more Intel AMT ACM work...

2024-12-23 14:01:43 +03:00 · 2019-06-22 22:06:50 -07:00 · 2019-06-22 22:06:50 -07:00 · 4f16e0f2ca
commit 4f16e0f2ca
parent 0d2efd47ea
7 changed files with 53 additions and 6 deletions
--- a/agents/MeshCmd-signed.exe
+++ b/agents/MeshCmd-signed.exe
--- a/agents/MeshCmd64-signed.exe
+++ b/agents/MeshCmd64-signed.exe
--- a/agents/meshcmd.js
+++ b/agents/meshcmd.js
@ -57,7 +57,13 @@ var Small_IntelAmtWebApp = "H4sIAAAAAAAEAHq/e7+Noou/c0hkgCuA0+pcchQHwq9CeXNgFzwZ
 function onVerifyServer(clientName, certs) {
    if (certs == null) { certs = clientName; } // Temporary thing until we fix duktape
    try { for (var i in certs) { if (certs[i].fingerprint.replace(/:/g, '') == settings.serverhttpshash) { return; } } } catch (e) { }
-    if (serverhash != null) { console.log('Error: Failed to verify server certificate.'); throw 'Invalid server certificate'; }
+    console.log(settings.serverhttpshash);
+    if (settings.serverhttpshash != null) {
+        console.log('Error: Failed to verify server certificate.');
+        console.log('Server TLS hash: ' + certs[i].fingerprint.replace(/:/g, ''));
+        exit(255);
+        throw 'Invalid server certificate';
+    }
 }

 // Various utility functions
@ -927,7 +933,8 @@ function activeToACMEx(fwNonce, dnsSuffix, digestRealm, uuid) {

    // Establish WebSocket connection to activation server
    var options = http.parseUri(settings.url);
-    options.checkServerIdentity = function (clientName, certs) { }; // TODO
+    //options.checkServerIdentity = function (clientName, certs) { }; // TODO
+    options.checkServerIdentity = onVerifyServer;
    options.rejectUnauthorized = false;
    var connection = http.request(options);
    connection.on('upgrade', function (response, socket) {
--- a/agents/meshcmd.min.js
+++ b/agents/meshcmd.min.js
@ -57,7 +57,13 @@ var Small_IntelAmtWebApp = "H4sIAAAAAAAEAHq/e7+Noou/c0hkgCuA0+pcchQHwq9CeXNgFzwZ
 function onVerifyServer(clientName, certs) {
    if (certs == null) { certs = clientName; } // Temporary thing until we fix duktape
    try { for (var i in certs) { if (certs[i].fingerprint.replace(/:/g, '') == settings.serverhttpshash) { return; } } } catch (e) { }
-    if (serverhash != null) { console.log('Error: Failed to verify server certificate.'); throw 'Invalid server certificate'; }
+    console.log(settings.serverhttpshash);
+    if (settings.serverhttpshash != null) {
+        console.log('Error: Failed to verify server certificate.');
+        console.log('Server TLS hash: ' + certs[i].fingerprint.replace(/:/g, ''));
+        exit(255);
+        throw 'Invalid server certificate';
+    }
 }

 // Various utility functions
@ -927,7 +933,8 @@ function activeToACMEx(fwNonce, dnsSuffix, digestRealm, uuid) {

    // Establish WebSocket connection to activation server
    var options = http.parseUri(settings.url);
-    options.checkServerIdentity = function (clientName, certs) { }; // TODO
+    //options.checkServerIdentity = function (clientName, certs) { }; // TODO
+    options.checkServerIdentity = onVerifyServer;
    options.rejectUnauthorized = false;
    var connection = http.request(options);
    connection.on('upgrade', function (response, socket) {
--- a/meshuser.js
+++ b/meshuser.js
@ -291,6 +291,15 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use

