EverydayTech Platform - Developer Reference
Complete Source Code Documentation - All Applications
Loading...
Searching...
No Matches
certoperations.js
Go to the documentation of this file.
1/**
2* @description Certificate generator
3* @author Joko Sastriawan / Ylian Saint-Hilaire
4* @copyright Intel Corporation 2018-2022
5* @license Apache-2.0
6* @version v0.0.1
7*/
8
9/*xjslint node: true */
10/*xjslint plusplus: true */
11/*xjslint maxlen: 256 */
12/*jshint node: true */
13/*jshint strict: false */
14/*jshint esversion: 6 */
15"use strict";
16
17module.exports.CertificateOperations = function (parent) {
18 var obj = {};
19
20 obj.parent = parent;
21 obj.fs = require('fs');
22 obj.forge = require('node-forge');
23 obj.crypto = require('crypto');
24 obj.tls = require('tls');
25 obj.pki = obj.forge.pki;
26 obj.dirExists = function (filePath) { try { return obj.fs.statSync(filePath).isDirectory(); } catch (err) { return false; } };
27 obj.getFilesizeInBytes = function (filename) { try { return obj.fs.statSync(filename).size; } catch (err) { return -1; } };
28
29 const TopLevelDomainExtendedSupport = { 'net': 2, 'com': 2, 'arpa': 3, 'org': 2, 'gov': 2, 'edu': 2, 'de': 2, 'fr': 3, 'cn': 3, 'nl': 3, 'br': 3, 'mx': 3, 'uk': 3, 'pl': 3, 'tw': 3, 'ca': 3, 'fi': 3, 'be': 3, 'ru': 3, 'se': 3, 'ch': 2, 'dk': 2, 'ar': 3, 'es': 3, 'no': 3, 'at': 3, 'in': 3, 'tr': 3, 'cz': 2, 'ro': 3, 'hu': 3, 'nz': 3, 'pt': 3, 'il': 3, 'gr': 3, 'co': 3, 'ie': 3, 'za': 3, 'th': 3, 'sg': 3, 'hk': 3, 'cl': 2, 'lt': 3, 'id': 3, 'hr': 3, 'ee': 3, 'bg': 3, 'ua': 2 };
30
31 // Return true if the trusted FQDN matched the certificate common name
32 function checkAcmActivationCertName(commonName, trustedFqdn) {
33 commonName = commonName.toLowerCase();
34 trustedFqdn = trustedFqdn.toLowerCase();
35 if (commonName.startsWith('*.') && (commonName.length > 2)) { commonName = commonName.substring(2); }
36 return ((commonName == trustedFqdn) || (trustedFqdn.endsWith('.' + commonName)));
37 }
38
39 // Sign a Intel AMT TLS ACM activation request
40 obj.getAcmCertChain = function (domain, fqdn, hash) {
41 if ((domain == null) || (domain.amtacmactivation == null) || (domain.amtacmactivation.certs == null) || (fqdn == null) || (hash == null)) return { action: 'acmactivate', error: 1, errorText: 'Invalid arguments' };
42 if (parent.common.validateString(fqdn, 4, 256) == false) return { action: 'acmactivate', error: 1, errorText: "Invalid FQDN argument." };
43 if (parent.common.validateString(hash, 16, 256) == false) return { action: 'acmactivate', error: 1, errorText: "Invalid hash argument." };
44
45 // Look for the signing certificate
46 var signkey = null, certChain = null, hashAlgo = null, certIndex = null;
47 for (var i in domain.amtacmactivation.certs) {
48 const certEntry = domain.amtacmactivation.certs[i];
49 if ((certEntry.sha256 == hash) && ((certEntry.cn == '*') || checkAcmActivationCertName(certEntry.cn, fqdn))) { hashAlgo = 'sha256'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
50 if ((certEntry.sha1 == hash) && ((certEntry.cn == '*') || checkAcmActivationCertName(certEntry.cn, fqdn))) { hashAlgo = 'sha1'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
51 }
52 if (signkey == null) return { action: 'acmactivate', error: 2, errorText: "Can't create ACM cert chain, no signing certificate found." }; // Did not find a match.
53
54 // If the matching certificate our wildcard root cert, we can use the root to match any FQDN
55 if (domain.amtacmactivation.certs[certIndex].cn == '*') {
56 // Create a leaf certificate that matches the FQDN we want
57 // TODO: This is an expensive operation, work on ways to pre-generate or cache this leaf certificate.
58 var rootcert = { cert: domain.amtacmactivation.certs[certIndex].rootcert, key: obj.pki.privateKeyFromPem(domain.amtacmactivation.certs[certIndex].key) };
59 var leafcert = obj.IssueWebServerCertificate(rootcert, false, fqdn, 'mc', 'Intel(R) Client Setup Certificate', { serverAuth: true, '2.16.840.1.113741.1.2.3': true }, false);
60
61 // Setup the certificate chain and key
62 certChain = [ obj.pki.certificateToPem(leafcert.cert), obj.pki.certificateToPem(domain.amtacmactivation.certs[certIndex].rootcert) ];
63 signkey = obj.pki.privateKeyToPem(leafcert.key);
64 } else {
65 // Make sure the cert chain is in PEM format
66 var certChain2 = [];
67 for (var i in certChain) { certChain2.push("-----BEGIN CERTIFICATE-----\r\n" + certChain[i] + "\r\n-----END CERTIFICATE-----\r\n"); }
68 certChain = certChain2;
69 }
70
71 // Hash the leaf certificate and return the certificate chain and signing key
72 return { action: 'acmactivate', certs: certChain, signkey: signkey, hash384: obj.getCertHash(certChain[0]), hash256: obj.getCertHashSha256(certChain[0]) };
73 }
74
75 // Sign a Intel AMT ACM activation request
76 obj.signAcmRequest = function (domain, request, user, pass, ipport, nodeid, meshid, computerName, agentId) {
77 if ((domain == null) || (domain.amtacmactivation == null) || (domain.amtacmactivation.certs == null) || (request == null) || (request.nonce == null) || (request.realm == null) || (request.fqdn == null) || (request.hash == null)) return { 'action': 'acmactivate', 'error': 1, 'errorText': 'Invalid arguments' };
78 if (parent.common.validateString(request.nonce, 16, 256) == false) return { 'action': 'acmactivate', 'error': 1, 'errorText': "Invalid nonce argument." };
79 if (parent.common.validateString(request.realm, 16, 256) == false) return { 'action': 'acmactivate', 'error': 1, 'errorText': "Invalid realm argument." };
80 if (parent.common.validateString(request.fqdn, 4, 256) == false) return { 'action': 'acmactivate', 'error': 1, 'errorText': "Invalid FQDN argument." };
81 if (parent.common.validateString(request.hash, 16, 256) == false) return { 'action': 'acmactivate', 'error': 1, 'errorText': "Invalid hash argument." };
82 if (parent.common.validateString(request.uuid, 36, 36) == false) return { 'action': 'acmactivate', 'error': 1, 'errorText': "Invalid UUID argument." };
83
84 // Look for the signing certificate
85 var signkey = null, certChain = null, hashAlgo = null, certIndex = null;
86 for (var i in domain.amtacmactivation.certs) {
87 const certEntry = domain.amtacmactivation.certs[i];
88 if ((certEntry.sha256 == request.hash) && ((certEntry.cn == '*') || checkAcmActivationCertName(certEntry.cn, request.fqdn))) { hashAlgo = 'sha256'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
89 if ((certEntry.sha1 == request.hash) && ((certEntry.cn == '*') || checkAcmActivationCertName(certEntry.cn, request.fqdn))) { hashAlgo = 'sha1'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
90 }
91 if (signkey == null) return { 'action': 'acmactivate', 'error': 2, 'errorText': "Can't sign ACM request, no signing certificate found." }; // Did not find a match.
92
93 // If the matching certificate our wildcard root cert, we can use the root to match any FQDN
94 if (domain.amtacmactivation.certs[certIndex].cn == '*') {
95 // Create a leaf certificate that matches the FQDN we want
96 // TODO: This is an expensive operation, work on ways to pre-generate or cache this leaf certificate.
97 var rootcert = { cert: domain.amtacmactivation.certs[certIndex].rootcert, key: obj.pki.privateKeyFromPem(domain.amtacmactivation.certs[certIndex].key) };
98 var leafcert = obj.IssueWebServerCertificate(rootcert, false, request.fqdn, 'mc', 'Intel(R) Client Setup Certificate', { serverAuth: true, '2.16.840.1.113741.1.2.3': true }, false);
99
100 // Setup the certificate chain and key
101 certChain = [pemToBase64(obj.pki.certificateToPem(leafcert.cert)), pemToBase64(obj.pki.certificateToPem(domain.amtacmactivation.certs[certIndex].rootcert))];
102 signkey = obj.pki.privateKeyToPem(leafcert.key);
103 }
104
105 // Setup both nonces, ready to be signed
106 const mcNonce = Buffer.from(obj.crypto.randomBytes(20), 'binary');
107 const fwNonce = Buffer.from(request.nonce, 'base64');
108
109 // Sign the request
110 var signature = null;
111 try {
112 var signer = obj.crypto.createSign(hashAlgo);
113 signer.update(Buffer.concat([fwNonce, mcNonce]));
114 signature = signer.sign(signkey, 'base64');
115 } catch (ex) {
116 return { 'action': 'acmactivate', 'error': 4, 'errorText': "Unable to perform signature." };
117 }
118
119 // Log the activation request, logging is a required step for activation.
120 if (obj.logAmtActivation(domain, { time: new Date(), action: 'acmactivate', domain: domain.id, amtUuid: request.uuid, certHash: request.hash, hashType: hashAlgo, amtRealm: request.realm, amtFqdn: request.fqdn, user: user, password: pass, ipport: ipport, nodeid: nodeid, meshid: meshid, computerName: computerName, agentId: agentId, tag: request.tag, name: request.name }) == false) return { 'action': 'acmactivate', 'error': 5, 'errorText': "Unable to log operation." };
121
122 // Return the signature with the computed account password hash
123 return { 'action': 'acmactivate', 'signature': signature, 'password': obj.crypto.createHash('md5').update(user + ':' + request.realm + ':' + pass).digest('hex'), 'nonce': mcNonce.toString('base64'), 'certs': certChain };
124 }
125
126 // Remove the PEM header, footer and carriage returns so we only have the Base64 DER.
