mongodb/mongo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

SERVER-99750 Use generated certificates in jstests (#46650)

Browse Source 
GitOrigin-RevId: 303ffa3be9ec56f70a9ff9e38d4430fd0c927599
This commit is contained in:
Gabriel Marks 2026-01-28 12:22:51 -05:00 committed by MongoDB Bot
parent cbec74c899
commit 77d90a66d3
142 changed files with 643 additions and 600 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
BUILD.bazel
View File

@ -427,6 +427,12 @@ mongo_install(
],
"//conditions:default": [],
}),
root_files = select({
"//bazel/config:include_autogenerated_targets_enabled": {
"//x509:generate_main_certificates": "bin/x509",
},
"//conditions:default": {},
}),
)
# This sets up targets for install-mongotmock and archive-mongotmock

4
buildscripts/resmokeconfig/suites/client_encrypt.yml
View File

@ -11,5 +11,5 @@ executor:
ssl: ""
tlsAllowInvalidHostnames: ""
tlsAllowInvalidCertificates: ""
tlsCAFile: jstests/libs/ca.pem
tlsCertificateKeyFile: jstests/libs/client.pem
tlsCAFile: ${x509ObjDir}/ca.pem
tlsCertificateKeyFile: ${x509ObjDir}/client.pem

4
buildscripts/resmokeconfig/suites/fle.yml
View File

@ -12,8 +12,8 @@ executor:
ssl: ""
tlsAllowInvalidHostnames: ""
tlsAllowInvalidCertificates: ""
tlsCAFile: jstests/libs/ca.pem
tlsCertificateKeyFile: jstests/libs/client.pem
tlsCAFile: ${x509ObjDir}/ca.pem
tlsCertificateKeyFile: ${x509ObjDir}/client.pem
global_vars:
TestData:
useFle2Protocol: false

4
buildscripts/resmokeconfig/suites/fle2_query_analysis.yml
View File

@ -13,8 +13,8 @@ executor:
ssl: ""
tlsAllowInvalidHostnames: ""
tlsAllowInvalidCertificates: ""
tlsCAFile: jstests/libs/ca.pem
tlsCertificateKeyFile: jstests/libs/client.pem
tlsCAFile: ${x509ObjDir}/ca.pem
tlsCertificateKeyFile: ${x509ObjDir}/client.pem
global_vars:
TestData:
useFle2Protocol: true

4
buildscripts/resmokeconfig/suites/integration_tests_replset_ssl_auth.yml
View File

@ -57,8 +57,8 @@ executor:
command: 2
enableTestCommands: 1
tlsMode: preferTLS
tlsCAFile: jstests/libs/ca.pem
tlsCertificateKeyFile: jstests/libs/server.pem
tlsCAFile: ${x509ObjDir}/ca.pem
tlsCertificateKeyFile: ${x509ObjDir}/server.pem
keyFile: *keyFile
clusterAuthMode: sendX509
auth: ""

8
buildscripts/resmokeconfig/suites/integration_tests_standalone_grpc.yml
View File

@ -13,8 +13,8 @@ executor:
config:
program_options:
tlsMode: "preferTLS"
tlsCAFile: jstests/libs/ca.pem
tlsCertificateKeyFile: jstests/libs/client.pem
tlsCAFile: ${x509ObjDir}/ca.pem
tlsCertificateKeyFile: ${x509ObjDir}/client.pem
useEgressGRPC: true
hooks:
- class: ValidateCollections
@ -29,5 +29,5 @@ executor:
command: 2
enableTestCommands: 1
tlsMode: preferTLS
tlsCAFile: jstests/libs/ca.pem
tlsCertificateKeyFile: jstests/libs/server.pem
tlsCAFile: ${x509ObjDir}/ca.pem
tlsCertificateKeyFile: ${x509ObjDir}/server.pem

4
buildscripts/resmokeconfig/suites/ocsp.yml
View File

@ -9,7 +9,7 @@ executor:
shell_options:
nodb: ""
tls: ""
tlsCAFile: jstests/libs/ocsp/ca_ocsp.pem
tlsCertificateKeyFile: jstests/libs/ocsp/client_ocsp.pem
tlsCAFile: ${x509ObjDir}/ca_ocsp.pem
tlsCertificateKeyFile: ${x509ObjDir}/client_ocsp.pem
tlsAllowInvalidHostnames: ""
setShellParameter: ocspEnabled=true

4
buildscripts/resmokeconfig/suites/search_community_ssl.yml
View File

@ -28,5 +28,5 @@ executor:
ssl: ""
tlsAllowInvalidHostnames: ""
tlsAllowInvalidCertificates: ""
tlsCAFile: jstests/libs/ca.pem
tlsCertificateKeyFile: jstests/libs/client.pem
tlsCAFile: ${x509ObjDir}/ca.pem
tlsCertificateKeyFile: ${x509ObjDir}/client.pem

4
buildscripts/resmokeconfig/suites/search_ssl.yml
View File

@ -22,5 +22,5 @@ executor:
ssl: ""
tlsAllowInvalidHostnames: ""
tlsAllowInvalidCertificates: ""
tlsCAFile: jstests/libs/ca.pem
tlsCertificateKeyFile: jstests/libs/client.pem
tlsCAFile: ${x509ObjDir}/ca.pem
tlsCertificateKeyFile: ${x509ObjDir}/client.pem

4
buildscripts/resmokeconfig/suites/ssl.yml
View File

@ -12,8 +12,8 @@ executor:
nodb: ""
ssl: ""
sslAllowInvalidCertificates: ""
sslCAFile: jstests/libs/ca.pem
sslPEMKeyFile: jstests/libs/client.pem
sslCAFile: ${x509ObjDir}/ca.pem
sslPEMKeyFile: ${x509ObjDir}/client.pem
global_vars:
TestData:
setParameters:

4
buildscripts/resmokeconfig/suites/ssl_linear.yml
View File

@ -13,8 +13,8 @@ executor:
nodb: ""
ssl: ""
sslAllowInvalidCertificates: ""
sslCAFile: jstests/libs/trusted-ca.pem
sslPEMKeyFile: jstests/libs/trusted-client.pem
sslCAFile: ${x509ObjDir}/trusted-ca.pem
sslPEMKeyFile: ${x509ObjDir}/trusted-client.pem
global_vars:
TestData:
setParameters:

4
buildscripts/resmokeconfig/suites/ssl_x509.yml
View File

@ -11,9 +11,9 @@ executor:
nodb: ""
ssl: ""
sslAllowInvalidCertificates: ""
sslCAFile: jstests/libs/ca.pem
sslCAFile: ${x509ObjDir}/ca.pem
# We use server.pem so that shell can auth as __system.
sslPEMKeyFile: jstests/libs/server.pem
sslPEMKeyFile: ${x509ObjDir}/server.pem
global_vars:
TestData:
setParameters:

4
buildscripts/resmokeconfig/suites/vector_search_ssl.yml
View File

@ -11,5 +11,5 @@ executor:
ssl: ""
tlsAllowInvalidHostnames: ""
tlsAllowInvalidCertificates: ""
tlsCAFile: jstests/libs/ca.pem
tlsCertificateKeyFile: jstests/libs/client.pem
tlsCAFile: ${x509ObjDir}/ca.pem
tlsCertificateKeyFile: ${x509ObjDir}/client.pem

11
buildscripts/resmokelib/testing/fixtures/multi_replica_set.py
View File

@ -4,7 +4,7 @@ import copy
import os.path
from buildscripts.resmokelib.testing.fixtures import interface
from buildscripts.resmokelib.utils import dictionary
from buildscripts.resmokelib.utils import certs, dictionary
class MultiReplicaSetFixture(interface.MultiClusterFixture):
@ -38,8 +38,13 @@ class MultiReplicaSetFixture(interface.MultiClusterFixture):
raise ValueError("num_replica_sets must be greater or equal to 2")
self.num_nodes_per_replica_set = num_nodes_per_replica_set
self.common_mongod_options = self.fixturelib.default_if_none(common_mongod_options, {})
self.per_mongod_options = self.fixturelib.default_if_none(per_mongod_options, [])
self.common_mongod_options = certs.expand_x509_paths(
self.fixturelib.default_if_none(common_mongod_options, {})
)
self.per_mongod_options = [
certs.expand_x509_paths(opts)
for opts in self.fixturelib.default_if_none(per_mongod_options, [])
]
self.common_replica_set_options = common_replica_set_options
self.per_replica_set_options = self.fixturelib.default_if_none(per_replica_set_options, [])
self.persist_connection_strings = persist_connection_strings

11
buildscripts/resmokelib/testing/fixtures/multi_sharded_cluster.py
View File

@ -6,7 +6,7 @@ import os.path
import pymongo
from buildscripts.resmokelib.testing.fixtures import interface
from buildscripts.resmokelib.utils import dictionary
from buildscripts.resmokelib.utils import certs, dictionary
class MultiShardedClusterFixture(interface.MultiClusterFixture):
@ -38,8 +38,13 @@ class MultiShardedClusterFixture(interface.MultiClusterFixture):
raise ValueError("num_sharded_clusters must be greater or equal to 2")
self.num_sharded_clusters = num_sharded_clusters
self.common_mongod_options = self.fixturelib.default_if_none(common_mongod_options, {})
self.per_mongod_options = self.fixturelib.default_if_none(per_mongod_options, [])
self.common_mongod_options = certs.expand_x509_paths(
self.fixturelib.default_if_none(common_mongod_options, {})
)
self.per_mongod_options = [
certs.expand_x509_paths(opts)
for opts in self.fixturelib.default_if_none(per_mongod_options, [])
]
self.common_sharded_cluster_options = common_sharded_cluster_options
self.per_sharded_cluster_options = self.fixturelib.default_if_none(
per_sharded_cluster_options, []

3
buildscripts/resmokelib/testing/fixtures/replicaset.py
View File

@ -17,6 +17,7 @@ from buildscripts.resmokelib.extensions import (
find_and_generate_extension_configs,
)
from buildscripts.resmokelib.testing.fixtures import interface
from buildscripts.resmokelib.utils import certs
def compare_timestamp(timestamp1, timestamp2):
@ -90,7 +91,7 @@ class ReplicaSetFixture(interface.ReplFixture, interface._DockerComposeInterface
self.mongod_executable = mongod_executable
self.mongod_options = self.fixturelib.make_historic(
self.fixturelib.default_if_none(mongod_options, {})
certs.expand_x509_paths(self.fixturelib.default_if_none(mongod_options, {}))
)
self.load_all_extensions = load_all_extensions or self.config.LOAD_ALL_EXTENSIONS

5
buildscripts/resmokelib/testing/fixtures/shardedcluster.py
View File

@ -15,6 +15,7 @@ from buildscripts.resmokelib.extensions import (
find_and_generate_extension_configs,
)
from buildscripts.resmokelib.testing.fixtures import _builder, external, interface
from buildscripts.resmokelib.utils import certs
from buildscripts.resmokelib.utils.sharded_cluster_util import (
inject_catalog_metadata_on_the_csrs,
refresh_logical_session_cache_with_retry,
@ -65,7 +66,7 @@ class ShardedClusterFixture(interface.Fixture, interface._DockerComposeInterface
raise ValueError("Cannot specify mongod_options.dbpath")
self.mongos_options = self.fixturelib.make_historic(
self.fixturelib.default_if_none(mongos_options, {})
certs.expand_x509_paths(self.fixturelib.default_if_none(mongos_options, {}))
)
# The mongotHost and searchIndexManagementHostAndPort options cannot be set on mongos_options yet because
# the port value is only assigned in MongoDFixture initialization, which happens later.
@ -73,7 +74,7 @@ class ShardedClusterFixture(interface.Fixture, interface._DockerComposeInterface
# mongod options
self.mongod_options = self.fixturelib.make_historic(
self.fixturelib.default_if_none(mongod_options, {})
certs.expand_x509_paths(self.fixturelib.default_if_none(mongod_options, {}))
)
self.load_all_extensions = load_all_extensions or self.config.LOAD_ALL_EXTENSIONS

3
buildscripts/resmokelib/testing/fixtures/standalone.py
View File

@ -19,6 +19,7 @@ from buildscripts.resmokelib.extensions import (
)
from buildscripts.resmokelib.testing.fixtures import interface
from buildscripts.resmokelib.testing.fixtures.fixturelib import FixtureLib
from buildscripts.resmokelib.utils import certs
from buildscripts.resmokelib.utils.history import HistoryDict
@ -61,7 +62,7 @@ class MongoDFixture(interface.Fixture, interface._DockerComposeInterface):
"""
interface.Fixture.__init__(self, logger, job_num, fixturelib, dbpath_prefix=dbpath_prefix)
self.mongod_options = self.fixturelib.make_historic(
self.fixturelib.default_if_none(mongod_options, {})
certs.expand_x509_paths(self.fixturelib.default_if_none(mongod_options, {}))
)
self.load_all_extensions = load_all_extensions or self.config.LOAD_ALL_EXTENSIONS
if self.load_all_extensions:

2
buildscripts/resmokelib/testing/testcases/cpp_integration_test.py
View File

@ -5,6 +5,7 @@ from typing import Optional
from buildscripts.resmokelib import core, logging, utils
from buildscripts.resmokelib.testing.testcases import interface
from buildscripts.resmokelib.utils import certs
class CPPIntegrationTestCase(interface.ProcessTestCase):
@ -39,6 +40,7 @@ class CPPIntegrationTestCase(interface.ProcessTestCase):
process_kwargs = copy.deepcopy(self.program_options.get("process_kwargs", {}))
interface.append_process_tracking_options(process_kwargs, self._id)
self.program_options["process_kwargs"] = process_kwargs
self.program_options = certs.expand_x509_paths(self.program_options)
def _make_process(self):
return core.programs.generic_program(

3
buildscripts/resmokelib/testing/testcases/jstest.py
View File

@ -15,7 +15,7 @@ from bson.objectid import ObjectId
from buildscripts.resmokelib import config, core, errors, logging, utils
from buildscripts.resmokelib.testing.testcases import interface
from buildscripts.resmokelib.utils import registry
from buildscripts.resmokelib.utils import certs, registry
class _SingleJSTestCase(interface.ProcessTestCase):
@ -125,6 +125,7 @@ class _SingleJSTestCase(interface.ProcessTestCase):
interface.append_process_tracking_options(process_kwargs, self._id)
self.shell_options["process_kwargs"] = process_kwargs
self.shell_options = certs.expand_x509_paths(self.shell_options)
def _get_data_dir(self, global_vars: dict) -> str:
"""Return the value that mongo shell should set for the MongoRunner.dataDir property."""

