New Intel AMT ACM activation with MeshCMD
This commit is contained in:
parent
1aae4e2616
commit
9fe71f8842
Binary file not shown.
Binary file not shown.
|
@ -498,9 +498,10 @@ function run(argv) {
|
||||||
activeToCCM();
|
activeToCCM();
|
||||||
} else if (settings.action == 'amtacm') {
|
} else if (settings.action == 'amtacm') {
|
||||||
// Start activation to ACM
|
// Start activation to ACM
|
||||||
if ((settings.wss == null) || (typeof settings.wss != 'string') || (settings.wss == '')) { console.log('No or invalid \"server name\" specified, use --wss [servername:port].'); exit(1); return; }
|
if ((settings.wss == null) || (typeof settings.wss != 'string') || (settings.wss == '')) { console.log('No server URL specified, use --wss [url].'); exit(1); return; }
|
||||||
if ((settings.profile == null) || (typeof settings.profile != 'string') || (settings.profile == '')) { console.log('No or invalid \"profile name\" specified, use --profile [name].'); exit(1); return; }
|
//if ((settings.profile == null) || (typeof settings.profile != 'string') || (settings.profile == '')) { console.log('No or invalid \"profile name\" specified, use --profile [name].'); exit(1); return; }
|
||||||
settings.protocol = 'http:';
|
if ((typeof settings.profile != 'string') || (settings.profile == '')) { settings.profile = null; }
|
||||||
|
//settings.protocol = 'http:';
|
||||||
settings.localport = 16992;
|
settings.localport = 16992;
|
||||||
debug(1, "Settings: " + JSON.stringify(settings));
|
debug(1, "Settings: " + JSON.stringify(settings));
|
||||||
activeToACM();
|
activeToACM();
|
||||||
|
@ -848,37 +849,45 @@ function deactivateACMEx() {
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
//
|
||||||
|
// Get Intel AMT activation hashes
|
||||||
|
//
|
||||||
|
|
||||||
|
var trustedHashes = null;
|
||||||
|
function getTrustedHashes(amtMei, func, tag) {
|
||||||
|
console.log('getTrustedHashes');
|
||||||
|
if (trustedHashes != null) { func(tag); }
|
||||||
|
trustedHashes = [];
|
||||||
|
amtMei.getHashHandles(function (handles) {
|
||||||
|
var exitOnCount = handles.length;
|
||||||
|
for (var i = 0; i < handles.length; ++i) {
|
||||||
|
this.getCertHashEntry(handles[i], function (result) {
|
||||||
|
if (result.isActive == 1) { trustedHashes.push(result.certificateHash.toLowerCase()); }
|
||||||
|
if (--exitOnCount == 0) { func(tag); }
|
||||||
|
});
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
//
|
//
|
||||||
// Activate Intel AMT to ACM
|
// Activate Intel AMT to ACM
|
||||||
//
|
//
|
||||||
|
|
||||||
function activeToACM() {
|
function activeToACM() {
|
||||||
// See if MicroLMS needs to be started and setup the $$OsAdmin wsman stack
|
console.log('Starting Intel AMT provisioning to Admin Control Mode (ACM) attempt...');
|
||||||
console.log('Starting AMT Provisioning to Admin Control Mode.');
|
|
||||||
settings.noconsole = true;
|
settings.noconsole = true;
|
||||||
|
|
||||||
// Display Intel AMT version and activation state
|
// Display Intel AMT version and activation state
|
||||||
mestate = {};
|
mestate = {};
|
||||||
var amtMeiModule, amtMei;
|
var amtMeiModule, amtMei;
|
||||||
try { amtMeiModule = require('amt-mei'); amtMei = new amtMeiModule(); } catch (ex) { console.log(ex); exit(1); return; }
|
try { amtMeiModule = require('amt-mei'); amtMei = new amtMeiModule(); } catch (ex) { console.log(ex); exit(1); return; }
|
||||||
amtMei.on('error', function (e) { console.log('ERROR: ' + e); exit(1); return; });
|
amtMei.on('error', function (e) { console.log('ERROR: ' + e); exit(1); return; });
|
||||||
amtMei.getProvisioningState(function (result) {
|
amtMei.getProvisioningState(function (result) { if (result) { mestate.ProvisioningState = result; } });
|
||||||
if (result) {
|
|
||||||
mestate.ProvisioningState = result;
|
|
||||||
startLms(getFwNonce); // TODO: Fix this so that it works even if LMS already running.
|
|
||||||
}
|
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
// Gets the FWNonce from AMT and saves it to a file.
|
|
||||||
function getFwNonce() {
|
|
||||||
osamtstack.BatchEnum(null, ['*AMT_GeneralSettings', '*IPS_HostBasedSetupService'], function (stack, name, responses, status) {
|
|
||||||
var fwNonce = responses['IPS_HostBasedSetupService'].response['ConfigurationNonce'];
|
|
||||||
var digestRealm = responses['AMT_GeneralSettings'].response['DigestRealm'];
|
|
||||||
var amtMeiModule, amtMei, str;
|
|
||||||
try { amtMeiModule = require('amt-mei'); amtMei = new amtMeiModule(); } catch (ex) { console.log(ex); exit(1); return; }
|
|
||||||
amtMei.getLanInterfaceSettings(0, function (result) { if (result) { mestate.net0 = result; } });
|
amtMei.getLanInterfaceSettings(0, function (result) { if (result) { mestate.net0 = result; } });
|
||||||
|
amtMei.getUuid(function (result) { if ((result != null) && (result.uuid != null)) { mestate.uuid = result.uuid; } });
|
||||||
amtMei.getDnsSuffix(function (result) {
|
amtMei.getDnsSuffix(function (result) {
|
||||||
|
if (mestate.ProvisioningState.state !== 0) { console.log("Intel AMT is not in pre-provisioning state: " + mestate.ProvisioningState.stateStr); exit(100); return; }
|
||||||
|
if (mestate.uuid == null) { console.log("Unable to get Intel AMT UUID."); exit(100); return; }
|
||||||
var fqdn = null;
|
var fqdn = null;
|
||||||
if ((mestate.net0 == null) && (meinfo.net0.enabled != 0)) { console.log("No Intel AMT wired interface, can't perform ACM activation."); exit(100); return; }
|
if ((mestate.net0 == null) && (meinfo.net0.enabled != 0)) { console.log("No Intel AMT wired interface, can't perform ACM activation."); exit(100); return; }
|
||||||
if (result) { fqdn = result; } // If Intel AMT has a trusted DNS suffix set, use that one.
|
if (result) { fqdn = result; } // If Intel AMT has a trusted DNS suffix set, use that one.
|
||||||
|
@ -892,145 +901,93 @@ function getFwNonce() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (fqdn != null) {
|
if (fqdn != null) {
|
||||||
activeToACMEx(fwNonce, fqdn, digestRealm);
|
settings.fqdn = fqdn;
|
||||||
|
settings.uuid = mestate.uuid;
|
||||||
|
getTrustedHashes(amtMei, function () { startLms(getFwNonce, amtMei); });
|
||||||
} else {
|
} else {
|
||||||
console.log("Trusted DNS suffix not set, can't perform ACM activation."); exit(100); return;
|
console.log("Trusted DNS suffix not set, can't perform ACM activation."); exit(100); return;
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
});
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Sends a message to RCS server using RCS Message Protocol
|
// Gets the FWNonce from AMT and saves it to a file.
