external/MeshCentral
1
0
Fork 0
mirror of https://github.com/Ylianst/MeshCentral.git synced 2025-02-14 12:01:52 +00:00
Code Issues Releases Wiki Activity

Fixes to agent code signing, #4161

Browse source
This commit is contained in:
Ylian Saint-Hilaire 2022-06-23 10:51:39 -07:00
parent 9372f7666c
commit 0605422ccd
2 changed files with 27 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
MeshCentralServer.njsproj
View file

@ -261,10 +261,8 @@
<Content Include="agents\MeshCommander-Small.gz" /> <Content Include="agents\MeshCommander-Small.gz" />
<Content Include="agents\meshinstall-initd.sh" /> <Content Include="agents\meshinstall-initd.sh" />
<Content Include="agents\meshinstall-linux.sh" /> <Content Include="agents\meshinstall-linux.sh" />
<Content Include="agents\MeshService-signed.exe" />
<Content Include="agents\MeshService.exe" /> <Content Include="agents\MeshService.exe" />
<Content Include="agents\MeshService.pdb" /> <Content Include="agents\MeshService.pdb" />
<Content Include="agents\MeshService64-signed.exe" />
<Content Include="agents\MeshService64.exe" /> <Content Include="agents\MeshService64.exe" />
<Content Include="agents\MeshService64.pdb" /> <Content Include="agents\MeshService64.pdb" />
<Content Include="agents\modules_meshcore\coretranslations.json" /> <Content Include="agents\modules_meshcore\coretranslations.json" />