1
buildscripts/resmokelib/utils/BUILD.bazel
View File

@ -7,6 +7,7 @@ py_library(
"archival.py",
"autoloader.py",
"batched_baggage_span_processor.py",
"certs.py",
"check_has_tag.py",
"dictionary.py",
"evergreen_conn.py",

23
buildscripts/resmokelib/utils/certs.py Normal file
View File

@ -0,0 +1,23 @@
import os
from buildscripts.resmokelib import config
def _get_x509_basepath():
return (
"x509"
if config.INSTALL_DIR is None or config.INSTALL_DIR == ""
else os.path.join(config.INSTALL_DIR, "x509")
)
def expand_x509_paths(options: dict) -> dict:
"""Shallowly replace any references to ${x509ObjDir} in option values with the real directory
containing x509 certificates for testing."""
new_options = {}
for k, v in options.items():
if type(v) == str and r"${x509ObjDir}" in v:
new_options[k] = v.replace(r"${x509ObjDir}", _get_x509_basepath())
else:
new_options[k] = v
return new_options

1
eslint.config.mjs
View File

@ -90,6 +90,7 @@ export default [
___it___: true,
// src/mongo/shell/servers_global.js
getX509Path: true,
MongoRunner: true,
myPort: true,
runMongoProgram: true,

1
evergreen/selinux_test_executor.sh
View File

@ -7,6 +7,7 @@ readonly k_test_path="$1"
return_code=1
export PATH="$(dirname "$k_mongo"):$PATH"
export INSTALL_DIR="$(dirname "$k_mongo")"
function print_err() {
echo "$@" >&2

12
jstests/core/testing/certs_are_generated.js
View File

@ -7,16 +7,10 @@
* ]
*/
let installDir = _getEnv("INSTALL_DIR");
if (installDir === "") {
installDir = ".";
}
const pathsep = _isWindows() ? "\\" : "/";
const certDir = installDir + pathsep + "x509";
const certDir = getX509Path("");
jsTest.log.info(certDir);
jsTest.log.info(ls(installDir));
jsTest.log.info(ls(certDir));
assert(fileExists(certDir + pathsep + "ca.pem"));
assert(fileExists(certDir + pathsep + "crl.pem.digest.sha1"));
assert(fileExists(getX509Path("ca.pem")));
assert(fileExists(getX509Path("crl.pem.digest.sha1")));

11
jstests/libs/ssl_test.js
View File

@ -12,8 +12,7 @@
* {'cmdLineParam': 'value', ...}. For flag arguments, the empty string is used as the value.
*
* For serverOpts a few defaults are set if values are not provided: specifically 'tlsMode'
* (preferTLS), tlsCertificateKeyFile ("jstests/libs/server.pem"), and tlsCAFile
* "jstests/libs/ca.pem").
* (preferTLS), tlsCertificateKeyFile ("server.pem"), and tlsCAFile ("ca.pem").
*/
export function TLSTest(serverOpts, clientOpts) {
let canonicalServerOpts = function (userProvidedOpts) {
@ -27,10 +26,10 @@ export function TLSTest(serverOpts, clientOpts) {
}
if (!canonical.hasOwnProperty("tlsCertificateKeyFile")) {
canonical.tlsCertificateKeyFile = "jstests/libs/server.pem";
canonical.tlsCertificateKeyFile = getX509Path("server.pem");
}
if (!canonical.hasOwnProperty("tlsCAFile")) {
canonical.tlsCAFile = "jstests/libs/ca.pem";
canonical.tlsCAFile = getX509Path("ca.pem");
}
return canonical;
};
@ -48,8 +47,8 @@ export function TLSTest(serverOpts, clientOpts) {
*/
TLSTest.prototype.defaultTLSClientOptions = {
"tls": "",
"tlsCertificateKeyFile": "jstests/libs/client.pem",
"tlsCAFile": "jstests/libs/ca.pem",
"tlsCertificateKeyFile": getX509Path("client.pem"),
"tlsCAFile": getX509Path("ca.pem"),
"eval": ";", // prevent the shell from entering interactive mode
};

2
jstests/noPassthrough/libs/x509/main_certs.json
View File

File diff suppressed because one or more lines are too long

4
jstests/noPassthrough/shell/shell_grpc_uri.js
View File

@ -38,11 +38,11 @@ function testGRPCConnect(ok, ...args) {
testGRPCConnect(true);
// Options currently prohibited when using gRPC.
testGRPCConnect(false, "--tlsCRLFile", "jstests/libs/crl.pem");
testGRPCConnect(false, "--tlsCRLFile", getX509Path("crl.pem"));
testGRPCConnect(
false,
"--tlsCertificateKeyFile",
"jstests/libs/password_protected.pem",
getX509Path("password_protected.pem"),
"--tlsCertificateKeyFilePassword",
"qwerty",
);

37
jstests/ocsp/lib/ocsp_helpers.js
View File

@ -5,27 +5,26 @@
import {isUbuntu1804} from "jstests/libs/os_helpers.js";
import {determineSSLProvider} from "jstests/ssl/libs/ssl_helpers.js";
export const OCSP_CA_PEM = "jstests/libs/ocsp/ca_ocsp.pem";
export const OCSP_CA_CERT = "jstests/libs/ocsp/ca_ocsp.crt";
export const OCSP_CA_KEY = "jstests/libs/ocsp/ca_ocsp.key";
export const CLUSTER_CA_CERT = "jstests/libs/ca.pem";
export const CLUSTER_KEY = "jstests/libs/server.pem";
export const OCSP_SERVER_CERT = "jstests/libs/ocsp/server_ocsp.pem";
export const OCSP_NO_OCSP_SERVER_CERT = "jstests/libs/ocsp/server_no_ocsp.pem";
export const OCSP_CLIENT_CERT = "jstests/libs/ocsp/client_ocsp.pem";
export const OCSP_SERVER_MUSTSTAPLE_CERT = "jstests/libs/ocsp/server_ocsp_mustStaple.pem";
export const OCSP_SERVER_CERT_REVOKED = "jstests/libs/ocsp/server_ocsp_revoked.pem";
export const OCSP_SERVER_CERT_INVALID = "jstests/libs/ocsp/server_ocsp_invalid.pem";
export const OCSP_RESPONDER_CERT = "jstests/libs/ocsp/ocsp_responder.crt";
export const OCSP_RESPONDER_KEY = "jstests/libs/ocsp/ocsp_responder.key";
export const OCSP_INTERMEDIATE_CA_WITH_ROOT_PEM = "jstests/libs/ocsp/intermediate_ca_with_root_ocsp.pem";
export const OCSP_INTERMEDIATE_CA_ONLY_CERT = "jstests/libs/ocsp/intermediate_ca_only_ocsp.crt";
export const OCSP_INTERMEDIATE_CA_ONLY_KEY = "jstests/libs/ocsp/intermediate_ca_only_ocsp.key";
export const OCSP_CA_PEM = getX509Path("ca_ocsp.pem");
export const OCSP_CA_CERT = getX509Path("ca_ocsp.crt");
export const OCSP_CA_KEY = getX509Path("ca_ocsp.key");
export const CLUSTER_CA_CERT = getX509Path("ca.pem");
export const CLUSTER_KEY = getX509Path("server.pem");
export const OCSP_SERVER_CERT = getX509Path("server_ocsp.pem");
export const OCSP_NO_OCSP_SERVER_CERT = getX509Path("server_no_ocsp.pem");
export const OCSP_CLIENT_CERT = getX509Path("client_ocsp.pem");
export const OCSP_SERVER_MUSTSTAPLE_CERT = getX509Path("server_ocsp_mustStaple.pem");
export const OCSP_SERVER_CERT_REVOKED = getX509Path("server_ocsp_revoked.pem");
export const OCSP_SERVER_CERT_INVALID = getX509Path("server_ocsp_invalid.pem");
export const OCSP_RESPONDER_CERT = getX509Path("ocsp_responder.crt");
export const OCSP_RESPONDER_KEY = getX509Path("ocsp_responder.key");
export const OCSP_INTERMEDIATE_CA_WITH_ROOT_PEM = getX509Path("intermediate_ca_with_root_ocsp.pem");
export const OCSP_INTERMEDIATE_CA_ONLY_CERT = getX509Path("intermediate_ca_only_ocsp.crt");
export const OCSP_INTERMEDIATE_CA_ONLY_KEY = getX509Path("intermediate_ca_only_ocsp.key");
export const OCSP_SERVER_SIGNED_BY_INTERMEDIATE_CA_PEM = "jstests/libs/ocsp/server_signed_by_intermediate_ca_ocsp.pem";
export const OCSP_SERVER_SIGNED_BY_INTERMEDIATE_CA_PEM = getX509Path("server_signed_by_intermediate_ca_ocsp.pem");
export const OCSP_SERVER_AND_INTERMEDIATE_APPENDED_PEM =
"jstests/libs/ocsp/server_and_intermediate_ca_appended_ocsp.pem";
export const OCSP_SERVER_AND_INTERMEDIATE_APPENDED_PEM = getX509Path("server_and_intermediate_ca_appended_ocsp.pem");
export var clearOCSPCache = function () {
let provider = determineSSLProvider();

8
jstests/ssl/auth-counters.js
View File

@ -4,8 +4,8 @@ const x509 = "MONGODB-X509";
const mongod = MongoRunner.runMongod({
auth: "",
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
tlsCAFile: getX509Path("ca.pem"),
clusterAuthMode: "x509",
});
const admin = mongod.getDB("admin");
@ -67,9 +67,9 @@ function assertSuccessInternal() {
"--port",
mongod.port,
"--tlsCertificateKeyFile",
"jstests/libs/server.pem",
getX509Path("server.pem"),
"--tlsCAFile",
"jstests/libs/ca.pem",
getX509Path("ca.pem"),
"--authenticationDatabase",
"$external",
"--authenticationMechanism",

8
jstests/ssl/canonicalize_command_line_opts.js
View File

@ -16,16 +16,16 @@ function runTest(mongod) {
const tls = net.tls;
assert.eq(tls.mode, "requireTLS");
assert.eq(tls.CAFile, "jstests/libs/ca.pem");
assert.eq(tls.certificateKeyFile, "jstests/libs/server.pem");
assert.eq(tls.CAFile, getX509Path("ca.pem"));
assert.eq(tls.certificateKeyFile, getX509Path("server.pem"));
assert.eq(tls.allowConnectionsWithoutCertificates, true);
assert.eq(tls.allowInvalidHostnames, true);
}
const options = {
sslMode: "requireSSL",
sslCAFile: "jstests/libs/ca.pem",
sslPEMKeyFile: "jstests/libs/server.pem",
sslCAFile: getX509Path("ca.pem"),
sslPEMKeyFile: getX509Path("server.pem"),
sslAllowConnectionsWithoutCertificates: "",
sslAllowInvalidHostnames: "",
};

14
jstests/ssl/client_x509_rotate.js
View File

@ -8,13 +8,13 @@ import {
import {ShardingTest} from "jstests/libs/shardingtest.js";
import {copyCertificateFile} from "jstests/ssl/libs/ssl_helpers.js";
const OLD_CA = "jstests/libs/ca.pem";
const OLD_CLIENT = "jstests/libs/client.pem";
const OLD_SERVER = "jstests/libs/server.pem";
const OLD_CA = getX509Path("ca.pem");
const OLD_CLIENT = getX509Path("client.pem");
const OLD_SERVER = getX509Path("server.pem");
const NEW_CA = "jstests/libs/trusted-ca.pem";
const NEW_CLIENT = "jstests/libs/trusted-client.pem";
const NEW_SERVER = "jstests/libs/trusted-server.pem";
const NEW_CA = getX509Path("trusted-ca.pem");
const NEW_CLIENT = getX509Path("trusted-client.pem");
const NEW_SERVER = getX509Path("trusted-server.pem");
(function () {
let mongos;
@ -32,7 +32,7 @@ const NEW_SERVER = "jstests/libs/trusted-server.pem";
// rotate, and make sure it can communicate with ONLY that shard after a rotate.
const mongosOptions = {
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
tlsCAFile: dbPath + "/ca-test.pem",
tlsClusterFile: dbPath + "/client-test.pem",
tlsAllowInvalidHostnames: "",

14
jstests/ssl/cluster_member.js
View File

@ -42,7 +42,7 @@ function authAndDo(port, cert, cmd = ";") {
port,
"--tls",
"--tlsCAFile",
"jstests/libs/ca.pem",
getX509Path("ca.pem"),
"--tlsCertificateKeyFile",
cert,
"--eval",
@ -53,10 +53,10 @@ function authAndDo(port, cert, cmd = ";") {
function runTest(conn) {
const SERVER_RDN = "CN=server,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US";
const SERVER = "jstests/libs/server.pem";
const FOO_MEMBER = "jstests/ssl/libs/cluster-member-foo.pem";
const BAR_MEMBER = "jstests/ssl/libs/cluster-member-bar.pem";
const FOO_MEMBER_ALT = "jstests/ssl/libs/cluster-member-foo-alt-rdn.pem";
const SERVER = getX509Path("server.pem");
const FOO_MEMBER = getX509Path("cluster-member-foo.pem");
const BAR_MEMBER = getX509Path("cluster-member-bar.pem");
const FOO_MEMBER_ALT = getX509Path("cluster-member-foo-alt-rdn.pem");
const FOO_MEMBER_ALT_RDN = "CN=Doer,OU=Business,O=Company,L=Fakesville,ST=Example,C=ZZ";
const admin = conn.getDB("admin");
@ -99,8 +99,8 @@ function runTest(conn) {
const opts = {
auth: "",
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/ssl/libs/cluster-member-foo.pem",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: getX509Path("cluster-member-foo.pem"),
tlsCAFile: getX509Path("ca.pem"),
clusterAuthMode: "x509",
tlsClusterAuthX509ExtensionValue: "foo",
setParameter: {

