From 423daaf19d258ffbff13107f9fe91651d5c33cd9 Mon Sep 17 00:00:00 2001 From: Ylian Saint-Hilaire Date: Wed, 3 Mar 2021 23:49:53 -0800 Subject: [PATCH] Partial work for host-based ACM AMT activation. --- agents/meshcmd.js | 8 ++++++ agents/meshcore.js | 5 ++++ agents/modules_meshcmd/amt-apfclient.js | 1 + agents/modules_meshcmd/amt-mei.js | 23 ++++++++++++--- agents/modules_meshcore/amt-apfclient.js | 1 + agents/modules_meshcore/amt-manage.js | 6 ++++ agents/modules_meshcore/amt-mei.js | 23 ++++++++++++--- amtmanager.js | 36 +++++++++++++++++++++++- amtscanner.js | 11 +++++--- certoperations.js | 36 ++++++++++++++++++++++++ mpsserver.js | 8 ++++-- 11 files changed, 143 insertions(+), 15 deletions(-) diff --git a/agents/meshcmd.js b/agents/meshcmd.js index 341e715d..cdbcdf09 100644 --- a/agents/meshcmd.js +++ b/agents/meshcmd.js @@ -1174,6 +1174,14 @@ function configureJsonControl(data) { amtMei.on('error', function (e) { settings.apftunnel.sendMeiDeactivationState(1); }); amtMei.unprovision(1, function (status) { settings.apftunnel.sendMeiDeactivationState(status); }); // 0 = Success break; + case 'startTlsHostConfig': // Request start of host based TLS ACM activation + var amtMeiModule, amtMei; + try { amtMeiModule = require('amt-mei'); amtMei = new amtMeiModule(); } catch (ex) { settings.apftunnel.sendStartTlsHostConfigResponse({ state: -103 }); break; } + amtMei.on('error', function (e) { settings.apftunnel.sendStartTlsHostConfigResponse({ state: -104 }); }); + amtMei.startConfigurationHBased(Buffer.from(data.hash, 'hex'), data.hostVpn, data.dnsSuffixList, function (response) { + settings.apftunnel.sendStartTlsHostConfigResponse(response); + }); + break; case 'close': // Close the CIRA-LMS connection exit(0); break; diff --git a/agents/meshcore.js b/agents/meshcore.js index c7d17d66..86d6e460 100644 --- a/agents/meshcore.js +++ b/agents/meshcore.js @@ -1197,6 +1197,11 @@ function handleServerCommand(data) { amtMei.unprovision(1, function (status) { if (apftunnel) apftunnel.sendMeiDeactivationState(status); }); // 0 = Success } if (data.action == 'close') { try { apftunnel.disconnect(); } catch (e) { } apftunnel = null; } // Close the CIRA-LMS connection + if (data.action == 'startTlsHostConfig') { // Request start of host based TLS ACM activation + amt.startConfigurationHBased(Buffer.from(data.hash, 'hex'), data.hostVpn, data.dnsSuffixList, function (response) { + apftunnel.sendStartTlsHostConfigResponse(response); + }); + } } apftunnel.onChannelClosed = function () { addAmtEvent('LMS tunnel closed.'); apftunnel = null; } try { apftunnel.connect(); } catch (ex) { } diff --git a/agents/modules_meshcmd/amt-apfclient.js b/agents/modules_meshcmd/amt-apfclient.js index ba37a4d3..6fd87eb0 100644 --- a/agents/modules_meshcmd/amt-apfclient.js +++ b/agents/modules_meshcmd/amt-apfclient.js @@ -183,6 +183,7 @@ function CreateAPFClient(parent, args) { obj.updateMeiState = function (state) { SendJsonControl(obj.forwardClient.ws, { action: 'meiState', value: state }); } obj.sendMeiDeactivationState = function (state) { SendJsonControl(obj.forwardClient.ws, { action: 'deactivate', value: state }); } + obj.sendStartTlsHostConfigResponse = function (state) { SendJsonControl(obj.forwardClient.ws, { action: 'startTlsHostConfig', value: state }); } function SendJsonControl(socket, o) { var data = JSON.stringify(o) diff --git a/agents/modules_meshcmd/amt-mei.js b/agents/modules_meshcmd/amt-mei.js index 59f30170..3c9986cb 100644 --- a/agents/modules_meshcmd/amt-mei.js +++ b/agents/modules_meshcmd/amt-mei.js @@ -419,8 +419,8 @@ function amt_heci() { }, this, callback, optional); } - this.startConfigurationHBased = function startConfigurationHBased(certHash, hostVpn, dnsSuffixList, callback) { - if ((certHash == null) || ((certHash.length != 