MyFavMirrors
/
MeshCentral
mirror of https://github.com/Ylianst/MeshCentral.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
MeshCentral/certoperations.js

521 lines
30 KiB
JavaScript
Raw Normal View History

Initial main commit
2017-08-28 12:27:45 -04:00
/**
* @description Certificate generator
* @author Joko Sastriawan / Ylian Saint-Hilaire
Fixed multi-tenancy DNS support
2018-01-04 15:15:21 -05:00
* @copyright Intel Corporation 2018
* @license Apache-2.0
Initial main commit
2017-08-28 12:27:45 -04:00
* @version v0.0.1
*/
Fixed multi-tenancy DNS support
2018-01-04 15:15:21 -05:00
Initial main commit
2017-08-28 12:27:45 -04:00
module.exports.CertificateOperations = function () {
var obj = {};
obj.fs = require('fs');
obj.forge = require('node-forge');
Much improved Windows MeshAgent stability
2018-01-12 14:41:26 -05:00
obj.crypto = require('crypto');
Initial main commit
2017-08-28 12:27:45 -04:00
obj.pki = obj.forge.pki;
obj.dirExists = function (filePath) { try { return obj.fs.statSync(filePath).isDirectory(); } catch (err) { return false; } }
obj.getFilesizeInBytes = function(filename) { try { return obj.fs.statSync(filename)["size"]; } catch (err) { return -1; } }
obj.fileExists = function(filePath) { try { return obj.fs.statSync(filePath).isFile(); } catch (err) { return false; } }
Improved crypto and removed dependency on WebSocket library, using ws instead.
2017-10-15 02:22:19 -04:00
// Return the SHA386 hash of the certificate public key
obj.getPublicKeyHash = function (cert) {
var publickey = obj.pki.certificateFromPem(cert).publicKey;
return obj.pki.getPublicKeyFingerprint(publickey, { encoding: 'hex', md: obj.forge.md.sha384.create() });
Added new certificate for Intel AMT console authentication.
2017-09-29 17:26:51 -04:00
}
Initial main commit
2017-08-28 12:27:45 -04:00
// Create a self-signed certificate
Fixed certificate generation.
2017-10-18 19:28:05 -04:00
obj.GenerateRootCertificate = function (addThumbPrintToName, commonName, country, organization, strong) {
var keys = obj.pki.rsa.generateKeyPair((strong == true) ? 3072 : 2048);
Initial main commit
2017-08-28 12:27:45 -04:00
var cert = obj.pki.createCertificate();
cert.publicKey = keys.publicKey;
cert.serialNumber = '' + Math.floor((Math.random() * 100000) + 1); ;
cert.validity.notBefore = new Date();
cert.validity.notBefore.setFullYear(cert.validity.notBefore.getFullYear() - 1); // Create a certificate that is valid one year before, to make sure out-of-sync clocks don't reject this cert.
cert.validity.notAfter = new Date();
cert.validity.notAfter.setFullYear(cert.validity.notAfter.getFullYear() + 30);
if (addThumbPrintToName == true) { commonName += '-' + obj.pki.getPublicKeyFingerprint(cert.publicKey, { encoding: 'hex' }).substring(0, 6); }
Improved web interface for getting started.
2017-10-02 17:12:29 -04:00
if (country == undefined) { country = 'unknown'; }
if (organization == undefined) { organization = 'unknown'; }
var attrs = [{ name: 'commonName', value: commonName }, { name: 'organizationName', value: organization }, { name: 'countryName', value: country }];
Initial main commit
2017-08-28 12:27:45 -04:00
cert.setSubject(attrs);
cert.setIssuer(attrs);
Improved web interface for getting started.
2017-10-02 17:12:29 -04:00
// Create a root certificate
cert.setExtensions([{
name: 'basicConstraints',
cA: true
}, {
Initial main commit
2017-08-28 12:27:45 -04:00
name: 'nsCertType',
sslCA: true,
Improved web interface for getting started.
2017-10-02 17:12:29 -04:00
emailCA: true,
Initial main commit
2017-08-28 12:27:45 -04:00
objCA: true
Improved web interface for getting started.
2017-10-02 17:12:29 -04:00
}, {
name: 'subjectKeyIdentifier'
}]);
Improved crypto and removed dependency on WebSocket library, using ws instead.
2017-10-15 02:22:19 -04:00
cert.sign(keys.privateKey, obj.forge.md.sha384.create());
Initial main commit
2017-08-28 12:27:45 -04:00
return { cert: cert, key: keys.privateKey };
}
// Issue a certificate from a root
Improved crypto and removed dependency on WebSocket library, using ws instead.
