 68 | func (result *VerifyResult) ConsoleReport() (output string) { 69 | var ( 70 | countTrusted = len(result.TrustedCerts) 71 | countRemoved = len(result.RemovedCerts) 72 | countAllowed = len(result.AllowedCerts) 73 | countUnknown = len(result.UnknownCerts) 74 | ) 75 | table, err := pterm.DefaultTable.WithHasHeader().WithRightAlignment().WithData( 76 | pterm.TableData{ 77 | {"Total", "Trust", "Allow", "Removal", "Unknown"}, 78 | {fmt.Sprint(result.Total), fmt.Sprint(countTrusted), fmt.Sprint(countAllowed), fmt.Sprint(countRemoved), fmt.Sprint(countUnknown)}, 79 | }).Srender() 80 | if err != nil { 81 | output += pterm.Error.Sprintf("%v", err) 82 | return 83 | } 84 | output += table + "\n" 85 | output += formatCerts("Allowed Certificates", result.allowedDesc, result.AllowedCerts) 86 | output += formatCerts("Removed Certificates", result.removedDesc, result.RemovedCerts) 87 | output += formatCerts("Unknown Certificates", result.unknownDesc, result.UnknownCerts) 88 | return 89 | } 90 | 91 | func formatCerts(title, desc string, certs []*Cert) (output string) { 92 | if len(certs) < 1 { 93 | return 94 | } 95 | output += pterm.DefaultSection.WithLevel(3).Sprintf("%s:%4d", title, len(certs)) 96 | if desc != "" { 97 | output += pterm.ThemeDefault.InfoMessageStyle.Sprintln(desc) 98 | } 99 | 100 | tpl := template.Must(template.New("").Funcs(template.FuncMap{ 101 | "redIfNotExpired": func(t time.Time) string { 102 | txt := t.Format("2006-01-02T15:04:05Z") 103 | if t.After(time.Now()) { 104 | txt = pterm.Red(txt) 105 | } 106 | return txt 107 | }, 108 | "pkixName": func(n pkix.Name) string { 109 | if len(n.CommonName) > 0 { 110 | return n.CommonName 111 | } 112 | if len(n.OrganizationalUnit) > 0 { 113 | return n.OrganizationalUnit[0] 114 | } 115 | if len(n.Organization) > 0 { 116 | return n.Organization[0] 117 | } 118 | return n.String() 119 | }, 120 | }).Parse(` 121 | {{- range . -}} 122 | SHA256: {{ .Checksum }} 123 | Subject: {{ .Subject | pkixName }} 124 | Issuer: {{ .Issuer | pkixName }} 125 | Valid from: {{ .NotBefore.Format "2006-01-02T15:04:05Z" }} 126 | to: {{ .NotAfter | redIfNotExpired }} 127 | {{ end -}} 128 | `)) 129 | 130 | var buf bytes.Buffer 131 | if err := tpl.Execute(&buf, &certs); err != nil { 132 | output += pterm.Error.Sprintf("%v", err) 133 | return 134 | } 135 | output += buf.String() 136 | return 137 | } 138 | -------------------------------------------------------------------------------- /ctl/ctl_apple.go: -------------------------------------------------------------------------------- 1 | package ctl 2 | 3 | import ( 4 | "fmt" 5 | "strings" 6 | "time" 7 | 8 | "github.com/antchfx/htmlquery" 9 | "golang.org/x/net/html" 10 | ) 11 | 12 | const AppleKBURL = "https://support.apple.com/en-us/HT209143" 13 | 14 | type AppleCTL struct { 15 | *CTL `yaml:",inline"` 16 | PublishURL string `yaml:"publish_url,omitempty"` 17 | PublishedDate string `yaml:"published_date,omitempty"` 18 | } 19 | 20 | func NewAppleCTL() *AppleCTL { 21 | return &AppleCTL{ 22 | CTL: NewCTL(), 23 | PublishURL: AppleKBURL, 24 | PublishedDate: "2006-01-02", 25 | } 26 | } 27 | 28 | // Verify that the specified certificate is included in the CTL or has been removed 29 | func (ctl *AppleCTL) Verify(certs []*Cert, allowedCerts Entrys) *VerifyResult { 30 | ret := VerifyResult{ 31 | Total: len(certs), 32 | TrustedCerts: []*Cert{}, 33 | AllowedCerts: []*Cert{}, 34 | allowedDesc: "Allow by yourself in the config file.\n", 35 | RemovedCerts: []*Cert{}, 36 | removedDesc: "See https://support.apple.com/en-us/HT209143\n", 37 | UnknownCerts: []*Cert{}, 38 | unknownDesc: "", 39 | } 40 | ctl.verify(certs, allowedCerts, &ret) 41 | return &ret 42 | } 43 | 44 | func (ctl *AppleCTL) Fetch() error { 45 | doc, err := htmlquery.LoadURL(AppleKBURL) 46 | if err != nil { 47 | return err 48 | } 49 | nodeDate := htmlquery.FindOne(doc, "//span[text()='Published Date:']/following-sibling::time") 50 | if nodeDate == nil { 51 | return fmt.Errorf("can not find apple publish date") 52 | } 53 | date := htmlquery.InnerText(nodeDate) 54 | _, err = parseDate(date) 55 | if err != nil { 56 | return fmt.Errorf("can not parse apple publish date: %w", err) 57 | } 58 | if strings.Compare(date, ctl.PublishedDate) < 1 { 59 | return nil // no update 60 | } 61 | ctl.PublishedDate = date 62 | nodeLink := htmlquery.FindOne(doc, "//h2[text()='Current Trust Store']/following-sibling::*//a") 63 | if nodeLink == nil { 64 | return fmt.Errorf("can not find apple publish link") 65 | } 66 | link := htmlquery.SelectAttr(nodeLink, "href") // link to latest url 67 | return ctl.fetchData(link) 68 | } 69 | 70 | func (ctl *AppleCTL) fetchData(link string) error { 71 | page, err := htmlquery.LoadURL(link) 72 | if err != nil { 73 | return err 74 | } 75 | xpathTrusted := "//h2[@id='trusted' or text()='Trusted Certificates' or text()='Trusted certificates']/following-sibling::div[1]//table" 