From 0b08c610beaed490d09a2c34f0d97f4427653d0f Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Sun, 4 Jul 2021 11:58:15 -0700
Subject: [PATCH] Fixed ACM activation with wildcard certs.

---
 certoperations.js | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/certoperations.js b/certoperations.js
index 4e827bd0..7454d53d 100644
--- a/certoperations.js
+++ b/certoperations.js
@@ -28,6 +28,14 @@ module.exports.CertificateOperations = function (parent) {
 const TopLevelDomainExtendedSupport = { 'net': 2, 'com': 2, 'arpa': 3, 'org': 2, 'gov': 2, 'edu': 2, 'de': 2, 'fr': 3, 'cn': 3, 'nl': 3, 'br': 3, 'mx': 3, 'uk': 3, 'pl': 3, 'tw': 3, 'ca': 3, 'fi': 3, 'be': 3, 'ru': 3, 'se': 3, 'ch': 2, 'dk': 2, 'ar': 3, 'es': 3, 'no': 3, 'at': 3, 'in': 3, 'tr': 3, 'cz': 2, 'ro': 3, 'hu': 3, 'nz': 3, 'pt': 3, 'il': 3, 'gr': 3, 'co': 3, 'ie': 3, 'za': 3, 'th': 3, 'sg': 3, 'hk': 3, 'cl': 2, 'lt': 3, 'id': 3, 'hr': 3, 'ee': 3, 'bg': 3, 'ua': 2 };
+ // Return true if the trusted FQDN matched the certificate common name
+ function checkAcmActivationCertName(commonName, trustedFqdn) {
+ commonName = commonName.toLowerCase();
+ trustedFqdn = trustedFqdn.toLowerCase();
+ if (commonName.startsWith('*.') && (commonName.length > 2)) { commonName = commonName.substring(2); }
+ return ((commonName == trustedFqdn) || (trustedFqdn.endsWith('.' + commonName)));
+ }
+
 // Sign a Intel AMT TLS ACM activation request
 obj.getAcmCertChain = function (domain, fqdn, hash) {
 if ((domain == null) || (domain.amtacmactivation == null) || (domain.amtacmactivation.certs == null) || (fqdn == null) || (hash == null)) return { action: 'acmactivate', error: 1, errorText: 'Invalid arguments' };
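Review bot: The suffix test in `checkAcmActivationCertName` runs whether or not the common name had a `*.` prefix, so a plain certificate for `example.com` now also satisfies an activation request for `host.example.com`, and a wildcard `*.example.com` accepts any depth (`a.b.example.com`) rather than the single label a wildcard name covers. Because this decides which key signs an ACM activation, the match should be exact for non-wildcard names and one-label for wildcards. The helper also calls `commonName.toLowerCase()` unconditionally, so a cert entry without a `cn` now throws a TypeError from the two call sites in the next hunk, where the old `certEntry.cn == fqdn` simply failed to match; returning false for non-string input keeps that behaviour. A rewrite with the same name and signature follows.
```javascript
// Return true if the trusted FQDN matched the certificate common name.
// A non-wildcard name must match exactly; a wildcard '*.example.com' matches
// exactly one extra label (host.example.com, not a.b.example.com).
function checkAcmActivationCertName(commonName, trustedFqdn) {
    if ((typeof commonName != 'string') || (typeof trustedFqdn != 'string')) return false;
    commonName = commonName.toLowerCase();
    trustedFqdn = trustedFqdn.toLowerCase();
    if (commonName == trustedFqdn) return true;
    if (!commonName.startsWith('*.') || (commonName.length <= 2)) return false;
    const suffix = commonName.substring(1); // '.example.com'
    if (!trustedFqdn.endsWith(suffix)) return false;
    const leftmost = trustedFqdn.substring(0, trustedFqdn.length - suffix.length);
    return ((leftmost.length > 0) && (leftmost.indexOf('.') == -1));
}
```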
@@ -38,8 +46,8 @@ module.exports.CertificateOperations = function (parent) {
 var signkey = null, certChain = null, hashAlgo = null, certIndex = null;
 for (var i in domain.amtacmactivation.certs) {
 const certEntry = domain.amtacmactivation.certs[i];
- if ((certEntry.sha256 == hash) && ((certEntry.cn == '*') || (certEntry.cn == fqdn))) { hashAlgo = 'sha256'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
- if ((certEntry.sha1 == hash) && ((certEntry.cn == '*') || (certEntry.cn == fqdn))) { hashAlgo = 'sha1'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
+ if ((certEntry.sha256 == hash) && ((certEntry.cn == '*') || checkAcmActivationCertName(certEntry.cn, fqdn))) { hashAlgo = 'sha256'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
+ if ((certEntry.sha1 == hash) && ((certEntry.cn == '*') || checkAcmActivationCertName(certEntry.cn, fqdn))) { hashAlgo = 'sha1'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
 }
 if (signkey == null) return { action: 'acmactivate', error: 2, errorText: "No signing certificate found." }; // Did not find a match.
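Review bot: The two rewritten `if` lines repeat the whole name check `(certEntry.cn == '*') || checkAcmActivationCertName(certEntry.cn, fqdn)` verbatim, differing only in the hash field and algorithm string, which makes it easy for a later fix to the matching rule to land on one line and not the other. Computing it once per entry, `const nameOk = (certEntry.cn == '*') || checkAcmActivationCertName(certEntry.cn, fqdn);`, and then testing `if ((certEntry.sha256 == hash) && nameOk)` and `if ((certEntry.sha1 == hash) && nameOk)` keeps the two branches in step. The `'*'` catch-all entry and the loose `==` hash comparison are unchanged by this commit; note only that `fqdn` comes from the activation request while `cn` comes from the domain config, so `nameOk` is the only per-request trust decision in this loop. The enclosing `getAcmCertChain` function starts before this hunk.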