Intel AMT activation fixes.

Ylianst · Mar 14, 2021 · 5bdebda · 5bdebda
1 parent ffabdb3
commit 5bdebda
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 6 deletions.
diff --git a/amtmanager.js b/amtmanager.js
@@ -1802,6 +1802,7 @@ module.exports.CreateAmtManager = function (parent) {
         const activationCerts = domain.amtacmactivation.certs;
         if ((dev.mpsConnection.tag.meiState == null) || (dev.mpsConnection.tag.meiState.Hashes == null) || (dev.mpsConnection.tag.meiState.Hashes.length == 0)) return null;
         const deviceHashes = dev.mpsConnection.tag.meiState.Hashes;
+        if (deviceHashes == null) return null;
 
         // Get the trusted FQDN of the device
         var trustedFqdn = null;
@@ -1836,11 +1837,12 @@ module.exports.CreateAmtManager = function (parent) {
             // Get our ACM activation certificate chain
             var acmTlsInfo = parent.certificateOperations.getAcmCertChain(parent.config.domains[dev.domainid], dev.temp.acminfo.fqdn, dev.temp.acminfo.hash);
             if (acmTlsInfo.error == 1) { dev.consoleMsg(acmTlsInfo.errorText); removeAmtDevice(dev, 44); return; }
+            acmTlsInfo.certs = acmTlsInfo.certs.reverse(); // Reverse the order of the certificates.
             dev.acmTlsInfo = acmTlsInfo;
 
             // Send the MEI command to enable TLS connections
             dev.consoleMsg("Performing TLS ACM activation...");
-            dev.controlMsg({ action: 'startTlsHostConfig', hash: acmTlsInfo.hash, hostVpn: false, dnsSuffixList: null });
+            dev.controlMsg({ action: 'startTlsHostConfig', hash: acmTlsInfo.hash256, hostVpn: false, dnsSuffixList: null });
         } else {
             // MeshCore or MeshCMD is to old
             dev.consoleMsg("This software is to old to support ACM activation, pleasse update and try again.");
@@ -1850,10 +1852,10 @@ module.exports.CreateAmtManager = function (parent) {
 
     // Attempt Intel AMT TLS ACM activation after startConfiguration() is called on remote device
     function activateIntelAmtTlsAcmEx(dev, startConfigData) {
-        console.log('activateIntelAmtTlsAcmEx', dev.mpsConnection.tag.meiState.OsAdmin.user, dev.mpsConnection.tag.meiState.OsAdmin.pass);
+        //console.log('activateIntelAmtTlsAcmEx', dev.mpsConnection.tag.meiState.OsAdmin.user, dev.mpsConnection.tag.meiState.OsAdmin.pass);
 
         // Setup the WSMAN stack, no TLS
-        var comm = CreateWsmanComm(dev.nodeid, 16993, 'admin', '', 1, { cert: dev.acmTlsInfo.certs.reverse().join(''), key: dev.acmTlsInfo.signkey }, dev.mpsConnection); // TLS with client certificate chain and key.
+        var comm = CreateWsmanComm(dev.nodeid, 16993, 'admin', '', 1, { cert: dev.acmTlsInfo.certs.join(''), key: dev.acmTlsInfo.signkey }, dev.mpsConnection); // TLS with client certificate chain and key.
         // TODO: Intel AMT leaf TLS cert need to SHA256 hash to "startConfigData.hash"
         var wsstack = WsmanStackCreateService(comm);
         dev.amtstack = AmtStackCreateService(wsstack);
@@ -1865,11 +1867,13 @@ module.exports.CreateAmtManager = function (parent) {
         console.log('activateIntelAmtTlsAcmEx1', status, responses);
         const dev = stack.dev;
         if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
+
         if (status != 200) {
             dev.consoleMsg("Failed to perform ACM TLS connection, falling back to legacy host-based activation.");
             activateIntelAmtAcm(dev); // Falling back to legacy WSMAN ACM activation, start by refreshing $$OsAdmin username and password.
         } else {
             // TODO!!!
+            console.log('TODO!!!!!');
         }
     }
 

diff --git a/certoperations.js b/certoperations.js
@@ -62,7 +62,7 @@ module.exports.CertificateOperations = function (parent) {
         }
 
         // Hash the leaf certificate and return the certificate chain and signing key
-        return { action: 'acmactivate', certs: certChain, signkey: signkey, hash: obj.getCertHash(certChain[certChain.length - 1]) };
+        return { action: 'acmactivate', certs: certChain, signkey: signkey, hash384: obj.getCertHash(certChain[certChain.length - 1]), hash256: obj.getCertHashSha256(certChain[certChain.length - 1]) };
     }
 
     // Sign a Intel AMT ACM activation request
@@ -550,7 +550,7 @@ module.exports.CertificateOperations = function (parent) {
         return obj.pki.getPublicKeyFingerprint(publickey, { encoding: 'hex', md: obj.forge.md.sha384.create() });
     };
 
-    // Return the SHA384 hash of the certificate, return hex
+    // Return the SHA1 hash of the certificate, return hex
     obj.getCertHashSha1 = function (cert) {
         try {
             var md = obj.forge.md.sha1.create();
@@ -565,6 +565,21 @@ module.exports.CertificateOperations = function (parent) {
         }
     };
 
+    // Return the SHA256 hash of the certificate, return hex
+    obj.getCertHashSha256 = function (cert) {
+        try {
+            var md = obj.forge.md.sha256.create();
+            md.update(obj.forge.asn1.toDer(obj.pki.certificateToAsn1(obj.pki.certificateFromPem(cert))).getBytes());
+            return md.digest().toHex();
+        } catch (ex) {
+            // If this is not an RSA certificate, hash the raw PKCS7 out of the PEM file
+            var x1 = cert.indexOf('-----BEGIN CERTIFICATE-----'), x2 = cert.indexOf('-----END CERTIFICATE-----');
+            if ((x1 >= 0) && (x2 > x1)) {
+                return obj.crypto.createHash('sha256').update(Buffer.from(cert.substring(x1 + 27, x2), 'base64')).digest('hex');
+            } else { console.log("ERROR: Unable to decode certificate."); return null; }
+        }
+    };
+
     // Return the SHA384 hash of the certificate, return hex
     obj.getCertHash = function (cert) {
         try {

diff --git a/interceptor.js b/interceptor.js
@@ -167,7 +167,9 @@ module.exports.CreateHttpInterceptor = function (args) {
                 // We have authentication data, lets use it.
                 var AuthArgs = obj.GetAuthArgs(HttpInterceptorAuthentications[obj.args.host + ':' + obj.args.port]);
 
-                AuthArgs.qop = 'auth'; // If different QOP options are proposed, always use 'auth' for now.
+                // If different QOP options are proposed, always use 'auth' for now.
+                AuthArgs.qop = 'auth';
+
                 // In the future, we should support auth-int, but that will required the body of the request to be accumulated and hashed.
                 /*
                 if (AuthArgs.qop != null) { // If Intel AMT supports auth-int, use it.