76 | rows := parseTable(page, fmt.Sprintf("%s//th", xpathTrusted), fmt.Sprintf("%s//tr[position()>1]", xpathTrusted)) 77 | ctl.Trusted = extractEntrys(rows) 78 | if len(ctl.Trusted) == 0 { 79 | return fmt.Errorf("can not find data table in the page") 80 | } 81 | xpathBlocked := "//h2[@id='blocked' or text()='Blocked Certificates' or text()='Blocked certificates']/following-sibling::div[1]//table" 82 | rows = parseTable(page, fmt.Sprintf("%s//th", xpathBlocked), fmt.Sprintf("%s//tr[position()>1]", xpathBlocked)) 83 | ctl.Removed = extractEntrys(rows) 84 | ctl.UpdatedAt = time.Now() 85 | return nil 86 | } 87 | 88 | func extractEntrys(rows []map[string]string) Entrys { 89 | entrys := Entrys{} 90 | fpKey := strings.ToUpper("Fingerprint (SHA-256)") 91 | certNameKey := strings.ToUpper("Certificate name") 92 | for _, v := range rows { 93 | fingerprint := strings.ToUpper(strings.ReplaceAll(v[fpKey], " ", "")) 94 | if fingerprint != "" { 95 | entrys[fingerprint] = v[certNameKey] 96 | } 97 | } 98 | return entrys 99 | } 100 | 101 | func parseTable(top *html.Node, thExpr, trExpr string) []map[string]string { 102 | data := []map[string]string{} 103 | thNodes := htmlquery.Find(top, thExpr) 104 | trNodes := htmlquery.Find(top, trExpr) 105 | if len(thNodes) == 0 || len(trNodes) == 0 { 106 | return data // empty 107 | } 108 | headers := []string{} 109 | for _, v := range thNodes { 110 | headers = append(headers, strings.ToUpper(strings.TrimSpace(htmlquery.InnerText(v)))) 111 | } 112 | for _, v := range trNodes { 113 | row := map[string]string{} 114 | for m, n := range headers { 115 | text := htmlquery.Find(v, fmt.Sprintf(`./td[%d]//text()`, m+1)) 116 | value := "" 117 | for _, s := range text { 118 | value = value + " " + strings.TrimSpace(s.Data) 119 | } 120 | row[n] = strings.TrimSpace(value) 121 | } 122 | data = append(data, row) 123 | } 124 | return data 125 | } 126 | -------------------------------------------------------------------------------- /ctl/ctl_apple_test.go: -------------------------------------------------------------------------------- 1 | package ctl 2 | 3 | import "testing" 4 | 5 | func TestAppleCTL_Fetch(t *testing.T) { 6 | ctl := NewAppleCTL() 7 | err := ctl.Fetch() 8 | if err != nil { 9 | t.Errorf("AppleCTL.Fetch() error = %v", err) 10 | } 11 | if len(ctl.CTL.Trusted) == 0 { 12 | t.Errorf("AppleCTL.Fetch() error = %v", "no trusted certs, may be parse error") 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /ctl/ctl_microsoft.go: -------------------------------------------------------------------------------- 1 | package ctl 2 | 3 | import ( 4 | "bytes" 5 | "crypto/x509/pkix" 6 | "encoding/asn1" 7 | "encoding/binary" 8 | "encoding/hex" 9 | "fmt" 10 | "math/big" 11 | "strings" 12 | "time" 13 | "unicode/utf16" 14 | 15 | "github.com/github/smimesign/ietf-cms/protocol" 16 | ) 17 | 18 | const ( 19 | MicrosoftCACertificateReportCSV = "https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFTCSV" 20 | MicrosoftAuthrootStl = "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authroot.stl" 21 | ) 22 | 23 | type MicrosoftCTL struct { 24 | *CTL `yaml:",inline"` 25 | CCADBUrl string `yaml:"ccadb_url"` 26 | CCADBChecksum string `yaml:"ccadb_checksum,omitempty"` 27 | } 28 | 29 | func NewMicrosoftCTL() *MicrosoftCTL { 30 | return &MicrosoftCTL{ 31 | CTL: NewCTL(), 32 | CCADBUrl: MicrosoftCACertificateReportCSV, 33 | CCADBChecksum: "", 34 | } 35 | } 36 | 37 | // Verify that the specified certificate is included in the CTL or has been removed 38 | func (ctl *MicrosoftCTL) Verify(certs []*Cert, allowedCerts Entrys) *VerifyResult { 39 | ret := VerifyResult{ 40 | Total: len(certs), 41 | TrustedCerts: []*Cert{}, 42 | AllowedCerts: []*Cert{}, 43 | allowedDesc: "Allow by yourself in the config file.\n", 44 | RemovedCerts: []*Cert{}, 45 | removedDesc: "Use SHA256 to find the details in: \nhttps://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT\nDeprecation definitions:\nhttps://docs.microsoft.com/en-us/security/trusted-root/deprecation\n", 46 | UnknownCerts: []*Cert{}, 47 | unknownDesc: "", 48 | } 49 | ctl.verify(certs, allowedCerts, &ret) 50 | return &ret 51 | } 52 | 53 | // Fetch Microsoft's CTL from two sources, ccadb and authroot.stl 54 | func (ctl *MicrosoftCTL) Fetch() error { 55 | if ctl.CTL == nil { 56 | ctl.CTL = NewCTL() 57 | } 58 | 59 | body, err := getBody(MicrosoftCACertificateReportCSV) 60 | if err != nil { 61 | return err 62 | } 63 | 64 | hash := getChecksum(body) 65 | if hash != ctl.CCADBChecksum { // updated 66 | c, err := csvReadToMap(bytes.NewReader(body)) 67 | if err != nil { 68 | return fmt.Errorf("read csv file err: %w", err) 69 | } 70 | 71 | for _, v := range c { 72 | name := v["CA Common Name or Certificate Name"] 73 | sha256 := v["SHA-256 Fingerprint"] 74 | 75 | switch name { 76 | case "", "Example Root Case", "Example Root Certificate": 