From 3dd8531ef959343e179d0fa669c32ab9569e50a4 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Thu, 21 Jul 2022 17:17:08 -0700
Subject: [PATCH] Added code to skip the agent code signing certificate if missing and getting certs from database or vault (#4299)

---
 certoperations.js | 4 ++++
 webserver.js | 9 ++++++---
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/certoperations.js b/certoperations.js
index 80d3b394..c2846546 100644
--- a/certoperations.js
+++ b/certoperations.js
@@ -855,6 +855,9 @@ module.exports.CertificateOperations = function (parent) {
         if (obj.fileExists("codesign-cert-public.crt") && obj.fileExists("codesign-cert-private.key")) {
             r.codesign = { cert: obj.fileLoad("codesign-cert-public.crt", 'utf8'), key: obj.decryptPrivateKey(obj.fileLoad("codesign-cert-private.key", 'utf8')) };
             if (obj.checkCertificate(r.codesign.cert, r.codesign.key) == false) { delete r.codesign; } else { rcount++; }
+        } else {
+            // If we are reading certificates from a database or vault and are just missing the code signing cert, skip it.
+            if (parent.configurationFiles != null) { rcount++; }
         }
 
         // If the swarm server certificate exist, load it (This is an optional certificate)
@@ -969,6 +972,7 @@ module.exports.CertificateOperations = function (parent) {
             }
         }
 
+        // If we have all the certificates we need, stop here.
         if (rcount === rcountmax) {
             if ((certargs == null) && (mpscertargs == null)) { if (func != undefined) { func(r); } return r; } // If no certificate arguments are given, keep the certificate
             var xcountry, xcountryField = webCertificate.subject.getField('C');
diff --git a/webserver.js b/webserver.js
index 55230857..5fb8a51a 100644
--- a/webserver.js
+++ b/webserver.js
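Review bot: The new `else` branch counts the code-signing certificate as satisfied whenever `parent.configurationFiles` is set, without recording anywhere that agent binaries will now be produced without a signing cert, and because the `if` above requires both files, it also fires when only one of `codesign-cert-public.crt` / `codesign-cert-private.key` is present, so a half-present pair is silently treated as "absent". Since this branch decides whether signing material exists, it should say so loudly: `// No code signing cert in the DB/vault config: count it as present so nothing is regenerated, but agent binaries will not be signed.` followed by `if (parent.configurationFiles != null) { rcount++; console.log('Code signing certificate not found, agent binaries will not be signed.'); }` (or the project's usual logging call). Note the existing path where both files exist but `checkCertificate` fails still deletes `r.codesign` without incrementing `rcount`, which is now inconsistent with the skip; whether that matters depends on the regeneration code outside the hunk.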
@@ -896,9 +896,10 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
             var origin = 'https://' + (domain.dns ? domain.dns : parent.certificates.CommonName);
             if (httpport != 443) { origin += ':' + httpport; }
 
-            const sec = parent.decryptSessionData(req.session.e);
+            var u2fchallenge = null;
+            if ((req.session != null) && (req.session.e != null)) { const sec = parent.decryptSessionData(req.session.e); if (sec != null) { u2fchallenge = sec.u2f; } }
             var assertionExpectations = {
-                challenge: sec.u2f,
+                challenge: u2fchallenge,
                 origin: origin,
                 factor: 'either',
                 fmt: 'fido-u2f',
@@ -978,6 +979,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
     // Return a U2F hardware key challenge
     function getHardwareKeyChallenge(req, domain, user, func) {
         delete req.session.u2f;
+        if (req.session = null) { req.session = {}; }
         const sec = parent.decryptSessionData(req.session.e);
         if (user.otphkeys && (user.otphkeys.length > 0)) {
@@ -1015,6 +1017,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
         if (domain == null) { return; }
         if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
         if (req.body == null) { res.sendStatus(404); return; } // Post body is empty or can't be parsed
+        if (req.session == null) { req.session = {}; }
 
         // Check if this is a banned ip address
         if (obj.checkAllowLogin(req) == false) {
@@ -3019,7 +3022,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
 
         // Encrypt the hardware key challenge state if needed
         var hwstate = null;
-        if (hardwareKeyChallenge) {
+        if (hardwareKeyChallenge && req.session) {
             const sec = parent.decryptSessionData(req.session.e);
             hwstate = obj.parent.encodeCookie({ u: sec.tuser, p: sec.tpass, c: sec.u2f }, obj.parent.loginCookieEncryptionKey)
         }
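Review bot: When `req.session`, `req.session.e` or the decrypted `sec` is missing, `u2fchallenge` stays `null` and is still handed to the verifier as `challenge: u2fchallenge`, so a request with no pending challenge continues down the normal assertion-verification path instead of being rejected up front; whether the library itself refuses a null expected challenge is not visible here, and the challenge is the one value a FIDO assertion must never be checked against loosely. I would fail closed before building `assertionExpectations`: `if (u2fchallenge == null) { /* no pending U2F challenge in this session: reject the assertion */ return; }`, using whatever error return the enclosing handler uses. That handler starts and ends outside the hunk.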
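Review bot: `if (req.session = null) { req.session = {}; }` assigns instead of comparing: it overwrites any existing session with `null`, the `if` body never runs, and the next line `parent.decryptSessionData(req.session.e)` then throws on every call, so this breaks `getHardwareKeyChallenge` for all users rather than hardening it. It also sits after `delete req.session.u2f;`, which already dereferences a null session before the guard can help. Move the guard up and use a comparison, as the login-handler hunk in this same commit does: `if (req.session == null) { req.session = {}; }` followed by `delete req.session.u2f;`. The rest of `getHardwareKeyChallenge` lies outside the hunk.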
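Review bot: The added `req.session` check on the `if` still leaves `sec` unguarded: `parent.decryptSessionData(req.session.e)` can return null (the first webserver.js hunk in this commit tests `sec != null` after the same call), in which case `sec.tuser` on the next line throws and `hwstate` is never built. Guard the decrypted value rather than the session object: `const sec = (req.session != null) ? parent.decryptSessionData(req.session.e) : null;` and `if (hardwareKeyChallenge && (sec != null)) { hwstate = obj.parent.encodeCookie({ u: sec.tuser, p: sec.tpass, c: sec.u2f }, obj.parent.loginCookieEncryptionKey) }`. Whether a null `sec` can actually coincide with a set `hardwareKeyChallenge` depends on code before the hunk, and the enclosing function continues past it.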