xenOs76 · xenOs76 · Dec 16, 2025 · Dec 15, 2025 · Dec 15, 2025 · Dec 15, 2025
diff --git a/cmd/certinfo.go b/cmd/certinfo.go
@@ -6,6 +6,7 @@ package cmd
 
 import (
 	"fmt"
+	"os"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@@ -16,6 +17,7 @@ var (
 	tlsEndpoint   string
 	tlsServerName string
 	tlsInsecure   bool
+	keyPwEnvVar   = "CERTINFO_PKEY_PW"
 )
 
 var certinfoCmd = &cobra.Command{
@@ -71,24 +73,30 @@ Examples:
 
 		certinfoCfg.SetTLSInsecure(tlsInsecure).SetTLSServerName(tlsServerName)
 
-		if err := certinfoCfg.SetCaPoolFromFile(caBundleValue, fileReader); err != nil {
+		if err = certinfoCfg.SetCaPoolFromFile(caBundleValue, fileReader); err != nil {
 			fmt.Printf("Error importing CA Certificate bundle from file: %s", err)
 		}
 
-		if err := certinfoCfg.SetCertsFromFile(certBundleValue, fileReader); err != nil {
+		if err = certinfoCfg.SetCertsFromFile(certBundleValue, fileReader); err != nil {
 			fmt.Printf("Error importing Certificate bundle from file: %s", err)
 		}
 
-		if err := certinfoCfg.SetTLSEndpoint(tlsEndpoint); err != nil {
+		if err = certinfoCfg.SetTLSEndpoint(tlsEndpoint); err != nil {
 			fmt.Printf("Error setting TLS endpoint: %s", err)
 		}
 
-		if err := certinfoCfg.SetPrivateKeyFromFile(keyFileValue, fileReader); err != nil {
+		if err = certinfoCfg.SetPrivateKeyFromFile(
+			keyFileValue,
+			keyPwEnvVar,
+			fileReader,
+		); err != nil {
 			fmt.Printf("Error importing key from file: %s", err)
 		}
 
 		// dump.Print(certinfoCfg)
-		certinfoCfg.PrintData()
+		if err = certinfoCfg.PrintData(os.Stdout); err != nil {
+			fmt.Printf("error printing Certinfo data: %s", err)
+		}
 	},
 }
 

diff --git a/devenv.nix b/devenv.nix
@@ -452,65 +452,65 @@ in {
   '';
 
   scripts.test-certinfo-tlsendpoint.exec = ''
-    gum format "## test certinfo tlsEnpoint"
+    gum format "## test certinfo tlsEndpoint"
     ./dist/https-wrench certinfo --tls-endpoint repo.os76.xyz:443
   '';
 
   scripts.test-certinfo-tlsendpoint-wrong-ca-file.exec = ''
-    gum format "## test certinfo tlsEnpoint with wrong CA file"
+    gum format "## test certinfo tlsEndpoint with wrong CA file"
     set +o pipefail
     ./dist/https-wrench certinfo --tls-endpoint repo.os76.xyz:443 --ca-bundle $CAROOT/rootCA.pem 2>&1 | grep 'certificate signed by unknown authority'
   '';
 
   scripts.test-certinfo-tlsendpoint-servername.exec = ''
-    gum format "## test certinfo tlsEnpoint servername"
+    gum format "## test certinfo tlsEndpoint servername"
     ./dist/https-wrench certinfo --tls-endpoint repo.os76.xyz:443 --tls-servername www.os76.xyz
   '';
 
   scripts.test-certinfo-tlsendpoint-timeout.exec = ''
-    gum format "## test certinfo tlsEnpoint timeout"
+    gum format "## test certinfo tlsEndpoint timeout"
     set +o pipefail
     ./dist/https-wrench certinfo --tls-endpoint repo.os76.xyz:344 2>&1 | grep timeout
   '';
 
   scripts.test-certinfo-tlsendpoint-malformed.exec = ''
-    gum format "## test certinfo tlsEnpoint malformed (missing port)"
+    gum format "## test certinfo tlsEndpoint malformed (missing port)"
     set +o pipefail
     ./dist/https-wrench certinfo --tls-endpoint repo.os76.xyz | grep 'missing port in address'
   '';
 
   scripts.test-certinfo-tlsendpoint-insecure.exec = ''
-    gum format "## test certinfo tlsEnpoint Insecure"
+    gum format "## test certinfo tlsEndpoint Insecure"
     ./dist/https-wrench certinfo --tls-endpoint localhost:9443 --tls-insecure | grep 'certificate signed by unknown authority'
   '';
 
   scripts.test-certinfo-tlsendpoint-ca-bundle.exec = ''
-    gum format "## test certinfo tlsEnpoint + ca-bundle"
+    gum format "## test certinfo tlsEndpoint + ca-bundle"
     ./dist/https-wrench certinfo --tls-endpoint localhost:9443 --ca-bundle $CAROOT/rootCA.pem
   '';
 
   scripts.test-certinfo-tlsendpoint-ca-bundle-ipv4.exec = ''
-    gum format "## test certinfo IPv4 tlsEnpoint + ca-bundle"
+    gum format "## test certinfo IPv4 tlsEndpoint + ca-bundle"
     ./dist/https-wrench certinfo --tls-endpoint 127.0.0.1:9443 --ca-bundle $CAROOT/rootCA.pem
   '';
 
