From bafad4310b10816a2547b241c2daf99dac7fc3b1 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Thu, 1 Jul 2021 15:20:39 -0700
Subject: [PATCH] Improved Intel AMT ACM certificate matching.

---
 amtmanager.js | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/amtmanager.js b/amtmanager.js
index 3b278f1c..ebc4f40b 100644
--- a/amtmanager.js
+++ b/amtmanager.js
@@ -2003,7 +2003,7 @@ module.exports.CreateAmtManager = function (parent) {
 // Find a matching certificate
 for (var i in activationCerts) {
 var cert = activationCerts[i];
- if ((cert.cn == '*') || (cert.cn == trustedFqdn)) {
+ if ((cert.cn == '*') || checkAcmActivationCertName(cert.cn, trustedFqdn)) {
 for (var j in deviceHashes) {
 var hashInfo = deviceHashes[j];
 if ((hashInfo != null) && (hashInfo.isActive == 1)) {
@@ -2016,6 +2016,14 @@ module.exports.CreateAmtManager = function (parent) {
 return null; // Did not find a match
 }
 
+ // Return true if the trusted FQDN matched the certificate common name
+ function checkAcmActivationCertName(commonName, trustedFqdn) {
+ commonName = commonName.toLowerCase();
+ trustedFqdn = trustedFqdn.toLowerCase();
+ if (commonName.startsWith('*.') && (commonName.length > 2)) { commonName = commonName.substring(2); }
+ return ((commonName == trustedFqdn) || (trustedFqdn.endsWith('.' + commonName)));
+ }
+
 // Attempt Intel AMT TLS ACM activation
 function activateIntelAmtTlsAcm(dev, password, acminfo) {
 // Check if MeshAgent/MeshCMD can support the startConfigurationhostB() call.
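Review bot: In checkAcmActivationCertName the non-wildcard case is also suffix-matched, because the return line accepts any trustedFqdn that ends in `'.' + commonName`, so a certificate with CN `example.com` now matches `host.example.com` where the replaced line in the first hunk required an exact match; once the `*.` prefix is stripped, a wildcard CN and its bare-domain form behave identically, and both match across several labels (`a.b.example.com`). If that broadening is the intended Intel AMT ACM domain-suffix rule, the comment should state it rather than "matched": `// A CN (wildcard or not) matches when it equals the trusted FQDN or is a dot-separated suffix of it`. The function also throws a TypeError when either argument is not a string, and the `cert.cn == '*'` short-circuit at the call site does not cover a missing trustedFqdn; consider `if ((typeof commonName !== 'string') || (typeof trustedFqdn !== 'string')) return false;` as the first line. Both hunks sit inside CreateAmtManager, whose body starts and ends outside this patch.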