Add a method to return full certs (#103)

* Add a method to return full certs Signed-off-by: Itxaka <[email protected]> * Fix lint Signed-off-by: Itxaka <[email protected]> * Rework the cert extraction Signed-off-by: Itxaka <[email protected]> --------- Signed-off-by: Itxaka <[email protected]>
kairos-io · Apr 18, 2024 · 6364d90 · 6364d90
1 parent b742020
commit 6364d90
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 2 deletions.
diff --git a/signatures/signatures.go b/signatures/signatures.go
@@ -28,6 +28,47 @@ func GetKeyDatabase(sigType string) (*signature.SignatureDatabase, error) {
 	return sig, err
 }
 
+// GetAllFullCerts returns a list of certs in the system. Full cert, including raw data of the cert
+func GetAllFullCerts() (types.CertListFull, error) {
+	var certList types.CertListFull
+	pk, err := GetKeyDatabase("PK")
+	if err != nil {
+		return certList, err
+	}
+	kek, err := GetKeyDatabase("KEK")
+	if err != nil {
+		return certList, err
+	}
+	db, err := GetKeyDatabase("DB")
+	if err != nil {
+		return certList, err
+	}
+
+	certList.PK = ExtractCertsFromSignatureDatabase(pk)
+	certList.KEK = ExtractCertsFromSignatureDatabase(kek)
+	certList.DB = ExtractCertsFromSignatureDatabase(db)
+
+	return certList, nil
+}
+
+// ExtractCertsFromSignatureDatabase returns a []*x509.Certificate from a *signature.SignatureDatabase
+func ExtractCertsFromSignatureDatabase(database *signature.SignatureDatabase) []*x509.Certificate {
+	var result []*x509.Certificate
+	for _, k := range *database {
+		if isValidSignature(k.SignatureType) {
+			for _, k1 := range k.Signatures {
+				// Note the S at the end of the function, we are parsing multiple certs, not just one
+				certificates, err := x509.ParseCertificates(k1.Data)
+				if err != nil {
+					continue
+				}
+				result = append(result, certificates...)
+			}
+		}
+	}
+	return result
+}
+
 // GetAllCerts returns a list of certs in the system
 func GetAllCerts() (types.CertList, error) {
 	var certList types.CertList
@@ -90,7 +131,6 @@ func GetAllCerts() (types.CertList, error) {
 	}
 
 	return certList, nil
-
 }
 
 // isValidSignature identifies a signature based as a DER-encoded X.509 certificate

diff --git a/types/certs.go b/types/certs.go
@@ -1,6 +1,9 @@
 package types
 
-import "crypto/x509/pkix"
+import (
+	"crypto/x509"
+	"crypto/x509/pkix"
+)
 
 // CertList provides a list of certs on the system from the Efivars and properly parsed
 type CertList struct {
@@ -9,6 +12,13 @@ type CertList struct {
 	DB  []CertDetail
 }
 
+// CertListFull provides a list of FULL certs, including raw cert data
+type CertListFull struct {
+	PK  []*x509.Certificate
+	KEK []*x509.Certificate
+	DB  []*x509.Certificate
+}
+
 type CertDetail struct {
 	Owner  pkix.Name
 	Issuer pkix.Name