2017-10-15 02:22:19 -04:00
obj.IssueWebServerCertificate = function (rootcert, addThumbPrintToName, commonName, country, organization, extKeyUsage, strong) {
var keys = obj.pki.rsa.generateKeyPair((strong == true) ? 3072 : 2048);
Initial main commit
2017-08-28 12:27:45 -04:00
var cert = obj.pki.createCertificate();
cert.publicKey = keys.publicKey;
cert.serialNumber = '' + Math.floor((Math.random() * 100000) + 1); ;
cert.validity.notBefore = new Date();
cert.validity.notBefore.setFullYear(cert.validity.notAfter.getFullYear() - 1); // Create a certificate that is valid one year before, to make sure out-of-sync clocks don't reject this cert.
cert.validity.notAfter = new Date();
cert.validity.notAfter.setFullYear(cert.validity.notAfter.getFullYear() + 30);
if (addThumbPrintToName == true) { commonName += '-' + obj.pki.getPublicKeyFingerprint(cert.publicKey, { encoding: 'hex' }).substring(0, 6); }
var attrs = [ { name: 'commonName', value: commonName }];
if (country != undefined) attrs.push({ name: 'countryName', value: country });
if (organization != undefined) attrs.push({ name: 'organizationName', value: organization });
cert.setSubject(attrs);
cert.setIssuer(rootcert.cert.subject.attributes);
Added new certificate for Intel AMT console authentication.
2017-09-29 17:26:51 -04:00
if (extKeyUsage == null) { extKeyUsage = { name: 'extKeyUsage', serverAuth: true, } } else { extKeyUsage.name = 'extKeyUsage'; }
var subjectAltName = null;
if (extKeyUsage.serverAuth == true) {
subjectAltName = {
name: 'subjectAltName',
altNames: [{
type: 6, // URI
value: 'http://' + commonName + '/'
}, {
type: 6, // URL
value: 'http://localhost/'
}]
}
}
/*
{
name: 'extKeyUsage',
serverAuth: true,
clientAuth: true,
codeSigning: true,
emailProtection: true,
timeStamping: true,
'2.16.840.1.113741.1.2.1': true
}
*/
var extensions = [{
name: 'basicConstraints',
cA: false
}, {
Initial main commit
2017-08-28 12:27:45 -04:00
name: 'keyUsage',
keyCertSign: true,
digitalSignature: true,
nonRepudiation: true,
keyEncipherment: true,
dataEncipherment: true
Added new certificate for Intel AMT console authentication.
2017-09-29 17:26:51 -04:00
}, extKeyUsage, {
Initial main commit
2017-08-28 12:27:45 -04:00
name: 'nsCertType',
client: false,
server: true,
email: false,
objsign: false,
sslCA: false,
emailCA: false,
objCA: false
}, {
name: 'subjectKeyIdentifier'
Added new certificate for Intel AMT console authentication.
2017-09-29 17:26:51 -04:00
}]
if (subjectAltName != null) extensions.push(subjectAltName);
cert.setExtensions(extensions);
Improved crypto and removed dependency on WebSocket library, using ws instead.
2017-10-15 02:22:19 -04:00
cert.sign(rootcert.key, obj.forge.md.sha384.create());
Initial main commit
2017-08-28 12:27:45 -04:00
return { cert: cert, key: keys.privateKey };
}
// Returns the web server TLS certificate and private key, if not present, create demonstration ones.
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
obj.GetMeshServerCertificate = function (parent, args, config, func) {
Improved web interface for getting started.
2017-10-02 17:12:29 -04:00
var certargs = args.cert;
Added MPS server aliasing support.
2018-03-06 20:50:44 -05:00
var mpscertargs = args.mpscert;
Fixed certificate generation.
2017-10-18 19:28:05 -04:00
var strongCertificate = (args.fastcert ? false : true);
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
var rcountmax = 5;
Initial main commit
2017-08-28 12:27:45 -04:00
// commonName, country, organization
// If the certificates directory does not exist, create it.
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
if (!obj.dirExists(parent.datapath)) { obj.fs.mkdirSync(parent.datapath); }
Initial main commit
2017-08-28 12:27:45 -04:00
var r = {}, rcount = 0;
// If the root certificate already exist, load it
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
if (obj.fileExists(parent.getConfigFilePath('root-cert-public.crt')) && obj.fileExists(parent.getConfigFilePath('root-cert-private.key'))) {
var rootCertificate = obj.fs.readFileSync(parent.getConfigFilePath('root-cert-public.crt'), 'utf8');
var rootPrivateKey = obj.fs.readFileSync(parent.getConfigFilePath('root-cert-private.key'), 'utf8');
Initial main commit
2017-08-28 12:27:45 -04:00
r.root = { cert: rootCertificate, key: rootPrivateKey };
rcount++;
}
Improved web interface for getting started.