|
||||||
function sendRCSMessage(socket, status, event, message) {
|
function getFwNonce() {
|
||||||
//console.log('Status: ' + status + '. Event: ' + event + '. Message: ' + message);
|
|
||||||
if (socket !== null) { socket.write({ "status": status, "event": event, "data": message }); }
|
|
||||||
}
|
|
||||||
|
|
||||||
function activeToACMEx(fwNonce, dnsSuffix, digestRealm) {
|
|
||||||
// open connection to RCS
|
|
||||||
console.log('Initializing WebSocket...');
|
|
||||||
// Establish WebSocket connection to RCS server
|
|
||||||
var connection = http.request(settings.wss);
|
|
||||||
connection.on('upgrade', function (response, socket) {
|
|
||||||
// WebSocket is up. Handle data on the duplex socket
|
|
||||||
socket.on('data', function (data) {
|
|
||||||
// All messages from RCS are JSON.stringify format and need to be parsed
|
|
||||||
var message = JSON.parse(data);
|
|
||||||
// Check RCS Message Protocol version. Exit if version not supported
|
|
||||||
if (message.version > RCSMessageProtocolVersion) { console.log('Unsupported RCS server.'); socket.end(); exit(0) }
|
|
||||||
// Handle the AMT provisioning certificate blob (contains provisioning certificate, mcnonce, digital signature and password hash)
|
|
||||||
if (message.data.provCertObj !== undefined) {
|
|
||||||
activeToACMEx1(message.data, function (stack, name, responses, status, message) {
|
|
||||||
if (status !== 200) {
|
|
||||||
if (status == 2) {
|
|
||||||
console.log('AMT already provisioned.Exiting ' + status);
|
|
||||||
sendRCSMessage(socket, "error", "finish", "failed with status: " + status);
|
|
||||||
} else {
|
|
||||||
console.log('Failed to fetch activation status, status ' + status);
|
|
||||||
sendRCSMessage(socket, "error", "finish", "failed with status: " + status);
|
|
||||||
}
|
|
||||||
socket.end();
|
|
||||||
exit(status);
|
|
||||||
} else if (responses['IPS_HostBasedSetupService'].response['AllowedControlModes'].length != 2) {
|
|
||||||
console.log('Admin control mode activation not allowed');
|
|
||||||
sendRCSMessage(socket, "error", "finish", "failed with message: Admin control mode activation not allowed");
|
|
||||||
socket.end();
|
|
||||||
exit(status);
|
|
||||||
} else {
|
|
||||||
activeToACMEx2(message, function (stack, name, responses, status, message) {
|
|
||||||
if (status != 200) {
|
|
||||||
console.log('Failed to activate, status ' + status);
|
|
||||||
sendRCSMessage(socket, "error", "finish", "failed to activate. Status: " + status);
|
|
||||||
} else if (responses.Body.ReturnValue != 0) {
|
|
||||||
console.log('Admin control mode activation failed: ' + responses.Body.ReturnValueStr);
|
|
||||||
sendRCSMessage(socket, "error", "finish", "failed to activate: " + responses.Body.ReturnValueStr);
|
|
||||||
} else {
|
|
||||||
if (message.profileScript !== null) {
|
|
||||||
console.log("Running MEScript...");
|
|
||||||
settings.scriptjson = message.profileScript;
|
|
||||||
settings.password = message.amtPassword
|
|
||||||
settings.username = 'admin';
|
|
||||||
startMeScriptEx(function () {
|
|
||||||
console.log('AMT Profile applied');
|
|
||||||
sendRCSMessage(socket, "ok", "finish", "success");
|
|
||||||
socket.end();
|
|
||||||
exit(0);
|
|
||||||
}, stack);
|
|
||||||
} else {
|
|
||||||
sendRCSMessage(socket, "ok", "finish", "success");
|
|
||||||
socket.end();
|
|
||||||
exit(0);
|
|
||||||
}
|
|
||||||
console.log('AMT Provisioning Success');
|
|
||||||
}
|
|
||||||
//socket.end();
|
|
||||||
//exit(status);
|
|
||||||
});
|
|
||||||
}
|
|
||||||
});
|
|
||||||
}
|
|
||||||
if (message.event.toString() == "cmd" && message.data.toString() == "acmready") {
|
|
||||||
sendRCSMessage(socket, "ok", "message", JSON.stringify(fwNonce));
|
|
||||||
}
|
|
||||||
});
|
|
||||||
socket.on('end', function () { console.log('WebSocket closed'); });
|
|
||||||
sendRCSMessage(socket, "ok", "cmd", { "cmd": "acm", "dnssuffix": dnsSuffix, "profile": settings.profile, 'digestrealm': digestRealm, 'fwnonce': fwNonce });
|
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
// Detects AMT provisioning state and injects the certificate chain into AMT firmware
|
|
||||||
function activeToACMEx1(data, callback) {
|
|
||||||
if (mestate.ProvisioningState.state == 0) {
|
|
||||||
console.log('Performing ACM provisioning...');
|
|
||||||
// Perform full provisioning -- AMT was fully unprovisioned
|
|
||||||
injectCert(0, data, function (stack, name, responses, status, data) {
|
|
||||||
if (status !== 200) { exit(status); return; }
|
|
||||||
else if (responses['Body']['ReturnValue'] !== 0) { exit(responses['Body']['ReturnValueStr']); return; }
|
|
||||||
else if (responses['Body']['ReturnValue'] == 0) {
|
|
||||||
osamtstack.BatchEnum(null, ['*AMT_GeneralSettings', '*IPS_HostBasedSetupService'], function (stack, name, responses, status) {
|
osamtstack.BatchEnum(null, ['*AMT_GeneralSettings', '*IPS_HostBasedSetupService'], function (stack, name, responses, status) {
|
||||||
callback(stack, name, responses, status, data);
|
if (status != 200) { console.log("Unable to get firmware activation nonce, status=" + status); exit(100); return; }
|
||||||
|
var fwNonce = responses['IPS_HostBasedSetupService'].response['ConfigurationNonce'];
|
||||||
|
var digestRealm = responses['AMT_GeneralSettings'].response['DigestRealm'];
|
||||||
|
activeToACMEx(fwNonce, settings.fqdn, digestRealm, settings.uuid);
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
});
|
|
||||||
} else if (mestate.ProvisioningState.state == 1) {
|
// Connect to the activation server and perform ACM activation
|
||||||
// Perform partial provisioning -- AMT was partial unprovisioned
|
function activeToACMEx(fwNonce, dnsSuffix, digestRealm, uuid) {
|
||||||
// Currently not functional due to limitations in the HW.
|
console.log('FQDN: ' + dnsSuffix);
|
||||||
console.log('Partial provisioning flow currently not available.');
|
console.log('UUID: ' + uuid);
|
||||||
exit(0);
|
console.log('Realm: ' + digestRealm);
|
||||||
//osamtstack.BatchEnum(null, ['*AMT_GeneralSettings', '*IPS_HostBasedSetupService'], activeToACMEx2);
|
console.log('Nonce: ' + fwNonce);
|
||||||
|
console.log('Connecting to ' + settings.wss);
|
||||||
|
|
||||||
|
// Establish WebSocket connection to activation server
|
||||||
|
var options = http.parseUri(settings.wss);
|
||||||
|
options.checkServerIdentity = function (clientName, certs) { }; // TODO
|
||||||
|
options.rejectUnauthorized = false;
|
||||||
|
var connection = http.request(options);
|
||||||
|
connection.on('upgrade', function (response, socket) {
|
||||||
|
console.log('Connected, requesting activation...');
|
||||||
|
socket.on('end', function () { console.log('Connection closed'); exit(0); });
|
||||||
|
socket.on('error', function () { console.log('Connection error'); exit(100); });
|
||||||
|
socket.on('data', function (data) {
|
||||||
|
// Parse and check the response
|
||||||
|
var cmd = null;
|
||||||
|
try { cmd = JSON.parse(data); } catch (ex) { console.log('Unable to parse server response: ' + data); exit(100); return; }
|
||||||
|
if (typeof cmd != 'object') { console.log('Invalid server response: ' + cmd); exit(100); return; }
|
||||||
|
if (typeof cmd.errorText == 'string') { console.log('Server error: ' + cmd.errorText); exit(100); return; }
|
||||||
|
if (cmd.action != 'acmactivate') { console.log('Invalid server response, command: ' + cmd.cmd); exit(100); return; }
|
||||||
|
if (typeof cmd.signature != 'string') { console.log('Invalid server signature'); exit(100); return; }
|
||||||
|
if (typeof cmd.password != 'string') { console.log('Invalid server password'); exit(100); return; }
|
||||||
|
if (typeof cmd.nonce != 'string') { console.log('Invalid server nonce'); exit(100); return; }
|
||||||
|
if (typeof cmd.certs != 'object') { console.log('Invalid server certificates'); exit(100); return; }
|
||||||
|
|
||||||
|
// We are ready to go, perform activation.