77 | continue 78 | default: 79 | // https://docs.microsoft.com/en-us/security/trusted-root/deprecation 80 | switch v["Microsoft Status"] { 81 | case "Included", "NotBefore": 82 | ctl.Trusted[sha256] = name 83 | // case "NotBefore", "Removal": 84 | // ctl.Removed[sha256] = name 85 | default: 86 | ctl.Removed[sha256] = name 87 | } 88 | } 89 | } 90 | ctl.CCADBChecksum = hash 91 | } 92 | 93 | authroot, err := getBody(MicrosoftAuthrootStl) 94 | if err != nil { 95 | return err 96 | } 97 | items, err := parseAuthroot(authroot) 98 | if err != nil { 99 | return err 100 | } 101 | for k, v := range items { 102 | _, ok := ctl.Removed[k] 103 | if ok { 104 | continue 105 | } 106 | ctl.Trusted[k] = v 107 | } 108 | 109 | // OS built-in, not included in authroot.stl or ccadb. 110 | // https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/trusted-root-certificates-are-required 111 | // -- Friendly name: Microsoft Authenticode(tm) Root 112 | // -- Thumbprint: 7f88cd7223f3c813818c994614a89c99fa3b5247 113 | ctl.Trusted["4898B1749717A594A2030F47C83C272BD14BAE3DCEB2EAE382174EF2EC1C75C9"] = "Microsoft Authenticode(tm) Root Authority" 114 | // -- Friendly name: Microsoft Timestamp Root 115 | // -- Thumbprint: 245c97df7514e7cf2df8be72ae957b9e04741e85 116 | ctl.Trusted["6EF914723F089D2ADAFF98D470A3651CCF1768E559FBDCC0FAAA640AA12E5753"] = "Microsoft Timestamp Root" 117 | 118 | ctl.UpdatedAt = time.Now() 119 | return nil 120 | } 121 | 122 | var ( 123 | // RFC3852 CMS message, ContentType Object Identifier for Certificate Trust List (CTL) 124 | szOID_CTL = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 1} 125 | // Signer of a CTL containing trusted roots 126 | szOID_ROOT_LIST_SIGNER = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 3, 9} 127 | szOID_CERT_FRIENDLY_NAME_PROP_ID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 11, 11} 128 | szOID_CERT_AUTHROOT_SHA256_HASH = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 11, 98} 129 | // szOID_AUTO_ENROLL_CTL_USAGE = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 1} 130 | ) 131 | 132 | // https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/WinArchive/%5bMS-CAESO%5d.pdf 133 | type certificateTrustList struct { 134 | // CTLVersion int `asn1:"default:0"` 135 | SubjectUsage []asn1.ObjectIdentifier 136 | ListIdentifier []byte `asn1:"optional"` 137 | SequenceNumber *big.Int `asn1:"optional"` 138 | CTLThisUpdate time.Time 139 | CTLNextUpdate time.Time `asn1:"optional"` 140 | SubjectAlgorithm pkix.AlgorithmIdentifier 141 | Subjects []subject `asn1:"optional"` 142 | CTLExtensions []pkix.Extension `asn1:"explicit,optional,omitempty,tag:0"` 143 | } 144 | 145 | type subject struct { 146 | Thumbprint []byte 147 | Attributes []attribute `asn1:"optional,set"` 148 | } 149 | 150 | type attribute struct { 151 | Type asn1.ObjectIdentifier 152 | Value asn1.RawValue `asn1:"set"` 153 | } 154 | 155 | func parseAuthroot(b []byte) (Entrys, error) { 156 | ret := Entrys{} 157 | 158 | content, err := getUnsignedData(b, szOID_CTL) 159 | if err != nil { 160 | return ret, err 161 | } 162 | 163 | var ctl certificateTrustList 164 | _, err = asn1.Unmarshal(content, &ctl) 165 | if err != nil { 166 | return ret, fmt.Errorf("parse error, %v", err) 167 | } 168 | 169 | if len(ctl.SubjectUsage) != 1 || !ctl.SubjectUsage[0].Equal(szOID_ROOT_LIST_SIGNER) { 170 | return ret, fmt.Errorf("unknown SubjectUsage") 171 | } 172 | 173 | for _, subject := range ctl.Subjects { 174 | // thumbprint := strings.ToUpper(hex.EncodeToString(subject.Thumbprint)) 175 | var sha256Hash, friendlyName string 176 | for _, attr := range subject.Attributes { 177 | var value []byte 178 | _, err := asn1.Unmarshal(attr.Value.Bytes, &value) 179 | if err != nil { 180 | return ret, err 181 | } 182 | switch attr.Type.String() { 183 | case szOID_CERT_AUTHROOT_SHA256_HASH.String(): 184 | sha256Hash = strings.ToUpper(hex.EncodeToString(value)) 185 | case szOID_CERT_FRIENDLY_NAME_PROP_ID.String(): 186 | name, err := wstrToString(value) 187 | if err != nil { 188 | return ret, err 189 | } 190 | friendlyName = name 191 | } 192 | } 193 | if sha256Hash != "" { 194 | ret[sha256Hash] = friendlyName 195 | } 196 | } 197 | 198 | return ret, nil 199 | } 200 | 201 | // getUnsignedData parse CMS (rfc3852) message, return eContent 202 | func getUnsignedData(b []byte, contentType asn1.ObjectIdentifier) ([]byte, error) { 203 | ci, err := protocol.ParseContentInfo(b) 204 | if err != nil { 205 | return nil, err 206 | } 207 | sd, err := ci.SignedDataContent() 208 | if err != nil { 209 | return nil, err 210 | } 211 | if !sd.EncapContentInfo.EContentType.Equal(contentType) { 212 | return nil, fmt.Errorf("wrong contentType: %v", sd.EncapContentInfo.EContentType) 213 | } 214 | return sd.EncapContentInfo.EContent.Bytes, nil 215 | } 216 | 217 | func wstrToString(b []byte) (string, error) { 218 | count := len(b) 219 | if