MyFavMirrors/MeshCentral
1
0
Fork 0
mirror of https://github.com/Ylianst/MeshCentral.git synced 2025-04-16 08:58:07 -04:00
Code Issues Packages Projects Releases Wiki Activity

Intel AMT TLS ACM activation improvements.

Browse Source
This commit is contained in:
Ylian Saint-Hilaire 2021-07-31 01:53:07 -07:00
parent 5333cb84fb
commit 7d867dae69
2 changed files with 7 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
amtmanager.js
View File

@ -2023,6 +2023,7 @@ module.exports.CreateAmtManager = function (parent) {
// Find a matching certificate // Find a matching certificate
var gotSuffixMatch = false; var gotSuffixMatch = false;
var devValidHash = false;
for (var i in activationCerts) { for (var i in activationCerts) {
var cert = activationCerts[i]; var cert = activationCerts[i];
var certDnsMatch = checkAcmActivationCertName(cert.cn, trustedFqdn); var certDnsMatch = checkAcmActivationCertName(cert.cn, trustedFqdn);
@ -2031,12 +2032,14 @@ module.exports.CreateAmtManager = function (parent) {
for (var j in deviceHashes) { for (var j in deviceHashes) {
var hashInfo = deviceHashes[j]; var hashInfo = deviceHashes[j];
if ((hashInfo != null) && (hashInfo.isActive == 1)) { if ((hashInfo != null) && (hashInfo.isActive == 1)) {
devValidHash = true;
if ((hashInfo.hashAlgorithmStr == 'SHA256') && (hashInfo.certificateHash.toLowerCase() == cert.sha256)) { return { cert: cert, fqdn: trustedFqdn, hash: cert.sha256 }; } // Found a match if ((hashInfo.hashAlgorithmStr == 'SHA256') && (hashInfo.certificateHash.toLowerCase() == cert.sha256)) { return { cert: cert, fqdn: trustedFqdn, hash: cert.sha256 }; } // Found a match
else if ((hashInfo.hashAlgorithmStr == 'SHA1') && (hashInfo.certificateHash.toLowerCase() == cert.sha1)) { return { cert: cert, fqdn: trustedFqdn, hash: cert.sha1 }; } // Found a match else if ((hashInfo.hashAlgorithmStr == 'SHA1') && (hashInfo.certificateHash.toLowerCase() == cert.sha1)) { return { cert: cert, fqdn: trustedFqdn, hash: cert.sha1 }; } // Found a match
} }
} }
} }
} }
if (!devValidHash) { return { err: "Intel AMT has no trusted root hashes for \"" + trustedFqdn + "\"." }; } // Found no trusted root hashes
if (gotSuffixMatch) { return { err: "Certificate root hash matching failed for \"" + trustedFqdn + "\"." }; } // Found a DNS suffix match, but root hash failed to match. if (gotSuffixMatch) { return { err: "Certificate root hash matching failed for \"" + trustedFqdn + "\"." }; } // Found a DNS suffix match, but root hash failed to match.
return { err: "No matching ACM activation certificate for \"" + trustedFqdn + "\"." }; // Did not find a match return { err: "No matching ACM activation certificate for \"" + trustedFqdn + "\"." }; // Did not find a match
} }
@ -2060,7 +2063,6 @@ module.exports.CreateAmtManager = function (parent) {
// Get our ACM activation certificate chain // Get our ACM activation certificate chain
var acmTlsInfo = parent.certificateOperations.getAcmCertChain(parent.config.domains[dev.domainid], dev.temp.acminfo.fqdn, dev.temp.acminfo.hash); var acmTlsInfo = parent.certificateOperations.getAcmCertChain(parent.config.domains[dev.domainid], dev.temp.acminfo.fqdn, dev.temp.acminfo.hash);
if (acmTlsInfo.error == 1) { dev.consoleMsg(acmTlsInfo.errorText); removeAmtDevice(dev, 44); return; } if (acmTlsInfo.error == 1) { dev.consoleMsg(acmTlsInfo.errorText); removeAmtDevice(dev, 44); return; }
acmTlsInfo.certs = acmTlsInfo.certs.reverse(); // Reverse the order of the certificates.
dev.acmTlsInfo = acmTlsInfo; dev.acmTlsInfo = acmTlsInfo;
// Send the MEI command to enable TLS connections // Send the MEI command to enable TLS connections
@ -2097,7 +2099,7 @@ module.exports.CreateAmtManager = function (parent) {
// Check if we succesfully connected // Check if we succesfully connected
if (status != 200) { if (status != 200) {
dev.consoleMsg("Failed to perform ACM TLS connection."); dev.consoleMsg("Failed to perform ACM TLS connection, status " + status + ".");
//activateIntelAmtAcm(dev); // It's possible to fallback to legacy WSMAN ACM activation here if we needed to.. //activateIntelAmtAcm(dev); // It's possible to fallback to legacy WSMAN ACM activation here if we needed to..
removeAmtDevice(dev); removeAmtDevice(dev);
return; return;

5
certoperations.js
View File

@ -59,8 +59,7 @@ module.exports.CertificateOperations = function (parent) {
var leafcert = obj.IssueWebServerCertificate(rootcert, false, fqdn, 'mc', 'Intel(R) Client Setup Certificate', { serverAuth: true, '2.16.840.1.113741.1.2.3': true }, false); var leafcert = obj.IssueWebServerCertificate(rootcert, false, fqdn, 'mc', 'Intel(R) Client Setup Certificate', { serverAuth: true, '2.16.840.1.113741.1.2.3': true }, false);
// Setup the certificate chain and key // Setup the certificate chain and key
//certChain = [ obj.pki.certificateToPem(leafcert.cert), obj.pki.certificateToPem(domain.amtacmactivation.certs[certIndex].rootcert) ]; certChain = [ obj.pki.certificateToPem(leafcert.cert), obj.pki.certificateToPem(domain.amtacmactivation.certs[certIndex].rootcert) ];
certChain = [ obj.pki.certificateToPem(domain.amtacmactivation.certs[certIndex].rootcert), obj.pki.certificateToPem(leafcert.cert) ];
signkey = obj.pki.privateKeyToPem(leafcert.key); signkey = obj.pki.privateKeyToPem(leafcert.key);
} else { } else {
// Make sure the cert chain is in PEM format // Make sure the cert chain is in PEM format
@ -70,7 +69,7 @@ module.exports.CertificateOperations = function (parent) {
} }
// Hash the leaf certificate and return the certificate chain and signing key // Hash the leaf certificate and return the certificate chain and signing key
return { action: 'acmactivate', certs: certChain, signkey: signkey, hash384: obj.getCertHash(certChain[certChain.length - 1]), hash256: obj.getCertHashSha256(certChain[certChain.length - 1]) }; return { action: 'acmactivate', certs: certChain, signkey: signkey, hash384: obj.getCertHash(certChain[0]), hash256: obj.getCertHashSha256(certChain[0]) };
} }
// Sign a Intel AMT ACM activation request // Sign a Intel AMT ACM activation request