|
||||||
|
cmd.index = 0;
|
||||||
|
performAcmActivation(cmd, function (result) {
|
||||||
|
if (result == false) {
|
||||||
|
console.log('Intel AMT ACM activation failed.');
|
||||||
} else {
|
} else {
|
||||||
// AMT already provisioned
|
if ((cmd.profileScript !== null) && (cmd.rawpassword != null)) {
|
||||||
callback(null, null, null, 2, 'AMT already provisioned. Exiting')
|
console.log("Intel AMT ACM activation success, applying profile...");
|
||||||
|
settings.scriptjson = cmd.profileScript;
|
||||||
|
settings.password = cmd.rawpassword; // TODO: This is only going to work if the server sends the raw password??
|
||||||
|
settings.username = 'admin';
|
||||||
|
startMeScriptEx(function () { console.log('Intel AMT profile applied.'); socket.end(); exit(0); }, stack);
|
||||||
|
} else {
|
||||||
|
console.log('Intel AMT ACM activation success.');
|
||||||
|
socket.end();
|
||||||
exit(0);
|
exit(0);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Recursive function to inject the provisioning certificates into AMT in the proper order
|
|
||||||
function injectCert(index, cert, callback, stack, name, responses, status) {
|
|
||||||
var leaf = false;
|
|
||||||
var root = false;
|
|
||||||
if (index == 0) { leaf = true; }
|
|
||||||
if (index == cert.provCertObj.certChain.length - 1) { root = true; }
|
|
||||||
if (index < cert.provCertObj.certChain.length) {
|
|
||||||
if (cert.provCertObj.certChain[index] !== undefined) {
|
|
||||||
osamtstack.IPS_HostBasedSetupService_AddNextCertInChain(cert.provCertObj.certChain[index], leaf, root, function (stack, name, responses, status) {
|
|
||||||
if (status !== 200) { exit(status); return; }
|
|
||||||
else if (responses['Body']['ReturnValue'] !== 0) { exit(responses['Body']['ReturnValueStr']); return; }
|
|
||||||
else if (responses['Body']['ReturnValue'] == 0) {
|
|
||||||
index++;
|
|
||||||
injectCert(index, cert, callback, stack, name, responses, status);
|
|
||||||
}
|
|
||||||
});
|
});
|
||||||
}
|
});
|
||||||
} else { callback(stack, name, responses, status, cert); }
|
socket.write({ client: 'meshcmd', version: 1, action: 'acmactivate', fqdn: dnsSuffix, realm: digestRealm, nonce: fwNonce, uuid: uuid, profile: settings.profile, hashes: trustedHashes });
|
||||||
|
});
|
||||||
|
connection.end();
|
||||||
}
|
}
|
||||||
|
|
||||||
// Sends the password hash, mcnonce, and digital signature to complete the admin control mode provisioning
|
// Recursive function to inject the provisioning certificates into AMT in the proper order and completes ACM activation
|
||||||
function activeToACMEx2(data, callback) {
|
function performAcmActivation(acmdata, func) {
|
||||||
//var passwordhash = md5hex('admin:' + responses['AMT_GeneralSettings'].response['DigestRealm'] + ':' + data.passwordHash).substring(0, 32);
|
var leaf = (acmdata.index == 0), root = (acmdata.index == (acmdata.certs.length - 1));
|
||||||
//var debugreturn = {"Body": {"ReturnValue": 0}};
|
if ((acmdata.index < acmdata.certs.length) && (acmdata.certs[acmdata.index] != null)) {
|
||||||
//console.log("DEBUG: Everything up to activation works"); callback(null, null, debugreturn, 200, data);
|
osamtstack.IPS_HostBasedSetupService_AddNextCertInChain(acmdata.certs[acmdata.index], leaf, root, function (stack, name, responses, status) {
|
||||||
osamtstack.IPS_HostBasedSetupService_AdminSetup(2, data.passwordHash, data.mcNonce, 2, data.digitalSignature, function (stack, name, responses, status) { callback(stack, name, responses, status, data); });
|
if (status !== 200) { debug('AddNextCertInChain status=' + status); return; }
|
||||||
|
else if (responses['Body']['ReturnValue'] !== 0) { debug('AddNextCertInChain error=' + responses['Body']['ReturnValue']); return; }
|
||||||
|
else { acmdata.index++; performAcmActivation(acmdata, func); }
|
||||||
|
});
|
||||||
|
} else {
|
||||||
|
osamtstack.IPS_HostBasedSetupService_AdminSetup(2, acmdata.password, acmdata.nonce, 2, acmdata.signature,
|
||||||
|
function (stack, name, responses, status) { func((status == 200) && (responses['Body']['ReturnValue'] == 0)); }
|
||||||
|
);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
//
|
//
|
||||||
|
|
|
@ -498,9 +498,10 @@ function run(argv) {
|
||||||
activeToCCM();
|
activeToCCM();
|
||||||
} else if (settings.action == 'amtacm') {
|
} else if (settings.action == 'amtacm') {
|
||||||
// Start activation to ACM
|
// Start activation to ACM
|
||||||
if ((settings.wss == null) || (typeof settings.wss != 'string') || (settings.wss == '')) { console.log('No or invalid \"server name\" specified, use --wss [servername:port].'); exit(1); return; }
|
if ((settings.wss == null) || (typeof settings.wss != 'string') || (settings.wss == '')) { console.log('No server URL specified, use --wss [url].'); exit(1); return; }
|
||||||
if ((settings.profile == null) || (typeof settings.profile != 'string') || (settings.profile == '')) { console.log('No or invalid \"profile name\" specified, use --profile [name].'); exit(1); return; }
|
//if ((settings.profile == null) || (typeof settings.profile != 'string') || (settings.profile == '')) { console.log('No or invalid \"profile name\" specified, use --profile [name].'); exit(1); return; }
|
||||||
settings.protocol = 'http:';
|
if ((typeof settings.profile != 'string') || (settings.profile == '')) { settings.profile = null; }
|
||||||
|
//settings.protocol = 'http:';
|
||||||
settings.localport = 16992;
|
settings.localport = 16992;
|
||||||
debug(1, "Settings: " + JSON.stringify(settings));
|
debug(1, "Settings: " + JSON.stringify(settings));
|
||||||
activeToACM();
|
activeToACM();
|
||||||
|
@ -848,37 +849,45 @@ function deactivateACMEx() {
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
//
|
||||||
|
// Get Intel AMT activation hashes
|
||||||
|
//
|
||||||
|
|
||||||
|
var trustedHashes = null;
|
||||||
|
function getTrustedHashes(amtMei, func, tag) {
|
||||||
|
console.log('getTrustedHashes');
|
||||||
|
if (trustedHashes != null) { func(tag); }
|
||||||
|
trustedHashes = [];
|
||||||
|
amtMei.getHashHandles(function (handles) {
|
||||||
|
var exitOnCount = handles.length;
|
||||||
|
for (var i = 0; i < handles.length; ++i) {
|
||||||
|
this.getCertHashEntry(handles[i], function (result) {
|
||||||
|
if (result.isActive == 1) { trustedHashes.push(result.certificateHash.toLowerCase()); }
|
||||||
|
if (--exitOnCount == 0) { func(tag); }
|
||||||
|
});
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
//
|
//
|
||||||
// Activate Intel AMT to ACM
|
// Activate Intel AMT to ACM
|
||||||
//
|
//
|
||||||
|
|
||||||
function activeToACM() {
|
function activeToACM() {
|
||||||
// See if MicroLMS needs to be started and setup the $$OsAdmin wsman stack
|
console.log('Starting Intel AMT provisioning to Admin Control Mode (ACM) attempt...');
|
||||||
console.log('Starting AMT Provisioning to Admin Control Mode.');
|
|
||||||
settings.noconsole = true;
|
settings.noconsole = true;
|
||||||
|
|
||||||
// Display Intel AMT version and activation state
|
// Display Intel AMT version and activation state
|
||||||
mestate = {};
|
mestate = {};
|
||||||
var amtMeiModule, amtMei;
|
var amtMeiModule, amtMei;
|
||||||
try { amtMeiModule = require('amt-mei'); amtMei = new amtMeiModule(); } catch (ex) { console.log(ex); exit(1); return; }
|
try { amtMeiModule = require('amt-mei'); amtMei = new amtMeiModule(); } catch (ex) { console.log(ex); exit(1); return; }
|
||||||
amtMei.on('error', function (e) { console.log('ERROR: ' + e); exit(1); return; });
|
amtMei.on('error', function (e) { console.log('ERROR: ' + e); exit(1); return; });
|
||||||
amtMei.getProvisioningState(function (result) {
|
amtMei.getProvisioningState(function (result) { if (result) { mestate.ProvisioningState = result; } });
|
||||||
if (result) {
|
|
||||||
mestate.ProvisioningState = result;
|
|
||||||
startLms(getFwNonce); // TODO: Fix this so that it works even if LMS already running.
