Merge branch 'csaf-poc:main' into main

.github/workflows/release.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   releases-matrix:
     name: Release Go binaries
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     steps:
       - name: Checkout
         uses: actions/checkout@v3

Makefile

@@ -59,7 +59,7 @@ testsemver:
 
 
 # Set -ldflags parameter to pass the semversion.
-LDFLAGS = -ldflags "-X github.com/csaf-poc/csaf_distribution/v2/util.SemVersion=$(SEMVER)"
+LDFLAGS = -ldflags "-X github.com/csaf-poc/csaf_distribution/v3/util.SemVersion=$(SEMVER)"
 
 # Build binaries and place them under bin-$(GOOS)-$(GOARCH)
 # Using 'Target-specific Variable Values' to specify the build target system

README.md

@@ -2,27 +2,31 @@
 
 An implementation of a [CSAF 2.0](https://docs.oasis-open.org/csaf/csaf/v2.0/csd02/csaf-v2.0-csd02.html) trusted provider, checker, aggregator and downloader. Includes an uploader command line tool for the trusted provider.
 
-## [csaf_provider](docs/csaf_provider.md)
+## Tools for users
+### [csaf_downloader](docs/csaf_downloader.md)
+is a tool for downloading advisories from a provider.
+Can be used for automated forwarding of CSAF documents.
+
+### [csaf_validator](docs/csaf_validator.md)
+is a tool to validate local advisories files against the JSON Schema and an optional remote validator.
+
+## Tools for advisory providers
+
+### [csaf_provider](docs/csaf_provider.md)
 is an implementation of the role CSAF Trusted Provider, also offering
 a simple HTTPS based management service.
 
-## [csaf_uploader](docs/csaf_uploader.md)
+### [csaf_uploader](docs/csaf_uploader.md)
-is a command line tool that uploads CSAF documents to the `csaf_provider`.
+is a command line tool to upload CSAF documents to the `csaf_provider`.
 
-## [csaf_aggregator](docs/csaf_aggregator.md)
+### [csaf_checker](docs/csaf_checker.md)
-is an implementation of the role CSAF Aggregator.
+is a tool for testing a CSAF Trusted Provider according to [Section 7 of the CSAF standard](https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html#7-distributing-csaf-documents).
 
-## [csaf_checker](docs/csaf_checker.md)
+### [csaf_aggregator](docs/csaf_aggregator.md)
-is a tool for testing a CSAF Trusted Provider according to [Section 7 of the CSAF standard](https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html#7-distributing-csaf-documents). Does check requirements without considering the indicated `role` yet.
+is a CSAF Aggregator, to list or mirror providers.
-
-## [csaf_downloader](docs/csaf_downloader.md)
-is a tool for downloading advisories from a provider.
-
-## [csaf_validator](docs/csaf_validator.md)
-is a tool to validate local advisories files against the JSON Schema and an optional remote validator.
 
 ## Setup
-Note that binaries for the server side are only available and tested
+Binaries for the server side are only available and tested
 for GNU/Linux-Systems, e.g. Ubuntu LTS.
 They are likely to run on similar systems when build from sources.
 
@@ -69,7 +73,7 @@ will update the machine generated code.
 
 ## License
 
-- csaf_distribution is licensed as Free Software under MIT License.
+- `csaf_distribution` is licensed as Free Software under MIT License.
 
 - See the specific source files
   for details, the license itself can be found in the directory `LICENSES/`.

cmd/csaf_aggregator/client.go

@@ -13,7 +13,7 @@ import (
 	"io"
 	"net/http"
 
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 var errNotFound = errors.New("not found")

cmd/csaf_aggregator/config.go

@@ -19,12 +19,12 @@ import (
 	"time"
 
 	"github.com/ProtonMail/gopenpgp/v2/crypto"
-	"github.com/csaf-poc/csaf_distribution/v2/csaf"
+	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v2/internal/certs"
+	"github.com/csaf-poc/csaf_distribution/v3/internal/certs"
-	"github.com/csaf-poc/csaf_distribution/v2/internal/filter"
+	"github.com/csaf-poc/csaf_distribution/v3/internal/filter"
-	"github.com/csaf-poc/csaf_distribution/v2/internal/models"
+	"github.com/csaf-poc/csaf_distribution/v3/internal/models"
-	"github.com/csaf-poc/csaf_distribution/v2/internal/options"
+	"github.com/csaf-poc/csaf_distribution/v3/internal/options"
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 	"golang.org/x/time/rate"
 )
 

cmd/csaf_aggregator/full.go

@@ -18,8 +18,8 @@ import (
 	"sync"
 	"time"
 
-	"github.com/csaf-poc/csaf_distribution/v2/csaf"
+	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 type fullJob struct {

cmd/csaf_aggregator/indices.go

@@ -20,8 +20,8 @@ import (
 	"strings"
 	"time"
 
-	"github.com/csaf-poc/csaf_distribution/v2/csaf"
+	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 const (

cmd/csaf_aggregator/interim.go

@@ -25,8 +25,8 @@ import (
 	"sync"
 	"time"
 
-	"github.com/csaf-poc/csaf_distribution/v2/csaf"
+	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 type interimJob struct {

cmd/csaf_aggregator/lazytransaction.go

@@ -13,7 +13,7 @@ import (
 	"os"
 	"path/filepath"
 
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 type lazyTransaction struct {

cmd/csaf_aggregator/lister.go

@@ -11,8 +11,8 @@ package main
 import (
 	"fmt"
 
-	"github.com/csaf-poc/csaf_distribution/v2/csaf"
+	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 // mirrorAllowed checks if mirroring is allowed.

cmd/csaf_aggregator/main.go

@@ -14,7 +14,7 @@ import (
 	"os"
 	"path/filepath"
 
-	"github.com/csaf-poc/csaf_distribution/v2/internal/options"
+	"github.com/csaf-poc/csaf_distribution/v3/internal/options"
 	"github.com/gofrs/flock"
 )
 

cmd/csaf_aggregator/mirror.go

@@ -30,8 +30,8 @@ import (
 	"github.com/ProtonMail/gopenpgp/v2/constants"
 	"github.com/ProtonMail/gopenpgp/v2/crypto"
 
-	"github.com/csaf-poc/csaf_distribution/v2/csaf"
+	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 // mirrorAllowed checks if mirroring is allowed.

cmd/csaf_aggregator/processor.go

@@ -15,8 +15,9 @@ import (
 	"path/filepath"
 
 	"github.com/ProtonMail/gopenpgp/v2/crypto"
-	"github.com/csaf-poc/csaf_distribution/v2/csaf"
+
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/csaf"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 type processor struct {

cmd/csaf_checker/config.go

@@ -13,10 +13,10 @@ import (
 	"fmt"
 	"net/http"
 
-	"github.com/csaf-poc/csaf_distribution/v2/internal/certs"
+	"github.com/csaf-poc/csaf_distribution/v3/internal/certs"
-	"github.com/csaf-poc/csaf_distribution/v2/internal/filter"
+	"github.com/csaf-poc/csaf_distribution/v3/internal/filter"
-	"github.com/csaf-poc/csaf_distribution/v2/internal/models"
+	"github.com/csaf-poc/csaf_distribution/v3/internal/models"
-	"github.com/csaf-poc/csaf_distribution/v2/internal/options"
+	"github.com/csaf-poc/csaf_distribution/v3/internal/options"
 )
 
 type outputFormat string

cmd/csaf_checker/links.go

@@ -14,7 +14,8 @@ import (
 	"net/url"
 
 	"github.com/PuerkitoBio/goquery"
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 type (

cmd/csaf_checker/links_test.go

@@ -1,3 +1,11 @@
+// This file is Free Software under the MIT License
+// without warranty, see README.md and LICENSES/MIT.txt for details.
+//
+// SPDX-License-Identifier: MIT
+//
+// SPDX-FileCopyrightText: 2022 German Federal Office for Information Security (BSI) <https://www.bsi.bund.de>
+// Software-Engineering: 2022 Intevation GmbH <https://intevation.de>
+
 package main
 
 import (

cmd/csaf_checker/main.go

@@ -12,7 +12,7 @@ package main
 import (
 	"log"
 
-	"github.com/csaf-poc/csaf_distribution/v2/internal/options"
+	"github.com/csaf-poc/csaf_distribution/v3/internal/options"
 )
 
 // run uses a processor to check all the given domains or direct urls

cmd/csaf_checker/processor.go

@@ -32,8 +32,9 @@ import (
 	"github.com/ProtonMail/gopenpgp/v2/crypto"
 	"golang.org/x/time/rate"
 
-	"github.com/csaf-poc/csaf_distribution/v2/csaf"
+	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/internal/models"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 // topicMessages stores the collected topicMessages for a specific topic.
@@ -666,12 +667,9 @@ func (p *processor) integrity(
 		var folderYear *int
 		if m := yearFromURL.FindStringSubmatch(u); m != nil {
 			year, _ := strconv.Atoi(m[1])
-			// Check if we are in checking time interval.
+			// Check if the year is in the accepted time interval.
-			if accept := p.cfg.Range; accept != nil && !accept.Contains(
+			if accept := p.cfg.Range; accept != nil &&
-				time.Date(
+				!accept.Intersects(models.Year(year)) {
-					year, 12, 31, // Assume last day of year.
-					23, 59, 59, 0, // 23:59:59
-					time.UTC)) {
 				continue
 			}
 			folderYear = &year
@@ -1115,6 +1113,8 @@ func (p *processor) checkMissing(string) error {
 	for _, f := range files {
 		v := p.alreadyChecked[f]
 		var where []string
+		// mistake contains which requirements are broken
+		var mistake whereType
 		for mask := rolieMask; mask <= listingMask; mask <<= 1 {
 			if maxMask&mask == mask {
 				var in string
@@ -1122,11 +1122,26 @@ func (p *processor) checkMissing(string) error {
 					in = "in"
 				} else {
 					in = "not in"
+					// Which file is missing entries?
+					mistake |= mask
 				}
 				where = append(where, in+" "+mask.String())
 			}
 		}
-		p.badIntegrities.error("%s %s", f, strings.Join(where, ", "))
+		// List error in all appropriate categories
+		if mistake&(rolieMask|indexMask|changesMask|listingMask) == 0 {
+			continue
+		}
+		joined := strings.Join(where, ", ")
+		report := func(mask whereType, msgs *topicMessages) {
+			if mistake&mask != 0 {
+				msgs.error("%s %s", f, joined)
+			}
+		}
+		report(rolieMask, &p.badROLIEFeed)
+		report(indexMask, &p.badIndices)
+		report(changesMask, &p.badChanges)
+		report(listingMask, &p.badDirListings)
 	}
 	return nil
 }

cmd/csaf_checker/report.go

@@ -18,8 +18,8 @@ import (
 	"os"
 	"time"
 
-	"github.com/csaf-poc/csaf_distribution/v2/csaf"
+	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v2/internal/models"
+	"github.com/csaf-poc/csaf_distribution/v3/internal/models"
 )
 
 // MessageType is the kind of the message.

cmd/csaf_checker/reporters.go

@@ -13,7 +13,7 @@ import (
 	"sort"
 	"strings"
 
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 type (

cmd/csaf_checker/roliecheck.go

@@ -15,8 +15,8 @@ import (
 	"sort"
 	"strings"
 
-	"github.com/csaf-poc/csaf_distribution/v2/csaf"
+	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 // identifier consist of document/tracking/id and document/publisher/namespace,

cmd/csaf_checker/rules.go

@@ -12,7 +12,7 @@ import (
 	"fmt"
 	"sort"
 
-	"github.com/csaf-poc/csaf_distribution/v2/csaf"
+	"github.com/csaf-poc/csaf_distribution/v3/csaf"
 )
 
 type ruleCondition int

cmd/csaf_downloader/config.go

@@ -12,16 +12,17 @@ import (
 	"crypto/tls"
 	"fmt"
 	"io"
+	"log"
 	"log/slog"
 	"net/http"
 	"os"
 	"path/filepath"
 	"time"
 
-	"github.com/csaf-poc/csaf_distribution/v2/internal/certs"
+	"github.com/csaf-poc/csaf_distribution/v3/internal/certs"
-	"github.com/csaf-poc/csaf_distribution/v2/internal/filter"
+	"github.com/csaf-poc/csaf_distribution/v3/internal/filter"
-	"github.com/csaf-poc/csaf_distribution/v2/internal/models"
+	"github.com/csaf-poc/csaf_distribution/v3/internal/models"
-	"github.com/csaf-poc/csaf_distribution/v2/internal/options"
+	"github.com/csaf-poc/csaf_distribution/v3/internal/options"
 )
 
 const (
@@ -30,7 +31,7 @@ const (
 	defaultForwardQueue   = 5
 	defaultValidationMode = validationStrict
 	defaultLogFile        = "downloader.log"
-	defaultLogLevel       = logLevelInfo
+	defaultLogLevel       = slog.LevelInfo
 )
 
 type validationMode string
@@ -40,15 +41,6 @@ const (
 	validationUnsafe = validationMode("unsafe")
 )
 
-type logLevel string
-
-const (
-	logLevelDebug = logLevel("debug")
-	logLevelInfo  = logLevel("info")
-	logLevelWarn  = logLevel("warn")
-	logLevelError = logLevel("error")
-)
-
 type config struct {
 	Directory            string            `short:"d" long:"directory" description:"DIRectory to store the downloaded files in" value-name:"DIR" toml:"directory"`
 	Insecure             bool              `long:"insecure" description:"Do not check TLS certificates from provider" toml:"insecure"`
@@ -57,7 +49,6 @@ type config struct {
 	ClientKey            *string           `long:"client-key" description:"TLS client private key file (PEM encoded data)" value-name:"KEY-FILE" toml:"client_key"`
 	ClientPassphrase     *string           `long:"client-passphrase" description:"Optional passphrase for the client cert (limited, experimental, see doc)" value-name:"PASSPHRASE" toml:"client_passphrase"`
 	Version              bool              `long:"version" description:"Display version of the binary" toml:"-"`
-	Verbose              bool              `long:"verbose" short:"v" description:"Verbose output" toml:"verbose"`
 	NoStore              bool              `long:"nostore" short:"n" description:"Do not store files" toml:"no_store"`
 	Rate                 *float64          `long:"rate" short:"r" description:"The average upper limit of https operations per second (defaults to unlimited)" toml:"rate"`
 	Worker               int               `long:"worker" short:"w" description:"NUMber of concurrent downloads" value-name:"NUM" toml:"worker"`
@@ -78,9 +69,9 @@ type config struct {
 	ForwardQueue    int         `long:"forwardqueue" description:"Maximal queue LENGTH before forwarder" value-name:"LENGTH" toml:"forward_queue"`
 	ForwardInsecure bool        `long:"forwardinsecure" description:"Do not check TLS certificates from forward endpoint" toml:"forward_insecure"`
 
-	LogFile string `long:"logfile" description:"FILE to log downloading to" value-name:"FILE" toml:"log_file"`
+	LogFile *string `long:"logfile" description:"FILE to log downloading to" value-name:"FILE" toml:"log_file"`
 	//lint:ignore SA5008 We are using choice or than once: debug, info, warn, error
-	LogLevel logLevel `long:"loglevel" description:"LEVEL of logging details" value-name:"LEVEL" choice:"debug" choice:"info" choice:"warn" choice:"error" toml:"log_level"`
+	LogLevel *options.LogLevel `long:"loglevel" description:"LEVEL of logging details" value-name:"LEVEL" choice:"debug" choice:"info" choice:"warn" choice:"error" toml:"log_level"`
 
