From 0605422ccd4d4638389d9a1b06c3dcb99d0cd004 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Thu, 23 Jun 2022 10:51:39 -0700
Subject: [PATCH] Fixes to agent code signing, #4161
---
 MeshCentralServer.njsproj | 2 --
 authenticode.js | 38 +++++++++++++++++++++++++++-----------
 2 files changed, 27 insertions(+), 13 deletions(-)
diff --git a/MeshCentralServer.njsproj b/MeshCentralServer.njsproj
index 7cbdaf20..64ed15d7 100644
--- a/MeshCentralServer.njsproj
+++ b/MeshCentralServer.njsproj
@@ -261,10 +261,8 @@
-
-
diff --git a/authenticode.js b/authenticode.js
index c2147956..4ee18ee1 100644
--- a/authenticode.js
+++ b/authenticode.js
@@ -408,7 +408,12 @@ function createAuthenticodeHandler(path) {
 // Make an HTTP request
 const http = require('http');
- var options = {
+ const timeServerUrl = new URL(args.time);
+ const options = {
+ protocol: timeServerUrl.protocol,
+ hostname: timeServerUrl.hostname,
+ path: timeServerUrl.pathname,
+ port: ((timeServerUrl.port == '') ? 80 : parseInt(timeServerUrl.port)),
 method: 'POST',
 headers: {
 'accept': 'application/octet-stream',
@@ -421,7 +426,7 @@ function createAuthenticodeHandler(path) {
 // Set up the request
 var responseAccumulator = '';
- var req = http.request(args.time, options, function (res) {
+ var req = http.request(options, function (res) {
 res.setEncoding('utf8');
 res.on('data', function (chunk) { responseAccumulator += chunk; });
 res.on('end', function () {
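Review bot: `const timeServerUrl = new URL(args.time);` in the `@@ -408` hunk throws a TypeError (ERR_INVALID_URL) synchronously when the configured timestamp URL is missing or malformed, and unlike the parse failures elsewhere in this function that error is not routed through `func()`. Guarding it keeps the failure on the same callback path: `let timeServerUrl; try { timeServerUrl = new URL(args.time); } catch (ex) { func('' + ex); return; }`. The enclosing function and the handler this sits in both start and end outside the hunk, so I am assuming `func` is the error callback in scope here as it is on the neighbouring hunks' lines.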
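Review bot: The response callback on the new `var req = http.request(options, function (res) {` line never checks `res.statusCode` before the body is accumulated and later base64-decoded as DER, so an HTTP error page from the timestamp server surfaces as an opaque ASN.1 parse error rather than as the HTTP failure it is. A check at the top of the callback makes the failure actionable: `if (res.statusCode !== 200) { res.resume(); func('Timestamp server returned HTTP ' + res.statusCode); return; }`. The `end` handler and the rest of the request setup, including any `req.on('error')` handler, continue past the end of the hunk, so I cannot see whether connection errors are handled; if they are not, an unhandled `error` event on `req` would take the process down.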
@@ -431,7 +436,7 @@ function createAuthenticodeHandler(path) {
 // Decode the executable signature block
 var pkcs7der = null;
- try { forge.asn1.fromDer(forge.util.createBuffer(Buffer.from(obj.getRawSignatureBlock(), 'base64').toString('binary'))); } catch (ex) { func('' + ex); return; }
+ try { pkcs7der = forge.asn1.fromDer(forge.util.createBuffer(Buffer.from(obj.getRawSignatureBlock(), 'base64').toString('binary'))); } catch (ex) { func('' + ex); return; }
 // Get the ASN1 certificates used to sign the timestamp and add them to the certs in the PKCS7 of the executable
 // TODO: We could look to see if the certificate is already present in the executable
@@ -1294,7 +1299,7 @@ function createAuthenticodeHandler(path) {
 } else {
 // Decode the signature block
 var pkcs7der = null;
- try { forge.asn1.fromDer(forge.util.createBuffer(p7signature)); } catch (ex) { func('' + ex); return; }
+ try { pkcs7der = forge.asn1.fromDer(forge.util.createBuffer(p7signature)); } catch (ex) { func('' + ex); return; }
 // To work around ForgeJS PKCS#7 limitation, this may break PKCS7 verify if ForgeJS adds support for it in the future
 // Switch content type from "1.3.6.1.4.1.311.2.1.4" to "1.2.840.113549.1.7.1"
@@ -1326,7 +1331,12 @@ function createAuthenticodeHandler(path) {
 // Make an HTTP request
 const http = require('http');
- var options = {
+ const timeServerUrl = new URL(args.time);
+ const options = {
+ protocol: timeServerUrl.protocol,
+ hostname: timeServerUrl.hostname,
+ path: timeServerUrl.pathname,
+ port: ((timeServerUrl.port == '') ? 80 : parseInt(timeServerUrl.port)),
 method: 'POST',
 headers: {
 'accept': 'application/octet-stream',
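Review bot: The new `+ try { pkcs7der = … }` line in the `@@ -431` hunk now assigns the parsed block, but `obj.getRawSignatureBlock()` is still passed straight into `Buffer.from(…, 'base64')`; if it can return null or undefined for an executable without a signature (its definition is outside the hunk), the result is a TypeError that is caught and reported through `func('' + ex)` as a generic engine message. An explicit guard gives a useful error instead of relying on the catch: `const rawSig = obj.getRawSignatureBlock(); if (rawSig == null) { func('Executable has no signature block'); return; }`, then decode `rawSig` in the `try`. The surrounding handler continues outside the hunk.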
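Review bot: In the `@@ -1326` hunk the new `options` object forwards `timeServerUrl.protocol` to `http.request` while hard-coding the port fallback to 80; as far as I can tell Node's `http.request` rejects any `protocol` other than `http:` with ERR_INVALID_PROTOCOL, so an `https://` timestamp URL fails synchronously, and even if it got through it would default to port 80. If HTTPS timestamp servers are meant to be supported, pick the client module by scheme and match the default port, e.g. `const client = (timeServerUrl.protocol === 'https:') ? require('https') : http;` and `port: (timeServerUrl.port === '') ? ((timeServerUrl.protocol === 'https:') ? 443 : 80) : parseInt(timeServerUrl.port, 10),`, then call `client.request(...)` on the request line that sits in the following hunk. If only plain HTTP is intended, rejecting other schemes up front with a clear `func()` message is better than surfacing the Node error.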
@@ -1339,13 +1349,13 @@ function createAuthenticodeHandler(path) {
 // Set up the request
 var responseAccumulator = '';
- var req = http.request(args.time, options, function (res) {
+ var req = http.request(options, function (res) {
 res.setEncoding('utf8');
 res.on('data', function (chunk) { responseAccumulator += chunk; });
 res.on('end', function () {
 // Decode the timestamp signature block
- const timepkcs7der = null;
- try { forge.asn1.fromDer(forge.util.createBuffer(Buffer.from(responseAccumulator, 'base64').toString('binary'))); } catch (ex) { func('' + ex); return; }
+ var timepkcs7der = null;
+ try { timepkcs7der = forge.asn1.fromDer(forge.util.createBuffer(Buffer.from(responseAccumulator, 'base64').toString('binary'))); } catch (ex) { func('' + ex); return; }
 // Get the ASN1 certificates used to sign the timestamp and add them to the certs in the PKCS7 of the executable
 // TODO: We could look to see if the certificate is already present in the executable
@@ -1642,7 +1652,12 @@ function createAuthenticodeHandler(path) {
 // Make an HTTP request
 const http = require('http');
- var options = {
+ const timeServerUrl = new URL(args.time);
+ const options = {
+ protocol: timeServerUrl.protocol,
+ hostname: timeServerUrl.hostname,
+ path: timeServerUrl.pathname,
+ port: ((timeServerUrl.port == '') ? 80 : parseInt(timeServerUrl.port)),
 method: 'POST',
 headers: {
 'accept': 'application/octet-stream',
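Review bot: `var timepkcs7der = null;` in the `@@ -1339` hunk reintroduces `var` to fix the old `const timepkcs7der = null;` that could never be assigned, but the same file already uses `const` for `timeServerUrl` in the neighbouring hunk, so `let timepkcs7der = null;` is the consistent, block-scoped choice. The `+ try { timepkcs7der = … } catch (ex) { func('' + ex); return; }` line is otherwise the right fix. One caveat worth a comment on that line: `Buffer.from(responseAccumulator, 'base64')` silently skips characters that are not base64, so a non-timestamp body such as an HTML error page is only detected when forge fails on the resulting bytes, and the error reported through `func` is then the ASN.1 one rather than anything naming the timestamp server.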
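Review bot: `path: timeServerUrl.pathname,` in the `@@ -1642` hunk drops the query string, so a timestamp URL configured with parameters would be requested without them, whereas the removed `http.request(args.time, …)` form sent the full URL. Use `path: timeServerUrl.pathname + timeServerUrl.search,` to preserve it. On the same object, `timeServerUrl.port == ''` and `parseInt(timeServerUrl.port)` happen to work because a `URL` port is always a decimal string or empty, but `timeServerUrl.port === ''` and `parseInt(timeServerUrl.port, 10)` state that intent explicitly. The identical `options` construction in the `@@ -408` and `@@ -1326` hunks would want the same change.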
@@ -1655,12 +1670,13 @@ function createAuthenticodeHandler(path) {
 // Set up the request
 var responseAccumulator = '';
- var req = http.request(args.time, options, function (res) {
+ var req = http.request(options, function (res) {
 res.setEncoding('utf8');
 res.on('data', function (chunk) { responseAccumulator += chunk; });
 res.on('end', function () {
 // Decode the timestamp signature block
- const timepkcs7der = forge.asn1.fromDer(forge.util.createBuffer(Buffer.from(responseAccumulator, 'base64').toString('binary')));
+ var timepkcs7der = null;
+ try { timepkcs7der = forge.asn1.fromDer(forge.util.createBuffer(Buffer.from(responseAccumulator, 'base64').toString('binary'))); } catch (ex) { func('' + ex); return; }
 // Get the ASN1 certificates used to sign the timestamp and add them to the certs in the PKCS7 of the executable
 // TODO: We could look to see if the certificate is already present in the executable
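Review bot: The new `+ try { timepkcs7der = forge.asn1.fromDer(…) } catch (ex) { func('' + ex); return; }` line guards only DER parsing; per the comment that follows, the certificates from the timestamp server's response are then added to the executable's PKCS#7, and nothing in the hunk verifies that the timestamp token is signed by a trusted TSA or that it actually covers this signature. Because the request goes out through the `http` module (plaintext by construction), an on-path attacker between the signing host and the timestamp server can substitute an arbitrary token, and it would be embedded as-is unless verification happens later in the handler, which runs past the end of the hunk. If that verification is absent it should be added before the certificates are merged; if it lives elsewhere, a comment such as `// NOTE: the TSA response is untrusted until its signature and chain are verified below` would save the next reader the search. The `end` handler also decodes the whole accumulated body with no size bound, so a misbehaving server can make the signing process buffer arbitrarily much; a cap on `responseAccumulator.length` in the `data` handler would be cheap.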