1. Added setting for Windows Certificate Store

2. Updated so NodeID is only saved on Windows, if Certificate Store is used
2025-12-15 15:53:55 +00:00 · 2019-04-08 17:44:49 -07:00
parent a5000eee85
commit 7bf31b0a28
4 changed files with 40 additions and 14 deletions
--- a/meshcore/agentcore.c
+++ b/meshcore/agentcore.c
@@ -1930,6 +1930,11 @@ int agent_GenerateCertificates(MeshAgentHostContainer *agent, char* certfile)
 	int len = -1;
 	char* str;

+#ifdef WIN32
+	// If there is a cert here, it was Generated by OpenSSL, so we'll force the regenerate to use OpenSSL, to honor how the current cert was generated
+	if (agent->noCertStore == 0) { agent->noCertStore = ILibSimpleDataStore_Get(agent->masterDb, "SelfNodeCert", NULL, 0); }
+#endif
+
 	// Clear the certs in the database.
 	ILibSimpleDataStore_Delete(agent->masterDb, "SelfNodeCert");
 	ILibSimpleDataStore_Delete(agent->masterDb, "SelfNodeTlsCert");
@@ -1940,7 +1945,7 @@ int agent_GenerateCertificates(MeshAgentHostContainer *agent, char* certfile)
 	{
 #if defined(WIN32)
 		char *rootSubject = (agent->capabilities & MeshCommand_AuthInfo_CapabilitiesMask_RECOVERY) == MeshCommand_AuthInfo_CapabilitiesMask_RECOVERY ? "CN=MeshNodeDiagnosticCertificate" : "CN=MeshNodeCertificate";
-		if (wincrypto_open(TRUE, rootSubject) == 0) // Force certificate re-generation
+		if (agent->noCertStore == 0 && wincrypto_open(TRUE, rootSubject) == 0) // Force certificate re-generation
 		{
 			int l;
 			do {
@@ -2051,7 +2056,7 @@ int agent_LoadCertificates(MeshAgentHostContainer *agent)

 		// No cert in this .db file. Try to load or generate a root certificate from a Windows crypto provider. This can be TPM backed which is great.
 		// However, if we don't have the second cert created, we need to regen the root...
-		if (wincrypto_open(FALSE, rootSubject) == 0 && ILibSimpleDataStore_Get(agent->masterDb, "SelfNodeTlsCert", NULL, 0) != 0)
+		if (agent->noCertStore == 0 && wincrypto_open(FALSE, rootSubject) == 0 && ILibSimpleDataStore_Get(agent->masterDb, "SelfNodeTlsCert", NULL, 0) != 0)
 		{
 			char* str = NULL;
 			int l;
@@ -3715,6 +3720,14 @@ int MeshAgent_AgentMode(MeshAgentHostContainer *agentHost, int paramLen, char **
 		{ 
 			agentHost->capabilities |= MeshCommand_AuthInfo_CapabilitiesMask_RECOVERY; parseCommands = 0; 
 		}
+		if (strcmp(param[ri], "-nocertstore") == 0)
+		{
+			parseCommands = 0;
+#ifdef WIN32
+			printf("** Not using Certificate Store **\n");
+			agentHost->noCertStore = 1;
+#endif
+		}
 	}


@@ -3953,11 +3966,14 @@ int MeshAgent_AgentMode(MeshAgentHostContainer *agentHost, int paramLen, char **
 			else { RegDeleteKeyA(hKey, "DiagnosticAgentNodeId"); }
 		}

