Fixed a server panic in /mdm/apple/mdm (#19929)

for #19928

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality

changes/19928-empty-certs

@@ -0,0 +1 @@
+* Fixed a server panic when sending a request to `/mdm/apple/mdm` without certificate headers.

server/mdm/crypto/scep.go

@@ -23,6 +23,10 @@ func NewSCEPVerifier(ds fleet.MDMAssetRetriever) *SCEPVerifier {
 }
 
 func (s *SCEPVerifier) Verify(cert *x509.Certificate) error {
+	if cert == nil {
+		return errors.New("no certificate provided")
+	}
+
 	opts := x509.VerifyOptions{
 		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 		Roots:     x509.NewCertPool(),

server/mdm/crypto/scep_test.go

@@ -0,0 +1,13 @@
+package mdmcrypto
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestSCEPVerifierVerifyEmptyCerts(t *testing.T) {
+	v := &SCEPVerifier{}
+	err := v.Verify(nil)
+	require.ErrorContains(t, err, "no certificate provided")
+}

server/service/integration_mdm_test.go

@@ -9075,3 +9075,9 @@ func (s *integrationMDMTestSuite) TestSilentMigrationGotchas() {
 	require.True(t, resp.Notifications.RenewEnrollmentProfile)
 	require.False(t, resp.Notifications.NeedsMDMMigration)
 }
+
+func (s *integrationMDMTestSuite) TestMDMRequestWithoutCerts() {
+	t := s.T()
+	res := s.DoRawNoAuth("PUT", "/mdm/apple/mdm", nil, http.StatusBadRequest)
+	require.NoError(t, res.Body.Close())
+}