Add a method to return full certs

Signed-off-by: Itxaka <[email protected]>
kairos-io · Apr 18, 2024 · 396b01b · 396b01b
1 parent b742020
commit 396b01b
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 2 deletions.
diff --git a/signatures/signatures.go b/signatures/signatures.go
@@ -28,6 +28,70 @@ func GetKeyDatabase(sigType string) (*signature.SignatureDatabase, error) {
 	return sig, err
 }
 
+// GetAllFullCerts returns a list of certs in the system. Full cert, including raw data of the cert
+func GetAllFullCerts() (types.CertListFull, error) {
+	var certList types.CertListFull
+	pk, err := GetKeyDatabase("PK")
+	if err != nil {
+		return certList, err
+	}
+	kek, err := GetKeyDatabase("KEK")
+	if err != nil {
+		return certList, err
+	}
+	db, err := GetKeyDatabase("DB")
+	if err != nil {
+		return certList, err
+	}
+
+	for _, k := range *pk {
+		if isValidSignature(k.SignatureType) {
+			for _, k1 := range k.Signatures {
+				// Note the S at the end of the function, we are parsing multiple certs, not just one
+				certificates, err := x509.ParseCertificates(k1.Data)
+				if err != nil {
+					continue
+				}
+				for _, cert := range certificates {
+					certList.PK = append(certList.PK, cert)
+				}
+			}
+		}
+	}
+
+	for _, k := range *kek {
+		if isValidSignature(k.SignatureType) {
+			for _, k1 := range k.Signatures {
+				// Note the S at the end of the function, we are parsing multiple certs, not just one
+				certificates, err := x509.ParseCertificates(k1.Data)
+				if err != nil {
+					continue
+				}
+				for _, cert := range certificates {
+					certList.KEK = append(certList.KEK, cert)
+				}
+			}
+		}
+	}
+
+	for _, k := range *db {
+		if isValidSignature(k.SignatureType) {
+			for _, k1 := range k.Signatures {
+				// Note the S at the end of the function, we are parsing multiple certs, not just one
+				certificates, err := x509.ParseCertificates(k1.Data)
+				if err != nil {
+					continue
+				}
+				for _, cert := range certificates {
+					certList.DB = append(certList.DB, cert)
+				}
+			}
+		}
+	}
+
+	return certList, nil
+}
+
 // GetAllCerts returns a list of certs in the system
 func GetAllCerts() (types.CertList, error) {
 	var certList types.CertList
@@ -90,7 +154,6 @@ func GetAllCerts() (types.CertList, error) {
 	}
 
 	return certList, nil
-
 }
 
 // isValidSignature identifies a signature based as a DER-encoded X.509 certificate

diff --git a/types/certs.go b/types/certs.go
@@ -1,6 +1,9 @@
 package types
 
-import "crypto/x509/pkix"
+import (
+	"crypto/x509"
+	"crypto/x509/pkix"
+)
 
 // CertList provides a list of certs on the system from the Efivars and properly parsed
 type CertList struct {
@@ -9,6 +12,13 @@ type CertList struct {
 	DB  []CertDetail
 }
 
+// CertListFull provides a list of FULL certs, including raw cert data
+type CertListFull struct {
+	PK  []*x509.Certificate
+	KEK []*x509.Certificate
+	DB  []*x509.Certificate
+}
+
 type CertDetail struct {
 	Owner  pkix.Name
 	Issuer pkix.Name