127 function pemToBase64(pem) { return pem.split('-----BEGIN CERTIFICATE-----').join('').split('-----END CERTIFICATE-----').join('').split('\r\n').join(''); }
128
129 // Return true if both arrays match
130 function compareArrays(a1, a2) {
131 if (Array.isArray(a1) == false) return false;
132 if (Array.isArray(a2) == false) return false;
133 if (a1.length !== a2.length) return false;
134 for (var i = 0; i < a1.length; i++) { if (a1[i] !== a2[i]) return false; }
135 return true;
136 }
137
138 // Log the Intel AMT activation operation in the domain log
139 obj.logAmtActivation = function (domain, x) {
140 if (x == null) return true;
141
142 // Add the password to the Intel AMT list of UUID to passwords
143 if ((typeof x.amtUuid == 'string') && (typeof x.password == 'string')) {
144 if (parent.amtPasswords == null) { parent.amtPasswords = {}; }
145 if (parent.amtPasswords[x.amtUuid] == null) {
146 parent.amtPasswords[x.amtUuid] = [x.password]; // Add password to array
147 parent.amtPasswords = parent.common.sortObj(parent.amtPasswords);
148 } else {
149 if (parent.amtPasswords[x.amtUuid].indexOf(x.password) == -1) {
150 parent.amtPasswords[x.amtUuid].unshift(x.password); // Add password at the start of the array
151 while (parent.amtPasswords[x.amtUuid].length > 3) { parent.amtPasswords[x.amtUuid].pop(); } // Only keep the 3 last passwords for any given device
152 }
153 }
154 }
155
156 // Append to the log file
157 var logpath = null;
158 if ((domain.amtacmactivation == null) || (domain.amtacmactivation.log == null) || (typeof domain.amtacmactivation.log != 'string')) {
159 if (domain.id == '') { logpath = parent.path.join(obj.parent.datapath, 'amtactivation.log'); } else { logpath = parent.path.join(obj.parent.datapath, 'amtactivation-' + domain.id + '.log'); }
160 } else {
161 logpath = parent.common.joinPath(obj.parent.datapath, domain.amtacmactivation.log);
162 }
163 try { obj.fs.appendFileSync(logpath, JSON.stringify(x) + '\r\n'); } catch (ex) { console.log(ex); return false; }
164 return true;
165 }
166
167 // Load Intel AMT ACM activation certificates
168 obj.loadIntelAmtAcmCerts = function (amtacmactivation) {
169 if (amtacmactivation == null) return;
170 var acmCerts = [], acmmatch = [];
171 amtacmactivation.acmCertErrors = [];
172 if (amtacmactivation.certs != null) {
173 for (var j in amtacmactivation.certs) {
174 if (j.startsWith('_')) continue; // Skip any certificates that start with underscore as the name.
175 var acmconfig = amtacmactivation.certs[j], r = null;
176
177 if ((typeof acmconfig.certpfx == 'string') && (typeof acmconfig.certpfxpass == 'string')) {
178 // P12 format, certpfx and certpfxpass
179 const certFilePath = parent.common.joinPath(obj.parent.datapath, acmconfig.certpfx);
180 try { r = obj.loadPfxCertificate(certFilePath, acmconfig.certpfxpass); } catch (ex) { console.log(ex); }
181 if ((r == null) || (r.certs == null) || (r.keys == null)) { amtacmactivation.acmCertErrors.push("Unable to load certificate file: " + certFilePath + "."); continue; }
182 if (r.certs.length < 2) { amtacmactivation.acmCertErrors.push("Certificate file contains less then 2 certificates: " + certFilePath + "."); continue; }
183 if (r.keys.length != 1) { amtacmactivation.acmCertErrors.push("Certificate file must contain exactly one private key: " + certFilePath + "."); continue; }
184 } else if ((typeof acmconfig.certfiles == 'object') && (typeof acmconfig.keyfile == 'string')) {
185 // PEM format, certfiles and keyfile
186 r = { certs: [], keys: [] };
187 for (var k in acmconfig.certfiles) {
188 const certFilePath = parent.common.joinPath(obj.parent.datapath, acmconfig.certfiles[k]);
189 try { r.certs.push(obj.pki.certificateFromPem(obj.fs.readFileSync(certFilePath))); } catch (ex) { amtacmactivation.acmCertErrors.push("Unable to load certificate file: " + certFilePath + "."); }
190 }
191 r.keys.push(obj.pki.privateKeyFromPem(obj.fs.readFileSync(parent.common.joinPath(obj.parent.datapath, acmconfig.keyfile))));
192 if (r.certs.length < 2) { amtacmactivation.acmCertErrors.push("Certificate file contains less then 2 certificates: " + certFilePath + "."); continue; }
193 if (r.keys.length != 1) { amtacmactivation.acmCertErrors.push("Certificate file must contain exactly one private key: " + certFilePath + "."); continue; }
194 }
195
196 // Reorder the certificates from leaf to root.
197 var orderedCerts = [], or = [], currenthash = null, orderingError = false;;
198 while ((orderingError == false) && (orderedCerts.length < r.certs.length)) {
199 orderingError = true;
200 for (var k in r.certs) {
201 if (((currenthash == null) && (r.certs[k].subject.hash == r.certs[k].issuer.hash)) || ((r.certs[k].issuer.hash == currenthash) && (r.certs[k].subject.hash != r.certs[k].issuer.hash))) {
202 currenthash = r.certs[k].subject.hash;
203 orderedCerts.unshift(Buffer.from(obj.forge.asn1.toDer(obj.pki.certificateToAsn1(r.certs[k])).data, 'binary').toString('base64'));
204 or.unshift(r.certs[k]);
205 orderingError = false;
206 }
207 }
208 }
209 if (orderingError == true) { amtacmactivation.acmCertErrors.push("Unable to order Intel AMT ACM activation certificates to create a full chain."); continue; }
210 r.certs = or;
211
212 // Check that the certificate and private key match
213 if ((compareArrays(r.certs[0].publicKey.n.data, r.keys[0].n.data) == false) || (compareArrays(r.certs[0].publicKey.e.data, r.keys[0].e.data) == false)) {
214 amtacmactivation.acmCertErrors.push("Intel AMT activation certificate provided with a mismatching private key.");
215 continue;
216 }
217
218 /*
219 // Debug: Display all certs & key as PEM
220 for (var k in r.certs) {
221 var cn = r.certs[k].subject.getField('CN');
222 if (cn != null) { console.log(cn.value + '\r\n' + obj.pki.certificateToPem(r.certs[k])); } else { console.log(obj.pki.certificateToPem(r.certs[k])); }
223 }
224 console.log(obj.pki.privateKeyToPem(r.keys[0]));
225 */
226
227 // Check if the right OU or OID is present for Intel AMT activation
228 var validActivationCert = false;
229 for (var k in r.certs[0].extensions) { if (r.certs[0].extensions[k]['2.16.840.1.113741.1.2.3'] == true) { validActivationCert = true; } }
230 var orgName = r.certs[0].subject.getField('OU');
231 if ((orgName != null) && (orgName.value == 'Intel(R) Client Setup Certificate')) { validActivationCert = true; }
232 if (validActivationCert == false) { amtacmactivation.acmCertErrors.push("Intel AMT activation certificate must have usage OID \"2.16.840.1.113741.1.2.3\" or organization name \"Intel(R) Client Setup Certificate\"."); continue; }
233
234 // Compute the SHA256 and SHA1 hashes of the root certificate
235 for (var k in r.certs) {
236 if (r.certs[k].subject.hash != r.certs[k].issuer.hash) continue;
237 const certdata = obj.forge.asn1.toDer(obj.pki.certificateToAsn1(r.certs[k])).data;
238 var md = obj.forge.md.sha256.create();
239 md.update(certdata);
240 acmconfig.sha256 = Buffer.from(md.digest().getBytes(), 'binary').toString('hex');
241 md = obj.forge.md.sha1.create();
242 md.update(certdata);
243 acmconfig.sha1 = Buffer.from(md.digest().getBytes(), 'binary').toString('hex');
244 }
245 if ((acmconfig.sha1 == null) || (acmconfig.sha256 == null)) { amtacmactivation.acmCertErrors.push("Unable to compute Intel AMT activation certificate SHA1 and SHA256 hashes."); continue; }
246
247 // Get the certificate common name
248 var certCommonName = r.certs[0].subject.getField('CN');
249 if (certCommonName == null) { amtacmactivation.acmCertErrors.push("Unable to get Intel AMT activation certificate common name."); continue; }
250 if (amtacmactivation.strictcommonname == true) {
251 // Use the certificate common name exactly
252 acmconfig.cn = certCommonName.value;
253 } else {
254 // Check if Intel AMT will allow some flexibility in the certificate common name
255 var certCommonNameSplit = certCommonName.value.split('.');
256 var topLevel = certCommonNameSplit[certCommonNameSplit.length - 1].toLowerCase();
257 var topLevelNum = TopLevelDomainExtendedSupport[topLevel];
258 if (topLevelNum != null) {
259 while (certCommonNameSplit.length > topLevelNum) { certCommonNameSplit.shift(); }
260 acmconfig.cn = certCommonNameSplit.join('.');
261 } else {
262 acmconfig.cn = certCommonName.value;
263 }
264 }
265 if(r.certs[0].md){
266 acmconfig.hashAlgorithm = r.certs[0].md.algorithm;
267 }
268
269 delete acmconfig.cert;
270 delete acmconfig.certpass;
271 acmconfig.certs = orderedCerts;
272 acmconfig.key = obj.pki.privateKeyToPem(r.keys[0]);
273 acmCerts.push(acmconfig);
274 acmmatch.push({ sha256: acmconfig.sha256, sha1: acmconfig.sha1, cn: acmconfig.cn });
275 }
276 }
277 amtacmactivation.acmmatch = acmmatch;
278 amtacmactivation.certs = acmCerts;
279
280 // Add the MeshCentral root cert as a possible activation cert
281 if (obj.parent.certificates.root) {
282 var x1 = obj.parent.certificates.root.cert.indexOf('-----BEGIN CERTIFICATE-----'), x2 = obj.parent.certificates.root.cert.indexOf('-----END CERTIFICATE-----');
283 if ((x1 >= 0) && (x2 > x1)) {
284 var sha256 = obj.crypto.createHash('sha256').update(Buffer.from(obj.parent.certificates.root.cert.substring(x1 + 27, x2), 'base64')).digest('hex');
285 var sha1 = obj.crypto.createHash('sha1').update(Buffer.from(obj.parent.certificates.root.cert.substring(x1 + 27, x2), 'base64')).digest('hex');
286 amtacmactivation.certs.push({ 'sha256': sha256, 'sha1': sha1, 'cn': '*', rootcert: obj.pki.certificateFromPem(obj.parent.certificates.root.cert), key: obj.parent.certificates.root.key });
287 amtacmactivation.acmmatch.push({ 'sha256': sha256, 'sha1': sha1, 'cn': '*' });
288 }
289 }
290 }
291
292 // Load a generic certificate and key from PFX/P12 or PEM format. Load both keys and attributes.