count == 0 { 220 | return "", nil 221 | } 222 | if count%2 != 0 { 223 | return "", fmt.Errorf("length must be even") 224 | } 225 | var order binary.ByteOrder 226 | order = binary.LittleEndian 227 | bom := [2]byte{b[0], b[1]} 228 | switch bom { 229 | case [2]byte{0xff, 0xfe}: 230 | b = b[2:] 231 | case [2]byte{0xfe, 0xff}: 232 | b = b[2:] 233 | order = binary.BigEndian 234 | } 235 | 236 | buf := make([]uint16, len(b)/2) 237 | if err := binary.Read(bytes.NewReader(b), order, &buf); err != nil { 238 | return "", err 239 | } 240 | 241 | return string(bytes.Trim([]byte(string(utf16.Decode(buf))), "\x00")), nil 242 | } 243 | -------------------------------------------------------------------------------- /ctl/ctl_microsoft_test.go: -------------------------------------------------------------------------------- 1 | package ctl 2 | 3 | import ( 4 | "os" 5 | "testing" 6 | ) 7 | 8 | func Test_parseAuthroot(t *testing.T) { 9 | type args struct { 10 | b []byte 11 | } 12 | stlAuthroot, err := os.ReadFile("testdata/authroot.stl") 13 | if err != nil { 14 | t.Fatalf("parseAuthroot() error: %v", err) 15 | } 16 | tests := []struct { 17 | name string 18 | args args 19 | wantLength int 20 | wantErr bool 21 | }{ 22 | { 23 | name: "empty data", 24 | args: args{ 25 | b: []byte{}, 26 | }, 27 | wantLength: 0, 28 | wantErr: true, 29 | }, 30 | { 31 | name: "real authroot.stl", 32 | args: args{ 33 | b: stlAuthroot, 34 | }, 35 | wantLength: 436, 36 | wantErr: false, 37 | }, 38 | } 39 | for _, tt := range tests { 40 | t.Run(tt.name, func(t *testing.T) { 41 | got, err := parseAuthroot(tt.args.b) 42 | if (err != nil) != tt.wantErr { 43 | t.Errorf("parseAuthroot() error = %v, wantErr %v", err, tt.wantErr) 44 | return 45 | } 46 | if len(got) != tt.wantLength { 47 | t.Errorf("parseAuthroot(), len(Entrys) = %v, want >= %v", len(got), tt.wantLength) 48 | } 49 | // if !reflect.DeepEqual(got, tt.want) { 50 | // t.Errorf("parseAuthroot() = %v, want %v", got, tt.want) 51 | // } 52 | }) 53 | } 54 | } 55 | 56 | func TestMicrosoftCTL_Fetch(t *testing.T) { 57 | ctl := NewMicrosoftCTL() 58 | err := ctl.Fetch() 59 | if err != nil { 60 | t.Errorf("MicrosoftCTL.Fetch() error = %v", err) 61 | } 62 | if len(ctl.CTL.Trusted) == 0 { 63 | t.Errorf("MicrosoftCTL.Fetch() error = %v", "no trusted certs, may be parse error") 64 | } 65 | } 66 | -------------------------------------------------------------------------------- /ctl/ctl_mozilla.go: -------------------------------------------------------------------------------- 1 | package ctl 2 | 3 | import ( 4 | "bytes" 5 | "fmt" 6 | "time" 7 | ) 8 | 9 | const ( 10 | MozillaIncludedCACertificateReportCSV = "https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReportCSVFormat" 11 | MozillaRemovedCACertificateReportCSV = "https://ccadb-public.secure.force.com/mozilla/RemovedCACertificateReportCSVFormat" 12 | ) 13 | 14 | type MozillaCTL struct { 15 | *CTL `yaml:",inline"` 16 | URLIncluded string `yaml:"url_included,omitempty"` 17 | ChecksumIncluded string `yaml:"checksum_included,omitempty"` 18 | URLRemoved string `yaml:"url_removed,omitempty"` 19 | ChecksumRemoved string `yaml:"checksum_removed,omitempty"` 20 | } 21 | 22 | func NewMozillaCTL() *MozillaCTL { 23 | return &MozillaCTL{ 24 | CTL: NewCTL(), 25 | URLIncluded: MozillaIncludedCACertificateReportCSV, 26 | ChecksumIncluded: "", 27 | URLRemoved: MozillaRemovedCACertificateReportCSV, 28 | ChecksumRemoved: "", 29 | } 30 | } 31 | 32 | // Verify that the specified certificate is included in the CTL or has been removed 33 | func (ctl *MozillaCTL) Verify(certs []*Cert, allowedCerts Entrys) *VerifyResult { 34 | ret := VerifyResult{ 35 | Total: len(certs), 36 | TrustedCerts: []*Cert{}, 37 | AllowedCerts: []*Cert{}, 38 | allowedDesc: "Allow by yourself in the config file.\n", 39 | RemovedCerts: []*Cert{}, 40 | removedDesc: "Use SHA256 to find the reason for removal (Removal Bug No. or Date) in: \nhttps://ccadb-public.secure.force.com/mozilla/RemovedCACertificateReport\n", 41 | UnknownCerts: []*Cert{}, 42 | unknownDesc: "", 43 | } 44 | ctl.verify(certs, allowedCerts, &ret) 45 | return &ret 46 | } 47 | 48 | // Fetch Mozilla's CA certificate report from https://www.ccadb.org 49 | func (ctl *MozillaCTL) Fetch() error { 50 | if ctl.CTL == nil { 51 | ctl.CTL = NewCTL() 52 | } 53 | 54 | body, err := getBody(MozillaIncludedCACertificateReportCSV) 55 | if err != nil { 56 | return err 57 | } 58 | 59 | if err := ctl.parseIncludedCSV(body); err != nil { 60 | return err 61 | } 62 | 63 | body, err = getBody(MozillaRemovedCACertificateReportCSV) 64 | if err != nil { 65 | return err 66 | } 67 | 68 | err = ctl.parseRemovedCSV(body) 69 | 70 | return err 71 | } 72 | 73 | func (ctl *MozillaCTL) parseIncludedCSV(body []byte) error { 74 | checksum := getChecksum(body) 75 | if checksum == ctl.ChecksumIncluded { // no update 76 | return nil 77 | } 78 | c, err := csvReadToMap(bytes.NewReader(body)) 79 | if err != nil { 80 | return fmt.Errorf("read csv file err: %w", err) 81 | } 82 | 83 | for _, v := range c { 84 | name := v["Common Name or Certificate Name"] 85 | sha256 := v["SHA-256 Fingerprint"] 86 | ctl.Trusted[sha256] = name 87 | } 88 | ctl.ChecksumIncluded = checksum 89 | ctl.UpdatedAt = time.Now() 90 | 91 | return nil 92 | } 93 | 94 | func (ctl *MozillaCTL) parseRemovedCSV(body []byte) error { 95 | checksum := getChecksum(body) 96 | if checksum == ctl.ChecksumRemoved { // no update 97 | return nil 98 | } 99 | 100 | c, err := csvReadToMap(bytes.NewReader(body)) 101 | if err != nil { 102 | return fmt.Errorf("read csv file err: %w", err) 103 | } 104 | 105 | for _, v := range c { 106 | name := v["Root Certificate Name"] 107 | sha256 := v["SHA-256 Fingerprint"] 108 | ctl.Removed[sha256] = name 109 | } 110 | ctl.ChecksumRemoved = checksum 111 | ctl.UpdatedAt = time.Now() 112 | 113 | return nil 114 | } 115 | -------------------------------------------------------------------------------- /ctl/ctl_mozilla_test.go: -------------------------------------------------------------------------------- 1 | package ctl 2 | 3 | import "testing" 4 | 5 | func TestMozillaCTL_Fetch(t *testing.T) { 6 | ctl := NewMozillaCTL() 7 | err := ctl.Fetch() 8 | if err != nil { 9 | t.Errorf("MozillaCTL.Fetch() error = %v", err) 10 | } 11 | if len(ctl.CTL.Trusted) == 0 { 12 | t.Errorf("MozillaCTL.Fetch() error = %v", "no trusted certs, may be parse error") 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /ctl/misc.go: -------------------------------------------------------------------------------- 1 | package ctl 2 | 3 | import ( 4 | "bytes" 5 | "context" 6 | "crypto/sha256" 7 | "encoding/csv" 8 | "encoding/hex" 9 | "fmt" 10 | "io" 11 | "io/fs" 12 | "os" 13 | "path/filepath" 14 | "strings" 15 | "time" 16 | 17 | "github.com/carlmjohnson/requests" 18 | ) 19 | 20 | func csvReadToMap(in io.Reader) ([]map[string]string, error) { 21 | r := csv.NewReader(in) 22 | records, err := r.ReadAll() 23 | if err != nil { 24 | return nil, err 25 | } 26 | ret := []map[string]string{} 27 | keys := []string{} 28 | for k, v := range records { 29 | if k == 0 { 30 | keys = v 31 | continue 32 | } 33 | item := map[string]string{} 34 | if len(keys) != len(v) { 35 | continue 36 | } 37 | for i, j := range v { 38 | item[keys[i]] = j 39 | } 40 | ret = append(ret, item) 41 | } 42 | return ret, nil 43 | } 44 | 45 | func getBody(url string) ([]byte, error) { 46 | var buf bytes.Buffer 47 | err := requests.URL(url). 48 | ToBytesBuffer(&buf).Fetch(context.Background()) 49 | if err != nil { 50 | return nil, fmt.Errorf("get remote csv fail: %w", err) 51 | } 52 | return buf.Bytes(), nil 53 | } 54 | 55 | func getChecksum(data []byte) string { 56 | hash := sha256.Sum256(data) 57 | return strings.ToUpper(hex.EncodeToString(hash[:])) 58 | } 59 | 60 | // readUniqueDirectoryEntries is like os.ReadDir but omits 61 | // symlinks that point within the directory. 62 | func readUniqueDirectoryEntries(dir string) ([]fs.DirEntry, error) { //nolint:unused 63 | files, err := os.ReadDir(dir) 64 | if err != nil { 65 | return nil, err 66 | } 67 | uniq := files[:0] 68 | for _, f := range files { 69 | if !isSameDirSymlink(f, dir) { 70 | uniq = append(uniq, f) 71 | } 72 | } 73 | return uniq, nil 74 | } 75 | 76 | // isSameDirSymlink reports whether fi in dir is a symlink with a 77 | // target not containing a slash. 78 | func isSameDirSymlink(f fs.DirEntry, dir string) bool { //nolint:unused 79 | if f.Type()&fs.ModeSymlink == 0 { 80 | return false 81 | } 82 | target, err := os.Readlink(filepath.Join(dir, f.Name())) 83 | return err == nil && !strings.Contains(target, "/") 84 | } 85 | 86 | func parseDate(date string) (t time.Time, err error) { 87 | t, err = time.Parse("2006-01-02", date) 88 | if err != nil { 89 | t, err = time.Parse("Jan _2, 2006", date) 90 | } 91 | if err != nil { 92 | t, err = time.Parse("2006-1-2", date) 93 | } 94 | if err != nil { 95 | t, err = time.Parse("January _2, 2006", date) 96 | } 97 | return t, err 98 | } 99 | -------------------------------------------------------------------------------- /ctl/misc_test.go: -------------------------------------------------------------------------------- 1 | package ctl 2 | 3 | import ( 4 | "reflect" 5 | "testing" 6 | "time" 7 | ) 8 | 9 | func Test_parseDate(t *testing.T) { 10 | type args struct { 11 | date string 12 | } 13 | tests := []struct { 14 | name string 15 | args args 16 | want time.Time 17 | wantErr bool 18 | }{ 19 | { 20 | name: "2022-09-02", 21 | args: args{ 22 | date: "2022-09-02", 23 | }, 24 | want: time.Date(2022, time.September, 2, 0, 0, 0, 0, time.UTC), 25 | wantErr: false, 26 | }, 27 | { 28 | name: "2022-9-2", 29 | args: args{ 30 | date: "2022-9-2", 31 | }, 32 | want: time.Date(2022, time.September, 2, 0, 0, 0, 0, time.UTC), 33 | wantErr: false, 