 	Config string `short:"c" long:"config" description:"Path to config TOML file" value-name:"TOML-FILE" toml:"-"`
 
@@ -97,6 +88,10 @@ var configPaths = []string{
 
 // parseArgsConfig parses the command line and if need a config file.
 func parseArgsConfig() ([]string, *config, error) {
+	var (
+		logFile  = defaultLogFile
+		logLevel = &options.LogLevel{Level: defaultLogLevel}
+	)
 	p := options.Parser[config]{
 		DefaultConfigLocations: configPaths,
 		ConfigLocation:         func(cfg *config) string { return cfg.Config },
@@ -107,8 +102,8 @@ func parseArgsConfig() ([]string, *config, error) {
 			cfg.RemoteValidatorPresets = []string{defaultPreset}
 			cfg.ValidationMode = defaultValidationMode
 			cfg.ForwardQueue = defaultForwardQueue
-			cfg.LogFile = defaultLogFile
+			cfg.LogFile = &logFile
-			cfg.LogLevel = defaultLogLevel
+			cfg.LogLevel = logLevel
 		},
 		// Re-establish default values if not set.
 		EnsureDefaults: func(cfg *config) {
@@ -123,30 +118,35 @@ func parseArgsConfig() ([]string, *config, error) {
 			default:
 				cfg.ValidationMode = validationStrict
 			}
+			if cfg.LogFile == nil {
+				cfg.LogFile = &logFile
+			}
+			if cfg.LogLevel == nil {
+				cfg.LogLevel = logLevel
+			}
 		},
 	}
 	return p.Parse()
 }
 
-// UnmarshalText implements [encoding/text.TextUnmarshaler].
+// UnmarshalText implements [encoding.TextUnmarshaler].
 func (vm *validationMode) UnmarshalText(text []byte) error {
 	switch m := validationMode(text); m {
 	case validationStrict, validationUnsafe:
 		*vm = m
 	default:
-		return fmt.Errorf(`invalid value %q (expected "strict" or "unsafe"`, m)
+		return fmt.Errorf(`invalid value %q (expected "strict" or "unsafe)"`, m)
 	}
 	return nil
 }
 
-// UnmarshalText implements [encoding/text.TextUnmarshaler].
+// UnmarshalFlag implements [flags.UnmarshalFlag].
-func (ll *logLevel) UnmarshalText(text []byte) error {
+func (vm *validationMode) UnmarshalFlag(value string) error {
-	switch l := logLevel(text); l {
+	var v validationMode
-	case logLevelDebug, logLevelInfo, logLevelWarn, logLevelError:
+	if err := v.UnmarshalText([]byte(value)); err != nil {
-		*ll = l
+		return err
-	default:
-		return fmt.Errorf(`invalid value %q (expected "debug", "info", "warn", "error")`, l)
 	}
+	*vm = v
 	return nil
 }
 
@@ -155,20 +155,9 @@ func (cfg *config) ignoreURL(u string) bool {
 	return cfg.ignorePattern.Matches(u)
 }
 
-// slogLevel converts logLevel to [slog.Level].
+// verbose is considered a log level equal or less debug.
-func (ll logLevel) slogLevel() slog.Level {
+func (cfg *config) verbose() bool {
-	switch ll {
+	return cfg.LogLevel.Level <= slog.LevelDebug
-	case logLevelDebug:
-		return slog.LevelDebug
-	case logLevelInfo:
-		return slog.LevelInfo
-	case logLevelWarn:
-		return slog.LevelWarn
-	case logLevelError:
-		return slog.LevelError
-	default:
-		return slog.LevelInfo
-	}
 }
 
 // prepareDirectory ensures that the working directory
@@ -209,26 +198,28 @@ func dropSubSeconds(_ []string, a slog.Attr) slog.Attr {
 // prepareLogging sets up the structured logging.
 func (cfg *config) prepareLogging() error {
 	var w io.Writer
-	if cfg.LogFile == "" {
+	if cfg.LogFile == nil || *cfg.LogFile == "" {
+		log.Println("using STDERR for logging")
 		w = os.Stderr
 	} else {
 		var fname string
 		// We put the log inside the download folder
 		// if it is not absolute.
-		if filepath.IsAbs(cfg.LogFile) {
+		if filepath.IsAbs(*cfg.LogFile) {
-			fname = cfg.LogFile
+			fname = *cfg.LogFile
 		} else {
-			fname = filepath.Join(cfg.Directory, cfg.LogFile)
+			fname = filepath.Join(cfg.Directory, *cfg.LogFile)
 		}
 		f, err := os.OpenFile(fname, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0644)
 		if err != nil {
 			return err
 		}
+		log.Printf("using %q for logging\n", *cfg.LogFile)
 		w = f
 	}
 	ho := slog.HandlerOptions{
 		//AddSource: true,
-		Level:       cfg.LogLevel.slogLevel(),
+		Level:       cfg.LogLevel.Level,
 		ReplaceAttr: dropSubSeconds,
 	}
 	handler := slog.NewJSONHandler(w, &ho)

cmd/csaf_downloader/downloader.go

@@ -33,8 +33,8 @@ import (
 	"github.com/ProtonMail/gopenpgp/v2/crypto"
 	"golang.org/x/time/rate"
 
-	"github.com/csaf-poc/csaf_distribution/v2/csaf"
+	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 type downloader struct {
@@ -92,10 +92,26 @@ func (d *downloader) addStats(o *stats) {
 	d.stats.add(o)
 }
 
+// logRedirect logs redirects of the http client.
+func logRedirect(req *http.Request, via []*http.Request) error {
+	vs := make([]string, len(via))
+	for i, v := range via {
+		vs[i] = v.URL.String()
+	}
+	slog.Debug("Redirecting",
+		"to", req.URL.String(),
+		"via", strings.Join(vs, " -> "))
+	return nil
+}
+
 func (d *downloader) httpClient() util.Client {
 
 	hClient := http.Client{}
 
+	if d.cfg.verbose() {
+		hClient.CheckRedirect = logRedirect
+	}
+
 	var tlsConfig tls.Config
 	if d.cfg.Insecure {
 		tlsConfig.InsecureSkipVerify = true
@@ -120,8 +136,11 @@ func (d *downloader) httpClient() util.Client {
 	}
 
 	// Add optional URL logging.
-	if d.cfg.Verbose {
+	if d.cfg.verbose() {
-		client = &util.LoggingClient{Client: client}
+		client = &util.LoggingClient{
+			Client: client,
+			Log:    httpLog("downloader"),
+		}
 	}
 
 	// Add optional rate limiting.
@@ -135,6 +154,16 @@ func (d *downloader) httpClient() util.Client {
 	return client
 }
 
+// httpLog does structured logging in a [util.LoggingClient].
+func httpLog(who string) func(string, string) {
+	return func(method, url string) {
+		slog.Debug("http",
+			"who", who,
+			"method", method,
+			"url", url)
+	}
+}
+
 func (d *downloader) download(ctx context.Context, domain string) error {
 	client := d.httpClient()
 
@@ -142,9 +171,9 @@ func (d *downloader) download(ctx context.Context, domain string) error {
 
 	lpmd := loader.Load(domain)
 
-	if d.cfg.Verbose {
+	if d.cfg.verbose() {
 		for i := range lpmd.Messages {
-			slog.Info("Loading provider-metadata.json",
+			slog.Debug("Loading provider-metadata.json",
 				"domain", domain,
 				"message", lpmd.Messages[i].Message)
 		}
@@ -331,7 +360,7 @@ func (d *downloader) logValidationIssues(url string, errors []string, err error)
 		return
 	}
 	if len(errors) > 0 {
-		if d.cfg.Verbose {
+		if d.cfg.verbose() {
 			slog.Error("CSAF file has validation errors",
 				"url", url,
 				"error", strings.Join(errors, ", "))
@@ -388,9 +417,7 @@ nextAdvisory:
 		}
 
 		if d.cfg.ignoreURL(file.URL()) {
-			if d.cfg.Verbose {
+			slog.Debug("Ignoring URL", "url", file.URL())
-				slog.Warn("Ignoring URL", "url", file.URL())
-			}
 			continue
 		}
 
@@ -438,22 +465,18 @@ nextAdvisory:
 
 		// Only hash when we have a remote counter part we can compare it with.
 		if remoteSHA256, s256Data, err = loadHash(client, file.SHA256URL()); err != nil {
-			if d.cfg.Verbose {
+			slog.Warn("Cannot fetch SHA256",
-				slog.Warn("Cannot fetch SHA256",
+				"url", file.SHA256URL(),
-					"url", file.SHA256URL(),
+				"error", err)
-					"error", err)
-			}
 		} else {
 			s256 = sha256.New()
 			writers = append(writers, s256)
 		}
 
 		if remoteSHA512, s512Data, err = loadHash(client, file.SHA512URL()); err != nil {
-			if d.cfg.Verbose {
+			slog.Warn("Cannot fetch SHA512",
-				slog.Warn("Cannot fetch SHA512",
+				"url", file.SHA512URL(),
-					"url", file.SHA512URL(),
+				"error", err)
-					"error", err)
-			}
 		} else {
 			s512 = sha512.New()
 			writers = append(writers, s512)
@@ -506,11 +529,9 @@ nextAdvisory:
 			var sign *crypto.PGPSignature
 			sign, signData, err = loadSignature(client, file.SignURL())
 			if err != nil {
-				if d.cfg.Verbose {
+				slog.Warn("Downloading signature failed",
-					slog.Warn("Downloading signature failed",
+					"url", file.SignURL(),
-						"url", file.SignURL(),
+					"error", err)
-						"error", err)
-				}
 			}
 			if sign != nil {
 				if err := d.checkSignature(data.Bytes(), sign); err != nil {

cmd/csaf_downloader/forwarder.go

@@ -19,8 +19,8 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/csaf-poc/csaf_distribution/v2/internal/misc"
+	"github.com/csaf-poc/csaf_distribution/v3/internal/misc"
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 // failedForwardDir is the name of the special sub folder
@@ -116,8 +116,11 @@ func (f *forwarder) httpClient() util.Client {
 	}
 
 	// Add optional URL logging.
-	if f.cfg.Verbose {
+	if f.cfg.verbose() {
-		client = &util.LoggingClient{Client: client}
+		client = &util.LoggingClient{
+			Client: client,
+			Log:    httpLog("forwarder"),
+		}
 	}
 
 	f.client = client
@@ -184,16 +187,10 @@ func (f *forwarder) buildRequest(
 // storeFailedAdvisory stores an advisory in a special folder
 // in case the forwarding failed.
 func (f *forwarder) storeFailedAdvisory(filename, doc, sha256, sha512 string) error {
-	dir := filepath.Join(f.cfg.Directory, failedForwardDir)
 	// Create special folder if it does not exist.
-	if _, err := os.Stat(dir); err != nil {
+	dir := filepath.Join(f.cfg.Directory, failedForwardDir)
-		if os.IsNotExist(err) {
+	if err := os.MkdirAll(dir, 0755); err != nil {
-			if err := os.MkdirAll(dir, 0755); err != nil {
+		return err
-				return err
-			}
-		} else {
-			return err
-		}
 	}
 	// Store parts which are not empty.
 	for _, x := range []struct {
@@ -223,6 +220,19 @@ func (f *forwarder) storeFailed(filename, doc, sha256, sha512 string) {
 	}
 }
 
+// limitedString reads max bytes from reader and returns it as a string.
+// Longer strings are indicated by "..." as a suffix.
+func limitedString(r io.Reader, max int) (string, error) {
+	var msg strings.Builder
+	if _, err := io.Copy(&msg, io.LimitReader(r, int64(max))); err != nil {
+		return "", err
+	}
+	if msg.Len() >= max {
+		msg.WriteString("...")
+	}
+	return msg.String(), nil
+}
+
 // forward sends a given document with filename, status and
 // checksums to the forwarder. This is async to the degree
 // till the configured queue size is filled.
@@ -249,16 +259,15 @@ func (f *forwarder) forward(
 		}
 		if res.StatusCode != http.StatusCreated {
 			defer res.Body.Close()
-			var msg strings.Builder
+			if msg, err := limitedString(res.Body, 512); err != nil {
-			io.Copy(&msg, io.LimitReader(res.Body, 512))
+				slog.Error("reading forward result failed",
-			var dots string
+					"error", err)
-			if msg.Len() >= 512 {
+			} else {
-				dots = "..."
+				slog.Error("forwarding failed",
+					"filename", filename,
+					"body", msg,
+					"status_code", res.StatusCode)
 			}
-			slog.Error("forwarding failed",
-				"filename", filename,
-				"body", msg.String()+dots,
-				"status_code", res.StatusCode)
 			f.storeFailed(filename, doc, sha256, sha512)
 		} else {
 			f.succeeded++