38
authenticode.js
View file

@ -408,7 +408,12 @@ function createAuthenticodeHandler(path) {
// Make an HTTP request // Make an HTTP request
const http = require('http'); const http = require('http');
var options = { const timeServerUrl = new URL(args.time);
const options = {
protocol: timeServerUrl.protocol,
hostname: timeServerUrl.hostname,
path: timeServerUrl.pathname,
port: ((timeServerUrl.port == '') ? 80 : parseInt(timeServerUrl.port)),
method: 'POST', method: 'POST',
headers: { headers: {
'accept': 'application/octet-stream', 'accept': 'application/octet-stream',
@ -421,7 +426,7 @@ function createAuthenticodeHandler(path) {
// Set up the request // Set up the request
var responseAccumulator = ''; var responseAccumulator = '';
var req = http.request(args.time, options, function (res) { var req = http.request(options, function (res) {
res.setEncoding('utf8'); res.setEncoding('utf8');
res.on('data', function (chunk) { responseAccumulator += chunk; }); res.on('data', function (chunk) { responseAccumulator += chunk; });
res.on('end', function () { res.on('end', function () {
@ -431,7 +436,7 @@ function createAuthenticodeHandler(path) {
// Decode the executable signature block // Decode the executable signature block
var pkcs7der = null; var pkcs7der = null;
try { forge.asn1.fromDer(forge.util.createBuffer(Buffer.from(obj.getRawSignatureBlock(), 'base64').toString('binary'))); } catch (ex) { func('' + ex); return; } try { pkcs7der = forge.asn1.fromDer(forge.util.createBuffer(Buffer.from(obj.getRawSignatureBlock(), 'base64').toString('binary'))); } catch (ex) { func('' + ex); return; }
// Get the ASN1 certificates used to sign the timestamp and add them to the certs in the PKCS7 of the executable // Get the ASN1 certificates used to sign the timestamp and add them to the certs in the PKCS7 of the executable
// TODO: We could look to see if the certificate is already present in the executable // TODO: We could look to see if the certificate is already present in the executable
@ -1294,7 +1299,7 @@ function createAuthenticodeHandler(path) {
} else { } else {
// Decode the signature block // Decode the signature block
var pkcs7der = null; var pkcs7der = null;
try { forge.asn1.fromDer(forge.util.createBuffer(p7signature)); } catch (ex) { func('' + ex); return; } try { pkcs7der = forge.asn1.fromDer(forge.util.createBuffer(p7signature)); } catch (ex) { func('' + ex); return; }
// To work around ForgeJS PKCS#7 limitation, this may break PKCS7 verify if ForgeJS adds support for it in the future // To work around ForgeJS PKCS#7 limitation, this may break PKCS7 verify if ForgeJS adds support for it in the future
// Switch content type from "1.3.6.1.4.1.311.2.1.4" to "1.2.840.113549.1.7.1" // Switch content type from "1.3.6.1.4.1.311.2.1.4" to "1.2.840.113549.1.7.1"
@ -1326,7 +1331,12 @@ function createAuthenticodeHandler(path) {
// Make an HTTP request // Make an HTTP request
const http = require('http'); const http = require('http');
var options = { const timeServerUrl = new URL(args.time);
const options = {
protocol: timeServerUrl.protocol,
hostname: timeServerUrl.hostname,
path: timeServerUrl.pathname,
port: ((timeServerUrl.port == '') ? 80 : parseInt(timeServerUrl.port)),
method: 'POST', method: 'POST',
headers: { headers: {
'accept': 'application/octet-stream', 'accept': 'application/octet-stream',
@ -1339,13 +1349,13 @@ function createAuthenticodeHandler(path) {
// Set up the request // Set up the request
var responseAccumulator = ''; var responseAccumulator = '';
var req = http.request(args.time, options, function (res) { var req = http.request(options, function (res) {
res.setEncoding('utf8'); res.setEncoding('utf8');
res.on('data', function (chunk) { responseAccumulator += chunk; }); res.on('data', function (chunk) { responseAccumulator += chunk; });
res.on('end', function () { res.on('end', function () {
// Decode the timestamp signature block // Decode the timestamp signature block
const timepkcs7der = null; var timepkcs7der = null;
try { forge.asn1.fromDer(forge.util.createBuffer(Buffer.from(responseAccumulator, 'base64').toString('binary'))); } catch (ex) { func('' + ex); return; } try { timepkcs7der = forge.asn1.fromDer(forge.util.createBuffer(Buffer.from(responseAccumulator, 'base64').toString('binary'))); } catch (ex) { func('' + ex); return; }
// Get the ASN1 certificates used to sign the timestamp and add them to the certs in the PKCS7 of the executable // Get the ASN1 certificates used to sign the timestamp and add them to the certs in the PKCS7 of the executable
// TODO: We could look to see if the certificate is already present in the executable // TODO: We could look to see if the certificate is already present in the executable
@ -1642,7 +1652,12 @@ function createAuthenticodeHandler(path) {
// Make an HTTP request // Make an HTTP request
const http = require('http'); const http = require('http');
var options = { const timeServerUrl = new URL(args.time);
const options = {
protocol: timeServerUrl.protocol,
hostname: timeServerUrl.hostname,
path: timeServerUrl.pathname,
port: ((timeServerUrl.port == '') ? 80 : parseInt(timeServerUrl.port)),
method: 'POST', method: 'POST',
headers: { headers: {
'accept': 'application/octet-stream', 'accept': 'application/octet-stream',
@ -1655,12 +1670,13 @@ function createAuthenticodeHandler(path) {
// Set up the request // Set up the request
var responseAccumulator = ''; var responseAccumulator = '';
var req = http.request(args.time, options, function (res) { var req = http.request(options, function (res) {
res.setEncoding('utf8'); res.setEncoding('utf8');
res.on('data', function (chunk) { responseAccumulator += chunk; }); res.on('data', function (chunk) { responseAccumulator += chunk; });
res.on('end', function () { res.on('end', function () {
// Decode the timestamp signature block // Decode the timestamp signature block
const timepkcs7der = forge.asn1.fromDer(forge.util.createBuffer(Buffer.from(responseAccumulator, 'base64').toString('binary'))); var timepkcs7der = null;
try { timepkcs7der = forge.asn1.fromDer(forge.util.createBuffer(Buffer.from(responseAccumulator, 'base64').toString('binary'))); } catch (ex) { func('' + ex); return; }
// Get the ASN1 certificates used to sign the timestamp and add them to the certs in the PKCS7 of the executable // Get the ASN1 certificates used to sign the timestamp and add them to the certs in the PKCS7 of the executable
// TODO: We could look to see if the certificate is already present in the executable // TODO: We could look to see if the certificate is already present in the executable