signature verifier location

jessepeterson · jessepeterson · commit a3faa70f8758 · 2024-09-30T14:51:31.000-07:00
diff --git a/cmd/nanomdm/main.go b/cmd/nanomdm/main.go
@@ -162,7 +162,7 @@ func main() {
 				if *flDebug {
 					opts = append(opts, httpmdm.SigLogWithLogErrors(true))
 				}
-				h = httpmdm.CertExtractMdmSignatureMiddleware(h, cryptoutil.MdmSignatureVerifierFunc(cryptoutil.VerifyMdmSignature), opts...)
+				h = httpmdm.CertExtractMdmSignatureMiddleware(h, httpmdm.MdmSignatureVerifierFunc(cryptoutil.VerifyMdmSignature), opts...)
 			}
 			return h
 		}
diff --git a/cryptoutil/cryptoutil.go b/cryptoutil/cryptoutil.go
@@ -40,14 +40,6 @@ func TopicFromPEMCert(pemCert []byte) (string, error) {
 	return TopicFromCert(cert)
 }
 
-// MdmSignatureVerifierFunc is an adapter for verifying Apple MDM "Mdm-Signature" headers.
-type MdmSignatureVerifierFunc func(header string, body []byte) (*x509.Certificate, error)
-
-// VerifyMdmSignature calls v with header and body.
-func (v MdmSignatureVerifierFunc) VerifyMdmSignature(header string, body []byte) (*x509.Certificate, error) {
-	return v(header, body)
-}
-
 // VerifyMdmSignature verifies an Apple MDM "Mdm-Signature" header and returns the signing certificate.
 // See https://developer.apple.com/documentation/devicemanagement/implementing_device_management/managing_certificates_for_mdm_servers_and_devices
 // section "Pass an Identity Certificate Through a Proxy."
diff --git a/cryptoutil/cryptoutil_test.go b/cryptoutil/cryptoutil_test.go
@@ -22,13 +22,12 @@ func TestPKCS7ParseTagLengthError(t *testing.T) {
 	}
 }
 
-func TestMdmVerifierFunc(t *testing.T) {
+func TestVerifyMdmSignature(t *testing.T) {
 	body, err := base64.StdEncoding.DecodeString(mdmSignatureBody2)
 	if err != nil {
 		t.Error(err)
 	}
-	verifier := MdmSignatureVerifierFunc(VerifyMdmSignature)
-	_, err = verifier.VerifyMdmSignature(mdmSignatureHeader2, body)
+	_, err = VerifyMdmSignature(mdmSignatureHeader2, body)
 	if err != nil {
 		t.Error(err)
 	}
diff --git a/http/mdm/mdm_cert.go b/http/mdm/mdm_cert.go
@@ -108,6 +108,14 @@ type MdmSignatureVerifier interface {
 	VerifyMdmSignature(header string, body []byte) (*x509.Certificate, error)
 }
 
+// MdmSignatureVerifierFunc is an adapter for verifying Apple MDM "Mdm-Signature" headers.
+type MdmSignatureVerifierFunc func(header string, body []byte) (*x509.Certificate, error)
+
+// VerifyMdmSignature calls v with header and body.
+func (v MdmSignatureVerifierFunc) VerifyMdmSignature(header string, body []byte) (*x509.Certificate, error) {
+	return v(header, body)
+}
+
 // CertExtractMdmSignatureMiddleware extracts the MDM enrollment
 // identity certificate from the request into the HTTP request context.
 // It tries to verify the Mdm-Signature header on the request.

Original file line number	Diff line number	Diff line change
`@@ -162,7 +162,7 @@ func main() {`
`162`	`162`	`if *flDebug {`
`163`	`163`	`opts = append(opts, httpmdm.SigLogWithLogErrors(true))`
`164`	`164`	`}`
`165`		`- h = httpmdm.CertExtractMdmSignatureMiddleware(h, cryptoutil.MdmSignatureVerifierFunc(cryptoutil.VerifyMdmSignature), opts...)`
	`165`	`+ h = httpmdm.CertExtractMdmSignatureMiddleware(h, httpmdm.MdmSignatureVerifierFunc(cryptoutil.VerifyMdmSignature), opts...)`
`166`	`166`	`}`
`167`	`167`	`return h`
`168`	`168`	`}`
Original file line number	Diff line number	Diff line change
`@@ -22,13 +22,12 @@ func TestPKCS7ParseTagLengthError(t *testing.T) {`
`22`	`22`	`}`
`23`	`23`	`}`
`24`	`24`
`25`		`-func TestMdmVerifierFunc(t *testing.T) {`
	`25`	`+func TestVerifyMdmSignature(t *testing.T) {`
`26`	`26`	`body, err := base64.StdEncoding.DecodeString(mdmSignatureBody2)`
`27`	`27`	`if err != nil {`
`28`	`28`	`t.Error(err)`
`29`	`29`	`}`
`30`		`- verifier := MdmSignatureVerifierFunc(VerifyMdmSignature)`
`31`		`- _, err = verifier.VerifyMdmSignature(mdmSignatureHeader2, body)`
	`30`	`+ _, err = VerifyMdmSignature(mdmSignatureHeader2, body)`
`32`	`31`	`if err != nil {`
`33`	`32`	`t.Error(err)`
`34`	`33`	`}`