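#! /bin/sh -e
#
# Filter a PEM certificate list.
#
# Usage: SCRIPT CERTLIST-FILE
#
# Reads CERTLIST-FILE, collects every "BEGIN CERTIFICATE" ... "END CERTIFICATE"
# block, drops exact duplicates and any certificate whose issuer is listed in
# bad_issuers, and prints the remaining certificates separated by blank lines.
#
# Exit status: 2 on bad usage, 127 when no certificate is left to print
# (either none were found or all were filtered out), otherwise 0. A
# certificate that openssl cannot parse aborts the run with openssl's status,
# so an unreadable entry is never passed through unchecked.

# The -e on the shebang line is lost when the script is run as "sh SCRIPT".
set -e

# One issuer per line, each line delimited by newlines on both sides.
# Entries must be spelled the way the installed openssl prints an issuer,
# without the leading "issuer=" label. That spelling differs between OpenSSL
# releases; check with "openssl x509 -noout -issuer" on the target host.
bad_issuers="
O = Digital Signature Trust Co., CN = DST Root CA X3
"

case $# in
  1) certs=$1 ;;
  *)
    echo >&2 "usage: $0 CERTLIST-FILE"
    exit 2
    ;;
esac

# A literal newline, used as the separator throughout.
nl="
"

mode=skip # "skip" outside a certificate block, "keep" inside one
all=      # certificates accepted so far, separated by blank lines

while IFS= read -r line; do
  case $line,$mode in
    "-----BEGIN CERTIFICATE-----",skip)
      mode=keep
      buf="$line$nl"
      ;;
    "-----END CERTIFICATE-----",keep)
      mode=skip
      buf="$buf$line"
      keep=t

      # Exact duplicate of a certificate already accepted? The padding makes
      # the match line up on whole blank-line-separated blocks only.
      case "$nl$nl$all$nl$nl" in
        *"$nl$nl$buf$nl$nl"*) keep=nil ;;
      esac

      case $keep in
        t)
          # Fail closed: stop if openssl cannot read the block.
          issuer=$(printf '%s\n' "$buf" | openssl x509 -noout -issuer) || exit
          # openssl prefixes the name with "issuer=" (older releases add a
          # space after it); strip that so the name compares against the list.
          issuer=${issuer#issuer=}
          issuer=${issuer# }
          # Whole-line match anywhere in the list. The pattern needs a leading
          # "*" and plain double quotes; a $"..." string is a bashism and an
          # anchored pattern cannot match, which lets every certificate through.
          case $bad_issuers in
            *"$nl$issuer$nl"*) keep=nil ;;
          esac
          ;;
      esac

      case $keep in
        t) all="${all:+$all$nl$nl}$buf" ;;
      esac
      ;;
    *,keep)
      buf="$buf$line$nl"
      ;;
  esac
done <"$certs"

case $all in
  "")
    echo >&2 "$0: no certificates found"
    exit 127
    ;;
esac

printf '%s\n' "$all"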