cmd/csaf_downloader/forwarder_test.go

@@ -0,0 +1,429 @@
+// This file is Free Software under the MIT License
+// without warranty, see README.md and LICENSES/MIT.txt for details.
+//
+// SPDX-License-Identifier: MIT
+//
+// SPDX-FileCopyrightText: 2023 German Federal Office for Information Security (BSI) <https://www.bsi.bund.de>
+// Software-Engineering: 2023 Intevation GmbH <https://intevation.de>
+
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/json"
+	"errors"
+	"io"
+	"log/slog"
+	"mime"
+	"mime/multipart"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/csaf-poc/csaf_distribution/v3/internal/options"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
+)
+
+func TestValidationStatusUpdate(t *testing.T) {
+	sv := validValidationStatus
+	sv.update(invalidValidationStatus)
+	sv.update(validValidationStatus)
+	if sv != invalidValidationStatus {
+		t.Fatalf("got %q expected %q", sv, invalidValidationStatus)
+	}
+	sv = notValidatedValidationStatus
+	sv.update(validValidationStatus)
+	sv.update(notValidatedValidationStatus)
+	if sv != notValidatedValidationStatus {
+		t.Fatalf("got %q expected %q", sv, notValidatedValidationStatus)
+	}
+}
+
+func TestForwarderLogStats(t *testing.T) {
+	orig := slog.Default()
+	defer slog.SetDefault(orig)
+
+	var buf bytes.Buffer
+	h := slog.NewJSONHandler(&buf, &slog.HandlerOptions{
+		Level: slog.LevelInfo,
+	})
+	lg := slog.New(h)
+	slog.SetDefault(lg)
+
+	cfg := &config{}
+	fw := newForwarder(cfg)
+	fw.failed = 11
+	fw.succeeded = 13
+
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		fw.run()
+	}()
+	fw.log()
+	fw.close()
+	<-done
+
+	type fwStats struct {
+		Msg       string `json:"msg"`
+		Succeeded int    `json:"succeeded"`
+		Failed    int    `json:"failed"`
+	}
+	sc := bufio.NewScanner(bytes.NewReader(buf.Bytes()))
+	found := false
+	for sc.Scan() {
+		var fws fwStats
+		if err := json.Unmarshal(sc.Bytes(), &fws); err != nil {
+			t.Fatalf("JSON parsing log failed: %v", err)
+		}
+		if fws.Msg == "Forward statistics" &&
+			fws.Failed == 11 &&
+			fws.Succeeded == 13 {
+			found = true
+			break
+		}
+	}
+	if err := sc.Err(); err != nil {
+		t.Fatalf("scanning log failed: %v", err)
+	}
+	if !found {
+		t.Fatal("Cannot find forward statistics in log")
+	}
+}
+
+func TestForwarderHTTPClient(t *testing.T) {
+	cfg := &config{
+		ForwardInsecure: true,
+		ForwardHeader: http.Header{
+			"User-Agent": []string{"curl/7.55.1"},
+		},
+		LogLevel: &options.LogLevel{Level: slog.LevelDebug},
+	}
+	fw := newForwarder(cfg)
+	if c1, c2 := fw.httpClient(), fw.httpClient(); c1 != c2 {
+		t.Fatal("expected to return same client twice")
+	}
+}
+
+func TestForwarderReplaceExtension(t *testing.T) {
+	for _, x := range [][2]string{
+		{"foo", "foo.ext"},
+		{"foo.bar", "foo.ext"},
+		{".bar", ".ext"},
+		{"", ".ext"},
+	} {
+		if got := replaceExt(x[0], ".ext"); got != x[1] {
+			t.Fatalf("got %q expected %q", got, x[1])
+		}
+	}
+}
+
+func TestForwarderBuildRequest(t *testing.T) {
+
+	// Good case ...
+	cfg := &config{
+		ForwardURL: "https://example.com",
+	}
+	fw := newForwarder(cfg)
+
+	req, err := fw.buildRequest(
+		"test.json", "{}",
+		invalidValidationStatus,
+		"256",
+		"512")
+
+	if err != nil {
+		t.Fatalf("buildRequest failed: %v", err)
+	}
+	mediaType, params, err := mime.ParseMediaType(req.Header.Get("Content-Type"))
+	if err != nil {
+		t.Fatalf("no Content-Type found")
+	}
+	if !strings.HasPrefix(mediaType, "multipart/") {
+		t.Fatalf("media type is not multipart")
+	}
+	mr := multipart.NewReader(req.Body, params["boundary"])
+
+	var foundAdvisory, foundValidationStatus, found256, found512 bool
+
+	for {
+		p, err := mr.NextPart()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			t.Fatalf("parsing multipart failed: %v", err)
+		}
+		data, err := io.ReadAll(p)
+		if err != nil {
+			t.Fatal(err)
+		}
+		cd := p.Header["Content-Disposition"]
+		if len(cd) == 0 {
+			continue
+		}
+
+		switch contains := func(name string) bool {
+			return strings.Contains(cd[0], `name="`+name+`"`)
+		}; {
+		case contains("advisory"):
+			if a := string(data); a != "{}" {
+				t.Fatalf("advisory: got %q expected %q", a, "{}")
+			}
+			foundAdvisory = true
+		case contains("validation_status"):
+			if vs := validationStatus(data); vs != invalidValidationStatus {
+				t.Fatalf("validation_status: got %q expected %q",
+					vs, invalidValidationStatus)
+			}
+			foundValidationStatus = true
+		case contains("hash-256"):
+			if h := string(data); h != "256" {
+				t.Fatalf("hash-256: got %q expected %q", h, "256")
+			}
+			found256 = true
+		case contains("hash-512"):
+			if h := string(data); h != "512" {
+				t.Fatalf("hash-512: got %q expected %q", h, "512")
+			}
+			found512 = true
+		}
+	}
+
+	switch {
+	case !foundAdvisory:
+		t.Fatal("advisory not found")
+	case !foundValidationStatus:
+		t.Fatal("validation_status not found")
+	case !found256:
+		t.Fatal("hash-256 not found")
+	case !found512:
+		t.Fatal("hash-512 not found")
+	}
+
+	// Bad case ...
+	cfg.ForwardURL = "%"
+
+	if _, err := fw.buildRequest(
+		"test.json", "{}",
+		invalidValidationStatus,
+		"256",
+		"512",
+	); err == nil {
+		t.Fatal("bad forward URL should result in an error")
+	}
+}
+
+type badReader struct{ error }
+
+func (br *badReader) Read([]byte) (int, error) { return 0, br.error }
+
+func TestLimitedString(t *testing.T) {
+	for _, x := range [][2]string{
+		{"xx", "xx"},
+		{"xxx", "xxx..."},
+		{"xxxx", "xxx..."},
+	} {
+		got, err := limitedString(strings.NewReader(x[0]), 3)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if got != x[1] {
+			t.Fatalf("got %q expected %q", got, x[1])
+		}
+	}
+
+	if _, err := limitedString(&badReader{error: os.ErrInvalid}, 3); err == nil {
+		t.Fatal("expected to fail with an error")
+	}
+}
+
+func TestStoreFailedAdvisory(t *testing.T) {
+	dir, err := os.MkdirTemp("", "storeFailedAdvisory")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(dir)
+
+	cfg := &config{Directory: dir}
+	fw := newForwarder(cfg)
+
+	badDir := filepath.Join(dir, failedForwardDir)
+	if err := os.WriteFile(badDir, []byte("test"), 0664); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := fw.storeFailedAdvisory("advisory.json", "{}", "256", "512"); err == nil {
+		t.Fatal("if the destination exists as a file an error should occur")
+	}
+
+	if err := os.Remove(badDir); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := fw.storeFailedAdvisory("advisory.json", "{}", "256", "512"); err != nil {
+		t.Fatal(err)
+	}
+
+	sha256Path := filepath.Join(dir, failedForwardDir, "advisory.json.sha256")
+
+	// Write protect advisory.
+	if err := os.Chmod(sha256Path, 0); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := fw.storeFailedAdvisory("advisory.json", "{}", "256", "512"); err == nil {
+		t.Fatal("expected to fail with an error")
+	}
+
+	if err := os.Chmod(sha256Path, 0644); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestStoredFailed(t *testing.T) {
+	dir, err := os.MkdirTemp("", "storeFailed")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(dir)
+
+	orig := slog.Default()
+	defer slog.SetDefault(orig)
+
+	var buf bytes.Buffer
+	h := slog.NewJSONHandler(&buf, &slog.HandlerOptions{
+		Level: slog.LevelError,
+	})
+	lg := slog.New(h)
+	slog.SetDefault(lg)
+
+	cfg := &config{Directory: dir}
+	fw := newForwarder(cfg)
+
+	// An empty filename should lead to an error.
+	fw.storeFailed("", "{}", "256", "512")
+
+	if fw.failed != 1 {
+		t.Fatalf("got %d expected 1", fw.failed)
+	}
+
+	type entry struct {
+		Msg   string `json:"msg"`
+		Level string `json:"level"`
+	}
+
+	sc := bufio.NewScanner(bytes.NewReader(buf.Bytes()))
+	found := false
+	for sc.Scan() {
+		var e entry
+		if err := json.Unmarshal(sc.Bytes(), &e); err != nil {
+			t.Fatalf("JSON parsing log failed: %v", err)
+		}
+		if e.Msg == "Storing advisory failed forwarding failed" && e.Level == "ERROR" {
+			found = true
+			break
+		}
+	}
+	if err := sc.Err(); err != nil {
+		t.Fatalf("scanning log failed: %v", err)
+	}
+	if !found {
+		t.Fatal("Cannot error logging statistics in log")
+	}
+}
+
+type fakeClient struct {
+	util.Client
+	state int
+}
+
+func (fc *fakeClient) Do(*http.Request) (*http.Response, error) {
+	// The different states simulates different responses from the remote API.
+	switch fc.state {
+	case 0:
+		fc.state = 1
+		return &http.Response{
+			Status:     http.StatusText(http.StatusCreated),
+			StatusCode: http.StatusCreated,
+		}, nil
+	case 1:
+		fc.state = 2
+		return nil, errors.New("does not work")
+	case 2:
+		fc.state = 3
+		return &http.Response{
+			Status:     http.StatusText(http.StatusBadRequest),
+			StatusCode: http.StatusBadRequest,
+			Body:       io.NopCloser(&badReader{error: os.ErrInvalid}),
+		}, nil
+	default:
+		return &http.Response{
+			Status:     http.StatusText(http.StatusBadRequest),
+			StatusCode: http.StatusBadRequest,
+			Body:       io.NopCloser(strings.NewReader("This was bad!")),
+		}, nil
+	}
+}
+
+func TestForwarderForward(t *testing.T) {
+	dir, err := os.MkdirTemp("", "forward")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(dir)
+
+	orig := slog.Default()
+	defer slog.SetDefault(orig)
+
+	// We dont care in details here as we captured them
+	// in the other test cases.
+	h := slog.NewJSONHandler(io.Discard, nil)
+	lg := slog.New(h)
+	slog.SetDefault(lg)
+
+	cfg := &config{
+		ForwardURL: "http://example.com",
+		Directory:  dir,
+	}
+	fw := newForwarder(cfg)
+
+	// Use the fact that http client is cached.
+	fw.client = &fakeClient{}
+
+	done := make(chan struct{})
+
+	go func() {
+		defer close(done)
+		fw.run()
+	}()
+
+	// Iterate through states of http client.
+	for i := 0; i <= 3; i++ {
+		fw.forward(
+			"test.json", "{}",
+			invalidValidationStatus,
+			"256",
+			"512")
+	}
+
+	// Make buildRequest fail.
+	wait := make(chan struct{})
+	fw.cmds <- func(f *forwarder) {
+		f.cfg.ForwardURL = "%"
+		close(wait)
+	}
+	<-wait
+	fw.forward(
+		"test.json", "{}",
+		invalidValidationStatus,
+		"256",
+		"512")
+
+	fw.close()
+
+	<-done
+}

cmd/csaf_downloader/main.go

@@ -15,7 +15,7 @@ import (
 	"os"
 	"os/signal"
 
-	"github.com/csaf-poc/csaf_distribution/v2/internal/options"
+	"github.com/csaf-poc/csaf_distribution/v3/internal/options"
 )
 
 func run(cfg *config, domains []string) error {

cmd/csaf_downloader/stats_test.go

@@ -0,0 +1,112 @@
+// This file is Free Software under the MIT License
+// without warranty, see README.md and LICENSES/MIT.txt for details.
+//
+// SPDX-License-Identifier: MIT
+//
+// SPDX-FileCopyrightText: 2023 German Federal Office for Information Security (BSI) <https://www.bsi.bund.de>
+// Software-Engineering: 2023 Intevation GmbH <https://intevation.de>
+
+package main
+
+import (
+	"bytes"
+	"encoding/json"
+	"log/slog"
+	"testing"
+)
+
+func TestStatsAdd(t *testing.T) {
+	a := stats{
+		downloadFailed:  2,
+		filenameFailed:  3,
+		schemaFailed:    5,
+		remoteFailed:    7,
+		sha256Failed:    11,
+		sha512Failed:    13,
+		signatureFailed: 17,
+		succeeded:       19,
+	}
+	b := a
+	a.add(&b)
+	b.downloadFailed *= 2
+	b.filenameFailed *= 2
+	b.schemaFailed *= 2
+	b.remoteFailed *= 2
+	b.sha256Failed *= 2
+	b.sha512Failed *= 2
+	b.signatureFailed *= 2
+	b.succeeded *= 2
+	if a != b {
+		t.Fatalf("%v != %v", a, b)
+	}
+}
+
+func TestStatsTotalFailed(t *testing.T) {
+	a := stats{
+		downloadFailed:  2,
+		filenameFailed:  3,
+		schemaFailed:    5,
+		remoteFailed:    7,
+		sha256Failed:    11,
+		sha512Failed:    13,
+		signatureFailed: 17,
+	}
+	sum := a.downloadFailed +
+		a.filenameFailed +
+		a.schemaFailed +
+		a.remoteFailed +
+		a.sha256Failed +
+		a.sha512Failed +
+		a.signatureFailed
+	if got := a.totalFailed(); got != sum {
+		t.Fatalf("got %d expected %d", got, sum)
+	}
+}
+
+func TestStatsLog(t *testing.T) {
+	var out bytes.Buffer
+	h := slog.NewJSONHandler(&out, &slog.HandlerOptions{Level: slog.LevelInfo})
+	orig := slog.Default()
+	defer slog.SetDefault(orig)
+	slog.SetDefault(slog.New(h))
+	a := stats{
+		downloadFailed:  2,
+		filenameFailed:  3,
+		schemaFailed:    5,
+		remoteFailed:    7,
+		sha256Failed:    11,
+		sha512Failed:    13,
+		signatureFailed: 17,
+		succeeded:       19,
+	}
+	a.log()
+	type result struct {
+		Succeeded       int `json:"succeeded"`
+		TotalFailed     int `json:"total_failed"`
+		FilenameFailed  int `json:"filename_failed"`
+		DownloadFailed  int `json:"download_failed"`
+		SchemaFailed    int `json:"schema_failed"`
+		RemoteFailed    int `json:"remote_failed"`
+		SHA256Failed    int `json:"sha256_failed"`
+		SHA512Failed    int `json:"sha512_failed"`
+		SignatureFailed int `json:"signature_failed"`
+	}
+	var got result
+	if err := json.Unmarshal(out.Bytes(), &got); err != nil {
+		t.Fatal(err)
+	}
+	want := result{
+		Succeeded:       a.succeeded,
+		TotalFailed:     a.totalFailed(),
+		FilenameFailed:  a.filenameFailed,
+		DownloadFailed:  a.downloadFailed,
+		SchemaFailed:    a.schemaFailed,
+		RemoteFailed:    a.remoteFailed,
+		SHA256Failed:    a.sha256Failed,
+		SHA512Failed:    a.sha512Failed,
+		SignatureFailed: a.signatureFailed,
+	}
+	if got != want {
+		t.Fatalf("%v != %v", got, want)
+	}
+}

cmd/csaf_provider/actions.go

@@ -25,8 +25,9 @@ import (
 	"github.com/ProtonMail/gopenpgp/v2/armor"
 	"github.com/ProtonMail/gopenpgp/v2/constants"
 	"github.com/ProtonMail/gopenpgp/v2/crypto"
-	"github.com/csaf-poc/csaf_distribution/v2/csaf"
+
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/csaf"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 const dateFormat = time.RFC3339

cmd/csaf_provider/config.go

@@ -16,8 +16,9 @@ import (
 
 	"github.com/BurntSushi/toml"
 	"github.com/ProtonMail/gopenpgp/v2/crypto"
-	"github.com/csaf-poc/csaf_distribution/v2/csaf"
 	"golang.org/x/crypto/bcrypt"
+
+	"github.com/csaf-poc/csaf_distribution/v3/csaf"
 )
 
 const (

cmd/csaf_provider/create.go

@@ -21,8 +21,9 @@ import (
 	"unicode"
 
 	"github.com/ProtonMail/gopenpgp/v2/crypto"
-	"github.com/csaf-poc/csaf_distribution/v2/csaf"
+
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/csaf"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 // ensureFolders initializes the paths and call functions to create

cmd/csaf_provider/files.go

@@ -13,7 +13,7 @@ import (
 	"crypto/sha512"
 	"os"
 
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 func writeHashedFile(fname, name string, data []byte, armored string) error {

cmd/csaf_provider/indices.go

@@ -18,7 +18,7 @@ import (
 	"sort"
 	"time"
 
