Add -intermediate switch for device verification

micromdm · Aug 24, 2022 · 0ca17b4 · 0ca17b4
1 parent f31ea96
commit 0ca17b4
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 5 deletions.
diff --git a/certverify/pool.go b/certverify/pool.go
@@ -11,14 +11,20 @@ type PoolVerifier struct {
 }
 
 // NewPoolVerifier creates a new Verifier
-func NewPoolVerifier(rootsPEM []byte, keyUsages ...x509.ExtKeyUsage) (*PoolVerifier, error) {
+func NewPoolVerifier(rootsPEM []byte, intsPEM []byte, keyUsages ...x509.ExtKeyUsage) (*PoolVerifier, error) {
 	opts := x509.VerifyOptions{
 		KeyUsages: keyUsages,
 		Roots:     x509.NewCertPool(),
 	}
 	if len(rootsPEM) == 0 || !opts.Roots.AppendCertsFromPEM(rootsPEM) {
 		return nil, errors.New("could not append root CA(s)")
 	}
+	if len(intsPEM) > 0 {
+		opts.Intermediates = x509.NewCertPool()
+		if !opts.Intermediates.AppendCertsFromPEM(intsPEM) {
+			return nil, errors.New("could not append intermediate CA(s)")
+		}
+	}
 	return &PoolVerifier{
 		verifyOpts: opts,
 	}, nil

diff --git a/cmd/nanomdm/main.go b/cmd/nanomdm/main.go
@@ -50,7 +50,8 @@ func main() {
 		flListen     = flag.String("listen", ":9000", "HTTP listen address")
 		flAPIKey     = flag.String("api", "", "API key for API endpoints")
 		flVersion    = flag.Bool("version", false, "print version")
-		flRootsPath  = flag.String("ca", "", "path to CA cert for verification")
+		flRootsPath  = flag.String("ca", "", "path to PEM CA cert(s)")
+		flIntsPath   = flag.String("intermediate", "", "path to PEM intermediate cert(s)")
 		flWebhook    = flag.String("webhook-url", "", "URL to send requests to")
 		flCertHeader = flag.String("cert-header", "", "HTTP header containing URL-escaped TLS client certificate")
 		flDebug      = flag.Bool("debug", false, "log debug messages")
@@ -81,7 +82,11 @@ func main() {
 	if err != nil {
 		stdlog.Fatal(err)
 	}
-	verifier, err := certverify.NewPoolVerifier(caPEM, x509.ExtKeyUsageClientAuth)
+	intsPEM, err := os.ReadFile(*flIntsPath)
+	if err != nil {
+		stdlog.Fatal(err)
+	}
+	verifier, err := certverify.NewPoolVerifier(caPEM, intsPEM, x509.ExtKeyUsageClientAuth)
 	if err != nil {
 		stdlog.Fatal(err)
 	}

diff --git a/docs/operations-guide.md b/docs/operations-guide.md
@@ -28,9 +28,15 @@ API authorization in NanoMDM is simply HTTP Basic authentication using "nanomdm"
 
 ### -ca string
 
-* Path to CA cert for verification
+* path to PEM CA cert(s)
 
-NanoMDM validates that the device identity certificate is issued from specific CAs. This switch is the path to a file of PEM-encoded CAs to validate against.
+NanoMDM validates that the device identity certificate is issued from specific CAs. This switch is the path to a file of PEM-encoded CAs to validate enrollments against.
+
+### -intermediate string
+
+* path to PEM intermediate cert(s)
+
+NanoMDM validates that the device identity certificate is issued from specific CAs. This switch is the path to a file of PEM-encoded intermediate certificates that can be used to build a chain of trust to the CAs to validate enrollments against.
 
 ### -cert-header string