From c6ebdd06d048afac0209f35ca8b991b4d673e0af Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Wed, 6 Jan 2021 03:06:42 -0800
Subject: [PATCH] Added Intel AMT cert private key check.

---
 certoperations.js | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/certoperations.js b/certoperations.js
index ad6514c5..51bcb149 100644
--- a/certoperations.js
+++ b/certoperations.js
@@ -82,6 +82,15 @@ module.exports.CertificateOperations = function (parent) {
 // Remove the PEM header, footer and carriage returns so we only have the Base64 DER.
 function pemToBase64(pem) { return pem.split('-----BEGIN CERTIFICATE-----').join('').split('-----END CERTIFICATE-----').join('').split('\r\n').join(''); }

+ // Return true if both arrays match
+ function compareArrays(a1, a2) {
+ if (Array.isArray(a1) == false) return false;
+ if (Array.isArray(a2) == false) return false;
+ if (a1.length !== a2.length) return false;
+ for (var i = 0; i < a1.length; i++) { if (a1[i] !== a2[i]) return false; }
+ return true;
+ }
+
 // Log the Intel AMT activation operation in the domain log
 obj.logAmtActivation = function (domain, x) {
 if (x == null) return true;
@@ -131,6 +140,12 @@ module.exports.CertificateOperations = function (parent) {
 if (orderingError == true) continue;
 r.certs = or;

+ // Check that the certificate and private key match
+ if ((compareArrays(r.certs[0].publicKey.n.data, r.keys[0].n.data) == false) || (compareArrays(r.certs[0].publicKey.e.data, r.keys[0].e.data) == false)) {
+ parent.addServerWarning('Intel AMT activation certificate provided with a mismatching private key.');
+ continue;
+ }
+
 /*
 // Debug: Display all certs & key as PEM
 for (var k in r.certs) {
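Review bot: The one-line comment on `compareArrays` does not say that the helper fails closed on non-array input, which is the property the key-match check in the second hunk depends on. I would document it as `// Return true only if both arguments are arrays of the same length whose elements are strictly equal; any non-array input returns false.` The comparison is shallow, so nested arrays or objects are compared by reference, and that is worth stating too. As a style point, `Array.isArray(a1) == false` reads more directly as `!Array.isArray(a1)`.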
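Review bot: The new check dereferences `r.certs[0].publicKey.n.data` and `r.keys[0].n.data` without confirming that a certificate and an RSA key are present. If `r.keys` is empty or the first key has no `n`/`e` (a non-RSA key, for example), this would throw instead of raising the warning, unless code outside the hunk already guarantees both; the enclosing loop starts and ends outside the hunk, so I cannot confirm that. A guard ahead of the comparison would keep the failure on the warning path: `if ((r.certs.length == 0) || (r.keys.length == 0) || (r.certs[0].publicKey.n == null) || (r.keys[0].n == null)) { parent.addServerWarning('Intel AMT activation certificate provided with a mismatching private key.'); continue; }`. Comparing the `.data` arrays also ties the result to the big-integer library's internal word layout; if these are node-forge BigInteger values, as the `.n.data` shape suggests, `r.certs[0].publicKey.n.compareTo(r.keys[0].n) === 0` compares by value instead. The warning text would be easier to act on if it named the domain or certificate file involved.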