From 396b01bbf5b8218f538f81cfa9a8841643669714 Mon Sep 17 00:00:00 2001
From: Itxaka
Date: Thu, 18 Apr 2024 10:16:08 +0200
Subject: [PATCH] Add a method to return full certs
Signed-off-by: Itxaka
---
 signatures/signatures.go | 65 +++++++++++++++++++++++++++++++++++++++-
 types/certs.go | 12 +++++++-
 2 files changed, 75 insertions(+), 2 deletions(-)
diff --git a/signatures/signatures.go b/signatures/signatures.go
index 2bdfbc6e..aeed0482 100644
--- a/signatures/signatures.go
+++ b/signatures/signatures.go
@@ -28,6 +28,70 @@ func GetKeyDatabase(sigType string) (*signature.SignatureDatabase, error) {
 return sig, err
 }
 
+// GetAllFullCerts returns a list of certs in the system. Full cert, including raw data of the cert
+func GetAllFullCerts() (types.CertListFull, error) {
+ var certList types.CertListFull
+ pk, err := GetKeyDatabase("PK")
+ if err != nil {
+ return certList, err
+ }
+ kek, err := GetKeyDatabase("KEK")
+ if err != nil {
+ return certList, err
+ }
+ db, err := GetKeyDatabase("DB")
+ if err != nil {
+ return certList, err
+ }
+
+ for _, k := range *pk {
+ if isValidSignature(k.SignatureType) {
+ for _, k1 := range k.Signatures {
+ // Note the S at the end of the function, we are parsing multiple certs, not just one
+ certificates, err := x509.ParseCertificates(k1.Data)
+ if err != nil {
+ continue
+ }
+ for _, cert := range certificates {
+ certList.PK = append(certList.PK, cert)
+ }
+ }
+ }
+ }
+
+ for _, k := range *kek {
+ if isValidSignature(k.SignatureType) {
+ for _, k1 := range k.Signatures {
+ // Note the S at the end of the function, we are parsing multiple certs, not just one
+ certificates, err := x509.ParseCertificates(k1.Data)
+ if err != nil {
+ continue
+ }
+ for _, cert := range certificates {
+ certList.KEK = append(certList.KEK, cert)
+ }
+ }
+ }
+ }
+
+ for _, k := range *db {
+ if isValidSignature(k.SignatureType) {
+ for _, k1 := range k.Signatures {
+ // Note the S at the end of the function, we are parsing multiple certs, not just one
+ certificates, err := x509.ParseCertificates(k1.Data)
+ if err != nil {
+ continue
+ }
+ for _, cert := range certificates {
+ certList.DB = append(certList.DB, cert)
+ }
+ }
+ }
+ }
+
+ return certList, nil
+}
+
 // GetAllCerts returns a list of certs in the system
 func GetAllCerts() (types.CertList, error) {
 var certList types.CertList
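Review bot: The three loops over pk, kek and db in GetAllFullCerts are copies of one another that differ only in the field they append to, and the inner `for _, cert := range certificates { … append … }` is just `append(certList.X, certificates...)`; a helper taking the `*signature.SignatureDatabase` that GetKeyDatabase returns (per the hunk header) collapses the body to three assignments. The helper is also the one place to state that an entry whose data fails `x509.ParseCertificates` is dropped silently, which a caller listing the PK/KEK/DB stores should be told rather than left to discover; the doc comment on GetAllFullCerts should carry the same sentence, e.g. `// Entries whose data does not parse as X.509 are skipped.`. The "Note the S at the end of the function" comment then needs to exist only once.
```go
// collectCerts returns every X.509 certificate carried by the signature
// entries of db. Entries whose data does not parse as X.509 are skipped.
func collectCerts(db *signature.SignatureDatabase) []*x509.Certificate {
	var certs []*x509.Certificate
	for _, k := range *db {
		if !isValidSignature(k.SignatureType) {
			continue
		}
		for _, k1 := range k.Signatures {
			// ParseCertificates (plural): one entry may carry several certs
			certificates, err := x509.ParseCertificates(k1.Data)
			if err != nil {
				continue
			}
			certs = append(certs, certificates...)
		}
	}
	return certs
}

func GetAllFullCerts() (types.CertListFull, error) {
	// … unchanged: certList declaration and the GetKeyDatabase lookups for pk, kek, db …
	certList.PK = collectCerts(pk)
	certList.KEK = collectCerts(kek)
	certList.DB = collectCerts(db)
	return certList, nil
}
```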
@@ -90,7 +154,6 @@ func GetAllCerts() (types.CertList, error) {
 }
 
 return certList, nil
-
 }
 
 // isValidSignature identifies a signature based as a DER-encoded X.509 certificate
diff --git a/types/certs.go b/types/certs.go
index 5f5e0ed8..e71ec71f 100644
--- a/types/certs.go
+++ b/types/certs.go
@@ -1,6 +1,9 @@
 package types
 
-import "crypto/x509/pkix"
+import (
+ "crypto/x509"
+ "crypto/x509/pkix"
+)
 
 // CertList provides a list of certs on the system from the Efivars and properly parsed
 type CertList struct {
@@ -9,6 +12,13 @@ type CertList struct {
 DB []CertDetail
 }
 
+// CertListFull provides a list of FULL certs, including raw cert data
+type CertListFull struct {
+ PK []*x509.Certificate
+ KEK []*x509.Certificate
+ DB []*x509.Certificate
+}
+
 type CertDetail struct {
 Owner pkix.Name
 Issuer pkix.Name
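Review bot: The three fields of the exported CertListFull type carry no comments, so a reader of types/certs.go has to open signatures.go to learn that PK, KEK and DB are filled from the databases GetKeyDatabase returns for those names; a one-line comment per field, e.g. `// PK holds the certificates parsed from the PK signature database`, with the same for KEK and DB, would make the type self-describing. The doc line above the struct could also note that a slice stays nil when its database yields no parseable certificate, since GetAllFullCerts in signatures/signatures.go only ever appends to the zero value.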