34 | }, 35 | { 36 | name: "Sep 2, 2022", 37 | args: args{ 38 | date: "Sep 2, 2022", 39 | }, 40 | want: time.Date(2022, time.September, 2, 0, 0, 0, 0, time.UTC), 41 | wantErr: false, 42 | }, 43 | { 44 | name: "Sep 02, 2022", 45 | args: args{ 46 | date: "Sep 02, 2022", 47 | }, 48 | want: time.Date(2022, time.September, 2, 0, 0, 0, 0, time.UTC), 49 | wantErr: false, 50 | }, 51 | { 52 | name: "September 2, 2022", 53 | args: args{ 54 | date: "September 2, 2022", 55 | }, 56 | want: time.Date(2022, time.September, 2, 0, 0, 0, 0, time.UTC), 57 | wantErr: false, 58 | }, 59 | { 60 | name: "September 02, 2022", 61 | args: args{ 62 | date: "September 02, 2022", 63 | }, 64 | want: time.Date(2022, time.September, 2, 0, 0, 0, 0, time.UTC), 65 | wantErr: false, 66 | }, 67 | } 68 | for _, tt := range tests { 69 | t.Run(tt.name, func(t *testing.T) { 70 | got, err := parseDate(tt.args.date) 71 | if (err != nil) != tt.wantErr { 72 | t.Errorf("parseDate() error = %v, wantErr %v", err, tt.wantErr) 73 | return 74 | } 75 | if !reflect.DeepEqual(got, tt.want) { 76 | t.Errorf("parseDate() = %v, want %v", got, tt.want) 77 | } 78 | }) 79 | } 80 | } 81 | -------------------------------------------------------------------------------- /ctl/testdata/authroot.stl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/canstand/ctlcheck/d06d27bd7b35f1631deec2cd06aad7ee42d562b0/ctl/testdata/authroot.stl -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/canstand/ctlcheck 2 | 3 | go 1.21.9 4 | 5 | require ( 6 | github.com/antchfx/htmlquery v1.3.0 7 | github.com/carlmjohnson/exitcode v0.20.2 8 | github.com/carlmjohnson/flagext v0.22.1 9 | github.com/carlmjohnson/requests v0.23.5 10 | github.com/github/smimesign v0.2.0 11 | github.com/pterm/pterm v0.12.79 12 | golang.org/x/net v0.23.0 13 | gopkg.in/yaml.v3 v3.0.1 14 | ) 15 | 16 | require ( 17 | atomicgo.dev/cursor v0.2.0 // indirect 18 | atomicgo.dev/keyboard v0.2.9 // indirect 19 | atomicgo.dev/schedule v0.1.0 // indirect 20 | github.com/antchfx/xpath v1.2.5 // indirect 21 | github.com/containerd/console v1.0.4 // indirect 22 | github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect 23 | github.com/gookit/color v1.5.4 // indirect 24 | github.com/lithammer/fuzzysearch v1.1.8 // indirect 25 | github.com/mattn/go-runewidth v0.0.15 // indirect 26 | github.com/rivo/uniseg v0.4.7 // indirect 27 | github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect 28 | golang.org/x/sys v0.18.0 // indirect 29 | golang.org/x/term v0.18.0 // indirect 30 | golang.org/x/text v0.14.0 // indirect 31 | ) 32 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | atomicgo.dev/assert v0.0.2 h1:FiKeMiZSgRrZsPo9qn/7vmr7mCsh5SZyXY4YGYiYwrg= 2 | atomicgo.dev/assert v0.0.2/go.mod h1:ut4NcI3QDdJtlmAxQULOmA13Gz6e2DWbSAS8RUOmNYQ= 3 | atomicgo.dev/cursor v0.2.0 h1:H6XN5alUJ52FZZUkI7AlJbUc1aW38GWZalpYRPpoPOw= 4 | atomicgo.dev/cursor v0.2.0/go.mod h1:Lr4ZJB3U7DfPPOkbH7/6TOtJ4vFGHlgj1nc+n900IpU= 5 | atomicgo.dev/keyboard v0.2.9 h1:tOsIid3nlPLZ3lwgG8KZMp/SFmr7P0ssEN5JUsm78K8= 6 | atomicgo.dev/keyboard v0.2.9/go.mod h1:BC4w9g00XkxH/f1HXhW2sXmJFOCWbKn9xrOunSFtExQ= 7 | atomicgo.dev/schedule v0.1.0 h1:nTthAbhZS5YZmgYbb2+DH8uQIZcTlIrd4eYr3UQxEjs= 8 | atomicgo.dev/schedule v0.1.0/go.mod h1:xeUa3oAkiuHYh8bKiQBRojqAMq3PXXbJujjb0hw8pEU= 9 | github.com/MarvinJWendt/testza v0.1.0/go.mod h1:7AxNvlfeHP7Z/hDQ5JtE3OKYT3XFUeLCDE2DQninSqs= 10 | github.com/MarvinJWendt/testza v0.2.1/go.mod h1:God7bhG8n6uQxwdScay+gjm9/LnO4D3kkcZX4hv9Rp8= 11 | github.com/MarvinJWendt/testza v0.2.8/go.mod h1:nwIcjmr0Zz+Rcwfh3/4UhBp7ePKVhuBExvZqnKYWlII= 12 | github.com/MarvinJWendt/testza v0.2.10/go.mod h1:pd+VWsoGUiFtq+hRKSU1Bktnn+DMCSrDrXDpX2bG66k= 13 | github.com/MarvinJWendt/testza v0.2.12/go.mod h1:JOIegYyV7rX+7VZ9r77L/eH6CfJHHzXjB69adAhzZkI= 14 | github.com/MarvinJWendt/testza v0.3.0/go.mod h1:eFcL4I0idjtIx8P9C6KkAuLgATNKpX4/2oUqKc6bF2c= 15 | github.com/MarvinJWendt/testza v0.4.2/go.mod h1:mSdhXiKH8sg/gQehJ63bINcCKp7RtYewEjXsvsVUPbE= 16 | github.com/MarvinJWendt/testza v0.5.2 h1:53KDo64C1z/h/d/stCYCPY69bt/OSwjq5KpFNwi+zB4= 17 | github.com/MarvinJWendt/testza v0.5.2/go.mod h1:xu53QFE5sCdjtMCKk8YMQ2MnymimEctc4n3EjyIYvEY= 18 | github.com/antchfx/htmlquery v1.3.0 h1:5I5yNFOVI+egyia5F2s/5Do2nFWxJz41Tr3DyfKD25E= 19 | github.com/antchfx/htmlquery v1.3.0/go.mod h1:zKPDVTMhfOmcwxheXUsx4rKJy8KEY/PU6eXr/2SebQ8= 20 | github.com/antchfx/xpath v1.2.3/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs= 21 | github.com/antchfx/xpath v1.2.5 h1:hqZ+wtQ+KIOV/S3bGZcIhpgYC26um2bZYP2KVGcR7VY= 22 | github.com/antchfx/xpath v1.2.5/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs= 23 | github.com/atomicgo/cursor v0.0.1/go.mod h1:cBON2QmmrysudxNBFthvMtN32r3jxVRIvzkUiF/RuIk= 24 | github.com/carlmjohnson/exitcode v0.20.2 h1:vE6rmkCGNA4kO4m1qwWIa77PKlUBVg46cNjs22eAOXE= 25 | github.com/carlmjohnson/exitcode v0.20.2/go.mod