Makefile

-.PHONY: default getdeps
+.PHONY: default
 
 .DEFAULT_GOAL := default
 
-getdeps:
-	go get gitlab.kit.edu/kit/kit-ca/lib/certificatestats/ca-websearch...
-
 default: *.go ca-websearch/*.go
-	go install -v  -ldflags="-s -w" gitlab.kit.edu/kit/kit-ca/lib/certificatestats/ca-websearch
+	go get -v -u
+	go install -v -ldflags="-s -w" gitlab.kit.edu/kit/kit-ca/websearch/ca-websearch

ca-websearch/daemon.go

@@ -17,7 +17,7 @@ import (
 	"github.com/gofrs/uuid"
 	"github.com/gorilla/mux"
 	_ "github.com/k0kubun/pp"
-	. "gitlab.kit.edu/kit/kit-ca/websearch"
+	. "gitlab.kit.edu/kit/kit-ca/websearch" //nolint:typecheck
 )
 
 const (
@@ -33,9 +33,7 @@ var (
 	ccache           *CertCache
 	certRepoDir      string
 	webrootDir       string
-	watcherDone      chan bool
 	initialBatchDone = make(chan bool, 1)
-	newFileChan      chan string
 	allWatchers      map[int]*AttributeState
 )
 
@@ -87,18 +85,18 @@ func redirectHandler(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-func pubsearchHandler(w http.ResponseWriter, r *http.Request) {
+func publicSearchHandler(w http.ResponseWriter, r *http.Request) {
 	err := r.ParseForm()
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 	}
 	query := r.Form.Get("q")
-	filter := MakePublicSearchFilter(query, allWatchers[WatchVisibile])
+	filter := MakePublicSearchFilter(query, allWatchers[WatchVisible])
 	results := ccache.Filter(filter)
 	sort.Sort(results)
 	w.Header().Set("cache-control", "no-store")
 	w.Header().Set("Content-Type", "application/json")
-	w.Write(results.JSONString(allWatchers))
+	_, _ = w.Write(results.JSONString(allWatchers))
 }
 
 func searchHandler(w http.ResponseWriter, r *http.Request) {
@@ -112,7 +110,7 @@ func searchHandler(w http.ResponseWriter, r *http.Request) {
 	sort.Sort(results)
 	w.Header().Set("cache-control", "no-store")
 	w.Header().Set("Content-Type", "application/json")
-	w.Write(results.JSONString(allWatchers))
+	_, _ = w.Write(results.JSONString(allWatchers))
 }
 
 func downloadHandler(w http.ResponseWriter, r *http.Request) {
@@ -125,18 +123,19 @@ func downloadHandler(w http.ResponseWriter, r *http.Request) {
 		u, _ := uuid.NewV4()
 		uuid4 := u.String()
 		log.Printf("[%s] unable to process request %s, serial %s not in cache", uuid4, r.URL.String(), serial)
-		errormsg := "Invalid serial number " + serial + " (errorid " + uuid4 + ")"
-		http.Error(w, errormsg, http.StatusBadRequest)
-	}
-	switch format {
-	case "der":
-		w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%s.crt", serial))
-		w.Header().Set("Content-Type", "application/pkix-cert")
-		w.Write(cert.GetDER())
-	case "pem":
-		w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%s.pem", serial))
-		w.Header().Set("Content-Type", "application/x-pem-file")
-		w.Write(cert.GetPEM())
+		errorMsg := "Invalid serial number " + serial + " (ErrorID " + uuid4 + ")"
+		http.Error(w, errorMsg, http.StatusBadRequest)
+	} else {
+		switch format {
+		case "der":
+			w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%s.crt", serial))
+			w.Header().Set("Content-Type", "application/pkix-cert")
+			_, _ = w.Write(cert.GetDER())
+		case "pem":
+			w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%s.pem", serial))
+			w.Header().Set("Content-Type", "application/x-pem-file")
+			_, _ = w.Write(cert.GetPEM())
+		}
 	}
 }
 