32) && (certHash.length != 48))) { throw "Bad certHash"; } + this.startConfigurationHBased = function startConfigurationHBased(certHash, hostVpn, dnsSuffixList, func) { + if ((certHash == null) || ((certHash.length != 32) && (certHash.length != 48))) { func({ status: -101 }); } var optional = []; for (var i = 4; i < arguments.length; ++i) { optional.push(arguments[i]); } @@ -447,8 +447,23 @@ function amt_heci() { opt.unshift({ status: header.Status }); } fn.apply(this, opt); - }, callback, optional); + }, func, optional); } } -module.exports = amt_heci; \ No newline at end of file +module.exports = amt_heci; + + +/* +AMT_STATUS_SUCCESS = 0, +AMT_STATUS_INTERNAL_ERROR = 1, +AMT_STATUS_INVALID_AMT_MODE = 3, +AMT_STATUS_INVALID_MESSAGE_LENGTH = 4, +AMT_STATUS_MAX_LIMIT_REACHED = 23, +AMT_STATUS_INVALID_PARAMETER = 36, +AMT_STATUS_RNG_GENERATION_IN_PROGRESS = 47, +AMT_STATUS_RNG_NOT_READY = 48, +AMT_STATUS_CERTIFICATE_NOT_READY = 49, +AMT_STATUS_INVALID_HANDLE = 2053 +AMT_STATUS_NOT_FOUND = 2068, +*/ \ No newline at end of file diff --git a/agents/modules_meshcore/amt-apfclient.js b/agents/modules_meshcore/amt-apfclient.js index ba37a4d3..6fd87eb0 100644 --- a/agents/modules_meshcore/amt-apfclient.js +++ b/agents/modules_meshcore/amt-apfclient.js @@ -183,6 +183,7 @@ function CreateAPFClient(parent, args) { obj.updateMeiState = function (state) { SendJsonControl(obj.forwardClient.ws, { action: 'meiState', value: state }); } obj.sendMeiDeactivationState = function (state) { SendJsonControl(obj.forwardClient.ws, { action: 'deactivate', value: state }); } + obj.sendStartTlsHostConfigResponse = function (state) { SendJsonControl(obj.forwardClient.ws, { action: 'startTlsHostConfig', value: state }); } function SendJsonControl(socket, o) { var data = JSON.stringify(o) diff --git a/agents/modules_meshcore/amt-manage.js b/agents/modules_meshcore/amt-manage.js index 179ef1d3..8fb38542 100644 --- a/agents/modules_meshcore/amt-manage.js +++ b/agents/modules_meshcore/amt-manage.js @@ -157,6 +157,12 @@ function AmtManager(agent, db, isdebug) { } } + // Start host based ACM activation with TLS + obj.startConfigurationHBased = function startConfigurationHBased(certHash, hostVpn, dnsSuffixList, func) { + if ((amtMei == null) || (amtMeiState < 2)) { if (func != null) { func({ status: -100 }); } return; } + amtMei.startConfigurationHBased(certHash, hostVpn, dnsSuffixList, func); + } + } module.exports = AmtManager; diff --git a/agents/modules_meshcore/amt-mei.js b/agents/modules_meshcore/amt-mei.js index 59f30170..3c9986cb 100644 --- a/agents/modules_meshcore/amt-mei.js +++ b/agents/modules_meshcore/amt-mei.js @@ -419,8 +419,8 @@ function amt_heci() { }, this, callback, optional); } - this.startConfigurationHBased = function startConfigurationHBased(certHash, hostVpn, dnsSuffixList, callback) { - if ((certHash == null) || ((certHash.length != 32) && (certHash.length != 48))) { throw "Bad certHash"; } + this.startConfigurationHBased = function startConfigurationHBased(certHash, hostVpn, dnsSuffixList, func) { + if ((certHash == null) || ((certHash.length != 32) && (certHash.length != 48))) { func({ status: -101 }); } var optional = []; for (var i = 4; i < arguments.length; ++i) { optional.push(arguments[i]); } @@ -447,8 +447,23 @@ function amt_heci() { opt.unshift({ status: header.Status }); } fn.apply(this, opt); - }, callback, optional); + }, func, optional); } } -module.exports = amt_heci; \ No newline at end of file +module.exports = amt_heci; + + +/* +AMT_STATUS_SUCCESS = 0, +AMT_STATUS_INTERNAL_ERROR = 1, +AMT_STATUS_INVALID_AMT_MODE = 3, +AMT_STATUS_INVALID_MESSAGE_LENGTH = 4, +AMT_STATUS_MAX_LIMIT_REACHED = 23, +AMT_STATUS_INVALID_PARAMETER = 36, +AMT_STATUS_RNG_GENERATION_IN_PROGRESS = 47, +AMT_STATUS_RNG_NOT_READY = 48, +AMT_STATUS_CERTIFICATE_NOT_READY = 49, +AMT_STATUS_INVALID_HANDLE = 2053 +AMT_STATUS_NOT_FOUND = 2068, +*/ \ No newline at end of file diff --git a/amtmanager.js b/amtmanager.js index ec69ecd4..be06ebf6 100644 --- a/amtmanager.js +++ b/amtmanager.js @@ -246,6 +246,10 @@ module.exports.CreateAmtManager = function (parent) { delete dev.pendingUpdatedMeiState; attemptInitialContact(dev); break; + case 'startTlsHostConfig': + if (dev.acmTlsInfo == null) break; + console.log(jsondata); // TODO: Start TLS activation. + break; } } @@ -345,6 +349,9 @@ module.exports.CreateAmtManager = function (parent) { if (typeof dev.mpsConnection.tag.meiState['ProvisioningState'] == 'number') { dev.intelamt.state = dev.aquired.state = dev.mpsConnection.tag.meiState['ProvisioningState']; } + if ((typeof dev.mpsConnection.tag.meiState['Versions'] == 'object') && (typeof dev.mpsConnection.tag.meiState['Versions']['AMT'] == 'string')) { + dev.intelamt.ver = dev.aquired.version = dev.mpsConnection.tag.meiState['Versions']['AMT']; + } if (typeof dev.mpsConnection.tag.meiState['Flags'] == 'number') { const flags = dev.intelamt.flags = dev.mpsConnection.tag.meiState['Flags']; if (flags & 2) { dev.aquired.controlMode = 1; } // CCM @@ -459,6 +466,9 @@ module.exports.CreateAmtManager = function (parent) { dev.amtstack.BatchEnum(null, ['*AMT_GeneralSettings', '*IPS_HostBasedSetupService'], attemptLocalConnectResponse); break; case 3: // Local LAN + // Check if Intel AMT is activated. If not, stop here. + if ((dev.intelamt == null) || ((dev.intelamt.state != null) && (dev.intelamt.state != 2))) { removeAmtDevice(dev); return; } + // Handle the case where the Intel AMT local scanner found the device (connType 3) parent.debug('amt', dev.name, "Attempt Initial Local Contact", dev.connType, dev.host); if (typeof dev.host != 'string') { removeAmtDevice(dev); return; } // Local connection not valid @@ -1666,7 +1676,15 @@ module.exports.CreateAmtManager = function (parent) { deactivateIntelAmtCCM(dev); } else { // We are not activated now, go to ACM directly. - activateIntelAmtAcm(dev, mesh.amt.password, acminfo); + // If this is Intel AMT 14 or better, we are going to attempt a host-based end-to-end TLS activation. + if (typeof dev.intelamt.ver == 'string') { var verSplit = dev.intelamt.ver.split('.'); if (verSplit.length >= 3) { dev.aquired.majorver = parseInt(verSplit[0]); dev.aquired.minorver = parseInt(verSplit[1]); } } + if (dev.aquired.majorver >= 14) { + // Perform host-based TLS ACM activation + activateIntelAmtTlsAcm(dev, mesh.amt.password, acminfo); + } else { + // Perform host-based ACM activation + activateIntelAmtAcm(dev, mesh.amt.password, acminfo); + } } } } @@ -1769,6 +1787,22 @@ module.exports.CreateAmtManager = function (parent) { return null; // Did not find a match } + // Attempt Intel AMT TLS ACM activation + function activateIntelAmtTlsAcm(dev, password, acminfo) { + // Generate a random Intel AMT password if needed + if ((password == null) || (password == '')) { password = getRandomAmtPassword(); } + dev.temp = { pass: password, acminfo: acminfo }; + + // Get our ACM activation certificate chain + var acmTlsInfo = parent.certificateOperations.getAcmCertChain(parent.config.domains[dev.domainid], dev.temp.acminfo.fqdn, dev.temp.acminfo.hash); + if (acmTlsInfo.error == 1) { dev.consoleMsg(acmTlsInfo.errorText); removeAmtDevice(dev); return; } + dev.acmTlsInfo = acmTlsInfo; + + // Send the MEI command to enable TLS connections + dev.consoleMsg("Performing TLS ACM activation..."); + dev.controlMsg({ action: 'startTlsHostConfig', hash: acmTlsInfo.hash, hostVpn: false, dnsSuffixList: null }); + } + // Attempt Intel AMT ACM activation function activateIntelAmtAcm(dev, password, acminfo) { // Generate a random Intel AMT password if needed diff --git a/amtscanner.js b/amtscanner.js index 