-		int NodeIDLen = 0;
-		if ((NodeIDLen = ILibSimpleDataStore_Get(agentHost->masterDb, "NodeID", ILibScratchPad, (int)sizeof(ILibScratchPad))) == 0 || !(NodeIDLen == (int)sizeof(agentHost->g_selfid) && memcmp(agentHost->g_selfid, ILibScratchPad, NodeIDLen)==0))
+		if (ILibSimpleDataStore_Get(agentHost->masterDb, "SelfNodeCert", NULL, 0) == 0)
 		{
-			// NodeID isn't saved to db, so let's put it there
-			ILibSimpleDataStore_PutEx(agentHost->masterDb, "NodeID", 6, agentHost->g_selfid, (int)sizeof(agentHost->g_selfid));
+			int NodeIDLen = 0;
+			if ((NodeIDLen = ILibSimpleDataStore_Get(agentHost->masterDb, "NodeID", ILibScratchPad, (int)sizeof(ILibScratchPad))) == 0 || !(NodeIDLen == (int)sizeof(agentHost->g_selfid) && memcmp(agentHost->g_selfid, ILibScratchPad, NodeIDLen) == 0))
+			{
+				// NodeID isn't saved to db, so let's put it there
+				ILibSimpleDataStore_PutEx(agentHost->masterDb, "NodeID", 6, agentHost->g_selfid, (int)sizeof(agentHost->g_selfid));
+			}
 		}

 		// Close the registry key
--- a/meshcore/agentcore.h
+++ b/meshcore/agentcore.h
@@ -180,6 +180,9 @@ typedef struct MeshAgentHostContainer
 	char agentHash[UTIL_SHA384_HASHSIZE];
 	char serverHash[UTIL_SHA384_HASHSIZE];
 #ifndef MICROSTACK_NOTLS
+#ifdef WIN32
+	int noCertStore;
+#endif
 	struct util_cert selfcert;
 	struct util_cert selftlscert;
 	char serverWebHash[UTIL_SHA384_HASHSIZE];
--- a/microscript/ILibDuktape_Polyfills.c
+++ b/microscript/ILibDuktape_Polyfills.c
@@ -1940,7 +1940,7 @@ void ILibDuktape_Polyfills_JS_Init(duk_context *ctx)


