Improved Intel AMT ACM cert chain creation errors.
This commit is contained in:
parent
ec7f891a91
commit
db707b6525
|
@ -168,6 +168,7 @@ module.exports.CertificateOperations = function (parent) {
|
||||||
obj.loadIntelAmtAcmCerts = function (amtacmactivation) {
|
obj.loadIntelAmtAcmCerts = function (amtacmactivation) {
|
||||||
if (amtacmactivation == null) return;
|
if (amtacmactivation == null) return;
|
||||||
var acmCerts = [], acmmatch = [];
|
var acmCerts = [], acmmatch = [];
|
||||||
|
amtacmactivation.acmCertErrors = [];
|
||||||
if (amtacmactivation.certs != null) {
|
if (amtacmactivation.certs != null) {
|
||||||
for (var j in amtacmactivation.certs) {
|
for (var j in amtacmactivation.certs) {
|
||||||
if (j.startsWith('_')) continue; // Skip any certificates that start with underscore as the name.
|
if (j.startsWith('_')) continue; // Skip any certificates that start with underscore as the name.
|
||||||
|
@ -175,14 +176,21 @@ module.exports.CertificateOperations = function (parent) {
|
||||||
|
|
||||||
if ((typeof acmconfig.certpfx == 'string') && (typeof acmconfig.certpfxpass == 'string')) {
|
if ((typeof acmconfig.certpfx == 'string') && (typeof acmconfig.certpfxpass == 'string')) {
|
||||||
// P12 format, certpfx and certpfxpass
|
// P12 format, certpfx and certpfxpass
|
||||||
try { r = obj.loadPfxCertificate(parent.common.joinPath(obj.parent.datapath, acmconfig.certpfx), acmconfig.certpfxpass); } catch (ex) { console.log(ex); }
|
const certFilePath = parent.common.joinPath(obj.parent.datapath, acmconfig.certpfx);
|
||||||
if ((r == null) || (r.certs == null) || (r.keys == null) || (r.certs.length < 2) || (r.keys.length != 1)) continue;
|
try { r = obj.loadPfxCertificate(certFilePath, acmconfig.certpfxpass); } catch (ex) { console.log(ex); }
|
||||||
|
if ((r == null) || (r.certs == null) || (r.keys == null)) { amtacmactivation.acmCertErrors.push("Unable to load certificate file: " + certFilePath + "."); continue; }
|
||||||
|
if (r.certs.length < 2) { amtacmactivation.acmCertErrors.push("Certificate file contains less then 2 certificates: " + certFilePath + "."); continue; }
|
||||||
|
if (r.keys.length != 1) { amtacmactivation.acmCertErrors.push("Certificate file must contain exactly one private key: " + certFilePath + "."); continue; }
|
||||||
} else if ((typeof acmconfig.certfiles == 'object') && (typeof acmconfig.keyfile == 'string')) {
|
} else if ((typeof acmconfig.certfiles == 'object') && (typeof acmconfig.keyfile == 'string')) {
|
||||||
// PEM format, certfiles and keyfile
|
// PEM format, certfiles and keyfile
|
||||||
r = { certs: [], keys: [] };
|
r = { certs: [], keys: [] };
|
||||||
for (var k in acmconfig.certfiles) { r.certs.push(obj.pki.certificateFromPem(obj.fs.readFileSync(parent.common.joinPath(obj.parent.datapath, acmconfig.certfiles[k])))); }
|
for (var k in acmconfig.certfiles) {
|
||||||
|
const certFilePath = parent.common.joinPath(obj.parent.datapath, acmconfig.certfiles[k]);
|
||||||
|
try { r.certs.push(obj.pki.certificateFromPem(obj.fs.readFileSync(certFilePath))); } catch (ex) { amtacmactivation.acmCertErrors.push("Unable to load certificate file: " + certFilePath + "."); }
|
||||||
|
}
|
||||||
r.keys.push(obj.pki.privateKeyFromPem(obj.fs.readFileSync(parent.common.joinPath(obj.parent.datapath, acmconfig.keyfile))));
|
r.keys.push(obj.pki.privateKeyFromPem(obj.fs.readFileSync(parent.common.joinPath(obj.parent.datapath, acmconfig.keyfile))));
|
||||||
if ((r.certs.length < 2) || (r.keys.length != 1)) continue;
|
if (r.certs.length < 2) { amtacmactivation.acmCertErrors.push("Certificate file contains less then 2 certificates: " + certFilePath + "."); continue; }
|
||||||
|
if (r.keys.length != 1) { amtacmactivation.acmCertErrors.push("Certificate file must contain exactly one private key: " + certFilePath + "."); continue; }
|
||||||
}
|
}
|
||||||
|
|
||||||
// Reorder the certificates from leaf to root.