293 obj.loadGenericCertAndKey = function (config) {
294 if ((typeof config.certpfx == 'string') || (typeof config.certpfxpass == 'string')) {
295 // Load a PFX certificate
296 var r = null;
297 try { r = obj.loadPfxCertificate(parent.getConfigFilePath(config.certpfx), config.certpfxpass); } catch (ex) { console.log(ex); }
298 if ((r != null) && (r.keys.length > 0) && (r.certs.length > 0)) {
299 var attributes = {};
300 for (var j in r.certs[0].subject.attributes) { attributes[r.certs[0].subject.attributes[j].shortName] = r.certs[0].subject.attributes[j].value; }
301 return { cert: obj.pki.certificateToPem(r.certs[0]), key: obj.pki.privateKeyToPem(r.keys[0]), attributes: attributes };
302 }
303 }
304 if ((typeof config.certfile == 'string') || (typeof config.keyfile == 'string')) {
305 // Load a PEM certificate
306 var r = {}
307 r.cert = obj.fs.readFileSync(parent.getConfigFilePath(config.certfile), 'utf8');
308 r.key = obj.fs.readFileSync(parent.getConfigFilePath(config.keyfile), 'utf8');
309 var cert = obj.pki.certificateFromPem(r.cert);
310 r.attributes = {};
311 for (var j in cert.subject.attributes) { r.attributes[cert.subject.attributes[j].shortName] = cert.subject.attributes[j].value; }
312 return r;
313 }
314 return null;
315 }
316
317 // Get the setup.bin file
318 obj.GetSetupBinFile = function (amtacmactivation, oldmebxpass, newmebxpass, domain, user) {
319 // Create a setup.bin file for our own root cert
320 // Get the wiadcard certificate hash
321 var wildcardCertSha256 = null;
322 for (var i = 0; i < amtacmactivation.acmmatch.length; i++) { if (amtacmactivation.acmmatch[i].cn == '*') { wildcardCertSha256 = amtacmactivation.acmmatch[i].sha256; } }
323
324 // Create the Setup.bin stack
325 const AmtSetupBinStack = require('./amt/amt-setupbin')();
326 var setupbin = AmtSetupBinStack.AmtSetupBinCreate(3, 1); // Version 3, 1 = Records will not be consumed.
327 var certRootName = 'MeshCentral';
328
329 // Figure out what trusted FQDN to use.
330 var trustedFQDN = 'rootcert.meshcentral.com'; // Default DNS name. Any DNS name will do, we this is the fallback.
331 if (typeof domain.dns == 'string') {
332 // Use domain DNS name
333 trustedFQDN = domain.dns;
334 } else if (typeof parent.config.settings.cert == 'string') {
335 // Use main DNS name
336 trustedFQDN = parent.config.settings.cert;
337 }
338
339 // Create a new record
340 var r = {};
341 r.typeIdentifier = 1;
342 r.flags = 1; // Valid, unscrambled record.
343 r.chunkCount = 0;
344 r.headerByteCount = 0;
345 r.number = 0;
346 r.variables = [];
347 setupbin.records.push(r);
348
349 // Create "Current MEBx Password" variable
350 var v = {};
351 v.moduleid = 1;
352 v.varid = 1;
353 v.length = -1;
354 v.value = oldmebxpass;
355 setupbin.records[0].variables.push(v);
356
357 // Create "New MEBx Password" variable
358 v = {};
359 v.moduleid = 1;
360 v.varid = 2;
361 v.length = -1;
362 v.value = newmebxpass;
363 setupbin.records[0].variables.push(v);
364
365 // Create "User Defined Certificate Addition" variable
366 v = {};
367 v.moduleid = 2;
368 v.varid = 8;
369 v.length = -1;
370 v.value = String.fromCharCode(2) + Buffer.from(wildcardCertSha256, 'hex').toString('binary') + String.fromCharCode(certRootName.length) + certRootName; // 2 = SHA256 hash type
371 setupbin.records[0].variables.push(v);
372
373 // Create "PKI DNS Suffix" variable
374 v = {};
375 v.moduleid = 2;
376 v.varid = 3;
377 v.length = -1;
378 v.value = trustedFQDN;
379 setupbin.records[0].variables.push(v);
380
381 // Create "ME Provision Halt Active" variable
382 v = {};
383 v.moduleid = 2;
384 v.varid = 28;
385 v.length = -1;
386 v.value = 0; // Stop
387 setupbin.records[0].variables.push(v);
388
389 // Write to log file
390 obj.logAmtActivation(domain, { time: new Date(), action: 'setupbin', domain: domain.id, userid: user._id, oldmebx: oldmebxpass, newmebx: newmebxpass, rootname: certRootName, hash: wildcardCertSha256, dns: trustedFQDN });
391
392 // Encode the setup.bin file
393 return AmtSetupBinStack.AmtSetupBinEncode(setupbin);
394 }
395
396
397 // Get a bare metal setup.bin file
398 obj.GetBareMetalSetupBinFile = function (amtacmactivation, oldmebxpass, newmebxpass, domain, user) {
399 // Create a setup.bin file for our own root cert
400 // Get the wiadcard certificate hash
401 var wildcardCertSha256 = null;
402 for (var i = 0; i < amtacmactivation.acmmatch.length; i++) { if (amtacmactivation.acmmatch[i].cn == '*') { wildcardCertSha256 = amtacmactivation.acmmatch[i].sha256; } }
403
404 // Create the Setup.bin stack
405 const AmtSetupBinStack = require('./amt/amt-setupbin')();
406 var setupbin = AmtSetupBinStack.AmtSetupBinCreate(3, 1); // Version 3, 1 = Records will not be consumed.
407 var certRootName = 'MeshCentral';
408
409 // Figure out what trusted FQDN to use.
410 var trustedFQDN = parent.config.settings.amtprovisioningserver.trustedfqdn
411
412 // Figure out the provisioning server port
413 var port = 9971;
414 if (typeof parent.config.settings.amtprovisioningserver.port == 'number') { port = parent.config.settings.amtprovisioningserver.port; }
415
416 // Get the provisioning server IP address from the config file
417 if (typeof parent.config.settings.amtprovisioningserver.ip != 'string') return null;
418 var ipaddr = parent.config.settings.amtprovisioningserver.ip;
419 var ipaddrSplit = ipaddr.split('.');
420 var ipaddrStr = String.fromCharCode(parseInt(ipaddrSplit[3])) + String.fromCharCode(parseInt(ipaddrSplit[2])) + String.fromCharCode(parseInt(ipaddrSplit[1])) + String.fromCharCode(parseInt(ipaddrSplit[0]));
421
422 // Create a new record
423 var r = {};
424 r.typeIdentifier = 1;
425 r.flags = 1; // Valid, unscrambled record.
426 r.chunkCount = 0;
427 r.headerByteCount = 0;
428 r.number = 0;
429 r.variables = [];
430 setupbin.records.push(r);
431
432 // Create "Current MEBx Password" variable
433 var v = {};
434 v.moduleid = 1;
435 v.varid = 1;
436 v.length = -1;
437 v.value = oldmebxpass;
438 setupbin.records[0].variables.push(v);
439
440 // Create "New MEBx Password" variable
441 v = {};
442 v.moduleid = 1;
443 v.varid = 2;
444 v.length = -1;
445 v.value = newmebxpass;
446 setupbin.records[0].variables.push(v);
447
448 // Create "User Defined Certificate Addition" variable
449 v = {};
450 v.moduleid = 2;
451 v.varid = 8;
452 v.length = -1;
453 v.value = String.fromCharCode(2) + Buffer.from(wildcardCertSha256, 'hex').toString('binary') + String.fromCharCode(certRootName.length) + certRootName; // 2 = SHA256 hash type
454 setupbin.records[0].variables.push(v);
455
456 // Create "PKI DNS Suffix" variable
457 v = {};
458 v.moduleid = 2;
459 v.varid = 3;
460 v.length = -1;
461 v.value = trustedFQDN;
462 setupbin.records[0].variables.push(v);
463
464 // Create "Configuration Server FQDN" variable
465 v = {};
466 v.moduleid = 2;
467 v.varid = 4;
468 v.length = -1;
469 v.value = trustedFQDN;
470 setupbin.records[0].variables.push(v);
471
472 // Create "Provisioning Server Address" variable
473 v = {};
474 v.moduleid = 2;
475 v.varid = 17;
476 v.length = -1;
477 v.value = ipaddrStr;
478 setupbin.records[0].variables.push(v);
479
480 // Create "Provisioning Server Port Number" variable
481 v = {};
482 v.moduleid = 2;
483 v.varid = 18;
484 v.length = -1;
485 v.value = port;
486 setupbin.records[0].variables.push(v);
487
488 // Create "ME Provision Halt Active" variable
489 v = {};
490 v.moduleid = 2;
491 v.varid = 28;
492 v.length = -1;
493 v.value = 1; // Start
494 setupbin.records[0].variables.push(v);
495
496 // Write to log file
497 obj.logAmtActivation(domain, { time: new Date(), action: 'setupbin-bare-metal', domain: domain.id, userid: user._id, oldmebx: oldmebxpass, newmebx: newmebxpass, rootname: certRootName, hash: wildcardCertSha256, dns: trustedFQDN, ip: ipaddr, port: port });
498
499 // Encode the setup.bin file
500 return AmtSetupBinStack.AmtSetupBinEncode(setupbin);
501 }
502
503 // Return the certificate of the remote HTTPS server
504 obj.loadPfxCertificate = function (filename, password) {
505 var r = { certs: [], keys: [] };
506 var pfxb64 = Buffer.from(obj.fs.readFileSync(filename)).toString('base64');
507 var pfx = obj.forge.pkcs12.pkcs12FromAsn1(obj.forge.asn1.fromDer(obj.forge.util.decode64(pfxb64)), true, password);
508
509 // Get the certs from certbags
510 var bags = pfx.getBags({ bagType: obj.forge.pki.oids.certBag });
511 for (var i = 0; i < bags[obj.forge.pki.oids.certBag].length; i++) { r.certs.push(bags[obj.forge.pki.oids.certBag][i].cert); }
512
513 // Get shrouded key from key bags
514 bags = pfx.getBags({ bagType: obj.forge.pki.oids.pkcs8ShroudedKeyBag });
515 for (var i = 0; i < bags[obj.forge.pki.oids.pkcs8ShroudedKeyBag].length; i++) { r.keys.push(bags[obj.forge.pki.oids.pkcs8ShroudedKeyBag][i].key); }
516 return r;
517 }
518
519 // Return a text file from a remote HTTPS server
520 obj.loadTextFile = function (url, tag, func) {
521 const u = require('url').parse(url);
522 if (u.protocol == 'https:') {
523 // Read from HTTPS
524 const https = require('https');
525 https.get(url, function(resp) {
526 var data = '';
527 resp.on('data', function(chunk) { data += chunk; });
528 resp.on('end', function () { func(url, data, tag); });
529 resp.on('error', function (chunk) { func(url, null, tag); });
530 }).on('error', function (err) { func(url, null, tag); });
531 } else if (u.protocol == 'file:') {
532 // Read a file
533 obj.fs.readFile(url.substring(7), 'utf8', function (err, data) {
534 func(url, err ? null : data, tag);
535 });
536 } else { func(url, null, tag); }
537 };
538
539 // Return the certificate of the remote HTTPS server
540 obj.loadCertificate = function (url, hostname, tag, func) {
541 const u = require('url').parse(url);
542 if (u.protocol == 'https:') {
543 // Read the certificate from HTTPS
544 if (hostname == null) { hostname = u.hostname; }