30
jstests/ssl/cluster_x509_rotate.js
View File

@ -6,9 +6,9 @@ import {copyCertificateFile} from "jstests/ssl/libs/ssl_helpers.js";
const dbPath = MongoRunner.toRealDir("$dataDir/cluster_x509_rotate_test/");
mkdir(dbPath);
copyCertificateFile("jstests/libs/ca.pem", dbPath + "/ca-test.pem");
copyCertificateFile("jstests/libs/client.pem", dbPath + "/client-test.pem");
copyCertificateFile("jstests/libs/server.pem", dbPath + "/server-test.pem");
copyCertificateFile(getX509Path("ca.pem"), dbPath + "/ca-test.pem");
copyCertificateFile(getX509Path("client.pem"), dbPath + "/client-test.pem");
copyCertificateFile(getX509Path("server.pem"), dbPath + "/server-test.pem");
// Make replset with old certificates, rotate to new certificates, and try to add
// a node with new certificates.
@ -24,9 +24,9 @@ rst.startSet({
rst.initiate();
rst.awaitReplication();
copyCertificateFile("jstests/libs/trusted-ca.pem", dbPath + "/ca-test.pem");
copyCertificateFile("jstests/libs/trusted-client.pem", dbPath + "/client-test.pem");
copyCertificateFile("jstests/libs/trusted-server.pem", dbPath + "/server-test.pem");
copyCertificateFile(getX509Path("trusted-ca.pem"), dbPath + "/ca-test.pem");
copyCertificateFile(getX509Path("trusted-client.pem"), dbPath + "/client-test.pem");
copyCertificateFile(getX509Path("trusted-server.pem"), dbPath + "/server-test.pem");
for (let node of rst.nodes) {
assert.commandWorked(node.adminCommand({rotateCertificates: 1}));
@ -34,9 +34,9 @@ for (let node of rst.nodes) {
const newnode = rst.add({
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/trusted-server.pem",
tlsCAFile: "jstests/libs/trusted-ca.pem",
tlsClusterFile: "jstests/libs/trusted-client.pem",
tlsCertificateKeyFile: getX509Path("trusted-server.pem"),
tlsCAFile: getX509Path("trusted-ca.pem"),
tlsClusterFile: getX509Path("trusted-client.pem"),
tlsAllowInvalidHostnames: "",
// IMPORTANT: shell will not be able to talk to the new node due to cert rotation
// therefore we set "waitForConnect:false" to ensure shell does not try to acess it
@ -50,8 +50,8 @@ assert.soon(() => {
try {
new Mongo(host, undefined, {
tls: {
certificateKeyFile: "jstests/libs/trusted-client.pem",
CAFile: "jstests/libs/trusted-ca.pem",
certificateKeyFile: getX509Path("trusted-client.pem"),
CAFile: getX509Path("trusted-ca.pem"),
allowInvalidHostnames: true,
},
});
@ -69,8 +69,8 @@ assert.soon(() => {
try {
const conn = new Mongo(host, undefined, {
tls: {
certificateKeyFile: "jstests/libs/trusted-client.pem",
CAFile: "jstests/libs/trusted-ca.pem",
certificateKeyFile: getX509Path("trusted-client.pem"),
CAFile: getX509Path("trusted-ca.pem"),
allowInvalidHostnames: true,
},
});
@ -99,8 +99,8 @@ for (let node of rst.nodeList()) {
print(`Testing connectivity of ${node} to ${target}`);
const conn = new Mongo(node, undefined, {
tls: {
certificateKeyFile: "jstests/libs/trusted-client.pem",
CAFile: "jstests/libs/trusted-ca.pem",
certificateKeyFile: getX509Path("trusted-client.pem"),
CAFile: getX509Path("trusted-ca.pem"),
allowInvalidHostnames: true,
},
});

4
jstests/ssl/config-canonicalize-normal-ports.js
View File

@ -2,8 +2,8 @@
const mongod = MongoRunner.runMongod({
tlsOnNormalPorts: "",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
tlsCAFile: getX509Path("ca.pem"),
});
assert(mongod);
assert.commandWorked(mongod.getDB("admin").runCommand({hello: 1}));

20
jstests/ssl/crl_x509_rotate.js
View File

@ -9,12 +9,12 @@ if (determineSSLProvider() === "apple") {
const dbPath = MongoRunner.toRealDir("$dataDir/cluster_x509_rotate_test/");
mkdir(dbPath);
copyCertificateFile("jstests/libs/crl.pem", dbPath + "/crl-test.pem");
copyCertificateFile(getX509Path("crl.pem"), dbPath + "/crl-test.pem");
const mongod = MongoRunner.runMongod({
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
tlsCAFile: getX509Path("ca.pem"),
tlsCRLFile: dbPath + "/crl-test.pem",
});
@ -27,16 +27,16 @@ let out = runMongoProgram(
host,
"--tls",
"--tlsCertificateKeyFile",
"jstests/libs/client_revoked.pem",
getX509Path("client_revoked.pem"),
"--tlsCAFile",
"jstests/libs/ca.pem",
getX509Path("ca.pem"),
"--eval",
";",
);
assert.eq(out, 0, "Initial mongo invocation failed");
// Rotate in new CRL
copyCertificateFile("jstests/libs/crl_client_revoked.pem", dbPath + "/crl-test.pem");
copyCertificateFile(getX509Path("crl_client_revoked.pem"), dbPath + "/crl-test.pem");
assert.commandWorked(mongod.adminCommand({rotateCertificates: 1}));
@ -47,9 +47,9 @@ out = runMongoProgram(
host,
"--tls",
"--tlsCertificateKeyFile",
"jstests/libs/client_revoked.pem",
getX509Path("client_revoked.pem"),
"--tlsCAFile",
"jstests/libs/ca.pem",
getX509Path("ca.pem"),
"--eval",
";",
);
@ -62,9 +62,9 @@ out = runMongoProgram(
host,
"--tls",
"--tlsCertificateKeyFile",
"jstests/libs/client.pem",
getX509Path("client.pem"),
"--tlsCAFile",
"jstests/libs/ca.pem",
getX509Path("ca.pem"),
"--eval",
";",
);

4
jstests/ssl/disable_x509.js
View File

@ -5,8 +5,8 @@ let CLIENT_USER = "C=US,ST=New York,L=New York City,O=MongoDB,OU=KernelUser,CN=c
let conn = MongoRunner.runMongod({
auth: "",
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
tlsCAFile: getX509Path("ca.pem"),
});
// Find out if this build supports the authenticationMechanisms startup parameter.

5
jstests/ssl/libs/BUILD.bazel
View File

@ -10,8 +10,3 @@ mongo_js_library(
)
all_subpackage_javascript_files()
sh_binary(
name = "localhost_cn_with_san",
srcs = ["localhost-cn-with-san.pem.sh"],
)

22
jstests/ssl/libs/localhost-cn-with-san.pem.sh
View File

@ -1,22 +0,0 @@
#!/bin/bash
# Create a certificate with `CN=localhost` to satisfy CN matching,
# but override it with a SAN field which will not match.
set -ev
RDN="/C=US/ST=New York/L=New York City/O=MongoDB/OU=Kernel/CN=localhost"
OPENSSL="/opt/mongodbtoolchain/v4/bin/openssl"
FILE="jstests/ssl/libs/localhost-cn-with-san"
$OPENSSL req -new -subj "${RDN}" \
-keyout "${FILE}.key" -out "${FILE}.csr" \
-nodes -batch -sha256 -newkey rsa:2048
$OPENSSL rsa -in "${FILE}.key" -out "${FILE}.rsa"
$OPENSSL x509 -in "${FILE}.csr" -out "${FILE}.pem" -req -CA "jstests/libs/ca.pem" \
-days 3650 -CAcreateserial \
-extfile <(printf "subjectAltName=DNS:example.com")
# Create final bundle and cleanup.
cat "${FILE}.rsa" >>"${FILE}.pem"
rm jstests/libs/ca.srl
rm "${FILE}.key" "${FILE}.rsa" "${FILE}.csr"

16
jstests/ssl/libs/ssl_helpers.js
View File

@ -12,14 +12,14 @@ TestData.ignoreUnterminatedProcesses = true;
export var KEYFILE = "jstests/libs/key1";
export var SERVER_CERT = "jstests/libs/server.pem";
export var TRUSTED_SERVER_CERT = "jstests/libs/trusted-server.pem";
export var CA_CERT = "jstests/libs/ca.pem";
export var TRUSTED_CA_CERT = "jstests/libs/trusted-ca.pem";
export var CLIENT_CERT = "jstests/libs/client.pem";
export var TRUSTED_CLIENT_CERT = "jstests/libs/trusted-client.pem";
export var SERVER_CERT = getX509Path("server.pem");
export var TRUSTED_SERVER_CERT = getX509Path("trusted-server.pem");
export var CA_CERT = getX509Path("ca.pem");
export var TRUSTED_CA_CERT = getX509Path("trusted-ca.pem");
export var CLIENT_CERT = getX509Path("client.pem");
export var TRUSTED_CLIENT_CERT = getX509Path("trusted-client.pem");
export var DH_PARAM = "jstests/libs/8k-prime.dhparam";
export var CLUSTER_CERT = "jstests/libs/cluster_cert.pem";
export var CLUSTER_CERT = getX509Path("cluster_cert.pem");
// Note: "tlsAllowInvalidCertificates" is enabled to avoid
// hostname conflicts with our testing certificates
@ -386,7 +386,7 @@ export function copyCertificateFile(a, b) {
assert.eq(0, runProgram("cmd.exe", "/c", "copy", a, b));
return;
}
assert.eq(0, runProgram("cp", a, b));
assert.eq(0, runProgram("cp", "-f", a, b));
}
export function clientSupportsTLS1_1() {

4
jstests/ssl/macos_encrypted_pem.js
View File

@ -6,10 +6,10 @@ requireSSLProvider("apple", function () {
jsTest.log("Verifying that mongod will fail to start using an encrypted PEM file");
const config = MongoRunner.mongodOptions({
tlsCertificateKeyFile: "jstests/libs/password_protected.pem",
tlsCertificateKeyFile: getX509Path("password_protected.pem"),
tlsMode: "requireTLS",
tlsCertificateKeyFilePassword: "qwerty",
tlsCAFile: "jstests/libs/ca.pem",
tlsCAFile: getX509Path("ca.pem"),
});
assert.throws(() => MongoRunner.runMongod(config), [], "MongoD unexpectedly started up");

10
jstests/ssl/multi-ca.js
View File

@ -2,12 +2,12 @@
// "root-and-trusted-ca.pem" contains the combined ca.pem and trusted-ca.pem certs.
// This *should* permit client.pem or trusted-client.pem to connect equally.
const CA_CERT = "jstests/ssl/x509/root-and-trusted-ca.pem";
const SERVER_CERT = "jstests/libs/server.pem";
const CA_CERT = getX509Path("root-and-trusted-ca.pem");
const SERVER_CERT = getX509Path("server.pem");
const CLIENT_CA_CERT = "jstests/libs/ca.pem";
const CLIENT_CERT = "jstests/libs/client.pem";
const TRUSTED_CLIENT_CERT = "jstests/libs/trusted-client.pem";
const CLIENT_CA_CERT = getX509Path("ca.pem");
const CLIENT_CERT = getX509Path("client.pem");
const TRUSTED_CLIENT_CERT = getX509Path("trusted-client.pem");
const mongod = MongoRunner.runMongod({
tlsMode: "requireTLS",

8
jstests/ssl/openssl_ciphersuites.js
View File

@ -15,8 +15,8 @@ if (determineSSLProvider() !== "openssl") {
const baseParams = {
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCAFile: "jstests/ssl/x509/root-and-trusted-ca.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
tlsCAFile: getX509Path("root-and-trusted-ca.pem"),
waitForConnect: false,
};
@ -29,9 +29,9 @@ function testConn() {
mongod.port,
"--tls",
"--tlsCAFile",
"jstests/libs/ca.pem",
getX509Path("ca.pem"),
"--tlsCertificateKeyFile",
"jstests/libs/trusted-client.pem",
getX509Path("trusted-client.pem"),
"--eval",
";",
);

14
jstests/ssl/peer_validation_without_cafile.js
View File

@ -18,7 +18,7 @@ import {ReplSetTest} from "jstests/libs/replsettest.js";
const rs = new ReplSetTest(rsOpts);
rs.startSet({
env: {
SSL_CERT_FILE: "jstests/libs/ca.pem",
SSL_CERT_FILE: getX509Path("ca.pem"),
},
});
if (succeed) {
@ -55,15 +55,15 @@ import {ReplSetTest} from "jstests/libs/replsettest.js";
// Sanity check that ca.pem can be used to properly authenticate.
const options_manual_systemca = {
tlsMode: "requireTLS",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCAFile: getX509Path("ca.pem"),
tlsCertificateKeyFile: getX509Path("server.pem"),
};
testRS(options_manual_systemca, true);
// Ensure that we can authenticate with system CA.
const options_systemca = {
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
setParameter: {tlsUseSystemCA: true},
};
testRS(options_systemca, true);
@ -71,15 +71,15 @@ import {ReplSetTest} from "jstests/libs/replsettest.js";
// Sanity check that ca.pem can be used to properly fail to authenticate.
const options_manual_systemca_nomatch = {
tlsMode: "requireTLS",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: "jstests/libs/trusted-server.pem",
tlsCAFile: getX509Path("ca.pem"),
tlsCertificateKeyFile: getX509Path("trusted-server.pem"),
};
testRS(options_manual_systemca_nomatch, false);
// Ensure that we can properly fail to authenticate with system CA.
const options_systemca_nomatch = {
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/trusted-server.pem",
tlsCertificateKeyFile: getX509Path("trusted-server.pem"),
setParameter: {tlsUseSystemCA: true},
};

8
jstests/ssl/repl_ssl_split_horizon.js
View File

@ -78,7 +78,7 @@ let replTest = new ReplSetTest({
nodes: 2,
nodeOptions: {
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/splithorizon-server.pem",
tlsCertificateKeyFile: getX509Path("splithorizon-server.pem"),
setParameter: {tlsUseSystemCA: true},
},
host: "localhost",
@ -87,7 +87,7 @@ let replTest = new ReplSetTest({
replTest.startSet({
env: {
SSL_CERT_FILE: "jstests/libs/ca.pem",
SSL_CERT_FILE: getX509Path("ca.pem"),
},
});
@ -122,11 +122,11 @@ let checkExpectedHorizon = function (url, memberIndex, expectedHostname) {
let argv = [
"env",
"HOSTALIASES=" + hostsFile,
"SSL_CERT_FILE=jstests/libs/ca.pem",
"SSL_CERT_FILE=" + getX509Path("ca.pem"),
"mongo",
"--tls",
"--tlsCertificateKeyFile",
"jstests/libs/splithorizon-server.pem",
getX509Path("splithorizon-server.pem"),
url,
"--eval",
assertion,

12
jstests/ssl/server_x509_rotate.js
View File

@ -2,13 +2,13 @@
import {copyCertificateFile} from "jstests/ssl/libs/ssl_helpers.js";
const OLD_SERVER = "jstests/libs/server.pem";
const OLD_CLIENT = "jstests/libs/client.pem";
const OLD_CA = "jstests/libs/ca.pem";
const OLD_SERVER = getX509Path("server.pem");
const OLD_CLIENT = getX509Path("client.pem");
const OLD_CA = getX509Path("ca.pem");
const NEW_SERVER = "jstests/libs/trusted-server.pem";
const NEW_CLIENT = "jstests/libs/trusted-client.pem";
const NEW_CA = "jstests/libs/trusted-ca.pem";
const NEW_SERVER = getX509Path("trusted-server.pem");
const NEW_CLIENT = getX509Path("trusted-client.pem");
const NEW_CA = getX509Path("trusted-ca.pem");
const dbPath = MongoRunner.toRealDir("$dataDir/cluster_x509_rotate_test/");
mkdir(dbPath);