   scripts.test-certinfo-tlsendpoint-ca-bundle-ipv6.exec = ''
-    gum format "## test certinfo IPV6 tlsEnpoint + ca-bundle "
+    gum format "## test certinfo IPV6 tlsEndpoint + ca-bundle "
     ./dist/https-wrench certinfo --tls-endpoint [::1]:9443 --ca-bundle $CAROOT/rootCA.pem
   '';
 
   scripts.test-certinfo-tlsendpoint-rsa-key-cert.exec = ''
-    gum format "## test certinfo tlsEnpoint: RSA key + cert"
+    gum format "## test certinfo tlsEndpoint: RSA key + cert"
     ./dist/https-wrench certinfo --tls-endpoint localhost:9443 --tls-insecure --tls-servername example.com --key-file $CAROOT/key.pem | grep 'PrivateKey match: true'
   '';
 
   scripts.test-certinfo-tlsendpoint-ecdsa-key-cert.exec = ''
-    gum format "## test certinfo tlsEnpoint: ECDSA key + cert"
+    gum format "## test certinfo tlsEndpoint: ECDSA key + cert"
     ./dist/https-wrench certinfo --tls-endpoint localhost:9446 --tls-insecure --tls-servername example.com --key-file $ECDSA_DIR/ecdsa.key | grep 'PrivateKey match: true'
   '';
 
   scripts.test-certinfo-tlsendpoint-ed25519-key-cert.exec = ''
-    gum format "## test certinfo tlsEnpoint: ED25519 key + cert"
+    gum format "## test certinfo tlsEndpoint: ED25519 key + cert"
     ./dist/https-wrench certinfo --tls-endpoint localhost:9445 --tls-insecure --tls-servername example.com --key-file $ED25519_DIR/ed25519.key | grep 'PrivateKey match: true'
   '';
 

diff --git a/internal/certinfo/certinfo.go b/internal/certinfo/certinfo.go
@@ -31,7 +31,6 @@ type CertinfoConfig struct {
 	TLSEndpointPort         string
 	TLSEndpointCerts        []*x509.Certificate
 	TLSEndpointCertsFromKey bool
-	TLSEndpointCertsValid   bool
 	TLSServerName           string
 	TLSInsecure             bool
 }
@@ -96,7 +95,10 @@ func (c *CertinfoConfig) SetCaPoolFromFile(filePath string, fileReader Reader) e
 
 func (c *CertinfoConfig) SetCertsFromFile(filePath string, fileReader Reader) error {
 	if filePath != emptyString {
-		certs, err := GetCertsFromBundle(filePath, fileReader)
+		certs, err := GetCertsFromBundle(
+			filePath,
+			fileReader,
+		)
 		if err != nil {
 			return err
 		}
@@ -108,11 +110,15 @@ func (c *CertinfoConfig) SetCertsFromFile(filePath string, fileReader Reader) er
 	return nil
 }
 
-func (c *CertinfoConfig) SetPrivateKeyFromFile(filePath string, fileReader Reader) error {
+func (c *CertinfoConfig) SetPrivateKeyFromFile(
+	filePath string,
+	keyPwEnvVar string,
+	fileReader Reader,
+) error {
 	if filePath != emptyString {
 		keyFromFile, err := GetKeyFromFile(
 			filePath,
-			privateKeyPwEnvVar,
+			keyPwEnvVar,
 			fileReader,
 		)
 		if err != nil {
@@ -126,31 +132,34 @@ func (c *CertinfoConfig) SetPrivateKeyFromFile(filePath string, fileReader Reade
 	return nil
 }
 
-func (c *CertinfoConfig) SetTLSEndpoint(e string) error {
-	if e != "" {
-		c.TLSEndpoint = e
-
-		eHost, ePort, err := net.SplitHostPort(c.TLSEndpoint)
+func (c *CertinfoConfig) SetTLSEndpoint(hostport string) error {
+	if hostport != emptyString {
+		eHost, ePort, err := net.SplitHostPort(hostport)
 		if err != nil {
-			return fmt.Errorf("invalid TLS endpoint %q: %w", c.TLSEndpoint, err)
+			return fmt.Errorf("invalid TLS endpoint %q: %w", hostport, err)
 		}
 
+		c.TLSEndpoint = hostport
 		c.TLSEndpointHost = eHost
 		c.TLSEndpointPort = ePort
-		c.GetRemoteCerts()
+
+		err = c.GetRemoteCerts()
+		if err != nil {
+			return fmt.Errorf("unable to get endpoint certificates: %w", err)
+		}
 	}
 
 	return nil
 }
 
-func (c *CertinfoConfig) SetTLSInsecure(b bool) *CertinfoConfig {
-	c.TLSInsecure = b
+func (c *CertinfoConfig) SetTLSInsecure(skipVerify bool) *CertinfoConfig {
+	c.TLSInsecure = skipVerify
 	return c
 }
 
-func (c *CertinfoConfig) SetTLSServerName(s string) *CertinfoConfig {
-	if s != "" {
-		c.TLSServerName = s
+func (c *CertinfoConfig) SetTLSServerName(serverName string) *CertinfoConfig {
+	if serverName != emptyString {
+		c.TLSServerName = serverName
 	}
 
 	return c