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 func updateIndex(dir, fname string) error {

cmd/csaf_provider/main.go

@@ -16,8 +16,9 @@ import (
 	"net/http/cgi"
 	"os"
 
-	"github.com/csaf-poc/csaf_distribution/v2/util"
 	"github.com/jessevdk/go-flags"
+
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 type options struct {

cmd/csaf_provider/rolie.go

@@ -15,8 +15,8 @@ import (
 	"strings"
 	"time"
 
-	"github.com/csaf-poc/csaf_distribution/v2/csaf"
+	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 // mergeCategories merges the given categories into the old ones.

cmd/csaf_provider/transaction.go

@@ -12,8 +12,8 @@ import (
 	"os"
 	"path/filepath"
 
-	"github.com/csaf-poc/csaf_distribution/v2/csaf"
+	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 func doTransaction(

cmd/csaf_uploader/config.go

@@ -15,10 +15,11 @@ import (
 	"os"
 
 	"github.com/ProtonMail/gopenpgp/v2/crypto"
-	"github.com/csaf-poc/csaf_distribution/v2/internal/certs"
-	"github.com/csaf-poc/csaf_distribution/v2/internal/options"
 	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/term"
+
+	"github.com/csaf-poc/csaf_distribution/v3/internal/certs"
+	"github.com/csaf-poc/csaf_distribution/v3/internal/options"
 )
 
 const (

cmd/csaf_uploader/main.go

@@ -9,7 +9,7 @@
 // Implements a command line tool that uploads csaf documents to csaf_provider.
 package main
 
-import "github.com/csaf-poc/csaf_distribution/v2/internal/options"
+import "github.com/csaf-poc/csaf_distribution/v3/internal/options"
 
 func main() {
 	args, cfg, err := parseArgsConfig()

cmd/csaf_uploader/processor.go

@@ -26,9 +26,9 @@ import (
 	"github.com/ProtonMail/gopenpgp/v2/constants"
 	"github.com/ProtonMail/gopenpgp/v2/crypto"
 
-	"github.com/csaf-poc/csaf_distribution/v2/csaf"
+	"github.com/csaf-poc/csaf_distribution/v3/csaf"
-	"github.com/csaf-poc/csaf_distribution/v2/internal/misc"
+	"github.com/csaf-poc/csaf_distribution/v3/internal/misc"
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 type processor struct {

cmd/csaf_validator/main.go

@@ -16,9 +16,10 @@ import (
 	"os"
 	"path/filepath"
 
-	"github.com/csaf-poc/csaf_distribution/v2/csaf"
-	"github.com/csaf-poc/csaf_distribution/v2/util"
 	"github.com/jessevdk/go-flags"
+
+	"github.com/csaf-poc/csaf_distribution/v3/csaf"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 type options struct {

csaf/advisories.go

@@ -18,7 +18,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 // AdvisoryFile constructs the urls of a remote file.

csaf/models.go

@@ -17,7 +17,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 // TLPLabel is the traffic light policy of the CSAF.

csaf/providermetaloader.go

@@ -17,7 +17,7 @@ import (
 	"net/http"
 	"strings"
 
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 // ProviderMetadataLoader helps load provider-metadata.json from

csaf/rolie.go

@@ -14,7 +14,7 @@ import (
 	"sort"
 	"time"
 
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 // ROLIEServiceWorkspaceCollectionCategoriesCategory is a category in a ROLIE service collection.

csaf/summary.go

@@ -11,7 +11,7 @@ package csaf
 import (
 	"time"
 
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 const (

csaf/validation.go

@@ -92,6 +92,7 @@ func loadURL(s string) (io.ReadCloser, error) {
 
 func (cs *compiledSchema) compile() {
 	c := jsonschema.NewCompiler()
+	c.AssertFormat = true
 	c.LoadURL = loadURL
 	cs.compiled, cs.err = c.Compile(cs.url)
 }