4
jstests/ssl/set_parameter_ssl.js
View File

@ -2,8 +2,8 @@
import {ReplSetTest} from "jstests/libs/replsettest.js";
let SERVER_CERT = "jstests/libs/server.pem";
let CA_CERT = "jstests/libs/ca.pem";
let SERVER_CERT = getX509Path("server.pem");
let CA_CERT = getX509Path("ca.pem");
class TransportMode {
constructor(sslName, tlsName) {

4
jstests/ssl/shell_option_parsing.js
View File

@ -1,8 +1,8 @@
// Test mongo shell connect strings.
import {ReplSetTest} from "jstests/libs/replsettest.js";
const SERVER_CERT = "jstests/libs/server.pem";
const CAFILE = "jstests/libs/ca.pem";
const SERVER_CERT = getX509Path("server.pem");
const CAFILE = getX509Path("ca.pem");
let opts = {
tlsMode: "allowTLS",

12
jstests/ssl/speculative-authenticate.js
View File

@ -3,8 +3,8 @@
const mongod = MongoRunner.runMongod({
auth: "",
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
tlsCAFile: getX509Path("ca.pem"),
clusterAuthMode: "x509",
});
const admin = mongod.getDB("admin");
@ -21,9 +21,9 @@ function test(uri) {
"mongo",
"--tls",
"--tlsCAFile",
"jstests/libs/ca.pem",
getX509Path("ca.pem"),
"--tlsCertificateKeyFile",
"jstests/libs/client.pem",
getX509Path("client.pem"),
uri,
"--eval",
";",
@ -36,9 +36,9 @@ function testInternal(uri) {
"mongo",
"--tls",
"--tlsCAFile",
"jstests/libs/ca.pem",
getX509Path("ca.pem"),
"--tlsCertificateKeyFile",
"jstests/libs/server.pem",
getX509Path("server.pem"),
uri,
"--eval",
";",

20
jstests/ssl/ssl_ECDHE_suites.js
View File

@ -11,7 +11,7 @@ if (_isWindows()) {
// Amazon linux does not currently support ECDHE
const EXCLUDED_BUILDS = ["amazon", "amzn64"];
const SERVER_CERT = "jstests/libs/server.pem";
const SERVER_CERT = getX509Path("server.pem");
const OUTFILE = "jstests/ssl/ciphers.json";
const suites = ["sslv2", "sslv3", "tls1", "tls1_1", "tls1_2"];
@ -43,19 +43,13 @@ const python_command =
CLIENT_CERT +
" --outfile=" +
OUTFILE;
assert.eq(runProgram("/bin/sh", "-c", python_command), 0);
// Parse its output
let cipherDict = {};
try {
cipherDict = JSON.parse(cat(OUTFILE));
} catch (e) {
jsTestLog("Failed to parse ciphers.json");
throw e;
} finally {
const delete_command = "rm " + OUTFILE;
assert.eq(runProgram("/bin/sh", "-c", delete_command), 0);
}
clearRawMongoProgramOutput();
assert.eq(runProgram("/bin/sh", "-c", python_command), 0);
const resIndicator = "Enumeration results: ";
const res = rawMongoProgramOutput(resIndicator);
assert.gte(res.indexOf(resIndicator), 0, "Expected enumeration results in output");
let cipherDict = JSON.parse(res.substring(res.indexOf(resIndicator) + resIndicator.length));
// Checking that SSLv2, SSLv3 and TLS 1.0 are not accepted
suites.slice(0, suites.indexOf("tls1")).forEach((tlsVersion) => assert(cipherDict[tlsVersion].length === 0));

8
jstests/ssl/ssl_alert_reporting.js
View File

@ -5,9 +5,9 @@ import {determineSSLProvider, sslProviderSupportsTLS1_1} from "jstests/ssl/libs/
const clientOptions = [
"--tls",
"--tlsCertificateKeyFile",
"jstests/libs/client.pem",
getX509Path("client.pem"),
"--tlsCAFile",
"jstests/libs/ca.pem",
getX509Path("ca.pem"),
"--eval",
";",
];
@ -33,8 +33,8 @@ function runTest(serverDisabledProtos, clientDisabledProtos) {
let md = MongoRunner.runMongod({
tlsMode: "requireTLS",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCAFile: getX509Path("ca.pem"),
tlsCertificateKeyFile: getX509Path("server.pem"),
tlsDisabledProtocols: serverDisabledProtos,
});

6
jstests/ssl/ssl_cert_selector_apple.js
View File

@ -42,8 +42,8 @@ requireSSLProvider("apple", function () {
const trusted_server_thumbprint = getCertificateSHA1BySubject("Trusted Kernel Test Server").toUpperCase();
const trusted_client_thumbprint = getCertificateSHA1BySubject("Trusted Kernel Test Client").toUpperCase();
const expected_server_thumbprint = cat("jstests/libs/trusted-server.pem.digest.sha1").toUpperCase();
const expected_client_thumbprint = cat("jstests/libs/trusted-client.pem.digest.sha1").toUpperCase();
const expected_server_thumbprint = cat(getX509Path("trusted-server.pem.digest.sha1")).toUpperCase();
const expected_client_thumbprint = cat(getX509Path("trusted-client.pem.digest.sha1")).toUpperCase();
// If we fall into this case, our trusted certificates are not installed on the machine's
// certificate keychain. This probably means that certificates have just been renewed, but have
@ -53,7 +53,7 @@ requireSSLProvider("apple", function () {
expected_client_thumbprint !== trusted_client_thumbprint
) {
jsTest.log.error(
"macOS host has an unexpected version of the trusted server certificate (jstests/libs/trusted-server.pem) or trusted client certificate (jstests/libs/trusted-client.pem) installed.",
"macOS host has an unexpected version of the trusted server certificate (trusted-server.pem) or trusted client certificate (trusted-client.pem) installed.",
);
jsTest.log.error(
"Expecting server thumbprint: " + expected_server_thumbprint + ", got: " + trusted_server_thumbprint,

6
jstests/ssl/ssl_client_bad_certificate_warning.js
View File

@ -1,9 +1,9 @@
// Test mongo shell output logs correct messages when not including certificates or using bad
// certificates.
const SERVER_CERT = "jstests/libs/server.pem";
const CA_CERT = "jstests/libs/ca.pem";
const SERVER_CERT = getX509Path("server.pem");
const CA_CERT = getX509Path("ca.pem");
const BAD_CLIENT_CERT = "jstests/libs/trusted-client.pem";
const BAD_CLIENT_CERT = getX509Path("trusted-client.pem");
function testConnect(outputLog, ...args) {
const command = ["mongo", "--host", "localhost", "--port", mongod.port, "--tls", ...args];

4
jstests/ssl/ssl_client_certificate_warning_suppression.js
View File

@ -12,8 +12,8 @@ import {CA_CERT} from "jstests/ssl/libs/ssl_helpers.js";
function test(suppress) {
const opts = {
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
tlsCAFile: getX509Path("ca.pem"),
waitForConnect: false,
tlsAllowConnectionsWithoutCertificates: "",
setParameter: {suppressNoTLSPeerCertificateWarning: suppress},

18
jstests/ssl/ssl_cluster_ca.js
View File

@ -48,12 +48,12 @@ const valid_options = {
tlsMode: "requireTLS",
// Servers present trusted-server.pem to clients and each other for inbound connections.
// Peers validate trusted-server.pem using trusted-ca.pem when making those connections.
tlsCertificateKeyFile: "jstests/libs/trusted-server.pem",
tlsCAFile: "jstests/libs/trusted-ca.pem",
tlsCertificateKeyFile: getX509Path("trusted-server.pem"),
tlsCAFile: getX509Path("trusted-ca.pem"),
// Servers making outbound connections to other servers present server.pem to their peers
// which their peers validate using ca.pem.
tlsClusterFile: "jstests/libs/server.pem",
tlsClusterCAFile: "jstests/libs/ca.pem",
tlsClusterFile: getX509Path("server.pem"),
tlsClusterCAFile: getX509Path("ca.pem"),
// SERVER-36895: IP based hostname validation with SubjectAlternateName
tlsAllowInvalidHostnames: "",
};
@ -69,12 +69,12 @@ testRS(wrong_key_file, wrong_key_file, false);
// Test self-signed clusterFile validated against peer's CAFile
const cafile_only_options = {
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
tlsCAFile: getX509Path("ca.pem"),
tlsAllowInvalidHostnames: "",
clusterAuthMode: "x509",
};
const selfsigned_cluster_file = Object.merge(cafile_only_options, {tlsClusterFile: "jstests/libs/smoke.pem"});
const selfsigned_cluster_file = Object.merge(cafile_only_options, {tlsClusterFile: getX509Path("smoke.pem")});
testRS(cafile_only_options, selfsigned_cluster_file, false);
const mongod = MongoRunner.runMongod(valid_options);
@ -100,7 +100,7 @@ function testConnect(cert, succeed) {
assert.eq(mongo === 0, succeed);
}
testConnect("jstests/libs/client.pem", true);
testConnect("jstests/libs/trusted-client.pem", false);
testConnect(getX509Path("client.pem"), true);
testConnect(getX509Path("trusted-client.pem"), false);
MongoRunner.stopMongod(mongod);

8
jstests/ssl/ssl_cluster_file.js
View File

@ -1,7 +1,7 @@
let CA_CERT = "jstests/libs/ca.pem";
let SERVER_CERT = "jstests/libs/server.pem";
let CLIENT_CERT = "jstests/libs/client.pem";
let BAD_SAN_CERT = "jstests/libs/badSAN.pem";
let CA_CERT = getX509Path("ca.pem");
let SERVER_CERT = getX509Path("server.pem");
let CLIENT_CERT = getX509Path("client.pem");
let BAD_SAN_CERT = getX509Path("badSAN.pem");
let mongod = MongoRunner.runMongod({
tlsMode: "requireTLS",

4
jstests/ssl/ssl_cn_with_san.js
View File

@ -4,8 +4,8 @@
import {determineSSLProvider} from "jstests/ssl/libs/ssl_helpers.js";
// server-intermediate-ca was signed by ca.pem, not trusted-ca.pem
const CA = "jstests/libs/ca.pem";
const SERVER = "jstests/ssl/libs/localhost-cn-with-san.pem";
const CA = getX509Path("ca.pem");
const SERVER = getX509Path("localhost-cn-with-san.pem");
const mongod = MongoRunner.runMongod({
tlsMode: "requireTLS",

6
jstests/ssl/ssl_count_protocols.js
View File

@ -5,9 +5,9 @@ import {
sslProviderSupportsTLS1_1,
} from "jstests/ssl/libs/ssl_helpers.js";
let SERVER_CERT = "jstests/libs/server.pem";
let CLIENT_CERT = "jstests/libs/client.pem";
let CA_CERT = "jstests/libs/ca.pem";
let SERVER_CERT = getX509Path("server.pem");
let CLIENT_CERT = getX509Path("client.pem");
let CA_CERT = getX509Path("ca.pem");
const protocols = ["TLS1_0", "TLS1_1", "TLS1_2", "TLS1_3"];

4
jstests/ssl/ssl_crl.js
View File

@ -10,14 +10,14 @@ import {requireSSLProvider} from "jstests/ssl/libs/ssl_helpers.js";
requireSSLProvider(["openssl", "windows"], function () {
let testUnrevoked = new TLSTest(
// Server option overrides
{tlsMode: "requireTLS", tlsCRLFile: "jstests/libs/crl.pem"},
{tlsMode: "requireTLS", tlsCRLFile: getX509Path("crl.pem")},
);
assert(testUnrevoked.connectWorked());
let testRevoked = new TLSTest(
// Server option overrides
{tlsMode: "requireTLS", tlsCRLFile: "jstests/libs/crl_expired.pem"},
{tlsMode: "requireTLS", tlsCRLFile: getX509Path("crl_expired.pem")},
);
assert(!testRevoked.connectWorked());

10
jstests/ssl/ssl_crl_revoked.js
View File

@ -7,9 +7,9 @@ import {requireSSLProvider} from "jstests/ssl/libs/ssl_helpers.js";
requireSSLProvider(["openssl", "windows"], function () {
let md = MongoRunner.runMongod({
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCAFile: "jstests/libs/ca.pem",
tlsCRLFile: "jstests/libs/crl_client_revoked.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
tlsCAFile: getX509Path("ca.pem"),
tlsCRLFile: getX509Path("crl_client_revoked.pem"),
});
let mongo = runMongoProgram(
@ -18,9 +18,9 @@ requireSSLProvider(["openssl", "windows"], function () {
md.port,
"--tls",
"--tlsCAFile",
"jstests/libs/ca.pem",
getX509Path("ca.pem"),
"--tlsCertificateKeyFile",
"jstests/libs/client_revoked.pem",
getX509Path("client_revoked.pem"),
"--eval",
";",
);

8
jstests/ssl/ssl_fragment.js
View File

@ -21,17 +21,17 @@ function runTest(conn) {
let options = {
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
networkMessageCompressors: "disabled",
tlsCAFile: "jstests/libs/ca.pem",
tlsCAFile: getX509Path("ca.pem"),
tlsAllowInvalidCertificates: "",
};
let mongosOptions = {
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
networkMessageCompressors: "disabled",
tlsCAFile: "jstests/libs/ca.pem",
tlsCAFile: getX509Path("ca.pem"),
tlsAllowInvalidCertificates: "",
};

16
jstests/ssl/ssl_hostname_validation.js
View File

@ -2,14 +2,14 @@
// for client-server and server-server connections
import {ReplSetTest} from "jstests/libs/replsettest.js";
let CA_CERT = "jstests/libs/ca.pem";
let SERVER_CERT = "jstests/libs/server.pem";
let CN_CERT = "jstests/libs/localhostnameCN.pem";
let SAN_CERT = "jstests/libs/localhostnameSAN.pem";
let CLIENT_CERT = "jstests/libs/client.pem";
let BAD_SAN_CERT = "jstests/libs/badSAN.pem";
let NOSUBJ_CERT = "jstests/libs/server_no_subject.pem";
let NOSUBJ_NOSAN_CERT = "jstests/libs/server_no_subject_no_SAN.pem";
let CA_CERT = getX509Path("ca.pem");
let SERVER_CERT = getX509Path("server.pem");
let CN_CERT = getX509Path("localhostnameCN.pem");
let SAN_CERT = getX509Path("localhostnameSAN.pem");
let CLIENT_CERT = getX509Path("client.pem");
let BAD_SAN_CERT = getX509Path("badSAN.pem");
let NOSUBJ_CERT = getX509Path("server_no_subject.pem");
let NOSUBJ_NOSAN_CERT = getX509Path("server_no_subject_no_SAN.pem");
function testCombination(certPath, allowInvalidHost, allowInvalidCert, shouldSucceed) {
jsTestLog("Testing certificate: " + JSON.stringify(arguments));

