dyaa · dyaa · Apr 6, 2026 · Apr 6, 2026
diff --git a/cmd/tlsc/ca.go b/cmd/tlsc/ca.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"flag"
 	"fmt"
 	"os"
@@ -12,33 +13,33 @@ import (
 	"github.com/dyaa/tlsc/internal/services/ca"
 )
 
-func runCA(args []string) {
+func runCA(ctx context.Context, args []string) {
 	if len(args) == 0 {
 		printCAUsage()
 		os.Exit(1)
 	}
 
 	switch args[0] {
 	case "init":
-		runCAInit(args[1:])
+		runCAInit(ctx, args[1:])
 	case "install":
-		runCAInstall(args[1:])
+		runCAInstall(ctx, args[1:])
 	case "uninstall":
 		runCAUninstall(args[1:])
 	case "info":
-		runCAInfo(args[1:])
+		runCAInfo(ctx, args[1:])
 	case "renew":
-		runCARenew(args[1:])
+		runCARenew(ctx, args[1:])
 	case "export":
-		runCAExport(args[1:])
+		runCAExport(ctx, args[1:])
 	case "help", "-h", "--help":
 		printCAUsage()
 	default:
 		fatal("unknown ca command: %s", args[0])
 	}
 }
 
-func runCAInit(args []string) {
+func runCAInit(ctx context.Context, args []string) {
 	fs := flag.NewFlagSet("ca init", flag.ExitOnError)
 	var (
 		caPath   string
@@ -75,7 +76,7 @@ func runCAInit(args []string) {
 	opts.Validity = validity
 	opts.KeyType = keyType
 
-	authority, err := ca.Init(caPath, opts)
+	authority, err := ca.Init(ctx, caPath, opts)
 	if err != nil {
 		fatal("%s", err)
 	}
@@ -94,13 +95,13 @@ func runCAInit(args []string) {
 	fmt.Printf("\n  Next: run '\033[1mtlsc ca install\033[0m' to trust it system-wide\n\n")
 }
 
-func runCAInstall(args []string) {
+func runCAInstall(ctx context.Context, args []string) {
 	fs := flag.NewFlagSet("ca install", flag.ExitOnError)
 	var caPath string
 	fs.StringVar(&caPath, "ca-path", "", "CA directory (default: ~/.tlsc/ca/)")
 	fs.Parse(normArgs(args))
 
-	authority, err := ca.Load(caPath)
+	authority, err := ca.Load(ctx, caPath)
 	if err != nil {
 		fatal("%s", err)
 	}
@@ -117,13 +118,13 @@ func runCAUninstall(_ []string) {
 	fmt.Printf("\n  \033[32m✓ CA removed from system trust store\033[0m\n\n")
 }
 
-func runCAInfo(args []string) {
+func runCAInfo(ctx context.Context, args []string) {
 	fs := flag.NewFlagSet("ca info", flag.ExitOnError)
 	var caPath string
 	fs.StringVar(&caPath, "ca-path", "", "CA directory (default: ~/.tlsc/ca/)")
 	fs.Parse(normArgs(args))
 
-	authority, err := ca.Load(caPath)
+	authority, err := ca.Load(ctx, caPath)
 	if err != nil {
 		fatal("%s", err)
 	}
@@ -147,13 +148,13 @@ func runCAInfo(args []string) {
 	fmt.Println()
 }
 
-func runCARenew(args []string) {
+func runCARenew(ctx context.Context, args []string) {
 	fs := flag.NewFlagSet("ca renew", flag.ExitOnError)
 	var caPath string
 	fs.StringVar(&caPath, "ca-path", "", "CA directory (default: ~/.tlsc/ca/)")
 	fs.Parse(normArgs(args))
 
-	authority, err := ca.Renew(caPath)
+	authority, err := ca.Renew(ctx, caPath)
 	if err != nil {
 		fatal("%s", err)
 	}
@@ -164,13 +165,13 @@ func runCARenew(args []string) {
 	fmt.Println()
 }
 
