Auto-fix certs with empty serial number.

This commit is contained in:
Ylian Saint-Hilaire 2020-09-23 10:13:15 -07:00
parent d6f7d16ffd
commit 397c0142c7
1 changed files with 18 additions and 7 deletions

View File

@ -397,6 +397,14 @@ module.exports.CertificateOperations = function (parent) {
return false; return false;
} }
// Return true if the certificate is valid
obj.checkCertificate = function (pem, key) {
var cert = null;
try { cert = obj.pki.certificateFromPem(pem); } catch (ex) { return false; } // Unable to decode certificate
if (cert.serialNumber == '') return false; // Empty serial number is not allowed.
return true;
}
// Returns the web server TLS certificate and private key, if not present, create demonstration ones. // Returns the web server TLS certificate and private key, if not present, create demonstration ones.
obj.GetMeshServerCertificate = function (args, config, func) { obj.GetMeshServerCertificate = function (args, config, func) {
var i = 0; var i = 0;
@ -426,11 +434,11 @@ module.exports.CertificateOperations = function (parent) {
// This option is required for newer versions of Intel AMT for CIRA/WS-EVENTS. // This option is required for newer versions of Intel AMT for CIRA/WS-EVENTS.
var xroot = obj.pki.certificateFromPem(rootCertificate); var xroot = obj.pki.certificateFromPem(rootCertificate);
var xext = xroot.getExtension('keyUsage'); var xext = xroot.getExtension('keyUsage');
if ((xext == null) || (xext.keyCertSign !== true)) { if ((xext == null) || (xext.keyCertSign !== true) || (xroot.serialNumber == '')) {
// We need to fix this certificate // We need to fix this certificate
console.log("Fixing root certificate to add signing key usage...");
obj.fs.writeFileSync(parent.getConfigFilePath('root-cert-public-backup.crt'), rootCertificate); obj.fs.writeFileSync(parent.getConfigFilePath('root-cert-public-backup.crt'), rootCertificate);
xroot.setExtensions([{ name: 'basicConstraints', cA: true }, { name: 'subjectKeyIdentifier' }, { name: 'keyUsage', keyCertSign: true }]); if (xroot.serialNumber == '') { console.log("Fixing root certificate to add serial number..."); xroot.serialNumber = '' + require('crypto').randomBytes(4).readUInt32BE(0); }
if ((xext == null) || (xext.keyCertSign !== true)) { console.log("Fixing root certificate to add signing key usage..."); xroot.setExtensions([{ name: 'basicConstraints', cA: true }, { name: 'subjectKeyIdentifier' }, { name: 'keyUsage', keyCertSign: true }]); }
var xrootPrivateKey = obj.pki.privateKeyFromPem(rootPrivateKey); var xrootPrivateKey = obj.pki.privateKeyFromPem(rootPrivateKey);
xroot.sign(xrootPrivateKey, obj.forge.md.sha384.create()); xroot.sign(xrootPrivateKey, obj.forge.md.sha384.create());
r.root.cert = obj.pki.certificateToPem(xroot); r.root.cert = obj.pki.certificateToPem(xroot);
@ -441,42 +449,45 @@ module.exports.CertificateOperations = function (parent) {
// If web certificate exist, load it as default. This is useful for agent-only port. Load both certificate and private key // If web certificate exist, load it as default. This is useful for agent-only port. Load both certificate and private key
if (obj.fileExists('webserver-cert-public.crt') && obj.fileExists('webserver-cert-private.key')) { if (obj.fileExists('webserver-cert-public.crt') && obj.fileExists('webserver-cert-private.key')) {
r.webdefault = { cert: obj.fileLoad('webserver-cert-public.crt', 'utf8'), key: obj.fileLoad('webserver-cert-private.key', 'utf8') }; r.webdefault = { cert: obj.fileLoad('webserver-cert-public.crt', 'utf8'), key: obj.fileLoad('webserver-cert-private.key', 'utf8') };
if (obj.checkCertificate(r.webdefault.cert, r.webdefault.key) == false) { delete r.webdefault; }
} }
if (args.tlsoffload) { if (args.tlsoffload) {
// If the web certificate already exist, load it. Load just the certificate since we are in TLS offload situation // If the web certificate already exist, load it. Load just the certificate since we are in TLS offload situation