|
|
||||||
}
|
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
// Gets the FWNonce from AMT and saves it to a file.
|
|
||||||
function getFwNonce() {
|
|
||||||
osamtstack.BatchEnum(null, ['*AMT_GeneralSettings', '*IPS_HostBasedSetupService'], function (stack, name, responses, status) {
|
|
||||||
var fwNonce = responses['IPS_HostBasedSetupService'].response['ConfigurationNonce'];
|
|
||||||
var digestRealm = responses['AMT_GeneralSettings'].response['DigestRealm'];
|
|
||||||
var amtMeiModule, amtMei, str;
|
|
||||||
try { amtMeiModule = require('amt-mei'); amtMei = new amtMeiModule(); } catch (ex) { console.log(ex); exit(1); return; }
|
|
||||||
amtMei.getLanInterfaceSettings(0, function (result) { if (result) { mestate.net0 = result; } });
|
amtMei.getLanInterfaceSettings(0, function (result) { if (result) { mestate.net0 = result; } });
|
||||||
|
amtMei.getUuid(function (result) { if ((result != null) && (result.uuid != null)) { mestate.uuid = result.uuid; } });
|
||||||
amtMei.getDnsSuffix(function (result) {
|
amtMei.getDnsSuffix(function (result) {
|
||||||
|
if (mestate.ProvisioningState.state !== 0) { console.log("Intel AMT is not in pre-provisioning state: " + mestate.ProvisioningState.stateStr); exit(100); return; }
|
||||||
|
if (mestate.uuid == null) { console.log("Unable to get Intel AMT UUID."); exit(100); return; }
|
||||||
var fqdn = null;
|
var fqdn = null;
|
||||||
if ((mestate.net0 == null) && (meinfo.net0.enabled != 0)) { console.log("No Intel AMT wired interface, can't perform ACM activation."); exit(100); return; }
|
if ((mestate.net0 == null) && (meinfo.net0.enabled != 0)) { console.log("No Intel AMT wired interface, can't perform ACM activation."); exit(100); return; }
|
||||||
if (result) { fqdn = result; } // If Intel AMT has a trusted DNS suffix set, use that one.
|
if (result) { fqdn = result; } // If Intel AMT has a trusted DNS suffix set, use that one.
|
||||||
|
@ -892,145 +901,93 @@ function getFwNonce() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (fqdn != null) {
|
if (fqdn != null) {
|
||||||
activeToACMEx(fwNonce, fqdn, digestRealm);
|
settings.fqdn = fqdn;
|
||||||
|
settings.uuid = mestate.uuid;
|
||||||
|
getTrustedHashes(amtMei, function () { startLms(getFwNonce, amtMei); });
|
||||||
} else {
|
} else {
|
||||||
console.log("Trusted DNS suffix not set, can't perform ACM activation."); exit(100); return;
|
console.log("Trusted DNS suffix not set, can't perform ACM activation."); exit(100); return;
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
});
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Sends a message to RCS server using RCS Message Protocol
|
// Gets the FWNonce from AMT and saves it to a file.
|
||||||
function sendRCSMessage(socket, status, event, message) {
|
function getFwNonce() {
|
||||||
//console.log('Status: ' + status + '. Event: ' + event + '. Message: ' + message);
|
|
||||||
if (socket !== null) { socket.write({ "status": status, "event": event, "data": message }); }
|
|
||||||
}
|
|
||||||
|
|
||||||
function activeToACMEx(fwNonce, dnsSuffix, digestRealm) {
|
|
||||||
// open connection to RCS
|
|
||||||
console.log('Initializing WebSocket...');
|
|
||||||
// Establish WebSocket connection to RCS server
|
|
||||||
var connection = http.request(settings.wss);
|
|
||||||
connection.on('upgrade', function (response, socket) {
|
|
||||||
// WebSocket is up. Handle data on the duplex socket
|
|
||||||
socket.on('data', function (data) {
|
|
||||||
// All messages from RCS are JSON.stringify format and need to be parsed
|
|
||||||
var message = JSON.parse(data);
|
|
||||||
// Check RCS Message Protocol version. Exit if version not supported
|
|
||||||
if (message.version > RCSMessageProtocolVersion) { console.log('Unsupported RCS server.'); socket.end(); exit(0) }
|
|
||||||
// Handle the AMT provisioning certificate blob (contains provisioning certificate, mcnonce, digital signature and password hash)
|
|
||||||
if (message.data.provCertObj !== undefined) {
|
|
||||||
activeToACMEx1(message.data, function (stack, name, responses, status, message) {
|
|
||||||
if (status !== 200) {
|
|
||||||
if (status == 2) {
|
|
||||||
console.log('AMT already provisioned.Exiting ' + status);
|
|
||||||
sendRCSMessage(socket, "error", "finish", "failed with status: " + status);
|
|
||||||
} else {
|
|
||||||
console.log('Failed to fetch activation status, status ' + status);
|
|
||||||
sendRCSMessage(socket, "error", "finish", "failed with status: " + status);
|
|
||||||
}
|
|
||||||
socket.end();
|
|
||||||
exit(status);
|
|
||||||
} else if (responses['IPS_HostBasedSetupService'].response['AllowedControlModes'].length != 2) {
|
|
||||||
console.log('Admin control mode activation not allowed');
|
|
||||||
sendRCSMessage(socket, "error", "finish", "failed with message: Admin control mode activation not allowed");
|
|
||||||
socket.end();
|
|
||||||
exit(status);
|
|
||||||
} else {
|
|
||||||
activeToACMEx2(message, function (stack, name, responses, status, message) {
|
|
||||||
if (status != 200) {
|
|
||||||
console.log('Failed to activate, status ' + status);
|
|
||||||
sendRCSMessage(socket, "error", "finish", "failed to activate. Status: " + status);
|
|
||||||
} else if (responses.Body.ReturnValue != 0) {
|
|
||||||
console.log('Admin control mode activation failed: ' + responses.Body.ReturnValueStr);
|
|
||||||
sendRCSMessage(socket, "error", "finish", "failed to activate: " + responses.Body.ReturnValueStr);
|
|
||||||
} else {
|
|
||||||
if (message.profileScript !== null) {
|
|
||||||
console.log("Running MEScript...");
|
|
||||||
settings.scriptjson = message.profileScript;
|
|
||||||
settings.password = message.amtPassword
|
|
||||||
settings.username = 'admin';
|
|
||||||
startMeScriptEx(function () {
|
|
||||||
console.log('AMT Profile applied');
|
|
||||||
sendRCSMessage(socket, "ok", "finish", "success");
|
|
||||||
socket.end();
|
|
||||||
exit(0);
|
|
||||||
}, stack);
|
|
||||||
} else {
|
|
||||||
sendRCSMessage(socket, "ok", "finish", "success");
|
|
||||||
socket.end();
|
|
||||||
exit(0);
|
|
||||||
}
|
|
||||||
console.log('AMT Provisioning Success');
|
|
||||||
}
|
|
||||||
//socket.end();
|
|
||||||
//exit(status);
|
|
||||||
});
|
|
||||||
}
|
|
||||||
});
|
|
||||||
}
|
|
||||||
if (message.event.toString() == "cmd" && message.data.toString() == "acmready") {
|
|
||||||
sendRCSMessage(socket, "ok", "message", JSON.stringify(fwNonce));
|
|
||||||
}
|
|
||||||
});
|
|
||||||
socket.on('end', function () { console.log('WebSocket closed'); });
|
|
||||||
sendRCSMessage(socket, "ok", "cmd", { "cmd": "acm", "dnssuffix": dnsSuffix, "profile": settings.profile, 'digestrealm': digestRealm, 'fwnonce': fwNonce });
|
|
||||||
});
|
|
||||||
}
|
|
||||||
|
|
||||||
// Detects AMT provisioning state and injects the certificate chain into AMT firmware
|
|
||||||
function activeToACMEx1(data, callback) {
|
|
||||||
if (mestate.ProvisioningState.state == 0) {
|
|
||||||
console.log('Performing ACM provisioning...');
|
|
||||||
// Perform full provisioning -- AMT was fully unprovisioned
|
|
||||||
injectCert(0, data, function (stack, name, responses, status, data) {
|
|
||||||
if (status !== 200) { exit(status); return; }
|
|
||||||
else if (responses['Body']['ReturnValue'] !== 0) { exit(responses['Body']['ReturnValueStr']); return; }
|
|
||||||
else if (responses['Body']['ReturnValue'] == 0) {
|
|
||||||
osamtstack.BatchEnum(null, ['*AMT_GeneralSettings', '*IPS_HostBasedSetupService'], function (stack, name, responses, status) {
|
osamtstack.BatchEnum(null, ['*AMT_GeneralSettings', '*IPS_HostBasedSetupService'], function (stack, name, responses, status) {
|
||||||
callback(stack, name, responses, status, data);
|
if (status != 200) { console.log("Unable to get firmware activation nonce, status=" + status); exit(100); return; }
|
||||||
|
var fwNonce = responses['IPS_HostBasedSetupService'].response['ConfigurationNonce'];
|
||||||
|
var digestRealm = responses['AMT_GeneralSettings'].response['DigestRealm'];
|
||||||
|
activeToACMEx(fwNonce, settings.fqdn, digestRealm, settings.uuid);
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
});
|
|
||||||
} else if (mestate.ProvisioningState.state == 1) {
|
// Connect to the activation server and perform ACM activation
|
||||||
// Perform partial provisioning -- AMT was partial unprovisioned
|
function activeToACMEx(fwNonce, dnsSuffix, digestRealm, uuid) {
|
||||||
// Currently not functional due to limitations in the HW.
