MeshCentral now generates a code-signing certificate.

This commit is contained in:
Ylian Saint-Hilaire 2022-05-25 11:05:53 -07:00
parent 1188f0711f
commit 504941d1e4

View File

@ -714,6 +714,10 @@ module.exports.CertificateOperations = function (parent) {
extensions.push({ name: 'subjectAltName', altNames: altNames });
}
if (extKeyUsage.codeSign === true) {
extensions = [{ name: 'basicConstraints', cA: false }, { name: 'keyUsage', keyCertSign: false, digitalSignature: true, nonRepudiation: false, keyEncipherment: false, dataEncipherment: false }, { name: 'extKeyUsage', codeSigning: true }, { name: "subjectKeyIdentifier" }];
}
cert.setExtensions(extensions);
cert.sign(rootcert.key, obj.forge.md.sha384.create());
@ -780,7 +784,7 @@ module.exports.CertificateOperations = function (parent) {
var certargs = args.cert;
var mpscertargs = args.mpscert;
var strongCertificate = (args.fastcert ? false : true);
var rcountmax = 4;
var rcountmax = 5;
var caindex = 1;
var caok = false;
var calist = [];
@ -847,6 +851,12 @@ module.exports.CertificateOperations = function (parent) {
if (obj.checkCertificate(r.agent.cert, r.agent.key) == false) { delete r.agent; } else { rcount++; }
}
// If the code signing certificate already exist, load it
if (obj.fileExists("codesign-cert-public.crt") && obj.fileExists("codesign-cert-private.key")) {
r.codesign = { cert: obj.fileLoad("codesign-cert-public.crt", 'utf8'), key: obj.decryptPrivateKey(obj.fileLoad("codesign-cert-private.key", 'utf8')) };
if (obj.checkCertificate(r.codesign.cert, r.codesign.key) == false) { delete r.codesign; } else { rcount++; }
}
// If the swarm server certificate exist, load it (This is an optional certificate)
if (obj.fileExists('swarmserver-cert-public.crt') && obj.fileExists('swarmserver-cert-private.key')) {
r.swarmserver = { cert: obj.fileLoad('swarmserver-cert-public.crt', 'utf8'), key: obj.decryptPrivateKey(obj.fileLoad('swarmserver-cert-private.key', 'utf8')) };
@ -1047,6 +1057,22 @@ module.exports.CertificateOperations = function (parent) {
agentPrivateKey = r.agent.key;
}
// If the code signing certificate does not exist, create one
var codesignCertAndKey, codesignCertificate, codesignPrivateKey;
if (r.codesign == null) {
console.log("Generating code signing certificate...");
codesignCertAndKey = obj.IssueWebServerCertificate(rootCertAndKey, true, commonName, country, organization, { codeSign: true }, strongCertificate);
codesignCertificate = obj.pki.certificateToPem(codesignCertAndKey.cert);
codesignPrivateKey = obj.pki.privateKeyToPem(codesignCertAndKey.key);
obj.fs.writeFileSync(parent.getConfigFilePath('codesign-cert-public.crt'), codesignCertificate);
obj.fs.writeFileSync(parent.getConfigFilePath('codesign-cert-private.key'), codesignPrivateKey);
} else {
// Keep the code signing certificate we have
codesignCertAndKey = { cert: obj.pki.certificateFromPem(r.codesign.cert), key: obj.pki.privateKeyFromPem(r.codesign.key) };
codesignCertificate = r.codesign.cert;
codesignPrivateKey = r.codesign.key;
}
// If the Intel AMT MPS certificate does not exist, create one
var mpsCertAndKey, mpsCertificate, mpsPrivateKey;
if ((r.mps == null) || (forceMpsCertGen == 1)) {