8
jstests/ssl/ssl_ingress_conn_metrics.js
View File

@ -19,8 +19,8 @@ let cipherSuite = "TLS_AES_256_GCM_SHA384";
const mongodOptions = (connectionHealthLoggingOn) => {
let options = {
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
tlsCAFile: getX509Path("ca.pem"),
setParameter: {
opensslCipherSuiteConfig: cipherSuite,
enableDetailedConnectionHealthMetricLogLines: connectionHealthLoggingOn,
@ -39,9 +39,9 @@ function testConn(mongod) {
mongod.port,
"--tls",
"--tlsCAFile",
"jstests/libs/ca.pem",
getX509Path("ca.pem"),
"--tlsCertificateKeyFile",
"jstests/libs/client.pem",
getX509Path("client.pem"),
"--eval",
";",
);

16
jstests/ssl/ssl_intermediate_ca.js
View File

@ -4,14 +4,14 @@
import {determineSSLProvider} from "jstests/ssl/libs/ssl_helpers.js";
// server-intermediate-ca was signed by ca.pem, not trusted-ca.pem
const VALID_CA = "jstests/libs/ca.pem";
const INVALID_CA = "jstests/libs/trusted-ca.pem";
const VALID_CA = getX509Path("ca.pem");
const INVALID_CA = getX509Path("trusted-ca.pem");
function runTest(inbound, outbound) {
const mongod = MongoRunner.runMongod({
tlsMode: "requireTLS",
tlsAllowConnectionsWithoutCertificates: "",
tlsCertificateKeyFile: "jstests/libs/server-intermediate-ca.pem",
tlsCertificateKeyFile: getX509Path("server-intermediate-ca.pem"),
tlsCAFile: outbound,
tlsClusterCAFile: inbound,
});
@ -32,7 +32,7 @@ runTest(VALID_CA, INVALID_CA);
const mongod = MongoRunner.runMongod({
tlsMode: "requireTLS",
tlsAllowConnectionsWithoutCertificates: "",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
tlsCAFile: VALID_CA,
});
assert(mongod);
@ -48,7 +48,7 @@ runTest(VALID_CA, INVALID_CA);
"--tlsCAFile",
VALID_CA,
"--tlsCertificateKeyFile",
"jstests/libs/server-intermediate-ca.pem",
getX509Path("server-intermediate-ca.pem"),
"--eval",
"1;",
);
@ -69,8 +69,8 @@ if (determineSSLProvider() === "apple") {
const mongod = MongoRunner.runMongod({
tlsMode: "requireTLS",
tlsAllowConnectionsWithoutCertificates: "",
tlsCertificateKeyFile: "jstests/libs/server-intermediate-leaf.pem",
tlsCAFile: "jstests/libs/intermediate-ca-chain.pem",
tlsCertificateKeyFile: getX509Path("server-intermediate-leaf.pem"),
tlsCAFile: getX509Path("intermediate-ca-chain.pem"),
});
assert(mongod);
assert.eq(mongod.getDB("admin").system.users.find({}).toArray(), []);
@ -85,7 +85,7 @@ if (determineSSLProvider() === "apple") {
"--tlsCAFile",
VALID_CA,
"--tlsCertificateKeyFile",
"jstests/libs/client.pem",
getX509Path("client.pem"),
"--eval",
"1;",
);

24
jstests/ssl/ssl_invalid_server_cert.js
View File

@ -23,30 +23,30 @@ const validityMessage = "The provided SSL certificate is expired or not yet vali
// Test that startup fails with certificate that has yet to become valid.
const notYetValid = {
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/not_yet_valid.pem",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: getX509Path("not_yet_valid.pem"),
tlsCAFile: getX509Path("ca.pem"),
};
runTest("not-yet-valid", notYetValid, validityMessage);
// Test that startup fails with expired certificate.
const expired = {
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/expired.pem",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: getX509Path("expired.pem"),
tlsCAFile: getX509Path("ca.pem"),
};
runTest("expired", expired, validityMessage);
// Test that startup fails with no certificate at all.
const needKeyFile = "need tlsCertificateKeyFile or certificateSelector when TLS is enabled";
runTest("no-key-file", {tlsMode: "requireTLS", tlsCAFile: "jstests/libs/ca.pem"}, needKeyFile);
runTest("no-key-file", {tlsMode: "requireTLS", tlsCAFile: getX509Path("ca.pem")}, needKeyFile);
// Test that startup also fails if only tlsClusterFile is provided
runTest(
"cluster-file-only",
{
tlsMode: "requireTLS",
tlsCAFile: "jstests/libs/ca.pem",
tlsClusterFile: "jstests/libs/client.pem",
tlsCAFile: getX509Path("ca.pem"),
tlsClusterFile: getX509Path("client.pem"),
},
needKeyFile,
);
@ -59,7 +59,7 @@ requireSSLProvider(["windows", "apple"], function () {
"cluster-selector-only",
{
tlsMode: "requireTLS",
tlsCAFile: "jstests/libs/ca.pem",
tlsCAFile: getX509Path("ca.pem"),
tlsClusterCertificateSelector: selector,
},
needKeyFile,
@ -68,8 +68,8 @@ requireSSLProvider(["windows", "apple"], function () {
// Test that startup fails if both key file and cert selector are provided
const keyFileAndSelector = {
tlsMode: "requireTLS",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: "jstests/libs/client.pem",
tlsCAFile: getX509Path("ca.pem"),
tlsCertificateKeyFile: getX509Path("client.pem"),
tlsCertificateSelector: selector,
};
runTest(
@ -81,8 +81,8 @@ requireSSLProvider(["windows", "apple"], function () {
// Test that startup fails if both cluster file and cluster cert selector are provided
const clusterFileAndSelector = {
tlsMode: "requireTLS",
tlsCAFile: "jstests/libs/ca.pem",
tlsClusterFile: "jstests/libs/client.pem",
tlsCAFile: getX509Path("ca.pem"),
tlsClusterFile: getX509Path("client.pem"),
tlsClusterCertificateSelector: selector,
};
runTest(

4
jstests/ssl/ssl_mongodb_x509.js
View File

@ -25,8 +25,8 @@ let startOptions = {
configsvr: "",
storageEngine: "wiredTiger",
tlsMode: "allowTLS",
tlsCertificateKeyFile: "jstests/libs/trusted-server.pem",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: getX509Path("trusted-server.pem"),
tlsCAFile: getX509Path("ca.pem"),
};
let configRS = new ReplSetTest(rstOptions);

4
jstests/ssl/ssl_options.js
View File

@ -8,11 +8,11 @@ requireSSLProvider("openssl", function () {
jsTest.log("Testing censorship of ssl options");
const mongodConfig = {
tlsCertificateKeyFile: "jstests/libs/password_protected.pem",
tlsCertificateKeyFile: getX509Path("password_protected.pem"),
tlsMode: "requireTLS",
tlsCertificateKeyFilePassword: "qwerty",
tlsClusterPassword: "qwerty",
tlsCAFile: "jstests/libs/ca.pem",
tlsCAFile: getX509Path("ca.pem"),
};
const mongodSource = MongoRunner.runMongod(mongodConfig);

6
jstests/ssl/ssl_private_key.js
View File

@ -1,7 +1,7 @@
// Test that clients support "BEGIN PRIVATE KEY" pems with RSA keys
const SERVER_CERT = "jstests/libs/server.pem";
const CA_CERT = "jstests/libs/ca.pem";
const CLIENT_CERT = "jstests/libs/client_privatekey.pem";
const SERVER_CERT = getX509Path("server.pem");
const CA_CERT = getX509Path("ca.pem");
const CLIENT_CERT = getX509Path("client_privatekey.pem");
function authAndTest(port) {
const mongo = runMongoProgram(

6
jstests/ssl/ssl_restricted_protocols.js
View File

@ -3,9 +3,9 @@
import {clientSupportsTLS1_2, clientSupportsTLS1_3, determineSSLProvider} from "jstests/ssl/libs/ssl_helpers.js";
let SERVER_CERT = "jstests/libs/server.pem";
let CLIENT_CERT = "jstests/libs/client.pem";
let CA_CERT = "jstests/libs/ca.pem";
let SERVER_CERT = getX509Path("server.pem");
let CLIENT_CERT = getX509Path("client.pem");
let CA_CERT = getX509Path("ca.pem");
const supportsTLS1_2 = clientSupportsTLS1_2();
const supportsTLS1_3 = clientSupportsTLS1_3();

8
jstests/ssl/ssl_uri.js
View File

@ -19,8 +19,8 @@ let shouldFail = function (uri) {
// Start up a mongod with ssl required.
let tlsMongo = MongoRunner.runMongod({
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
tlsCAFile: getX509Path("ca.pem"),
});
let tlsURI = "mongodb://localhost:" + tlsMongo.port + "/admin";
@ -36,9 +36,9 @@ let connectWithURI = function (uri) {
"--tls",
"--tlsAllowInvalidCertificates",
"--tlsCAFile",
"jstests/libs/ca.pem",
getX509Path("ca.pem"),
"--tlsCertificateKeyFile",
"jstests/libs/client.pem",
getX509Path("client.pem"),
uri,
"--eval",
"db.runCommand({hello: 1})",

16
jstests/ssl/ssl_weak.js
View File

@ -6,12 +6,12 @@
// (an alias for sslWeakCertificateValidation) connects successfully.
let md = MongoRunner.runMongod({
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
tlsCAFile: getX509Path("ca.pem"),
tlsAllowConnectionsWithoutCertificates: "",
});
let mongo = runMongoProgram("mongo", "--port", md.port, "--tls", "--tlsCAFile", "jstests/libs/ca.pem", "--eval", ";");
let mongo = runMongoProgram("mongo", "--port", md.port, "--tls", "--tlsCAFile", getX509Path("ca.pem"), "--eval", ";");
// 0 is the exit code for success
assert(mongo == 0);
@ -23,9 +23,9 @@ mongo = runMongoProgram(
md.port,
"--tls",
"--tlsCAFile",
"jstests/libs/ca.pem",
getX509Path("ca.pem"),
"--tlsCertificateKeyFile",
"jstests/libs/client.pem",
getX509Path("client.pem"),
"--eval",
";",
);
@ -37,11 +37,11 @@ MongoRunner.stopMongod(md);
// fails to connect.
let md2 = MongoRunner.runMongod({
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
tlsCAFile: getX509Path("ca.pem"),
});
mongo = runMongoProgram("mongo", "--port", md2.port, "--tls", "--tlsCAFile", "jstests/libs/ca.pem", "--eval", ";");
mongo = runMongoProgram("mongo", "--port", md2.port, "--tls", "--tlsCAFile", getX509Path("ca.pem"), "--eval", ";");
// 1 is the exit code for failure
assert(mongo == 1);

4
jstests/ssl/ssl_withhold_client_cert.js
View File

@ -26,8 +26,8 @@ function testRS(opts, expectWarning) {
const base_options = {
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
tlsCAFile: getX509Path("ca.pem"),
tlsAllowInvalidHostnames: "",
useLogFiles: true,
};

8
jstests/ssl/ssl_x509_SAN.js
View File

@ -1,7 +1,7 @@
const SERVER1_CERT = "jstests/libs/server_SAN.pem";
const SERVER2_CERT = "jstests/libs/server_SAN2.pem";
const CA_CERT = "jstests/libs/ca.pem";
const CLIENT_CERT = "jstests/libs/client.pem";
const SERVER1_CERT = getX509Path("server_SAN.pem");
const SERVER2_CERT = getX509Path("server_SAN2.pem");
const CA_CERT = getX509Path("ca.pem");
const CLIENT_CERT = getX509Path("client.pem");
// Some test machines lack ipv6 so test for by starting a mongod that needs to bind to an ipv6
// address.

14
jstests/ssl/ssl_x509_roles.js
View File

@ -2,13 +2,13 @@
// Also validates RFC2253
import {ShardingTest} from "jstests/libs/shardingtest.js";
const SERVER_CERT = "jstests/libs/server.pem";
const CA_CERT = "jstests/libs/ca.pem";
const CLIENT_CERT = "jstests/libs/client_roles.pem";
const CLIENT_ESCAPE_CERT = "jstests/libs/client_escape.pem";
const CLIENT_UTF8_CERT = "jstests/libs/client_utf8.pem";
const CLIENT_EMAIL_CERT = "jstests/libs/client_email.pem";
const CLIENT_CERT_NO_ROLES = "jstests/libs/client.pem";
const SERVER_CERT = getX509Path("server.pem");
const CA_CERT = getX509Path("ca.pem");
const CLIENT_CERT = getX509Path("client_roles.pem");
const CLIENT_ESCAPE_CERT = getX509Path("client_escape.pem");
const CLIENT_UTF8_CERT = getX509Path("client_utf8.pem");
const CLIENT_EMAIL_CERT = getX509Path("client_email.pem");
const CLIENT_CERT_NO_ROLES = getX509Path("client.pem");
const CLIENT_USER_NO_ROLES = "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US";
const smokeScript = "assert(db.getSiblingDB('$external').auth({ mechanism: 'MONGODB-X509' }));";

14
jstests/ssl/tlsCATrusts.js
View File

@ -2,23 +2,23 @@
import {requireSSLProvider} from "jstests/ssl/libs/ssl_helpers.js";
requireSSLProvider("openssl", function () {
const SERVER_CERT = "jstests/libs/server.pem";
const COMBINED_CA_CERT = "jstests/ssl/x509/root-and-trusted-ca.pem";
const CA_HASH = cat("jstests/libs/ca.pem.digest.sha256");
const TRUSTED_CA_HASH = cat("jstests/libs/trusted-ca.pem.digest.sha256");
const SERVER_CERT = getX509Path("server.pem");
const COMBINED_CA_CERT = getX509Path("root-and-trusted-ca.pem");
const CA_HASH = cat(getX509Path("ca.pem.digest.sha256"));
const TRUSTED_CA_HASH = cat(getX509Path("trusted-ca.pem.digest.sha256"));
// Common suffix, keep the lines short.
const RDN_SUFFIX = ",O=MongoDB,L=New York City,ST=New York,C=US";
const USERS = [];
const CLIENT = {
cert: "jstests/libs/client.pem",
cert: getX509Path("client.pem"),
roles: [],
};
USERS.push("CN=client,OU=KernelUser");
const CLIENT_ROLES = {
cert: "jstests/libs/client_roles.pem",
cert: getX509Path("client_roles.pem"),
roles: [
{role: "backup", db: "admin"},
{role: "readAnyDatabase", db: "admin"},
@ -27,7 +27,7 @@ requireSSLProvider("openssl", function () {
USERS.push("CN=Kernel Client Peer Role,OU=Kernel Users");
const TRUSTED_CLIENT_TESTDB_ROLES = {
cert: "jstests/ssl/x509/trusted-client-testdb-roles.pem",
cert: getX509Path("trusted-client-testdb-roles.pem"),
roles: [
{role: "role1", db: "testDB"},
{role: "role2", db: "testDB"},

3
jstests/ssl/tls_enumerator.py
View File

@ -90,5 +90,4 @@ if __name__ == "__main__":
for cipher, error in exception_ciphers.items():
print(cipher + "\tError: " + error)
with open(args.outfile, "w+") as outfile:
json.dump(results, outfile)
print("Enumeration results:", json.dumps(results))

2
jstests/ssl/upgrade_to_ssl.js
View File

@ -16,7 +16,7 @@ let opts = {
tlsCertificateKeyFile: SERVER_CERT,
tlsAllowInvalidCertificates: "",
tlsAllowConnectionsWithoutCertificates: "",
tlsCAFile: "jstests/libs/ca.pem",
tlsCAFile: getX509Path("ca.pem"),
};
let rst = new ReplSetTest({name: "tlsSet", nodes: 3, nodeOptions: opts});
rst.startSet();

6
jstests/ssl/user_cache_entry_lifetime.js
View File

@ -1,8 +1,8 @@
// Test that we can safely use entries in the user cache created by old connections.
const SERVER_CERT = "jstests/libs/server.pem";
const CA_CERT = "jstests/libs/ca.pem";
const CLIENT_CERT = "jstests/libs/client_roles.pem";
const SERVER_CERT = getX509Path("server.pem");
const CA_CERT = getX509Path("ca.pem");
const CLIENT_CERT = getX509Path("client_roles.pem");
function runTest(port) {
// Run given test function in a parallel shell.