545 parent.debug('cert', "loadCertificate() - Loading certificate from " + u.hostname + ":" + (u.port ? u.port : 443) + ", Hostname: " + hostname + "...");
546 const tlssocket = obj.tls.connect((u.port ? u.port : 443), u.hostname, { servername: hostname, rejectUnauthorized: false }, function () {
547 this.xxcert = this.getPeerCertificate();
548 parent.debug('cert', "loadCertificate() - TLS connected, " + ((this.xxcert != null) ? "got certificate." : "no certificate."));
549 try { this.destroy(); } catch (ex) { }
550 this.xxfunc(this.xxurl, (this.xxcert == null)?null:(this.xxcert.raw.toString('binary')), hostname, this.xxtag);
551 });
552 tlssocket.xxurl = url;
553 tlssocket.xxfunc = func;
554 tlssocket.xxtag = tag;
555 tlssocket.on('error', function (error) { try { this.destroy(); } catch (ex) { } parent.debug('cert', "loadCertificate() - TLS error: " + error); this.xxfunc(this.xxurl, null, hostname, this.xxtag); });
556 } else if (u.protocol == 'file:') {
557 // Read the certificate from a file
558 obj.fs.readFile(url.substring(7), 'utf8', function (err, data) {
559 if (err) { func(url, null, hostname, tag); return; }
560 var x1 = data.indexOf('-----BEGIN CERTIFICATE-----'), x2 = data.indexOf('-----END CERTIFICATE-----');
561 if ((x1 >= 0) && (x2 > x1)) {
562 func(url, Buffer.from(data.substring(x1 + 27, x2), 'base64').toString('binary'), hostname, tag);
563 } else {
564 func(url, data, hostname, tag);
565 }
566 });
567 } else { func(url, null, hostname, tag); }
568 };
569
570 // Check if a configuration file exists
571 obj.fileExists = function (filename) {
572 if ((parent.configurationFiles != null) && (parent.configurationFiles[filename] != null)) { return true; }
573 var filePath = parent.getConfigFilePath(filename);
574 try { return obj.fs.statSync(filePath).isFile(); } catch (err) { return false; }
575 };
576
577 // Load a configuration file
578 obj.fileLoad = function (filename, encoding) {
579 if ((parent.configurationFiles != null) && (parent.configurationFiles[filename] != null)) {
580 if (typeof parent.configurationFiles[filename] == 'string') { return fixEndOfLines(parent.configurationFiles[filename]); }
581 return fixEndOfLines(parent.configurationFiles[filename].toString());
582 } else {
583 return fixEndOfLines(obj.fs.readFileSync(parent.getConfigFilePath(filename), encoding));
584 }
585 }
586
587 // Return the SHA384 hash of the certificate public key
588 obj.getPublicKeyHash = function (cert) {
589 var publickey = obj.pki.certificateFromPem(cert).publicKey;
590 return obj.pki.getPublicKeyFingerprint(publickey, { encoding: 'hex', md: obj.forge.md.sha384.create() });
591 };
592
593 // Return the SHA1 hash of the certificate, return hex
594 obj.getCertHashSha1 = function (cert) {
595 try {
596 var md = obj.forge.md.sha1.create();
597 md.update(obj.forge.asn1.toDer(obj.pki.certificateToAsn1(obj.pki.certificateFromPem(cert))).getBytes());
598 return md.digest().toHex();
599 } catch (ex) {
600 // If this is not an RSA certificate, hash the raw PKCS7 out of the PEM file
601 var x1 = cert.indexOf('-----BEGIN CERTIFICATE-----'), x2 = cert.indexOf('-----END CERTIFICATE-----');
602 if ((x1 >= 0) && (x2 > x1)) {
603 return obj.crypto.createHash('sha1').update(Buffer.from(cert.substring(x1 + 27, x2), 'base64')).digest('hex');
604 } else { console.log("ERROR: Unable to decode certificate."); return null; }
605 }
606 };
607
608 // Return the SHA256 hash of the certificate, return hex
609 obj.getCertHashSha256 = function (cert) {
610 try {
611 var md = obj.forge.md.sha256.create();
612 md.update(obj.forge.asn1.toDer(obj.pki.certificateToAsn1(obj.pki.certificateFromPem(cert))).getBytes());
613 return md.digest().toHex();
614 } catch (ex) {
615 // If this is not an RSA certificate, hash the raw PKCS7 out of the PEM file
616 var x1 = cert.indexOf('-----BEGIN CERTIFICATE-----'), x2 = cert.indexOf('-----END CERTIFICATE-----');
617 if ((x1 >= 0) && (x2 > x1)) {
618 return obj.crypto.createHash('sha256').update(Buffer.from(cert.substring(x1 + 27, x2), 'base64')).digest('hex');
619 } else { console.log("ERROR: Unable to decode certificate."); return null; }
620 }
621 };
622
623 // Return the SHA384 hash of the certificate, return hex
624 obj.getCertHash = function (cert) {
625 try {
626 var md = obj.forge.md.sha384.create();
627 md.update(obj.forge.asn1.toDer(obj.pki.certificateToAsn1(obj.pki.certificateFromPem(cert))).getBytes());
628 return md.digest().toHex();
629 } catch (ex) {
630 // If this is not an RSA certificate, hash the raw PKCS7 out of the PEM file
631 var x1 = cert.indexOf('-----BEGIN CERTIFICATE-----'), x2 = cert.indexOf('-----END CERTIFICATE-----');
632 if ((x1 >= 0) && (x2 > x1)) {
633 return obj.crypto.createHash('sha384').update(Buffer.from(cert.substring(x1 + 27, x2), 'base64')).digest('hex');
634 } else { console.log("ERROR: Unable to decode certificate."); return null; }
635 }
636 };
637
638 // Return the SHA384 hash of the certificate public key
639 obj.getPublicKeyHashBinary = function (pem) {
640 const { X509Certificate } = require('crypto');
641 if (X509Certificate == null) {
642 // This version of NodeJS (<v15.6.0) does not support X509 certs, use Node-Forge instead which only supports RSA certs.
643 return obj.pki.getPublicKeyFingerprint(obj.pki.certificateFromPem(pem).publicKey, { encoding: 'binary', md: obj.forge.md.sha384.create() });
644 } else {
645 // This version of NodeJS supports x509 certificates
646 var cert = new X509Certificate(pem);
647 return obj.crypto.createHash('sha384').update(cert.publicKey.export({ type: ((cert.publicKey.asymmetricKeyType == 'rsa') ? 'pkcs1' : 'spki'), format: 'der' })).digest('binary');
648 }
649 };
650
651 // Return the SHA384 hash of the certificate, return binary
652 obj.getCertHashBinary = function (cert) {
653 try {
654 // If this is a RSA certificate, we can use Forge to hash the ASN1
655 var md = obj.forge.md.sha384.create();
656 md.update(obj.forge.asn1.toDer(obj.pki.certificateToAsn1(obj.pki.certificateFromPem(cert))).getBytes());
657 return md.digest().getBytes();
658 } catch (ex) {
659 // If this is not an RSA certificate, hash the raw PKCS7 out of the PEM file
660 var x1 = cert.indexOf('-----BEGIN CERTIFICATE-----'), x2 = cert.indexOf('-----END CERTIFICATE-----');
661 if ((x1 >= 0) && (x2 > x1)) {
662 return obj.crypto.createHash('sha384').update(Buffer.from(cert.substring(x1 + 27, x2), 'base64')).digest('binary');
663 } else { console.log("ERROR: Unable to decode certificate."); return null; }
664 }
665 };
666
667 // Create a self-signed certificate
668 obj.GenerateRootCertificate = function (addThumbPrintToName, commonName, country, organization, strong) {
669 var keys = obj.pki.rsa.generateKeyPair({ bits: (strong == true) ? 3072 : 2048, e: 0x10001 });
670 var cert = obj.pki.createCertificate();
671 cert.publicKey = keys.publicKey;
672 cert.serialNumber = '' + require('crypto').randomBytes(4).readUInt32BE(0);
673 cert.validity.notBefore = new Date(2018, 0, 1);
674 cert.validity.notAfter = new Date(2049, 11, 31);
675 if (addThumbPrintToName === true) { commonName += '-' + obj.pki.getPublicKeyFingerprint(cert.publicKey, { encoding: 'hex' }).substring(0, 6); }
676 if (country == null) { country = "unknown"; }
677 if (organization == null) { organization = "unknown"; }
678 var attrs = [{ name: 'commonName', value: commonName }, { name: 'organizationName', value: organization }, { name: 'countryName', value: country }];
679 cert.setSubject(attrs);
680 cert.setIssuer(attrs);
681 // Create a root certificate
682 //cert.setExtensions([{ name: 'basicConstraints', cA: true }, { name: 'nsCertType', sslCA: true, emailCA: true, objCA: true }, { name: 'subjectKeyIdentifier' }]);
683 cert.setExtensions([{ name: 'basicConstraints', cA: true }, { name: 'subjectKeyIdentifier' }, { name: 'keyUsage', keyCertSign: true }]);
684 cert.sign(keys.privateKey, obj.forge.md.sha384.create());
685
686 return { cert: cert, key: keys.privateKey };
687 };
688
689 // Issue a certificate from a root
690 obj.IssueWebServerCertificate = function (rootcert, addThumbPrintToName, commonName, country, organization, extKeyUsage, strong) {
691 var keys = obj.pki.rsa.generateKeyPair({ bits: (strong == true) ? 3072 : 2048, e: 0x10001 });
692 var cert = obj.pki.createCertificate();
693 cert.publicKey = keys.publicKey;
694 cert.serialNumber = '' + require('crypto').randomBytes(4).readUInt32BE(0);
695 cert.validity.notBefore = new Date(2018, 0, 1);
696 cert.validity.notAfter = new Date(2049, 11, 31);
697 if (addThumbPrintToName === true) { commonName += "-" + obj.pki.getPublicKeyFingerprint(cert.publicKey, { encoding: 'hex' }).substring(0, 6); }
698 var attrs = [{ name: 'commonName', value: commonName }];
699 if (country != null) { attrs.push({ name: 'countryName', value: country }); }
700 if (organization != null) { attrs.push({ name: 'organizationName', value: organization }); }
701 cert.setSubject(attrs);
702 cert.setIssuer(rootcert.cert.subject.attributes);
703
704 if (extKeyUsage == null) { extKeyUsage = { name: 'extKeyUsage', serverAuth: true }; } else { extKeyUsage.name = 'extKeyUsage'; }
705 //var extensions = [{ name: 'basicConstraints', cA: false }, { name: 'keyUsage', keyCertSign: true, digitalSignature: true, nonRepudiation: true, keyEncipherment: true, dataEncipherment: true }, extKeyUsage, { name: "nsCertType", client: false, server: true, email: false, objsign: false, sslCA: false, emailCA: false, objCA: false }, { name: "subjectKeyIdentifier" }];
706 var extensions = [{ name: 'basicConstraints', cA: false }, { name: 'keyUsage', keyCertSign: false, digitalSignature: true, nonRepudiation: false, keyEncipherment: true, dataEncipherment: (extKeyUsage.serverAuth !== true) }, extKeyUsage, { name: "subjectKeyIdentifier" }];
707
708 if (extKeyUsage.serverAuth === true) {
709 // Set subjectAltName according to commonName parsing.