|
// Reorder the certificates from leaf to root.
|
||||||
|
@ -198,12 +206,12 @@ module.exports.CertificateOperations = function (parent) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (orderingError == true) continue;
|
if (orderingError == true) { amtacmactivation.acmCertErrors.push("Unable to order Intel AMT ACM activation certificates to create a full chain."); continue; }
|
||||||
r.certs = or;
|
r.certs = or;
|
||||||
|
|
||||||
// Check that the certificate and private key match
|
// Check that the certificate and private key match
|
||||||
if ((compareArrays(r.certs[0].publicKey.n.data, r.keys[0].n.data) == false) || (compareArrays(r.certs[0].publicKey.e.data, r.keys[0].e.data) == false)) {
|
if ((compareArrays(r.certs[0].publicKey.n.data, r.keys[0].n.data) == false) || (compareArrays(r.certs[0].publicKey.e.data, r.keys[0].e.data) == false)) {
|
||||||
parent.addServerWarning('Intel AMT activation certificate provided with a mismatching private key.');
|
amtacmactivation.acmCertErrors.push("Intel AMT activation certificate provided with a mismatching private key.");
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -221,11 +229,11 @@ module.exports.CertificateOperations = function (parent) {
|
||||||
for (var k in r.certs[0].extensions) { if (r.certs[0].extensions[k]['2.16.840.1.113741.1.2.3'] == true) { validActivationCert = true; } }
|
for (var k in r.certs[0].extensions) { if (r.certs[0].extensions[k]['2.16.840.1.113741.1.2.3'] == true) { validActivationCert = true; } }
|
||||||
var orgName = r.certs[0].subject.getField('OU');
|
var orgName = r.certs[0].subject.getField('OU');
|
||||||
if ((orgName != null) && (orgName.value == 'Intel(R) Client Setup Certificate')) { validActivationCert = true; }
|
if ((orgName != null) && (orgName.value == 'Intel(R) Client Setup Certificate')) { validActivationCert = true; }
|
||||||
if (validActivationCert == false) continue;
|
if (validActivationCert == false) { amtacmactivation.acmCertErrors.push("Intel AMT activation certificate must have usage OID \"2.16.840.1.113741.1.2.3\" or organization name \"Intel(R) Client Setup Certificate\"."); continue; }
|
||||||
|
|
||||||
// Compute the SHA256 and SHA1 hashes of the root certificate
|
// Compute the SHA256 and SHA1 hashes of the root certificate
|
||||||
for (var k in r.certs) {
|
for (var k in r.certs) {
|
||||||
if (r.certs[k].subject.hash != r.certs[k].issuer.hash) continue;
|
if (r.certs[k].subject.hash != r.certs[k].issuer.hash) { amtacmactivation.acmCertErrors.push("Invalid Intel AMT ACM certificate chain."); continue; }
|
||||||
const certdata = obj.forge.asn1.toDer(obj.pki.certificateToAsn1(r.certs[k])).data;
|
const certdata = obj.forge.asn1.toDer(obj.pki.certificateToAsn1(r.certs[k])).data;
|
||||||
var md = obj.forge.md.sha256.create();
|
var md = obj.forge.md.sha256.create();
|
||||||
md.update(certdata);
|
md.update(certdata);
|
||||||
|
@ -234,11 +242,11 @@ module.exports.CertificateOperations = function (parent) {
|
||||||