|
console.log('FQDN: ' + dnsSuffix);
|
||||||
console.log('Partial provisioning flow currently not available.');
|
console.log('UUID: ' + uuid);
|
||||||
exit(0);
|
console.log('Realm: ' + digestRealm);
|
||||||
//osamtstack.BatchEnum(null, ['*AMT_GeneralSettings', '*IPS_HostBasedSetupService'], activeToACMEx2);
|
console.log('Nonce: ' + fwNonce);
|
||||||
|
console.log('Connecting to ' + settings.wss);
|
||||||
|
|
||||||
|
// Establish WebSocket connection to activation server
|
||||||
|
var options = http.parseUri(settings.wss);
|
||||||
|
options.checkServerIdentity = function (clientName, certs) { }; // TODO
|
||||||
|
options.rejectUnauthorized = false;
|
||||||
|
var connection = http.request(options);
|
||||||
|
connection.on('upgrade', function (response, socket) {
|
||||||
|
console.log('Connected, requesting activation...');
|
||||||
|
socket.on('end', function () { console.log('Connection closed'); exit(0); });
|
||||||
|
socket.on('error', function () { console.log('Connection error'); exit(100); });
|
||||||
|
socket.on('data', function (data) {
|
||||||
|
// Parse and check the response
|
||||||
|
var cmd = null;
|
||||||
|
try { cmd = JSON.parse(data); } catch (ex) { console.log('Unable to parse server response: ' + data); exit(100); return; }
|
||||||
|
if (typeof cmd != 'object') { console.log('Invalid server response: ' + cmd); exit(100); return; }
|
||||||
|
if (typeof cmd.errorText == 'string') { console.log('Server error: ' + cmd.errorText); exit(100); return; }
|
||||||
|
if (cmd.action != 'acmactivate') { console.log('Invalid server response, command: ' + cmd.cmd); exit(100); return; }
|
||||||
|
if (typeof cmd.signature != 'string') { console.log('Invalid server signature'); exit(100); return; }
|
||||||
|
if (typeof cmd.password != 'string') { console.log('Invalid server password'); exit(100); return; }
|
||||||
|
if (typeof cmd.nonce != 'string') { console.log('Invalid server nonce'); exit(100); return; }
|
||||||
|
if (typeof cmd.certs != 'object') { console.log('Invalid server certificates'); exit(100); return; }
|
||||||
|
|
||||||
|
// We are ready to go, perform activation.
|
||||||
|
cmd.index = 0;
|
||||||
|
performAcmActivation(cmd, function (result) {
|
||||||
|
if (result == false) {
|
||||||
|
console.log('Intel AMT ACM activation failed.');
|
||||||
} else {
|
} else {
|
||||||
// AMT already provisioned
|
if ((cmd.profileScript !== null) && (cmd.rawpassword != null)) {
|
||||||
callback(null, null, null, 2, 'AMT already provisioned. Exiting')
|
console.log("Intel AMT ACM activation success, applying profile...");
|
||||||
|
settings.scriptjson = cmd.profileScript;
|
||||||
|
settings.password = cmd.rawpassword; // TODO: This is only going to work if the server sends the raw password??
|
||||||
|
settings.username = 'admin';
|
||||||
|
startMeScriptEx(function () { console.log('Intel AMT profile applied.'); socket.end(); exit(0); }, stack);
|
||||||
|
} else {
|
||||||
|
console.log('Intel AMT ACM activation success.');
|
||||||
|
socket.end();
|
||||||
exit(0);
|
exit(0);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Recursive function to inject the provisioning certificates into AMT in the proper order
|
|
||||||
function injectCert(index, cert, callback, stack, name, responses, status) {
|
|
||||||
var leaf = false;
|
|
||||||
var root = false;
|
|
||||||
if (index == 0) { leaf = true; }
|
|
||||||
if (index == cert.provCertObj.certChain.length - 1) { root = true; }
|
|
||||||
if (index < cert.provCertObj.certChain.length) {
|
|
||||||
if (cert.provCertObj.certChain[index] !== undefined) {
|
|
||||||
osamtstack.IPS_HostBasedSetupService_AddNextCertInChain(cert.provCertObj.certChain[index], leaf, root, function (stack, name, responses, status) {
|
|
||||||
if (status !== 200) { exit(status); return; }
|
|
||||||
else if (responses['Body']['ReturnValue'] !== 0) { exit(responses['Body']['ReturnValueStr']); return; }
|
|
||||||
else if (responses['Body']['ReturnValue'] == 0) {
|
|
||||||
index++;
|
|
||||||
injectCert(index, cert, callback, stack, name, responses, status);
|
|
||||||
}
|
|
||||||
});
|
});
|
||||||
}
|
});
|
||||||
} else { callback(stack, name, responses, status, cert); }
|
socket.write({ client: 'meshcmd', version: 1, action: 'acmactivate', fqdn: dnsSuffix, realm: digestRealm, nonce: fwNonce, uuid: uuid, profile: settings.profile, hashes: trustedHashes });
|
||||||
|
});
|
||||||
|
connection.end();
|
||||||
}
|
}
|
||||||
|
|
||||||
// Sends the password hash, mcnonce, and digital signature to complete the admin control mode provisioning
|
// Recursive function to inject the provisioning certificates into AMT in the proper order and completes ACM activation
|
||||||
function activeToACMEx2(data, callback) {
|
function performAcmActivation(acmdata, func) {
|
||||||
//var passwordhash = md5hex('admin:' + responses['AMT_GeneralSettings'].response['DigestRealm'] + ':' + data.passwordHash).substring(0, 32);
|
var leaf = (acmdata.index == 0), root = (acmdata.index == (acmdata.certs.length - 1));
|
||||||
//var debugreturn = {"Body": {"ReturnValue": 0}};
|
if ((acmdata.index < acmdata.certs.length) && (acmdata.certs[acmdata.index] != null)) {
|
||||||
//console.log("DEBUG: Everything up to activation works"); callback(null, null, debugreturn, 200, data);
|
osamtstack.IPS_HostBasedSetupService_AddNextCertInChain(acmdata.certs[acmdata.index], leaf, root, function (stack, name, responses, status) {
|
||||||
osamtstack.IPS_HostBasedSetupService_AdminSetup(2, data.passwordHash, data.mcNonce, 2, data.digitalSignature, function (stack, name, responses, status) { callback(stack, name, responses, status, data); });
|
if (status !== 200) { debug('AddNextCertInChain status=' + status); return; }
|
||||||
|
else if (responses['Body']['ReturnValue'] !== 0) { debug('AddNextCertInChain error=' + responses['Body']['ReturnValue']); return; }
|
||||||
|
else { acmdata.index++; performAcmActivation(acmdata, func); }
|
||||||
|
});
|
||||||
|
} else {
|
||||||
|
osamtstack.IPS_HostBasedSetupService_AdminSetup(2, acmdata.password, acmdata.nonce, 2, acmdata.signature,
|
||||||
|
function (stack, name, responses, status) { func((status == 200) && (responses['Body']['ReturnValue'] == 0)); }
|
||||||
|
);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
//
|
//
|
||||||
|
|
|
@ -30,12 +30,12 @@ module.exports.CertificateOperations = function (parent) {
|
||||||
|
|
||||||
// Sign a Intel AMT ACM activation request
|
// Sign a Intel AMT ACM activation request
|
||||||
