add fallback verifier and make verifiers context aware (#85)

micromdm · Nov 29, 2023 · e9fcd9b · e9fcd9b
1 parent 012ad61
commit e9fcd9b
Show file tree

Hide file tree

Showing 5 changed files with 97 additions and 4 deletions.
diff --git a/certverify/fallback.go b/certverify/fallback.go
@@ -0,0 +1,41 @@
+package certverify
+
+import (
+	"context"
+	"crypto/x509"
+	"errors"
+	"fmt"
+	"strings"
+)
+
+// CertVerifier is a simple interface for verifying a certificate.
+type CertVerifier interface {
+	Verify(context.Context, *x509.Certificate) error
+}
+
+// FallbackVerifier verfies certificate validity using multiple verifiers.
+type FallbackVerifier struct {
+	verifiers []CertVerifier
+}
+
+// NewFallbackVerifier creates a new verifier using other verifiers.
+func NewFallbackVerifier(verifiers ...CertVerifier) *FallbackVerifier {
+	return &FallbackVerifier{verifiers: verifiers}
+}
+
+// Verify performs certificate verification.
+// Any verifier returning nil ("passes") will pass (return nil) and not
+// check any other verifier.
+// If all verifiers return non-nil ("fail") then an error for all
+// verifiers will be returned.
+func (v *FallbackVerifier) Verify(ctx context.Context, cert *x509.Certificate) error {
+	var errs []string
+	for i, verifier := range v.verifiers {
+		err := verifier.Verify(ctx, cert)
+		if err == nil {
+			return nil
+		}
+		errs = append(errs, fmt.Sprintf("fallback error (%d): %v", i, err))
+	}
+	return errors.New(strings.Join(errs, "; "))
+}
diff --git a/certverify/fallback_test.go b/certverify/fallback_test.go
@@ -0,0 +1,50 @@
+package certverify
+
+import (
+	"context"
+	"crypto/x509"
+	"errors"
+	"testing"
+)
+
+type errVerifier struct{ err error }
+
+func (v *errVerifier) Verify(_ context.Context, _ *x509.Certificate) error {
+	return v.err
+}
+
+var nilErroringVerifier = &errVerifier{}
+var errErroringVerifier = &errVerifier{err: errors.New("verifier error")}
+
+func TestFallbackVerifier(t *testing.T) {
+	v := NewFallbackVerifier(nilErroringVerifier)
+	err := v.Verify(nil, nil)
+	if err != nil {
+		t.Errorf("should not have errored: %v", err)
+	}
+
+	v = NewFallbackVerifier(nilErroringVerifier, nilErroringVerifier)
+	if err = v.Verify(nil, nil); err != nil {
+		t.Errorf("should not have errored: %v", err)
+	}
+
+	v = NewFallbackVerifier(errErroringVerifier)
+	if err = v.Verify(nil, nil); err == nil {
+		t.Error("should have errored")
+	}
+
+	v = NewFallbackVerifier(errErroringVerifier, nilErroringVerifier)
+	if err = v.Verify(nil, nil); err != nil {
+		t.Errorf("should not have errored: %v", err)
+	}
+
+	v = NewFallbackVerifier(nilErroringVerifier, errErroringVerifier)
+	if err = v.Verify(nil, nil); err != nil {
+		t.Errorf("should not have errored: %v", err)
+	}
+
+	v = NewFallbackVerifier(errErroringVerifier, errErroringVerifier)
+	if err = v.Verify(nil, nil); err == nil {
+		t.Error("should have errored")
+	}
+}
diff --git a/certverify/pool.go b/certverify/pool.go
@@ -1,6 +1,7 @@
 package certverify
 
 import (
+	"context"
 	"crypto/x509"
 	"errors"
 )
@@ -31,7 +32,7 @@ func NewPoolVerifier(rootsPEM []byte, intsPEM []byte, keyUsages ...x509.ExtKeyUs
 }
 
 // Verify performs certificate verification
-func (v *PoolVerifier) Verify(cert *x509.Certificate) error {
+func (v *PoolVerifier) Verify(_ context.Context, cert *x509.Certificate) error {
 	if cert == nil {
 		return errors.New("missing MDM certificate")
 	}

diff --git a/certverify/signature.go b/certverify/signature.go
@@ -1,6 +1,7 @@
 package certverify
 
 import (
+	"context"
 	"crypto/x509"
 	"errors"
 
@@ -25,7 +26,7 @@ func NewSignatureVerifier(rootPEM []byte) (*SignatureVerifier, error) {
 }
 
 // Verify checks only the signature of the certificate against the CA
-func (v *SignatureVerifier) Verify(cert *x509.Certificate) error {
+func (v *SignatureVerifier) Verify(_ context.Context, cert *x509.Certificate) error {
 	if cert == nil {
 		return errors.New("missing MDM certificate")
 	}

diff --git a/http/mdm/mdm_cert.go b/http/mdm/mdm_cert.go
@@ -110,7 +110,7 @@ func GetCert(ctx context.Context) *x509.Certificate {
 
 // CertVerifier is a simple interface for verifying a certificate.
 type CertVerifier interface {
-	Verify(*x509.Certificate) error
+	Verify(context.Context, *x509.Certificate) error
 }
 
 // CertVerifyMiddleware checks the MDM certificate against verifier and
@@ -120,7 +120,7 @@ type CertVerifier interface {
 // MDM unenrollments in the case of bugs or something going wrong.
 func CertVerifyMiddleware(next http.Handler, verifier CertVerifier, logger log.Logger) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		if err := verifier.Verify(GetCert(r.Context())); err != nil {
+		if err := verifier.Verify(r.Context(), GetCert(r.Context())); err != nil {
 			ctxlog.Logger(r.Context(), logger).Info(
 				"msg", "error verifying MDM certificate",
 				"err", err,