docs/csaf_downloader.md

@@ -14,10 +14,8 @@ Application Options:
       --client-key=KEY-FILE                      TLS client private key file (PEM encoded data)
       --client-passphrase=PASSPHRASE             Optional passphrase for the client cert (limited, experimental, see doc)
       --version                                  Display version of the binary
-  -v, --verbose                                  Verbose output
   -n, --nostore                                  Do not store files
-  -r, --rate=                                    The average upper limit of https operations per second (defaults to
+  -r, --rate=                                    The average upper limit of https operations per second (defaults to unlimited)
-                                                 unlimited)
   -w, --worker=NUM                               NUMber of concurrent downloads (default: 2)
   -t, --timerange=RANGE                          RANGE of time from which advisories to download
   -f, --folder=FOLDER                            Download into a given subFOLDER
@@ -65,7 +63,6 @@ insecure            = false
 # client_key        # not set by default
 # client_passphrase # not set by default
 ignoresigcheck      = false
-verbose             = false
 # rate              # set to unlimited
 worker              = 2
 # timerange         # not set by default
@@ -126,6 +123,14 @@ In the config file this has to be noted as:
 ignorepattern = [".*white.*", ".*red.*"]
 ```
 
+#### Forwarding
+The downloader is able to forward downloaded advisories and their checksums,
+OpenPGP signatures and validation results to an HTTP endpoint.  
+The details of the implemented API are described [here](https://github.com/mfd2007/csaf_upload_interface).  
+**Attention** This is a work in progress. There is
+no production ready server which implements this protocol.
+The server in the linked repository is currently for development and testing only.
+
 #### beware of client cert passphrase
 
 The `client-passphrase` option implements a legacy private

docs/scripts/testDownloader.sh

@@ -18,7 +18,7 @@ echo '==== run downloader (1)'
 mkdir ~/downloaded1
 
 ./bin-linux-amd64/csaf_downloader --directory ../downloaded1 \
-  --rate 4.1 --verbose --insecure localhost
+  --rate 4.1 --insecure localhost
 
 echo
 echo '==== this was downloaded (1)'
@@ -32,7 +32,7 @@ echo '==== run downloader (2)'
 mkdir ~/downloaded2
 
 ./bin-linux-amd64/csaf_downloader --directory ../downloaded2 \
-  --verbose --insecure https://localhost:9443/.well-known/csaf-aggregator/local-dev-provider2/provider-metadata.json
+  --insecure https://localhost:9443/.well-known/csaf-aggregator/local-dev-provider2/provider-metadata.json
 
 echo
 echo '==== this was downloaded (2)'

go.mod

@@ -1,4 +1,4 @@
-module github.com/csaf-poc/csaf_distribution/v2
+module github.com/csaf-poc/csaf_distribution/v3
 
 go 1.21
 
@@ -6,26 +6,26 @@ require (
 	github.com/BurntSushi/toml v1.3.2
 	github.com/PaesslerAG/gval v1.2.2
 	github.com/PaesslerAG/jsonpath v0.1.1
-	github.com/ProtonMail/gopenpgp/v2 v2.7.2
+	github.com/ProtonMail/gopenpgp/v2 v2.7.3
 	github.com/PuerkitoBio/goquery v1.8.1
 	github.com/gofrs/flock v0.8.1
 	github.com/jessevdk/go-flags v1.5.0
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
 	go.etcd.io/bbolt v1.3.7
-	golang.org/x/crypto v0.12.0
+	golang.org/x/crypto v0.13.0
-	golang.org/x/term v0.11.0
+	golang.org/x/term v0.12.0
 	golang.org/x/time v0.3.0
 )
 
 require (
-	github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect
 	github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f // indirect
 	github.com/andybalholm/cascadia v1.3.2 // indirect
 	github.com/cloudflare/circl v1.3.3 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
-	golang.org/x/net v0.14.0 // indirect
+	golang.org/x/net v0.15.0 // indirect
-	golang.org/x/sys v0.11.0 // indirect
+	golang.org/x/sys v0.12.0 // indirect
-	golang.org/x/text v0.12.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
 )

go.sum

@@ -1,5 +1,3 @@
-github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak=
-github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
 github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/PaesslerAG/gval v1.0.0/go.mod h1:y/nm5yEyTeX6av0OfKJNp9rBNj2XrGhAf5+v24IBN1I=
@@ -8,29 +6,19 @@ github.com/PaesslerAG/gval v1.2.2/go.mod h1:XRFLwvmkTEdYziLdaCeCa5ImcGVrfQbeNUbV
 github.com/PaesslerAG/jsonpath v0.1.0/go.mod h1:4BzmtoM/PI8fPO4aQGIusjGxGir2BzcV0grWtFzq1Y8=
 github.com/PaesslerAG/jsonpath v0.1.1 h1:c1/AToHQMVsduPAa4Vh6xp2U0evy4t8SWp8imEsylIk=
 github.com/PaesslerAG/jsonpath v0.1.1/go.mod h1:lVboNxFGal/VwW6d9JzIy56bUsYAP6tH/x80vjnCseY=
-github.com/ProtonMail/go-crypto v0.0.0-20230321155629-9a39f2531310/go.mod h1:8TI4H3IbrackdNgv+92dI+rhpCaLqM0IfpgCgenFvRE=
-github.com/ProtonMail/go-crypto v0.0.0-20230424174541-a2e3b023bd29 h1:1QMcTLW3bmjbdwFYzodd8EnMA2+OhiZlmrLxoL3tQec=
-github.com/ProtonMail/go-crypto v0.0.0-20230424174541-a2e3b023bd29/go.mod h1:8TI4H3IbrackdNgv+92dI+rhpCaLqM0IfpgCgenFvRE=
-github.com/ProtonMail/go-crypto v0.0.0-20230626094100-7e9e0395ebec h1:vV3RryLxt42+ZIVOFbYJCH1jsZNTNmj2NYru5zfx+4E=
-github.com/ProtonMail/go-crypto v0.0.0-20230626094100-7e9e0395ebec/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
-github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95 h1:KLq8BE0KwCL+mmXnjLWEAOYO+2l2AE4YMmqG1ZpZHBs=
 github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
+github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c h1:kMFnB0vCcX7IL/m9Y5LO+KQYv+t1CQOiFe6+SV2J7bE=
+github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
 github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f h1:tCbYj7/299ekTTXpdwKYF8eBlsYsDVoggDAuAjoK66k=
 github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f/go.mod h1:gcr0kNtGBqin9zDW9GOHcVntrwnjrK+qdJ06mWYBybw=
-github.com/ProtonMail/gopenpgp/v2 v2.7.1 h1:Awsg7MPc2gD3I7IFac2qE3Gdls0lZW8SzrFZ3k1oz0s=
+github.com/ProtonMail/gopenpgp/v2 v2.7.3 h1:AJu1OI/1UWVYZl6QcCLKGu9OTngS2r52618uGlje84I=
-github.com/ProtonMail/gopenpgp/v2 v2.7.1/go.mod h1:/BU5gfAVwqyd8EfC3Eu7zmuhwYQpKs+cGD8M//iiaxs=
+github.com/ProtonMail/gopenpgp/v2 v2.7.3/go.mod h1:IhkNEDaxec6NyzSI0PlxapinnwPVIESk8/76da3Ct3g=
-github.com/ProtonMail/gopenpgp/v2 v2.7.2 h1:mIwxSUPezxNYq0RA5106VPWyKC+Ly3FvBUnBJh/7GWw=
-github.com/ProtonMail/gopenpgp/v2 v2.7.2/go.mod h1:IhkNEDaxec6NyzSI0PlxapinnwPVIESk8/76da3Ct3g=
 github.com/PuerkitoBio/goquery v1.8.1 h1:uQxhNlArOIdbrH1tr0UXwdVFgDcZDrZVdcpygAcwmWM=
 github.com/PuerkitoBio/goquery v1.8.1/go.mod h1:Q8ICL1kNUJ2sXGoAhPGUdYDJvgQgHzJsnnd3H7Ho5jQ=
 github.com/andybalholm/cascadia v1.3.1/go.mod h1:R4bJ1UQfqADjvDa4P6HZHLh/3OxWWEqc0Sk8XGwHqvA=
 github.com/andybalholm/cascadia v1.3.2 h1:3Xi6Dw5lHF15JtdcmAHD3i1+T8plmv7BQ/nsViSLyss=
 github.com/andybalholm/cascadia v1.3.2/go.mod h1:7gtRlve5FxPPgIgX36uWBX58OdBsSS6lUvCFb+h7KvU=
-github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
 github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
-github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I=
-github.com/cloudflare/circl v1.3.2 h1:VWp8dY3yH69fdM7lM6A1+NhhVoDu9vqK0jOgmkQHFWk=
-github.com/cloudflare/circl v1.3.2/go.mod h1:+CauBF6R70Jqcyl8N2hC8pAXYbWkGIezuSbuGLtRhnw=
 github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
 github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -46,8 +34,6 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/santhosh-tekuri/jsonschema/v5 v5.3.0 h1:uIkTLo0AGRc8l7h5l9r+GcYi9qfVPt6lD4/bhmzfiKo=
-github.com/santhosh-tekuri/jsonschema/v5 v5.3.0/go.mod h1:FKdcjfQW6rpZSnxxUvEA5H/cDPdvJ/SZJQLWWXWGrZ0=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
 github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8=
@@ -55,6 +41,7 @@ github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFR
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ=
 go.etcd.io/bbolt v1.3.7/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
@@ -62,12 +49,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.8.0 h1:pd9TJtTueMTVQXzk8E2XESSMQDj/U7OUu0PqJqPXQjQ=
+golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
-golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.10.0 h1:LKqV2xt9+kDzSTfOhx4FrkEBcMrAgHSYgzywV9zcGmM=
-golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I=
-golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
-golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -78,12 +61,9 @@ golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM=
 golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
-golang.org/x/net v0.11.0 h1:Gi2tvZIJyBtO9SDr1q9h5hEQCp/4L2RQ+ar0qjx2oNU=
+golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8=
-golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
-golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
-golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -92,30 +72,23 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU=
 golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s=
+golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
-golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
-golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.7.0 h1:BEvjmm5fURWqcfbSKTdpkDXYBrUS1c0m8agp14W48vQ=
 golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
-golang.org/x/term v0.9.0 h1:GRRCnKYhdQrD8kfRAdQ6Zcw1P0OcELxGLKJvtjVMZ28=
+golang.org/x/term v0.12.0 h1:/ZfYdc3zq+q02Rv9vGqTeSItdzZTSNDmfTi0mBAuidU=
-golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
-golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0=
-golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -123,12 +96,9 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.10.0 h1:UpjohKhiEgNc0CSauXmwYftY1+LlaC75SJwh0SgCX58=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
-golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
-golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -140,3 +110,4 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

internal/certs/certs_test.go

@@ -0,0 +1,63 @@
+// This file is Free Software under the MIT License
+// without warranty, see README.md and LICENSES/MIT.txt for details.
+//
+// SPDX-License-Identifier: MIT
+//
+// SPDX-FileCopyrightText: 2023 German Federal Office for Information Security (BSI) <https://www.bsi.bund.de>
+// Software-Engineering: 2023 Intevation GmbH <https://intevation.de>
+
+package certs
+
+import "testing"
+
+// TestLoadCertificates tests if LoadCertificate correctly loads
+// valid certificates and throws an error at invalid certificates,
+// keys or passphrases
+func TestLoadCertificates(t *testing.T) {
+	var (
+		testCert       = "data/testclient.crt"
+		testKey        = "data/testclientkey.pem"
+		passphrase     = "qwer"
+		missingCert    = "data/testclientcert_missing.crt"
+		missingTestkey = "data/testclientkey_missing.pem"
+		privateKey     = "data/privated.pem"
+		privateCert    = "data/cert.crt"
+	)
+
+	// Try to load cert that is not protected, expect success.
+	if cert, err := LoadCertificate(&testCert, &testKey, nil); cert == nil || err != nil {
+		t.Errorf("Failure: Couldn't load supposedly valid certificate.")
+	}
+	// Try to load no cert, expect error.
+	if cert, err := LoadCertificate(nil, &testKey, nil); cert != nil || err == nil {
+		t.Errorf("Failure: No error despite missing certificate")
+	}
+	// Try to load cert using a nonexistent key, expect error.
+	if cert, err := LoadCertificate(&testCert, &missingTestkey, nil); cert != nil || err == nil {
+		t.Errorf("Failure: No Failure while loading certificate using missing key.")
+	}
+	// Try to decrypt not encrypted cert, expect error
+	if cert, err := LoadCertificate(&testCert, &testKey, &passphrase); cert != nil || err == nil {
+		t.Errorf("Failure: Could load unprotected valid certificate with passphrase.")
+	}
+	// Try to load encrypted cert using a nonexistent key, but valid passphrase. Expect error.
+	if cert, err := LoadCertificate(&testCert, &missingTestkey, &passphrase); cert != nil || err == nil {
+		t.Errorf("Failure: No Failure while loading certificate using missing key with passphrase.")
+	}
+	// Try to load encrypted cert, expecting success.
+	if cert, err := LoadCertificate(&privateCert, &privateKey, &passphrase); cert == nil || err != nil {
+		t.Errorf("Failure: Couldn't load supposedly valid encrypted certificate.")
+	}
+	// Try to load wrong encrypted cert, expecting error.
+	if cert, err := LoadCertificate(&testKey, &privateKey, &passphrase); cert != nil || err == nil {
