From 6b1a9d844482a3ed664ba648373ee5c1c20e222e Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Thu, 19 Mar 2020 13:42:37 -0700
Subject: [PATCH] Improved CertURL certificate loading.

---
 amt/amt-ider-module.js | 2 +-
 amt/amt.js | 2 +-
 certoperations.js | 11 ++++++++---
 meshagent.js | 2 +-
 mqttbroker.js | 2 +-
 webauthn.js | 2 +-
 6 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/amt/amt-ider-module.js b/amt/amt-ider-module.js
index 0d1f491e..231b8bf3 100644
--- a/amt/amt-ider-module.js
+++ b/amt/amt-ider-module.js
@@ -607,7 +607,7 @@ module.exports.CreateAmtRemoteIder = function (webserver, meshcentral) {
 if (g_len > obj.iderinfo.readbfr) { len = obj.iderinfo.readbfr; }
 g_len -= len;
 g_lba += len;
- var buffer = new Buffer(len);
+ var buffer = Buffer.alloc(len);
 fs.read(g_media, buffer, 0, len, lba, function (error, bytesRead, buffer) {
 obj.SendDataToHost(g_dev, (g_len == 0), buffer.toString('binary'), featureRegister & 1);
 if ((g_len > 0) && (g_reset == false)) {
diff --git a/amt/amt.js b/amt/amt.js
index c5164b04..bf19a84d 100644
--- a/amt/amt.js
+++ b/amt/amt.js
@@ -733,7 +733,7 @@ function AmtStackCreateService(wsmanStack) {
 e = null;
 try {
 es = atob(responses.Body['EventRecords'][i]);
- e = new Buffer(es);
+ e = Buffer.from(es);
 } catch (ex) {
 console.log(ex + " " + responses.Body['EventRecords'][i])
 }
diff --git a/certoperations.js b/certoperations.js
index dce5cc7b..d49726ba 100644
--- a/certoperations.js
+++ b/certoperations.js
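Review bot: The fs.read callback on the line following the new `Buffer.alloc(len)` still ignores both `error` and `bytesRead`, so a failed or short read now forwards zero-filled bytes to the host as if they were media data (with `new Buffer(len)` it would have been uninitialized memory, so the switch is an improvement, but the read result remains unchecked). Forwarding only what was actually read, e.g. `obj.SendDataToHost(g_dev, (g_len == 0), buffer.toString('binary', 0, bytesRead), featureRegister & 1);`, and treating a non-null `error` as a failure would make the transfer honest about the data it sends; whether a short read is legitimate at the end of the media depends on how `len` is derived, which is outside the hunk. The enclosing function starts and ends outside the hunk.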
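Review bot: `Buffer.from(es)` on the added line decodes `es` as UTF-8, yet `es` is produced by `atob(...)` on the previous line, which yields a byte string (one code unit per byte), so any byte above 0x7F is re-encoded as a multi-byte UTF-8 sequence and the event record is altered. This matches the old `new Buffer(es)` behaviour and is therefore not a regression, but `e = Buffer.from(es, 'binary');` — or skipping atob and using `Buffer.from(responses.Body['EventRecords'][i], 'base64')` directly — is presumably what is intended; how `e` is consumed is outside the hunk, so confirm before changing. The enclosing AmtStackCreateService function starts and ends outside the hunk.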
@@ -200,12 +200,17 @@ module.exports.CertificateOperations = function (parent) {
 if (u.protocol == 'https:') {
 // Read the certificate from HTTPS
 if (hostname == null) { hostname = u.hostname; }
- const tlssocket = obj.tls.connect((u.port ? u.port : 443), u.hostname, { servername: hostname, rejectUnauthorized: false }, function () { this.xxcert = this.getPeerCertificate(); this.end(); });
+ parent.debug('cert', "loadCertificate() - Loading certificate from " + u.hostname + ":" + (u.port ? u.port : 443) + ", Hostname: " + hostname + "...");
+ const tlssocket = obj.tls.connect((u.port ? u.port : 443), u.hostname, { servername: hostname, rejectUnauthorized: false }, function () {
+ this.xxcert = this.getPeerCertificate();
+ parent.debug('cert', "loadCertificate() - TLS connected, " + ((this.xxcert != null) ? "got certificate." : "no certificate."));
+ try { this.destroy(); } catch (ex) { }
+ this.xxfunc(this.xxurl, (this.xxcert == null)?null:(this.xxcert.raw.toString('binary')), hostname, this.xxtag);
+ });
 tlssocket.xxurl = url;
 tlssocket.xxfunc = func;
 tlssocket.xxtag = tag;
- tlssocket.on('end', function () { this.xxfunc(this.xxurl, this.xxcert.raw.toString('binary'), hostname, this.xxtag); });
- tlssocket.on('error', function () { this.xxfunc(this.xxurl, null, hostname, this.xxtag); });
+ tlssocket.on('error', function (error) { try { this.destroy(); } catch (ex) { } parent.debug('cert', "loadCertificate() - TLS error: " + error); this.xxfunc(this.xxurl, null, hostname, this.xxtag); });
 } else if (u.protocol == 'file:') {
 // Read the certificate from a file
 obj.fs.readFile(url.substring(7), 'utf8', function (err, data) {
diff --git a/meshagent.js b/meshagent.js
index 4a7b701b..e062d491 100644
--- a/meshagent.js
+++ b/meshagent.js
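Review bot: The null guard on `this.xxcert` in the new connect callback cannot fire in the case it is written for, because `getPeerCertificate()` returns an empty object rather than null when the peer presents no certificate, so the "no certificate." debug branch is unreachable and `this.xxcert.raw.toString('binary')` would throw from inside the TLS callback instead of reporting null to the caller. Testing the field that is actually used is safer: `this.xxfunc(this.xxurl, ((this.xxcert == null) || (this.xxcert.raw == null)) ? null : this.xxcert.raw.toString('binary'), hostname, this.xxtag);`, with the debug line on the preceding line using the same condition. Since both this callback and the rewritten 'error' handler call `xxfunc`, a one-shot flag set before the first call would also guarantee the caller is notified exactly once should an error be emitted after a completed handshake. The enclosing loadCertificate function starts and ends outside the hunk.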
@@ -398,7 +398,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
 parent.parent.updateProxyCertificates(false);
 }
 parent.agentStats.agentBadWebCertHashCount++;
- console.log('Agent bad web cert hash (Agent:' + (Buffer.from(msg.substring(2, 50), 'binary').toString('hex').substring(0, 10)) + ' != Server:' + (Buffer.from(getWebCertHash(domain), 'binary').toString('hex').substring(0, 10)) + ' or ' + (new Buffer(getWebCertFullHash(domain), 'binary').toString('hex').substring(0, 10)) + '), holding connection (' + obj.remoteaddrport + ').');
+ console.log('Agent bad web cert hash (Agent:' + (Buffer.from(msg.substring(2, 50), 'binary').toString('hex').substring(0, 10)) + ' != Server:' + (Buffer.from(getWebCertHash(domain), 'binary').toString('hex').substring(0, 10)) + ' or ' + (Buffer.from(getWebCertFullHash(domain), 'binary').toString('hex').substring(0, 10)) + '), holding connection (' + obj.remoteaddrport + ').');
 console.log('Agent reported web cert hash:' + (Buffer.from(msg.substring(2, 50), 'binary').toString('hex')) + '.');
 return;
 }
diff --git a/mqttbroker.js b/mqttbroker.js
index 4008e236..baebf21b 100644
--- a/mqttbroker.js
+++ b/mqttbroker.js
@@ -124,7 +124,7 @@ module.exports.CreateMQTTBroker = function (parent, db, args) {
 // Look for any MQTT connections to send this to
 var clients = obj.connections[nodeid];
 if (clients == null) return;
- if (typeof message == 'string') { message = new Buffer(message); }
+ if (typeof message == 'string') { message = Buffer.from(message); }
 for (var i in clients) {
 // Only publish to client that subscribe to the topic
 if (clients[i].subscriptions[topic] != null) { clients[i].publish({ cmd: 'publish', qos: 0, topic: topic, payload: message, retain: false }); }
diff --git a/webauthn.js b/webauthn.js
index 28a7202a..d1f25da3 100644
--- a/webauthn.js
+++ b/webauthn.js
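Review bot: The rewritten console.log in the meshagent.js hunk builds three hex digests inline inside one statement several hundred characters long, which makes the message hard to read and to verify, and the very next line decodes `msg.substring(2, 50)` a second time. Computing each digest once up front, e.g. `var agentHash = Buffer.from(msg.substring(2, 50), 'binary').toString('hex');` and the two server-side hashes the same way, then interpolating `agentHash.substring(0, 10)` and reusing `agentHash` in the second log line, would keep the output identical and the code reviewable. The enclosing CreateMeshAgent function starts and ends outside the hunk.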
@@ -251,7 +251,7 @@ module.exports.CreateWebAuthnModule = function () {
 function ASN1toPEM(pkBuffer) {
 if (!Buffer.isBuffer(pkBuffer)) { throw new Error("ASN1toPEM: pkBuffer must be Buffer."); }
 let type;
- if (pkBuffer.length == 65 && pkBuffer[0] == 0x04) { pkBuffer = Buffer.concat([new Buffer.from("3059301306072a8648ce3d020106082a8648ce3d030107034200", "hex"), pkBuffer]); type = 'PUBLIC KEY'; } else { type = 'CERTIFICATE'; }
+ if (pkBuffer.length == 65 && pkBuffer[0] == 0x04) { pkBuffer = Buffer.concat([Buffer.from("3059301306072a8648ce3d020106082a8648ce3d030107034200", "hex"), pkBuffer]); type = 'PUBLIC KEY'; } else { type = 'CERTIFICATE'; }
 const b64cert = pkBuffer.toString('base64');
 let PEMKey = '';
 for (let i = 0; i < Math.ceil(b64cert.length / 64); i++) { const start = 64 * i; PEMKey += b64cert.substr(start, 64) + '\n'; }
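Review bot: The hex literal on the added line is an undocumented magic constant: it is the DER SubjectPublicKeyInfo prefix for an EC P-256 key (outer SEQUENCE, AlgorithmIdentifier with id-ecPublicKey and prime256v1, then a 66-byte BIT STRING header) that turns a 65-byte uncompressed point into a complete SPKI structure. Hoisting it to a named constant with that explanation, e.g. `const P256_SPKI_PREFIX = Buffer.from("3059301306072a8648ce3d020106082a8648ce3d030107034200", "hex"); // DER SPKI header: id-ecPublicKey + prime256v1, BIT STRING of 66 bytes`, would document the intent and avoid re-parsing the hex on every call. The `length == 65 && [0] == 0x04` test is a sound discriminator because a DER certificate begins with 0x30, but a one-line comment stating that assumption next to the branch would spare the next reader the derivation. ASN1toPEM's body continues past the end of the hunk.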