9807061e..c7e34d04 100644 --- a/amtscanner.js +++ b/amtscanner.js @@ -287,15 +287,18 @@ module.exports.CreateAmtScanner = function (parent) { obj.changeConnectState = function (tag, minorVersion, majorVersion, provisioningState, openPort, dualPorts, rinfo, user) { //var provisioningStates = { 0: 'Pre', 1: 'in', 2: 'Post' }; //var provisioningStateStr = provisioningStates[provisioningState]; - //console.log('Intel AMT ' + majorVersion + '.' + minorVersion + ', ' + provisioningStateStr + '-Provisioning at ' + rinfo.address + ', Open Ports: [' + openPort + '], tag: ' + tag); + //console.log('Intel AMT ' + majorVersion + '.' + minorVersion + ', ' + provisioningStateStr + '-Provisioning at ' + rinfo.address + ', Open Ports: [' + openPort + '], tag: ' + tag + ', dualPorts: ' + dualPorts); var scaninfo = obj.scanTableTags[tag]; if (scaninfo != undefined) { scaninfo.lastpong = Date.now(); if (scaninfo.state == 0) { scaninfo.state = 1; - scaninfo.nodeinfo.intelamt.tls = (((openPort == 16993) || (dualPorts == true)) ? 1 : 0); - scaninfo.nodeinfo.intelamt.ver = majorVersion + '.' + minorVersion; - scaninfo.nodeinfo.intelamt.state = provisioningState; + if ((openPort == 16993) || (dualPorts == true)) { scaninfo.nodeinfo.intelamt.tls = 1; } + else if (openPort == 16992) { scaninfo.nodeinfo.intelamt.tls = 0; } + if (majorVersion > 0) { // Older versions of Intel AMT report the AMT version. + scaninfo.nodeinfo.intelamt.ver = majorVersion + '.' + minorVersion; + scaninfo.nodeinfo.intelamt.state = provisioningState; + } obj.parent.SetConnectivityState(scaninfo.nodeinfo.meshid, scaninfo.nodeinfo._id, scaninfo.lastpong, 4, 7); // Report power state as "present" (7). obj.changeAmtState(scaninfo.nodeinfo._id, scaninfo.nodeinfo.intelamt.ver, provisioningState, scaninfo.nodeinfo.intelamt.tls); if (obj.parent.amtManager != null) { obj.parent.amtManager.startAmtManagement(scaninfo.nodeinfo._id, 3, scaninfo.nodeinfo.host); } diff --git a/certoperations.js b/certoperations.js index 8dce9719..2ba9c21d 100644 --- a/certoperations.js +++ b/certoperations.js @@ -28,6 +28,42 @@ module.exports.CertificateOperations = function (parent) { const TopLevelDomainExtendedSupport = { 'net': 2, 'com': 2, 'arpa': 3, 'org': 2, 'gov': 2, 'edu': 2, 'de': 2, 'fr': 3, 'cn': 3, 'nl': 3, 'br': 3, 'mx': 3, 'uk': 3, 'pl': 3, 'tw': 3, 'ca': 3, 'fi': 3, 'be': 3, 'ru': 3, 'se': 3, 'ch': 2, 'dk': 2, 'ar': 3, 'es': 3, 'no': 3, 'at': 3, 'in': 3, 'tr': 3, 'cz': 2, 'ro': 3, 'hu': 3, 'nz': 3, 'pt': 3, 'il': 3, 'gr': 3, 'co': 3, 'ie': 3, 'za': 3, 'th': 3, 'sg': 3, 'hk': 3, 'cl': 2, 'lt': 3, 'id': 3, 'hr': 3, 'ee': 3, 'bg': 3, 'ua': 2 }; + // Sign a Intel AMT TLS ACM activation request + obj.getAcmCertChain = function (domain, fqdn, hash) { + if ((domain == null) || (domain.amtacmactivation == null) || (domain.amtacmactivation.certs == null) || (fqdn == null) || (hash == null)) return { action: 'acmactivate', error: 1, errorText: 'Invalid arguments' }; + if (parent.common.validateString(fqdn, 4, 256) == false) return { action: 'acmactivate', error: 1, errorText: "Invalid FQDN argument." }; + if (parent.common.validateString(hash, 16, 256) == false) return { action: 'acmactivate', error: 1, errorText: "Invalid hash argument." }; + + // Look for the signing certificate + var signkey = null, certChain = null, hashAlgo = null, certIndex = null; + for (var i in domain.amtacmactivation.certs) { + const certEntry = domain.amtacmactivation.certs[i]; + if ((certEntry.sha256 == hash) && ((certEntry.cn == '*') || (certEntry.cn == fqdn))) { hashAlgo = 'sha256'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; } + if ((certEntry.sha1 == hash) && ((certEntry.cn == '*') || (certEntry.cn == fqdn))) { hashAlgo = 'sha1'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; } + } + if (signkey == null) return { action: 'acmactivate', error: 2, errorText: "No signing certificate found." }; // Did not find a match. + + // If the matching certificate our wildcard root cert, we can use the root to match any FQDN + if (domain.amtacmactivation.certs[certIndex].cn == '*') { + // Create a leaf certificate that matches the FQDN we want + // TODO: This is an expensive operation, work on ways to pre-generate or cache this leaf certificate. + var rootcert = { cert: domain.amtacmactivation.certs[certIndex].rootcert, key: obj.pki.privateKeyFromPem(domain.amtacmactivation.certs[certIndex].key) }; + var leafcert = obj.IssueWebServerCertificate(rootcert, false, fqdn, 'mc', 'Intel(R) Client Setup Certificate', { serverAuth: true, '2.16.840.1.113741.1.2.3': true }, false); + + // Setup the certificate chain and key + certChain = [obj.pki.certificateToPem(leafcert.cert), obj.pki.certificateToPem(domain.amtacmactivation.certs[certIndex].rootcert)]; + signkey = obj.pki.privateKeyToPem(leafcert.key); + } else { + // Make sure the cert chain is in PEM format + var certChain2 = []; + for (var i in certChain) { certChain2.push("-----BEGIN CERTIFICATE-----\r\n" + certChain[i] + "\r\n-----END CERTIFICATE-----\r\n"); } + certChain = certChain2; + } + + // Hash the leaf certificate and return the certificate chain and signing key + return { action: 'acmactivate', certs: certChain, signkey: signkey, hash: obj.getCertHash(certChain[0]) }; + } + // Sign a Intel AMT ACM activation request obj.signAcmRequest = function (domain, request, user, pass, ipport, nodeid, meshid, computerName, agentId) { if ((domain == null) || (domain.amtacmactivation == null) || (domain.amtacmactivation.certs == null) || (request == null) || (request.nonce == null) || (request.realm == null) || (request.fqdn == null) || (request.hash == null)) return { 'action': 'acmactivate', 'error': 1, 'errorText': 'Invalid arguments' }; diff --git a/mpsserver.js b/mpsserver.js index 3277696c..bfa24de2 100644 --- a/mpsserver.js +++ b/mpsserver.js @@ -913,6 +913,7 @@ module.exports.CreateMpsServer = function (parent, db, args, certificates) { var jsondata = null, jsondatastr = data.substring(5, 5 + jsondatalen); try { jsondata = JSON.parse(jsondatastr); } catch (ex) { } if ((jsondata == null) || (typeof jsondata.action != 'string')) return; + parent.debug('mpscmd', '--> JSON_CONTROL', jsondata.action); switch (jsondata.action) { case 'connType': if ((socket.tag.connType != 0) || (socket.tag.SystemId != null)) return; // Once set, the connection type can't be changed. @@ -930,6 +931,10 @@ module.exports.CreateMpsServer = function (parent, db, args, certificates) { if (socket.tag.connType != 2) break; // Only accept MEI state on CIRA-LMS connection if (obj.parent.amtManager != null) { obj.parent.amtManager.mpsControlMessage(socket.tag.nodeid, socket, socket.tag.connType, jsondata); } break; + case 'startTlsHostConfig': + if (socket.tag.connType != 2) break; // Only accept MEI state on CIRA-LMS connection + if (obj.parent.amtManager != null) { obj.parent.amtManager.mpsControlMessage(socket.tag.nodeid, socket, socket.tag.connType, jsondata); } + break; } return 5 + jsondatalen; } @@ -956,8 +961,7 @@ module.exports.CreateMpsServer = function (parent, db, args, certificates) { obj.SendJsonControl = function(socket, data) { if (socket.tag.connType == 0) return; // This command is valid only for connections that are not really CIRA. - parent.debug('mpscmd', '<-- JSON_CONTROL'); - if (typeof data == 'object') { data = JSON.stringify(data); } + if (typeof data == 'object') { parent.debug('mpscmd', '<-- JSON_CONTROL', data.action); data = JSON.stringify(data); } else { parent.debug('mpscmd', '<-- JSON_CONTROL'); } Write(socket, String.fromCharCode(APFProtocol.JSON_CONTROL) + common.IntToStr(data.length) + data); }