+		t.Errorf("Failure: No Failure while loading certificate using wrong encrypted key.")
+	}
+	// Try to load nonexistent encrypted cert, expecting error.
+	if cert, err := LoadCertificate(&missingCert, &privateKey, &passphrase); cert != nil || err == nil {
+		t.Errorf("Failure: No Failure while loading nonexistens certificate.")
+	}
+	// Try to load nonexistent encrypted cert, expecting error.
+	if cert, err := LoadCertificate(nil, nil, nil); cert != nil || err != nil {
+		t.Errorf("Failure: Expected nil return.")
+	}
+}

internal/certs/data/cert.crt

@@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIIGajCCBNKgAwIBAgIUGNi4GgCUssOOe3k0VuHf3R0+d54wDQYJKoZIhvcNAQEL
+BQAwgY0xFDASBgNVBAMTC0NvbW1vbiBuYW1lMRMwEQYDVQQLEwppbnRldmF0aW9u
+MRMwEQYDVQQKEwppbnRldmF0aW9uMRMwEQYDVQQHEwppbnRldmF0aW9uMRUwEwYD
+VQQIEwxMb3dlciBTYXhvbnkxCzAJBgNVBAYTAkdFMRIwEAYKCZImiZPyLGQBGRYC
+REMwHhcNMjMwOTE5MDcwMDA1WhcNMjYwNjE0MDcwMDA3WjCB8DEQMA4GA1UEAxMH
+cmVxdWVzdDETMBEGA1UECxMKaW50ZXZhdGlvbjETMBEGA1UEChMKaW50ZXZhdGlv
+bjETMBEGA1UEBxMKb3NuYWJydWVjazEVMBMGA1UECBMMbG93ZXIgc2F4b255MQsw
+CQYDVQQGEwJHRTESMBAGCgmSJomT8ixkARkWAkRDMREwDwYKCZImiZPyLGQBGRYB
+LjERMA8GCgmSJomT8ixkARkWAS4xETAPBgoJkiaJk/IsZAEZFgEuMRMwEQYKCZIm
+iZPyLGQBGRYDd3d3MRcwFQYKCZImiZPyLGQBARMHbm8gaWRlYTCCAaIwDQYJKoZI
+hvcNAQEBBQADggGPADCCAYoCggGBAN0vZbLXtRzd61rR8Hos0BGnqCaJXIwGARwx
+JojMyxASFT+KeC4QDRkgRrK6OY4k/i7TEHuUGk/Bm754++554wmmhDqv1Q4+VhhR
+1K/JAz/HVZNTAR1rPKwG82lyEpPxlRNZg/QtF9DqQSoSkL/fJLs+rq4zlKozXzRE
+auZ5Be8So1dXRZfMVUMDgtk+IX8+iCeZisiWfv62ttQ0EiuiXLagd6ruEuoCSVi2
+tVswsC/Hp8AI2Ro56mmHiWthuae1H8yDWUFLSe9AQW65qC/xVUgo/nMpK2BYVFKb
+70TMjl/dZM0Qn1tdiNyqCkbIhXjklZvZYhO+15TPkgDXDsqRUjpTrLZXLGrD6XIx
+CRLZGY6YrUfsFTjUC6JrUrAR8zY7SLsYN5sUmFUSMpJnI+T/SD4p/0CXrKrbMOjW
+Qqz6FX/WHPxvswGKHk5zHYGHrzx7OKmfVa6gzUgZSfOHj2xOOR2Un9DwNavIrmSC
+WYXKZqig5qDyfzBvlXWEio/5GrDwgQIDAQABo4IBWzCCAVcwgcIGA1UdEQSBujCB
+t4IrYSBkbnNOYW1lIG9mIHRoZSBzdWJqZWN0IG9mIHRoZSBjZXJ0aWZpY2F0ZYI3
+YW4gYWRkaXRpb25hbCBkbnNOYW1lIG9mIHRoZSBzdWJqZWN0IG9mIHRoZSBjZXJ0
+aWZpY2F0ZYIBLoIBLoIBLoIBLoIBLoIBLoIBLoIBLoIBLoIBLoIBLoIBLoIBLoIP
+c2Vjb25kIGFkZGl0aW9ugg50aGlyZCBhZGRpdGlvboIHZG5zTmFtZTAMBgNVHRMB
+Af8EAjAAMDEGA1UdJQQqMCgGCCsGAQUFBwMJBggrBgEFBQcDAgYIKwYBBQUHAwEG
+CCsGAQUFBwMCMA8GA1UdDwEB/wQFAwMHsAAwHQYDVR0OBBYEFKrFhODjTKCopb+W
+Qa29PsHR4HXgMB8GA1UdIwQYMBaAFCyZxCa1ZUHVy8LjikE8zumAiEgfMA0GCSqG
+SIb3DQEBCwUAA4IBgQBTrAgh6d+qiLumEfmkNCmhewxKxDZp+Ni2nz9XRzNO2cQE
+U0n8MdbnQInW3xJXng2sAcl1fQz0RN1hkyjDwi69mbbPgcTYmxJFvyt+zRYBe/Sq
+4CGGkxEdPW94tMpQ6SrCn2mAMnvcq9A1pYBVYyPeUsaRHC5OUBFOMCevNy8JwNyY
+MJ0H5HQCyCysbzA1d521pogGUs/tmbE+ym9zpV8vG0b6De1PexjVeGkTNYz6NCR2
+VZTQ+OJ5iE5pHPEC1Qif44LrR9Kdn/wu3RjTYyHeBOJFjK+DKgleNF4QVTcZQIPE
+snN4H+/VSgTZQ3kgWbtpd1m5oRBJovEc2Qe+l+iDFCk8OA4z/x+fkvOeD3NUAl7D
+9Pt3cP3UtWUJp4NJn2dvUljmQhB02HSqdNBhqKSg4/cf7l8Zo1ejvBUosrlgw3C3
+apDaC4/xk7woFKVYW25teH2ze+Gpz/YsLDtmL7Bri8CGVsqsN9yqO8SstwKBa3Rt
+xQ2em6XnnanApT4iFX4=
+-----END CERTIFICATE-----

internal/certs/data/privated.pem

@@ -0,0 +1,42 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-CBC,054A583F6C90570F
+
+tlGw8qlO25FaQdRLkai5L1JHWz/5fC4zd3qFISWssYH2FEnz8yfYsCoRLivVYhJB
+fswOTj9h5b1RYRsWfIwCGfyNeOj8hkQrLwCW607vbhydGGJ4xc5RBF9MK0QCjSNT
+r8myedNyfI4nm5enNVFDqYsqAc7cA3m1qw+QsAhPOrASDTp5svHR7g9+T6P5GDHm
+B79nap02kfmodC7ytmWDBEclJ45Y19LOucN0+Nl6JgKkQEfWB/p2s2kGAGY1Of3X
+/ERPOqeqZdFSdPDyX+mrzjGVhypgjBaz7XRh8OSeW8UP70rE+9aZKn9fIs2NyYMH
+wwCElUmFV1Ye+/JtE4+Rcu6pG7NrX1rAC+pqPZaF8PT/kEuawiwrMuU0RP/8Y6mn
+PRZZGZhXwBcfWPDN+JIj7e1NAXynwP/d4Pc4nb1O6EG3/Yip+F9NNaNbEfS4z9eV
+Se7Gr/ySwxFhww9KhMtFYhkb6DVzy7StXpDqDmLhaF+qGCl86XRzZHho6EwQi+9r
+c3VXbgogbjwIP8OgAKIZLuMxETZb0rvOr87sMAiqWRx+gRhryNniNr70anY8Vkpl
+jcw6SJdqWuvOGaKjxWgdcHOzHdISEu/W6z8euTzMxX6/C7hBrKT8Edt71Jha26a5
+ZZNDH2XoqDphelfCbrARhw4P++KcnhPsY2da5cJ4021dfwXQGbGjcW1EAR3tCP/U
+NKWc8Wm4dzuQSMqJERbWlXL8/UuvtyJR8VgNueg8EAHXCWBCS9i1i06gla9gPbdy
+erhMDtUsJepFPDZVuqvm0dIjBaldl+74FHnPQ6+qFHXy6f71bGOmbonspnApqoeP
+gc4zB65Nv+ws//XfdgwHhmtUkWS2ANPNQhU9o92l8XlqKicGC72dEEsR2TMS7fEW
+K9/d06ZGu83FEXL43OXN79JmkpblonCWRgyVF7WPGufm+dtmR5zlIQruW2FJVwPZ
+QmOioJYlSopOztyyBIuhZaNwVDQgoFtwHKRWAUseodzmHuPpvWCBjlL4hebJ7O0T
+HGHGddqam3IPmyradhk0o1Qb54uk9rrzKWjcOEw850mJt3DnkHRNRgY96Gg0fA+m
++UxEOuGPvOudOMtC32vDKwAZ9eGgxAKea/kvaLFdPqwiq3B+IBetjSYGZ2kxVOAD
+K8rHH6bnzrrasKHfOIBpw4MsiAG19sW1fFL61v5OXTcLOEQ/UVC8WinSj3JK894O
+XjETyg8zvH+bYdlv9T2SGvAAzv1bJ3Iw9kb2VK0ZgwfwQgKpCDe6PEFLP7K2NNdF
+zSw1GHOiDewsMD7VSfkmtevhzTOcQd/3uoyn/5ftcvcbqI4CGxP6kOxmul3NdfYl
+insi95+IuhkSUQL02AdkI3SQhSnfmFRZSsy6JTXSN/7XOOzRFyMJcR1WlXOKFpt9
+G/bYGjVmfxtRqH4ZO7irCPiM+ZudXvPCl5VhZReBsJeEJcNuR36QTJIL3RQHyKTD
+9Z12PegrgPXDgkSns1s8phTu+GygIEh67yLPbPYohYYbJUOkab7Il3JauihnuMSP
+2BDDbwdvL1V7TQCmnopNb1srZj3q/1eWKmik2U1kvc78c3W03NC5wFETic2QCM9z
+u/IaKAjO/kvSB8+ClSYaZDVLuBgUHf0DSG9cb5eoPqFt3t4zuWQhQjJR1YlLtQsJ
+YSQFf0WqGj6sA2+AIy6Fv3oitlOPtRi/2seZ8ACSqxbwUFf3to8ZA3rJNoaYLvsT
+sz++DrA8oHr4eDOiCoLeU6MLNiUvB6RGtjDwhQDh2LoJJyAdh9wB3vaAmEJ1u3o4
+cGyTCxbbkxRCWhMWW4NJbvdZORYhhhIu+TH5DaLgsZS1n+UF/amKQ0m8sj968Uo/
+w05QBNm/F3zg5dpzyW7uEfti8DaP/apDcf1dHSpk9ERkJ/QSIdgzGmrROQvh2tF/
+nvubXXMAex0tXFS6eyIZVgkT1S5eF001DsxIlp/jY6oFUYHquMcOQkyRAvUTvLO1
+pkexrPYrmx/alP71nNrBfixSTHMuPVb2jC38ElzllgxHfaaI5Q1hef4lVaErNaQ3
+m1hvE7dYkNomTt9fu/LHaxtw/P1eBlL44QcfqdqL67ROES+fB27d8vbajm1EQraw
+QUoY+NM5KeQyKeRPWxDVQwAv02Lof/FSiB01yNqrzmRojtTykKB5VrnIA1DDP2vI
+SoZjPZOSIJHh3qlDaKxlGOQD9Wp4OtIPLqxpBmRgGcq2AVtm57jRAF634nTGvB+N
+7fvMpBay3EZy3sauM4MZk7bytJKK6huQjmER+GM/F/Wyw28L7rewK8ukPKx8Wybc
+ljVLrduRPt97JH4WWejy+k5vv4LHWJLsGGU474YHGMXF2VE3kJ3JKj8Wm5gS6p/p
+-----END RSA PRIVATE KEY-----

internal/certs/data/testclient.crt

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEkDCCAvigAwIBAgIBFDANBgkqhkiG9w0BAQsFADBKMQ8wDQYDVQQDEwZUZXN0
+ZXIxKjAoBgNVBAoTIUNTQUYgVG9vbHMgRGV2ZWxvcG1lbnQgKGludGVybmFsKTEL
+MAkGA1UEBhMCREUwHhcNMjMwOTA0MDcyMjAzWhcNMjMxMDI0MDcyMjAzWjBVMRow
+GAYDVQQDExFUTFMgVGVzdCBDbGllbnQgMTEqMCgGA1UEChMhQ1NBRiBUb29scyBE
+ZXZlbG9wbWVudCAoaW50ZXJuYWwpMQswCQYDVQQGEwJERTCCAaIwDQYJKoZIhvcN
+AQEBBQADggGPADCCAYoCggGBAN0vZbLXtRzd61rR8Hos0BGnqCaJXIwGARwxJojM
+yxASFT+KeC4QDRkgRrK6OY4k/i7TEHuUGk/Bm754++554wmmhDqv1Q4+VhhR1K/J
+Az/HVZNTAR1rPKwG82lyEpPxlRNZg/QtF9DqQSoSkL/fJLs+rq4zlKozXzREauZ5
+Be8So1dXRZfMVUMDgtk+IX8+iCeZisiWfv62ttQ0EiuiXLagd6ruEuoCSVi2tVsw
+sC/Hp8AI2Ro56mmHiWthuae1H8yDWUFLSe9AQW65qC/xVUgo/nMpK2BYVFKb70TM
+jl/dZM0Qn1tdiNyqCkbIhXjklZvZYhO+15TPkgDXDsqRUjpTrLZXLGrD6XIxCRLZ
+GY6YrUfsFTjUC6JrUrAR8zY7SLsYN5sUmFUSMpJnI+T/SD4p/0CXrKrbMOjWQqz6
+FX/WHPxvswGKHk5zHYGHrzx7OKmfVa6gzUgZSfOHj2xOOR2Un9DwNavIrmSCWYXK
+Zqig5qDyfzBvlXWEio/5GrDwgQIDAQABo3YwdDAMBgNVHRMBAf8EAjAAMBMGA1Ud
+JQQMMAoGCCsGAQUFBwMCMA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0OBBYEFKrFhODj
+TKCopb+WQa29PsHR4HXgMB8GA1UdIwQYMBaAFI6GhktAq9L2uRChC9LcXeedKiUg
+MA0GCSqGSIb3DQEBCwUAA4IBgQAbUDaIkmubooDde7BpZQx742BsPg4IN68bIg9A
+3jI9codx9c8l9ROvZ/7FeRNXzhYrQUwzcKpwtQ1mB7kM85oXaTLxrtnkZAO2fFSb
+8RA6QjOrnOvewWaO3moCZaPnN1wWtlnUev2tD7D2Tz/f20dE2wbDV0BGb8bU4eGI
+UVgzYrMh0MHaC8LKoXUWP97jp/p+9CG4D2S1CmpzP2Nm1dS03oj4UHIUtamjivYY
+vOeoKATXmj59lgYqqoAVbTH6f4mZlZGmzUhRxK6hck7xBdiXAwfta72m4WzE7HRh
+nHAgO5aVWb6zltvVDJhYumB9Itv+LI7uU8fF9Uyc65SZ2BevxgikoDNxTx0oNr+4
+hExQhJfKuPFF2NI1N2tPYJT53Cek/ZJfjX3TyBneqehthtRqoAIIEaF/QlXqzJIi
+G66YFC3xFlLmaQh52DJkF2+hzcPhFTVQv3yCirGLUSS9Nm7vTO2wnnW5arZazSV+
+enRZb3oiVYFVDh0Hymz9g5VraMw=
+-----END CERTIFICATE-----

internal/certs/data/testclientkey.pem

@@ -0,0 +1,182 @@
+Public Key Info:
+	Public Key Algorithm: RSA
+	Key Security Level: High (3072 bits)
+
+modulus:
+	00:dd:2f:65:b2:d7:b5:1c:dd:eb:5a:d1:f0:7a:2c:d0
+	11:a7:a8:26:89:5c:8c:06:01:1c:31:26:88:cc:cb:10
+	12:15:3f:8a:78:2e:10:0d:19:20:46:b2:ba:39:8e:24
+	fe:2e:d3:10:7b:94:1a:4f:c1:9b:be:78:fb:ee:79:e3
+	09:a6:84:3a:af:d5:0e:3e:56:18:51:d4:af:c9:03:3f
+	c7:55:93:53:01:1d:6b:3c:ac:06:f3:69:72:12:93:f1
+	95:13:59:83:f4:2d:17:d0:ea:41:2a:12:90:bf:df:24
+	bb:3e:ae:ae:33:94:aa:33:5f:34:44:6a:e6:79:05:ef
+	12:a3:57:57:45:97:cc:55:43:03:82:d9:3e:21:7f:3e
+	88:27:99:8a:c8:96:7e:fe:b6:b6:d4:34:12:2b:a2:5c
+	b6:a0:77:aa:ee:12:ea:02:49:58:b6:b5:5b:30:b0:2f
+	c7:a7:c0:08:d9:1a:39:ea:69:87:89:6b:61:b9:a7:b5
+	1f:cc:83:59:41:4b:49:ef:40:41:6e:b9:a8:2f:f1:55
+	48:28:fe:73:29:2b:60:58:54:52:9b:ef:44:cc:8e:5f
+	dd:64:cd:10:9f:5b:5d:88:dc:aa:0a:46:c8:85:78:e4
+	95:9b:d9:62:13:be:d7:94:cf:92:00:d7:0e:ca:91:52
+	3a:53:ac:b6:57:2c:6a:c3:e9:72:31:09:12:d9:19:8e
+	98:ad:47:ec:15:38:d4:0b:a2:6b:52:b0:11:f3:36:3b
+	48:bb:18:37:9b:14:98:55:12:32:92:67:23:e4:ff:48
+	3e:29:ff:40:97:ac:aa:db:30:e8:d6:42:ac:fa:15:7f
+	d6:1c:fc:6f:b3:01:8a:1e:4e:73:1d:81:87:af:3c:7b
+	38:a9:9f:55:ae:a0:cd:48:19:49:f3:87:8f:6c:4e:39
+	1d:94:9f:d0:f0:35:ab:c8:ae:64:82:59:85:ca:66:a8
+	a0:e6:a0:f2:7f:30:6f:95:75:84:8a:8f:f9:1a:b0:f0
+	81:
+
+public exponent:
+	01:00:01:
+
+private exponent:
+	14:ff:c0:f9:ff:bc:b4:26:e5:87:53:d3:2e:e6:3e:42
+	ce:d6:0a:02:94:84:be:b5:30:46:02:50:8e:90:e0:cf
+	b6:b0:b7:a6:bd:48:cc:d5:8b:d8:ea:72:ff:af:dd:17
+	3c:be:d1:1b:ca:6d:cd:10:a6:86:a8:d9:d2:44:44:27
+	d0:65:51:65:0c:27:34:07:dc:7b:38:64:10:03:7c:f4
+	a1:cd:40:de:24:3a:e0:21:bc:ef:33:1d:9f:61:e8:57
+	ac:e4:9c:c0:7b:df:7c:f8:20:83:ac:0b:8e:0b:d3:62
+	eb:8a:8e:03:5b:a3:e5:08:ae:df:a7:fe:85:92:e8:a5
+	ae:58:46:72:d6:fc:91:43:b1:7b:a4:c0:5f:51:c3:50
+	0d:e2:67:e8:af:51:13:41:a9:8d:ef:fb:a1:a4:e2:84
+	7c:2b:a0:50:c5:fe:ed:84:a5:25:83:86:4a:d3:0f:56
+	37:38:e6:1e:26:7d:45:22:0b:ba:22:35:be:f8:8b:1b
+	72:90:13:c4:1f:c5:d1:34:b5:0e:b2:ee:f7:e1:b9:5e
+	a2:29:8d:f9:6e:23:4b:50:8f:35:c8:a9:f3:d2:1f:dd
+	ce:a0:96:50:2d:2e:af:cf:b5:e1:20:e7:e9:d2:49:ed
+	b5:0e:5b:3e:d1:4b:f1:fa:c2:73:3a:1b:51:34:7e:75
+	30:06:d2:47:d2:a8:2a:45:be:16:fb:8f:63:84:85:b7
+	bf:f7:c4:c5:3d:95:56:8c:d1:02:7f:58:ac:4d:11:7b
+	c5:55:f3:c8:4e:d7:d9:aa:62:b0:e3:1e:04:5c:97:d1
+	ca:e2:71:aa:8b:33:b4:34:e9:04:d4:70:7c:f4:cb:57
+	19:c1:03:23:f4:bc:4d:91:8f:b2:9a:99:1c:6c:81:2d
+	4d:2d:e9:a1:e3:ce:e3:c9:62:52:89:1f:47:86:61:f1
+	dd:bc:46:8d:79:0a:99:9d:aa:4b:a9:0a:72:54:db:dc
+	ae:48:be:60:4a:73:99:d8:3c:9e:07:78:05:df:87:39
+	
+
+prime1:
+	00:e9:63:0f:d7:49:31:27:a8:36:fe:95:bd:8d:05:c1
+	35:48:2e:03:4f:a6:57:54:3a:a4:95:3f:8e:9f:28:7c
+	d2:df:af:54:36:9e:7c:9f:c3:b9:64:8f:c0:b0:96:3c
+	aa:01:f6:9a:be:83:e2:85:20:0d:33:de:88:97:af:6f
+	be:3f:53:5a:a3:77:02:fd:81:17:91:3b:b2:2d:ab:78
+	db:d9:43:db:04:69:82:61:30:e4:96:ac:88:8b:f6:3f
+	56:c4:49:fd:d5:e5:8c:9d:30:ad:cf:d9:8d:5c:87:b5
+	27:4b:09:8e:19:ed:e2:11:3f:69:b2:47:be:70:39:11
+	41:a3:db:bb:b9:0e:e4:7b:50:d0:d2:c2:89:81:36:b9
+	6b:a6:fe:94:5b:06:66:e6:ed:86:52:42:5e:a9:0e:18
+	db:18:f9:14:21:3d:e0:3c:8d:79:c3:f5:d2:cc:51:65
+	fb:1c:49:ed:0a:d5:33:99:34:16:f9:1d:68:4a:78:da
+	5f:
+
+prime2:
+	00:f2:9d:ae:5f:bd:b7:a3:87:a7:8d:30:46:06:8b:15
+	a9:e5:a9:58:1c:2b:3a:7e:78:35:36:56:31:42:df:46
+	87:e8:57:0d:6e:99:de:cf:fb:a8:72:16:71:4b:b3:ad
+	ed:74:07:cb:cf:7d:2b:12:89:66:c4:0f:8a:ea:e3:37
+	17:2c:75:92:11:7a:a6:da:29:24:33:9b:69:c2:64:68
+	03:db:31:de:fe:1d:a2:4d:9d:91:9f:f0:50:b8:8f:d0
+	22:11:b9:b0:95:98:5e:65:bf:45:97:9b:35:f2:98:27
+	46:7c:b2:86:eb:7b:8b:57:f2:c3:49:47:7d:01:4a:9a
+	b0:e6:67:05:e5:61:7a:ab:63:c8:cb:d8:44:69:88:72
+	a5:a9:60:89:60:df:e6:d9:4d:16:2b:35:7b:20:00:f3
+	3c:d1:78:f9:22:eb:48:c3:7f:78:63:e6:34:60:48:30
+	66:02:bb:38:c2:94:2e:b9:86:b2:2f:9a:4f:17:7f:e1
+	1f:
+
+coefficient:
+	00:93:3e:7c:b9:ea:87:52:37:fa:d5:0a:36:fb:e1:d0
+	fc:62:4d:00:0b:ad:a8:fb:bd:34:53:96:c2:6c:a1:6a
+	49:b7:a0:24:33:16:95:79:14:ac:bb:75:8d:78:e9:10
+	fa:be:44:60:58:94:4a:9c:ba:64:1d:86:27:8b:7f:51
+	4d:80:b0:ff:7a:91:c0:4d:a4:aa:d1:f1:79:7d:8f:71
+	49:12:73:d4:44:5f:0c:2e:55:a6:d9:13:b8:3b:e5:dc
+	e1:14:98:7e:eb:5b:60:ad:d7:4b:da:c0:d8:3f:bf:70
+	92:53:8c:31:6a:8b:61:5e:a3:7d:ff:84:2c:7d:ed:9f
+	74:29:9a:e7:14:fb:c3:ab:8e:9f:60:6a:98:ab:86:0b
+	ea:fb:ff:20:2f:3b:a7:76:03:3a:55:bb:b2:c6:9c:b5
+	66:36:b8:1c:7f:9b:b6:62:89:ff:6a:d6:35:58:0b:f0
+	55:27:01:f0:67:8d:88:3f:74:48:3d:bf:8c:fc:05:62
+	47:
+
+exp1:
+	00:99:16:2d:91:dd:a4:ac:8a:9e:68:27:f8:89:c4:38
+	93:a6:a0:e7:f3:1a:fd:35:76:b1:f6:64:16:3d:37:e5
+	88:bc:c8:d8:c8:6a:f4:fc:26:fa:38:88:42:b0:92:1b
+	80:b8:80:f5:c7:f9:e2:5f:c8:42:60:bf:9b:81:43:c6
+	5c:58:55:68:a2:c8:b1:e1:6f:07:f2:6f:e1:d4:2b:21
+	bf:b3:a7:da:c5:ee:1f:63:79:1a:b7:ea:bc:36:72:73
+	e1:8a:27:ae:a4:db:49:7c:e2:2d:60:a5:27:20:86:b3
+	c0:ee:6b:7a:16:6f:ff:55:a8:ee:bf:ce:67:90:5d:1e
+	80:9b:e6:ca:1f:fd:30:c9:e2:9c:d7:62:5b:a7:b2:29
+	b5:ff:78:06:00:1f:16:e8:6a:ed:2c:8f:f4:5f:97:ab
+	9e:2b:a7:56:18:e7:e9:6a:4e:b2:8c:63:76:be:26:b6
+	6a:1c:88:31:40:65:d0:ce:b1:68:50:47:85:dd:33:a0
+	a9:
+
+exp2:
+	00:8d:b1:5f:7c:94:ed:62:39:40:b6:a9:a1:cc:02:80
+	c5:77:d6:9e:19:dd:79:4d:11:61:6a:79:8e:4d:92:de
