From 828d1a5cc2e44bf8fb4fb58341685bc93eeeae77 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Thu, 14 Nov 2019 16:10:16 -0800
Subject: [PATCH] Added automatic key usage fix for root cert
---
 certoperations.js | 15 +++++++++++++++
 package.json | 2 +-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/certoperations.js b/certoperations.js
index 445977e3..8c96f436 100644
--- a/certoperations.js
+++ b/certoperations.js
@@ -418,6 +418,21 @@ module.exports.CertificateOperations = function (parent) {
 var rootPrivateKey = obj.fileLoad("root-cert-private.key", "utf8");
 r.root = { cert: rootCertificate, key: rootPrivateKey };
 rcount++;
+
+ // Check if the root certificate has the "Certificate Signing (04)" Key usage.
+ // This option is required for newer versions of Intel AMT for CIRA/WS-EVENTS.
+ var xroot = obj.pki.certificateFromPem(rootCertificate);
+ var xext = xroot.getExtension("keyUsage");
+ if ((xext == null) || (xext.keyCertSign !== true)) {
+ // We need to fix this certificate
+ console.log('Fixing root certificate to add signing key usage...');
+ obj.fs.writeFileSync(parent.getConfigFilePath("root-cert-public-backup.crt"), rootCertificate);
+ xroot.setExtensions([{ name: "basicConstraints", cA: true }, { name: "subjectKeyIdentifier" }, { name: "keyUsage", keyCertSign: true }]);
+ var xrootPrivateKey = obj.pki.privateKeyFromPem(rootPrivateKey);
+ xroot.sign(xrootPrivateKey, obj.forge.md.sha384.create());
+ r.root.cert = obj.pki.certificateToPem(xroot);
+ try { obj.fs.writeFileSync(parent.getConfigFilePath("root-cert-public.crt"), r.root.cert); } catch (ex) { }
+ }
 }
 if (args.tlsoffload) {
diff --git a/package.json b/package.json
index 740ee815..fb080e2b 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "meshcentral",
- "version": "0.4.4-a",
+ "version": "0.4.4-b",
 "keywords": [
 "Remote Management",
 "Intel AMT",
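Review bot: In the certoperations.js hunk, `xroot.setExtensions([...])` installs a fixed three-entry list, so any extension the loaded root carried beyond basicConstraints, subjectKeyIdentifier and keyUsage, and any other bits in an existing keyUsage, is dropped when the certificate is re-signed. Starting from the current set would keep the rewrite limited to the stated fix, for example `var xexts = xroot.extensions.filter(function (e) { return e.name != "keyUsage"; }); xexts.push({ name: "keyUsage", keyCertSign: true }); xroot.setExtensions(xexts);`, with any usage bits already present in `xext` copied into the new entry. Separately, the empty `catch (ex) { }` around the final `writeFileSync` hides a failed save, which would leave the running server on a re-signed root that differs from the file on disk; `catch (ex) { console.log('Unable to save fixed root certificate: ' + ex); }` would make that visible. The backup write just above it is unguarded, so the two writes fail in opposite ways, and the enclosing function starts and ends outside the hunk.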