From 396b01bbf5b8218f538f81cfa9a8841643669714 Mon Sep 17 00:00:00 2001
From: Itxaka
Date: Thu, 18 Apr 2024 10:16:08 +0200
Subject: [PATCH 1/3] Add a method to return full certs

Signed-off-by: Itxaka
---
 signatures/signatures.go | 65 +++++++++++++++++++++++++++++++++++++++-
 types/certs.go | 12 +++++++-
 2 files changed, 75 insertions(+), 2 deletions(-)

diff --git a/signatures/signatures.go b/signatures/signatures.go
index 2bdfbc6..aeed048 100644
--- a/signatures/signatures.go
+++ b/signatures/signatures.go
@@ -28,6 +28,70 @@ func GetKeyDatabase(sigType string) (*signature.SignatureDatabase, error) {
 	return sig, err
 }
 
+// GetAllFullCerts returns a list of certs in the system. Full cert, including raw data of the cert
+func GetAllFullCerts() (types.CertListFull, error) {
+	var certList types.CertListFull
+	pk, err := GetKeyDatabase("PK")
+	if err != nil {
+		return certList, err
+	}
+	kek, err := GetKeyDatabase("KEK")
+	if err != nil {
+		return certList, err
+	}
+	db, err := GetKeyDatabase("DB")
+	if err != nil {
+		return certList, err
+	}
+
+	for _, k := range *pk {
+		if isValidSignature(k.SignatureType) {
+			for _, k1 := range k.Signatures {
+				// Note the S at the end of the function, we are parsing multiple certs, not just one
+				certificates, err := x509.ParseCertificates(k1.Data)
+				if err != nil {
+					continue
+				}
+				for _, cert := range certificates {
+					certList.PK = append(certList.PK, cert)
+				}
+			}
+		}
+	}
+
+	for _, k := range *kek {
+		if isValidSignature(k.SignatureType) {
+			for _, k1 := range k.Signatures {
+				// Note the S at the end of the function, we are parsing multiple certs, not just one
+				certificates, err := x509.ParseCertificates(k1.Data)
+				if err != nil {
+					continue
+				}
+				for _, cert := range certificates {
+					certList.KEK = append(certList.KEK, cert)
+				}
+			}
+		}
+	}
+
+	for _, k := range *db {
+		if isValidSignature(k.SignatureType) {
+			for _, k1 := range k.Signatures {
+				// Note the S at the end of the function, we are parsing multiple certs, not just one
+				certificates, err := x509.ParseCertificates(k1.Data)
+				if err != nil {
+					continue
+				}
+				for _, cert := range certificates {
+					certList.DB = append(certList.DB, cert)
+				}
+			}
+		}
+	}
+
+	return certList, nil
+}
+
 // GetAllCerts returns a list of certs in the system
 func GetAllCerts() (types.CertList, error) {
 	var certList types.CertList
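Review bot: GetAllFullCerts gives up entirely when any one of the three GetKeyDatabase calls fails, so a caller receives no certificates at all even when the other two databases were readable; the three early `return certList, err` lines at the top of the new function do this. If GetKeyDatabase reports an absent EFI variable as an error (its body is outside this hunk), a machine without an enrolled PK would appear to have an empty trust store rather than the db entries firmware actually honours. At minimum the doc comment should state the contract, e.g. `// GetAllFullCerts returns the X.509 certificates in PK, KEK and DB. It fails if any of the three databases cannot be read.`, or the function should let callers tell a missing database apart from a read failure.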
@@ -90,7 +154,6 @@ func GetAllCerts() (types.CertList, error) {
 	}
 
 	return certList, nil
-
 }
 
 // isValidSignature identifies a signature based as a DER-encoded X.509 certificate
diff --git a/types/certs.go b/types/certs.go
index 5f5e0ed..e71ec71 100644
--- a/types/certs.go
+++ b/types/certs.go
@@ -1,6 +1,9 @@
 package types
 
-import "crypto/x509/pkix"
+import (
+	"crypto/x509"
+	"crypto/x509/pkix"
+)
 
 // CertList provides a list of certs on the system from the Efivars and properly parsed
 type CertList struct {
@@ -9,6 +12,13 @@ type CertList struct {
 	DB []CertDetail
 }
 
+// CertListFull provides a list of FULL certs, including raw cert data
+type CertListFull struct {
+	PK []*x509.Certificate
+	KEK []*x509.Certificate
+	DB []*x509.Certificate
+}
+
 type CertDetail struct {
 	Owner pkix.Name
 	Issuer pkix.Name
From 21cf40ea2b06aed3a9787bfe579ad1baf81c9e62 Mon Sep 17 00:00:00 2001
From: Itxaka
Date: Thu, 18 Apr 2024 10:42:40 +0200
Subject: [PATCH 2/3] Fix lint

Signed-off-by: Itxaka
---
 signatures/signatures.go | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/signatures/signatures.go b/signatures/signatures.go
index aeed048..4afe2ac 100644
--- a/signatures/signatures.go
+++ b/signatures/signatures.go
@@ -52,9 +52,7 @@ func GetAllFullCerts() (types.CertListFull, error) {
 				if err != nil {
 					continue
 				}
-				for _, cert := range certificates {
-					certList.PK = append(certList.PK, cert)
-				}
+				certList.PK = append(certList.PK, certificates...)
 			}
 		}
 	}
@@ -67,9 +65,7 @@ func GetAllFullCerts() (types.CertListFull, error) {
 				if err != nil {
 					continue
 				}
-				for _, cert := range certificates {
-					certList.KEK = append(certList.KEK, cert)
-				}
+				certList.KEK = append(certList.KEK, certificates...)
 			}
 		}
 	}
@@ -82,9 +78,7 @@ func GetAllFullCerts() (types.CertListFull, error) {
 				if err != nil {
 					continue
 				}
-				for _, cert := range certificates {
-					certList.DB = append(certList.DB, cert)
-				}
+				certList.DB = append(certList.DB, certificates...)
 			}
 		}
 	}
From 2131a29f84a045029a6f4de29a67b247b36873fe Mon Sep 17 00:00:00 2001
From: Itxaka
Date: Thu, 18 Apr 2024 13:16:40 +0200
Subject: [PATCH 3/3] Rework the cert extraction

Signed-off-by: Itxaka
---
 signatures/signatures.go | 39 +++++++++++----------------------------
 1 file changed, 11 insertions(+), 28 deletions(-)

diff --git a/signatures/signatures.go b/signatures/signatures.go
index 4afe2ac..cc3a637 100644
--- a/signatures/signatures.go
+++ b/signatures/signatures.go
@@ -44,33 +44,17 @@ func GetAllFullCerts() (types.CertListFull, error) {
 		return certList, err
 	}
 
-	for _, k := range *pk {
-		if isValidSignature(k.SignatureType) {
-			for _, k1 := range k.Signatures {
-				// Note the S at the end of the function, we are parsing multiple certs, not just one
-				certificates, err := x509.ParseCertificates(k1.Data)
-				if err != nil {
-					continue
-				}
-				certList.PK = append(certList.PK, certificates...)
-			}
-		}
-	}
+	certList.PK = ExtractCertsFromSignatureDatabase(pk)
+	certList.KEK = ExtractCertsFromSignatureDatabase(kek)
+	certList.DB = ExtractCertsFromSignatureDatabase(db)
 
-	for _, k := range *kek {
-		if isValidSignature(k.SignatureType) {
-			for _, k1 := range k.Signatures {
-				// Note the S at the end of the function, we are parsing multiple certs, not just one
-				certificates, err := x509.ParseCertificates(k1.Data)
-				if err != nil {
-					continue
-				}
-				certList.KEK = append(certList.KEK, certificates...)
-			}
-		}
-	}
+	return certList, nil
+}
 
-	for _, k := range *db {
+// ExtractCertsFromSignatureDatabase returns a []*x509.Certificate from a *signature.SignatureDatabase
+func ExtractCertsFromSignatureDatabase(database *signature.SignatureDatabase) []*x509.Certificate {
+	var result []*x509.Certificate
+	for _, k := range *database {
 		if isValidSignature(k.SignatureType) {
 			for _, k1 := range k.Signatures {
 				// Note the S at the end of the function, we are parsing multiple certs, not just one
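Review bot: ExtractCertsFromSignatureDatabase is now an exported entry point but dereferences `*database` in its range loop without a nil check, so a nil argument panics instead of yielding an empty result; `if database == nil { return nil }` as the first statement would make it safe for external callers. Its doc comment should also say that only entries whose type passes isValidSignature are considered (per that helper's own comment, DER-encoded X.509), so any non-certificate entries a database may hold, such as hash signatures, are silently omitted, which matters to anyone using the result to reason about what firmware trusts: `// Only X.509 certificate entries are returned; entries of any other signature type are skipped.`. The function body continues in the next hunk.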
@@ -78,12 +62,11 @@ func GetAllFullCerts() (types.CertListFull, error) {
 				if err != nil {
 					continue
 				}
-				certList.DB = append(certList.DB, certificates...)
+				result = append(result, certificates...)
 			}
 		}
 	}
-
-	return certList, nil
+	return result
 }
 
 // GetAllCerts returns a list of certs in the system
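Review bot: The `continue` on a ParseCertificates error in the context lines at the top of this hunk silently drops any entry that fails to parse, so the slice returned by `return result` can under-report what the database actually contains, and the helper's signature gives the caller no way to notice (the function begins in the previous hunk). For a tool inspecting the Secure Boot key stores a malformed or truncated entry is itself something a user would want to see, so at minimum the doc comment should state `// Entries whose data does not parse as X.509 are skipped.`; if callers need to detect corruption, a variant that also returns the collected parse errors would be the proper fix. This behaviour predates the refactor, so it is a pre-existing concern rather than a regression introduced here.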