h1:MZ6ThCDx517DQcrpYnnns1pLh8onjFl+B/AsrOrdmpc= 26 | github.com/carlmjohnson/flagext v0.22.1 h1:EdIj8NCAOZKikL1Ux55oc3JUJeeAUrsC+A2OaUCdVL0= 27 | github.com/carlmjohnson/flagext v0.22.1/go.mod h1:SKojRbVQTvw04RKgb+4Y1mSlAPFC3p76pUNXGUaJZuQ= 28 | github.com/carlmjohnson/requests v0.23.5 h1:NPANcAofwwSuC6SIMwlgmHry2V3pLrSqRiSBKYbNHHA= 29 | github.com/carlmjohnson/requests v0.23.5/go.mod h1:zG9P28thdRnN61aD7iECFhH5iGGKX2jIjKQD9kqYH+o= 30 | github.com/certifi/gocertifi v0.0.0-20180118203423-deb3ae2ef261/go.mod h1:GJKEexRPVJrBSOjoqN5VNOIKJ5Q3RViH6eu3puDRwx4= 31 | github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U= 32 | github.com/containerd/console v1.0.4 h1:F2g4+oChYvBTsASRTz8NP6iIAi97J3TtSAsLbIFn4ro= 33 | github.com/containerd/console v1.0.4/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk= 34 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 35 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 36 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 37 | github.com/github/smimesign v0.2.0 h1:Hho4YcX5N1I9XNqhq0fNx0Sts8MhLonHd+HRXVGNjvk= 38 | github.com/github/smimesign v0.2.0/go.mod h1:iZiiwNT4HbtGRVqCQu7uJPEZCuEE5sfSSttcnePkDl4= 39 | github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= 40 | github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 41 | github.com/gookit/color v1.4.2/go.mod h1:fqRyamkC1W8uxl+lxCQxOT09l/vYfZ+QeiX3rKQHCoQ= 42 | github.com/gookit/color v1.5.0/go.mod h1:43aQb+Zerm/BWh2GnrgOQm7ffz7tvQXEKV6BFMl7wAo= 43 | github.com/gookit/color v1.5.4 h1:FZmqs7XOyGgCAxmWyPslpiok1k05wmY3SJTytgvYFs0= 44 | github.com/gookit/color v1.5.4/go.mod h1:pZJOeOS8DM43rXbp4AZo1n9zCU2qjpcRko0b6/QJi9w= 45 | github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= 46 | github.com/klauspost/cpuid/v2 v2.0.10/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c= 47 | github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c= 48 | github.com/klauspost/cpuid/v2 v2.2.3 h1:sxCkb+qR91z4vsqw4vGGZlDgPz3G7gjaLyK3V8y70BU= 49 | github.com/klauspost/cpuid/v2 v2.2.3/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY= 50 | github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= 51 | github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= 52 | github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 53 | github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= 54 | github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= 55 | github.com/lithammer/fuzzysearch v1.1.8 h1:/HIuJnjHuXS8bKaiTMeeDlW2/AyIWk2brx1V8LFgLN4= 56 | github.com/lithammer/fuzzysearch v1.1.8/go.mod h1:IdqeyBClc3FFqSzYq/MXESsS4S0FsZ5ajtkr5xPLts4= 57 | github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= 58 | github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U= 59 | github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= 60 | github.com/pborman/getopt v0.0.0-20180811024354-2b5b3bfb099b/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o= 61 | github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 62 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 63 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 64 | github.com/pterm/pterm v0.12.27/go.mod h1:PhQ89w4i95rhgE+xedAoqous6K9X+r6aSOI2eFF7DZI= 65 | github.com/pterm/pterm v0.12.29/go.mod h1:WI3qxgvoQFFGKGjGnJR849gU0TsEOvKn5Q8LlY1U7lg= 66 | github.com/pterm/pterm v0.12.30/go.mod h1:MOqLIyMOgmTDz9yorcYbcw+HsgoZo3BQfg2wtl3HEFE= 67 | github.com/pterm/pterm v0.12.31/go.mod h1:32ZAWZVXD7ZfG0s8qqHXePte42kdz8ECtRyEejaWgXU= 68 | github.com/pterm/pterm v0.12.33/go.mod h1:x+h2uL+n7CP/rel9+bImHD5lF3nM9vJj80k9ybiiTTE= 69 | github.com/pterm/pterm v0.12.36/go.mod h1:NjiL09hFhT/vWjQHSj1athJpx6H8cjpHXNAK5bUw8T8= 70 | github.com/pterm/pterm v0.12.40/go.mod h1:ffwPLwlbXxP+rxT0GsgDTzS3y3rmpAO1NMjUkGTYf8s= 71 | github.com/pterm/pterm v0.12.79 h1:lH3yrYMhdpeqX9y5Ep1u7DejyHy7NSQg9qrBjF9dFT4= 72 | github.com/pterm/pterm v0.12.79/go.mod h1:1v/gzOF1N0FsjbgTHZ1wVycRkKiatFvJSJC4IGaQAAo= 73 | github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= 74 | github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= 75 | github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= 76 | github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ= 77 | github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= 78 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 79 | github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= 80 | github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 81 | github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 82 | github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 83 | github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= 84 | github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= 85 | github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778/go.mod h1:2MuV+tbUrU1zIOPMxZ5EncGwgmMJsa+9ucAQZXxsObs= 86 | github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no= 