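// Command certdump connects to each host:port given on the command line,
// fetches the server's leaf certificate and writes it to stdout as a PEM
// CERTIFICATE block. Each block carries an "X-Socket" header naming the
// endpoint and, when the chain does not verify against the system roots for
// that host, an "X-Error" header holding the verification failure.
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net"
	"os"
	"time"
)

// dialTimeout bounds the TCP connect and the TLS handshake for one socket so
// that an unresponsive endpoint cannot hang the whole run.
const dialTimeout = 10 * time.Second

// getcert dials socket ("host:port"), completes a TLS handshake and returns
// the leaf certificate the server presented.
//
// The handshake is performed with InsecureSkipVerify so that the certificate
// can be captured even when it is invalid (expired, wrong name, untrusted
// issuer). Verification is then done explicitly: the leaf is checked against
// the system root pool, using the server-sent certificates after the leaf as
// candidate intermediates, for the host part of socket. The connection is
// never used for application data, so skipping verification at handshake
// time does not expose anything to a spoofed peer.
//
// Return contract (deliberately non-idiomatic, callers must check both
// values): a nil certificate with a non-nil error means no certificate could
// be obtained at all (bad address, dial/handshake failure, empty chain); a
// non-nil certificate with a non-nil error means it was obtained but did not
// verify, and the error says why; a nil error means it verified.
func getcert(socket string) (*x509.Certificate, error) {
	host, _, err := net.SplitHostPort(socket)
	if err != nil {
		return nil, err
	}

	raw, err := net.DialTimeout("tcp", socket, dialTimeout)
	if err != nil {
		return nil, err
	}
	// tls.Dial would not bound the handshake; a deadline on the raw
	// connection covers it.
	if err := raw.SetDeadline(time.Now().Add(dialTimeout)); err != nil {
		raw.Close()
		return nil, err
	}
	// ServerName is set explicitly (tls.Dial derives it from the address) so
	// the server receives SNI and serves the certificate for this host.
	conn := tls.Client(raw, &tls.Config{
		ServerName:         host,
		InsecureSkipVerify: true, // verified manually below, see doc comment
	})
	defer conn.Close()
	if err := conn.Handshake(); err != nil {
		return nil, err
	}

	chain := conn.ConnectionState().PeerCertificates
	if len(chain) == 0 {
		// Guard the chain[0] access below rather than panic on a peer that
		// completed the handshake without sending a certificate.
		return nil, fmt.Errorf("%s: server presented no certificate", socket)
	}

	// Roots is left nil so Verify uses the system pool.
	opts := x509.VerifyOptions{
		DNSName:       host,
		Intermediates: x509.NewCertPool(),
	}
	for _, c := range chain[1:] {
		opts.Intermediates.AddCert(c)
	}
	leaf := chain[0]
	// The verification error is returned unwrapped so that main can record
	// the x509 message verbatim in the X-Error header.
	_, err = leaf.Verify(opts)
	return leaf, err
}

// main prints one PEM block per socket argument, in argument order. A socket
// whose certificate cannot be obtained at all aborts the run with exit status
// 1; a certificate that was obtained but failed verification is still
// printed, with the failure recorded in its X-Error header. Consumers must
// therefore treat the presence of X-Error as "untrusted" rather than assume
// every emitted block verified.
func main() {
	for _, socket := range os.Args[1:] {
		cert, err := getcert(socket)
		if cert == nil {
			fmt.Fprintf(os.Stderr, "Could not get certificate for socket %q: %q\n", socket, err)
			os.Exit(1)
		}
		// NOTE(review): pem.Encode does not escape header values, so a
		// newline in the socket argument or in the error text would break
		// the PEM framing; argv is treated as trusted here.
		block := pem.Block{
			Type:    "CERTIFICATE",
			Headers: map[string]string{"X-Socket": socket},
			Bytes:   cert.Raw,
		}
		if err != nil {
			block.Headers["X-Error"] = err.Error()
		}
		// A write failure (closed pipe, full disk) must not be silent: the
		// caller would otherwise get a truncated block and exit status 0.
		if err := pem.Encode(os.Stdout, &block); err != nil {
			fmt.Fprintf(os.Stderr, "Could not write certificate for socket %q: %v\n", socket, err)
			os.Exit(1)
		}
	}
}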