Manually verify SHA1 certificates (fixes #854) #855
jessepeterson merged 2 commits into micromdm:main from
pkg/crypto/apple.go
Outdated
| ` | ||
|
|
||
| // extracted public key from appleiPhoneDeviceCAPEM | ||
| var appleiPhoneDeviceCAPublicKey = &rsa.PublicKey{ |
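Review bot: the hand-written `appleiPhoneDeviceCAPublicKey` literal that starts on the last line of this hunk restates key material that already lives in `appleiPhoneDeviceCAPEM`, so the trust anchor now exists in two copies that can drift apart if only one is ever updated. Derive the key from the PEM once at package initialisation rather than typing out the `rsa.PublicKey` fields, and because it is a package-level `var` holding a pointer, document that it must be treated as read-only after initialisation.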
I'd like to keep this within the single X.509 PEM that's already in the source. If optimization was the concern we could add an init() function that does the parsing just once at startup time (though I generally dislike them). I know you test for equality in the test but I like the single source of truth better. Thoughts? Could also wrap this into an interface with its own initializer as well.
I thought the test was sufficient, but I can see how it seems a little "dirty".
I pushed a commit that replaces the handcrafted public key with a "mustParsePublicKey" function. This way, we're still only parsing it once, but we have the single source of truth. Does that work for you?
Yeah this looks good!
I don't think it's "dirty" per se — I just dislike multiple sources of truth. Like if we wanted to update that cert or whatever we only have one place we need to do it. (Though, honestly, if Apple did update that cert we'd probably have to go do something else yet again heh).
Per discussions on the MacAdmins Slack, this changes crypto.VerifyFromAppleDeviceCA to use a manual signature verification instead of using Go's x509 library, since SHA1WithRSA is deprecated and planned to be removed from Go.
I also went ahead and stuck the public key in a var so it doesn't have to parse the embedded cert on each call.
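The approach discussed in this PR, as an added sketch that is not the code from the PR or from micromdm: the RSA key is parsed out of the PEM certificate once, and a SHA1WithRSA signature is then checked with crypto/rsa directly over the certificate's signed (TBS) bytes. The body of `mustParsePublicKey` and the names `verifySHA1WithRSA` and `demoCA` are assumptions, and the CA and signed bytes are constructed at run time, not Apple's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
)

// mustParsePublicKey reads the RSA key from a PEM certificate; panics so it can initialise a package var.
func mustParsePublicKey(pemBytes []byte) *rsa.PublicKey {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		panic("no PEM block in embedded certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		panic(err)
	}
	return cert.PublicKey.(*rsa.PublicKey) // panics if the CA key is not RSA
}

// verifySHA1WithRSA checks the issuer's PKCS#1 v1.5 signature over the TBS bytes using crypto/rsa only.
func verifySHA1WithRSA(issuer *rsa.PublicKey, cert *x509.Certificate) error {
	if cert.SignatureAlgorithm != x509.SHA1WithRSA {
		return fmt.Errorf("unexpected signature algorithm %v", cert.SignatureAlgorithm)
	}
	digest := sha1.Sum(cert.RawTBSCertificate)
	return rsa.VerifyPKCS1v15(issuer, crypto.SHA1, digest[:], cert.Signature)
}

// demoCA builds a throwaway CA key and its PEM certificate (constructed input, not Apple's CA).
func demoCA() (*rsa.PrivateKey, []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"demo-ca.invalid"}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	key, caPEM := demoCA()
	leaf := &x509.Certificate{SignatureAlgorithm: x509.SHA1WithRSA, RawTBSCertificate: []byte("constructed TBS bytes")}
	digest := sha1.Sum(leaf.RawTBSCertificate)
	leaf.Signature, _ = rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, digest[:])
	fmt.Println("verify error:", verifySHA1WithRSA(mustParsePublicKey(caPEM), leaf))
}
```

A signature check like this covers only the signature itself; validity dates, key usage and any other checks a full chain verification would perform have to be handled separately.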