8
jstests/ssl/x509_all_the_oids.js
View File

@ -1,7 +1,7 @@
// Test X509 auth with all known RDN OIDs.
const SERVER_CERT = "jstests/libs/server.pem";
const CA_CERT = "jstests/libs/ca.pem";
const SERVER_CERT = getX509Path("server.pem");
const CA_CERT = getX509Path("ca.pem");
function runTest(conn) {
const script = "assert(db.getSiblingDB('$external').auth({mechanism: 'MONGODB-X509'}));";
@ -11,7 +11,7 @@ function runTest(conn) {
"--tls",
"--tlsAllowInvalidHostnames",
"--tlsCertificateKeyFile",
"jstests/libs/client-all-the-oids.pem",
getX509Path("client-all-the-oids.pem"),
"--tlsCAFile",
CA_CERT,
"--port",
@ -26,7 +26,7 @@ function runTest(conn) {
const output = rawMongoProgramOutput(".*");
const NAME =
"role=Datum-72,pseudonym=Datum-65,dmdName=Datum-54,deltaRevocationList=Datum-53,supportedAlgorithms=Datum-52,houseIdentifier=Datum-51,uniqueMember=Datum-50,distinguishedName=Datum-49,protocolInformation=Datum-48,enhancedSearchGuide=Datum-47,dnQualifier=Datum-46,x500UniqueIdentifier=Datum-45,generationQualifier=Datum-44,initials=Datum-43,GN=Datum-42,name=Datum-41,crossCertificatePair=Datum-40,certificateRevocationList=Datum-39,authorityRevocationList=Datum-38,cACertificate=Datum-37,userCertificate=Datum-36,userPassword=Datum-35,seeAlso=Datum-34,roleOccupant=Datum-33,owner=Datum-32,member=Datum-31,supportedApplicationContext=Datum-30,presentationAddress=Datum-29,preferredDeliveryMethod=Datum-28,destinationIndicator=Datum-27,registeredAddress=Datum-26,internationaliSDNNumber=Datum-25,x121Address=Datum-24,facsimileTelephoneNumber=Datum-23,teletexTerminalIdentifier=Datum-22,telexNumber=Datum-21,telephoneNumber=Datum-20,physicalDeliveryOfficeName=Datum-19,postOfficeBox=Datum-18,postalCode=Datum-17,postalAddress=Datum-16,businessCategory=Datum-15,searchGuide=Datum-14,description=Datum-13,title=Datum-12,OU=Datum-11,O=Datum-10,street=Datum-9,ST=NY,L=Datum-7,C=US,serialNumber=Datum-5,SN=Datum-4,CN=Datum-3";
"street=Datum-9,role=Datum-72,pseudonym=Datum-65,dmdName=Datum-54,deltaRevocationList=Datum-53,supportedAlgorithms=Datum-52,houseIdentifier=Datum-51,uniqueMember=Datum-50,serialNumber=Datum-5,distinguishedName=Datum-49,protocolInformation=Datum-48,enhancedSearchGuide=Datum-47,dnQualifier=Datum-46,x500UniqueIdentifier=Datum-45,generationQualifier=Datum-44,initials=Datum-43,GN=Datum-42,name=Datum-41,crossCertificatePair=Datum-40,SN=Datum-4,certificateRevocationList=Datum-39,authorityRevocationList=Datum-38,cACertificate=Datum-37,userCertificate=Datum-36,userPassword=Datum-35,seeAlso=Datum-34,roleOccupant=Datum-33,owner=Datum-32,member=Datum-31,supportedApplicationContext=Datum-30,presentationAddress=Datum-29,preferredDeliveryMethod=Datum-28,destinationIndicator=Datum-27,registeredAddress=Datum-26,internationaliSDNNumber=Datum-25,x121Address=Datum-24,facsimileTelephoneNumber=Datum-23,teletexTerminalIdentifier=Datum-22,telexNumber=Datum-21,telephoneNumber=Datum-20,physicalDeliveryOfficeName=Datum-19,postOfficeBox=Datum-18,postalCode=Datum-17,postalAddress=Datum-16,businessCategory=Datum-15,searchGuide=Datum-14,description=Datum-13,title=Datum-12,CN=Datum-3,OU=Datum-11,O=Datum-10,L=Datum-7,ST=NY,C=US";
assert(
output.includes('Error: Could not find user "' + NAME + '" for db "$external"'),

4
jstests/ssl/x509_client.js
View File

@ -2,8 +2,8 @@
import {ShardingTest} from "jstests/libs/shardingtest.js";
const SERVER_CERT = "jstests/libs/server.pem";
const CA_CERT = "jstests/libs/ca.pem";
const SERVER_CERT = getX509Path("server.pem");
const CA_CERT = getX509Path("ca.pem");
const INTERNAL_USER = "CN=internal,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US";
const SERVER_USER = "CN=server,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US";

12
jstests/ssl/x509_custom.js
View File

@ -12,9 +12,9 @@ function testClient(conn, name) {
"--tls",
"--tlsAllowInvalidHostnames",
"--tlsCertificateKeyFile",
"jstests/libs/client-custom-oids.pem",
getX509Path("client-custom-oids.pem"),
"--tlsCAFile",
"jstests/libs/ca.pem",
getX509Path("ca.pem"),
"--port",
conn.port,
"--eval",
@ -26,7 +26,7 @@ function testClient(conn, name) {
function runTest(conn) {
const NAME =
"1.2.3.45=Value\\,Rando,1.2.3.56=RandoValue,CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US";
"1.2.3.56=RandoValue,1.2.3.45=Value\\,Rando,CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US";
const admin = conn.getDB("admin");
admin.createUser({user: "admin", pwd: "admin", roles: ["root"]});
admin.auth("admin", "admin");
@ -43,9 +43,9 @@ const mongod = MongoRunner.runMongod({
auth: "",
tlsMode: "requireTLS",
// Server PEM file is server.pem to match the shell's ca.pem.
tlsCertificateKeyFile: "jstests/libs/server.pem",
// Server CA file is non-expiring-ca.pem to match the shell's client-custom-oids.pem.
tlsCAFile: "jstests/libs/non-expiring-ca.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
// Server CA file is ca.pem to match the shell's client-custom-oids.pem.
tlsCAFile: getX509Path("ca.pem"),
tlsAllowInvalidCertificates: "",
});
runTest(mongod);

8
jstests/ssl/x509_enforce_user_cluster_separation.js
View File

@ -2,10 +2,10 @@
import {ShardingTest} from "jstests/libs/shardingtest.js";
const SERVER_CERT = "jstests/libs/server.pem";
const SERVER_SAN_CERT = "jstests/libs/server_SAN.pem";
const CLIENT_CERT = "jstests/libs/client.pem";
const CA_CERT = "jstests/libs/ca.pem";
const SERVER_CERT = getX509Path("server.pem");
const SERVER_SAN_CERT = getX509Path("server_SAN.pem");
const CLIENT_CERT = getX509Path("client.pem");
const CA_CERT = getX509Path("ca.pem");
const SERVER_USER = "CN=server,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US";
const SERVER_SAN_USER = "CN=Kernel Client Peer Role,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US";

4
jstests/ssl/x509_expiring.js
View File

@ -1,7 +1,7 @@
// Verify a warning is emitted when a certificate is about to expire.
const SERVER_CERT = "jstests/libs/server.pem";
const CA_CERT = "jstests/libs/ca.pem";
const SERVER_CERT = getX509Path("server.pem");
const CA_CERT = getX509Path("ca.pem");
const CLIENT_USER = "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US";
function test(expiration, expect) {

24
jstests/ssl/x509_extended_key_usage.js
View File

@ -3,17 +3,17 @@
import {ReplSetTest} from "jstests/libs/replsettest.js";
import {isMacOS} from "jstests/ssl/libs/ssl_helpers.js";
const kServerAuthClientCert = "jstests/libs/client_with_serverAuth_eku.pem";
const kBothEKUsClientCert = "jstests/libs/client_with_serverAuth_and_clientAuth_eku.pem";
const kNoEKUsClientCert = "jstests/libs/client_without_eku.pem";
const kClientAuthClientCert = "jstests/libs/client.pem";
const kServerAuthClientCert = getX509Path("client_with_serverAuth_eku.pem");
const kBothEKUsClientCert = getX509Path("client_with_serverAuth_and_clientAuth_eku.pem");
const kNoEKUsClientCert = getX509Path("client_without_eku.pem");
const kClientAuthClientCert = getX509Path("client.pem");
const kClientAuthServerCert = "jstests/libs/server_with_clientAuth_eku.pem";
const kBothEKUsServerCert = "jstests/libs/server.pem";
const kNoEKUsServerCert = "jstests/libs/server_without_eku.pem";
const kServerAuthServerCert = "jstests/libs/server_with_serverAuth_eku.pem";
const kClientAuthServerCert = getX509Path("server_with_clientAuth_eku.pem");
const kBothEKUsServerCert = getX509Path("server.pem");
const kNoEKUsServerCert = getX509Path("server_without_eku.pem");
const kServerAuthServerCert = getX509Path("server_with_serverAuth_eku.pem");
const kCACert = "jstests/libs/ca.pem";
const kCACert = getX509Path("ca.pem");
function testClientAuthEKU(conn, clientCert, shouldFail) {
clearRawMongoProgramOutput();
@ -24,7 +24,7 @@ function testClientAuthEKU(conn, clientCert, shouldFail) {
"--tlsCertificateKeyFile",
clientCert,
"--tlsCAFile",
"jstests/libs/ca.pem",
getX509Path("ca.pem"),
"--port",
conn.port,
"--eval",
@ -91,8 +91,8 @@ function testServerAuthEKU(serverCert, shouldFail) {
auth: "",
tlsMode: "requireTLS",
// Server PEM file is server.pem to match the shell's ca.pem.
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
tlsCAFile: getX509Path("ca.pem"),
tlsAllowInvalidCertificates: "",
});
testClientAuthEKU(mongod, kClientAuthClientCert, false /* shouldFail */);

8
jstests/ssl/x509_invalid.js
View File

@ -1,10 +1,10 @@
// Test X509 auth when --tlsAllowInvalidCertificates is enabled
const CLIENT_NAME = "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US";
const CLIENT_CERT = "jstests/libs/client.pem";
const SERVER_CERT = "jstests/libs/server.pem";
const CA_CERT = "jstests/libs/ca.pem";
const SELF_SIGNED_CERT = "jstests/libs/client-self-signed.pem";
const CLIENT_CERT = getX509Path("client.pem");
const SERVER_CERT = getX509Path("server.pem");
const CA_CERT = getX509Path("ca.pem");
const SELF_SIGNED_CERT = getX509Path("client-self-signed.pem");
function hasX509AuthSucceeded(conn) {
if (checkLog.checkContainsOnce(conn, "No verified subject name available from client")) {

6
jstests/ssl/x509_multivalue.js
View File

@ -1,7 +1,7 @@
// Test X509 auth with custom OIDs.
const SERVER_CERT = "jstests/libs/server.pem";
const CA_CERT = "jstests/libs/ca.pem";
const SERVER_CERT = getX509Path("server.pem");
const CA_CERT = getX509Path("ca.pem");
function testClient(conn, name) {
let auth = {mechanism: "MONGODB-X509"};
@ -15,7 +15,7 @@ function testClient(conn, name) {
"--tls",
"--tlsAllowInvalidHostnames",
"--tlsCertificateKeyFile",
"jstests/libs/client-multivalue-rdn.pem",
getX509Path("client-multivalue-rdn.pem"),
"--tlsCAFile",
CA_CERT,
"--port",

16
jstests/ssl/x509_rotate_missing_files.js
View File

@ -15,10 +15,10 @@ function deleteFile(file) {
const dbPath = MongoRunner.toRealDir("$dataDir/cluster_x509_rotate_test/");
mkdir(dbPath);
copyCertificateFile("jstests/libs/ca.pem", dbPath + "/ca-test.pem");
copyCertificateFile("jstests/libs/client.pem", dbPath + "/client-test.pem");
copyCertificateFile("jstests/libs/server.pem", dbPath + "/server-test.pem");
copyCertificateFile("jstests/libs/crl.pem", dbPath + "/crl-test.pem");
copyCertificateFile(getX509Path("ca.pem"), dbPath + "/ca-test.pem");
copyCertificateFile(getX509Path("client.pem"), dbPath + "/client-test.pem");
copyCertificateFile(getX509Path("server.pem"), dbPath + "/server-test.pem");
copyCertificateFile(getX509Path("crl.pem"), dbPath + "/crl-test.pem");
const mongod = MongoRunner.runMongod({
tlsMode: "requireTLS",
@ -35,10 +35,10 @@ if (determineSSLProvider() !== "apple") {
}
for (let certType of certTypes) {
copyCertificateFile("jstests/libs/ca.pem", dbPath + "/ca-test.pem");
copyCertificateFile("jstests/libs/client.pem", dbPath + "/client-test.pem");
copyCertificateFile("jstests/libs/server.pem", dbPath + "/server-test.pem");
copyCertificateFile("jstests/libs/crl.pem", dbPath + "/crl-test.pem");
copyCertificateFile(getX509Path("ca.pem"), dbPath + "/ca-test.pem");
copyCertificateFile(getX509Path("client.pem"), dbPath + "/client-test.pem");
copyCertificateFile(getX509Path("server.pem"), dbPath + "/server-test.pem");
copyCertificateFile(getX509Path("crl.pem"), dbPath + "/crl-test.pem");
assert.commandWorked(mongod.adminCommand({rotateCertificates: 1}));
deleteFile(`${dbPath}/${certType}-test.pem`);