-func runCAExport(args []string) {
+func runCAExport(ctx context.Context, args []string) {
 	fs := flag.NewFlagSet("ca export", flag.ExitOnError)
 	var caPath string
 	fs.StringVar(&caPath, "ca-path", "", "CA directory (default: ~/.tlsc/ca/)")
 	fs.Parse(normArgs(args))
 
-	authority, err := ca.Load(caPath)
+	authority, err := ca.Load(ctx, caPath)
 	if err != nil {
 		fatal("%s", err)
 	}

diff --git a/cmd/tlsc/check.go b/cmd/tlsc/check.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"flag"
 	"fmt"
 	"os"
@@ -10,7 +11,7 @@ import (
 	"github.com/dyaa/tlsc/internal/output"
 )
 
-func runCheck(args []string) {
+func runCheck(ctx context.Context, args []string) {
 	fs := flag.NewFlagSet("check", flag.ExitOnError)
 
 	var (
@@ -70,7 +71,7 @@ func runCheck(args []string) {
 	exitCode := 0
 
 	if len(hosts) == 1 {
-		result, err := svc.Check(hosts[0], opts)
+		result, err := svc.Check(ctx, hosts[0], opts)
 		if err != nil {
 			if jsonOut {
 				output.JSONError(hosts[0], err)
@@ -92,7 +93,7 @@ func runCheck(args []string) {
 			}
 		}
 	} else {
-		results := svc.CheckBatch(hosts, opts)
+		results := svc.CheckBatch(ctx, hosts, opts)
 		for _, host := range hosts {
 			r := results[host]
 			if r.Err != nil {

diff --git a/cmd/tlsc/convert.go b/cmd/tlsc/convert.go
@@ -1,14 +1,15 @@
 package main
 
 import (
+	"context"
 	"flag"
 	"fmt"
 	"os"
 
 	"github.com/dyaa/tlsc/internal/services/convert"
 )
 
-func runConvert(args []string) {
+func runConvert(ctx context.Context, args []string) {
 	fs := flag.NewFlagSet("convert", flag.ExitOnError)
 
 	var (
@@ -34,7 +35,7 @@ func runConvert(args []string) {
 	inputPath := positional[0]
 	convSvc := convert.New()
 
-	if err := convSvc.Convert(inputPath, outPath, format); err != nil {
+	if err := convSvc.Convert(ctx, inputPath, outPath, format); err != nil {
 		fatal("%s", err)
 	}
 

diff --git a/cmd/tlsc/csr.go b/cmd/tlsc/csr.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"flag"
 	"fmt"
 	"os"
@@ -10,25 +11,25 @@ import (
 	"github.com/dyaa/tlsc/internal/services/generate"
 )
 
-func runCSR(args []string) {
+func runCSR(ctx context.Context, args []string) {
 	if len(args) == 0 {
 		printCSRUsage()
 		os.Exit(1)
 	}
 
 	switch args[0] {
 	case "generate":
-		runCSRGenerate(args[1:])
+		runCSRGenerate(ctx, args[1:])
 	case "sign":
-		runCSRSign(args[1:])
+		runCSRSign(ctx, args[1:])
 	case "help", "-h", "--help":
 		printCSRUsage()
 	default:
 		fatal("unknown csr command: %s", args[0])
 	}
 }
 
-func runCSRGenerate(args []string) {
+func runCSRGenerate(ctx context.Context, args []string) {
 	fs := flag.NewFlagSet("csr generate", flag.ExitOnError)
 
 	var (
@@ -71,7 +72,7 @@ func runCSRGenerate(args []string) {
 	opts.State = state
 
 	csrSvc := generate.New()
-	result, err := csrSvc.GenerateCSR(hosts, opts)
+	result, err := csrSvc.GenerateCSR(ctx, hosts, opts)
 	if err != nil {
 		fatal("%s", err)
 	}
@@ -83,7 +84,7 @@ func runCSRGenerate(args []string) {
 	fmt.Printf("\n  Next: run '\033[1mtlsc csr sign %s\033[0m' to sign with your CA\n\n", result.CSRPath)
 }
 