@@ -155,23 +154,23 @@ func pubDownloadHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	// check if certificate is public
-	if allWatchers[WatchVisibile].Is(cert.Serial, Public) == false {
+	if allWatchers[WatchVisible].Is(cert.Serial, Public) == false {
 		u, _ := uuid.NewV4()
 		uuid4 := u.String()
 		//log.Printf("[%s] certificate %s, serial %s not public", uuid4, r.URL.String(), serial)
-		errormsg := "Certificate " + serial + " is not public (errorid " + uuid4 + "), authorization required for download."
-		http.Error(w, errormsg, http.StatusUnauthorized)
+		errorMessage := "Certificate " + serial + " is not public (errorid " + uuid4 + "), authorization required for download."
+		http.Error(w, errorMessage, http.StatusUnauthorized)
 		return
 	}
 	switch format {
 	case "der":
 		w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%s.crt", serial))
 		w.Header().Set("Content-Type", "application/pkix-cert")
-		w.Write(cert.GetDER())
+		_, _ = w.Write(cert.GetDER())
 	case "pem":
 		w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%s.pem", serial))
 		w.Header().Set("Content-Type", "application/x-pem-file")
-		w.Write(cert.GetPEM())
+		_, _ = w.Write(cert.GetPEM())
 	}
 }
 
@@ -186,7 +185,7 @@ func emailtocertHandler(w http.ResponseWriter, r *http.Request) {
 		})
 	w.Header().Set("cache-control", "no-store")
 	w.Header().Set("Content-Type", "application/json")
-	w.Write(results.JSONString(allWatchers))
+	_, _ = w.Write(results.JSONString(allWatchers))
 }
 
 func main() {
@@ -214,7 +213,7 @@ func main() {
 	r.Path("/pubsearch/v1/json").
 		Methods("GET").
 		Queries("q", "").
-		HandlerFunc(pubsearchHandler)
+		HandlerFunc(publicSearchHandler)
 
 	// add internal search handler
 	r.Path("/search/v1/json").
@@ -246,7 +245,7 @@ func main() {
 				log.Print(requestErr)
 			}
 			w.Header().Set("content-type", "text/plain")
-			w.Write(requestDump)
+			_, _ = w.Write(requestDump)
 		})
 
 	// add handler for static files
@@ -260,7 +259,7 @@ func main() {
 			log.Print(requestErr)
 		}
 		w.Header().Set("content-type", "text/plain")
-		w.Write(requestDump)
+		_, _ = w.Write(requestDump)
 		http.NotFound(w, r)
 	})
 

debian/rules

@@ -3,7 +3,7 @@
 #DH_VERBOSE = 1
 #export DH_OPTIONS=-v
 
-export DH_GOLANG_BUILDPKG := gitlab.kit.edu/kit/kit-ca/lib/certificatestats/ca-websearch
+export DH_GOLANG_BUILDPKG := gitlab.kit.edu/kit/kit-ca/lib/certificatestats
 
 export DH_GOLANG_INSTALL_EXTRA := webroot
 

filewatcher.go

@@ -19,7 +19,7 @@ const (
 var (
 	serialMatcher            = regexp.MustCompile("(?:([[:digit:]]{8,})\\.pem)")
 	MagicInitialImportMarker = "Not an actual file"
-	MagicInitialFileEvent    = fsnotify.Event{"Not an actual file", fsnotify.Chmod}
+	MagicInitialFileEvent    = fsnotify.Event{Name: "Not an actual file", Op: fsnotify.Chmod}
 )
 
 // CertArchiveWatcher reads all certificates from the archive directory and watches
@@ -167,7 +167,7 @@ func SymlinkStateWatcher(path string, initialBatchDone chan bool) *CertSymlinkSt
 		for _, file := range files {
 			if !file.IsDir() {
 				fullname := filepath.Join(path, file.Name())
-				eventChan <- &fsnotify.Event{fullname, fsnotify.Create}
+				eventChan <- &fsnotify.Event{Name: fullname, Op: fsnotify.Create}
 			}
 		}
 		eventChan <- &MagicInitialFileEvent

go.mod

 module gitlab.kit.edu/kit/kit-ca/websearch
 
-go 1.19
+go 1.23.0
+
+toolchain go1.24.0
 
 require (
 	github.com/boltdb/bolt v1.3.1
-	github.com/fsnotify/fsnotify v1.6.0
+	github.com/fsnotify/fsnotify v1.8.0
 	github.com/gofrs/uuid v4.4.0+incompatible
 	github.com/gorilla/mux v1.8.1
 	github.com/gorilla/sessions v1.2.1
 	github.com/hashicorp/go-memdb v1.3.4
 	github.com/hreese/go-humanreltime v0.0.0-20170421160357-794c2e8d2412
 	github.com/k0kubun/pp v3.0.1+incompatible
-	github.com/mattn/go-colorable v0.1.13 // indirect
-	golang.org/x/text v0.13.0
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	golang.org/x/text v0.23.0
 )
 
