From 7d867dae6926c2fea1626c118a81ac7a55b50c17 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Sat, 31 Jul 2021 01:53:07 -0700
Subject: [PATCH] Intel AMT TLS ACM activation improvements.
---
 amtmanager.js | 8 +++++---
 certoperations.js | 5 ++---
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/amtmanager.js b/amtmanager.js
index 1a885190..1affd9e5 100644
--- a/amtmanager.js
+++ b/amtmanager.js
@@ -2014,7 +2014,7 @@ module.exports.CreateAmtManager = function (parent) {
 const activationCerts = domain.amtacmactivation.certs;
 if ((dev.mpsConnection.tag.meiState == null) || (dev.mpsConnection.tag.meiState.Hashes == null) || (dev.mpsConnection.tag.meiState.Hashes.length == 0)) return { err: "Intel AMT did not report any trusted hashes." };
 const deviceHashes = dev.mpsConnection.tag.meiState.Hashes;
-
+ // Get the trusted FQDN of the device
 var trustedFqdn = null;
 if (dev.mpsConnection.tag.meiState.OsDnsSuffix != null) { trustedFqdn = dev.mpsConnection.tag.meiState.OsDnsSuffix; }
@@ -2023,6 +2023,7 @@ module.exports.CreateAmtManager = function (parent) {
 // Find a matching certificate
 var gotSuffixMatch = false;
+ var devValidHash = false;
 for (var i in activationCerts) {
 var cert = activationCerts[i];
 var certDnsMatch = checkAcmActivationCertName(cert.cn, trustedFqdn);
@@ -2031,12 +2032,14 @@ module.exports.CreateAmtManager = function (parent) {
 for (var j in deviceHashes) {
 var hashInfo = deviceHashes[j];
 if ((hashInfo != null) && (hashInfo.isActive == 1)) {
+ devValidHash = true;
 if ((hashInfo.hashAlgorithmStr == 'SHA256') && (hashInfo.certificateHash.toLowerCase() == cert.sha256)) { return { cert: cert, fqdn: trustedFqdn, hash: cert.sha256 }; } // Found a match
 else if ((hashInfo.hashAlgorithmStr == 'SHA1') && (hashInfo.certificateHash.toLowerCase() == cert.sha1)) { return { cert: cert, fqdn: trustedFqdn, hash: cert.sha1 }; } // Found a match
 }
 }
 }
 }
+ if (!devValidHash) { return { err: "Intel AMT has no trusted root hashes for \"" + trustedFqdn + "\"." }; } // Found no trusted root hashes
 if (gotSuffixMatch) { return { err: "Certificate root hash matching failed for \"" + trustedFqdn + "\"." }; } // Found a DNS suffix match, but root hash failed to match.
 return { err: "No matching ACM activation certificate for \"" + trustedFqdn + "\"." }; // Did not find a match
 }
@@ -2060,7 +2063,6 @@ module.exports.CreateAmtManager = function (parent) {
 // Get our ACM activation certificate chain
 var acmTlsInfo = parent.certificateOperations.getAcmCertChain(parent.config.domains[dev.domainid], dev.temp.acminfo.fqdn, dev.temp.acminfo.hash);
 if (acmTlsInfo.error == 1) { dev.consoleMsg(acmTlsInfo.errorText); removeAmtDevice(dev, 44); return; }
- acmTlsInfo.certs = acmTlsInfo.certs.reverse(); // Reverse the order of the certificates.
 dev.acmTlsInfo = acmTlsInfo;
 // Send the MEI command to enable TLS connections
@@ -2097,7 +2099,7 @@ module.exports.CreateAmtManager = function (parent) {
 // Check if we succesfully connected
 if (status != 200) {
- dev.consoleMsg("Failed to perform ACM TLS connection.");
+ dev.consoleMsg("Failed to perform ACM TLS connection, status " + status + ".");
 //activateIntelAmtAcm(dev); // It's possible to fallback to legacy WSMAN ACM activation here if we needed to..
 removeAmtDevice(dev);
 return;
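Review bot: `devValidHash` is only ever set inside the `for (var i in activationCerts)` loop, so when the domain has no activation certificates configured the new check at the bottom of this hunk reports "Intel AMT has no trusted root hashes" even though the device did report active hashes, which misdirects whoever is debugging the failed activation. The flag depends only on `deviceHashes`, and as written it is also recomputed for every certificate. If `Hashes` is an array, as the `.length` check earlier in the function suggests, computing it once where it is declared in the previous hunk, `var devValidHash = deviceHashes.some(function (h) { return (h != null) && (h.isActive == 1); });`, and dropping the assignment inside the inner loop fixes both. The enclosing function starts before this hunk.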
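Review bot: Removing the `reverse()` turns the order of `acmTlsInfo.certs` into an unstated contract between this code and `getAcmCertChain`, which in the certoperations.js hunks at @@ -59 and @@ -70 now builds the chain leaf-first and computes hash384/hash256 over `certChain[0]`. That holds by construction for the chain generated from the domain root certificate, but the `else` branch ("Make sure the cert chain is in PEM format", outside that hunk) appears to pass through a configured chain whose order is not visibly checked; if such a chain were root-first, both the chain presented for the TLS connection and the returned hashes would refer to the root rather than the leaf. I would state the contract at the consumer, `dev.acmTlsInfo = acmTlsInfo; // certs[0] is the leaf certificate, root last; hash384/hash256 are computed over certs[0]`, and have getAcmCertChain either enforce that order for configured chains or document it in its header comment. The function containing these lines starts and ends outside the hunk.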
diff --git a/certoperations.js b/certoperations.js
index 47c0c95d..2e2108c2 100644
--- a/certoperations.js
+++ b/certoperations.js
@@ -59,8 +59,7 @@ module.exports.CertificateOperations = function (parent) {
 var leafcert = obj.IssueWebServerCertificate(rootcert, false, fqdn, 'mc', 'Intel(R) Client Setup Certificate', { serverAuth: true, '2.16.840.1.113741.1.2.3': true }, false);
 // Setup the certificate chain and key
- //certChain = [ obj.pki.certificateToPem(leafcert.cert), obj.pki.certificateToPem(domain.amtacmactivation.certs[certIndex].rootcert) ];
- certChain = [ obj.pki.certificateToPem(domain.amtacmactivation.certs[certIndex].rootcert), obj.pki.certificateToPem(leafcert.cert) ];
+ certChain = [ obj.pki.certificateToPem(leafcert.cert), obj.pki.certificateToPem(domain.amtacmactivation.certs[certIndex].rootcert) ];
 signkey = obj.pki.privateKeyToPem(leafcert.key);
 } else {
 // Make sure the cert chain is in PEM format
@@ -70,7 +69,7 @@ module.exports.CertificateOperations = function (parent) {
 }
 // Hash the leaf certificate and return the certificate chain and signing key
- return { action: 'acmactivate', certs: certChain, signkey: signkey, hash384: obj.getCertHash(certChain[certChain.length - 1]), hash256: obj.getCertHashSha256(certChain[certChain.length - 1]) };
+ return { action: 'acmactivate', certs: certChain, signkey: signkey, hash384: obj.getCertHash(certChain[0]), hash256: obj.getCertHashSha256(certChain[0]) };
 }
 // Sign a Intel AMT ACM activation request