From 0d424e42653dd3beac181334f706c7c866c14966 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Thu, 20 Jun 2019 18:23:52 -0700
Subject: [PATCH] Intel AMT ACM activation fully working.

---
 certoperations.js | 36 ++++++++++++++++++++++++++----------
 meshagent.js | 2 +-
 package.json | 2 +-
 sample-config.json | 9 +++++++++
 views/default-min.handlebars | 2 +-
 views/default.handlebars | 2 +-
 6 files changed, 39 insertions(+), 14 deletions(-)

diff --git a/certoperations.js b/certoperations.js
index 754b868f..ef38101a 100644
--- a/certoperations.js
+++ b/certoperations.js
@@ -83,11 +83,28 @@ module.exports.CertificateOperations = function (parent) {
 var acmCerts = [], acmmatch = [];
 if (amtacmactivation.certs != null) {
 for (var j in amtacmactivation.certs) {
- var acmconfig = amtacmactivation.certs[j];
- if (typeof acmconfig.cert != 'string') continue;
- var r = null;
- try { r = obj.loadPfxCertificate(obj.parent.path.join(obj.parent.datapath, acmconfig.cert), acmconfig.certpass); } catch (ex) { console.log(ex); }
- if ((r == null) || (r.certs == null) || (r.keys == null) || (r.certs.length < 2) || (r.keys.length != 1)) continue;
+ var acmconfig = amtacmactivation.certs[j], r = null;
+
+ if ((typeof acmconfig.certpfx == 'string') && (typeof acmconfig.certpfxpass == 'string')) {
+ // P12 format, certpfx and certpfxpass
+ try { r = obj.loadPfxCertificate(obj.parent.path.join(obj.parent.datapath, acmconfig.certpfx), acmconfig.certpfxpass); } catch (ex) { console.log(ex); }
+ if ((r == null) || (r.certs == null) || (r.keys == null) || (r.certs.length < 2) || (r.keys.length != 1)) continue;
+ } else if ((typeof acmconfig.certfiles == 'object') && (typeof acmconfig.keyfile == 'string')) {
+ // PEM format, certfiles and keyfile
+ r = { certs: [], keys: [] };
+ for (var k in acmconfig.certfiles) { r.certs.push(obj.pki.certificateFromPem(obj.fs.readFileSync(obj.parent.path.join(obj.parent.datapath, acmconfig.certfiles[k])))); }
+ r.keys.push(obj.pki.privateKeyFromPem(obj.fs.readFileSync(obj.parent.path.join(obj.parent.datapath, acmconfig.keyfile))));
+ if ((r.certs.length < 2) || (r.keys.length != 1)) continue;
+ }
+
+ /*
+ // Debug: Display all certs & key as PEM
+ for (var k in r.certs) {
+ var cn = r.certs[k].subject.getField('CN');
+ if (cn != null) { console.log(cn.value + '\r\n' + obj.pki.certificateToPem(r.certs[k])); } else { console.log(obj.pki.certificateToPem(r.certs[k])); }
+ }
+ console.log(obj.pki.privateKeyToPem(r.keys[0]));
+ */
 
 // Check if the right OU or OID is present for Intel AMT activation
 var validActivationCert = false;
@@ -164,14 +181,13 @@ module.exports.CertificateOperations = function (parent) {
 // Return the certificate of the remote HTTPS server
 obj.loadPfxCertificate = function (filename, password) {
 var r = { certs: [], keys: [] };
- var pfxbuf = obj.fs.readFileSync(filename);
- var pfxb64 = Buffer.from(pfxbuf).toString('base64');
- var pfxder = obj.forge.util.decode64(pfxb64);
- var asn = obj.forge.asn1.fromDer(pfxder);
- var pfx = obj.forge.pkcs12.pkcs12FromAsn1(asn, true, password);
+ var pfxb64 = Buffer.from(obj.fs.readFileSync(filename)).toString('base64');
+ var pfx = obj.forge.pkcs12.pkcs12FromAsn1(obj.forge.asn1.fromDer(obj.forge.util.decode64(pfxb64)), true, password);
+ // Get the certs from certbags
 var bags = pfx.getBags({ bagType: obj.forge.pki.oids.certBag });
 for (var i = 0; i < bags[obj.forge.pki.oids.certBag].length; i++) { r.certs.push(bags[obj.forge.pki.oids.certBag][i].cert); }
+ // Get shrouded key from key bags
 bags = pfx.getBags({ bagType: obj.forge.pki.oids.pkcs8ShroudedKeyBag });
 for (var i = 0; i < bags[obj.forge.pki.oids.pkcs8ShroudedKeyBag].length; i++) { r.keys.push(bags[obj.forge.pki.oids.pkcs8ShroudedKeyBag][i].key); }
diff --git a/meshagent.js b/meshagent.js
index 612f2c61..7295baab 100644
--- a/meshagent.js
+++ b/meshagent.js
@@ -1232,7 +1232,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
 ChangeAgentCoreInfo({ "intelamt": { user: 'admin', pass: amtpassword, uuid: command.uuid, realm: command.realm } });
 
 // Send the activation response
- //obj.send(JSON.stringify(signResponse));
+ obj.send(JSON.stringify(signResponse));
 }
 break;
 }
diff --git a/package.json b/package.json
index a5c8a87b..e5a254e3 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "meshcentral",
- "version": "0.3.6-r",
+ "version": "0.3.6-s",
 "keywords": [
 "Remote Management",
 "Intel AMT",
diff --git a/sample-config.json b/sample-config.json
index 41261d29..c94da1c2 100644
--- a/sample-config.json
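Review bot: The new PEM branch in the first hunk has no error handling, unlike the PFX branch right above it: a missing or malformed file named in `certfiles`/`keyfile` makes `readFileSync`, `certificateFromPem` or `privateKeyFromPem` throw out of the `for (var j ...)` loop instead of being logged and skipped with `continue`, so one bad entry presumably aborts the whole certificate-loading pass unless something further out catches it (the enclosing function starts and ends outside the hunk). Wrapping the branch in the same try/catch as the PFX path, and testing `Array.isArray(acmconfig.certfiles)` rather than `typeof ... == 'object'` (which also accepts `null`), makes the two paths behave the same and lets you pass an explicit `'utf8'` to `readFileSync` instead of relying on forge coercing a Buffer. Neither branch verifies that `r.keys[0]` actually belongs to the leaf certificate `r.certs[0]`, so a mismatched key/cert pair is only discovered when AMT rejects the signature; comparing the key's modulus with the certificate public key via `obj.pki` would catch that at load time if wanted. The commented-out debug block that dumps the private key with `privateKeyToPem` should be deleted rather than left behind, since uncommenting it prints the ACM signing key to the console/log.
```javascript
} else if (Array.isArray(acmconfig.certfiles) && (typeof acmconfig.keyfile == 'string')) {
    // PEM format, certfiles and keyfile. Parse inside try/catch so a bad file is logged and the entry skipped, as in the PFX branch.
    try {
        r = { certs: [], keys: [] };
        for (var k in acmconfig.certfiles) { r.certs.push(obj.pki.certificateFromPem(obj.fs.readFileSync(obj.parent.path.join(obj.parent.datapath, acmconfig.certfiles[k]), 'utf8'))); }
        r.keys.push(obj.pki.privateKeyFromPem(obj.fs.readFileSync(obj.parent.path.join(obj.parent.datapath, acmconfig.keyfile), 'utf8')));
    } catch (ex) { console.log(ex); r = null; }
    if ((r == null) || (r.certs.length < 2) || (r.keys.length != 1)) continue;
}
// … unchanged: OU/OID activation certificate check …
```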
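Review bot: `loadPfxCertificate` only collects keys from `pkcs8ShroudedKeyBag`, so a PKCS#12 whose private key sits in a plain `keyBag` (which some exporters emit) comes back with `r.keys` empty and the caller then drops the entry on `r.keys.length != 1` without any message; if that case is meant to be supported, add a second pass `bags = pfx.getBags({ bagType: obj.forge.pki.oids.keyBag });` feeding the same `r.keys.push(...)` loop, and otherwise log why the file was rejected. The context comment `// Return the certificate of the remote HTTPS server` above the function no longer describes it; something like `// Load a PKCS#12 file and return its certificates and private key as { certs: [], keys: [] }` would. The Buffer → base64 → `decode64` round trip on the two new lines is a detour, since forge's `asn1.fromDer` accepts a binary string directly: `var pfx = obj.forge.pkcs12.pkcs12FromAsn1(obj.forge.asn1.fromDer(obj.fs.readFileSync(filename).toString('binary')), true, password);`. The function's closing lines fall outside the visible hunk.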
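Review bot: The send on the new line is unconditional, so if `signResponse` (built above the hunk) can be `null` when the server could not produce a signature, `JSON.stringify(null)` ships the literal `null` to the agent after the admin password has already been pushed via `ChangeAgentCoreInfo`; a guard `if (signResponse != null) { obj.send(JSON.stringify(signResponse)); }` would avoid that half-applied state — confirm against how `signResponse` is built. Separately, this path makes the server's ACM provisioning certificate sign on behalf of a connected agent, with `command.uuid` and `command.realm` taken from the agent; whether the requesting agent's mesh is authorized for ACM activation is decided outside the hunk and is worth confirming, and writing the node id and outcome to the `log` file configured under `_AmtAcmActivation` would give an audit trail. The enclosing `case` and function start and end outside the hunk.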
+++ b/sample-config.json
@@ -82,6 +82,15 @@
 "_MaxAgentSessions": 100,
 "MaxSingleUserSessions": 10
 },
+ "_AmtAcmActivation": {
+ "log": "amtactivation.log",
+ "certs": {
+ "mycertname": {
+ "certfiles": [ "amtacm-leafcert.crt", "amtacm-intermediate1.crt", "amtacm-intermediate2.crt", "amtacm-rootcert.crt" ],
+ "keyfile": "amtacm-leafcert.key"
+ }
+ }
+ },
 "_Redirects": {
 "meshcommander": "https://www.meshcommander.com/"
 },
diff --git a/views/default-min.handlebars b/views/default-min.handlebars
index b0de8b95..3e9d90c3 100644
--- a/views/default-min.handlebars
+++ b/views/default-min.handlebars
@@ -9885,7 +9885,7 @@ var QRCode;!function(){function a(a){this.mode=c.MODE_8BIT_BYTE,this.data=a,this
 }
 
 // Attribute: Mesh Agent
- var agentsStr = ['Unknown', 'Windows 32bit console', 'Windows 64bit console', 'Windows 32bit service', 'Windows 64bit service', 'Linux 32bit', 'Linux 64bit', 'MIPS', 'XENx86', 'Android ARM', 'Linux ARM', 'MacOS 32bit', 'Android x86', 'PogoPlug ARM', 'Android APK', 'Linux Poky x86-32bit', 'MacOS 64bit', 'ChromeOS', 'Linux Poky x86-64bit', 'Linux NoKVM x86-32bit', 'Linux NoKVM x86-64bit', 'Windows MinCore console', 'Windows MinCore service', 'NodeJS', 'ARM-Linaro', 'ARMv6l / ARMv7l', 'ARMv8 64bit'];
+ var agentsStr = ['Unknown', 'Windows 32bit console', 'Windows 64bit console', 'Windows 32bit service', 'Windows 64bit service', 'Linux 32bit', 'Linux 64bit', 'MIPS', 'XENx86', 'Android ARM', 'Linux ARM', 'MacOS 32bit', 'Android x86', 'PogoPlug ARM', 'Android APK', 'Linux Poky x86-32bit', 'MacOS 64bit', 'ChromeOS', 'Linux Poky x86-64bit', 'Linux NoKVM x86-32bit', 'Linux NoKVM x86-64bit', 'Windows MinCore console', 'Windows MinCore service', 'NodeJS', 'ARM-Linaro', 'ARMv6l / ARMv7l', 'ARMv8 64bit', 'Unknown', 'Unknown', 'Unknown', 'FreeBSD x86-64'];
 if ((node.agent != null) && (node.agent.id != null) && (node.agent.ver != null)) {
 var str = '';
 if (node.agent.id <= agentsStr.length) { str = agentsStr[node.agent.id]; } else { str = agentsStr[0]; }
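Review bot: The sample only documents the PEM form (`certfiles`/`keyfile`); the P12 form that certoperations.js also accepts in this commit (`certpfx` plus `certpfxpass`) is not shown, so add a sibling entry such as `"mycertname2": { "certpfx": "amtacm.pfx", "certpfxpass": "..." }`. Because `keyfile` (or the PFX, whose password then sits in clear text in this config) is the ACM provisioning key, a `"_comment"` saying that these files are resolved relative to the server data path and must be readable only by the MeshCentral service account would help operators. The loader pushes `certfiles` in the order listed, so the sample should also state the expected order explicitly (leaf first, root last, as the file names here suggest) rather than leave it implied.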
diff --git a/views/default.handlebars b/views/default.handlebars
index e3752366..e4be1101 100644
--- a/views/default.handlebars
+++ b/views/default.handlebars
@@ -3830,7 +3830,7 @@
 }
 
 // Attribute: Mesh Agent
- var agentsStr = ['Unknown', 'Windows 32bit console', 'Windows 64bit console', 'Windows 32bit service', 'Windows 64bit service', 'Linux 32bit', 'Linux 64bit', 'MIPS', 'XENx86', 'Android ARM', 'Linux ARM', 'MacOS 32bit', 'Android x86', 'PogoPlug ARM', 'Android APK', 'Linux Poky x86-32bit', 'MacOS 64bit', 'ChromeOS', 'Linux Poky x86-64bit', 'Linux NoKVM x86-32bit', 'Linux NoKVM x86-64bit', 'Windows MinCore console', 'Windows MinCore service', 'NodeJS', 'ARM-Linaro', 'ARMv6l / ARMv7l', 'ARMv8 64bit'];
+ var agentsStr = ['Unknown', 'Windows 32bit console', 'Windows 64bit console', 'Windows 32bit service', 'Windows 64bit service', 'Linux 32bit', 'Linux 64bit', 'MIPS', 'XENx86', 'Android ARM', 'Linux ARM', 'MacOS 32bit', 'Android x86', 'PogoPlug ARM', 'Android APK', 'Linux Poky x86-32bit', 'MacOS 64bit', 'ChromeOS', 'Linux Poky x86-64bit', 'Linux NoKVM x86-32bit', 'Linux NoKVM x86-64bit', 'Windows MinCore console', 'Windows MinCore service', 'NodeJS', 'ARM-Linaro', 'ARMv6l / ARMv7l', 'ARMv8 64bit', 'Unknown', 'Unknown', 'Unknown', 'FreeBSD x86-64'];
 if ((node.agent != null) && (node.agent.id != null) && (node.agent.ver != null)) {
 var str = '';
 if (node.agent.id <= agentsStr.length) { str = agentsStr[node.agent.id]; } else { str = agentsStr[0]; }
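Review bot: The guard on the last context line, `if (node.agent.id <= agentsStr.length)`, is off by one: with the table now holding 31 entries (ids 0–30), an agent id of 31 indexes past the end and `str` becomes `undefined`, which is then rendered; it should read `if (node.agent.id < agentsStr.length) { str = agentsStr[node.agent.id]; } else { str = agentsStr[0]; }`. The three `'Unknown'` placeholders inserted at ids 27–29 are indistinguishable in the UI from the real unknown at id 0, so a short comment naming what those ids are reserved for, `// ids 27-29: reserved, not yet assigned`, would make the table easier to maintain, and the identical copy in default-min.handlebars has to be kept in sync by hand. The enclosing function starts before the hunk.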