feat: adds support for E2E TLS connection between AMT and RPS#

Author: rsdmike

src/DataProcessor.ts

@@ -79,6 +79,10 @@ export class DataProcessor {
           await this.handleConnectionReset(clientMsg, clientId)
           break
         }
+        case ClientMethods.PORT_SWITCH_ACK: {
+          await this.handlePortSwitchAck(clientMsg, clientId)
+          break
+        }
         default: {
           const uuid = clientMsg.payload.uuid ? clientMsg.payload.uuid : devices[clientId].ClientData.payload.uuid
           throw new RPSError(`Device ${uuid} Not a supported method received from AMT device`)
@@ -253,6 +257,15 @@ export class DataProcessor {
     }
   }
 
+  async handlePortSwitchAck(clientMsg: ClientMsg, clientId: string): Promise<void> {
+    const clientObj = devices[clientId]
+    this.logger.info(`PORT_SWITCH_ACK received from rpc-go for device ${clientObj?.uuid}`)
+
+    if (clientObj?.pendingPromise != null && clientObj.resolve != null) {
+      clientObj.resolve('port_switch_ack')
+    }
+  }
+
   async handleConnectionReset(clientMsg: ClientMsg, clientId: string): Promise<void> {
     const clientObj = devices[clientId]
     this.logger.warn(`CONNECTION RESET from rpc-go`)

src/Validator.ts

@@ -80,6 +80,11 @@ export class Validator implements IValidator {
         this.logger.info(`Device ${payload.uuid} has TLS enforced - enabling TLS tunnel mode`)
       }
     }
+    // Extract secure activation flag from payload
+    if (msg.payload.secure === true) {
+      clientObj.secureActivation = true
+      this.logger.info(`Device ${payload.uuid} requested secure activation`)
+    }
     // Check for client requested action and profile activation
     const profile: AMTConfiguration | null = await this.configurator.profileManager.getAmtProfile(
       payload.profile,

src/interfaces/ISecretManagerService.ts

@@ -9,6 +9,8 @@ export interface DeviceCredentials {
   AMT_PASSWORD: string | null
   MPS_PASSWORD?: string // only required for CIRA
   MEBX_PASSWORD?: string | null
+  TLS_ROOT_CERTIFICATE?: string
+  TLS_ISSUED_CERTIFICATE?: string
   version?: string
 }
 

src/models/RCS.Config.ts

@@ -126,6 +126,7 @@ export interface ClientObject {
   resolve: (value: unknown) => void
   reject: (value: unknown) => void
   tlsEnforced?: boolean
+  secureActivation?: boolean
   tlsTunnelManager?: TLSTunnelManager
   tlsTunnelNeedsReset?: boolean
   tlsTunnelSessionId?: string // Current TLS session ID for filtering stale data
@@ -200,6 +201,9 @@ export interface TLSConfigFlow {
   commitLocalTLS?: boolean
   getTimeSynch?: boolean
   setTimeSynch?: boolean
+  rootCertPEM?: string
+  rootCertKey?: any
+  issuedCertPEM?: string
 }
 
 export interface mpsServer {
@@ -240,6 +244,7 @@ export interface Payload {
   client: string
   profile?: any
   tlsEnforced?: boolean
+  secure?: boolean
 }
 
 export interface ConnectionObject {
@@ -271,7 +276,9 @@ export enum ClientMethods {
   HEARTBEAT = 'heartbeat_response',
   MAINTENANCE = 'maintenance',
   TLS_DATA = 'tls_data',
-  CONNECTION_RESET = 'connection_reset'
+  CONNECTION_RESET = 'connection_reset',
+  PORT_SWITCH = 'port_switch',
+  PORT_SWITCH_ACK = 'port_switch_ack'
 }
 
 export interface apiResponse {

src/stateMachines/activation.test.ts

@@ -133,6 +133,7 @@ describe('Activation State Machine', () => {
       canActivate: true,
       shbcCCMComplete: false,
       shbcACMComplete: false,
+      secureCCMComplete: false,
       message: '',
       clientId,
       xmlMessage: '',