2017-10-02 17:12:29 -04:00
if (args.tlsoffload == true) {
// If the web certificate already exist, load it. Load just the certificate since we are in TLS offload situation
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
if (obj.fileExists(parent.getConfigFilePath('webserver-cert-public.crt'))) {
var webCertificate = obj.fs.readFileSync(parent.getConfigFilePath('webserver-cert-public.crt'), 'utf8');
Improved web interface for getting started.
2017-10-02 17:12:29 -04:00
r.web = { cert: webCertificate };
rcount++;
}
} else {
// If the web certificate already exist, load it. Load both certificate and private key
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
if (obj.fileExists(parent.getConfigFilePath('webserver-cert-public.crt')) && obj.fileExists(parent.getConfigFilePath('webserver-cert-private.key'))) {
var webCertificate = obj.fs.readFileSync(parent.getConfigFilePath('webserver-cert-public.crt'), 'utf8');
var webPrivateKey = obj.fs.readFileSync(parent.getConfigFilePath('webserver-cert-private.key'), 'utf8');
Improved web interface for getting started.
2017-10-02 17:12:29 -04:00
r.web = { cert: webCertificate, key: webPrivateKey };
rcount++;
}
Initial main commit
2017-08-28 12:27:45 -04:00
}
Improved web interface for getting started.
2017-10-02 17:12:29 -04:00
// If the mps certificate already exist, load it
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
if (obj.fileExists(parent.getConfigFilePath('mpsserver-cert-public.crt')) && obj.fileExists(parent.getConfigFilePath('mpsserver-cert-private.key'))) {
var mpsCertificate = obj.fs.readFileSync(parent.getConfigFilePath('mpsserver-cert-public.crt'), 'utf8');
var mpsPrivateKey = obj.fs.readFileSync(parent.getConfigFilePath('mpsserver-cert-private.key'), 'utf8');
Initial main commit
2017-08-28 12:27:45 -04:00
r.mps = { cert: mpsCertificate, key: mpsPrivateKey };
rcount++;
}
Improved web interface for getting started.
2017-10-02 17:12:29 -04:00
// If the agent certificate already exist, load it
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
if (obj.fileExists(parent.getConfigFilePath('agentserver-cert-public.crt')) && obj.fileExists(parent.getConfigFilePath('agentserver-cert-private.key'))) {
var agentCertificate = obj.fs.readFileSync(parent.getConfigFilePath('agentserver-cert-public.crt'), 'utf8');
var agentPrivateKey = obj.fs.readFileSync(parent.getConfigFilePath('agentserver-cert-private.key'), 'utf8');
Initial main commit
2017-08-28 12:27:45 -04:00
r.agent = { cert: agentCertificate, key: agentPrivateKey };
rcount++;
}
Added support for intermediate CA certs in web server TLS.
2017-09-07 19:01:44 -04:00
Improved web interface for getting started.
2017-10-02 17:12:29 -04:00
// If the console certificate already exist, load it
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
if (obj.fileExists(parent.getConfigFilePath('amtconsole-cert-public.crt')) && obj.fileExists(parent.getConfigFilePath('agentserver-cert-private.key'))) {
var amtConsoleCertificate = obj.fs.readFileSync(parent.getConfigFilePath('amtconsole-cert-public.crt'), 'utf8');
var amtConsolePrivateKey = obj.fs.readFileSync(parent.getConfigFilePath('amtconsole-cert-private.key'), 'utf8');
Added new certificate for Intel AMT console authentication.
2017-09-29 17:26:51 -04:00
r.console = { cert: amtConsoleCertificate, key: amtConsolePrivateKey };
rcount++;
}
Started work MeshCentral2 legacy update path.
2017-11-03 20:01:30 -04:00
// If the swarm server certificate exist, load it (This is an optional certificate)
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
if (obj.fileExists(parent.getConfigFilePath('swarmserver-cert-public.crt')) && obj.fileExists(parent.getConfigFilePath('swarmserver-cert-private.key'))) {
var swarmServerCertificate = obj.fs.readFileSync(parent.getConfigFilePath('swarmserver-cert-public.crt'), 'utf8');
var swarmServerPrivateKey = obj.fs.readFileSync(parent.getConfigFilePath('swarmserver-cert-private.key'), 'utf8');
Started work MeshCentral2 legacy update path.
2017-11-03 20:01:30 -04:00
r.swarmserver = { cert: swarmServerCertificate, key: swarmServerPrivateKey };
}
// If the swarm server root certificate exist, load it (This is an optional certificate)
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
if (obj.fileExists(parent.getConfigFilePath('swarmserverroot-cert-public.crt'))) {
var swarmServerRootCertificate = obj.fs.readFileSync(parent.getConfigFilePath('swarmserverroot-cert-public.crt'), 'utf8');
Started work MeshCentral2 legacy update path.
