feat: adds support for E2E TLS connection between AMT and RPS (#2598)

* feat: adds support for E2E TLS connection between AMT and RPS#

* refactor: ccm should commit changes

Author: rsdmike

src/DataProcessor.ts

@@ -79,6 +79,10 @@ export class DataProcessor {
           await this.handleConnectionReset(clientMsg, clientId)
           break
         }
+        case ClientMethods.PORT_SWITCH_ACK: {
+          await this.handlePortSwitchAck(clientMsg, clientId)
+          break
+        }
         default: {
           const uuid = clientMsg.payload.uuid ? clientMsg.payload.uuid : devices[clientId].ClientData.payload.uuid
           throw new RPSError(`Device ${uuid} Not a supported method received from AMT device`)
@@ -151,9 +155,6 @@ export class DataProcessor {
           this.logger.warn(`WSMAN RESPONSE: parse failed`)
           rejectValue = new UNEXPECTED_PARSE_ERROR()
         } else {
-          const actionMatch = xmlBody.match(/<a:Action>([^<]+)<\/a:Action>/)
-          const action = actionMatch ? actionMatch[1].split('/').pop() : 'unknown'
-          this.logger.debug(`WSMAN RESPONSE: ${action}`)
           this.logger.debug(`WSMAN RESPONSE XML:\n${xmlBody}`)
         }
       } else {
@@ -253,6 +254,15 @@ export class DataProcessor {
     }
   }
 
+  async handlePortSwitchAck(clientMsg: ClientMsg, clientId: string): Promise<void> {
+    const clientObj = devices[clientId]
+    this.logger.info(`PORT_SWITCH_ACK received from rpc-go for device ${clientObj?.uuid}`)
+
+    if (clientObj?.pendingPromise != null && clientObj.resolve != null) {
+      clientObj.resolve('port_switch_ack')
+    }
+  }
+
   async handleConnectionReset(clientMsg: ClientMsg, clientId: string): Promise<void> {
     const clientObj = devices[clientId]
     this.logger.warn(`CONNECTION RESET from rpc-go`)

src/NodeForge.ts

@@ -67,4 +67,12 @@ export class NodeForge {
   createCert(): forge.pki.Certificate {
     return forge.pki.createCertificate()
   }
+
+  privateKeyFromPem(pem: string): forge.pki.PrivateKey {
+    return forge.pki.privateKeyFromPem(pem)
+  }
+
+  certificateFromPem(pem: string): forge.pki.Certificate {
+    return forge.pki.certificateFromPem(pem)
+  }
 }

src/Validator.ts

@@ -80,6 +80,11 @@ export class Validator implements IValidator {
         this.logger.info(`Device ${payload.uuid} has TLS enforced - enabling TLS tunnel mode`)
       }
     }
+    // Extract TLS tunnel activation flag from payload
+    if (msg.payload.tlsTunnel === true) {
+      clientObj.tlsTunnelActivation = true
+      this.logger.info(`Device ${payload.uuid} requested TLS tunnel activation`)
+    }
     // Check for client requested action and profile activation
     const profile: AMTConfiguration | null = await this.configurator.profileManager.getAmtProfile(
       payload.profile,