-func runCSRSign(args []string) {
+func runCSRSign(ctx context.Context, args []string) {
 	fs := flag.NewFlagSet("csr sign", flag.ExitOnError)
 
 	var (
@@ -126,7 +127,7 @@ func runCSRSign(args []string) {
 	}
 
 	csrSvc := generate.New()
-	result, err := csrSvc.SignCSR(csrPath, opts)
+	result, err := csrSvc.SignCSR(ctx, csrPath, opts)
 	if err != nil {
 		fatal("%s", err)
 	}

diff --git a/cmd/tlsc/generate.go b/cmd/tlsc/generate.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"flag"
 	"fmt"
 	"os"
@@ -12,7 +13,7 @@ import (
 
 var genSvc = generate.New()
 
-func runGenerate(args []string) {
+func runGenerate(ctx context.Context, args []string) {
 	fs := flag.NewFlagSet("generate", flag.ExitOnError)
 
 	var (
@@ -78,12 +79,12 @@ func runGenerate(args []string) {
 		opts.CAPath = caPath
 	}
 
-	result, err := genSvc.Generate(hosts, opts)
+	result, err := genSvc.Generate(ctx, hosts, opts)
 	if err != nil {
 		fatal("%s", err)
 	}
 
-	inspected, err := svc.InspectFile(result.CertPath)
+	inspected, err := svc.InspectFile(ctx, result.CertPath)
 	if err != nil {
 		fmt.Printf("\n  \033[32m✓ Created certificate\033[0m\n\n")
 		fmt.Printf("  cert: %s\n  key:  %s\n\n", result.CertPath, result.KeyPath)

diff --git a/cmd/tlsc/inspect.go b/cmd/tlsc/inspect.go
@@ -1,16 +1,18 @@
 package main
 
 import (
+	"context"
 	"crypto/x509"
 	"encoding/pem"
 	"flag"
 	"fmt"
 	"os"
 
+	"github.com/dyaa/tlsc/internal/fileutil"
 	"github.com/dyaa/tlsc/internal/output"
 )
 
-func runInspect(args []string) {
+func runInspect(ctx context.Context, args []string) {
 	fs := flag.NewFlagSet("inspect", flag.ExitOnError)
 
 	var (
@@ -32,7 +34,7 @@ func runInspect(args []string) {
 	}
 
 	path := positional[0]
-	result, err := svc.InspectFile(path)
+	result, err := svc.InspectFile(ctx, path)
 	if err != nil {
 		fatal("%s", err)
 	}
@@ -53,7 +55,7 @@ func runInspect(args []string) {
 }
 
 func validateChain(certPath, caPath string) (bool, string) {
-	certData, err := os.ReadFile(certPath)
+	certData, err := fileutil.ReadLimited(certPath, fileutil.MaxCertFileSize)
 	if err != nil {
 		return false, err.Error()
 	}
@@ -66,7 +68,7 @@ func validateChain(certPath, caPath string) (bool, string) {
 		return false, err.Error()
 	}
 
-	caData, err := os.ReadFile(caPath)
+	caData, err := fileutil.ReadLimited(caPath, fileutil.MaxCertFileSize)
 	if err != nil {
 		return false, err.Error()
 	}

diff --git a/cmd/tlsc/list.go b/cmd/tlsc/list.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"encoding/json"
 	"flag"
 	"fmt"
@@ -11,7 +12,7 @@ import (
 	"github.com/dyaa/tlsc/internal/domain"
 )
 
-func runList(args []string) {
+func runList(ctx context.Context, args []string) {
 	fs := flag.NewFlagSet("list", flag.ExitOnError)
 
 	var jsonOut bool
@@ -26,7 +27,7 @@ func runList(args []string) {
 
 	fs.Parse(normArgs(args))
 
-	certs, err := svc.ListCerts(dir)
+	certs, err := svc.ListCerts(ctx, dir)
 	if err != nil {
 		fatal("%s", err)
 	}