710 // Ideally, we should let opportunity in given interface to set any type of altNames according to node_forge library
711 // such as type 2, 6 and 7. (2 -> DNS, 6 -> URI, 7 -> IP)
712 var altNames = [];
713
714 // According to commonName parsing (IP or DNS), add URI and DNS and/or IP altNames
715 if (require('net').isIP(commonName)) {
716 // set both IP and DNS when commonName is an IP@
717 altNames.push({ type: 7, ip: commonName });
718 altNames.push({ type: 2, value: commonName });
719 } else {
720 // set only DNS when commonName is a FQDN
721 altNames.push({ type: 2, value: commonName });
722 }
723 altNames.push({ type: 6, value: 'http://' + commonName + '/' })
724
725 // Add localhost stuff for easy testing on localhost ;)
726 altNames.push({ type: 2, value: 'localhost' });
727 altNames.push({ type: 6, value: 'http://localhost/' });
728 altNames.push({ type: 7, ip: '127.0.0.1' });
729
730 extensions.push({ name: 'subjectAltName', altNames: altNames });
731 }
732
733 if (extKeyUsage.codeSign === true) {
734 extensions = [{ name: 'basicConstraints', cA: false }, { name: 'keyUsage', keyCertSign: false, digitalSignature: true, nonRepudiation: false, keyEncipherment: false, dataEncipherment: false }, { name: 'extKeyUsage', codeSigning: true }, { name: "subjectKeyIdentifier" }];
735 }
736
737 cert.setExtensions(extensions);
738 cert.sign(rootcert.key, obj.forge.md.sha384.create());
739
740 return { cert: cert, key: keys.privateKey };
741 };
742
743 // Make sure a string with Mac style CR endo of line is changed to Linux LF style.
744 function fixEndOfLines(str) {
745 if (typeof (str) != 'string') return str; // If this is not a string, do nothing.
746 var i = str.indexOf('-----'); // Remove everything before "-----".
747 if (i > 0) { str = str.substring(i); } // this solves problems with editors that save text file type indicators ahead of the text.
748 if ((typeof(str) != 'string') || (str.indexOf('\n') > 0)) return str; // If there is a \n in the file, keep the file as-is.
749 return str.split('\r').join('\n'); // If there is no \n, replace all \r with \n.
750 }
751
752 // Return true if the name is found in the certificates names, we support wildcard certificates
753 obj.compareCertificateNames = function (certNames, name) {
754 if (certNames == null) return false;
755 name = name.toLowerCase();
756 var xcertNames = [];
757 for (var i in certNames) { xcertNames.push(certNames[i].toLowerCase()); }
758 if (xcertNames.indexOf(name) >= 0) return true;
759 for (var i in xcertNames) {
760 if ((xcertNames[i].startsWith('*.') == true) && (name.endsWith(xcertNames[i].substring(1)) == true)) { return true; }
761 if (xcertNames[i].startsWith('http://*.') == true) {
762 if (name.endsWith(xcertNames[i].substring(8)) == true) { return true; }
763 if ((xcertNames[i].endsWith('/') == true) && (name.endsWith(xcertNames[i].substring(8, xcertNames[i].length - 1)) == true)) { return true; }
764 }
765 }
766 return false;
767 }
768
769 // Return true if the certificate is valid
770 obj.checkCertificate = function (pem, key) {
771 const { X509Certificate } = require('crypto');
772 if (X509Certificate == null) {
773 // This version of NodeJS (<v15.6.0) does not support X509 certs, use Node-Forge instead which only supports RSA certs.
774 var cert = null;
775 try { cert = obj.pki.certificateFromPem(pem); } catch (ex) { return false; } // Unable to decode certificate
776 if (cert.serialNumber == '') return false; // Empty serial number is not allowed.
777 } else {
778 // This version of NodeJS supports x509 certificates
779 try {
780 const cert = new X509Certificate(pem);
781 if ((cert.serialNumber == '') || (cert.serialNumber == null)) return false; // Empty serial number is not allowed.
782 } catch (ex) { return false; } // Unable to decode certificate
783 }
784 return true;
785 }
786
787 // Get the Common Name from a certificate
788 obj.getCertificateCommonName = function (pem, field) {
789 if (field == null) { field = 'CN'; }
790 const { X509Certificate } = require('crypto');
791 if (X509Certificate == null) {
792 // This version of NodeJS (<v15.6.0) does not support X509 certs, use Node-Forge instead which only supports RSA certs.
793 var cert = obj.pki.certificateFromPem(pem);
794 if (cert.subject.getField(field) != null) return cert.subject.getField(field).value;
795 } else {
796 // This version of NodeJS supports x509 certificates
797 const subjects = new X509Certificate(pem).subject.split('\n');
798 for (var i in subjects) { if (subjects[i].startsWith(field + '=')) { return subjects[i].substring(field.length + 1); } }
799 }
800 return null;
801 }
802
803 // Get the Issuer Common Name from a certificate
804 obj.getCertificateIssuerCommonName = function (pem, field) {
805 if (field == null) { field = 'CN'; }
806 const { X509Certificate } = require('crypto');
807 if (X509Certificate == null) {
808 // This version of NodeJS (<v15.6.0) does not support X509 certs, use Node-Forge instead which only supports RSA certs.
809 var cert = obj.pki.certificateFromPem(pem);
810 if (cert.issuer.getField(field) != null) return cert.issuer.getField(field).value;
811 } else {
812 // This version of NodeJS supports x509 certificates
813 const subjects = new X509Certificate(pem).issuer.split('\n');
814 for (var i in subjects) { if (subjects[i].startsWith(field + '=')) { return subjects[i].substring(field.length + 1); } }
815 }
816 return null;
817 }
818
819 // Get the Common Name and alternate names from a certificate
820 obj.getCertificateAltNames = function (pem) {
821 const altNamesResults = [];
822 const { X509Certificate } = require('crypto');
823 if (X509Certificate == null) {
824 // This version of NodeJS (<v15.6.0) does not support X509 certs, use Node-Forge instead which only supports RSA certs.
825 var cert = obj.pki.certificateFromPem(pem);
826 if (cert.subject.getField('CN') != null) { altNamesResults.push(cert.subject.getField('CN').value); }
827 var altNames = cert.getExtension('subjectAltName');
828 if (altNames) {
829 for (i = 0; i < altNames.altNames.length; i++) {
830 if ((altNames.altNames[i] != null) && (altNames.altNames[i].type === 2) && (typeof altNames.altNames[i].value === 'string')) {
831 var acn = altNames.altNames[i].value.toLowerCase();
832 if (altNamesResults.indexOf(acn) == -1) { altNamesResults.push(acn); }
833 }
834 }
835 }
836 } else {
837 // This version of NodeJS supports x509 certificates
838 const cert = new X509Certificate(pem);
839 const subjects = cert.subject.split('\n');
840 for (var i in subjects) { if (subjects[i].startsWith('CN=')) { altNamesResults.push(subjects[i].substring(3)); } }
841 var subjectAltNames = cert.subjectAltName;
842 if (subjectAltNames != null) {
843 subjectAltNames = subjectAltNames.split(', ');
844 for (var i = 0; i < subjectAltNames.length; i++) {
845 if (subjectAltNames[i].startsWith('DNS:') && altNamesResults.indexOf(subjectAltNames[i].substring(4)) == -1) {
846 altNamesResults.push(subjectAltNames[i].substring(4));
847 }
848 }
849 }
850 }
851 return altNamesResults;
852 }
853
854 // Get the expiration time from a certificate
855 obj.getCertificateExpire = function (pem) {
856 const altNamesResults = [];
857 const { X509Certificate } = require('crypto');
858 if (X509Certificate == null) {
859 // This version of NodeJS (<v15.6.0) does not support X509 certs, use Node-Forge instead which only supports RSA certs.
860 return Date.parse(parent.certificateOperations.forge.pki.certificateFromPem(parent.certificates.web.cert).validity.notAfter);
861 } else {
862 // This version of NodeJS supports x509 certificates
863 return Date.parse(new X509Certificate(pem).validTo);
864 }
865 }
866
867 // Decrypt private key if needed
868 obj.decryptPrivateKey = function (key) {
869 if (typeof key != 'string') return key;
870 var i = key.indexOf('-----BEGIN ENCRYPTED PRIVATE KEY-----');
871 var j = key.indexOf('-----END ENCRYPTED PRIVATE KEY-----');
872 if ((i >= 0) && (j > i)) {
873 var passwords = parent.config.settings.certificateprivatekeypassword;
874 if (parent.config.settings.certificateprivatekeypassword == null) { passwords = []; }
875 else if (typeof parent.config.settings.certificateprivatekeypassword == 'string') { passwords = [parent.config.settings.certificateprivatekeypassword ]; }
876 var privateKey = null;
877 for (var k in passwords) { if (privateKey == null) { try { privateKey = obj.pki.decryptRsaPrivateKey(key, passwords[k]); } catch (ex) { } } }
878 if (privateKey == null) {
879 console.log("Private certificate key is encrypted, but no correct password was found.");
880 console.log("Add the password to the \"certificatePrivateKeyPassword\" value in the Settings section of the config.json.");
881 console.log("Example: \"certificatePrivateKeyPassword\": [ \"MyPassword\" ]");
882 process.exit();
883 return null;
884 }
885 return obj.pki.privateKeyToPem(privateKey);
886 }
887 return key;
888 }
889
890 // Returns the web server TLS certificate and private key, if not present, create demonstration ones.
891 obj.GetMeshServerCertificate = function (args, config, func) {
892 var i = 0;
893 var certargs = args.cert;
894 var mpscertargs = args.mpscert;
895 var strongCertificate = (args.fastcert ? false : true);
896 var rcountmax = 5;
897 var caindex = 1;
898 var caok = false;
899 var calist = [];
900 var dnsname = null;
901 // commonName, country, organization
902
903 // If the certificates directory does not exist, create it.
904 if (!obj.dirExists(parent.datapath)) { obj.fs.mkdirSync(parent.datapath); }
905 var r = {};
906 var rcount = 0;
907
908 // If the root certificate already exist, load it
909 if (obj.fileExists('root-cert-public.crt') && obj.fileExists('root-cert-private.key')) {
910 var rootCertificate = obj.fileLoad('root-cert-public.crt', 'utf8');
911 var rootPrivateKey = obj.decryptPrivateKey(obj.fileLoad('root-cert-private.key', 'utf8'));
912 r.root = { cert: rootCertificate, key: rootPrivateKey };
913 rcount++;
914
915 // Check if the root certificate has the "Certificate Signing (04)" Key usage.
916 // This option is required for newer versions of Intel AMT for CIRA/WS-EVENTS.
