Add new hack.

diff --git a/hacks/certtool b/hacks/certtool
new file mode 100755 (executable)
index 0000000..4a865e4
--- /dev/null
+++ b/hacks/certtool
@@ -0,0 +1,75 @@
+#!/usr/bin/python3
+
+import argparse
+import os
+from pathlib import Path
+import subprocess
+import sys
+import tempfile
+
+
+parser = argparse.ArgumentParser()
+parser.add_argument('-c', '--check', help='check a .dom settings export file on stdin', action='store_true')
+parser.add_argument('-s', '--split', help='split certificates and private keys from stdin', action='store_true')
+parser.add_argument('-p', '--prefix', help='output filename prefix when doing --split', type=Path, default='./')
+args = parser.parse_args()
+
+cert = None
+certs = []
+private_key = None
+
+for line in sys.stdin.readlines():
+    if line.find('BEGIN CERTIFICATE') != -1:
+        cert = line
+    elif line.find('END CERTIFICATE') != -1:
+        cert += line
+        certs.append(cert)
+        cert = None
+    elif cert:
+        cert += line
+    elif line.find('BEGIN RSA PRIVATE KEY') != -1:
+        private_key = line
+    elif line.find('END RSA PRIVATE') != -1:
+        private_key += line
+    elif private_key:
+        private_key += line
+
+if len(certs) != 3:
+    print(f'Expected 3 certificates but found {len(certs)}.', file=sys.stderr)
+    exit(1)
+
+if args.check:
+    if private_key is None:
+        print('Found no private key', file=sys.stderr)
+        exit(1)
+
+    leaf_cert_modulus = None
+    with tempfile.NamedTemporaryFile(mode='w', delete=False) as leaf:
+        print(certs[2], file=leaf)
+        leaf.close()
+        process = subprocess.run(['openssl', 'x509', '-modulus', '-noout', '-in', leaf.name], capture_output=True)
+        leaf_cert_modulus = process.stdout
+
+    leaf_key_modulus = None
+    with tempfile.NamedTemporaryFile('w', delete=False) as key:
+        print(private_key, file=key)
+        key.close()
+        process = subprocess.run(['openssl', 'rsa', '-modulus', '-noout', '-in', key.name], capture_output=True, check=True)
+        leaf_key_modulus = process.stdout
+
+    if leaf_cert_modulus != leaf_key_modulus:
+        print('Leaf certificate and private key don''t match.', file=sys.stderr)
+        exit(1)
+    else:
+        print('Leaf certificates and private key match.')
+
+elif args.split:
+
+    for index, cert in enumerate(certs):
+        with open(f'{args.prefix.name}cert_{index}.pem', 'w') as output:
+            print(cert, file=output)
+
+    if private_key:
+        with open(f'{args.prefix.name}private_key.pem', 'w') as output:
+            print(private_key, file=output)
+