if (obj.fileExists('webserver-cert-public.crt')) { if (obj.fileExists('webserver-cert-public.crt')) {
r.web = { cert: obj.fileLoad('webserver-cert-public.crt', 'utf8') }; r.web = { cert: obj.fileLoad('webserver-cert-public.crt', 'utf8') };
rcount++; if (obj.checkCertificate(r.web.cert, null) == false) { delete r.web; } else { rcount++; }
} }
} else { } else {
// If the web certificate already exist, load it. Load both certificate and private key // If the web certificate already exist, load it. Load both certificate and private key
if (obj.fileExists('webserver-cert-public.crt') && obj.fileExists('webserver-cert-private.key')) { if (obj.fileExists('webserver-cert-public.crt') && obj.fileExists('webserver-cert-private.key')) {
r.web = { cert: obj.fileLoad('webserver-cert-public.crt', 'utf8'), key: obj.fileLoad('webserver-cert-private.key', 'utf8') }; r.web = { cert: obj.fileLoad('webserver-cert-public.crt', 'utf8'), key: obj.fileLoad('webserver-cert-private.key', 'utf8') };
rcount++; if (obj.checkCertificate(r.web.cert, r.web.key) == false) { delete r.web; } else { rcount++; }
} }
} }
// If the mps certificate already exist, load it // If the mps certificate already exist, load it
if (obj.fileExists('mpsserver-cert-public.crt') && obj.fileExists('mpsserver-cert-private.key')) { if (obj.fileExists('mpsserver-cert-public.crt') && obj.fileExists('mpsserver-cert-private.key')) {
r.mps = { cert: obj.fileLoad('mpsserver-cert-public.crt', 'utf8'), key: obj.fileLoad('mpsserver-cert-private.key', 'utf8') }; r.mps = { cert: obj.fileLoad('mpsserver-cert-public.crt', 'utf8'), key: obj.fileLoad('mpsserver-cert-private.key', 'utf8') };
rcount++; if (obj.checkCertificate(r.mps.cert, r.mps.key) == false) { delete r.mps; } else { rcount++; }
} }
// If the agent certificate already exist, load it // If the agent certificate already exist, load it
if (obj.fileExists("agentserver-cert-public.crt") && obj.fileExists("agentserver-cert-private.key")) { if (obj.fileExists("agentserver-cert-public.crt") && obj.fileExists("agentserver-cert-private.key")) {
r.agent = { cert: obj.fileLoad("agentserver-cert-public.crt", 'utf8'), key: obj.fileLoad("agentserver-cert-private.key", 'utf8') }; r.agent = { cert: obj.fileLoad("agentserver-cert-public.crt", 'utf8'), key: obj.fileLoad("agentserver-cert-private.key", 'utf8') };
rcount++; if (obj.checkCertificate(r.agent.cert, r.agent.key) == false) { delete r.agent; } else { rcount++; }
} }
// If the swarm server certificate exist, load it (This is an optional certificate) // If the swarm server certificate exist, load it (This is an optional certificate)
if (obj.fileExists('swarmserver-cert-public.crt') && obj.fileExists('swarmserver-cert-private.key')) { if (obj.fileExists('swarmserver-cert-public.crt') && obj.fileExists('swarmserver-cert-private.key')) {
r.swarmserver = { cert: obj.fileLoad('swarmserver-cert-public.crt', 'utf8'), key: obj.fileLoad('swarmserver-cert-private.key', 'utf8') }; r.swarmserver = { cert: obj.fileLoad('swarmserver-cert-public.crt', 'utf8'), key: obj.fileLoad('swarmserver-cert-private.key', 'utf8') };
if (obj.checkCertificate(r.swarmserver.cert, r.swarmserver.key) == false) { delete r.swarmserver; }
} }
// If the swarm server root certificate exist, load it (This is an optional certificate) // If the swarm server root certificate exist, load it (This is an optional certificate)
if (obj.fileExists('swarmserverroot-cert-public.crt')) { if (obj.fileExists('swarmserverroot-cert-public.crt')) {
r.swarmserverroot = { cert: obj.fileLoad('swarmserverroot-cert-public.crt', 'utf8') }; r.swarmserverroot = { cert: obj.fileLoad('swarmserverroot-cert-public.crt', 'utf8') };
if (obj.checkCertificate(r.swarmserverroot.cert, null) == false) { delete r.swarmserverroot; }
} }
// If CA certificates are present, load them // If CA certificates are present, load them