src/certs/amt-odca.ts

@@ -8,55 +8,27 @@
  * These are public Intel certificates used to validate AMT device certificates
  * when TLS is enforced on the AMT platform.
  *
- * Certificate sources:
- * - Intel(R) Client Platform Root Certificate Authority
- * - Intel AMT RCFG certificates
+ * Certificate source: src/certs/OnDie_CA_RootCA_Certificate.cer
  */
 export const AMT_ODCA_ROOT_CERTS: string[] = [
-  // Intel(R) CSME FW RCFG Certificate
-  // This root CA is used for AMT Remote Configuration
+  // Intel OnDie CA Root Certificate (ECC P-384, valid 2019-2049)
+  // Subject: O=Intel Corporation, OU=OnDie CA Root Cert Signing, CN=www.intel.com
   `-----BEGIN CERTIFICATE-----
-MIICwjCCAaqgAwIBAgIQT5cMYuWRhpjgXKkJ8PPbIjANBgkqhkiG9w0BAQsFADBE
-MRQwEgYDVQQHEwtTYW50YSBDbGFyYTELMAkGA1UECBMCQ0ExCzAJBgNVBAYTAlVT
-MRIwEAYDVQQKEwlJbnRlbChSKSAwHhcNMjEwNjAxMDAwMDAwWhcNNDkxMjMxMjM1
-OTU5WjBEMRQwEgYDVQQHEwtTYW50YSBDbGFyYTELMAkGA1UECBMCQ0ExCzAJBgNV
-BAYTAlVTMRIwEAYDVQQKEwlJbnRlbChSKSAwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-DwAwggEKAoIBAQCr4N3e8kljVeacnP5LchxH3nk5TEiKgqvPCG4HGMJUJlakfLcN
-bwGHNdZdSqI4D7E+H0X5B/9v8yQVJXfsMpqvgtqPCH4H8z8xsHIVCJvJLLlA+PqI
-8pVLAMEaRH2cjIAIYDu3gOxOPSH8Bx+BI9Xje6Lf8IqIHn5LR8YL2gtn0Xpf+EfV
-G8RaXrN7sNhVRNCy7ZQ1DP5C+0XCduRHCa8Zqa6pzmazrVBT4jCIPnZp6wN5RAYW
-pXWv1C5nZ4FW3lFP4JdqoBFZrXxNO8fE3hQhZqWLchGODu+RMDqjFNOCkYBc8GCJ
-j8LyM7McbS5nyFoqhwl0DErcCSHfPJP8DXMZ5Jf3AgMBAAGjFTATMBEGA1UdEwEB
-/wQHMAUBAf8CAQAwDQYJKoZIhvcNAQELBQADggEBAHj6V8E6S3T9g8EhI3NLpaCP
-3P2N/e6z3vFVJDDFVKFc4PTThgFg4J+EjIAg1VvAAYfW0wj+7Ly8SHIrWBh4CJkX
-VVfwdXF2W2pFBeXcAMQHqQ7F8lAhSpaGpE8VqQ6YL7V9hOaAGy1b8t93v+7h1BVo
-uJdj1S2P9v7YhNU1Kn6g8X7CsS3TqFOlQLBp2hE7qIaT0cIxU6wd9rKzNNBPi1MR
-lLm7h5oJag19B1h+ppD0c0BDVpdcqdCFbBf7DmzzuMqB2OCqX8+6h5hj8JJLRCFT
-x+RkGxccVfgGkNB0hDXEPp56vluWd9kDGiVPqDL73aHrcpSb8/BY5h5T5xFl6js=
------END CERTIFICATE-----`,
-
-  // Intel AMT Remote Configuration Root CA
-  // Alternative root CA for AMT device certificates
-  `-----BEGIN CERTIFICATE-----
-MIIDkDCCAnigAwIBAgIQT0cAanSqxS4HblMrI2TFADANBgkqhkiG9w0BAQsFADBf
-MQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQL
-EwNEb0QxDDAKBgNVBAsTA1BLSTEWMBQGA1UEAxMNRG9EIFJvb3QgQ0EgMzAeFw0x
-MjA0MDUxMzQzNThaFw0zNzEyMzExMzQzNThaMF8xCzAJBgNVBAYTAlVTMRgwFgYD
-VQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UECxMDUEtJ
-MRYwFAYDVQQDEw1Eb0QgUm9vdCBDQSAzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAq6EcqasGJCC9k9J6hCOJxPYHHdKfVJLCE8p2qGGBD08f6e8RADax
-8u3XNMPRM0QB6LjKaHpMPkdR5WSbQrTqPN04BOZgDq1rrqREXsMzb4siDkn0J2x0
-HIB2kRTDtT8VBC7JSCPlMFpZvluYwpAgJkH3AZ0yw8D0mqrKWzN0GYPRJYBeEdG7
-9R6A8tF0MZBqkRAMBGM6KtD8UewJ5NIpqmxexvHyGIl0JVMJBsivfXYJzMHXm8H5
-9N4cgS/rH5YMkAqN5F/MWMMP5O1ZB0aN7N5FQqW5wgQ2pjDhkUI5Fa1p3J1j+K9v
-e3WXz6Q4j+U/n9z4E0ozj0Q+y0+B7dWHBwIDAQABo0IwQDAdBgNVHQ4EFgQUbIqU
-Y559IcHI7UXNDS8dkzQ39JowDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMB
-Af8wDQYJKoZIhvcNAQELBQADggEBAJ17j0qUFlyPNZjfU2G1jwxNvJQP1TwZ3YL4
-QL67jk+E7ji0W8j3gU5JLJ4x/fdOUh0a6X/uh1HZrxsm24bIOzrV0nx3CpLs3WZM
-bf0lWFiPBNbQZUzVLz1GdLhJPBLn5WNBhJYL0D7HqZSJitRmPJLttNfoVPolSKI1
-FRQ6G0HHfLrnBg1TECQ0iFJsRJzRjWw6YnFf6xDy0EfOZPbCOzU9I3QBRLXL1swk
-Xz5EeRXNKEP2QRh1q9rnQSNJo3cIuvHBZzT9r+aPNrNJp6hFvkCAVvWjfH/tf/T2
-d6QakmgMNmgZNAiMp6ms1P1gkjxFlSsG3Nz8L/WNQBLEP2xEAeg=
+MIICujCCAj6gAwIBAgIUPLLiHTrwySRtWxR4lxKLlu7MJ7wwDAYIKoZIzj0EAwMF
+ADCBiTELMAkGA1UEBgwCVVMxCzAJBgNVBAgMAkNBMRQwEgYDVQQHDAtTYW50YSBD
+bGFyYTEaMBgGA1UECgwRSW50ZWwgQ29ycG9yYXRpb24xIzAhBgNVBAsMGk9uRGll
+IENBIFJvb3QgQ2VydCBTaWduaW5nMRYwFAYDVQQDDA13d3cuaW50ZWwuY29tMB4X
+DTE5MDQwMzAwMDAwMFoXDTQ5MTIzMTIzNTk1OVowgYkxCzAJBgNVBAYMAlVTMQsw
+CQYDVQQIDAJDQTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExGjAYBgNVBAoMEUludGVs
+IENvcnBvcmF0aW9uMSMwIQYDVQQLDBpPbkRpZSBDQSBSb290IENlcnQgU2lnbmlu
+ZzEWMBQGA1UEAwwNd3d3LmludGVsLmNvbTB2MBAGByqGSM49AgEGBSuBBAAiA2IA
+BK8SfB2UflvXZqb5Kc3+lokrABHWazvNER2axPURP64HILkXChPB0OEX5hLB7Okw
+7Dy6oFqB5tQVDupgfvUX/SgYBEaDdG5rCVFrGAis6HX5TA2ewQmj14r2ncHBgnpp
+B6NjMGEwHwYDVR0jBBgwFoAUtFjJ9uQIQKPyWMg5eG6ujgqNnDgwDwYDVR0TAQH/
+BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFLRYyfbkCECj8ljIOXhu
+ro4KjZw4MAwGCCqGSM49BAMDBQADaAAwZQIxAP9B4lFF86uvpHmkcp61cWaU565a
+yE3p7ezu9haLE/lPLh5hFQfmTi1nm/sG3JEXMQIwNpKfHoDmUTrUyezhhfv3GG+1
+CqBXstmCYH40buj9jKW3pHWc71s9arEmPWli7I8U
 -----END CERTIFICATE-----`
 ]
 