            // Build server information object
            var serverinfo = { name: domain.dns ? domain.dns : parent.certificates.CommonName, mpsname: parent.certificates.AmtMpsName, mpsport: mpsport, mpspass: args.mpspass, port: httpport, emailcheck: ((parent.parent.mailserver != null) && (domain.auth != 'sspi') && (domain.auth != 'ldap') && (args.lanonly != true) && (parent.certificates.CommonName != null) && (parent.certificates.CommonName.indexOf('.') != -1)), domainauth: ((domain.auth == 'sspi') || (domain.auth == 'ldap')) };
+            serverinfo.tlshash = Buffer.from(parent.webCertificateHashs[domain.id], 'binary').toString('hex').toUpperCase(); // SHA384 of server HTTPS certificate
+            if ((parent.parent.config.domains[domain.id].amtacmactivation != null) && (parent.parent.config.domains[domain.id].amtacmactivation.acmmatch != null)) {
+                var matchingDomains = [];
+                for (var i in parent.parent.config.domains[domain.id].amtacmactivation.acmmatch) {
+                    var cn = parent.parent.config.domains[domain.id].amtacmactivation.acmmatch[i].cn;
+                    if ((cn != '*') && (matchingDomains.indexOf(cn) == -1)) { matchingDomains.push(cn); }
+                }
+                if (matchingDomains.length > 0) { serverinfo.amtAcmFqdn = matchingDomains; }
+            }
            if (args.notls == true) { serverinfo.https = false; } else { serverinfo.https = true; serverinfo.redirport = args.redirport; }
            if (typeof domain.userconsentflags == 'number') { serverinfo.consent = domain.userconsentflags; }
            if ((typeof domain.usersessionidletimeout == 'number') && (domain.usersessionidletimeout > 0)) { serverinfo.timeout = (domain.usersessionidletimeout * 60 * 1000); }
--- a/views/default.handlebars
+++ b/views/default.handlebars
@ -2577,6 +2577,9 @@
                    r += ' <a style=cursor:pointer;font-size:10px title="Add a new Intel&reg; AMT computer that is located on the local network." onclick=addDeviceToMesh(\"' + mesh._id + '\")>Add Local</a>';
                    r += ' <a style=cursor:pointer;font-size:10px title="Add a new Intel&reg; AMT computer by scanning the local network." onclick=addAmtScanToMesh(\"' + mesh._id + '\")>Scan Network</a>';
                }
+                if ((features & 0x00100000) != 0) { // ACM activation
+                    r += ' <a style=cursor:pointer;font-size:10px title="Perform Intel AMT admin control mode (ACM) activation." onclick=showAcmActivation(\"' + mesh._id + '\")>Activation</a>';
+                }
            }
            if (mesh.mtype == 2) {
                r += ' <a style=cursor:pointer;font-size:10px title="Add a new computer to this mesh by installing the mesh agent." onclick=addAgentToMesh(\"' + mesh._id + '\")>Add Agent</a>';
@ -2599,6 +2602,27 @@
            Q('dp1devicename').focus();
        }

+        // Intel AMT Activation
+        function showAcmActivation(meshid) {
+            if (xxdialogMode) return;
+            var servername = serverinfo.name, mesh = meshes[meshid];
+            if ((servername.indexOf('.') == -1) || ((features & 2) != 0)) { servername = window.location.hostname; } // If the server name is not set or it's in LAN-only mode, use the URL hostname as server name.
+            var url, domainUrlNoSlash = domainUrl.substring(0, domainUrl.length - 1);
+            if (serverinfo.https == true) {
+                var portStr = (serverinfo.port == 443) ? '' : (":" + serverinfo.port);
+                url = "wss://" + servername + portStr + domainUrl;
+            } else {
+                var portStr = (serverinfo.port == 80) ? '' : (":" + serverinfo.port);
+                url = "ws://" + servername + portStr + domainUrl;
+            }
+            var x = "Perform Intel AMT admin control mode (ACM) activation to group \"" + EscapeHtml(mesh.name) + "\" by downloading the MeshCMD tool and running it like this:<br /><br />";
+            x += '<textarea readonly=readonly style=width:100%;resize:none;height:100px;overflow:auto;font-size:12px readonly>meshcmd amtacm --url ' + url + 'amtactivate?id=' + meshid.split('/')[2] + ' --serverhttpshash ' + serverinfo.tlshash + '</textarea>';
+            if (serverinfo.amtAcmFqdn != null) {
+                x += '<div style=margin-top:8px>Intel AMT will need to be set with a Trusted FQDN in MEBx or have a wired LAN on the network: <b>' + serverinfo.amtAcmFqdn.join(', ') + '</b></div>';
+            }
+            setDialogMode(2, "Intel&reg; AMT activation", 9, null, x);
+        }
+
        // Display the Intel AMT scanning dialog box
        function addAmtScanToMesh(meshid) {
            if (xxdialogMode) return;
--- a/webserver.js
+++ b/webserver.js
@ -2164,7 +2164,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
        const mesh = obj.meshes[ws.meshid];
        if (mesh == null) { delete ws.meshid; ws.send(JSON.stringify({ errorText: 'Invalid device group' })); ws.close(); return; }
        if (mesh.mtype != 1) { ws.send(JSON.stringify({ errorText: 'Invalid device group type' })); ws.close(); return; }
-
+        
        // Fetch the remote IP:Port for logging
        const remoteaddr = (req.ip.startsWith('::ffff:')) ? (req.ip.substring(7)) : req.ip;
        ws.remoteaddrport = remoteaddr + ':' + ws._socket.remotePort;
@ -2215,7 +2215,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {

                    // Agent is asking the server to sign an Intel AMT ACM activation request
                    var signResponse = parent.certificateOperations.signAcmRequest(domain, cmd, 'admin', amtpassword, ws.remoteaddrport, null, ws.meshid, null, null);
-                    ws.send(JSON.stringify(signResponse));
+                    //ws.send(JSON.stringify(signResponse)); // DEBUG***************************
                    break;
                }
                default: {