From 15a76d3932117c2caf5afcf29c5430ab80f2060e Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Mon, 15 Aug 2022 21:49:01 -0700
Subject: [PATCH] Added strictCommonName option for matching the Intel AMT ACM activation cert.
---
 certoperations.js | 20 +++++++++++++-------
 meshcentral-config-schema.json | 1 +
 sample-config-advanced.json | 1 +
 3 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/certoperations.js b/certoperations.js
index 7d552da2..20a5315e 100644
--- a/certoperations.js
+++ b/certoperations.js
@@ -247,14 +247,20 @@ module.exports.CertificateOperations = function (parent) {
 // Get the certificate common name
 var certCommonName = r.certs[0].subject.getField('CN');
 if (certCommonName == null) { amtacmactivation.acmCertErrors.push("Unable to get Intel AMT activation certificate common name."); continue; }
- var certCommonNameSplit = certCommonName.value.split('.');
- var topLevel = certCommonNameSplit[certCommonNameSplit.length - 1].toLowerCase();
- var topLevelNum = TopLevelDomainExtendedSupport[topLevel];
- if (topLevelNum != null) {
- while (certCommonNameSplit.length > topLevelNum) { certCommonNameSplit.shift(); }
- acmconfig.cn = certCommonNameSplit.join('.');
- } else {
+ if (amtacmactivation.strictcommonname == true) {
+ // Use the certificate common name exactly
 acmconfig.cn = certCommonName.value;
+ } else {
+ // Check if Intel AMT will allow some flexibility in the certificate common name
+ var certCommonNameSplit = certCommonName.value.split('.');
+ var topLevel = certCommonNameSplit[certCommonNameSplit.length - 1].toLowerCase();
+ var topLevelNum = TopLevelDomainExtendedSupport[topLevel];
+ if (topLevelNum != null) {
+ while (certCommonNameSplit.length > topLevelNum) { certCommonNameSplit.shift(); }
+ acmconfig.cn = certCommonNameSplit.join('.');
+ } else {
+ acmconfig.cn = certCommonName.value;
+ }
 }
 delete acmconfig.cert;
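Review bot: The new condition reads `amtacmactivation.strictcommonname == true` while the schema and sample config introduce the key as `strictCommonName`; this only lines up if the config loader lower-cases keys before this code runs, which is not visible in the hunk and should be confirmed, and `=== true` would make the boolean intent explicit. The non-strict branch remains the default and deliberately shortens the CN to its trailing labels, so the comment should say why rather than "some flexibility", e.g. `// Non-strict (default): for TLDs listed in TopLevelDomainExtendedSupport keep only the trailing labels of the CN; acmconfig.cn is then a shorter name than the certificate actually carries (how it is matched later is outside this hunk)`. Separately, `TopLevelDomainExtendedSupport[topLevel]` is an unguarded lookup on a plain object, so a CN whose last label is an Object.prototype name such as `constructor` yields a non-null `topLevelNum` and takes the shortening branch (harmlessly today, since the numeric comparison is then false); `Object.prototype.hasOwnProperty.call(TopLevelDomainExtendedSupport, topLevel)` is the safer test, though the CN comes from an operator-supplied certificate so the impact is low. The enclosing loop and the CertificateOperations function both start before this hunk.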
diff --git a/meshcentral-config-schema.json b/meshcentral-config-schema.json
index 9a12ff20..01d02fdd 100644
--- a/meshcentral-config-schema.json
+++ b/meshcentral-config-schema.json
@@ -934,6 +934,7 @@
 "additionalProperties": false,
 "properties": {
 "log": { "type": "string" },
+ "strictCommonName": { "type": "boolean", "default": false, "description": "When set to true, the certificate common name needs to match exactly the Intel AMT trusted FQDN or DHCP Option 15. If false, some flexibility may be given to the matching." },
 "certs": {
 "type": "object",
 "additionalProperties": {
diff --git a/sample-config-advanced.json b/sample-config-advanced.json
index f1dbf89e..53eac102 100644
--- a/sample-config-advanced.json
+++ b/sample-config-advanced.json
@@ -367,6 +367,7 @@
 ],
 "_amtAcmActivation": {
 "log": "amtactivation.log",
+ "strictCommonName": false,
 "certs": {
 "mycertname": {
 "certfiles": [
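Review bot: The `strictCommonName` description leaves "some flexibility" undefined, which is exactly what an operator deciding whether to turn on the stricter setting needs to know, and the default keeps the lax behaviour. I would state what the non-strict path does in terms of the code, e.g. `"description": "When true, the certificate common name must exactly match the Intel AMT trusted FQDN or DHCP Option 15 domain. When false (default), for top-level domains listed in the server's TopLevelDomainExtendedSupport table the leading labels of the common name are dropped and only its trailing labels are used for matching."`. That makes the trade-off of the default visible in the schema rather than only in certoperations.js.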