917 var xroot = obj.pki.certificateFromPem(rootCertificate);
918 var xext = xroot.getExtension('keyUsage');
919 if ((xext == null) || (xext.keyCertSign !== true) || (xroot.serialNumber == '')) {
920 // We need to fix this certificate
921 parent.common.moveOldFiles(['root-cert-public-backup.crt']);
922 obj.fs.writeFileSync(parent.getConfigFilePath('root-cert-public-backup.crt'), rootCertificate);
923 if (xroot.serialNumber == '') { console.log("Fixing root certificate to add serial number..."); xroot.serialNumber = '' + require('crypto').randomBytes(4).readUInt32BE(0); }
924 if ((xext == null) || (xext.keyCertSign !== true)) { console.log("Fixing root certificate to add signing key usage..."); xroot.setExtensions([{ name: 'basicConstraints', cA: true }, { name: 'subjectKeyIdentifier' }, { name: 'keyUsage', keyCertSign: true }]); }
925 var xrootPrivateKey = obj.pki.privateKeyFromPem(rootPrivateKey);
926 xroot.sign(xrootPrivateKey, obj.forge.md.sha384.create());
927 r.root.cert = obj.pki.certificateToPem(xroot);
928 parent.common.moveOldFiles([parent.getConfigFilePath('root-cert-public.crt')]);
929 try { obj.fs.writeFileSync(parent.getConfigFilePath('root-cert-public.crt'), r.root.cert); } catch (ex) { }
930 }
931 }
932
933 // If web certificate exist, load it as default. This is useful for agent-only port. Load both certificate and private key
934 if (obj.fileExists('webserver-cert-public.crt') && obj.fileExists('webserver-cert-private.key')) {
935 r.webdefault = { cert: obj.fileLoad('webserver-cert-public.crt', 'utf8'), key: obj.decryptPrivateKey(obj.fileLoad('webserver-cert-private.key', 'utf8')) };
936 if (obj.checkCertificate(r.webdefault.cert, r.webdefault.key) == false) { delete r.webdefault; }
937 }
938
939 if (args.tlsoffload) {
940 // If the web certificate already exist, load it. Load just the certificate since we are in TLS offload situation
941 if (obj.fileExists('webserver-cert-public.crt')) {
942 r.web = { cert: obj.fileLoad('webserver-cert-public.crt', 'utf8') };
943 if (obj.checkCertificate(r.web.cert, null) == false) { delete r.web; } else { rcount++; }
944 }
945 } else {
946 // If the web certificate already exist, load it. Load both certificate and private key
947 if (obj.fileExists('webserver-cert-public.crt') && obj.decryptPrivateKey(obj.fileExists('webserver-cert-private.key'))) {
948 r.web = { cert: obj.fileLoad('webserver-cert-public.crt', 'utf8'), key: obj.decryptPrivateKey(obj.fileLoad('webserver-cert-private.key', 'utf8')) };
949 if (obj.checkCertificate(r.web.cert, r.web.key) == false) { delete r.web; } else { rcount++; }
950 }
951 }
952
953 // If the mps certificate already exist, load it
954 if (obj.fileExists('mpsserver-cert-public.crt') && obj.fileExists('mpsserver-cert-private.key')) {
955 r.mps = { cert: obj.fileLoad('mpsserver-cert-public.crt', 'utf8'), key: obj.decryptPrivateKey(obj.fileLoad('mpsserver-cert-private.key', 'utf8')) };
956 if (obj.checkCertificate(r.mps.cert, r.mps.key) == false) { delete r.mps; } else { rcount++; }
957 }
958
959 // If the agent certificate already exist, load it
960 if (obj.fileExists("agentserver-cert-public.crt") && obj.fileExists("agentserver-cert-private.key")) {
961 r.agent = { cert: obj.fileLoad("agentserver-cert-public.crt", 'utf8'), key: obj.decryptPrivateKey(obj.fileLoad("agentserver-cert-private.key", 'utf8')) };
962 if (obj.checkCertificate(r.agent.cert, r.agent.key) == false) { delete r.agent; } else { rcount++; }
963 }
964
965 // If the code signing certificate already exist, load it
966 if (obj.fileExists("codesign-cert-public.crt") && obj.fileExists("codesign-cert-private.key")) {
967 r.codesign = { cert: obj.fileLoad("codesign-cert-public.crt", 'utf8'), key: obj.decryptPrivateKey(obj.fileLoad("codesign-cert-private.key", 'utf8')) };
968 if (obj.checkCertificate(r.codesign.cert, r.codesign.key) == false) { delete r.codesign; } else { rcount++; }
969 } else {
970 // If we are reading certificates from a database or vault and are just missing the code signing cert, skip it.
971 if (parent.configurationFiles != null) { rcount++; }
972 }
973
974 // If the swarm server certificate exist, load it (This is an optional certificate)
975 if (obj.fileExists('swarmserver-cert-public.crt') && obj.fileExists('swarmserver-cert-private.key')) {
976 r.swarmserver = { cert: obj.fileLoad('swarmserver-cert-public.crt', 'utf8'), key: obj.decryptPrivateKey(obj.fileLoad('swarmserver-cert-private.key', 'utf8')) };
977 if (obj.checkCertificate(r.swarmserver.cert, r.swarmserver.key) == false) { delete r.swarmserver; }
978 }
979
980 // If the swarm server root certificate exist, load it (This is an optional certificate)
981 if (obj.fileExists('swarmserverroot-cert-public.crt')) {
982 r.swarmserverroot = { cert: obj.fileLoad('swarmserverroot-cert-public.crt', 'utf8') };
983 if (obj.checkCertificate(r.swarmserverroot.cert, null) == false) { delete r.swarmserverroot; }
984 }
985
986 // If CA certificates are present, load them
987 do {
988 caok = false;
989 if (obj.fileExists('webserver-cert-chain' + caindex + '.crt')) {
990 calist.push(obj.fileLoad('webserver-cert-chain' + caindex + '.crt', 'utf8'));
991 caok = true;
992 }
993 caindex++;
994 } while (caok === true);
995 if (r.web != null) { r.web.ca = calist; }
996
997 // Decode certificate arguments
998 var commonName = 'un-configured';
999 var country = null;
1000 var organization = null;
1001 var forceWebCertGen = 0;
1002 var forceMpsCertGen = 0;
1003 var forceCodeCertGen = 0;
1004 if (certargs != undefined) {
1005 var xargs = certargs.split(',');
1006 if (xargs.length > 0) { commonName = xargs[0]; }
1007 if (xargs.length > 1) { country = xargs[1]; }
1008 if (xargs.length > 2) { organization = xargs[2]; }
1009 }
1010
1011 // Decode MPS certificate arguments, this is for the Intel AMT CIRA server
1012 var mpsCommonName = ((config.settings != null) && (typeof config.settings.mpsaliashost == 'string')) ? config.settings.mpsaliashost : commonName;
1013 var mpsCountry = country;
1014 var mpsOrganization = organization;
1015 if (mpscertargs !== undefined) {
1016 var xxargs = mpscertargs.split(',');
1017 if (xxargs.length > 0) { mpsCommonName = xxargs[0]; }
1018 if (xxargs.length > 1) { mpsCountry = xxargs[1]; }
1019 if (xxargs.length > 2) { mpsOrganization = xxargs[2]; }
1020 }
1021
1022 if (rcount === rcountmax) {
1023 // Fetch the certificates names for the main certificate
1024 r.AmtMpsName = obj.getCertificateCommonName(r.mps.cert);
1025 r.WebIssuer = obj.getCertificateIssuerCommonName(r.web.cert);
1026 r.CommonName = obj.getCertificateCommonName(r.web.cert);
1027 r.CommonNames = obj.getCertificateAltNames(r.web.cert);
1028 r.RootName = obj.getCertificateCommonName(r.root.cert);
1029 r.CodeCertName = obj.getCertificateCommonName(r.codesign.cert);
1030
1031 // If the "cert" name is not set, try to use the certificate CN instead (ok if the certificate is not wildcard).
1032 if (commonName == 'un-configured') {
1033 if (r.CommonName.startsWith('*.')) { console.log("ERROR: Must specify a server full domain name in Config.json->Settings->Cert when using a wildcard certificate."); process.exit(0); return; }
1034 commonName = r.CommonName;
1035 }
1036 }
1037
1038 // Look for domains that have DNS names and load their certificates
1039 r.dns = {};
1040 for (i in config.domains) {
1041 if ((i != '') && (config.domains[i] != null) && (config.domains[i].dns != null)) {
1042 dnsname = config.domains[i].dns;
1043 // Check if this domain matches a parent wildcard cert, if so, use the parent cert.
1044 if (obj.compareCertificateNames(r.CommonNames, dnsname) == true) {
1045 r.dns[i] = { cert: obj.fileLoad('webserver-cert-public.crt', 'utf8'), key: obj.decryptPrivateKey(obj.fileLoad('webserver-cert-private.key', 'utf8')) };
1046 } else {
1047 if (args.tlsoffload) {
1048 // If the web certificate already exist, load it. Load just the certificate since we are in TLS offload situation
1049 if (obj.fileExists('webserver-' + i + '-cert-public.crt')) {
1050 r.dns[i] = { cert: obj.fileLoad('webserver-' + i + '-cert-public.crt', 'utf8') };
1051 config.domains[i].certs = r.dns[i];
1052 } else {
1053 console.log("WARNING: File \"webserver-" + i + "-cert-public.crt\" missing, domain \"" + i + "\" will not work correctly.");
1054 rcountmax++;
1055 }
1056 } else {
1057 // If the web certificate already exist, load it. Load both certificate and private key
1058 if (obj.fileExists('webserver-' + i + '-cert-public.crt') && obj.fileExists('webserver-' + i + '-cert-private.key')) {
1059 r.dns[i] = { cert: obj.fileLoad('webserver-' + i + '-cert-public.crt', 'utf8'), key: obj.decryptPrivateKey(obj.fileLoad('webserver-' + i + '-cert-private.key', 'utf8')) };
1060 config.domains[i].certs = r.dns[i];
1061 // If CA certificates are present, load them
1062 caindex = 1;
1063 r.dns[i].ca = [];
1064 do {
1065 caok = false;
1066 if (obj.fileExists('webserver-' + i + '-cert-chain' + caindex + '.crt')) {
1067 r.dns[i].ca.push(obj.fileLoad('webserver-' + i + '-cert-chain' + caindex + '.crt', 'utf8'));
1068 caok = true;
1069 }
1070 caindex++;
1071 } while (caok === true);
1072 } else {
1073 rcountmax++; // This certificate must be generated
1074 }
1075 }
1076 }
1077 }
1078 }
1079
1080 // If we have all the certificates we need, stop here.
1081 if (rcount === rcountmax) {
1082 if ((certargs == null) && (mpscertargs == null)) { if (func != undefined) { func(r); } return r; } // If no certificate arguments are given, keep the certificate
1083 const xcountry = obj.getCertificateCommonName(r.web.cert, 'C');
1084 const xorganization = obj.getCertificateCommonName(r.web.cert, 'O');
1085 if (certargs == null) { commonName = r.CommonName; country = xcountry; organization = xorganization; }
1086
1087 // Check if we have correct certificates.