+require gitlab.kit.edu/kit/kit-ca/lib/certificatestats v0.0.0-20250207165819-6c3517b36c80
+
 require (
 	github.com/gorilla/securecookie v1.1.1 // indirect
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 	github.com/hashicorp/golang-lru v1.0.2 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	gitlab.kit.edu/kit/kit-ca/lib/certificatestats v0.0.0-20250207165819-6c3517b36c80 // indirect
-	golang.org/x/sys v0.16.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
 )

go.sum

@@ -2,6 +2,8 @@ github.com/boltdb/bolt v1.3.1 h1:JQmyP4ZBrce+ZQu0dY660FMfatumYDLun9hBCUVIkF4=
 github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
+github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
+github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/gofrs/uuid v4.4.0+incompatible h1:3qXRTX8/NbyulANqlc0lchS1gqAVxRgsuW1YrTJupqA=
 github.com/gofrs/uuid v4.4.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
@@ -28,6 +30,8 @@ github.com/k0kubun/pp v3.0.1+incompatible h1:3tqvf7QgUnZ5tXO6pNAZlrvHgl6DvifjDrd
 github.com/k0kubun/pp v3.0.1+incompatible/go.mod h1:GWse8YhT0p8pT4ir3ZgBbfZild3tgzSScAn6HmfYukg=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
@@ -40,5 +44,9 @@ golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
 golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=

searchablecert.go

@@ -44,7 +44,7 @@ var (
 
 const (
 	WatchValid = 1 << iota
-	WatchVisibile
+	WatchVisible
 )
 
 // coarse Type
@@ -68,6 +68,17 @@ var SectigoPersonalFilter = func(c *x509.Certificate) bool {
 	return slices.Contains(sectigoIssuers, c.Issuer.String())
 }
 
+// IsUserHarica returns true if the certificate is a user certificate issued by HARICA
+var IsUserHarica = func(c *x509.Certificate) bool {
+	haricaIssuers := []string{
+		"C=GR, O=Hellenic Academic and Research Institutions CA, CN=HARICA Client RSA Root CA 2021",
+		"C=GR, O=Hellenic Academic and Research Institutions CA, CN=GEANT S/MIME RSA 1",
+		"C=GR, O=Hellenic Academic and Research Institutions CA, CN=HARICA Client ECC Root CA 2021",
+		"C=GR, O=Hellenic Academic and Research Institutions CA, CN=GEANT S/MIME ECC 1",
+	}
+	return slices.Contains(haricaIssuers, c.Issuer.String())
+}
+
 var NoCommonNameFilter = func(c *x509.Certificate) bool {
 	return len(c.Subject.CommonName) == 0
 }
@@ -123,15 +134,15 @@ func VisibilityToName(v int) string {
 	}
 }
 
-// start all known watchers in certRepoDir
+// CreateAllWatchers starts all known watchers in certRepoDir
 func CreateAllWatchers(certRepoDir string) map[int]*AttributeState {
 	var allWatcherData = map[int][]WatchForSymlinkChange{
-		WatchValid: []WatchForSymlinkChange{
+		WatchValid: {
 			{filepath.Join(certRepoDir, "Validity/Valid"), Valid},
 			{filepath.Join(certRepoDir, "Validity/Expired"), Expired},
 			{filepath.Join(certRepoDir, "Validity/Revoked"), Revoked},
 		},
-		WatchVisibile: []WatchForSymlinkChange{
+		WatchVisible: {
 			{filepath.Join(certRepoDir, "Visibility/Public"), Public},
 			{filepath.Join(certRepoDir, "Visibility/Private"), Private},
 		},
@@ -169,8 +180,8 @@ func CreateAllWatchers(certRepoDir string) map[int]*AttributeState {
 		//		},
 	}
 	var watchers = make(map[int]*AttributeState)
-	for key, symlinkset := range allWatcherData {
-		watchers[key] = NewAttributeState(symlinkset)
+	for key, symlinkSet := range allWatcherData {
+		watchers[key] = NewAttributeState(symlinkSet)
 	}
 	return watchers
 }
@@ -189,8 +200,8 @@ type SearchableCert struct {
 	IPAddresses        []string
 	CAGeneration       *string
 	Type               int
-	searchablestring   string
-	pubsearchToken     []string
+	searchableString   string
+	publicSearchToken  []string
 	rawCertificate     *x509.Certificate
 	FingerprintSHA1    string
 	FingerprintSHA256  string
@@ -215,7 +226,7 @@ func isMn(r rune) bool {
 	return unicode.Is(unicode.Mn, r) // Mn: nonspacing marks
 }
 
