From 37418ba6e06162a1a6383eb96279667ab718b33d Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Thu, 15 Jul 2021 10:15:05 -0700
Subject: [PATCH] Fixed Intel AMT ACM certificate matching bug, #2805.
---
 certoperations.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/certoperations.js b/certoperations.js
index 7454d53d..569feabc 100644
--- a/certoperations.js
+++ b/certoperations.js
@@ -49,7 +49,7 @@ module.exports.CertificateOperations = function (parent) {
 if ((certEntry.sha256 == hash) && ((certEntry.cn == '*') || checkAcmActivationCertName(certEntry.cn, fqdn))) { hashAlgo = 'sha256'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
 if ((certEntry.sha1 == hash) && ((certEntry.cn == '*') || checkAcmActivationCertName(certEntry.cn, fqdn))) { hashAlgo = 'sha1'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
 }
- if (signkey == null) return { action: 'acmactivate', error: 2, errorText: "No signing certificate found." }; // Did not find a match.
+ if (signkey == null) return { action: 'acmactivate', error: 2, errorText: "Can't create ACM cert chain, no signing certificate found." }; // Did not find a match.
 
 // If the matching certificate our wildcard root cert, we can use the root to match any FQDN
 if (domain.amtacmactivation.certs[certIndex].cn == '*') {
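Review bot: The error object returned on the changed line uses bare keys (`action:`, `error:`, `errorText:`) while the equivalent return in the second hunk (the -86,10 region) uses quoted keys (`'action':`, `'error':`, `'errorText':`); both produce the same shape, but since the patch touches both lines it could make them consistent. The `(2)` suffix in the second hunk's message is the only thing that distinguishes the two call sites in a log; naming the operation in each message, as this one does with `Can't create ACM cert chain`, is clearer than a numeric tag. The enclosing function begins before this hunk.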
@@ -86,10 +86,10 @@ module.exports.CertificateOperations = function (parent) {
 var signkey = null, certChain = null, hashAlgo = null, certIndex = null;
 for (var i in domain.amtacmactivation.certs) {
 const certEntry = domain.amtacmactivation.certs[i];
- if ((certEntry.sha256 == request.hash) && ((certEntry.cn == '*') || (certEntry.cn == request.fqdn))) { hashAlgo = 'sha256'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
- if ((certEntry.sha1 == request.hash) && ((certEntry.cn == '*') || (certEntry.cn == request.fqdn))) { hashAlgo = 'sha1'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
+ if ((certEntry.sha256 == request.hash) && ((certEntry.cn == '*') || checkAcmActivationCertName(certEntry.cn, request.fqdn))) { hashAlgo = 'sha256'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
+ if ((certEntry.sha1 == request.hash) && ((certEntry.cn == '*') || checkAcmActivationCertName(certEntry.cn, request.fqdn))) { hashAlgo = 'sha1'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
 }
- if (signkey == null) return { 'action': 'acmactivate', 'error': 2, 'errorText': "No signing certificate found." }; // Did not find a match.
+ if (signkey == null) return { 'action': 'acmactivate', 'error': 2, 'errorText': "Can't sign ACM request, no signing certificate found (2)." }; // Did not find a match.
 
 // If the matching certificate our wildcard root cert, we can use the root to match any FQDN
 if (domain.amtacmactivation.certs[certIndex].cn == '*') {
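Review bot: The new `checkAcmActivationCertName(certEntry.cn, request.fqdn)` calls on the two rewritten `if` lines replace an exact `==` compare with a helper that is not in this patch, so the hunk does not show whether the match is case-insensitive (DNS names are; the old compare was not) or how a wildcard CN is bounded (a `*.example.com` entry should cover exactly one label and never the bare domain). `request.fqdn` arrives with the request, so if the helper builds a regular expression from either side the literal must be escaped first; I cannot confirm either point from here. A comment above the loop would help a reader, e.g. `// Select the signing cert by the firmware-reported hash, then by CN: '*' matches any FQDN, otherwise checkAcmActivationCertName() decides`. The sha1 branch is kept on equal footing with sha256; if it is retained only for older firmware, a one-line comment saying so would save the next reader from asking. The enclosing function continues outside the hunk.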