1088 if (obj.compareCertificateNames(r.CommonNames, commonName) == false) { console.log("Error: " + commonName + " does not match name in TLS certificate: " + r.CommonNames.join(', ')); forceWebCertGen = 1; } else { r.CommonName = commonName; }
1089 if (r.AmtMpsName != mpsCommonName) { forceMpsCertGen = 1; }
1090 if (r.CodeCertName.startsWith(commonName) === false) { forceCodeCertGen = 1; }
1091 if (args.keepcerts == true) { forceWebCertGen = 0; forceMpsCertGen = 0; forceCodeCertGen = 0; r.CommonName = commonName; }
1092
1093 // If the certificates matches what we want, use them.
1094 if ((forceWebCertGen == 0) && (forceMpsCertGen == 0) && (forceCodeCertGen == 0)) {
1095 if (func !== null) { func(r); }
1096 return r;
1097 }
1098 }
1099
1100 if (parent.configurationFiles != null) {
1101 console.log("Error: Vault/Database missing some certificates.");
1102 if (r.root == null) { console.log(' Code signing certificate is missing.'); }
1103 if (r.web == null) { console.log(' HTTPS web certificate is missing.'); }
1104 if (r.mps == null) { console.log(' Intel AMT MPS certificate is missing.'); }
1105 if (r.agent == null) { console.log(' Server agent authentication certificate is missing.'); }
1106 if (r.codesign == null) { console.log(' Agent code signing certificate is missing.'); }
1107 process.exit(0);
1108 return null;
1109 }
1110
1111 console.log("Generating certificates, may take a few minutes...");
1112 parent.updateServerState('state', 'generatingcertificates');
1113
1114 // If a certificate is missing, but web certificate is present and --cert is not used, set the names to be the same as the web certificate
1115 if ((certargs == null) && (r.web != null)) {
1116 var webCertificate = obj.pki.certificateFromPem(r.web.cert);
1117 commonName = webCertificate.subject.getField('CN').value;
1118 var xcountryField = webCertificate.subject.getField('C');
1119 if (xcountryField != null) { country = xcountryField.value; }
1120 var xorganizationField = webCertificate.subject.getField('O');
1121 if (xorganizationField != null) { organization = xorganizationField.value; }
1122 }
1123
1124 var rootCertAndKey, rootCertificate, rootPrivateKey, rootName;
1125 if (r.root == null) {
1126 // If the root certificate does not exist, create one
1127 console.log("Generating root certificate...");
1128 if (typeof args.rootcertcommonname == 'string') {
1129 // If a root certificate common name is specified, use it.
1130 rootCertAndKey = obj.GenerateRootCertificate(false, args.rootcertcommonname, null, null, strongCertificate);
1131 } else {
1132 // A root certificate common name is not specified, use the default one.
1133 rootCertAndKey = obj.GenerateRootCertificate(true, 'MeshCentralRoot', null, null, strongCertificate);
1134 }
1135 rootCertificate = obj.pki.certificateToPem(rootCertAndKey.cert);
1136 rootPrivateKey = obj.pki.privateKeyToPem(rootCertAndKey.key);
1137 parent.common.moveOldFiles([parent.getConfigFilePath('root-cert-public.crt'), parent.getConfigFilePath('root-cert-private.key')]);
1138 obj.fs.writeFileSync(parent.getConfigFilePath('root-cert-public.crt'), rootCertificate);
1139 obj.fs.writeFileSync(parent.getConfigFilePath('root-cert-private.key'), rootPrivateKey);
1140 } else {
1141 // Keep the root certificate we have
1142 rootCertAndKey = { cert: obj.pki.certificateFromPem(r.root.cert), key: obj.pki.privateKeyFromPem(r.root.key) };
1143 rootCertificate = r.root.cert;
1144 rootPrivateKey = r.root.key;
1145 }
1146 var rootName = rootCertAndKey.cert.subject.getField('CN').value;
1147
1148 // If the web certificate does not exist, create one
1149 var webCertAndKey, webCertificate, webPrivateKey;
1150 if ((r.web == null) || (forceWebCertGen === 1)) {
1151 console.log("Generating HTTPS certificate...");
1152 webCertAndKey = obj.IssueWebServerCertificate(rootCertAndKey, false, commonName, country, organization, null, strongCertificate);
1153 webCertificate = obj.pki.certificateToPem(webCertAndKey.cert);
1154 webPrivateKey = obj.pki.privateKeyToPem(webCertAndKey.key);
1155 parent.common.moveOldFiles([parent.getConfigFilePath('webserver-cert-public.crt'), parent.getConfigFilePath('webserver-cert-private.key')]);
1156 obj.fs.writeFileSync(parent.getConfigFilePath('webserver-cert-public.crt'), webCertificate);
1157 obj.fs.writeFileSync(parent.getConfigFilePath('webserver-cert-private.key'), webPrivateKey);
1158 } else {
1159 // Keep the console certificate we have
1160 if (args.tlsoffload) {
1161 webCertAndKey = { cert: obj.pki.certificateFromPem(r.web.cert) };
1162 webCertificate = r.web.cert;
1163 } else {
1164 webCertAndKey = { cert: obj.pki.certificateFromPem(r.web.cert), key: obj.pki.privateKeyFromPem(r.web.key) };
1165 webCertificate = r.web.cert;
1166 webPrivateKey = r.web.key;
1167 }
1168 }
1169 var webIssuer = null;
1170 if (webCertAndKey.cert.issuer.getField('CN') != null) { webIssuer = webCertAndKey.cert.issuer.getField('CN').value; }
1171
1172 // If the mesh agent server certificate does not exist, create one
1173 var agentCertAndKey, agentCertificate, agentPrivateKey;
1174 if (r.agent == null) {
1175 console.log("Generating MeshAgent certificate...");
1176 agentCertAndKey = obj.IssueWebServerCertificate(rootCertAndKey, true, 'MeshCentralAgentServer', country, organization, { }, strongCertificate);
1177 agentCertificate = obj.pki.certificateToPem(agentCertAndKey.cert);
1178 agentPrivateKey = obj.pki.privateKeyToPem(agentCertAndKey.key);
1179 parent.common.moveOldFiles([parent.getConfigFilePath('agentserver-cert-public.crt'), parent.getConfigFilePath('agentserver-cert-private.key')]);
1180 obj.fs.writeFileSync(parent.getConfigFilePath('agentserver-cert-public.crt'), agentCertificate);
1181 obj.fs.writeFileSync(parent.getConfigFilePath('agentserver-cert-private.key'), agentPrivateKey);
1182 } else {
1183 // Keep the mesh agent server certificate we have
1184 agentCertAndKey = { cert: obj.pki.certificateFromPem(r.agent.cert), key: obj.pki.privateKeyFromPem(r.agent.key) };
1185 agentCertificate = r.agent.cert;
1186 agentPrivateKey = r.agent.key;
1187 }
1188
1189 // If the code signing certificate does not exist, create one
1190 var codesignCertAndKey, codesignCertificate, codesignPrivateKey;
1191 if ((r.codesign == null) || (forceCodeCertGen === 1)) {
1192 console.log("Generating code signing certificate...");
1193 codesignCertAndKey = obj.IssueWebServerCertificate(rootCertAndKey, true, commonName, country, organization, { codeSign: true }, strongCertificate);
1194 codesignCertificate = obj.pki.certificateToPem(codesignCertAndKey.cert);
1195 codesignPrivateKey = obj.pki.privateKeyToPem(codesignCertAndKey.key);
1196 parent.common.moveOldFiles([parent.getConfigFilePath('codesign-cert-public.crt'), parent.getConfigFilePath('codesign-cert-private.key')]);
1197 obj.fs.writeFileSync(parent.getConfigFilePath('codesign-cert-public.crt'), codesignCertificate);
1198 obj.fs.writeFileSync(parent.getConfigFilePath('codesign-cert-private.key'), codesignPrivateKey);
1199 } else {
1200 // Keep the code signing certificate we have
1201 codesignCertAndKey = { cert: obj.pki.certificateFromPem(r.codesign.cert), key: obj.pki.privateKeyFromPem(r.codesign.key) };
1202 codesignCertificate = r.codesign.cert;
1203 codesignPrivateKey = r.codesign.key;
1204 }
1205
1206 // If the Intel AMT MPS certificate does not exist, create one
1207 var mpsCertAndKey, mpsCertificate, mpsPrivateKey;
1208 if ((r.mps == null) || (forceMpsCertGen === 1)) {
1209 console.log("Generating Intel AMT MPS certificate...");
1210 mpsCertAndKey = obj.IssueWebServerCertificate(rootCertAndKey, false, mpsCommonName, mpsCountry, mpsOrganization, null, false);
1211 mpsCertificate = obj.pki.certificateToPem(mpsCertAndKey.cert);
1212 mpsPrivateKey = obj.pki.privateKeyToPem(mpsCertAndKey.key);
1213 parent.common.moveOldFiles([parent.getConfigFilePath('mpsserver-cert-public.crt'), parent.getConfigFilePath('mpsserver-cert-private.key')]);
1214 obj.fs.writeFileSync(parent.getConfigFilePath('mpsserver-cert-public.crt'), mpsCertificate);
1215 obj.fs.writeFileSync(parent.getConfigFilePath('mpsserver-cert-private.key'), mpsPrivateKey);
1216 } else {
1217 // Keep the console certificate we have
1218 mpsCertAndKey = { cert: obj.pki.certificateFromPem(r.mps.cert), key: obj.pki.privateKeyFromPem(r.mps.key) };
1219 mpsCertificate = r.mps.cert;
1220 mpsPrivateKey = r.mps.key;
1221 }
1222
1223 r = { root: { cert: rootCertificate, key: rootPrivateKey }, web: { cert: webCertificate, key: webPrivateKey, ca: [] }, webdefault: { cert: webCertificate, key: webPrivateKey, ca: [] }, mps: { cert: mpsCertificate, key: mpsPrivateKey }, agent: { cert: agentCertificate, key: agentPrivateKey }, codesign: { cert: codesignCertificate, key: codesignPrivateKey }, ca: calist, CommonName: commonName, RootName: rootName, AmtMpsName: mpsCommonName, dns: {}, WebIssuer: webIssuer };
1224
1225 // Fetch the certificates names for the main certificate
1226 var webCertificate = obj.pki.certificateFromPem(r.web.cert);
1227 if (webCertificate.issuer.getField('CN') != null) { r.WebIssuer = webCertificate.issuer.getField('CN').value; } else { r.WebIssuer = null; }
1228 r.CommonName = webCertificate.subject.getField('CN').value;
1229 if (r.CommonName.startsWith('*.')) {
1230 if (commonName.indexOf('.') == -1) { console.log("ERROR: Must specify a server full domain name in Config.json->Settings->Cert when using a wildcard certificate."); process.exit(0); return; }
1231 if (commonName.startsWith('*.')) { console.log("ERROR: Server can't use a wildcard name: " + commonName); process.exit(0); return; }
1232 r.CommonName = commonName;
1233 }
1234 r.CommonNames = [r.CommonName.toLowerCase()];
1235 var altNames = webCertificate.getExtension('subjectAltName');
1236 if (altNames) {
1237 for (i = 0; i < altNames.altNames.length; i++) {
1238 if ((altNames.altNames[i] != null) && (altNames.altNames[i].type === 2) && (typeof altNames.altNames[i].value === 'string')) {
1239 var acn = altNames.altNames[i].value.toLowerCase();
1240 if (r.CommonNames.indexOf(acn) == -1) { r.CommonNames.push(acn); }
1241 }
1242 }
1243 }
1244 var rootCertificate = obj.pki.certificateFromPem(r.root.cert);
1245 r.RootName = rootCertificate.subject.getField('CN').value;
1246
1247 // Look for domains with DNS names that have no certificates and generated them.