8
jstests/ssl/x509_startup_certificate_info.js
View File

@ -3,10 +3,10 @@
import {ShardingTest} from "jstests/libs/shardingtest.js";
import {determineSSLProvider} from "jstests/ssl/libs/ssl_helpers.js";
const CA_CERT = "jstests/libs/ca.pem";
const SERVER_CERT = "jstests/libs/server.pem";
const CLUSTER_CERT = "jstests/libs/cluster_cert.pem";
const CRL_FILE = "jstests/libs/crl.pem";
const CA_CERT = getX509Path("ca.pem");
const SERVER_CERT = getX509Path("server.pem");
const CLUSTER_CERT = getX509Path("cluster_cert.pem");
const CRL_FILE = getX509Path("crl.pem");
const SERVER_CERT_INFO = {
"type": "Server",

4
jstests/ssl/x509_startup_warning.js
View File

@ -30,8 +30,8 @@ function runTest(checkMongos, opts, expectWarningCertifcates, expectWarningHostn
{
auth: "",
tlsMode: "preferTLS",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
tlsCAFile: getX509Path("ca.pem"),
waitForConnect: false,
},
opts,

12
jstests/sslSpecial/cluster_auth_x509_rolling_configuration.js
View File

@ -19,8 +19,8 @@ if (determineSSLProvider() !== "openssl") {
*/
// Subject: C=US, ST=New York, L=New York, O=MongoDB, OU=Kernel, CN=server
const originalDNAttributes = "O=MongoDB, OU=Kernel";
const originalCert = "jstests/libs/server.pem";
const originalCACert = "jstests/libs/ca.pem";
const originalCert = getX509Path("server.pem");
const originalCACert = getX509Path("ca.pem");
const defaultPolicyClusterAuthX509Override = {
attributes: originalDNAttributes,
};
@ -30,7 +30,7 @@ const defaultPolicyClusterAuthX509Override = {
*/
// Subject: C=US, ST=New York, L=New York City, CN=server, title=foo
const fooTitleDNAttributes = "C=US, ST=New York, L=New York City, title=foo";
const fooTitleDNCert = "jstests/libs/server_title_foo_no_o_ou_dc.pem";
const fooTitleDNCert = getX509Path("server_title_foo_no_o_ou_dc.pem");
const fooTitleClusterAuthX509Override = {
attributes: fooTitleDNAttributes,
};
@ -40,21 +40,21 @@ const fooTitleClusterAuthX509Override = {
*/
// Subject: C=US, ST=New York, L=New York City, O=MongoDB, OU=Kernel, CN=server, title=bar
const barTitleDNAttributes = "C=US, ST=New York, L=New York City, title=bar";
const barTitleDNCert = "jstests/libs/server_title_bar.pem";
const barTitleDNCert = getX509Path("server_title_bar.pem");
const barTitleClusterAuthX509Override = {
attributes: barTitleDNAttributes,
};
/**
* This is the path of the certificate containing the cluster membership extension set to 'foo'.
*/
const fooExtensionCert = "jstests/ssl/libs/cluster-member-foo.pem";
const fooExtensionCert = getX509Path("cluster-member-foo.pem");
const fooExtensionClusterAuthX509Override = {
extensionValue: "foo",
};
/**
* This is the path of the certificate containing the cluster membership extension set to 'bar'.
*/
const barExtensionCert = "jstests/ssl/libs/cluster-member-bar.pem";
const barExtensionCert = getX509Path("cluster-member-bar.pem");
const barExtensionClusterAuthX509Override = {
extensionValue: "bar",
};

20
jstests/sslSpecial/cluster_auth_x509_subject_attributes.js
View File

@ -22,29 +22,29 @@ const clusterMembershipOverrideDN =
* tlsClusterAuthX509Attributes.
*/
// Subject: CN=server, title=foo, C=US, ST=New York, L=New York City, O=MongoDB, OU=Kernel
const serverTitleFooCert = "jstests/libs/server_title_foo.pem";
const serverTitleFooCert = getX509Path("server_title_foo.pem");
// Subject: CN=clusterTest, title=foo, C=US, ST=New York, L=New York City, O=MongoDB, OU=Kernel
const clusterTitleFooCert = "jstests/libs/cluster_title_foo.pem";
const clusterTitleFooCert = getX509Path("cluster_title_foo.pem");
/**
* Member certificates whose subjects do not include DC, OU, or O.
*/
// Subject: CN=server, title=foo, C=US, ST=New York, L=New York City
const serverTitleFooNoDefaultCert = "jstests/libs/server_title_foo_no_o_ou_dc.pem";
const serverTitleFooNoDefaultCert = getX509Path("server_title_foo_no_o_ou_dc.pem");
// Subject: CN=clusterTest, title=foo, C=US, ST=New York, L=New York City
const clusterTitleFooNoDefaultCert = "jstests/libs/cluster_title_foo_no_o_ou_dc.pem";
const clusterTitleFooNoDefaultCert = getX509Path("cluster_title_foo_no_o_ou_dc.pem");
/**
* Certificates that will not satisfy clusterMembershipAttributesDN.
*/
// Subject: CN=server, title=bar, C=US, ST=New York, L=New York City, O=MongoDB, OU=Kernel
const serverTitleBarCert = "jstests/libs/server_title_bar.pem";
const serverTitleBarCert = getX509Path("server_title_bar.pem");
// Subject: CN=server, C=US, ST=New York, L=New York City, O=MongoDB, OU=Kernel
const serverDefaultOnlyCert = "jstests/libs/server.pem";
const serverDefaultOnlyCert = getX509Path("server.pem");
// Subject: CN=clusterTest, C=US, ST=New York, L=New York City, O=MongoDB, OU=Kernel
const clusterDefaultOnlyCert = "jstests/libs/cluster_cert.pem";
const clusterDefaultOnlyCert = getX509Path("cluster_cert.pem");
const serverCAFile = "jstests/libs/ca.pem";
const serverCAFile = getX509Path("ca.pem");
function assertNoStart(opts, errmsg) {
clearRawMongoProgramOutput();
@ -200,11 +200,11 @@ runValidMongodTest(
opts,
{user: "__system", certificate: serverDefaultOnlyCert},
{
user: "L=New York City,ST=New York,C=US,title=foo,CN=server",
user: "title=foo,CN=server,L=New York City,ST=New York,C=US",
certificate: serverTitleFooNoDefaultCert,
},
{
user: "L=New York City,ST=New York,C=US,title=foo,CN=clustertest",
user: "title=foo,CN=clustertest,L=New York City,ST=New York,C=US",
certificate: clusterTitleFooNoDefaultCert,
},
);

6
jstests/sslSpecial/shardsvr_ssl_restart.js
View File

@ -12,13 +12,13 @@ import {ShardingTest} from "jstests/libs/shardingtest.js";
const st = new ShardingTest({shards: {rs0: {nodes: 1}}});
let opts = {
tlsMode: "allowTLS",
tlsCertificateKeyFile: "jstests/libs/client.pem",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: getX509Path("client.pem"),
tlsCAFile: getX509Path("ca.pem"),
shardsvr: "",
};
requireSSLProvider("openssl", function () {
// Only the OpenSSL provider supports encrypted PKCS#8
opts.tlsCertificateKeyFile = "jstests/libs/password_protected.pem";
opts.tlsCertificateKeyFile = getX509Path("password_protected.pem");
opts.tlsCertificateKeyFilePassword = "qwerty";
});

12
jstests/sslSpecial/ssl_cipher_default.js
View File

@ -23,8 +23,8 @@ assertCorrectConfig({sslMode: "disabled"}, defaultConfig);
assertCorrectConfig(
{
sslMode: "allowSSL",
sslPEMKeyFile: "jstests/libs/server.pem",
sslCAFile: "jstests/libs/ca.pem",
sslPEMKeyFile: getX509Path("server.pem"),
sslCAFile: getX509Path("ca.pem"),
},
defaultConfig,
);
@ -33,8 +33,8 @@ assertCorrectConfig(
assertCorrectConfig(
{
sslMode: "allowSSL",
sslPEMKeyFile: "jstests/libs/server.pem",
sslCAFile: "jstests/libs/ca.pem",
sslPEMKeyFile: getX509Path("server.pem"),
sslCAFile: getX509Path("ca.pem"),
setParameter: "opensslCipherConfig=HIGH",
},
"HIGH",
@ -43,8 +43,8 @@ assertCorrectConfig(
assertCorrectConfig(
{
sslMode: "allowSSL",
sslPEMKeyFile: "jstests/libs/server.pem",
sslCAFile: "jstests/libs/ca.pem",
sslPEMKeyFile: getX509Path("server.pem"),
sslCAFile: getX509Path("ca.pem"),
tlsCipherConfig: "HIGH",
},
"HIGH",

6
jstests/sslSpecial/ssl_ecdsa_cert.js
View File

@ -1,9 +1,9 @@
import {requireSSLProvider} from "jstests/ssl/libs/ssl_helpers.js";
const test = () => {
const ECDSA_CA_CERT = "jstests/libs/ecdsa-ca.pem";
const ECDSA_CLIENT_CERT = "jstests/libs/ecdsa-client.pem";
const ECDSA_SERVER_CERT = "jstests/libs/ecdsa-server.pem";
const ECDSA_CA_CERT = getX509Path("ecdsa-ca.pem");
const ECDSA_CLIENT_CERT = getX509Path("ecdsa-client.pem");
const ECDSA_SERVER_CERT = getX509Path("ecdsa-server.pem");
const CLIENT_USER = "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US";

16
jstests/sslSpecial/x509_cluster_auth_rollover.js
View File

@ -14,8 +14,8 @@ const rst = new ReplSetTest({
nodeOptions: {
tlsMode: "preferTLS",
clusterAuthMode: "x509",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
tlsCAFile: getX509Path("ca.pem"),
tlsAllowInvalidHostnames: "",
},
});
@ -96,8 +96,8 @@ const rolloverConfig = function (newConfig) {
jsTestLog("Rolling over CA certificate to combined old and new CA's");
rolloverConfig({
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCAFile: "jstests/libs/rollover_ca_merged.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
tlsCAFile: getX509Path("rollover_ca_merged.pem"),
setParameter: {
tlsX509ClusterAuthDNOverride: rolloverDN,
},
@ -105,8 +105,8 @@ rolloverConfig({
jsTestLog("Rolling over to new certificate with new cluster DN and new CA");
rolloverConfig({
tlsCertificateKeyFile: "jstests/libs/rollover_server.pem",
tlsCAFile: "jstests/libs/rollover_ca_merged.pem",
tlsCertificateKeyFile: getX509Path("rollover_server.pem"),
tlsCAFile: getX509Path("rollover_ca_merged.pem"),
setParameter: {
tlsX509ClusterAuthDNOverride: originalDN,
},
@ -114,8 +114,8 @@ rolloverConfig({
jsTestLog("Rolling over to new CA only");
rolloverConfig({
tlsCertificateKeyFile: "jstests/libs/rollover_server.pem",
tlsCAFile: "jstests/libs/rollover_ca.pem",
tlsCertificateKeyFile: getX509Path("rollover_server.pem"),
tlsCAFile: getX509Path("rollover_ca.pem"),
});
rst.stopSet();

20
jstests/ssl_linear/mongo_uri_secondaries.js
View File

@ -1,9 +1,9 @@
// On OSX this test assumes that jstests/libs/trusted-ca.pem has been added as a trusted
// On OSX this test assumes that trusted-ca.pem has been added as a trusted
// certificate to the login keychain of the evergreen user. See,
// https://github.com/10gen/buildslave-cookbooks/commit/af7cabe5b6e0885902ebd4902f7f974b64cc8961
// for details.
// To install trusted-ca.pem for local testing on OSX, invoke the following at a console:
// security add-trusted-cert -d jstests/libs/trusted-ca.pem
// security add-trusted-cert -d bazel-bin/install-devcore/bin/x509/trusted-ca.pem
import {getPython3Binary} from "jstests/libs/python.js";
import {ReplSetTest} from "jstests/libs/replsettest.js";
@ -14,26 +14,26 @@ jsTest.log("HOST_TYPE = " + HOST_TYPE);
if (HOST_TYPE == "macOS") {
// Ensure trusted-ca.pem is properly installed on MacOS hosts.
// (MacOS is the only OS where it is installed outside of this test)
let exitCode = runProgram("security", "verify-cert", "-c", "./jstests/libs/trusted-client.pem");
let exitCode = runProgram("security", "verify-cert", "-c", getX509Path("trusted-client.pem"));
assert.eq(0, exitCode, "Check for proper installation of Trusted CA on MacOS host");
}
if (HOST_TYPE == "windows") {
assert.eq(0, runProgram(getPython3Binary(), "jstests/ssl_linear/windows_castore_cleanup.py"));
// OpenSSL backed imports Root CA and intermediate CA
runProgram("certutil.exe", "-addstore", "-user", "-f", "CA", "jstests\\libs\\trusted-ca.pem");
runProgram("certutil.exe", "-addstore", "-user", "-f", "CA", getX509Path("trusted-ca.pem"));
// SChannel backed follows Windows rules and only trusts the Root store in Local Machine and
// Current User.
runProgram("certutil.exe", "-addstore", "-f", "Root", "jstests\\libs\\trusted-ca.pem");
runProgram("certutil.exe", "-addstore", "-f", "Root", getX509Path("trusted-ca.pem"));
}
try {
const x509Options = {
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/trusted-server.pem",
tlsCAFile: "jstests/libs/trusted-ca.pem",
tlsClusterFile: "jstests/libs/trusted-client.pem",
tlsCertificateKeyFile: getX509Path("trusted-server.pem"),
tlsCAFile: getX509Path("trusted-ca.pem"),
tlsClusterFile: getX509Path("trusted-client.pem"),
tlsAllowInvalidCertificates: "",
tlsWeakCertificateValidation: "",
};
@ -84,13 +84,13 @@ try {
const subShellArgs = ["mongo", "--nodb", "--eval", subShellCommandFormatter(rst)];
const retVal = runWithEnv(subShellArgs, {"SSL_CERT_FILE": "jstests/libs/trusted-ca.pem"});
const retVal = runWithEnv(subShellArgs, {"SSL_CERT_FILE": getX509Path("trusted-ca.pem")});
assert.eq(retVal, 0, "mongo shell did not succeed with exit code 0");
rst.stopSet();
} finally {
if (HOST_TYPE == "windows") {
const trusted_ca_thumbprint = cat("jstests/libs/trusted-ca.pem.digest.sha1");
const trusted_ca_thumbprint = cat(getX509Path("trusted-ca.pem.digest.sha1"));
runProgram("certutil.exe", "-delstore", "-f", "Root", trusted_ca_thumbprint);
runProgram("certutil.exe", "-delstore", "-user", "-f", "CA", trusted_ca_thumbprint);
}

