p11tool: allow to export a certificate with its stapled extensions

2 files changed, 20 insertions, 0 deletions

diff --git a/src/p11tool-args.def b/src/p11tool-args.def
index b9155c921c..b017ae9345 100644
--- a/src/p11tool-args.def
+++ b/src/p11tool-args.def
@@ -113,18 +113,36 @@ flag = {
     name      = export;
     descrip   = "Export the object specified by the URL";
     doc = "";
+    flags-cant = export-stapled;
+    flags-cant = export-chain;
+    flags-cant = export-pubkey;
+};
+
+flag = {
+    name      = export-stapled;
+    descrip   = "Export the certificate object specified by the URL";
+    doc = "Exports the certificate specified by the URL while including any attached extensions to it.";
+    flags-cant = export;
+    flags-cant = export-chain;
+    flags-cant = export-pubkey;
 };
 
 flag = {
     name      = export-chain;
     descrip   = "Export the certificate specified by the URL and its chain of trust";
     doc = "Exports the certificate specified by the URL and generates its chain of trust based on the stored certificates in the module.";
+    flags-cant = export-stapled;
+    flags-cant = export;
+    flags-cant = export-pubkey;
 };
 
 flag = {
     name      = export-pubkey;
     descrip   = "Export the public key for a private key";
     doc = "Exports the public key for the specified private key";
+    flags-cant = export-stapled;
+    flags-cant = export;
+    flags-cant = export-chain;
 };
 
 flag = {
diff --git a/src/p11tool.c b/src/p11tool.c
index 15695bb21e..53a76016e3 100644
--- a/src/p11tool.c
+++ b/src/p11tool.c
@@ -284,6 +284,8 @@ static void cmd_parser(int argc, char **argv)
 			    flags, detailed_url, &cinfo);
 	} else if (HAVE_OPT(EXPORT)) {
 		pkcs11_export(outfile, url, flags, &cinfo);
+	} else if (HAVE_OPT(EXPORT_STAPLED)) {
+		pkcs11_export(outfile, url, flags|GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT, &cinfo);
 	} else if (HAVE_OPT(EXPORT_CHAIN)) {
 		pkcs11_export_chain(outfile, url, flags, &cinfo);
 	} else if (HAVE_OPT(WRITE)) {