2017-11-03 20:01:30 -04:00
r.swarmserverroot = { cert: swarmServerRootCertificate };
}
Added support for intermediate CA certs in web server TLS.
2017-09-07 19:01:44 -04:00
// If CA certificates are present, load them
First pass at adding WebRTC support.
2018-01-16 20:30:34 -05:00
if (r.web != null) {
var caok, caindex = 1, calist = [];
do {
caok = false;
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
if (obj.fileExists(parent.getConfigFilePath('webserver-cert-chain' + caindex + '.crt'))) {
var caCertificate = obj.fs.readFileSync(parent.getConfigFilePath('webserver-cert-chain' + caindex + '.crt'), 'utf8');
First pass at adding WebRTC support.
2018-01-16 20:30:34 -05:00
calist.push(caCertificate);
caok = true;
}
caindex++;
} while (caok == true);
r.web.ca = calist;
}
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
Initial main commit
2017-08-28 12:27:45 -04:00
// Decode certificate arguments
Added MPS server aliasing support.
2018-03-06 20:50:44 -05:00
var commonName = 'un-configured', country, organization, forceWebCertGen = 0, forceMpsCertGen = 0;
Initial main commit
2017-08-28 12:27:45 -04:00
if (certargs != undefined) {
var args = certargs.split(',');
if (args.length > 0) commonName = args[0];
if (args.length > 1) country = args[1];
if (args.length > 2) organization = args[2];
}
Improved web interface for getting started.
2017-10-02 17:12:29 -04:00
Added MPS server aliasing support.
2018-03-06 20:50:44 -05:00
// Decode MPS certificate arguments, this is for the Intel AMT CIRA server
var mpsCommonName = commonName, mpsCountry = country, mpsOrganization = organization;
if (mpscertargs != undefined) {
var args = mpscertargs.split(',');
if (args.length > 0) mpsCommonName = args[0];
if (args.length > 1) mpsCountry = args[1];
if (args.length > 2) mpsOrganization = args[2];
}
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
// Look for domains that have DNS names and load their certificates
r.dns = {};
for (var i in config.domains) {
if ((i != '') && (config.domains[i] != null) && (config.domains[i].dns != null)) {
var dnsname = config.domains[i].dns;
if (args.tlsoffload == true) {
// If the web certificate already exist, load it. Load just the certificate since we are in TLS offload situation
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
if (obj.fileExists(parent.getConfigFilePath('webserver-' + i + '-cert-public.crt'))) {
r.dns[i] = { cert: obj.fs.readFileSync(parent.getConfigFilePath('webserver-' + i + '-cert-public.crt'), 'utf8') };
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
config.domains[i].certs = r.dns[i];
} else {
console.log('WARNING: File "webserver-' + i + '-cert-public.crt" missing, domain "' + i + '" will not work correctly.');
}
} else {
// If the web certificate already exist, load it. Load both certificate and private key
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
if (obj.fileExists(parent.getConfigFilePath('webserver-' + i + '-cert-public.crt')) && obj.fileExists(parent.getConfigFilePath('webserver-' + i + '-cert-private.key'))) {
r.dns[i] = { cert: obj.fs.readFileSync(parent.getConfigFilePath('webserver-' + i + '-cert-public.crt'), 'utf8'), key: obj.fs.readFileSync(parent.getConfigFilePath('webserver-' + i + '-cert-private.key'), 'utf8') };
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
config.domains[i].certs = r.dns[i];
// If CA certificates are present, load them
var caok, caindex = 1, calist = [];
do {
caok = false;
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
if (obj.fileExists(parent.getConfigFilePath('webserver-' + i + '-cert-chain' + caindex + '.crt'))) {
var caCertificate = obj.fs.readFileSync(parent.getConfigFilePath('webserver-' + i + '-cert-chain' + caindex + '.crt'), 'utf8');
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
calist.push(caCertificate);
caok = true;
}
caindex++;
} while (caok == true);
r.dns[i].ca = calist;
} else {
rcountmax++; // This certificate must be generated
}
}
}
}
if (rcount == rcountmax) {
Added new certificate for Intel AMT console authentication.
2017-09-29 17:26:51 -04:00
// Fetch the Intel AMT console name
var consoleCertificate = obj.pki.certificateFromPem(r.console.cert);
r.AmtConsoleName = consoleCertificate.subject.getField('CN').value;
MPS certificate name fix, added MeshType to .msh.