+	bb:53:0b:3c:52:02:d5:69:3c:7d:95:1b:dc:51:2d:00
+	00:35:0a:b4:92:5a:74:c4:5f:b0:c0:02:9f:cc:2c:a5
+	29:08:93:25:9a:c5:ba:1a:a1:7a:7e:15:5e:ff:e3:ea
+	07:8e:85:a2:c9:60:7f:40:bb:2c:a8:6f:0e:85:ab:a0
+	0f:b5:b0:70:1b:fe:1f:eb:66:78:fb:60:ef:71:de:40
+	d9:de:cb:d9:16:40:52:12:2c:3a:b7:5a:63:fc:54:18
+	e2:05:bd:d7:68:ae:b4:98:d2:2f:1c:36:13:46:5b:25
+	31:f1:28:eb:32:c3:b1:2b:e9:e4:6f:99:cd:6d:d4:80
+	3a:5d:d0:3c:18:93:b7:2c:4e:0e:fe:b1:1c:97:ba:b1
+	61:72:68:eb:6e:60:62:a5:81:b0:21:33:0a:cc:1b:a8
+	5b:
+
+
+Public Key PIN:
+	pin-sha256:iFdBnKP/7hZCLdj7qqTtdNPFjpZGka259fSYvv3X02U=
+Public Key ID:
+	sha256:8857419ca3ffee16422dd8fbaaa4ed74d3c58e964691adb9f5f498befdd7d365
+	sha1:aac584e0e34ca0a8a5bf9641adbd3ec1d1e075e0
+
+-----BEGIN RSA PRIVATE KEY-----
+MIIG5QIBAAKCAYEA3S9lste1HN3rWtHweizQEaeoJolcjAYBHDEmiMzLEBIVP4p4
+LhANGSBGsro5jiT+LtMQe5QaT8Gbvnj77nnjCaaEOq/VDj5WGFHUr8kDP8dVk1MB
+HWs8rAbzaXISk/GVE1mD9C0X0OpBKhKQv98kuz6urjOUqjNfNERq5nkF7xKjV1dF
+l8xVQwOC2T4hfz6IJ5mKyJZ+/ra21DQSK6JctqB3qu4S6gJJWLa1WzCwL8enwAjZ
+GjnqaYeJa2G5p7UfzINZQUtJ70BBbrmoL/FVSCj+cykrYFhUUpvvRMyOX91kzRCf
+W12I3KoKRsiFeOSVm9liE77XlM+SANcOypFSOlOstlcsasPpcjEJEtkZjpitR+wV
+ONQLomtSsBHzNjtIuxg3mxSYVRIykmcj5P9IPin/QJesqtsw6NZCrPoVf9Yc/G+z
+AYoeTnMdgYevPHs4qZ9VrqDNSBlJ84ePbE45HZSf0PA1q8iuZIJZhcpmqKDmoPJ/
+MG+VdYSKj/kasPCBAgMBAAECggGAFP/A+f+8tCblh1PTLuY+Qs7WCgKUhL61MEYC
+UI6Q4M+2sLemvUjM1YvY6nL/r90XPL7RG8ptzRCmhqjZ0kREJ9BlUWUMJzQH3Hs4
+ZBADfPShzUDeJDrgIbzvMx2fYehXrOScwHvffPggg6wLjgvTYuuKjgNbo+UIrt+n
+/oWS6KWuWEZy1vyRQ7F7pMBfUcNQDeJn6K9RE0Gpje/7oaTihHwroFDF/u2EpSWD
+hkrTD1Y3OOYeJn1FIgu6IjW++IsbcpATxB/F0TS1DrLu9+G5XqIpjfluI0tQjzXI
+qfPSH93OoJZQLS6vz7XhIOfp0knttQ5bPtFL8frCczobUTR+dTAG0kfSqCpFvhb7
+j2OEhbe/98TFPZVWjNECf1isTRF7xVXzyE7X2apisOMeBFyX0cricaqLM7Q06QTU
+cHz0y1cZwQMj9LxNkY+ympkcbIEtTS3poePO48liUokfR4Zh8d28Ro15Cpmdqkup
+CnJU29yuSL5gSnOZ2DyeB3gF34c5AoHBAOljD9dJMSeoNv6VvY0FwTVILgNPpldU
+OqSVP46fKHzS369UNp58n8O5ZI/AsJY8qgH2mr6D4oUgDTPeiJevb74/U1qjdwL9
+gReRO7Itq3jb2UPbBGmCYTDklqyIi/Y/VsRJ/dXljJ0wrc/ZjVyHtSdLCY4Z7eIR
+P2myR75wORFBo9u7uQ7ke1DQ0sKJgTa5a6b+lFsGZubthlJCXqkOGNsY+RQhPeA8
+jXnD9dLMUWX7HEntCtUzmTQW+R1oSnjaXwKBwQDyna5fvbejh6eNMEYGixWp5alY
+HCs6fng1NlYxQt9Gh+hXDW6Z3s/7qHIWcUuzre10B8vPfSsSiWbED4rq4zcXLHWS
+EXqm2ikkM5tpwmRoA9sx3v4dok2dkZ/wULiP0CIRubCVmF5lv0WXmzXymCdGfLKG
+63uLV/LDSUd9AUqasOZnBeVheqtjyMvYRGmIcqWpYIlg3+bZTRYrNXsgAPM80Xj5
+IutIw394Y+Y0YEgwZgK7OMKULrmGsi+aTxd/4R8CgcEAmRYtkd2krIqeaCf4icQ4
+k6ag5/Ma/TV2sfZkFj035Yi8yNjIavT8Jvo4iEKwkhuAuID1x/niX8hCYL+bgUPG
+XFhVaKLIseFvB/Jv4dQrIb+zp9rF7h9jeRq36rw2cnPhiieupNtJfOItYKUnIIaz
+wO5rehZv/1Wo7r/OZ5BdHoCb5sof/TDJ4pzXYlunsim1/3gGAB8W6GrtLI/0X5er
+niunVhjn6WpOsoxjdr4mtmociDFAZdDOsWhQR4XdM6CpAoHBAI2xX3yU7WI5QLap
+ocwCgMV31p4Z3XlNEWFqeY5Nkt67Uws8UgLVaTx9lRvcUS0AADUKtJJadMRfsMAC
+n8wspSkIkyWaxboaoXp+FV7/4+oHjoWiyWB/QLssqG8OhaugD7WwcBv+H+tmePtg
+73HeQNney9kWQFISLDq3WmP8VBjiBb3XaK60mNIvHDYTRlslMfEo6zLDsSvp5G+Z
+zW3UgDpd0DwYk7csTg7+sRyXurFhcmjrbmBipYGwITMKzBuoWwKBwQCTPny56odS
+N/rVCjb74dD8Yk0AC62o+700U5bCbKFqSbegJDMWlXkUrLt1jXjpEPq+RGBYlEqc
+umQdhieLf1FNgLD/epHATaSq0fF5fY9xSRJz1ERfDC5VptkTuDvl3OEUmH7rW2Ct
+10vawNg/v3CSU4wxaothXqN9/4Qsfe2fdCma5xT7w6uOn2BqmKuGC+r7/yAvO6d2
+AzpVu7LGnLVmNrgcf5u2Yon/atY1WAvwVScB8GeNiD90SD2/jPwFYkc=
+-----END RSA PRIVATE KEY-----

internal/filter/filter_test.go

@@ -0,0 +1,39 @@
+// This file is Free Software under the MIT License
+// without warranty, see README.md and LICENSES/MIT.txt for details.
+//
+// SPDX-License-Identifier: MIT
+//
+// SPDX-FileCopyrightText: 2023 German Federal Office for Information Security (BSI) <https://www.bsi.bund.de>
+// Software-Engineering: 2023 Intevation GmbH <https://intevation.de>
+
+package filter
+
+import (
+	"testing"
+)
+
+// TestNewPatternMatcher tests if NewPatternMatcher recognizes
+// whether a set of sample regular expressions is valid
+func TestNewPatternMatcher(t *testing.T) {
+	var regex []string
+	if pm, err := NewPatternMatcher(regex); pm == nil || err != nil {
+		t.Errorf("Failure: Did not compile valid regex pattern")
+	}
+	regex = append(regex, "++")
+	if pm, err := NewPatternMatcher(regex); pm != nil || err == nil {
+		t.Errorf("Failure: No error returned at invalid compile pattern")
+	}
+}
+
+// TestMatches tests if Matches returns whether a given string
+// matches a sample of the expressions correctly.
+func TestMatches(t *testing.T) {
+	regex := []string{"a"}
+	pm, _ := NewPatternMatcher(regex)
+	if !pm.Matches("a") {
+		t.Errorf("Failure: Did not match two identical strings")
+	}
+	if pm.Matches("b") {
+		t.Errorf("Failure: Matched two non-matching strings")
+	}
+}

internal/misc/mime_test.go

@@ -0,0 +1,25 @@
+// This file is Free Software under the MIT License
+// without warranty, see README.md and LICENSES/MIT.txt for details.
+//
+// SPDX-License-Identifier: MIT
+//
+// SPDX-FileCopyrightText: 2023 German Federal Office for Information Security (BSI) <https://www.bsi.bund.de>
+// Software-Engineering: 2023 Intevation GmbH <https://intevation.de>
+
+package misc
+
+import (
+	"io"
+	"mime/multipart"
+	"testing"
+)
+
+// TestCreateFormFile tests if CreateFormFile throws an error when creating
+// a FormFile
+func TestCreateFormFile(t *testing.T) {
+	writer := multipart.NewWriter(io.Discard)
+
+	if _, err := CreateFormFile(writer, "csaf", "data", "application/json"); err != nil {
+		t.Errorf("Failure: failed to create an io.Writer via CreateFormFile")
+	}
+}

internal/models/models.go

@@ -28,6 +28,14 @@ func NewTimeInterval(a, b time.Time) TimeRange {
 	return TimeRange{a, b}
 }
 
+// Year returns the time range for a given year.
+func Year(year int) TimeRange {
+	return TimeRange{
+		time.Date(year, time.January, 1, 0, 0, 0, 0, time.UTC),
+		time.Date(year, time.December, 31, 23, 59, 59, int(time.Second-time.Nanosecond), time.UTC),
+	}
+}
+
 // guessDate tries to guess an RFC 3339 date time from a given string.
 func guessDate(s string) (time.Time, bool) {
 	for _, layout := range []string{
@@ -100,3 +108,8 @@ func (tr *TimeRange) UnmarshalFlag(s string) error {
 func (tr TimeRange) Contains(t time.Time) bool {
 	return !(t.Before(tr[0]) || t.After(tr[1]))
 }
+
+// Intersects returns true if the two time ranges intersects.
+func (tr TimeRange) Intersects(other TimeRange) bool {
+	return !(other[1].Before(tr[0]) || tr[1].Before(other[0]))
+}

internal/models/models_test.go

@@ -0,0 +1,168 @@
+// This file is Free Software under the MIT License
+// without warranty, see README.md and LICENSES/MIT.txt for details.
+//
+// SPDX-License-Identifier: MIT
+//
+// SPDX-FileCopyrightText: 2023 German Federal Office for Information Security (BSI) <https://www.bsi.bund.de>
+// Software-Engineering: 2023 Intevation GmbH <https://intevation.de>
+
+package models
+
+import (
+	"testing"
+	"time"
+)
+
+// TestNewTimeInterval tests the creation of time intervals via NewTimeInterval()
+func TestNewTimeInterval(t *testing.T) {
+	var (
+		before          = time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC)
+		after           = time.Date(2010, time.November, 10, 23, 0, 0, 0, time.UTC)
+		pseudoTimeRange = TimeRange{before, after}
+	)
+	if NewTimeInterval(after, before) != pseudoTimeRange {
+		t.Errorf("Failure: Couldn't generate timerange.")
+	}
+}
+
+// TestGuessDate tests whether a sample of strings are correctly parsed into Dates by guessDate()
+func TestGuessDate(t *testing.T) {
+	if _, guess := guessDate("2006-01-02T15:04:05"); !guess {
+		t.Errorf("Failure: Could not guess valid Date from valid string")
+	}
+	if _, guess := guessDate("2006"); !guess {
+		t.Errorf("Failure: Could not guess valid Date from valid string")
+	}
+	if _, guess := guessDate("2006-01-02"); !guess {
+		t.Errorf("Failure: Could not guess valid Date from valid string")
+	}
+
+	if _, guess := guessDate(""); guess {
+		t.Errorf("Failure: Guessed Date from invalid string")
+	}
+}
+
+// TestUnmarshalText tests whether UnmarshalText() correctly unmarshals a sample of byteSlices
+func TestUnmarshalText(t *testing.T) {
+	testTimeRange := NewTimeInterval(
+		time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC),
+		time.Date(2010, time.November, 10, 23, 0, 0, 0, time.UTC))
+	byteSlice := []byte{'3', 'h'}
+	var emptySlice []byte
+	if testTimeRange.UnmarshalText(byteSlice) != nil {
+		t.Errorf(testTimeRange.UnmarshalText(byteSlice).Error())
+	}
+	if testTimeRange.UnmarshalText(emptySlice) == nil {
+		t.Errorf("Failure: UnmarshalText succeeded on invalid slice of bytes.")
+	}
+}
+
+// TestMarshalJSON tests whether MarshalJSON() correctly marshals a sample TimeRange
+func TestMarshalJSON(t *testing.T) {
+	testTimeRange := NewTimeInterval(
+		time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC),
+		time.Date(2010, time.November, 10, 23, 0, 0, 0, time.UTC))
+	if _, err := testTimeRange.MarshalJSON(); err != nil {
+		t.Errorf("Failure: %v", err)
+	}
+}
+
+// TestUnmarshalFlag tests whether UnmarshalFlag() correctly extracts time from a given timeRange string.
+func TestUnmarshalFlag(t *testing.T) {
+	testTimeRange := NewTimeInterval(
+		time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC),
+		time.Date(2010, time.November, 10, 23, 0, 0, 0, time.UTC))
+	if err := testTimeRange.UnmarshalFlag("3h"); err != nil {
+		t.Errorf(err.Error())
+	}
+	if err := testTimeRange.UnmarshalFlag("2006-01-02T15:04:05"); err != nil {
+		t.Errorf(err.Error())
+	}
+	if err := testTimeRange.UnmarshalFlag("2006-01-02T15:04:05a"); err == nil {
+		t.Errorf("Failure: Extracted time from invalid string")
+	}
+	if err := testTimeRange.UnmarshalFlag("2006-01-02T15:04:05a, 2007-01-02T15:04:05"); err == nil {
+		t.Errorf("Failure: Extracted time from invalid string")
+	}
+	if err := testTimeRange.UnmarshalFlag("2006-01-02T15:04:05, 2007-01-02T15:04:05a"); err == nil {
+		t.Errorf("Failure: Extracted time from invalid string")
+	}
+	if err := testTimeRange.UnmarshalFlag("2006-01-02T15:04:05, 2007-01-02T15:04:05"); err != nil {
+		t.Errorf(err.Error())
+	}
+}
+
+// TestContains tests whether Contains() correctly identifies a sample of points in time to be within
+// a timerange or not.
+func TestContains(t *testing.T) {
+	testTimeRange := NewTimeInterval(
+		time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC),
+		time.Date(2010, time.November, 10, 23, 0, 0, 0, time.UTC))
+	testPointInTime := time.Date(2010, time.March, 10, 23, 0, 0, 0, time.UTC)
+	testPointAfterTime := time.Date(2022, time.March, 10, 23, 0, 0, 0, time.UTC)
+	testPointBeforeTime := time.Date(2002, time.March, 10, 23, 0, 0, 0, time.UTC)
+	if !testTimeRange.Contains(testPointInTime) {
+		t.Errorf("Failure: Did not recognize point within timerange correctly.")
+	}
+	if testTimeRange.Contains(testPointAfterTime) {
+		t.Errorf("Failure: Did not recognize that a point in time was after a timerange correctly.")
+	}
+	if testTimeRange.Contains(testPointBeforeTime) {
+		t.Errorf("Failure: Did not recognize that a point in time was before a timerange correctly.")
+	}
+}
+
+// TestTimeRangeIntersects checks if TimeRange.Intersects works.
+func TestTimeRangeIntersects(t *testing.T) {
+	var (
+		a = time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC)
+		b = a.AddDate(0, 0, 10)
+		c = b.AddDate(0, 0, 10)
+		d = c.AddDate(0, 0, 10)
+	)
+	for _, x := range []struct {
+		ranges   [2]TimeRange
+		expected bool
+	}{
+		{ranges: [2]TimeRange{{a, b}, {a, b}}, expected: true},  // equal
+		{ranges: [2]TimeRange{{a, b}, {c, d}}, expected: false}, // disjoint
+		{ranges: [2]TimeRange{{a, b}, {b, c}}, expected: true},  // touching
+		{ranges: [2]TimeRange{{a, c}, {b, d}}, expected: true},  // overlapping
+		{ranges: [2]TimeRange{{a, d}, {b, c}}, expected: true},  // containing
+		{ranges: [2]TimeRange{{a, b}, {a, c}}, expected: true},  // containing touch left
+		{ranges: [2]TimeRange{{b, c}, {a, c}}, expected: true},  // containing touch right
+	} {
+		got1 := x.ranges[0].Intersects(x.ranges[1])
+		got2 := x.ranges[1].Intersects(x.ranges[0])
+		if got1 != got2 {
+			t.Fatalf("intersecting %v is not commutative", x.ranges)
+		}
+		if got1 != x.expected {
+			t.Fatalf("%v: got %t expected %t", x.ranges, got1, x.expected)
+		}
+	}
+}
+
+// TestTimeRangeYear checks if the Year construction works.
+func TestTimeRangeYear(t *testing.T) {
+	var (
+		year   = Year(1984)
+		first  = time.Date(1984, time.January, 1, 0, 0, 0, 0, time.UTC)
+		before = first.Add(-time.Nanosecond)
+		after  = time.Date(1984+1, time.January, 1, 0, 0, 0, 0, time.UTC)
+		last   = after.Add(-time.Nanosecond)
+	)
+	for _, x := range []struct {
+		t        time.Time