1248 for (i in config.domains) {
1249 if ((i != '') && (config.domains[i] != null) && (config.domains[i].dns != null)) {
1250 dnsname = config.domains[i].dns;
1251 // Check if this domain matches a parent wildcard cert, if so, use the parent cert.
1252 if (obj.compareCertificateNames(r.CommonNames, dnsname) == true) {
1253 r.dns[i] = { cert: obj.fileLoad('webserver-cert-public.crt', 'utf8'), key: obj.decryptPrivateKey(obj.fileLoad('webserver-cert-private.key', 'utf8')) };
1254 } else {
1255 if (!args.tlsoffload) {
1256 // If the web certificate does not exist, create it
1257 if ((obj.fileExists('webserver-' + i + '-cert-public.crt') === false) || (obj.fileExists('webserver-' + i + '-cert-private.key') === false)) {
1258 console.log('Generating HTTPS certificate for ' + i + '...');
1259 var xwebCertAndKey = obj.IssueWebServerCertificate(rootCertAndKey, false, dnsname, country, organization, null, strongCertificate);
1260 var xwebCertificate = obj.pki.certificateToPem(xwebCertAndKey.cert);
1261 var xwebPrivateKey = obj.pki.privateKeyToPem(xwebCertAndKey.key);
1262 parent.common.moveOldFiles([ parent.getConfigFilePath('webserver-' + i + '-cert-public.crt'), parent.getConfigFilePath('webserver-' + i + '-cert-private.key') ]);
1263 obj.fs.writeFileSync(parent.getConfigFilePath('webserver-' + i + '-cert-public.crt'), xwebCertificate);
1264 obj.fs.writeFileSync(parent.getConfigFilePath('webserver-' + i + '-cert-private.key'), xwebPrivateKey);
1265 r.dns[i] = { cert: xwebCertificate, key: xwebPrivateKey };
1266 config.domains[i].certs = r.dns[i];
1267
1268 // If CA certificates are present, load them
1269 caindex = 1;
1270 r.dns[i].ca = [];
1271 do {
1272 caok = false;
1273 if (obj.fileExists('webserver-' + i + '-cert-chain' + caindex + '.crt')) {
1274 r.dns[i].ca.push(fixEndOfLines(obj.fs.readFileSync(parent.getConfigFilePath('webserver-' + i + '-cert-chain' + caindex + '.crt'), 'utf8')));
1275 caok = true;
1276 }
1277 caindex++;
1278 } while (caok === true);
1279 }
1280 }
1281 }
1282 }
1283 }
1284
1285 // If the swarm server certificate exist, load it (This is an optional certificate)
1286 if (obj.fileExists('swarmserver-cert-public.crt') && obj.fileExists('swarmserver-cert-private.key')) {
1287 r.swarmserver = { cert: fixEndOfLines(obj.fs.readFileSync(parent.getConfigFilePath('swarmserver-cert-public.crt'), 'utf8')), key: fixEndOfLines(obj.fs.readFileSync(parent.getConfigFilePath("swarmserver-cert-private.key"), 'utf8')) };
1288 }
1289
1290 // If the swarm server root certificate exist, load it (This is an optional certificate)
1291 if (obj.fileExists('swarmserverroot-cert-public.crt')) {
1292 r.swarmserverroot = { cert: fixEndOfLines(obj.fs.readFileSync(parent.getConfigFilePath('swarmserverroot-cert-public.crt'), 'utf8')) };
1293 }
1294
1295 // If CA certificates are present, load them
1296 if (r.web != null) {
1297 caindex = 1;
1298 r.web.ca = [];
1299 do {
1300 caok = false;
1301 if (obj.fileExists('webserver-cert-chain' + caindex + '.crt')) {
1302 r.web.ca.push(fixEndOfLines(obj.fs.readFileSync(parent.getConfigFilePath('webserver-cert-chain' + caindex + '.crt'), 'utf8')));
1303 caok = true;
1304 }
1305 caindex++;
1306 } while (caok === true);
1307 }
1308
1309 if (func != undefined) { func(r); }
1310 return r;
1311 };
1312
1313 // Accelerators, used to dispatch work to other processes
1314 const fork = require('child_process').fork;
1315 const program = require('path').join(__dirname, 'meshaccelerator.js');
1316 const acceleratorTotalCount = require('os').cpus().length; // TODO: Check if this accelerator can scale.
1317 var acceleratorCreateCount = acceleratorTotalCount;
1318 var freeAccelerators = [];
1319 var pendingAccelerator = [];
1320 obj.acceleratorCertStore = null;
1321
1322 // Accelerator Stats
1323 var getAcceleratorFuncCalls = 0;
1324 var acceleratorStartFuncCall = 0;
1325 var acceleratorPerformSignatureFuncCall = 0;
1326 var acceleratorPerformSignaturePushFuncCall = 0;
1327 var acceleratorPerformSignatureRunFuncCall = 0;
1328 var acceleratorMessage = 0;
1329 var acceleratorMessageException = 0;
1330 var acceleratorMessageLastException = null;
1331 var acceleratorException = 0;
1332 var acceleratorLastException = null;
1333
1334 // Get stats about the accelerators
1335 obj.getAcceleratorStats = function () {
1336 return {
1337 acceleratorTotalCount: acceleratorTotalCount,
1338 acceleratorCreateCount: acceleratorCreateCount,
1339 freeAccelerators: freeAccelerators.length,
1340 pendingAccelerator: pendingAccelerator.length,
1341 getAcceleratorFuncCalls: getAcceleratorFuncCalls,
1342 startFuncCall: acceleratorStartFuncCall,
1343 performSignatureFuncCall: acceleratorPerformSignatureFuncCall,
1344 performSignaturePushFuncCall: acceleratorPerformSignaturePushFuncCall,
1345 performSignatureRunFuncCall: acceleratorPerformSignatureRunFuncCall,
1346 message: acceleratorMessage,
1347 messageException: acceleratorMessageException,
1348 messageLastException: acceleratorMessageLastException,
1349 exception: acceleratorException,
1350 lastException: acceleratorLastException
1351 };
1352 }
1353
1354 // Create a new accelerator module
1355 obj.getAccelerator = function () {
1356 getAcceleratorFuncCalls++;
1357 if (obj.acceleratorCertStore == null) { return null; }
1358 if (freeAccelerators.length > 0) { return freeAccelerators.pop(); }
1359 if (acceleratorCreateCount > 0) {
1360 acceleratorCreateCount--;
1361 var accelerator = fork(program, [], { stdio: ['pipe', 'pipe', 'pipe', 'ipc'] });
1362 accelerator.accid = acceleratorCreateCount;
1363 accelerator.on('message', function (message) {
1364 acceleratorMessage++;
1365 if (this.x.func) { this.x.func(this.x.tag, message); }
1366 delete this.x;
1367 if (pendingAccelerator.length > 0) { this.send(this.x = pendingAccelerator.shift()); } else { freeAccelerators.push(this); }
1368 });
1369 accelerator.on('exit', function (code) {
1370 if (this.x) { pendingAccelerator.push(this.x); delete this.x; }
1371 acceleratorCreateCount++;
1372 if (pendingAccelerator.length > 0) { var acc = obj.getAccelerator(); acc.send(acc.x = pendingAccelerator.shift()); }
1373 });
1374 accelerator.on('error', function (code) { }); // Not sure if somethign should be done here to help kill the process.
1375 accelerator.send({ action: 'setState', certs: obj.acceleratorCertStore });
1376 return accelerator;
1377 }
1378 return null;
1379 };
1380
1381 // Set the state of the accelerators. This way, we don"t have to send certificate & keys to them each time.
1382 obj.acceleratorStart = function (certificates) {
1383 acceleratorStartFuncCall++;
1384 if (obj.acceleratorCertStore != null) { console.error("ERROR: Accelerators can only be started once."); return; }
1385 obj.acceleratorCertStore = [{ cert: certificates.agent.cert, key: certificates.agent.key }];
1386 if (certificates.swarmserver != null) { obj.acceleratorCertStore.push({ cert: certificates.swarmserver.cert, key: certificates.swarmserver.key }); }
1387 };
1388
1389 // Perform any RSA signature, just pass in the private key and data.
1390 obj.acceleratorPerformSignature = function (privatekey, data, tag, func) {
1391 acceleratorPerformSignatureFuncCall++;
1392 if (acceleratorTotalCount <= 1) {
1393 // No accelerators available
1394 if (typeof privatekey == 'number') { privatekey = obj.acceleratorCertStore[privatekey].key; }
1395 const sign = obj.crypto.createSign('SHA384');
1396 sign.end(Buffer.from(data, 'binary'));
1397 try { func(tag, sign.sign(privatekey).toString('binary')); } catch (ex) { acceleratorMessageException++; acceleratorMessageLastException = ex; }
1398 } else {
1399 var acc = obj.getAccelerator();
1400 if (acc == null) {
1401 // Add to pending accelerator workload
1402 acceleratorPerformSignaturePushFuncCall++;
1403 pendingAccelerator.push({ action: 'sign', key: privatekey, data: data, tag: tag, func: func });
1404 } else {
1405 // Send to accelerator now
1406 acceleratorPerformSignatureRunFuncCall++;
1407 acc.send(acc.x = { action: 'sign', key: privatekey, data: data, tag: tag, func: func });
1408 }
1409 }
1410 };
1411
1412 // Perform any general operation
1413 obj.acceleratorPerformOperation = function (operation, data, tag, func) {
1414 var acc = obj.getAccelerator();
1415 if (acc == null) {
1416 // Add to pending accelerator workload
1417 acceleratorPerformSignaturePushFuncCall++;
1418 pendingAccelerator.push({ action: operation, data: data, tag: tag, func: func });
1419 } else {
1420 // Send to accelerator now
1421 acceleratorPerformSignatureRunFuncCall++;
1422 acc.send(acc.x = { action: operation, data: data, tag: tag, func: func });
1423 }
1424 };
1425
1426 return obj;
1427};