Fixed Intel AMT ACM certificate matching bug, #2805.

This commit is contained in:
Ylian Saint-Hilaire 2021-07-15 10:15:05 -07:00
parent 47a8952c19
commit 37418ba6e0

View File

@ -49,7 +49,7 @@ module.exports.CertificateOperations = function (parent) {
if ((certEntry.sha256 == hash) && ((certEntry.cn == '*') || checkAcmActivationCertName(certEntry.cn, fqdn))) { hashAlgo = 'sha256'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; } if ((certEntry.sha256 == hash) && ((certEntry.cn == '*') || checkAcmActivationCertName(certEntry.cn, fqdn))) { hashAlgo = 'sha256'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
if ((certEntry.sha1 == hash) && ((certEntry.cn == '*') || checkAcmActivationCertName(certEntry.cn, fqdn))) { hashAlgo = 'sha1'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; } if ((certEntry.sha1 == hash) && ((certEntry.cn == '*') || checkAcmActivationCertName(certEntry.cn, fqdn))) { hashAlgo = 'sha1'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
} }
if (signkey == null) return { action: 'acmactivate', error: 2, errorText: "No signing certificate found." }; // Did not find a match. if (signkey == null) return { action: 'acmactivate', error: 2, errorText: "Can't create ACM cert chain, no signing certificate found." }; // Did not find a match.
// If the matching certificate our wildcard root cert, we can use the root to match any FQDN // If the matching certificate our wildcard root cert, we can use the root to match any FQDN
if (domain.amtacmactivation.certs[certIndex].cn == '*') { if (domain.amtacmactivation.certs[certIndex].cn == '*') {
@ -86,10 +86,10 @@ module.exports.CertificateOperations = function (parent) {
var signkey = null, certChain = null, hashAlgo = null, certIndex = null; var signkey = null, certChain = null, hashAlgo = null, certIndex = null;
for (var i in domain.amtacmactivation.certs) { for (var i in domain.amtacmactivation.certs) {
const certEntry = domain.amtacmactivation.certs[i]; const certEntry = domain.amtacmactivation.certs[i];
if ((certEntry.sha256 == request.hash) && ((certEntry.cn == '*') || (certEntry.cn == request.fqdn))) { hashAlgo = 'sha256'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; } if ((certEntry.sha256 == request.hash) && ((certEntry.cn == '*') || checkAcmActivationCertName(certEntry.cn, request.fqdn))) { hashAlgo = 'sha256'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
if ((certEntry.sha1 == request.hash) && ((certEntry.cn == '*') || (certEntry.cn == request.fqdn))) { hashAlgo = 'sha1'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; } if ((certEntry.sha1 == request.hash) && ((certEntry.cn == '*') || checkAcmActivationCertName(certEntry.cn, request.fqdn))) { hashAlgo = 'sha1'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
} }
if (signkey == null) return { 'action': 'acmactivate', 'error': 2, 'errorText': "No signing certificate found." }; // Did not find a match. if (signkey == null) return { 'action': 'acmactivate', 'error': 2, 'errorText': "Can't sign ACM request, no signing certificate found (2)." }; // Did not find a match.
// If the matching certificate our wildcard root cert, we can use the root to match any FQDN // If the matching certificate our wildcard root cert, we can use the root to match any FQDN
if (domain.amtacmactivation.certs[certIndex].cn == '*') { if (domain.amtacmactivation.certs[certIndex].cn == '*') {