2017-10-11 15:20:59 -04:00
// Fetch the Intel AMT MPS common name
var mpsCertificate = obj.pki.certificateFromPem(r.mps.cert);
r.AmtMpsName = mpsCertificate.subject.getField('CN').value;
Initial main commit
2017-08-28 12:27:45 -04:00
// Fetch the name of the server
var webCertificate = obj.pki.certificateFromPem(r.web.cert);
r.CommonName = webCertificate.subject.getField('CN').value;
var rootCertificate = obj.pki.certificateFromPem(r.root.cert);
r.RootName = rootCertificate.subject.getField('CN').value;
Added MPS server aliasing support.
2018-03-06 20:50:44 -05:00
if ((certargs == null) && (mpscertargs == null)) { if (func != undefined) { func(r); } return r }; // If no certificate arguments are given, keep the certificate
Initial main commit
2017-08-28 12:27:45 -04:00
var xcountry, xcountryField = webCertificate.subject.getField('C');
if (xcountryField != null) { xcountry = xcountryField.value; }
var xorganization, xorganizationField = webCertificate.subject.getField('O');
if (xorganizationField != null) { xorganization = xorganizationField.value; }
Added MPS server aliasing support.
2018-03-06 20:50:44 -05:00
if (certargs == null) { commonName = r.CommonName; country = xcountry; organization = xorganization; }
// Check if we have correct certificates
if ((r.CommonName == commonName) && (xcountry == country) && (xorganization == organization) && (r.AmtMpsName == mpsCommonName)) {
// Certificate matches what we want, keep it.
if (func != undefined) { func(r); } return r;
} else {
// Check what certificates we really need to re-generate.
if ((r.CommonName != commonName) || (xcountry != country) || (xorganization != organization)) { forceWebCertGen = 1; }
if (r.AmtMpsName != mpsCommonName) { forceMpsCertGen = 1; }
}
Initial main commit
2017-08-28 12:27:45 -04:00
}
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
console.log('Generating certificates, may take a few minutes...');
Added serverstate.txt file in data folder
2018-03-14 15:10:13 -04:00
parent.updateServerState('state', 'generatingcertificates');
Fixed certificate generation.
2017-10-18 19:28:05 -04:00
// If a certificate is missing, but web certificate is present and --cert is not used, set the names to be the same as the web certificate
if ((certargs == null) && (r.web != null)) {
var webCertificate = obj.pki.certificateFromPem(r.web.cert);
commonName = webCertificate.subject.getField('CN').value;
var xcountryField = webCertificate.subject.getField('C');
if (xcountryField != null) { country = xcountryField.value; }
var xorganizationField = webCertificate.subject.getField('O');
if (xorganizationField != null) { organization = xorganizationField.value; }
}
Initial main commit
2017-08-28 12:27:45 -04:00
var rootCertAndKey, rootCertificate, rootPrivateKey, rootName;
if (r.root == undefined) {
// If the root certificate does not exist, create one
Fixed certificate generation.
2017-10-18 19:28:05 -04:00
console.log('Generating root certificate...');
rootCertAndKey = obj.GenerateRootCertificate(true, 'MeshCentralRoot', null, null, strongCertificate);
Initial main commit
2017-08-28 12:27:45 -04:00
rootCertificate = obj.pki.certificateToPem(rootCertAndKey.cert);
rootPrivateKey = obj.pki.privateKeyToPem(rootCertAndKey.key);
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
obj.fs.writeFileSync(parent.getConfigFilePath('root-cert-public.crt'), rootCertificate);
obj.fs.writeFileSync(parent.getConfigFilePath('root-cert-private.key'), rootPrivateKey);
Initial main commit
2017-08-28 12:27:45 -04:00
} else {
// Keep the root certificate we have
rootCertAndKey = { cert: obj.pki.certificateFromPem(r.root.cert), key: obj.pki.privateKeyFromPem(r.root.key) };
rootCertificate = r.root.cert
rootPrivateKey = r.root.key
}
var rootName = rootCertAndKey.cert.subject.getField('CN').value;
// If the web certificate does not exist, create one
var webCertAndKey, webCertificate, webPrivateKey;
MPS certificate name fix, added MeshType to .msh.
2017-10-11 15:20:59 -04:00
if ((r.web == null) || (forceWebCertGen == 1)) {
Fixed certificate generation.
2017-10-18 19:28:05 -04:00
console.log('Generating HTTPS certificate...');
webCertAndKey = obj.IssueWebServerCertificate(rootCertAndKey, false, commonName, country, organization, null, strongCertificate);
Added new certificate for Intel AMT console authentication.
2017-09-29 17:26:51 -04:00
webCertificate = obj.pki.certificateToPem(webCertAndKey.cert);
webPrivateKey = obj.pki.privateKeyToPem(webCertAndKey.key);
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
obj.fs.writeFileSync(parent.getConfigFilePath('webserver-cert-public.crt'), webCertificate);
obj.fs.writeFileSync(parent.getConfigFilePath('webserver-cert-private.key'), webPrivateKey);
Added new certificate for Intel AMT console authentication.
