external/MeshCentral
1
0
Fork 0
mirror of https://github.com/Ylianst/MeshCentral.git synced 2025-03-09 15:40:18 +00:00
Code Issues Releases Wiki Activity

Intel AMT activation fixes.

Browse source
This commit is contained in:
Ylian Saint-Hilaire 2021-03-13 21:26:59 -08:00
parent ffabdb39d3
commit 5bdebda679
3 changed files with 27 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

10
amtmanager.js
View file

@ -1802,6 +1802,7 @@ module.exports.CreateAmtManager = function (parent) {
const activationCerts = domain.amtacmactivation.certs;
if ((dev.mpsConnection.tag.meiState == null) || (dev.mpsConnection.tag.meiState.Hashes == null) || (dev.mpsConnection.tag.meiState.Hashes.length == 0)) return null;
const deviceHashes = dev.mpsConnection.tag.meiState.Hashes;
if (deviceHashes == null) return null;
// Get the trusted FQDN of the device
var trustedFqdn = null;
@ -1836,11 +1837,12 @@ module.exports.CreateAmtManager = function (parent) {
// Get our ACM activation certificate chain
var acmTlsInfo = parent.certificateOperations.getAcmCertChain(parent.config.domains[dev.domainid], dev.temp.acminfo.fqdn, dev.temp.acminfo.hash);
if (acmTlsInfo.error == 1) { dev.consoleMsg(acmTlsInfo.errorText); removeAmtDevice(dev, 44); return; }
acmTlsInfo.certs = acmTlsInfo.certs.reverse(); // Reverse the order of the certificates.
dev.acmTlsInfo = acmTlsInfo;
// Send the MEI command to enable TLS connections
dev.consoleMsg("Performing TLS ACM activation...");
dev.controlMsg({ action: 'startTlsHostConfig', hash: acmTlsInfo.hash, hostVpn: false, dnsSuffixList: null });
dev.controlMsg({ action: 'startTlsHostConfig', hash: acmTlsInfo.hash256, hostVpn: false, dnsSuffixList: null });
} else {
// MeshCore or MeshCMD is to old
dev.consoleMsg("This software is to old to support ACM activation, pleasse update and try again.");
@ -1850,10 +1852,10 @@ module.exports.CreateAmtManager = function (parent) {
// Attempt Intel AMT TLS ACM activation after startConfiguration() is called on remote device
function activateIntelAmtTlsAcmEx(dev, startConfigData) {
console.log('activateIntelAmtTlsAcmEx', dev.mpsConnection.tag.meiState.OsAdmin.user, dev.mpsConnection.tag.meiState.OsAdmin.pass);
//console.log('activateIntelAmtTlsAcmEx', dev.mpsConnection.tag.meiState.OsAdmin.user, dev.mpsConnection.tag.meiState.OsAdmin.pass);
// Setup the WSMAN stack, no TLS
var comm = CreateWsmanComm(dev.nodeid, 16993, 'admin', '', 1, { cert: dev.acmTlsInfo.certs.reverse().join(''), key: dev.acmTlsInfo.signkey }, dev.mpsConnection); // TLS with client certificate chain and key.
var comm = CreateWsmanComm(dev.nodeid, 16993, 'admin', '', 1, { cert: dev.acmTlsInfo.certs.join(''), key: dev.acmTlsInfo.signkey }, dev.mpsConnection); // TLS with client certificate chain and key.
// TODO: Intel AMT leaf TLS cert need to SHA256 hash to "startConfigData.hash"
var wsstack = WsmanStackCreateService(comm);
dev.amtstack = AmtStackCreateService(wsstack);
@ -1865,11 +1867,13 @@ module.exports.CreateAmtManager = function (parent) {
console.log('activateIntelAmtTlsAcmEx1', status, responses);
const dev = stack.dev;
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
if (status != 200) {
dev.consoleMsg("Failed to perform ACM TLS connection, falling back to legacy host-based activation.");
activateIntelAmtAcm(dev); // Falling back to legacy WSMAN ACM activation, start by refreshing $$OsAdmin username and password.
} else {
// TODO!!!
console.log('TODO!!!!!');
}
}

19
certoperations.js
View file

@ -62,7 +62,7 @@ module.exports.CertificateOperations = function (parent) {
}
// Hash the leaf certificate and return the certificate chain and signing key
return { action: 'acmactivate', certs: certChain, signkey: signkey, hash: obj.getCertHash(certChain[certChain.length - 1]) };
return { action: 'acmactivate', certs: certChain, signkey: signkey, hash384: obj.getCertHash(certChain[certChain.length - 1]), hash256: obj.getCertHashSha256(certChain[certChain.length - 1]) };
}
// Sign a Intel AMT ACM activation request
@ -550,7 +550,7 @@ module.exports.CertificateOperations = function (parent) {
return obj.pki.getPublicKeyFingerprint(publickey, { encoding: 'hex', md: obj.forge.md.sha384.create() });
};
// Return the SHA384 hash of the certificate, return hex
// Return the SHA1 hash of the certificate, return hex
obj.getCertHashSha1 = function (cert) {
try {
var md = obj.forge.md.sha1.create();
@ -565,6 +565,21 @@ module.exports.CertificateOperations = function (parent) {
}
};
// Return the SHA256 hash of the certificate, return hex
obj.getCertHashSha256 = function (cert) {
try {
var md = obj.forge.md.sha256.create();
md.update(obj.forge.asn1.toDer(obj.pki.certificateToAsn1(obj.pki.certificateFromPem(cert))).getBytes());
return md.digest().toHex();
} catch (ex) {
// If this is not an RSA certificate, hash the raw PKCS7 out of the PEM file
var x1 = cert.indexOf('-----BEGIN CERTIFICATE-----'), x2 = cert.indexOf('-----END CERTIFICATE-----');
if ((x1 >= 0) && (x2 > x1)) {
return obj.crypto.createHash('sha256').update(Buffer.from(cert.substring(x1 + 27, x2), 'base64')).digest('hex');
} else { console.log("ERROR: Unable to decode certificate."); return null; }
}
};
// Return the SHA384 hash of the certificate, return hex
obj.getCertHash = function (cert) {
try {

4
interceptor.js
View file

@ -167,7 +167,9 @@ module.exports.CreateHttpInterceptor = function (args) {
// We have authentication data, lets use it.
var AuthArgs = obj.GetAuthArgs(HttpInterceptorAuthentications[obj.args.host + ':' + obj.args.port]);
AuthArgs.qop = 'auth'; // If different QOP options are proposed, always use 'auth' for now.
// If different QOP options are proposed, always use 'auth' for now.
AuthArgs.qop = 'auth';
// In the future, we should support auth-int, but that will required the body of the request to be accumulated and hashed.
/*
if (AuthArgs.qop != null) { // If Intel AMT supports auth-int, use it.