-// Cleanup query
+// CleanupQueryString normalizes a query string for search
 func CleanupQueryString(query string) string {
 	// transform to lowercase
 	query = strings.ToLower(query)
@@ -260,7 +271,7 @@ func MakeInternalSearchFilter(query string) SCFilter {
 	return func(c *SearchableCert) bool {
 		numMatches := 0
 		for _, t := range token {
-			if strings.Contains(c.searchablestring, t) {
+			if strings.Contains(c.searchableString, t) {
 				numMatches++
 			}
 		}
@@ -350,7 +361,7 @@ func MakePublicSearchFilter(query string, visibilityWatcher *AttributeState) SCF
 		// check if all parts of the query match any precomputed certificate part
 		var numMatches int
 		for _, token := range queryTokens {
-			for _, certToken := range append(c.pubsearchToken, c.EmailAddresses...) {
+			for _, certToken := range append(c.publicSearchToken, c.EmailAddresses...) {
 				if strings.EqualFold(token, certToken) {
 					numMatches++
 					continue
@@ -426,7 +437,7 @@ func DnToString(n pkix.Name) string {
 	return strings.Join(parts, ",")
 }
 
-// CertToSearchable converts an x509.Certificate into a SearchableCert
+// CertToSearchable converts a x509.Certificate into a SearchableCert
 func CertToSearchable(c *x509.Certificate) SearchableCert {
 	cert := SearchableCert{
 		Serial:             c.SerialNumber.Text(10),
@@ -483,7 +494,7 @@ func CertToSearchable(c *x509.Certificate) SearchableCert {
 	buffer.WriteString(" ")
 	buffer.WriteString(cert.FingerprintMD5)
 
-	cert.searchablestring = strings.ToLower(buffer.String())
+	cert.searchableString = strings.ToLower(buffer.String())
 
 	// build array for public search
 	token := make(map[string]bool)
@@ -509,10 +520,10 @@ func CertToSearchable(c *x509.Certificate) SearchableCert {
 			}
 		}
 	}
-	cert.pubsearchToken = make([]string, len(token))
+	cert.publicSearchToken = make([]string, len(token))
 	idx := 0
-	for key, _ := range token {
-		cert.pubsearchToken[idx] = key
+	for key := range token {
+		cert.publicSearchToken[idx] = key
 		idx++
 	}
 
@@ -526,9 +537,9 @@ func CertToSearchable(c *x509.Certificate) SearchableCert {
 		cert.Type = Extern
 	case CertificateStats.FilterIsNutzer(c):
 		cert.Type = Benutzer
-	case CertificateStats.And(SectigoPersonalFilter, NoCommonNameFilter)(c):
+	case CertificateStats.And(CertificateStats.Or(SectigoPersonalFilter, IsUserHarica), NoCommonNameFilter)(c):
 		cert.Type = Gruppe
-	case CertificateStats.And(SectigoPersonalFilter, CertificateStats.Not(NoCommonNameFilter))(c):
+	case CertificateStats.And(CertificateStats.Or(SectigoPersonalFilter, IsUserHarica), CertificateStats.Not(NoCommonNameFilter))(c):
 		cert.Type = Benutzer
 	default:
 		cert.Type = Server
@@ -590,7 +601,7 @@ func (c *SearchableCert) JSONResult(watchers map[int]*AttributeState) *JSONResul
 		Profile:            "",
 		Expired:            c.NotAfter.Before(time.Now()),
 		Validity:           ValidityToName(watchers[WatchValid].Get(c.Serial)),
-		Public:             VisibilityToName(watchers[WatchVisibile].Get(c.Serial)),
+		Public:             VisibilityToName(watchers[WatchVisible].Get(c.Serial)),
 		FingerprintMD5:     c.FingerprintMD5,
 		FingerprintSHA1:    c.FingerprintSHA1,
 		FingerprintSHA256:  c.FingerprintSHA256,