20
jstests/ssl_linear/repl_ssl_noca.js
View File

@ -1,9 +1,9 @@
// On OSX this test assumes that jstests/libs/trusted-ca.pem has been added as a trusted
// On OSX this test assumes that trusted-ca.pem has been added as a trusted
// certificate to the login keychain of the evergreen user. See,
// https://github.com/10gen/buildslave-cookbooks/commit/af7cabe5b6e0885902ebd4902f7f974b64cc8961
// for details.
// To install trusted-ca.pem for local testing on OSX, invoke the following at a console:
// security add-trusted-cert -d jstests/libs/trusted-ca.pem
// security add-trusted-cert -d bazel-bin/install-devcore/bin/x509/trusted-ca.pem
import {getPython3Binary} from "jstests/libs/python.js";
import {ReplSetTest} from "jstests/libs/replsettest.js";
@ -14,18 +14,18 @@ jsTest.log("HOST_TYPE = " + HOST_TYPE);
if (HOST_TYPE == "macOS") {
// Ensure trusted-ca.pem is properly installed on MacOS hosts.
// (MacOS is the only OS where it is installed outside of this test)
let exitCode = runProgram("security", "verify-cert", "-c", "./jstests/libs/trusted-client.pem");
let exitCode = runProgram("security", "verify-cert", "-c", getX509Path("trusted-client.pem"));
assert.eq(0, exitCode, "Check for proper installation of Trusted CA on MacOS host");
}
if (HOST_TYPE == "windows") {
assert.eq(0, runProgram(getPython3Binary(), "jstests/ssl_linear/windows_castore_cleanup.py"));
// OpenSSL backed imports Root CA and intermediate CA
runProgram("certutil.exe", "-addstore", "-user", "-f", "CA", "jstests\\libs\\trusted-ca.pem");
runProgram("certutil.exe", "-addstore", "-user", "-f", "CA", getX509Path("trusted-ca.pem"));
// SChannel backed follows Windows rules and only trusts the Root store in Local Machine and
// Current User.
runProgram("certutil.exe", "-addstore", "-f", "Root", "jstests\\libs\\trusted-ca.pem");
runProgram("certutil.exe", "-addstore", "-f", "Root", getX509Path("trusted-ca.pem"));
}
try {
@ -34,7 +34,7 @@ try {
nodes: 1,
nodeOptions: {
tlsMode: "requireTLS",
tlsCertificateKeyFile: "jstests/libs/trusted-server.pem",
tlsCertificateKeyFile: getX509Path("trusted-server.pem"),
setParameter: {tlsUseSystemCA: true},
},
host: "localhost",
@ -43,7 +43,7 @@ try {
replTest.startSet({
env: {
SSL_CERT_FILE: "jstests/libs/trusted-ca.pem",
SSL_CERT_FILE: getX509Path("trusted-ca.pem"),
},
});
@ -57,13 +57,13 @@ try {
let argv = ["mongo", url, "--eval", "db.runCommand({replSetGetStatus: 1})"];
if (url.endsWith("&ssl=true")) {
argv.push("--tls", "--tlsCertificateKeyFile", "jstests/libs/trusted-client.pem");
argv.push("--tls", "--tlsCertificateKeyFile", getX509Path("trusted-client.pem"));
}
if (!_isWindows()) {
// On Linux we override the default path to the system CA store to point to our
// system CA. On Windows, this CA will have been added to the user's trusted CA list
argv.unshift("env", "SSL_CERT_FILE=jstests/libs/trusted-ca.pem");
argv.unshift("env", "SSL_CERT_FILE=" + getX509Path("trusted-ca.pem"));
}
let ret = runMongoProgram(...argv);
return ret;
@ -84,7 +84,7 @@ try {
replTest.stopSet();
} finally {
if (_isWindows()) {
const ca_thumbprint = cat("jstests/libs/trusted-ca.pem.digest.sha1");
const ca_thumbprint = cat(getX509Path("trusted-ca.pem.digest.sha1"));
runProgram("certutil.exe", "-delstore", "-f", "Root", ca_thumbprint);
runProgram("certutil.exe", "-delstore", "-user", "-f", "CA", ca_thumbprint);
}

21
jstests/ssl_linear/ssl_cert_selector.js
View File

@ -12,9 +12,9 @@ import {
TRUSTED_SERVER_CERT,
} from "jstests/ssl/libs/ssl_helpers.js";
const clientThumbprint = cat("jstests/libs/trusted-client.pem.digest.sha1");
const serverThumbprint = cat("jstests/libs/trusted-server.pem.digest.sha1");
const clusterServerThumbprint = cat("jstests/libs/trusted-cluster-server.pem.digest.sha1");
const clientThumbprint = cat(getX509Path("trusted-client.pem.digest.sha1"));
const serverThumbprint = cat(getX509Path("trusted-server.pem.digest.sha1"));
const clusterServerThumbprint = cat(getX509Path("trusted-cluster-server.pem.digest.sha1"));
const CLIENT = "CN=Trusted Kernel Test Client,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US";
const SERVER = "CN=Trusted Kernel Test Server,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US";
const CLUSTER_SERVER = "CN=Trusted Kernel Test Cluster Server,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US";
@ -142,19 +142,24 @@ requireSSLProvider("windows", function () {
runProgram("certutil.exe", "-addstore", "-f", "Root", TRUSTED_CA_CERT);
// Import a pfx file since it contains both a cert and private key and is easy to import
// via command line.
const importPfx = function (pfxFile) {
const createAndImportPfx = function (basename) {
const pemFile = getX509Path(basename + ".pem");
const dbPath = MongoRunner.toRealPath("$dataDir\\ssl_cert_selector\\");
mkdir(dbPath);
const pfxFile = dbPath + basename + ".pfx";
runProgram("certutil.exe", "-mergepfx", "-f", "-p", "qwerty,qwerty", pemFile, pfxFile);
return runProgram("certutil.exe", "-importpfx", "-f", "-p", "qwerty", pfxFile);
};
assert.eq(0, importPfx("jstests\\libs\\trusted-client.pfx"));
assert.eq(0, importPfx("jstests\\libs\\trusted-server.pfx"));
assert.eq(0, importPfx("jstests\\libs\\trusted-cluster-server.pfx"));
assert.eq(0, createAndImportPfx("trusted-client"));
assert.eq(0, createAndImportPfx("trusted-server"));
assert.eq(0, createAndImportPfx("trusted-cluster-server"));
}
try {
testCases.forEach((test) => testServerSelectorKeyUsage(test));
} finally {
if (_isWindows()) {
const trusted_ca_thumbprint = cat("jstests/libs/trusted-ca.pem.digest.sha1");
const trusted_ca_thumbprint = cat(getX509Path("trusted-ca.pem.digest.sha1"));
runProgram("certutil.exe", "-delstore", "-f", "Root", trusted_ca_thumbprint);
}
}

40
jstests/ssl_linear/ssl_with_system_ca.js
View File

@ -1,9 +1,9 @@
// On OSX this test assumes that jstests/libs/trusted-ca.pem has been added as a trusted
// On OSX this test assumes that trusted-ca.pem has been added as a trusted
// certificate to the login keychain of the evergreen user. See,
// https://github.com/10gen/buildhost-configuration/blob/f60ba13f506ef035d14e46fb5935f26ba3ca6bed/roles/macos/tasks/keychains.yml#L39-L100
// for details.
// To install trusted-ca.pem for local testing on OSX, invoke the following at a console:
// security add-trusted-cert -d jstests/libs/trusted-ca.pem
// security add-trusted-cert -d bazel-bin/install-devcore/bin/x509/trusted-ca.pem
import {getPython3Binary} from "jstests/libs/python.js";
import {ReplSetTest} from "jstests/libs/replsettest.js";
@ -15,29 +15,29 @@ jsTest.log("HOST_TYPE = " + HOST_TYPE);
if (HOST_TYPE == "macOS") {
// Ensure trusted-ca.pem is properly installed on MacOS hosts.
// (MacOS is the only OS where it is installed outside of this test)
let exitCode = runProgram("security", "verify-cert", "-c", "./jstests/libs/trusted-client.pem");
let exitCode = runProgram("security", "verify-cert", "-c", getX509Path("trusted-client.pem"));
assert.eq(0, exitCode, "Check for proper installation of Trusted CA on MacOS host");
}
if (HOST_TYPE == "windows") {
assert.eq(0, runProgram(getPython3Binary(), "jstests/ssl_linear/windows_castore_cleanup.py"));
// OpenSSL backed imports Root CA and intermediate CA
runProgram("certutil.exe", "-addstore", "-user", "-f", "CA", "jstests\\libs\\trusted-ca.pem");
runProgram("certutil.exe", "-addstore", "-user", "-f", "CA", getX509Path("trusted-ca.pem"));
// SChannel backed follows Windows rules and only trusts the Root store in Local Machine and
// Current User.
runProgram("certutil.exe", "-addstore", "-f", "Root", "jstests\\libs\\trusted-ca.pem");
runProgram("certutil.exe", "-addstore", "-f", "Root", getX509Path("trusted-ca.pem"));
}
const certDir = MongoRunner.toRealDir("$dataDir/ssl_with_system_ca_test/");
if (HOST_TYPE == "linux") {
mkdir(certDir);
clearRawMongoProgramOutput();
assert.eq(0, runProgram("openssl", "x509", "-hash", "-noout", "-in", "jstests/libs/trusted-ca.pem"));
assert.eq(0, runProgram("openssl", "x509", "-hash", "-noout", "-in", getX509Path("trusted-ca.pem")));
let hash = rawMongoProgramOutput(".*");
jsTestLog(hash); // has form: "|sh<pid> <hash>\n"
hash = hash.trim().split(" ")[1];
copyCertificateFile("jstests/libs/trusted-ca.pem", `${certDir}/${hash}.0`);
copyCertificateFile(getX509Path("trusted-ca.pem"), `${certDir}/${hash}.0`);
}
// Tests server ingress validation works if the server is configured to use system CA.
@ -48,7 +48,7 @@ function testServerIngress() {
// and a system CA store containing trusted-ca.pem.
const serverOpts = {
tlsMode: "preferTLS",
tlsCertificateKeyFile: "jstests/libs/trusted-server.pem",
tlsCertificateKeyFile: getX509Path("trusted-server.pem"),
tlsAllowInvalidHostnames: "",
waitForConnect: true,
setParameter: {tlsUseSystemCA: true},
@ -60,8 +60,8 @@ function testServerIngress() {
jsTestLog("Testing server ingress validates trusted client certificate");
let clientOpts = {
tls: {
certificateKeyFile: "jstests/libs/trusted-client.pem",
CAFile: "jstests/libs/trusted-ca.pem",
certificateKeyFile: getX509Path("trusted-client.pem"),
CAFile: getX509Path("trusted-ca.pem"),
allowInvalidHostnames: true,
},
};
@ -72,7 +72,7 @@ function testServerIngress() {
// Using untrusted keys, verify the server rejects the client.
jsTestLog("Testing server ingress rejects untrusted client certificate");
clientOpts.tls.certificateKeyFile = "jstests/libs/client.pem";
clientOpts.tls.certificateKeyFile = getX509Path("client.pem");
assert.commandWorked(conn.adminCommand({clearLog: "global"}));
let error = assert.throwsWithCode(() => {
@ -94,8 +94,8 @@ function testServerEgress() {
const rst = new ReplSetTest({nodes: 1});
rst.startSet({
tlsMode: "preferTLS",
tlsCertificateKeyFile: "jstests/libs/trusted-server.pem", // used on ingress
tlsClusterFile: "jstests/libs/trusted-client.pem", // used on egress to node2
tlsCertificateKeyFile: getX509Path("trusted-server.pem"), // used on ingress
tlsClusterFile: getX509Path("trusted-client.pem"), // used on egress to node2
tlsAllowInvalidHostnames: "",
waitForConnect: true,
setParameter: {tlsUseSystemCA: true},
@ -108,9 +108,9 @@ function testServerEgress() {
// Add new node that uses a key not trusted by the first node.
let badNode = rst.add({
tlsMode: "preferTLS",
tlsCertificateKeyFile: "jstests/libs/server.pem", // used on ingress, untrusted
tlsClusterFile: "jstests/libs/trusted-client.pem", // used on egress to node1
tlsCAFile: "jstests/libs/trusted-ca.pem",
tlsCertificateKeyFile: getX509Path("server.pem"), // used on ingress, untrusted
tlsClusterFile: getX509Path("trusted-client.pem"), // used on egress to node1
tlsCAFile: getX509Path("trusted-ca.pem"),
tlsAllowInvalidHostnames: "",
waitForConnect: true,
});
@ -127,9 +127,9 @@ function testServerEgress() {
// Add new node that uses a key trusted by the first node.
let goodNode = rst.add({
tlsMode: "preferTLS",
tlsCertificateKeyFile: "jstests/libs/trusted-server.pem", // used on ingress, trusted
tlsClusterFile: "jstests/libs/trusted-client.pem", // used on egress to node1
tlsCAFile: "jstests/libs/trusted-ca.pem",
tlsCertificateKeyFile: getX509Path("trusted-server.pem"), // used on ingress, trusted
tlsClusterFile: getX509Path("trusted-client.pem"), // used on egress to node1
tlsCAFile: getX509Path("trusted-ca.pem"),
tlsAllowInvalidHostnames: "",
waitForConnect: true,
});
@ -151,7 +151,7 @@ try {
testServerEgress();
} finally {
if (HOST_TYPE == "windows") {
const trusted_ca_thumbprint = cat("jstests/libs/trusted-ca.pem.digest.sha1");
const trusted_ca_thumbprint = cat(getX509Path("trusted-ca.pem.digest.sha1"));
runProgram("certutil.exe", "-delstore", "-f", "Root", trusted_ca_thumbprint);
runProgram("certutil.exe", "-delstore", "-user", "-f", "CA", trusted_ca_thumbprint);
}

4
jstests/ssl_x509/cluster_x509_restart.js
View File

@ -13,8 +13,8 @@ const rst = new ReplSetTest({
tlsMode: "requireTLS",
clusterAuthMode: "x509",
keyFile: "jstests/libs/key1",
tlsCertificateKeyFile: "jstests/libs/server.pem",
tlsCAFile: "jstests/libs/ca.pem",
tlsCertificateKeyFile: getX509Path("server.pem"),
tlsCAFile: getX509Path("ca.pem"),
tlsAllowInvalidHostnames: "",
},
});

Some files were not shown because too many files have changed in this diff Show More