From 685e1f8557f1d1fa53e6f3d8eab871a3638ad89c Mon Sep 17 00:00:00 2001 From: Roberto Dip Date: Fri, 21 Jun 2024 12:20:51 -0300 Subject: [PATCH] Fixed a server panic in `/mdm/apple/mdm` (#19929) for #19928 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality
---
 changes/19928-empty-certs | 1 +
 server/mdm/crypto/scep.go | 4 ++++
 server/mdm/crypto/scep_test.go | 13 +++++++++++++
 server/service/integration_mdm_test.go | 6 ++++++
 4 files changed, 24 insertions(+)
 create mode 100644 changes/19928-empty-certs
 create mode 100644 server/mdm/crypto/scep_test.go
diff --git a/changes/19928-empty-certs b/changes/19928-empty-certs
new file mode 100644
index 0000000000..1c080369dd
--- /dev/null
+++ b/changes/19928-empty-certs
@@ -0,0 +1 @@
+* Fixed a server panic when sending a request to `/mdm/apple/mdm` without certificate headers.
diff --git a/server/mdm/crypto/scep.go b/server/mdm/crypto/scep.go
index f8746f282f..1367030bf4 100644
--- a/server/mdm/crypto/scep.go
+++ b/server/mdm/crypto/scep.go
@@ -23,6 +23,10 @@ func NewSCEPVerifier(ds fleet.MDMAssetRetriever) *SCEPVerifier {
 }
 
 func (s *SCEPVerifier) Verify(cert *x509.Certificate) error {
+ if cert == nil {
+ return errors.New("no certificate provided")
+ }
+
 opts := x509.VerifyOptions{
 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 Roots: x509.NewCertPool(),
diff --git a/server/mdm/crypto/scep_test.go b/server/mdm/crypto/scep_test.go
new file mode 100644
index 0000000000..a8865b58f9
--- /dev/null
+++ b/server/mdm/crypto/scep_test.go
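Review bot: The nil guard added at the top of `Verify` returns an ad-hoc `errors.New("no certificate provided")`, so a caller can only recognise a missing client certificate by matching the message text, which is what the new unit test does. A package-level sentinel, for example `var ErrNoCertificate = errors.New("no certificate provided")` (name is a suggestion), returned from the guard would let the HTTP layer separate "no certificate presented" from "certificate failed verification" with `errors.Is`, both for the status mapping and for logging unauthenticated requests to this endpoint. The guard protects only this method; the code that passed a nil certificate in is outside the hunk, so it is worth confirming that the same nil value is not handed to any other consumer. `Verify`'s body continues past the end of the hunk.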
@@ -0,0 +1,13 @@
+package mdmcrypto
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/require"
+)
+
+func TestSCEPVerifierVerifyEmptyCerts(t *testing.T) {
+ v := &SCEPVerifier{}
+ err := v.Verify(nil)
+ require.ErrorContains(t, err, "no certificate provided")
+}
diff --git a/server/service/integration_mdm_test.go b/server/service/integration_mdm_test.go
index b8149a546f..23f8fc3c19 100644
--- a/server/service/integration_mdm_test.go
+++ b/server/service/integration_mdm_test.go
@@ -9075,3 +9075,9 @@ func (s *integrationMDMTestSuite) TestSilentMigrationGotchas() {
 require.True(t, resp.Notifications.RenewEnrollmentProfile)
 require.False(t, resp.Notifications.NeedsMDMMigration)
 }
+
+func (s *integrationMDMTestSuite) TestMDMRequestWithoutCerts() {
+ t := s.T()
+ res := s.DoRawNoAuth("PUT", "/mdm/apple/mdm", nil, http.StatusBadRequest)
+ require.NoError(t, res.Body.Close())
+}
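Review bot: `TestMDMRequestWithoutCerts` has no comment tying it to the panic it guards against, and it exercises only the case where the certificate headers are absent altogether. A one-line comment above the function, such as `// Regression test for #19928: a request without certificate headers must get 400, not a server panic.`, would keep the intent visible to whoever next touches the suite. If the header parsing can also produce a nil certificate for a header that is present but empty or unparsable (that code is not visible in this patch), a second request carrying such a header would pin that path as well.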