obj.signAcmRequest = function (domain, request, user, pass, ipport, nodeid, meshid, computerName, agentId) {
|
obj.signAcmRequest = function (domain, request, user, pass, ipport, nodeid, meshid, computerName, agentId) {
|
||||||
if ((domain == null) || (domain.amtacmactivation == null) || (domain.amtacmactivation.certs == null) || (request == null) || (request.nonce == null) || (request.realm == null) || (request.fqdn == null) || (request.hash == null)) return null;
|
if ((domain == null) || (domain.amtacmactivation == null) || (domain.amtacmactivation.certs == null) || (request == null) || (request.nonce == null) || (request.realm == null) || (request.fqdn == null) || (request.hash == null)) return { 'action': 'acmactivate', 'error': 1, 'errorText': 'Invalid arguments' };
|
||||||
if (parent.common.validateString(request.nonce, 16, 256) == false) return null;
|
if (parent.common.validateString(request.nonce, 16, 256) == false) return { 'action': 'acmactivate', 'error': 1, 'errorText': 'Invalid nonce argument' };
|
||||||
if (parent.common.validateString(request.realm, 16, 256) == false) return null;
|
if (parent.common.validateString(request.realm, 16, 256) == false) return { 'action': 'acmactivate', 'error': 1, 'errorText': 'Invalid realm argument' };
|
||||||
if (parent.common.validateString(request.fqdn, 4, 256) == false) return null;
|
if (parent.common.validateString(request.fqdn, 4, 256) == false) return { 'action': 'acmactivate', 'error': 1, 'errorText': 'Invalid FQDN argument' };
|
||||||
if (parent.common.validateString(request.hash, 16, 256) == false) return null;
|
if (parent.common.validateString(request.hash, 16, 256) == false) return { 'action': 'acmactivate', 'error': 1, 'errorText': 'Invalid hash argument' };
|
||||||
if (parent.common.validateString(request.uuid, 36, 36) == false) return null;
|
if (parent.common.validateString(request.uuid, 36, 36) == false) return { 'action': 'acmactivate', 'error': 1, 'errorText': 'Invalid UUID argument' };
|
||||||
|
|
||||||
// Look for the signing certificate
|
// Look for the signing certificate
|
||||||
var signkey = null, certChain = null, hashAlgo = null, certIndex = null;
|
var signkey = null, certChain = null, hashAlgo = null, certIndex = null;
|
||||||
|
@ -44,10 +44,10 @@ module.exports.CertificateOperations = function (parent) {
|
||||||
if ((certEntry.sha256 == request.hash) && ((certEntry.cn == '*') || (certEntry.cn == request.fqdn))) { hashAlgo = 'sha256'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
|
if ((certEntry.sha256 == request.hash) && ((certEntry.cn == '*') || (certEntry.cn == request.fqdn))) { hashAlgo = 'sha256'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
|
||||||
if ((certEntry.sha1 == request.hash) && ((certEntry.cn == '*') || (certEntry.cn == request.fqdn))) { hashAlgo = 'sha1'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
|
if ((certEntry.sha1 == request.hash) && ((certEntry.cn == '*') || (certEntry.cn == request.fqdn))) { hashAlgo = 'sha1'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
|
||||||
}
|
}
|
||||||
if (signkey == null) return null; // Did not find a match.
|
if (signkey == null) return { 'action': 'acmactivate', 'error': 2, 'errorText': 'No signing certificate found' }; // Did not find a match.
|
||||||
|
|
||||||
// If the matching certificate is a root cert, issue a leaf cert that matches the fqdn
|
// If the matching certificate is a root cert, issue a leaf cert that matches the fqdn
|
||||||
if (domain.amtacmactivation.certs[certIndex].cn == '*') return; // TODO: Add support for this mode
|
if (domain.amtacmactivation.certs[certIndex].cn == '*') return { 'action': 'acmactivate', 'error': 3, 'errorText': 'Unsupported activation' }; // TODO: Add support for this mode
|
||||||
|
|
||||||
// Setup both nonces, ready to be signed
|
// Setup both nonces, ready to be signed
|
||||||
const mcNonce = Buffer.from(obj.crypto.randomBytes(20), 'binary');
|
const mcNonce = Buffer.from(obj.crypto.randomBytes(20), 'binary');
|
||||||
|
@ -59,10 +59,10 @@ module.exports.CertificateOperations = function (parent) {
|
||||||
var signer = obj.crypto.createSign(hashAlgo);
|
var signer = obj.crypto.createSign(hashAlgo);
|
||||||
signer.update(Buffer.concat([fwNonce, mcNonce]));
|
signer.update(Buffer.concat([fwNonce, mcNonce]));
|
||||||
signature = signer.sign(signkey, 'base64');
|
signature = signer.sign(signkey, 'base64');
|
||||||
} catch (ex) { return null; }
|
} catch (ex) { return { 'action': 'acmactivate', 'error': 4, 'errorText': 'Unable to perform signature' }; }
|
||||||
|
|
||||||
// Log the activation request, logging is a required step for activation.
|
// Log the activation request, logging is a required step for activation.
|
||||||
if (obj.logAmtActivation(domain, { time: new Date(), domain: domain.id, amtUuid: request.uuid, certHash: request.hash, hashType: hashAlgo, amtRealm: request.realm, amtFqdn: request.fqdn, user: user, password: pass, ipport: ipport, nodeid: nodeid, meshid: meshid, computerName: computerName, agentId: agentId }) == false) return null;
|
if (obj.logAmtActivation(domain, { time: new Date(), domain: domain.id, amtUuid: request.uuid, certHash: request.hash, hashType: hashAlgo, amtRealm: request.realm, amtFqdn: request.fqdn, user: user, password: pass, ipport: ipport, nodeid: nodeid, meshid: meshid, computerName: computerName, agentId: agentId }) == false) return { 'action': 'acmactivate', 'error': 5, 'errorText': 'Unable to log operation' };
|
||||||
|
|
||||||
// Return the signature with the computed account password hash
|
// Return the signature with the computed account password hash
|
||||||
return { 'action': 'acmactivate', 'signature': signature, 'password': obj.crypto.createHash('md5').update(user + ':' + request.realm + ':' + pass).digest('hex'), 'nonce': mcNonce.toString('base64'), 'certs': certChain };
|
return { 'action': 'acmactivate', 'signature': signature, 'password': obj.crypto.createHash('md5').update(user + ':' + request.realm + ':' + pass).digest('hex'), 'nonce': mcNonce.toString('base64'), 'certs': certChain };
|
||||||
|
|
|
@ -1222,7 +1222,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
|
||||||
|
|
||||||
// Agent is asking the server to sign an Intel AMT ACM activation request
|
// Agent is asking the server to sign an Intel AMT ACM activation request
|
||||||
var signResponse = parent.parent.certificateOperations.signAcmRequest(domain, command, 'admin', amtpassword, obj.remoteaddrport, obj.dbNodeKey, obj.dbMeshKey, obj.agentInfo.computerName, obj.agentInfo.agentId); // TODO: Place account credentials!!!