2017-09-29 17:26:51 -04:00
} else {
// Keep the console certificate we have
webCertAndKey = { cert: obj.pki.certificateFromPem(r.web.cert), key: obj.pki.privateKeyFromPem(r.web.key) };
webCertificate = r.web.cert
webPrivateKey = r.web.key
}
Fixed certificate generation.
2017-10-18 19:28:05 -04:00
// If the mesh agent server certificate does not exist, create one
var agentCertAndKey, agentCertificate, agentPrivateKey;
if (r.agent == null) {
console.log('Generating MeshAgent certificate...');
agentCertAndKey = obj.IssueWebServerCertificate(rootCertAndKey, true, 'MeshCentralAgentServer', null, strongCertificate);
agentCertificate = obj.pki.certificateToPem(agentCertAndKey.cert);
agentPrivateKey = obj.pki.privateKeyToPem(agentCertAndKey.key);
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
obj.fs.writeFileSync(parent.getConfigFilePath('agentserver-cert-public.crt'), agentCertificate);
obj.fs.writeFileSync(parent.getConfigFilePath('agentserver-cert-private.key'), agentPrivateKey);
Fixed certificate generation.
2017-10-18 19:28:05 -04:00
} else {
// Keep the mesh agent server certificate we have
agentCertAndKey = { cert: obj.pki.certificateFromPem(r.agent.cert), key: obj.pki.privateKeyFromPem(r.agent.key) };
agentCertificate = r.agent.cert
agentPrivateKey = r.agent.key
}
Initial main commit
2017-08-28 12:27:45 -04:00
// If the Intel AMT MPS certificate does not exist, create one
var mpsCertAndKey, mpsCertificate, mpsPrivateKey;
Added MPS server aliasing support.
2018-03-06 20:50:44 -05:00
if ((r.mps == null) || (forceMpsCertGen == 1)) {
Fixed certificate generation.
2017-10-18 19:28:05 -04:00
console.log('Generating Intel AMT MPS certificate...');
Added MPS server aliasing support.
2018-03-06 20:50:44 -05:00
mpsCertAndKey = obj.IssueWebServerCertificate(rootCertAndKey, false, mpsCommonName, mpsCountry, mpsOrganization, null, false);
Added new certificate for Intel AMT console authentication.
2017-09-29 17:26:51 -04:00
mpsCertificate = obj.pki.certificateToPem(mpsCertAndKey.cert);
mpsPrivateKey = obj.pki.privateKeyToPem(mpsCertAndKey.key);
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
obj.fs.writeFileSync(parent.getConfigFilePath('mpsserver-cert-public.crt'), mpsCertificate);
obj.fs.writeFileSync(parent.getConfigFilePath('mpsserver-cert-private.key'), mpsPrivateKey);
Added new certificate for Intel AMT console authentication.
2017-09-29 17:26:51 -04:00
} else {
// Keep the console certificate we have
mpsCertAndKey = { cert: obj.pki.certificateFromPem(r.mps.cert), key: obj.pki.privateKeyFromPem(r.mps.key) };
mpsCertificate = r.mps.cert
mpsPrivateKey = r.mps.key
}
// If the Intel AMT console certificate does not exist, create one
Many server fixes and more stable mesh agent.
2017-10-03 21:31:20 -04:00
var consoleCertAndKey, consoleCertificate, consolePrivateKey, amtConsoleName = 'MeshCentral';
MPS certificate name fix, added MeshType to .msh.
2017-10-11 15:20:59 -04:00
if (r.console == null) {
Fixed certificate generation.
2017-10-18 19:28:05 -04:00
console.log('Generating Intel AMT console certificate...');
Improved crypto and removed dependency on WebSocket library, using ws instead.
2017-10-15 02:22:19 -04:00
consoleCertAndKey = obj.IssueWebServerCertificate(rootCertAndKey, false, amtConsoleName, country, organization, { name: 'extKeyUsage', clientAuth: true, '2.16.840.1.113741.1.2.1': true, '2.16.840.1.113741.1.2.2': true, '2.16.840.1.113741.1.2.3': true }, false); // Intel AMT Remote, Agent and Activation usages
Added new certificate for Intel AMT console authentication.
2017-09-29 17:26:51 -04:00
consoleCertificate = obj.pki.certificateToPem(consoleCertAndKey.cert);
consolePrivateKey = obj.pki.privateKeyToPem(consoleCertAndKey.key);
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
obj.fs.writeFileSync(parent.getConfigFilePath('amtconsole-cert-public.crt'), consoleCertificate);
obj.fs.writeFileSync(parent.getConfigFilePath('amtconsole-cert-private.key'), consolePrivateKey);
Added new certificate for Intel AMT console authentication.
