mirror of
https://github.com/Ylianst/MeshCentral.git
synced 2025-01-11 15:03:20 -05:00
Intel AMT TLS ACM activation improvements.
This commit is contained in:
parent
5333cb84fb
commit
7d867dae69
@ -2014,7 +2014,7 @@ module.exports.CreateAmtManager = function (parent) {
|
||||
const activationCerts = domain.amtacmactivation.certs;
|
||||
if ((dev.mpsConnection.tag.meiState == null) || (dev.mpsConnection.tag.meiState.Hashes == null) || (dev.mpsConnection.tag.meiState.Hashes.length == 0)) return { err: "Intel AMT did not report any trusted hashes." };
|
||||
const deviceHashes = dev.mpsConnection.tag.meiState.Hashes;
|
||||
|
||||
|
||||
// Get the trusted FQDN of the device
|
||||
var trustedFqdn = null;
|
||||
if (dev.mpsConnection.tag.meiState.OsDnsSuffix != null) { trustedFqdn = dev.mpsConnection.tag.meiState.OsDnsSuffix; }
|
||||
@ -2023,6 +2023,7 @@ module.exports.CreateAmtManager = function (parent) {
|
||||
|
||||
// Find a matching certificate
|
||||
var gotSuffixMatch = false;
|
||||
var devValidHash = false;
|
||||
for (var i in activationCerts) {
|
||||
var cert = activationCerts[i];
|
||||
var certDnsMatch = checkAcmActivationCertName(cert.cn, trustedFqdn);
|
||||
@ -2031,12 +2032,14 @@ module.exports.CreateAmtManager = function (parent) {
|
||||
for (var j in deviceHashes) {
|
||||
var hashInfo = deviceHashes[j];
|
||||
if ((hashInfo != null) && (hashInfo.isActive == 1)) {
|
||||
devValidHash = true;
|
||||
if ((hashInfo.hashAlgorithmStr == 'SHA256') && (hashInfo.certificateHash.toLowerCase() == cert.sha256)) { return { cert: cert, fqdn: trustedFqdn, hash: cert.sha256 }; } // Found a match
|
||||
else if ((hashInfo.hashAlgorithmStr == 'SHA1') && (hashInfo.certificateHash.toLowerCase() == cert.sha1)) { return { cert: cert, fqdn: trustedFqdn, hash: cert.sha1 }; } // Found a match
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if (!devValidHash) { return { err: "Intel AMT has no trusted root hashes for \"" + trustedFqdn + "\"." }; } // Found no trusted root hashes
|
||||
if (gotSuffixMatch) { return { err: "Certificate root hash matching failed for \"" + trustedFqdn + "\"." }; } // Found a DNS suffix match, but root hash failed to match.
|
||||
return { err: "No matching ACM activation certificate for \"" + trustedFqdn + "\"." }; // Did not find a match
|
||||
}
|
||||
@ -2060,7 +2063,6 @@ module.exports.CreateAmtManager = function (parent) {
|
||||
// Get our ACM activation certificate chain
|
||||
var acmTlsInfo = parent.certificateOperations.getAcmCertChain(parent.config.domains[dev.domainid], dev.temp.acminfo.fqdn, dev.temp.acminfo.hash);
|
||||
if (acmTlsInfo.error == 1) { dev.consoleMsg(acmTlsInfo.errorText); removeAmtDevice(dev, 44); return; }
|
||||
acmTlsInfo.certs = acmTlsInfo.certs.reverse(); // Reverse the order of the certificates.
|
||||
dev.acmTlsInfo = acmTlsInfo;
|
||||
|
||||
// Send the MEI command to enable TLS connections
|
||||
@ -2097,7 +2099,7 @@ module.exports.CreateAmtManager = function (parent) {
|
||||
|
||||
// Check if we succesfully connected
|
||||
if (status != 200) {
|
||||
dev.consoleMsg("Failed to perform ACM TLS connection.");
|
||||
dev.consoleMsg("Failed to perform ACM TLS connection, status " + status + ".");
|
||||
//activateIntelAmtAcm(dev); // It's possible to fallback to legacy WSMAN ACM activation here if we needed to..
|
||||
removeAmtDevice(dev);
|
||||
return;
|
||||
|
@ -59,8 +59,7 @@ module.exports.CertificateOperations = function (parent) {
|
||||
var leafcert = obj.IssueWebServerCertificate(rootcert, false, fqdn, 'mc', 'Intel(R) Client Setup Certificate', { serverAuth: true, '2.16.840.1.113741.1.2.3': true }, false);
|
||||
|
||||
// Setup the certificate chain and key
|
||||
//certChain = [ obj.pki.certificateToPem(leafcert.cert), obj.pki.certificateToPem(domain.amtacmactivation.certs[certIndex].rootcert) ];
|
||||
certChain = [ obj.pki.certificateToPem(domain.amtacmactivation.certs[certIndex].rootcert), obj.pki.certificateToPem(leafcert.cert) ];
|
||||
certChain = [ obj.pki.certificateToPem(leafcert.cert), obj.pki.certificateToPem(domain.amtacmactivation.certs[certIndex].rootcert) ];
|
||||
signkey = obj.pki.privateKeyToPem(leafcert.key);
|
||||
} else {
|
||||
// Make sure the cert chain is in PEM format
|
||||
@ -70,7 +69,7 @@ module.exports.CertificateOperations = function (parent) {
|
||||
}
|
||||
|
||||
// Hash the leaf certificate and return the certificate chain and signing key
|
||||
return { action: 'acmactivate', certs: certChain, signkey: signkey, hash384: obj.getCertHash(certChain[certChain.length - 1]), hash256: obj.getCertHashSha256(certChain[certChain.length - 1]) };
|
||||
return { action: 'acmactivate', certs: certChain, signkey: signkey, hash384: obj.getCertHash(certChain[0]), hash256: obj.getCertHashSha256(certChain[0]) };
|
||||
}
|
||||
|
||||
// Sign a Intel AMT ACM activation request
|
||||
|
Loading…
Reference in New Issue
Block a user