|
var signResponse = parent.parent.certificateOperations.signAcmRequest(domain, command, 'admin', amtpassword, obj.remoteaddrport, obj.dbNodeKey, obj.dbMeshKey, obj.agentInfo.computerName, obj.agentInfo.agentId); // TODO: Place account credentials!!!
|
||||||
if (signResponse != null) {
|
if ((signResponse != null) && (signResponse.error == null)) {
|
||||||
// Log this activation event
|
// Log this activation event
|
||||||
var event = { etype: 'node', action: 'amtactivate', nodeid: obj.dbNodeKey, domain: domain.id, msg: 'Device requested Intel AMT ACM activation, FQDN: ' + command.fqdn, ip: obj.remoteaddrport };
|
var event = { etype: 'node', action: 'amtactivate', nodeid: obj.dbNodeKey, domain: domain.id, msg: 'Device requested Intel AMT ACM activation, FQDN: ' + command.fqdn, ip: obj.remoteaddrport };
|
||||||
if (db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the node. Another event will come.
|
if (db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the node. Another event will come.
|
||||||
|
@ -1232,7 +1232,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
|
||||||
ChangeAgentCoreInfo({ "intelamt": { user: 'admin', pass: amtpassword, uuid: command.uuid, realm: command.realm } });
|
ChangeAgentCoreInfo({ "intelamt": { user: 'admin', pass: amtpassword, uuid: command.uuid, realm: command.realm } });
|
||||||
|
|
||||||
// Send the activation response
|
// Send the activation response
|
||||||
obj.send(JSON.stringify(signResponse));
|
//obj.send(JSON.stringify(signResponse)); // DEBUG****************************
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
|
@ -2766,8 +2766,8 @@
|
||||||
// Windows agent install
|
// Windows agent install
|
||||||
//x += "<div id=agins_windows>To add a new computer to device group \"" + EscapeHtml(mesh.name) + "\", download the mesh agent and configuration file and install the agent on the computer to manage.<br /><br />";
|
//x += "<div id=agins_windows>To add a new computer to device group \"" + EscapeHtml(mesh.name) + "\", download the mesh agent and configuration file and install the agent on the computer to manage.<br /><br />";
|
||||||
x += "<div id=agins_windows>To add a new computer to device group \"" + EscapeHtml(mesh.name) + "\", download the mesh agent and install it the computer to manage. This agent has server and device group information embedded within it.<br /><br />";
|
x += "<div id=agins_windows>To add a new computer to device group \"" + EscapeHtml(mesh.name) + "\", download the mesh agent and install it the computer to manage. This agent has server and device group information embedded within it.<br /><br />";
|
||||||
x += addHtmlValue('Mesh Agent', '<a id=aginsw32lnk href="meshagents?id=3&meshid=' + meshid.split('/')[2] + '&installflags=0" download title="32bit version of the MeshAgent">Windows (.exe)</a>');
|
x += addHtmlValue('Mesh Agent', '<a id=aginsw32lnk href="meshagents?id=3&meshid=' + meshid.split('/')[2] + '&installflags=0" download onclick="setDialogMode(0)" title="32bit version of the MeshAgent">Windows (.exe)</a>');
|
||||||
x += addHtmlValue('Mesh Agent', '<a id=aginsw64lnk href="meshagents?id=4&meshid=' + meshid.split('/')[2] + '&installflags=0" download title="64bit version of the MeshAgent">Windows x64 (.exe)</a>');
|
x += addHtmlValue('Mesh Agent', '<a id=aginsw64lnk href="meshagents?id=4&meshid=' + meshid.split('/')[2] + '&installflags=0" download onclick="setDialogMode(0)" title="64bit version of the MeshAgent">Windows x64 (.exe)</a>');
|
||||||
if (debugmode > 0) { x += addHtmlValue('Settings File', '<a id=aginswmshlnk href="meshsettings?id=' + meshid.split('/')[2] + '&installflags=0" rel="noreferrer noopener" target="_blank">' + EscapeHtml(mesh.name) + ' settings (.msh)</a>'); }
|
if (debugmode > 0) { x += addHtmlValue('Settings File', '<a id=aginswmshlnk href="meshsettings?id=' + meshid.split('/')[2] + '&installflags=0" rel="noreferrer noopener" target="_blank">' + EscapeHtml(mesh.name) + ' settings (.msh)</a>'); }
|
||||||
x += "</div>";
|
x += "</div>";
|
||||||
|
|
||||||
|
@ -2783,8 +2783,8 @@
|
||||||
|
|
||||||
// Windows agent uninstall
|
// Windows agent uninstall
|
||||||
x += "<div id=agins_windows_un style=display:none>To remove a mesh agent, download the file below, run it and click \"uninstall\".<br /><br />";
|
x += "<div id=agins_windows_un style=display:none>To remove a mesh agent, download the file below, run it and click \"uninstall\".<br /><br />";
|
||||||
x += addHtmlValue('Mesh Agent', '<a href="meshagents?id=3" download title="32bit version of the MeshAgent">Windows (.exe)</a>');
|
x += addHtmlValue('Mesh Agent', '<a href="meshagents?id=3" download onclick="setDialogMode(0)" title="32bit version of the MeshAgent">Windows (.exe)</a>');
|
||||||
x += addHtmlValue('Mesh Agent', '<a href="meshagents?id=4" download title="64bit version of the MeshAgent">Windows x64 (.exe)</a>');
|
x += addHtmlValue('Mesh Agent', '<a href="meshagents?id=4" download onclick="setDialogMode(0)" title="64bit version of the MeshAgent">Windows x64 (.exe)</a>');
|
||||||
x += "</div>";
|
x += "</div>";
|
||||||
|
|
||||||
// Linux agent uninstall
|
// Linux agent uninstall
|
||||||
|
@ -4106,7 +4106,7 @@
|
||||||
++count;
|
++count;
|
||||||
date = new Date(date.getTime() - (1000 * 60 * 60 * 24)); // Substract one day
|
date = new Date(date.getTime() - (1000 * 60 * 60 * 24)); // Substract one day
|
||||||
}
|
}
|
||||||
QH('p10html2', '<table cellpadding=2 cellspacing=0><thead><tr style=><th scope=col style=text-align:center;width:150px>Day</th><th scope=col style=text-align:center><a download href="devicepowerevents.ashx?id=' + currentNode._id + '"><img title="Download power events" src="images/link4.png" /></a>7 Day Power State</th></tr></thead><tbody>' + x + '</tbody></table>');
|
QH('p10html2', '<table cellpadding=2 cellspacing=0><thead><tr style=><th scope=col style=text-align:center;width:150px>Day</th><th scope=col style=text-align:center><a download href="devicepowerevents.ashx?id=' + currentNode._id + '" onclick="setDialogMode(0)"><img title="Download power events" src="images/link4.png" /></a>7 Day Power State</th></tr></thead><tbody>' + x + '</tbody></table>');
|
||||||
}
|
}
|
||||||
|
|
||||||
// Return a color for the given power state
|
// Return a color for the given power state
|
||||||
|
@ -4261,7 +4261,7 @@
|
||||||
function p10showMeshRouterDialog() {
|
function p10showMeshRouterDialog() {
|
||||||
if (xxdialogMode) return;
|
if (xxdialogMode) return;
|
||||||
var x = "<div>MeshCentral Router is a Windows tool for TCP port mapping. You can, for example, RDP into a remote device thru this server.</div><br />";
|
var x = "<div>MeshCentral Router is a Windows tool for TCP port mapping. You can, for example, RDP into a remote device thru this server.</div><br />";
|
||||||
x += addHtmlValue('Win32 Executable', '<a style=cursor:pointer download href="meshagents?meshaction=winrouter">MeshCentralRouter.exe</a>');
|
x += addHtmlValue('Win32 Executable', '<a style=cursor:pointer download href="meshagents?meshaction=winrouter" onclick="setDialogMode(0)">MeshCentralRouter.exe</a>');
|
||||||
setDialogMode(2, "MeshCentral Router", 1, null, x, "fileDownload");
