From 15a76d3932117c2caf5afcf29c5430ab80f2060e Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire <ysainthilaire@hotmail.com>
Date: Mon, 15 Aug 2022 21:49:01 -0700
Subject: [PATCH] Added strictCommonName option for matching the Intel AMT ACM
 activation cert.

---
 certoperations.js              | 20 +++++++++++++-------
 meshcentral-config-schema.json |  1 +
 sample-config-advanced.json    |  1 +
 3 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/certoperations.js b/certoperations.js
index 7d552da2..20a5315e 100644
--- a/certoperations.js
+++ b/certoperations.js
@@ -247,14 +247,20 @@ module.exports.CertificateOperations = function (parent) {
                 // Get the certificate common name
                 var certCommonName = r.certs[0].subject.getField('CN');
                 if (certCommonName == null) { amtacmactivation.acmCertErrors.push("Unable to get Intel AMT activation certificate common name."); continue; }
-                var certCommonNameSplit = certCommonName.value.split('.');
-                var topLevel = certCommonNameSplit[certCommonNameSplit.length - 1].toLowerCase();
-                var topLevelNum = TopLevelDomainExtendedSupport[topLevel];
-                if (topLevelNum != null) {
-                    while (certCommonNameSplit.length > topLevelNum) { certCommonNameSplit.shift(); }
-                    acmconfig.cn = certCommonNameSplit.join('.');
-                } else {
+                if (amtacmactivation.strictcommonname == true) {
+                    // Use the certificate common name exactly
                     acmconfig.cn = certCommonName.value;
+                } else {
+                    // Check if Intel AMT will allow some flexibility in the certificate common name
+                    var certCommonNameSplit = certCommonName.value.split('.');
+                    var topLevel = certCommonNameSplit[certCommonNameSplit.length - 1].toLowerCase();
+                    var topLevelNum = TopLevelDomainExtendedSupport[topLevel];
+                    if (topLevelNum != null) {
+                        while (certCommonNameSplit.length > topLevelNum) { certCommonNameSplit.shift(); }
+                        acmconfig.cn = certCommonNameSplit.join('.');
+                    } else {
+                        acmconfig.cn = certCommonName.value;
+                    }
                 }
 
                 delete acmconfig.cert;
diff --git a/meshcentral-config-schema.json b/meshcentral-config-schema.json
index 9a12ff20..01d02fdd 100644
--- a/meshcentral-config-schema.json
+++ b/meshcentral-config-schema.json
@@ -934,6 +934,7 @@
             "additionalProperties": false,
             "properties": {
               "log": { "type": "string" },
+              "strictCommonName": { "type": "boolean", "default": false, "description": "When set to true, the certificate common name needs to match exactly the Intel AMT trusted FQDN or DHCP Option 15. If false, some flexibility may be given to the matching." },
               "certs": {
                 "type": "object",
                 "additionalProperties": {
diff --git a/sample-config-advanced.json b/sample-config-advanced.json
index f1dbf89e..53eac102 100644
--- a/sample-config-advanced.json
+++ b/sample-config-advanced.json
@@ -367,6 +367,7 @@
       ],
       "_amtAcmActivation": {
         "log": "amtactivation.log",
+        "strictCommonName": false,
         "certs": {
           "mycertname": {
             "certfiles": [