+		expected bool
+	}{
+		{t: first, expected: true},
+		{t: before, expected: false},
+		{t: last, expected: true},
+		{t: after, expected: false},
+	} {
+		if got := year.Contains(x.t); got != x.expected {
+			t.Fatalf("%v: got %t expected %t", x.t, got, x.expected)
+		}
+	}
+}

internal/options/data/config.toml

@@ -0,0 +1 @@
+Test = "data/config.toml"

internal/options/data/config_plus.toml

@@ -0,0 +1,2 @@
+Test = "data/config_plus.toml"
+surplus = true

internal/options/data/empty.toml

@@ -0,0 +1 @@
+# Empty but valid config file

internal/options/log.go

@@ -0,0 +1,33 @@
+// This file is Free Software under the MIT License
+// without warranty, see README.md and LICENSES/MIT.txt for details.
+//
+// SPDX-License-Identifier: MIT
+//
+// SPDX-FileCopyrightText: 2023 German Federal Office for Information Security (BSI) <https://www.bsi.bund.de>
+// Software-Engineering: 2023 Intevation GmbH <https://intevation.de>
+
+package options
+
+import (
+	"log/slog"
+	"strings"
+)
+
+// LogLevel implements a helper type to be used in configurations.
+type LogLevel struct{ slog.Level }
+
+// MarshalFlag implements [flags.Marshaler].
+func (ll LogLevel) MarshalFlag() (string, error) {
+	t, err := ll.MarshalText()
+	return strings.ToLower(string(t)), err
+}
+
+// UnmarshalFlag implements [flags.Unmarshaler].
+func (ll *LogLevel) UnmarshalFlag(value string) error {
+	var l slog.Level
+	if err := l.UnmarshalText([]byte(value)); err != nil {
+		return err
+	}
+	*ll = LogLevel{Level: l}
+	return nil
+}

internal/options/log_test.go

@@ -0,0 +1,49 @@
+// This file is Free Software under the MIT License
+// without warranty, see README.md and LICENSES/MIT.txt for details.
+//
+// SPDX-License-Identifier: MIT
+//
+// SPDX-FileCopyrightText: 2023 German Federal Office for Information Security (BSI) <https://www.bsi.bund.de>
+// Software-Engineering: 2023 Intevation GmbH <https://intevation.de>
+
+package options
+
+import (
+	"log/slog"
+	"testing"
+)
+
+func TestMarshalFlag(t *testing.T) {
+	ll := LogLevel{Level: slog.LevelInfo}
+	got, err := ll.MarshalFlag()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if got != "info" {
+		t.Fatalf("got %q expected \"info\"", got)
+	}
+}
+
+func TestUnmarshalFlag(t *testing.T) {
+	for _, x := range []struct {
+		input  string
+		expect slog.Level
+	}{
+		{input: "debug", expect: slog.LevelDebug},
+		{input: "info", expect: slog.LevelInfo},
+		{input: "warn", expect: slog.LevelWarn},
+		{input: "error", expect: slog.LevelError},
+	} {
+		var ll LogLevel
+		if err := ll.UnmarshalFlag(x.input); err != nil {
+			t.Fatalf("%q error: %v", x.input, err)
+		}
+		if ll.Level != x.expect {
+			t.Fatalf("%q: got %s expected %s", x.input, ll.Level, x.expect)
+		}
+	}
+	var ll LogLevel
+	if err := ll.UnmarshalFlag("invalid"); err == nil {
+		t.Fatal(`"invalid" should return an error`)
+	}
+}

internal/options/options.go

@@ -3,8 +3,8 @@
 //
 // SPDX-License-Identifier: MIT
 //
-// SPDX-FileCopyrightText: 2022 German Federal Office for Information Security (BSI) <https://www.bsi.bund.de>
+// SPDX-FileCopyrightText: 2023 German Federal Office for Information Security (BSI) <https://www.bsi.bund.de>
-// Software-Engineering: 2022 Intevation GmbH <https://intevation.de>
+// Software-Engineering: 2023 Intevation GmbH <https://intevation.de>
 
 // Package options contains helpers to handle command line options and config files.
 package options
@@ -18,7 +18,7 @@ import (
 	"github.com/jessevdk/go-flags"
 	"github.com/mitchellh/go-homedir"
 
-	"github.com/csaf-poc/csaf_distribution/v2/util"
+	"github.com/csaf-poc/csaf_distribution/v3/util"
 )
 
 // Parser helps parsing command line arguments and loading

internal/options/options_test.go

@@ -0,0 +1,206 @@
+// This file is Free Software under the MIT License
+// without warranty, see README.md and LICENSES/MIT.txt for details.
+//
+// SPDX-License-Identifier: MIT
+//
+// SPDX-FileCopyrightText: 2023 German Federal Office for Information Security (BSI) <https://www.bsi.bund.de>
+// Software-Engineering: 2023 Intevation GmbH <https://intevation.de>
+
+package options
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"os/exec"
+	"testing"
+)
+
+type config struct {
+	Test           string `long:"Test" description:"Test config struct"`
+	Version        bool   `long:"version" description:"test print version"`
+	ConfigLocation string `long:"configlocation" description:"test location"`
+}
+
+// TestParse helps parsing command line arguments and loading
+// stored configurations from file.
+func TestParse(t *testing.T) {
+	orig := os.Args
+	defer func() { os.Args = orig }()
+
+	os.Args = []string{"cmd"}
+	defaultConfigLocation := []string{"data/config.toml"}
+	p := Parser[config]{
+		DefaultConfigLocations: defaultConfigLocation,
+		ConfigLocation: func(cfg *config) string {
+			return cfg.ConfigLocation
+		},
+		Usage:      "[OPTIONS] domain...",
+		HasVersion: func(cfg *config) bool { return cfg.Version },
+		SetDefaults: func(cfg *config) {
+		},
+		// Re-establish default values if not set.
+		EnsureDefaults: func(cfg *config) {
+		},
+	}
+
+	// Test searching for data/config.toml as config file
+	if _, _, err := p.Parse(); err != nil {
+		t.Errorf("Failure: Valid Parser using config location failed.")
+	}
+
+	// Test invalid flag
+	os.Args = []string{"cmd", "--invalid"}
+	fmt.Println("The following test should produce a warning.")
+	if _, _, err := p.Parse(); err == nil {
+		t.Errorf("Failure: Parsed invalid flag 'invalid'")
+	}
+
+	// Test with no default location; no config is loaded
+	var emptyLocation []string
+	p.DefaultConfigLocations = emptyLocation
+	os.Args = []string{"cmd"}
+	if _, _, err := p.Parse(); err != nil {
+		t.Errorf("Failure: Valid Parser without config location failed: %s", err.Error())
+	}
+
+	// Test failing to load TOML file
+	os.Args = []string{"cmd", "--configlocation=data/config_surplus.toml"}
+	if _, _, err := p.Parse(); err == nil {
+		t.Errorf("Failure: Parsed invalid toml file.")
+	}
+
+	// Test failing to expand Path
+	os.Args = []string{"cmd", "--configlocation=~~"}
+	if _, _, err := p.Parse(); err == nil {
+		t.Errorf("Failure: Invalid path expanded.")
+	}
+
+	// os.exit tests start here
+	// test the help flag
+	// if TEST_HELP was set, try parsing the help flag
+	if os.Getenv("TEST_HELP") == "1" {
+		os.Args = []string{"cmd", "--help"}
+		p.Parse()
+		return
+	}
+
+	// Build subprocess that can be exited
+	cmd := exec.Command(orig[0], "-test.run=TestParse")
+	cmd.Env = append(os.Environ(), "TEST_HELP=1")
+	err := cmd.Run()
+	if err != nil {
+		t.Fatalf(err.Error())
+	}
+
+	// test the version flag
+	if os.Getenv("TEST_VERSION") == "1" {
+		os.Args = []string{"cmd", "--version"}
+		p.Parse()
+		return
+	}
+
+	cmd = exec.Command(orig[0], "-test.run=TestParse")
+	cmd.Env = append(os.Environ(), "TEST_VERSION=1")
+	err = cmd.Run()
+	if err != nil {
+		t.Fatalf(err.Error())
+	}
+}
+
+// TestFindConfigFile tests if findConfigFile() correctly finds existing and
+// doesn't find nonexisting config files
+func TestFindConfigFile(t *testing.T) {
+	locations := []string{"data/config.toml"}
+	notLocation := []string{"notomllocation"}
+	errorExpandLocation := []string{"~~"}
+
+	if findConfigFile(locations) != "data/config.toml" {
+		t.Errorf("Failure: Couldn't find existing toml file in specified location")
+	}
+	if !(findConfigFile(notLocation) == "") {
+		t.Errorf("Failure: Supposedly found configuration file in nonexistant location")
+	}
+	fmt.Println("The following test should produce a warning.")
+	if !(findConfigFile(errorExpandLocation) == "") {
+		t.Errorf("Failure: Supposedly found configuration file in nonexistant location")
+	}
+}
+
+// TestLoadToml tests if loadTOML() can correctly load TOML files
+func TestLoadToml(t *testing.T) {
+	var cfg config
+	if err := loadTOML(&cfg, "data/nonexistant.toml"); err.Error() != "open "+
+		"data/nonexistant.toml: no such file or directory" {
+		t.Errorf("Failure: Didn't throw the correct " +
+			"error on trying to load nonexistant file")
+	}
+	const errMsg = `could not parse ["surplus"] from "data/config_plus.toml"`
+	if err := loadTOML(&cfg, "data/config_plus.toml"); err.Error() != errMsg {
+		t.Errorf("Failure: Succeeded in parsing nonexistant parameter")
+	}
+	if err := loadTOML(&cfg, "data/config.toml"); err != nil {
+		t.Errorf(err.Error())
+	}
+}
+
+// TestErrorCheck checks whether the ErrorChecker correctly logs a fatal error
+func TestErrorCheck(t *testing.T) {
+	if os.Getenv("TEST_ERROR") == "1" {
+		ErrorCheck(errors.New("succesful"))
+		return
+	}
+	cmd := exec.Command(os.Args[0], "-test.run=TestErrorCheck")
+	cmd.Env = append(os.Environ(), "TEST_ERROR=1")
+	err := cmd.Run()
+	if e, ok := err.(*exec.ExitError); ok && !e.Success() {
+		return
+	}
+	t.Fatalf("process ran with err %v, want exit status 1", err)
+
+}
+
+// TestSecondPassCommandlineParsing checks if the second pass
+// of the command line passing is error checked.
+func TestSecondPassCommandlineParsing(t *testing.T) {
+	orig := os.Args
+	defer func() { os.Args = orig }()
+
+	os.Args = []string{"cmd"}
+	p := Parser[config]{
+		ConfigLocation: func(cfg *config) string {
+			// This is a bit stupid.
+			os.Args = []string{"cmd", "--invalid"}
+			return "data/empty.toml"
+		},
+	}
+	if _, _, err := p.Parse(); err == nil {
+		t.Fatalf("Second command line parsing pass did not fail.\n")
+	}
+}
+
+// TestSecondPassCommandlineHelp triggers the help output in the
+// second pass of the command line parsing.
+func TestSecondPassCommandlineHelp(t *testing.T) {
+	if os.Getenv("TEST_ERROR") == "1" {
+		orig := os.Args
+		defer func() { os.Args = orig }()
+
+		os.Args = []string{"cmd"}
+		p := Parser[config]{
+			ConfigLocation: func(cfg *config) string {
+				// This is a bit stupid.
+				os.Args = []string{"cmd", "--help"}
+				return "data/empty.toml"
+			},
+		}
+		p.Parse()
+		t.Fatalf("Second command line parsing pass help should not reach this.\n")
+		return
+	}
+	cmd := exec.Command(os.Args[0], "-test.run=TestSecondPassCommandlineHelp")
+	cmd.Env = append(os.Environ(), "TEST_ERROR=1")
+	if err := cmd.Run(); err != nil {
+		t.Fatalf("process ran with err %v", err)
+	}
+}

util/client.go

@@ -31,6 +31,7 @@ type Client interface {
 // LoggingClient is a client that logs called URLs.
 type LoggingClient struct {
 	Client
+	Log func(method, url string)
 }
 
 // LimitingClient is a Client implementing rate throttling.
@@ -97,33 +98,42 @@ func (hc *HeaderClient) PostForm(url string, data url.Values) (*http.Response, e
 		url, "application/x-www-form-urlencoded", strings.NewReader(data.Encode()))
 }
 
+// log logs to a callback if given.
+func (lc *LoggingClient) log(method, url string) {
+	if lc.Log != nil {
+		lc.Log(method, url)
+	} else {
+		log.Printf("[%s]: %s\n", method, url)
+	}
+}
+
 // Do implements the respective method of the Client interface.
 func (lc *LoggingClient) Do(req *http.Request) (*http.Response, error) {
-	log.Printf("[DO]: %s\n", req.URL.String())
+	lc.log("DO", req.URL.String())
 	return lc.Client.Do(req)
 }
 
 // Get implements the respective method of the Client interface.
 func (lc *LoggingClient) Get(url string) (*http.Response, error) {
-	log.Printf("[GET]: %s\n", url)
+	lc.log("GET", url)
 	return lc.Client.Get(url)
 }
 
 // Head implements the respective method of the Client interface.
 func (lc *LoggingClient) Head(url string) (*http.Response, error) {
-	log.Printf("[HEAD]: %s\n", url)
+	lc.log("HEAD", url)
 	return lc.Client.Head(url)
 }
 
 // Post implements the respective method of the Client interface.
 func (lc *LoggingClient) Post(url, contentType string, body io.Reader) (*http.Response, error) {
-	log.Printf("[POST]: %s\n", url)
+	lc.log("POST", url)
 	return lc.Client.Post(url, contentType, body)
 }
 
 // PostForm implements the respective method of the Client interface.
 func (lc *LoggingClient) PostForm(url string, data url.Values) (*http.Response, error) {
-	log.Printf("[POST FORM]: %s\n", url)
+	lc.log("POST FORM", url)
 	return lc.Client.PostForm(url, data)
 }
 

util/file_test.go

@@ -1,3 +1,11 @@
+// This file is Free Software under the MIT License
+// without warranty, see README.md and LICENSES/MIT.txt for details.
+//
+// SPDX-License-Identifier: MIT
+//
+// SPDX-FileCopyrightText: 2022 German Federal Office for Information Security (BSI) <https://www.bsi.bund.de>
+// Software-Engineering: 2022 Intevation GmbH <https://intevation.de>
+
 package util
 
 import (