 	// Mesh Agent NodeID helper, refer to modules/_agentNodeId.js
-	duk_peval_string_noresult(ctx, "addModule('_agentNodeId', Buffer.from('LyoKQ29weXJpZ2h0IDIwMTkgSW50ZWwgQ29ycG9yYXRpb24KCkxpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwp5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCllvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQpkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLApXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZApsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4KKi8KCmZ1bmN0aW9uIF9tZXNoTm9kZUlkKCkNCnsNCiAgICB2YXIgcmV0ID0gJyc7DQogICAgc3dpdGNoIChwcm9jZXNzLnBsYXRmb3JtKQ0KICAgIHsNCiAgICAgICAgY2FzZSAnbGludXgnOg0KICAgICAgICBjYXNlICdkYXJ3aW4nOg0KICAgICAgICAgICAgdHJ5DQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgdmFyIGRiID0gcmVxdWlyZSgnU2ltcGxlRGF0YVN0b3JlJykuQ3JlYXRlKHByb2Nlc3MuZXhlY1BhdGggKyAnLmRiJywgeyByZWFkT25seTogdHJ1ZSB9KTsNCiAgICAgICAgICAgICAgICByZXQgPSByZXF1aXJlKCd0bHMnKS5sb2FkQ2VydGlmaWNhdGUoeyBwZng6IGRiLkdldEJ1ZmZlcignU2VsZk5vZGVDZXJ0JyksIHBhc3NwaHJhc2U6ICdoaWRkZW4nIH0pLmdldEtleUhhc2goKS50b1N0cmluZygnaGV4Jyk7DQogICAgICAgICAgICB9DQogICAgICAgICAgICBjYXRjaChlKQ0KICAgICAgICAgICAgew0KICAgICAgICAgICAgfQ0KICAgICAgICAgICAgYnJlYWs7DQogICAgICAgIGNhc2UgJ3dpbjMyJzoNCiAgICAgICAgICAgIC8vIEZpcnN0IENoZWNrIGlmIHRoZSBkYiBDb250YWlucyB0aGUgTm9kZUlEDQogICAgICAgICAgICB0cnkNCiAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICB2YXIgZGIgPSByZXF1aXJlKCdTaW1wbGVEYXRhU3RvcmUnKS5DcmVhdGUocHJvY2Vzcy5leGVjUGF0aC5yZXBsYWNlKCcuZXhlJywgJy5kYicpLCB7IHJlYWRPbmx5OiB0cnVlIH0pOw0KICAgICAgICAgICAgICAgIHZhciB2ID0gZGIuR2V0QnVmZmVyKCdOb2RlSUQnKTsNCiAgICAgICAgICAgICAgICBpZih2IT1udWxsKQ0KICAgICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgcmV0ID0gdi50b1N0cmluZygnaGV4Jyk7DQogICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIGVsc2UNCiAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgIHJldCA9IHJlcXVpcmUoJ3RscycpLmxvYWRDZXJ0aWZpY2F0ZSh7IHBmeDogZGIuR2V0QnVmZmVyKCdTZWxmTm9kZUNlcnQnKSwgcGFzc3BocmFzZTogJ2hpZGRlbicgfSkuZ2V0S2V5SGFzaCgpLnRvU3RyaW5nKCdoZXgnKTsNCiAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICB9DQogICAgICAgICAgICBjYXRjaCAoZSkNCiAgICAgICAgICAgIHsNCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIGJyZWFrOw0KICAgICAgICBkZWZhdWx0Og0KICAgICAgICAgICAgYnJlYWs7DQogICAgfQ0KICAgIHJldHVybiAocmV0KTsNCn0NCg0KbW9kdWxlLmV4cG9ydHMgPSBfbWVzaE5vZGVJZDsNCg0K', 'base64').toString());");
+	duk_peval_string_noresult(ctx, "addModule('_agentNodeId', Buffer.from('LyoKQ29weXJpZ2h0IDIwMTkgSW50ZWwgQ29ycG9yYXRpb24KCkxpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSAiTGljZW5zZSIpOwp5b3UgbWF5IG5vdCB1c2UgdGhpcyBmaWxlIGV4Y2VwdCBpbiBjb21wbGlhbmNlIHdpdGggdGhlIExpY2Vuc2UuCllvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdAoKICAgIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIuMAoKVW5sZXNzIHJlcXVpcmVkIGJ5IGFwcGxpY2FibGUgbGF3IG9yIGFncmVlZCB0byBpbiB3cml0aW5nLCBzb2Z0d2FyZQpkaXN0cmlidXRlZCB1bmRlciB0aGUgTGljZW5zZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAiQVMgSVMiIEJBU0lTLApXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4KU2VlIHRoZSBMaWNlbnNlIGZvciB0aGUgc3BlY2lmaWMgbGFuZ3VhZ2UgZ292ZXJuaW5nIHBlcm1pc3Npb25zIGFuZApsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS4KKi8KCmZ1bmN0aW9uIF9tZXNoTm9kZUlkKCkNCnsNCiAgICB2YXIgcmV0ID0gJyc7DQogICAgc3dpdGNoIChwcm9jZXNzLnBsYXRmb3JtKQ0KICAgIHsNCiAgICAgICAgY2FzZSAnbGludXgnOg0KICAgICAgICBjYXNlICdkYXJ3aW4nOg0KICAgICAgICAgICAgdHJ5DQogICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgdmFyIGRiID0gcmVxdWlyZSgnU2ltcGxlRGF0YVN0b3JlJykuQ3JlYXRlKHByb2Nlc3MuZXhlY1BhdGggKyAnLmRiJywgeyByZWFkT25seTogdHJ1ZSB9KTsNCiAgICAgICAgICAgICAgICByZXQgPSByZXF1aXJlKCd0bHMnKS5sb2FkQ2VydGlmaWNhdGUoeyBwZng6IGRiLkdldEJ1ZmZlcignU2VsZk5vZGVDZXJ0JyksIHBhc3NwaHJhc2U6ICdoaWRkZW4nIH0pLmdldEtleUhhc2goKS50b1N0cmluZygnaGV4Jyk7DQogICAgICAgICAgICB9DQogICAgICAgICAgICBjYXRjaChlKQ0KICAgICAgICAgICAgew0KICAgICAgICAgICAgfQ0KICAgICAgICAgICAgYnJlYWs7DQogICAgICAgIGNhc2UgJ3dpbjMyJzoNCiAgICAgICAgICAgIC8vIEZpcnN0IENoZWNrIGlmIHRoZSBkYiBDb250YWlucyB0aGUgTm9kZUlEDQogICAgICAgICAgICB0cnkNCiAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICB2YXIgZGIgPSByZXF1aXJlKCdTaW1wbGVEYXRhU3RvcmUnKS5DcmVhdGUocHJvY2Vzcy5leGVjUGF0aC5yZXBsYWNlKCcuZXhlJywgJy5kYicpLCB7IHJlYWRPbmx5OiB0cnVlIH0pOw0KICAgICAgICAgICAgICAgIHZhciB2ID0gZGIuR2V0QnVmZmVyKCdTZWxmTm9kZUNlcnQnKTsNCiAgICAgICAgICAgICAgICBpZiAodikNCiAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgIHRyeQ0KICAgICAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgICAgICByZXQgPSByZXF1aXJlKCd0bHMnKS5sb2FkQ2VydGlmaWNhdGUoeyBwZng6IHYsIHBhc3NwaHJhc2U6ICdoaWRkZW4nIH0pLmdldEtleUhhc2goKS50b1N0cmluZygnaGV4Jyk7DQogICAgICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgICAgICAgICAgY2F0Y2goZSkNCiAgICAgICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICAgICAgICAgdiA9IG51bGw7DQogICAgICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgaWYgKHYgPT0gbnVsbCAmJiAodiA9IGRiLkdldEJ1ZmZlcignTm9kZUlEJykpICE9IE5VTEwpDQogICAgICAgICAgICAgICAgew0KICAgICAgICAgICAgICAgICAgICByZXQgPSB2LnRvU3RyaW5nKCdoZXgnKTsNCiAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICB9DQogICAgICAgICAgICBjYXRjaCAoZSkNCiAgICAgICAgICAgIHsNCiAgICAgICAgICAgIH0NCiAgICAgICAgICAgIGJyZWFrOw0KICAgICAgICBkZWZhdWx0Og0KICAgICAgICAgICAgYnJlYWs7DQogICAgfQ0KICAgIHJldHVybiAocmV0KTsNCn0NCg0KbW9kdWxlLmV4cG9ydHMgPSBfbWVzaE5vZGVJZDsNCg0K', 'base64').toString());");

 	// Task Scheduler, refer to modules/task-scheduler.js
 	char *_taskscheduler = ILibMemory_Allocate(44751, 0, NULL, NULL);
--- a/modules/_agentNodeId.js
+++ b/modules/_agentNodeId.js
@@ -35,15 +35,22 @@ function _meshNodeId()
            try
            {
                var db = require('SimpleDataStore').Create(process.execPath.replace('.exe', '.db'), { readOnly: true });
-                var v = db.GetBuffer('NodeID');
-                if(v!=null)
+                var v = db.GetBuffer('SelfNodeCert');
+                if (v)
+                {
+                    try
+                    {
+                        ret = require('tls').loadCertificate({ pfx: v, passphrase: 'hidden' }).getKeyHash().toString('hex');
+                    }
+                    catch(e)
+                    {
+                        v = null;
+                    }
+                }
+                if (v == null && (v = db.GetBuffer('NodeID')) != NULL)
                {
                    ret = v.toString('hex');
                }
-                else
-                {
-                    ret = require('tls').loadCertificate({ pfx: db.GetBuffer('SelfNodeCert'), passphrase: 'hidden' }).getKeyHash().toString('hex');
-                }
            }
            catch (e)
            {