md.update(certdata);
|
md.update(certdata);
|
||||||
acmconfig.sha1 = Buffer.from(md.digest().getBytes(), 'binary').toString('hex');
|
acmconfig.sha1 = Buffer.from(md.digest().getBytes(), 'binary').toString('hex');
|
||||||
}
|
}
|
||||||
if ((acmconfig.sha1 == null) || (acmconfig.sha256 == null)) continue;
|
if ((acmconfig.sha1 == null) || (acmconfig.sha256 == null)) { amtacmactivation.acmCertErrors.push("Unable to compute Intel AMT activation certificate SHA1 and SHA256 hashes."); continue; }
|
||||||
|
|
||||||
// Get the certificate common name
|
// Get the certificate common name
|
||||||
var certCommonName = r.certs[0].subject.getField('CN');
|
var certCommonName = r.certs[0].subject.getField('CN');
|
||||||
if (certCommonName == null) continue;
|
if (certCommonName == null) { amtacmactivation.acmCertErrors.push("Unable to get Intel AMT activation certificate common name."); continue; }
|
||||||
var certCommonNameSplit = certCommonName.value.split('.');
|
var certCommonNameSplit = certCommonName.value.split('.');
|
||||||
var topLevel = certCommonNameSplit[certCommonNameSplit.length - 1].toLowerCase();
|
var topLevel = certCommonNameSplit[certCommonNameSplit.length - 1].toLowerCase();
|
||||||
var topLevelNum = TopLevelDomainExtendedSupport[topLevel];
|
var topLevelNum = TopLevelDomainExtendedSupport[topLevel];
|
||||||
|
|
|
@ -1491,7 +1491,7 @@ function CreateMeshCentralServer(config, args) {
|
||||||
// Load any Intel AMT ACM activation certificates
|
// Load any Intel AMT ACM activation certificates
|
||||||
if (obj.config.domains[i].amtacmactivation == null) { obj.config.domains[i].amtacmactivation = {}; }
|
if (obj.config.domains[i].amtacmactivation == null) { obj.config.domains[i].amtacmactivation = {}; }
|
||||||
obj.certificateOperations.loadIntelAmtAcmCerts(obj.config.domains[i].amtacmactivation);
|
obj.certificateOperations.loadIntelAmtAcmCerts(obj.config.domains[i].amtacmactivation);
|
||||||
|
if (obj.config.domains[i].amtacmactivation.acmCertErrors != null) { for (var j in obj.config.domains[i].amtacmactivation.acmCertErrors) { obj.addServerWarning(obj.config.domains[i].amtacmactivation.acmCertErrors[j]); } }
|
||||||
if (typeof obj.config.domains[i].certurl == 'string') {
|
if (typeof obj.config.domains[i].certurl == 'string') {
|
||||||
obj.supportsProxyCertificatesRequest = true; // If a certurl is set, enable proxy cert requests
|
obj.supportsProxyCertificatesRequest = true; // If a certurl is set, enable proxy cert requests
|
||||||
// Then, fix the URL and add 'https://' if needed
|
// Then, fix the URL and add 'https://' if needed
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{
|
{
|
||||||
"name": "meshcentral",
|
"name": "meshcentral",
|
||||||
"version": "0.9.88",
|
"version": "0.9.89",
|
||||||
"keywords": [
|
"keywords": [
|
||||||
"Remote Device Management",
|
"Remote Device Management",
|
||||||
"Remote Device Monitoring",
|
"Remote Device Monitoring",
|
||||||
|
|
Loading…
Reference in New Issue