87 | github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM= 88 | github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= 89 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 90 | golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 91 | golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= 92 | golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= 93 | golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= 94 | golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561 h1:MDc5xs78ZrZr3HMQugiXOAkSZtfTpbJLDr/lwfgO53E= 95 | golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE= 96 | golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= 97 | golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= 98 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 99 | golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 100 | golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= 101 | golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= 102 | golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws= 103 | golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= 104 | golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= 105 | golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= 106 | golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 107 | golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 108 | golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 109 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 110 | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 111 | golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 112 | golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 113 | golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 114 | golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 115 | golang.org/x/sys v0.0.0-20211013075003-97ac67df715c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 116 | golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 117 | golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 118 | golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 119 | golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 120 | golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 121 | golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 122 | golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= 123 | golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= 124 | golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 125 | golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 126 | golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 127 | golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 128 | golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ= 129 | golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= 130 | golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8= 131 | golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= 132 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 133 | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 134 | golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= 135 | golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= 136 | golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= 137 | golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= 138 | golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= 139 | golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= 140 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 141 | golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 142 | golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= 143 | golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= 144 | golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 145 | golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 146 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 147 | gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo= 148 | gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 149 | gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 150 | gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 151 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 152 | gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 153 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 154 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 155 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "os" 5 | 6 | "github.com/canstand/ctlcheck/app" 7 | "github.com/carlmjohnson/exitcode" 8 | ) 9 | 10 | func main() { 11 | exitcode.Exit(app.CLI(os.Args[1:])) 12 | } 13 | -------------------------------------------------------------------------------- /snapshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/canstand/ctlcheck/d06d27bd7b35f1631deec2cd06aad7ee42d562b0/snapshot.png --------------------------------------------------------------------------------