2017-09-29 17:26:51 -04:00
} else {
// Keep the console certificate we have
consoleCertAndKey = { cert: obj.pki.certificateFromPem(r.console.cert), key: obj.pki.privateKeyFromPem(r.console.key) };
consoleCertificate = r.console.cert
consolePrivateKey = r.console.key
Many server fixes and more stable mesh agent.
2017-10-03 21:31:20 -04:00
amtConsoleName = consoleCertAndKey.cert.subject.getField('CN').value;
Added new certificate for Intel AMT console authentication.
2017-09-29 17:26:51 -04:00
}
Added MPS server aliasing support.
2018-03-06 20:50:44 -05:00
var r = { root: { cert: rootCertificate, key: rootPrivateKey }, web: { cert: webCertificate, key: webPrivateKey, ca: [] }, mps: { cert: mpsCertificate, key: mpsPrivateKey }, agent: { cert: agentCertificate, key: agentPrivateKey }, console: { cert: consoleCertificate, key: consolePrivateKey }, ca: calist, CommonName: commonName, RootName: rootName, AmtConsoleName: amtConsoleName, AmtMpsName: mpsCommonName, dns: {} };
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
// Look for domains with DNS names that have no certificates and generated them.
for (var i in config.domains) {
if ((i != '') && (config.domains[i] != null) && (config.domains[i].dns != null)) {
var dnsname = config.domains[i].dns;
if (args.tlsoffload != true) {
// If the web certificate does not exist, create it
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
if ((obj.fileExists(parent.getConfigFilePath('webserver-' + i + '-cert-public.crt')) == false) || (obj.fileExists(parent.getConfigFilePath('webserver-' + i + '-cert-private.key')) == false)) {
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
console.log('Generating HTTPS certificate for ' + i + '...');
var xwebCertAndKey = obj.IssueWebServerCertificate(rootCertAndKey, false, dnsname, country, organization, null, strongCertificate);
var xwebCertificate = obj.pki.certificateToPem(xwebCertAndKey.cert);
var xwebPrivateKey = obj.pki.privateKeyToPem(xwebCertAndKey.key);
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
obj.fs.writeFileSync(parent.getConfigFilePath('webserver-' + i + '-cert-public.crt'), xwebCertificate);
obj.fs.writeFileSync(parent.getConfigFilePath('webserver-' + i + '-cert-private.key'), xwebPrivateKey);
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
r.dns[i] = { cert: xwebCertificate, key: xwebPrivateKey };
config.domains[i].certs = r.dns[i];
// If CA certificates are present, load them
var caok, caindex = 1, calist = [];
do {
caok = false;
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
if (obj.fileExists(parent.getConfigFilePath('webserver-' + i + '-cert-chain' + caindex + '.crt'))) {
var caCertificate = obj.fs.readFileSync(parent.getConfigFilePath('webserver-' + i + '-cert-chain' + caindex + '.crt'), 'utf8');
Added DNS multi-tenancy support
2018-01-02 19:52:49 -05:00
calist.push(caCertificate);
caok = true;
}
caindex++;
} while (caok == true);
r.dns[i].ca = calist;
}
}
}
}
Added MPS server aliasing support.
2018-03-06 20:50:44 -05:00
// If the swarm server certificate exist, load it (This is an optional certificate)
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
if (obj.fileExists(parent.getConfigFilePath('swarmserver-cert-public.crt')) && obj.fileExists(parent.getConfigFilePath('swarmserver-cert-private.key'))) {
var swarmServerCertificate = obj.fs.readFileSync(parent.getConfigFilePath('swarmserver-cert-public.crt'), 'utf8');
var swarmServerPrivateKey = obj.fs.readFileSync(parent.getConfigFilePath('swarmserver-cert-private.key'), 'utf8');
Added MPS server aliasing support.
2018-03-06 20:50:44 -05:00
r.swarmserver = { cert: swarmServerCertificate, key: swarmServerPrivateKey };
}
// If the swarm server root certificate exist, load it (This is an optional certificate)
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
if (obj.fileExists(parent.getConfigFilePath('swarmserverroot-cert-public.crt'))) {
var swarmServerRootCertificate = obj.fs.readFileSync(parent.getConfigFilePath('swarmserverroot-cert-public.crt'), 'utf8');
Added MPS server aliasing support.
2018-03-06 20:50:44 -05:00
r.swarmserverroot = { cert: swarmServerRootCertificate };
}
// If CA certificates are present, load them
if (r.web != null) {
var caok, caindex = 1, calist = [];
do {
caok = false;
Fixed usernames that include a dot (.)
