Add a method to return full certs (#103)

* Add a method to return full certs Signed-off-by: Itxaka <itxaka@kairos.io> * Fix lint Signed-off-by: Itxaka <itxaka@kairos.io> * Rework the cert extraction Signed-off-by: Itxaka <itxaka@kairos.io> --------- Signed-off-by: Itxaka <itxaka@kairos.io>
2025-05-10 00:56:49 +00:00 · 2024-04-18 13:11:52 +00:00 · 2024-04-18 13:11:52 +00:00 · 6364d90a12
commit 6364d90a12
parent b7420201f1
2 changed files with 52 additions and 2 deletions
--- a/signatures/signatures.go
+++ b/signatures/signatures.go
@ -28,6 +28,47 @@ func GetKeyDatabase(sigType string) (*signature.SignatureDatabase, error) {
 	return sig, err
 }

+// GetAllFullCerts returns a list of certs in the system. Full cert, including raw data of the cert
+func GetAllFullCerts() (types.CertListFull, error) {
+	var certList types.CertListFull
+	pk, err := GetKeyDatabase("PK")
+	if err != nil {
+		return certList, err
+	}
+	kek, err := GetKeyDatabase("KEK")
+	if err != nil {
+		return certList, err
+	}
+	db, err := GetKeyDatabase("DB")
+	if err != nil {
+		return certList, err
+	}
+
+	certList.PK = ExtractCertsFromSignatureDatabase(pk)
+	certList.KEK = ExtractCertsFromSignatureDatabase(kek)
+	certList.DB = ExtractCertsFromSignatureDatabase(db)
+
+	return certList, nil
+}
+
+// ExtractCertsFromSignatureDatabase returns a []*x509.Certificate from a *signature.SignatureDatabase
+func ExtractCertsFromSignatureDatabase(database *signature.SignatureDatabase) []*x509.Certificate {
+	var result []*x509.Certificate
+	for _, k := range *database {
+		if isValidSignature(k.SignatureType) {
+			for _, k1 := range k.Signatures {
+				// Note the S at the end of the function, we are parsing multiple certs, not just one
+				certificates, err := x509.ParseCertificates(k1.Data)
+				if err != nil {
+					continue
+				}
+				result = append(result, certificates...)
+			}
+		}
+	}
+	return result
+}
+
 // GetAllCerts returns a list of certs in the system
 func GetAllCerts() (types.CertList, error) {
 	var certList types.CertList
@ -90,7 +131,6 @@ func GetAllCerts() (types.CertList, error) {
 	}

 	return certList, nil
-
 }

 // isValidSignature identifies a signature based as a DER-encoded X.509 certificate
--- a/types/certs.go
+++ b/types/certs.go
@ -1,6 +1,9 @@
 package types

-import "crypto/x509/pkix"
+import (
+	"crypto/x509"
+	"crypto/x509/pkix"
+)

 // CertList provides a list of certs on the system from the Efivars and properly parsed
 type CertList struct {
@ -9,6 +12,13 @@ type CertList struct {
 	DB  []CertDetail
 }

+// CertListFull provides a list of FULL certs, including raw cert data
+type CertListFull struct {
+	PK  []*x509.Certificate
+	KEK []*x509.Certificate
+	DB  []*x509.Certificate
+}
+
 type CertDetail struct {
 	Owner  pkix.Name
 	Issuer pkix.Name