Added code to skip the agent code signing certificate if missing and getting certs from database or vault (#4299)

2022-07-21 17:17:08 -07:00 · 2022-07-21 17:17:08 -07:00 · 3dd8531ef9
parent 46e511ef95
commit 3dd8531ef9
2 changed files with 10 additions and 3 deletions
--- a/certoperations.js
+++ b/certoperations.js
@ -855,6 +855,9 @@ module.exports.CertificateOperations = function (parent) {
        if (obj.fileExists("codesign-cert-public.crt") && obj.fileExists("codesign-cert-private.key")) {
            r.codesign = { cert: obj.fileLoad("codesign-cert-public.crt", 'utf8'), key: obj.decryptPrivateKey(obj.fileLoad("codesign-cert-private.key", 'utf8')) };
            if (obj.checkCertificate(r.codesign.cert, r.codesign.key) == false) { delete r.codesign; } else { rcount++; }
+        } else {
+            // If we are reading certificates from a database or vault and are just missing the code signing cert, skip it.
+            if (parent.configurationFiles != null) { rcount++; }
        }

        // If the swarm server certificate exist, load it (This is an optional certificate)
@ -969,6 +972,7 @@ module.exports.CertificateOperations = function (parent) {
            }
        }

+        // If we have all the certificates we need, stop here.
        if (rcount === rcountmax) {
            if ((certargs == null) && (mpscertargs == null)) { if (func != undefined) { func(r); } return r; } // If no certificate arguments are given, keep the certificate
            var xcountry, xcountryField = webCertificate.subject.getField('C');
--- a/webserver.js
+++ b/webserver.js
@ -896,9 +896,10 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
                        var origin = 'https://' + (domain.dns ? domain.dns : parent.certificates.CommonName);
                        if (httpport != 443) { origin += ':' + httpport; }

-                        const sec = parent.decryptSessionData(req.session.e);
+                        var u2fchallenge = null;
+                        if ((req.session != null) && (req.session.e != null)) { const sec = parent.decryptSessionData(req.session.e); if (sec != null) { u2fchallenge = sec.u2f; } }
                        var assertionExpectations = {
-                            challenge: sec.u2f,
+                            challenge: u2fchallenge,
                            origin: origin,
                            factor: 'either',
                            fmt: 'fido-u2f',
@ -978,6 +979,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
    // Return a U2F hardware key challenge
    function getHardwareKeyChallenge(req, domain, user, func) {
        delete req.session.u2f;
+        if (req.session = null) { req.session = {}; }
        const sec = parent.decryptSessionData(req.session.e);

        if (user.otphkeys && (user.otphkeys.length > 0)) {
@ -1015,6 +1017,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
        if (domain == null) { return; }
        if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
        if (req.body == null) { res.sendStatus(404); return; } // Post body is empty or can't be parsed
+        if (req.session == null) { req.session = {}; }

        // Check if this is a banned ip address
        if (obj.checkAllowLogin(req) == false) {
@ -3019,7 +3022,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF

        // Encrypt the hardware key challenge state if needed
        var hwstate = null;
-        if (hardwareKeyChallenge) {
+        if (hardwareKeyChallenge && req.session) {
            const sec = parent.decryptSessionData(req.session.e);
            hwstate = obj.parent.encodeCookie({ u: sec.tuser, p: sec.tpass, c: sec.u2f }, obj.parent.loginCookieEncryptionKey)
        }