|
setDialogMode(2, "MeshCentral Router", 1, null, x, "fileDownload");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
86
webserver.js
86
webserver.js
|
@ -2153,6 +2153,83 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Handle a Intel AMT activation request
|
||||||
|
function handleAmtActivateWebSocket(ws, req) {
|
||||||
|
const domain = checkUserIpAddress(ws, req);
|
||||||
|
if (domain == null) { ws.send(JSON.stringify({ errorText: 'Invalid domain' })); ws.close(); return; }
|
||||||
|
if (req.query.id == null) { ws.send(JSON.stringify({ errorText: 'Missing group identifier' })); ws.close(); return; }
|
||||||
|
|
||||||
|
// Fetch the mesh object
|
||||||
|
ws.meshid = 'mesh/' + domain.id + '/' + req.query.id;
|
||||||
|
const mesh = obj.meshes[ws.meshid];
|
||||||
|
if (mesh == null) { delete ws.meshid; ws.send(JSON.stringify({ errorText: 'Invalid device group' })); ws.close(); return; }
|
||||||
|
if (mesh.mtype != 1) { ws.send(JSON.stringify({ errorText: 'Invalid device group type' })); ws.close(); return; }
|
||||||
|
|
||||||
|
// Fetch the remote IP:Port for logging
|
||||||
|
const remoteaddr = (req.ip.startsWith('::ffff:')) ? (req.ip.substring(7)) : req.ip;
|
||||||
|
ws.remoteaddrport = remoteaddr + ':' + ws._socket.remotePort;
|
||||||
|
|
||||||
|
// When data is received from the web socket, echo it back
|
||||||
|
ws.on('message', function (data) {
|
||||||
|
// Parse the incoming command
|
||||||
|
var cmd = null;
|
||||||
|
try { cmd = JSON.parse(data); } catch (ex) { };
|
||||||
|
if (cmd == null) return;
|
||||||
|
|
||||||
|
// Process the command
|
||||||
|
switch (cmd.action) {
|
||||||
|
case 'acmactivate': {
|
||||||
|
// Check the command
|
||||||
|
if (cmd.version != 1) { ws.send(JSON.stringify({ errorText: 'Unsupported version' })); ws.close(); return; }
|
||||||
|
if (typeof cmd.hashes != 'object') { ws.send(JSON.stringify({ errorText: 'Invalid hashes' })); ws.close(); return; }
|
||||||
|
if (typeof cmd.fqdn != 'string') { ws.send(JSON.stringify({ errorText: 'Invalid FQDN' })); ws.close(); return; }
|
||||||
|
|
||||||
|
// Get the current Intel AMT policy
|
||||||
|
var mesh = obj.meshes[ws.meshid];
|
||||||
|
if ((mesh == null) || (mesh.amt == null) || (mesh.amt.type != 3) || (domain.amtacmactivation == null) || (domain.amtacmactivation.acmmatch == null) || (mesh.amt.password == null)) { ws.send(JSON.stringify({ errorText: 'Unable to activate' })); ws.close(); return; }
|
||||||
|
|
||||||
|
// Check if we have a FQDN/Hash match
|
||||||
|
var matchingHash = null, matchingCN = null;
|
||||||
|
for (var i in domain.amtacmactivation.acmmatch) {
|
||||||
|
// Check for a matching FQDN
|
||||||
|
if ((domain.amtacmactivation.acmmatch[i].cn == '*') || (domain.amtacmactivation.acmmatch[i].cn.toLowerCase() == cmd.fqdn)) {
|
||||||
|
// Check for a matching certificate
|
||||||
|
if (cmd.hashes.indexOf(domain.amtacmactivation.acmmatch[i].sha256) >= 0) {
|
||||||
|
matchingCN = domain.amtacmactivation.acmmatch[i].cn;
|
||||||
|
matchingHash = domain.amtacmactivation.acmmatch[i].sha256;
|
||||||
|
continue;
|
||||||
|
} else if (cmd.hashes.indexOf(domain.amtacmactivation.acmmatch[i].sha1) >= 0) {
|
||||||
|
matchingCN = domain.amtacmactivation.acmmatch[i].cn;
|
||||||
|
matchingHash = domain.amtacmactivation.acmmatch[i].sha1;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (matchingHash == null) { ws.send(JSON.stringify({ errorText: 'No matching activation certificates' })); ws.close(); return; }
|
||||||
|
if (matchingCN == '*') { ws.send(JSON.stringify({ errorText: 'Wildcard certificate activation not yet supported' })); ws.close(); return; }
|
||||||
|
cmd.hash = matchingHash;
|
||||||
|
|
||||||
|
// Get the Intel AMT admin password, randomize if needed.
|
||||||
|
var amtpassword = ((mesh.amt.password == '') ? getRandomAmtPassword() : mesh.amt.password);
|
||||||
|
if (checkAmtPassword(amtpassword) == false) { ws.send(JSON.stringify({ errorText: 'Invalid Intel AMT password' })); ws.close(); return; } // Invalid Intel AMT password, this should never happen.
|
||||||
|
|
||||||
|
// Agent is asking the server to sign an Intel AMT ACM activation request
|
||||||
|
var signResponse = parent.certificateOperations.signAcmRequest(domain, cmd, 'admin', amtpassword, ws.remoteaddrport, null, ws.meshid, null, null);
|
||||||
|
ws.send(JSON.stringify(signResponse));
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
default: {
|
||||||
|
// This is not a known command
|
||||||
|
ws.send(JSON.stringify({ errorText: 'Invalid command' })); ws.close(); return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
// If close or error, do nothing.
|
||||||
|
ws.on('error', function (err) { });
|
||||||
|
ws.on('close', function (req) { });
|
||||||
|
}
|
||||||
|
|
||||||
// Handle the web socket echo request, just echo back the data sent
|
// Handle the web socket echo request, just echo back the data sent
|
||||||
function handleEchoWebSocket(ws, req) {
|
function handleEchoWebSocket(ws, req) {
|
||||||
const domain = checkUserIpAddress(ws, req);
|
const domain = checkUserIpAddress(ws, req);
|
||||||
|
@ -2790,6 +2867,11 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Intel AMT ACM activation
|
||||||
|
if ((parent.config.domains[i].amtacmactivation != null) && (parent.config.domains[i].amtacmactivation.acmmatch != null)) {
|
||||||
|
obj.app.ws(url + 'amtactivate', handleAmtActivateWebSocket);
|
||||||
|
}
|
||||||
|
|
||||||
// Creates a login token using the user/pass that is passed in as URL arguments.
|
// Creates a login token using the user/pass that is passed in as URL arguments.
|
||||||
// For example: https://localhost/createLoginToken.ashx?user=admin&pass=admin&a=3
|
// For example: https://localhost/createLoginToken.ashx?user=admin&pass=admin&a=3
|
||||||
// It's not advised to use this to create login tokens since the URL is often logged and you got credentials in the URL.
|
// It's not advised to use this to create login tokens since the URL is often logged and you got credentials in the URL.
|
||||||
|
@ -3165,5 +3247,9 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||||
// Return the query string portion of the URL, the ? and anything after.
|
// Return the query string portion of the URL, the ? and anything after.
|
||||||
function getQueryPortion(req) { var s = req.url.indexOf('?'); if (s == -1) { if (req.body && req.body.urlargs) { return req.body.urlargs; } return ''; } return req.url.substring(s); }
|
function getQueryPortion(req) { var s = req.url.indexOf('?'); if (s == -1) { if (req.body && req.body.urlargs) { return req.body.urlargs; } return ''; } return req.url.substring(s); }
|
||||||
|
|
||||||
|
// Generate a random Intel AMT password
|
||||||
|
function checkAmtPassword(p) { return (p.length > 7) && (/\d/.test(p)) && (/[a-z]/.test(p)) && (/[A-Z]/.test(p)) && (/\W/.test(p)); }
|
||||||
|
function getRandomAmtPassword() { var p; do { p = Buffer.from(obj.crypto.randomBytes(9), 'binary').toString('base64').split('/').join('@'); } while (checkAmtPassword(p) == false); return p; }
|
||||||
|
|
||||||
return obj;
|
return obj;
|
||||||
};
|
};
|
Loading…
Reference in New Issue