2018-07-13 22:18:43 -04:00
if (obj.fileExists(parent.getConfigFilePath('webserver-cert-chain' + caindex + '.crt'))) {
var caCertificate = obj.fs.readFileSync(parent.getConfigFilePath('webserver-cert-chain' + caindex + '.crt'), 'utf8');
Added MPS server aliasing support.
2018-03-06 20:50:44 -05:00
calist.push(caCertificate);
caok = true;
}
caindex++;
} while (caok == true);
r.web.ca = calist;
}
Initial main commit
2017-08-28 12:27:45 -04:00
if (func != undefined) { func(r); }
return r;
}
Much improved Windows MeshAgent stability
2018-01-12 14:41:26 -05:00
// Accelerators, used to dispatch work to other processes
Faster RSA signatures.
2018-01-09 23:13:41 -05:00
const fork = require('child_process').fork;
Much improved Windows MeshAgent stability
2018-01-12 14:41:26 -05:00
const program = require('path').join(__dirname, 'meshaccelerator.js');
const acceleratorTotalCount = require('os').cpus().length;
var acceleratorCreateCount = acceleratorTotalCount;
Faster RSA signatures.
2018-01-09 23:13:41 -05:00
var freeAccelerators = [];
Much improved Windows MeshAgent stability
2018-01-12 14:41:26 -05:00
var pendingAccelerator = [];
obj.acceleratorCertStore = null;
Faster RSA signatures.
2018-01-09 23:13:41 -05:00
// Create a new accelerator module
Much improved Windows MeshAgent stability
2018-01-12 14:41:26 -05:00
obj.getAccelerator = function () {
if (obj.acceleratorCertStore == null) { return null; }
Faster RSA signatures.
2018-01-09 23:13:41 -05:00
if (freeAccelerators.length > 0) { return freeAccelerators.pop(); }
if (acceleratorCreateCount > 0) {
Much improved Windows MeshAgent stability
2018-01-12 14:41:26 -05:00
acceleratorCreateCount--;
Faster RSA signatures.
2018-01-09 23:13:41 -05:00
var accelerator = fork(program, [], { stdio: ['pipe', 'pipe', 'pipe', 'ipc'] });
Much improved Windows MeshAgent stability
2018-01-12 14:41:26 -05:00
accelerator.on('message', function (message) { this.func(message); if (pendingAccelerator.length > 0) { accelerator.send(pendingAccelerator.shift()); } else { freeAccelerators.push(this); } });
accelerator.send({ action: 'setState', certs: obj.acceleratorCertStore });
Faster RSA signatures.
2018-01-09 23:13:41 -05:00
return accelerator;
}
return null;
}
// Set the state of the accelerators. This way, we don't have to send certificate & keys to them each time.
Much improved Windows MeshAgent stability
2018-01-12 14:41:26 -05:00
obj.acceleratorStart = function (certificates) {
if (obj.acceleratorCertStore != null) { console.error('ERROR: Accelerators can only be started once.'); return; }
Faster RSA signatures.
2018-01-09 23:13:41 -05:00
obj.acceleratorCertStore = [{ cert: certificates.agent.cert, key: certificates.agent.key }];
if (certificates.swarmserver != null) { obj.acceleratorCertStore.push({ cert: certificates.swarmserver.cert, key: certificates.swarmserver.key }); }
}
// Perform any RSA signature, just pass in the private key and data.
obj.acceleratorPerformSignature = function (privatekey, data, func) {
Much improved Windows MeshAgent stability
2018-01-12 14:41:26 -05:00
if (acceleratorTotalCount <= 1) {
Faster RSA signatures.
2018-01-09 23:13:41 -05:00
// No accelerators available
if (typeof privatekey == 'number') { privatekey = obj.acceleratorCertStore[privatekey].key; }
Much improved Windows MeshAgent stability
2018-01-12 14:41:26 -05:00
const sign = obj.crypto.createSign('SHA384');
Faster RSA signatures.
2018-01-09 23:13:41 -05:00
sign.end(new Buffer(data, 'binary'));
func(sign.sign(privatekey).toString('binary'));
} else {
Much improved Windows MeshAgent stability
2018-01-12 14:41:26 -05:00
var acc = obj.getAccelerator();
if (acc == null) {
// Add to pending accelerator workload
pendingAccelerator.push({ action: 'sign', key: privatekey, data: data });
} else {
// Send to accelerator now
acc.func = func;
acc.send({ action: 'sign', key: privatekey, data: data });
}
Faster RSA signatures.
2018-01-09 23:13:41 -05:00
}
}
Initial main commit
2017-08-28 12:27:45 -04:00
return obj;
};