From 7af33f1700c9631466867e56be2b8e91849f050a Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Fri, 6 Feb 2015 20:22:42 +0100
Subject: [PATCH] gnutls-cli: added --save-cert option
---
 src/cli-args.def | 7 +++++++
 src/cli.c | 41 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/src/cli-args.def b/src/cli-args.def
index ff91c86..6a37226 100644
--- a/src/cli-args.def
+++ b/src/cli-args.def
@@ -140,6 +140,13 @@ flag = {
 };

 flag = {
+ name = save-cert;
+ arg-type = string;
+ descrip = "Save the peer's certificate chain in the specified file in PEM format";
+ doc = "";
+};
+
+flag = {
 name = save-ocsp;
 arg-type = string;
 descrip = "Save the peer's OCSP status response in the provided file";
diff --git a/src/cli.c b/src/cli.c
index ca203cd..1ff9bf6 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -374,6 +374,43 @@ static int read_yesno(const char *input_str)
 return 0;
 }

+static void try_save_cert(gnutls_session_t session)
+{
+ const gnutls_datum_t *cert_list;
+ unsigned int cert_list_size = 0;
+ int ret;
+ unsigned i;
+ gnutls_datum_t t;
+ FILE *fp;
+
+ cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
+ if (cert_list_size == 0) {
+ fprintf(stderr, "no certificates sent by server!\n");
+ exit(1);
+ }
+
+ fp = fopen(OPT_ARG(SAVE_CERT), "w");
+ if (fp == NULL) {
+ fprintf(stderr, "could not open %s\n", OPT_ARG(SAVE_CERT));
+ exit(1);
+ }
+
+ for (i=0;i
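Review bot: The new `save-cert` flag in the src/cli-args.def hunk ships with `doc = "";`, so the generated help and manual page say nothing beyond the one-line `descrip`. The cli.c hunk of this patch opens the target with `fopen(OPT_ARG(SAVE_CERT), "w")` and fills it from `gnutls_certificate_get_peers()`, so the text should state that an existing file is truncated and that the output is the chain exactly as the peer presented it. Something like `doc = "The file is overwritten if it exists. The chain is written as sent by the peer; saving it does not imply that it was verified.";` would cover both. The second sentence of that text is an assumption to confirm, because the call site of try_save_cert() is outside the visible part of the patch and it is not clear whether saving happens before or after certificate verification.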