@@ -65,8 +37,6 @@ d6QakmgMNmgZNAiMp6ms1P1gkjxFlSsG3Nz8L/WNQBLEP2xEAeg=
  * Used to validate that certificates are issued by Intel AMT ODCA.
  */
 export const AMT_ALLOWED_ISSUERS = [
-  'iAMT CSME IDevID RCFG',
-  'AMT RCFG',
-  'Intel(R) CSME',
-  'Intel(R)'
+  'OnDie CA Root Cert Signing',
+  'Intel Corporation'
 ]

src/interfaces/ISecretManagerService.ts

@@ -9,6 +9,7 @@ export interface DeviceCredentials {
   AMT_PASSWORD: string | null
   MPS_PASSWORD?: string // only required for CIRA
   MEBX_PASSWORD?: string | null
+  TLS_ISSUED_CERTIFICATE?: string
   version?: string
 }
 

src/models/RCS.Config.ts

@@ -126,6 +126,7 @@ export interface ClientObject {
   resolve: (value: unknown) => void
   reject: (value: unknown) => void
   tlsEnforced?: boolean
+  tlsTunnelActivation?: boolean
   tlsTunnelManager?: TLSTunnelManager
   tlsTunnelNeedsReset?: boolean
   tlsTunnelSessionId?: string // Current TLS session ID for filtering stale data
@@ -200,6 +201,9 @@ export interface TLSConfigFlow {
   commitLocalTLS?: boolean
   getTimeSynch?: boolean
   setTimeSynch?: boolean
+  rootCertKey?: any
+  issuedCertPEM?: string
+  mpsRootCertPEM?: string
 }
 
 export interface mpsServer {
@@ -240,6 +244,7 @@ export interface Payload {
   client: string
   profile?: any
   tlsEnforced?: boolean
+  tlsTunnel?: boolean
 }
 
 export interface ConnectionObject {
@@ -271,7 +276,9 @@ export enum ClientMethods {
   HEARTBEAT = 'heartbeat_response',
   MAINTENANCE = 'maintenance',
   TLS_DATA = 'tls_data',
-  CONNECTION_RESET = 'connection_reset'
+  CONNECTION_RESET = 'connection_reset',
+  PORT_SWITCH = 'port_switch',
+  PORT_SWITCH_ACK = 'port_switch_ack'
 }
 
 export interface apiResponse {