Windows MDM identity certs missing check (#12702)

This is related to #12701

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
- [X] Manual QA for all new/changed functionality
This commit is contained in:
Marcos Oviedo 2023-07-10 17:36:17 -03:00 committed by GitHub
parent c3608322a7
commit a49e980394
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 17 additions and 0 deletions


@ -0,0 +1 @@
* Fleet panicked when Windows MDM identity providers were not set and MDM programmatic enrollment was performed.


@ -88,10 +88,18 @@ func newManager(store CertStore, certPEM []byte, privKeyPEM []byte) (*manager, e
}
func (m *manager) IdentityFingerprint() string {
if m == nil {
return ""
}
return m.identityFingerprint
}
func (m *manager) IdentityCert() x509.Certificate {
if m == nil {
return x509.Certificate{}
}
return *m.identityCert
}
@ -99,6 +107,10 @@ func (m *manager) IdentityCert() x509.Certificate {
// subject is the DeviceID of the about to be MDM enrolled device, it will be used as the CommonName of the certificate
// clientCSR is the client certificate signing request
func (m *manager) SignClientCSR(ctx context.Context, subject string, clientCSR *x509.CertificateRequest) ([]byte, string, error) {
if m == nil {
return nil, "", errors.New("windows mdm identity keypair was not configured")
}
if m.identityCert == nil || m.identityPrivateKey == nil {
return nil, "", errors.New("invalid identity certificate or private key")
}
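Review bot: The new nil-receiver guard in IdentityCert still dereferences `*m.identityCert` when the manager itself is non-nil but its certificate field is, so the panic this commit fixes can recur for a partially configured manager; the guard in SignClientCSR a few lines below already checks `m.identityCert == nil`, and IdentityCert should match it: `if m == nil || m.identityCert == nil {` returning `x509.Certificate{}` as it does now. Since callers cannot tell a zero certificate from a real one, a doc comment such as `// IdentityCert returns the configured identity certificate, or a zero x509.Certificate when the manager or its certificate is not configured.` would make that contract explicit. The same inconsistency does not affect IdentityFingerprint, which reads only a string field. SignClientCSR's body continues outside the hunk.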


@ -1045,6 +1045,10 @@ func (svc *Service) GetAuthorizedSoapFault(ctx context.Context, eType string, or
}
func (svc *Service) SignMDMMicrosoftClientCSR(ctx context.Context, subject string, csr *x509.CertificateRequest) ([]byte, string, error) {
if svc.wstepCertManager == nil {
return nil, "", errors.New("windows mdm identity keypair was not configured")
}
cert, fpHex, err := svc.wstepCertManager.SignClientCSR(ctx, subject, csr)
if err != nil {
return nil, "signing wstep client csr", ctxerr.Wrap(ctx, err)