From 77d90a66d36389ffe36edbf2c8326ec9de0bfbb8 Mon Sep 17 00:00:00 2001 
From: Gabriel Marks Date: Wed, 28 Jan 2026 12:22:51 -0500 Subject: [PATCH] SERVER-99750 Use generated certificates in jstests (#46650) GitOrigin-RevId: 303ffa3be9ec56f70a9ff9e38d4430fd0c927599 --- BUILD.bazel | 6 ++ .../resmokeconfig/suites/client_encrypt.yml | 4 +- buildscripts/resmokeconfig/suites/fle.yml | 4 +- .../suites/fle2_query_analysis.yml | 4 +- .../integration_tests_replset_ssl_auth.yml | 4 +- .../integration_tests_standalone_grpc.yml | 8 +- buildscripts/resmokeconfig/suites/ocsp.yml | 4 +- .../suites/search_community_ssl.yml | 4 +- .../resmokeconfig/suites/search_ssl.yml | 4 +- buildscripts/resmokeconfig/suites/ssl.yml | 4 +- .../resmokeconfig/suites/ssl_linear.yml | 4 +- .../resmokeconfig/suites/ssl_x509.yml | 4 +- .../suites/vector_search_ssl.yml | 4 +- .../testing/fixtures/multi_replica_set.py | 11 ++- .../testing/fixtures/multi_sharded_cluster.py | 11 ++- .../resmokelib/testing/fixtures/replicaset.py | 3 +- .../testing/fixtures/shardedcluster.py | 5 +- .../resmokelib/testing/fixtures/standalone.py | 3 +- .../testing/testcases/cpp_integration_test.py | 2 + .../resmokelib/testing/testcases/jstest.py | 3 +- buildscripts/resmokelib/utils/BUILD.bazel | 1 + buildscripts/resmokelib/utils/certs.py | 23 ++++++ eslint.config.mjs | 1 + evergreen/selinux_test_executor.sh | 1 + jstests/core/testing/certs_are_generated.js | 12 +-- jstests/libs/ssl_test.js | 11 ++- .../noPassthrough/libs/x509/main_certs.json | 2 +- jstests/noPassthrough/shell/shell_grpc_uri.js | 4 +- jstests/ocsp/lib/ocsp_helpers.js | 37 +++++---- jstests/ssl/auth-counters.js | 8 +- jstests/ssl/canonicalize_command_line_opts.js | 8 +- jstests/ssl/client_x509_rotate.js | 14 ++-- jstests/ssl/cluster_member.js | 14 ++-- jstests/ssl/cluster_x509_rotate.js | 30 +++---- .../ssl/config-canonicalize-normal-ports.js | 4 +- jstests/ssl/crl_x509_rotate.js | 20 ++--- jstests/ssl/disable_x509.js | 4 +- jstests/ssl/libs/BUILD.bazel | 5 -- jstests/ssl/libs/localhost-cn-with-san.pem.sh | 22 ----- 
jstests/ssl/libs/ssl_helpers.js | 16 ++-- jstests/ssl/macos_encrypted_pem.js | 4 +- jstests/ssl/multi-ca.js | 10 +-- jstests/ssl/openssl_ciphersuites.js | 8 +- jstests/ssl/peer_validation_without_cafile.js | 14 ++-- jstests/ssl/repl_ssl_split_horizon.js | 8 +- jstests/ssl/server_x509_rotate.js | 12 +-- jstests/ssl/set_parameter_ssl.js | 4 +- jstests/ssl/shell_option_parsing.js | 4 +- jstests/ssl/speculative-authenticate.js | 12 +-- jstests/ssl/ssl_ECDHE_suites.js | 20 ++--- jstests/ssl/ssl_alert_reporting.js | 8 +- jstests/ssl/ssl_cert_selector_apple.js | 6 +- .../ssl/ssl_client_bad_certificate_warning.js | 6 +- ..._client_certificate_warning_suppression.js | 4 +- jstests/ssl/ssl_cluster_ca.js | 18 ++--- jstests/ssl/ssl_cluster_file.js | 8 +- jstests/ssl/ssl_cn_with_san.js | 4 +- jstests/ssl/ssl_count_protocols.js | 6 +- jstests/ssl/ssl_crl.js | 4 +- jstests/ssl/ssl_crl_revoked.js | 10 +-- jstests/ssl/ssl_fragment.js | 8 +- jstests/ssl/ssl_hostname_validation.js | 16 ++-- jstests/ssl/ssl_ingress_conn_metrics.js | 8 +- jstests/ssl/ssl_intermediate_ca.js | 16 ++-- jstests/ssl/ssl_invalid_server_cert.js | 24 +++--- jstests/ssl/ssl_mongodb_x509.js | 4 +- jstests/ssl/ssl_options.js | 4 +- jstests/ssl/ssl_private_key.js | 6 +- jstests/ssl/ssl_restricted_protocols.js | 6 +- jstests/ssl/ssl_uri.js | 8 +- jstests/ssl/ssl_weak.js | 16 ++-- jstests/ssl/ssl_withhold_client_cert.js | 4 +- jstests/ssl/ssl_x509_SAN.js | 8 +- jstests/ssl/ssl_x509_roles.js | 14 ++-- jstests/ssl/tlsCATrusts.js | 14 ++-- jstests/ssl/tls_enumerator.py | 3 +- jstests/ssl/upgrade_to_ssl.js | 2 +- jstests/ssl/user_cache_entry_lifetime.js | 6 +- jstests/ssl/x509_all_the_oids.js | 8 +- jstests/ssl/x509_client.js | 4 +- jstests/ssl/x509_custom.js | 12 +-- .../x509_enforce_user_cluster_separation.js | 8 +- jstests/ssl/x509_expiring.js | 4 +- jstests/ssl/x509_extended_key_usage.js | 24 +++--- jstests/ssl/x509_invalid.js | 8 +- jstests/ssl/x509_multivalue.js | 6 +- jstests/ssl/x509_rotate_missing_files.js | 16 
++-- jstests/ssl/x509_startup_certificate_info.js | 8 +- jstests/ssl/x509_startup_warning.js | 4 +- ...cluster_auth_x509_rolling_configuration.js | 12 +-- .../cluster_auth_x509_subject_attributes.js | 20 ++--- jstests/sslSpecial/shardsvr_ssl_restart.js | 6 +- jstests/sslSpecial/ssl_cipher_default.js | 12 +-- jstests/sslSpecial/ssl_ecdsa_cert.js | 6 +- .../sslSpecial/x509_cluster_auth_rollover.js | 16 ++-- jstests/ssl_linear/mongo_uri_secondaries.js | 20 ++--- jstests/ssl_linear/repl_ssl_noca.js | 20 ++--- jstests/ssl_linear/ssl_cert_selector.js | 21 +++-- jstests/ssl_linear/ssl_with_system_ca.js | 40 +++++----- jstests/ssl_x509/cluster_x509_restart.js | 4 +- jstests/ssl_x509/initial_sync1_x509.js | 8 +- jstests/ssl_x509/sharding_with_x509.js | 6 +- jstests/ssl_x509/shell_x509_system_user.js | 8 +- jstests/ssl_x509/speculative-auth-replset.js | 4 +- jstests/ssl_x509/speculative-auth-sharding.js | 8 +- jstests/ssl_x509/x509_basic.js | 6 +- .../search_mocked/ssl/mongot_ssl_required.js | 4 +- .../ssl/mongot_ssl_required.js | 4 +- src/mongo/shell/servers.js | 6 +- src/mongo/shell/servers_global.js | 9 ++- .../util/net/network_interface_ssl_test.cpp | 16 ++-- x509/README | 2 - x509/main_certs_def.bzl | 20 ++--- x509/mkcert.py | 80 +++++++++++-------- x509/static/README.md | 30 +++++++ x509/static/ca_key.pem | 2 - x509/static/ec_ca_key.pem | 2 - x509/static/ec_key.pem | 2 - x509/static/ec_ocsp_ca_key.pem | 2 - x509/static/ec_ocsp_key.pem | 2 - x509/static/intermediate_b_ca_key.pem | 2 - x509/static/intermediate_b_key.pem | 2 - x509/static/intermediate_ca_key.pem | 2 - x509/static/intermediate_key.pem | 2 - x509/static/intermediate_ocsp_ca_key.pem | 2 - x509/static/intermediate_ocsp_key.pem | 2 - x509/static/key.pem | 2 - x509/static/macos_ca_key.pem | 2 - x509/static/macos_key.pem | 2 - x509/static/ocsp_ca_key.pem | 2 - x509/static/ocsp_key.pem | 2 - x509/static/ocsp_responder_key.pem | 28 +++++++ x509/static/pkcs1_encrypted_key.pem | 2 - 
x509/static/pkcs1_encrypted_trusted_key.pem | 2 -
x509/static/pkcs8_encrypted_ec_key.pem | 2 -
.../static/pkcs8_encrypted_ec_ocsp_ca_key.pem | 2 -
x509/static/pkcs8_encrypted_ec_ocsp_key.pem | 2 -
.../pkcs8_encrypted_ec_ocsp_responder_key.pem | 5 ++
x509/static/rollover_ca_key.pem | 2 -
x509/static/rollover_key.pem | 2 -
x509/static/trusted_ca_key.pem | 2 -
x509/static/trusted_key.pem | 2 -
142 files changed, 643 insertions(+), 600 deletions(-)
create mode 100644 buildscripts/resmokelib/utils/certs.py
delete mode 100755 jstests/ssl/libs/localhost-cn-with-san.pem.sh
create mode 100644 x509/static/ocsp_responder_key.pem
create mode 100644 x509/static/pkcs8_encrypted_ec_ocsp_responder_key.pem
diff --git a/BUILD.bazel b/BUILD.bazel
index e884702a79b..a18ea30dda3 100644
--- a/BUILD.bazel
+++ b/BUILD.bazel
@@ -427,6 +427,12 @@ mongo_install(
],
"//conditions:default": [],
}),
+ root_files = select({
+ "//bazel/config:include_autogenerated_targets_enabled": {
+ "//x509:generate_main_certificates": "bin/x509",
+ },
+ "//conditions:default": {},
+ }),
)
# This sets up targets for install-mongotmock and archive-mongotmock
diff --git a/buildscripts/resmokeconfig/suites/client_encrypt.yml b/buildscripts/resmokeconfig/suites/client_encrypt.yml
index c06deb9b350..5917062b3f6 100644
--- a/buildscripts/resmokeconfig/suites/client_encrypt.yml
+++ b/buildscripts/resmokeconfig/suites/client_encrypt.yml
@@ -11,5 +11,5 @@ executor:
ssl: ""
tlsAllowInvalidHostnames: ""
tlsAllowInvalidCertificates: ""
- tlsCAFile: jstests/libs/ca.pem
- tlsCertificateKeyFile: jstests/libs/client.pem
+ tlsCAFile: ${x509ObjDir}/ca.pem
+ tlsCertificateKeyFile: ${x509ObjDir}/client.pem
diff --git a/buildscripts/resmokeconfig/suites/fle.yml b/buildscripts/resmokeconfig/suites/fle.yml
index 98d1ab1b8b6..737d6896cb1 100644
--- a/buildscripts/resmokeconfig/suites/fle.yml
+++ b/buildscripts/resmokeconfig/suites/fle.yml
@@ -12,8 +12,8 @@ executor:
ssl: ""
tlsAllowInvalidHostnames: ""
tlsAllowInvalidCertificates: ""
- tlsCAFile: jstests/libs/ca.pem
- tlsCertificateKeyFile: jstests/libs/client.pem
+ tlsCAFile: ${x509ObjDir}/ca.pem
+ tlsCertificateKeyFile: ${x509ObjDir}/client.pem
global_vars:
TestData:
useFle2Protocol: false
diff --git a/buildscripts/resmokeconfig/suites/fle2_query_analysis.yml b/buildscripts/resmokeconfig/suites/fle2_query_analysis.yml
index 9471f62cec5..e107f1872ae 100644
--- a/buildscripts/resmokeconfig/suites/fle2_query_analysis.yml
+++ b/buildscripts/resmokeconfig/suites/fle2_query_analysis.yml
@@ -13,8 +13,8 @@ executor:
ssl: ""
tlsAllowInvalidHostnames: ""
tlsAllowInvalidCertificates: ""
- tlsCAFile: jstests/libs/ca.pem
- tlsCertificateKeyFile: jstests/libs/client.pem
+ tlsCAFile: ${x509ObjDir}/ca.pem
+ tlsCertificateKeyFile: ${x509ObjDir}/client.pem
global_vars:
TestData:
useFle2Protocol: true
diff --git a/buildscripts/resmokeconfig/suites/integration_tests_replset_ssl_auth.yml b/buildscripts/resmokeconfig/suites/integration_tests_replset_ssl_auth.yml
index b4fbd12cd09..dcb198337a6 100644
--- a/buildscripts/resmokeconfig/suites/integration_tests_replset_ssl_auth.yml
+++ b/buildscripts/resmokeconfig/suites/integration_tests_replset_ssl_auth.yml
@@ -57,8 +57,8 @@ executor:
command: 2
enableTestCommands: 1
tlsMode: preferTLS
- tlsCAFile: jstests/libs/ca.pem
- tlsCertificateKeyFile: jstests/libs/server.pem
+ tlsCAFile: ${x509ObjDir}/ca.pem
+ tlsCertificateKeyFile: ${x509ObjDir}/server.pem
keyFile: *keyFile
clusterAuthMode: sendX509
auth: ""
diff --git a/buildscripts/resmokeconfig/suites/integration_tests_standalone_grpc.yml b/buildscripts/resmokeconfig/suites/integration_tests_standalone_grpc.yml
index 9ccacb89d0f..d63b3eab64e 100644
--- a/buildscripts/resmokeconfig/suites/integration_tests_standalone_grpc.yml
+++ b/buildscripts/resmokeconfig/suites/integration_tests_standalone_grpc.yml
@@ -13,8 +13,8 @@ executor:
config:
program_options:
tlsMode: "preferTLS"
- tlsCAFile: jstests/libs/ca.pem
- tlsCertificateKeyFile: jstests/libs/client.pem
+ tlsCAFile: ${x509ObjDir}/ca.pem
+ tlsCertificateKeyFile: ${x509ObjDir}/client.pem
useEgressGRPC: true
hooks:
 - class: ValidateCollections
@@ -29,5 +29,5 @@ executor:
command: 2
enableTestCommands: 1
tlsMode: preferTLS
- tlsCAFile: jstests/libs/ca.pem
- tlsCertificateKeyFile: jstests/libs/server.pem
+ tlsCAFile: ${x509ObjDir}/ca.pem
+ tlsCertificateKeyFile: ${x509ObjDir}/server.pem
diff --git a/buildscripts/resmokeconfig/suites/ocsp.yml b/buildscripts/resmokeconfig/suites/ocsp.yml
index aa9b988b884..824791a1ca8 100644
--- a/buildscripts/resmokeconfig/suites/ocsp.yml
+++ b/buildscripts/resmokeconfig/suites/ocsp.yml
@@ -9,7 +9,7 @@ executor:
shell_options:
nodb: ""
tls: ""
- tlsCAFile: jstests/libs/ocsp/ca_ocsp.pem
- tlsCertificateKeyFile: jstests/libs/ocsp/client_ocsp.pem
+ tlsCAFile: ${x509ObjDir}/ca_ocsp.pem
+ tlsCertificateKeyFile: ${x509ObjDir}/client_ocsp.pem
tlsAllowInvalidHostnames: ""
setShellParameter: ocspEnabled=true
diff --git a/buildscripts/resmokeconfig/suites/search_community_ssl.yml b/buildscripts/resmokeconfig/suites/search_community_ssl.yml
index 86593948933..8eceb7b2be2 100644
--- a/buildscripts/resmokeconfig/suites/search_community_ssl.yml
+++ b/buildscripts/resmokeconfig/suites/search_community_ssl.yml
@@ -28,5 +28,5 @@ executor:
ssl: ""
tlsAllowInvalidHostnames: ""
tlsAllowInvalidCertificates: ""
- tlsCAFile: jstests/libs/ca.pem
- tlsCertificateKeyFile: jstests/libs/client.pem
+ tlsCAFile: ${x509ObjDir}/ca.pem
+ tlsCertificateKeyFile: ${x509ObjDir}/client.pem
diff --git a/buildscripts/resmokeconfig/suites/search_ssl.yml b/buildscripts/resmokeconfig/suites/search_ssl.yml
index 502a7825bac..391862ce940 100644
--- a/buildscripts/resmokeconfig/suites/search_ssl.yml
+++ b/buildscripts/resmokeconfig/suites/search_ssl.yml
@@ -22,5 +22,5 @@ executor:
ssl: ""
tlsAllowInvalidHostnames: ""
tlsAllowInvalidCertificates: ""
- tlsCAFile: jstests/libs/ca.pem
- tlsCertificateKeyFile: jstests/libs/client.pem
+ tlsCAFile: ${x509ObjDir}/ca.pem
+ tlsCertificateKeyFile: ${x509ObjDir}/client.pem
diff --git a/buildscripts/resmokeconfig/suites/ssl.yml b/buildscripts/resmokeconfig/suites/ssl.yml
index 25718cd1dc8..4248b4d41b9 100644
--- a/buildscripts/resmokeconfig/suites/ssl.yml
+++ b/buildscripts/resmokeconfig/suites/ssl.yml
@@ -12,8 +12,8 @@ executor:
nodb: ""
ssl: ""
sslAllowInvalidCertificates: ""
- sslCAFile: jstests/libs/ca.pem
- sslPEMKeyFile: jstests/libs/client.pem
+ sslCAFile: ${x509ObjDir}/ca.pem
+ sslPEMKeyFile: ${x509ObjDir}/client.pem
global_vars:
TestData:
setParameters:
diff --git a/buildscripts/resmokeconfig/suites/ssl_linear.yml b/buildscripts/resmokeconfig/suites/ssl_linear.yml
index 9f90942f34c..805408e4236 100644
--- a/buildscripts/resmokeconfig/suites/ssl_linear.yml
+++ b/buildscripts/resmokeconfig/suites/ssl_linear.yml
@@ -13,8 +13,8 @@ executor:
nodb: ""
ssl: ""
sslAllowInvalidCertificates: ""
- sslCAFile: jstests/libs/trusted-ca.pem
- sslPEMKeyFile: jstests/libs/trusted-client.pem
+ sslCAFile: ${x509ObjDir}/trusted-ca.pem
+ sslPEMKeyFile: ${x509ObjDir}/trusted-client.pem
global_vars:
TestData:
setParameters:
diff --git a/buildscripts/resmokeconfig/suites/ssl_x509.yml b/buildscripts/resmokeconfig/suites/ssl_x509.yml
index 374c0f4e42b..694396b80db 100644
--- a/buildscripts/resmokeconfig/suites/ssl_x509.yml
+++ b/buildscripts/resmokeconfig/suites/ssl_x509.yml
@@ -11,9 +11,9 @@ executor:
nodb: ""
ssl: ""
sslAllowInvalidCertificates: ""
- sslCAFile: jstests/libs/ca.pem
+ sslCAFile: ${x509ObjDir}/ca.pem
# We use server.pem so that shell can auth as __system.
- sslPEMKeyFile: jstests/libs/server.pem
+ sslPEMKeyFile: ${x509ObjDir}/server.pem
global_vars:
TestData:
setParameters:
diff --git a/buildscripts/resmokeconfig/suites/vector_search_ssl.yml b/buildscripts/resmokeconfig/suites/vector_search_ssl.yml
index 243bc540b88..a0cddc2bfc4 100644
--- a/buildscripts/resmokeconfig/suites/vector_search_ssl.yml
+++ b/buildscripts/resmokeconfig/suites/vector_search_ssl.yml
@@ -11,5 +11,5 @@ executor:
ssl: ""
tlsAllowInvalidHostnames: ""
tlsAllowInvalidCertificates: ""
- tlsCAFile: jstests/libs/ca.pem
- tlsCertificateKeyFile: jstests/libs/client.pem
+ tlsCAFile: ${x509ObjDir}/ca.pem
+ tlsCertificateKeyFile: ${x509ObjDir}/client.pem
diff --git a/buildscripts/resmokelib/testing/fixtures/multi_replica_set.py b/buildscripts/resmokelib/testing/fixtures/multi_replica_set.py
index 45ed8f73560..b55d324f016 100644
--- a/buildscripts/resmokelib/testing/fixtures/multi_replica_set.py
+++ b/buildscripts/resmokelib/testing/fixtures/multi_replica_set.py
@@ -4,7 +4,7 @@ import copy
import os.path
from buildscripts.resmokelib.testing.fixtures import interface
-from buildscripts.resmokelib.utils import dictionary
+from buildscripts.resmokelib.utils import certs, dictionary
class MultiReplicaSetFixture(interface.MultiClusterFixture):
@@ -38,8 +38,13 @@ class MultiReplicaSetFixture(interface.MultiClusterFixture):
raise ValueError("num_replica_sets must be greater or equal to 2")
self.num_nodes_per_replica_set = num_nodes_per_replica_set
- self.common_mongod_options = self.fixturelib.default_if_none(common_mongod_options, {})
- self.per_mongod_options = self.fixturelib.default_if_none(per_mongod_options, [])
+ self.common_mongod_options = certs.expand_x509_paths(
+ self.fixturelib.default_if_none(common_mongod_options, {})
+ )
+ self.per_mongod_options = [
+ certs.expand_x509_paths(opts)
+ for opts in self.fixturelib.default_if_none(per_mongod_options, [])
+ ]
self.common_replica_set_options = common_replica_set_options
self.per_replica_set_options = self.fixturelib.default_if_none(per_replica_set_options, [])
self.persist_connection_strings = persist_connection_strings
diff --git a/buildscripts/resmokelib/testing/fixtures/multi_sharded_cluster.py b/buildscripts/resmokelib/testing/fixtures/multi_sharded_cluster.py
index f84038502e2..6d7ec32187b 100644
--- a/buildscripts/resmokelib/testing/fixtures/multi_sharded_cluster.py
+++ b/buildscripts/resmokelib/testing/fixtures/multi_sharded_cluster.py
@@ -6,7 +6,7 @@ import os.path
import pymongo
from buildscripts.resmokelib.testing.fixtures import interface
-from buildscripts.resmokelib.utils import dictionary
+from buildscripts.resmokelib.utils import certs, dictionary
class MultiShardedClusterFixture(interface.MultiClusterFixture):
@@ -38,8 +38,13 @@ class MultiShardedClusterFixture(interface.MultiClusterFixture):
raise ValueError("num_sharded_clusters must be greater or equal to 2")
self.num_sharded_clusters = num_sharded_clusters
- self.common_mongod_options = self.fixturelib.default_if_none(common_mongod_options, {})
- self.per_mongod_options = self.fixturelib.default_if_none(per_mongod_options, [])
+ self.common_mongod_options = certs.expand_x509_paths(
+ self.fixturelib.default_if_none(common_mongod_options, {})
+ )
+ self.per_mongod_options = [
+ certs.expand_x509_paths(opts)
+ for opts in self.fixturelib.default_if_none(per_mongod_options, [])
+ ]
self.common_sharded_cluster_options = common_sharded_cluster_options
self.per_sharded_cluster_options = self.fixturelib.default_if_none(
per_sharded_cluster_options, []
diff --git a/buildscripts/resmokelib/testing/fixtures/replicaset.py b/buildscripts/resmokelib/testing/fixtures/replicaset.py
index da3c3fbc8f0..4bacd7555d6 100644
--- a/buildscripts/resmokelib/testing/fixtures/replicaset.py
+++ b/buildscripts/resmokelib/testing/fixtures/replicaset.py
@@ -17,6 +17,7 @@ from buildscripts.resmokelib.extensions import (
find_and_generate_extension_configs,
)
from buildscripts.resmokelib.testing.fixtures import interface
+from buildscripts.resmokelib.utils import certs
def compare_timestamp(timestamp1, timestamp2):
@@ -90,7 +91,7 @@ class ReplicaSetFixture(interface.ReplFixture, interface._DockerComposeInterface
self.mongod_executable = mongod_executable
self.mongod_options = self.fixturelib.make_historic(
- self.fixturelib.default_if_none(mongod_options, {})
+ certs.expand_x509_paths(self.fixturelib.default_if_none(mongod_options, {}))
)
self.load_all_extensions = load_all_extensions or self.config.LOAD_ALL_EXTENSIONS
diff --git a/buildscripts/resmokelib/testing/fixtures/shardedcluster.py b/buildscripts/resmokelib/testing/fixtures/shardedcluster.py
index 135ce8bb0cf..5c58e2f3d1b 100644
--- a/buildscripts/resmokelib/testing/fixtures/shardedcluster.py
+++ b/buildscripts/resmokelib/testing/fixtures/shardedcluster.py
@@ -15,6 +15,7 @@ from buildscripts.resmokelib.extensions import (
find_and_generate_extension_configs,
)
from buildscripts.resmokelib.testing.fixtures import _builder, external, interface
+from buildscripts.resmokelib.utils import certs
from buildscripts.resmokelib.utils.sharded_cluster_util import (
inject_catalog_metadata_on_the_csrs,
refresh_logical_session_cache_with_retry,
@@ -65,7 +66,7 @@ class ShardedClusterFixture(interface.Fixture, interface._DockerComposeInterface
raise ValueError("Cannot specify mongod_options.dbpath")
self.mongos_options = self.fixturelib.make_historic(
- self.fixturelib.default_if_none(mongos_options, {})
+ certs.expand_x509_paths(self.fixturelib.default_if_none(mongos_options, {}))
)
# The mongotHost and searchIndexManagementHostAndPort options cannot be set on mongos_options yet because
# the port value is only assigned in MongoDFixture initialization, which happens later.
@@ -73,7 +74,7 @@ class ShardedClusterFixture(interface.Fixture, interface._DockerComposeInterface
# mongod options
self.mongod_options = self.fixturelib.make_historic(
- self.fixturelib.default_if_none(mongod_options, {})
+ certs.expand_x509_paths(self.fixturelib.default_if_none(mongod_options, {}))
)
self.load_all_extensions = load_all_extensions or self.config.LOAD_ALL_EXTENSIONS
diff --git a/buildscripts/resmokelib/testing/fixtures/standalone.py b/buildscripts/resmokelib/testing/fixtures/standalone.py
index 70b8fcd1b1b..e1a4d374e0e 100644
--- a/buildscripts/resmokelib/testing/fixtures/standalone.py
+++ b/buildscripts/resmokelib/testing/fixtures/standalone.py
@@ -19,6 +19,7 @@ from buildscripts.resmokelib.extensions import (
)
from buildscripts.resmokelib.testing.fixtures import interface
from buildscripts.resmokelib.testing.fixtures.fixturelib import FixtureLib
+from buildscripts.resmokelib.utils import certs
from buildscripts.resmokelib.utils.history import HistoryDict
@@ -61,7 +62,7 @@ class MongoDFixture(interface.Fixture, interface._DockerComposeInterface):
"""
interface.Fixture.__init__(self, logger, job_num, fixturelib, dbpath_prefix=dbpath_prefix)
self.mongod_options = self.fixturelib.make_historic(
- self.fixturelib.default_if_none(mongod_options, {})
+ certs.expand_x509_paths(self.fixturelib.default_if_none(mongod_options, {}))
)
self.load_all_extensions = load_all_extensions or self.config.LOAD_ALL_EXTENSIONS
if self.load_all_extensions:
diff --git a/buildscripts/resmokelib/testing/testcases/cpp_integration_test.py b/buildscripts/resmokelib/testing/testcases/cpp_integration_test.py
index a0a28809b64..71d589ba55a 100644
--- a/buildscripts/resmokelib/testing/testcases/cpp_integration_test.py
+++ b/buildscripts/resmokelib/testing/testcases/cpp_integration_test.py
@@ -5,6 +5,7 @@ from typing import Optional
from buildscripts.resmokelib import core, logging, utils
from buildscripts.resmokelib.testing.testcases import interface
+from buildscripts.resmokelib.utils import certs
class CPPIntegrationTestCase(interface.ProcessTestCase):
@@ -39,6 +40,7 @@ class CPPIntegrationTestCase(interface.ProcessTestCase):
process_kwargs = copy.deepcopy(self.program_options.get("process_kwargs", {}))
interface.append_process_tracking_options(process_kwargs, self._id)
self.program_options["process_kwargs"] = process_kwargs
+ self.program_options = certs.expand_x509_paths(self.program_options)
def _make_process(self):
return core.programs.generic_program(
diff --git a/buildscripts/resmokelib/testing/testcases/jstest.py b/buildscripts/resmokelib/testing/testcases/jstest.py
index 60a4446bf57..1c6889d0995 100644
--- a/buildscripts/resmokelib/testing/testcases/jstest.py
+++ b/buildscripts/resmokelib/testing/testcases/jstest.py
@@ -15,7 +15,7 @@ from bson.objectid import ObjectId
from buildscripts.resmokelib import config, core, errors, logging, utils
from buildscripts.resmokelib.testing.testcases import interface
-from buildscripts.resmokelib.utils import registry
+from buildscripts.resmokelib.utils import certs, registry
class _SingleJSTestCase(interface.ProcessTestCase):
@@ -125,6 +125,7 @@ class _SingleJSTestCase(interface.ProcessTestCase):
interface.append_process_tracking_options(process_kwargs, self._id)
self.shell_options["process_kwargs"] = process_kwargs
+ self.shell_options = certs.expand_x509_paths(self.shell_options)
def _get_data_dir(self, global_vars: dict) -> str:
"""Return the value that mongo shell should set for the MongoRunner.dataDir property."""
diff --git a/buildscripts/resmokelib/utils/BUILD.bazel b/buildscripts/resmokelib/utils/BUILD.bazel
index 4af9adfba89..25004cd8f11 100644
--- a/buildscripts/resmokelib/utils/BUILD.bazel
+++ b/buildscripts/resmokelib/utils/BUILD.bazel
@@ -7,6 +7,7 @@ py_library(
"archival.py",
"autoloader.py",
"batched_baggage_span_processor.py",
+ "certs.py",
"check_has_tag.py",
"dictionary.py",
"evergreen_conn.py",
diff --git a/buildscripts/resmokelib/utils/certs.py b/buildscripts/resmokelib/utils/certs.py
new file mode 100644
index 00000000000..baff5cbe4ae
--- /dev/null
+++ b/buildscripts/resmokelib/utils/certs.py
@@ -0,0 +1,23 @@
+import os
+
+from buildscripts.resmokelib import config
+
+
+def _get_x509_basepath():
+ return (
+ "x509"
+ if config.INSTALL_DIR is None or config.INSTALL_DIR == ""
+ else os.path.join(config.INSTALL_DIR, "x509")
+ )
+
+
+def expand_x509_paths(options: dict) -> dict:
+ """Shallowly replace any references to ${x509ObjDir} in option values with the real directory
+ containing x509 certificates for testing."""
+ new_options = {}
+ for k, v in options.items():
+ if type(v) == str and r"${x509ObjDir}" in v:
+ new_options[k] = v.replace(r"${x509ObjDir}", _get_x509_basepath())
+ else:
+ new_options[k] = v
+ return new_options
diff --git a/eslint.config.mjs b/eslint.config.mjs
index d3dd7a68de1..578ab9a468f 100644
--- a/eslint.config.mjs
+++ b/eslint.config.mjs
@@ -90,6 +90,7 @@ export default [
___it___: true,
// src/mongo/shell/servers_global.js
+ getX509Path: true,
MongoRunner: true,
myPort: true,
runMongoProgram: true,
diff --git a/evergreen/selinux_test_executor.sh b/evergreen/selinux_test_executor.sh
index 217a59c4be5..6313557fc35 100755
--- a/evergreen/selinux_test_executor.sh
+++ b/evergreen/selinux_test_executor.sh
@@ -7,6 +7,7 @@ readonly k_test_path="$1"
return_code=1
export PATH="$(dirname "$k_mongo"):$PATH"
+export INSTALL_DIR="$(dirname "$k_mongo")"
function print_err() {
echo "$@" >&2
diff --git a/jstests/core/testing/certs_are_generated.js b/jstests/core/testing/certs_are_generated.js
index 5a855b41d11..072980676ee 100644
--- a/jstests/core/testing/certs_are_generated.js
+++ b/jstests/core/testing/certs_are_generated.js
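Review bot: `type(v) == str` in expand_x509_paths should be `isinstance(v, str)`, and `_get_x509_basepath()` is re-evaluated for every matching value although it depends only on config.INSTALL_DIR; hoisting it reads more cleanly, e.g. `base = _get_x509_basepath()` before the `for` and `new_options[k] = v.replace(r"${x509ObjDir}", base)` inside it. The substitution is also silent when the resolved directory does not exist, so a wrong or unset INSTALL_DIR only surfaces later as a TLS file-not-found from mongod or the shell; either a docstring sentence stating that the resolved path is not validated, or an `os.path.isdir` check raising a clear error, would make that failure easier to diagnose. Values nested inside dicts or lists are left untouched by design (the docstring says shallow), which callers passing structured `global_vars`/`TestData` options should keep in mind — I cannot tell from this hunk whether any of those carry certificate paths.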
@@ -7,16 +7,10 @@
* ]
*/
-let installDir = _getEnv("INSTALL_DIR");
-if (installDir === "") {
- installDir = ".";
-}
-const pathsep = _isWindows() ? "\\" : "/";
-const certDir = installDir + pathsep + "x509";
+const certDir = getX509Path("");
jsTest.log.info(certDir);
-jsTest.log.info(ls(installDir));
jsTest.log.info(ls(certDir));
-assert(fileExists(certDir + pathsep + "ca.pem"));
-assert(fileExists(certDir + pathsep + "crl.pem.digest.sha1"));
+assert(fileExists(getX509Path("ca.pem")));
+assert(fileExists(getX509Path("crl.pem.digest.sha1")));
diff --git a/jstests/libs/ssl_test.js b/jstests/libs/ssl_test.js
index 84c56c3bf7b..2b6392fa60e 100644
--- a/jstests/libs/ssl_test.js
+++ b/jstests/libs/ssl_test.js
@@ -12,8 +12,7 @@
* {'cmdLineParam': 'value', ...}. For flag arguments, the empty string is used as the value.
*
* For serverOpts a few defaults are set if values are not provided: specifically 'tlsMode'
- * (preferTLS), tlsCertificateKeyFile ("jstests/libs/server.pem"), and tlsCAFile
- * "jstests/libs/ca.pem").
+ * (preferTLS), tlsCertificateKeyFile ("server.pem"), and tlsCAFile ("ca.pem").
*/
export function TLSTest(serverOpts, clientOpts) {
let canonicalServerOpts = function (userProvidedOpts) {
@@ -27,10 +26,10 @@ export function TLSTest(serverOpts, clientOpts) {
}
if (!canonical.hasOwnProperty("tlsCertificateKeyFile")) {
- canonical.tlsCertificateKeyFile = "jstests/libs/server.pem";
+ canonical.tlsCertificateKeyFile = getX509Path("server.pem");
}
if (!canonical.hasOwnProperty("tlsCAFile")) {
- canonical.tlsCAFile = "jstests/libs/ca.pem";
+ canonical.tlsCAFile = getX509Path("ca.pem");
}
return canonical;
};
@@ -48,8 +47,8 @@ export function TLSTest(serverOpts, clientOpts) {
*/
TLSTest.prototype.defaultTLSClientOptions = {
"tls": "",
- "tlsCertificateKeyFile": "jstests/libs/client.pem",
- "tlsCAFile": "jstests/libs/ca.pem",
+ "tlsCertificateKeyFile": getX509Path("client.pem"),
+ "tlsCAFile": getX509Path("ca.pem"),
"eval": ";", // prevent the shell from entering interactive mode
};
diff --git a/jstests/noPassthrough/libs/x509/main_certs.json b/jstests/noPassthrough/libs/x509/main_certs.json
index c5b8a1c7eec..e4a38f63aca 100644
--- a/jstests/noPassthrough/libs/x509/main_certs.json
+++ b/jstests/noPassthrough/libs/x509/main_certs.json
@@ -1 +1 @@ -{"certs":[{"Issuer":"self","Subject":{"CN":"Kernel Test CA"},"description":"Primary Root Certificate Authority Most Certificates are issued by this CA.","extensions":{"basicConstraints":{"CA":true,"critical":true}},"keyfile":"ca_key.pem","name":"ca.pem"},{"Issuer":"ca.pem","Subject":{"CN":"127.0.0.1"},"description":"Certificate with an otherwise permissible CommonName, but with an unmatchable SubjectAlternateName.","extensions":{"basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"badSAN"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"badSAN.pem"},{"Issuer":"ca.pem","Subject":{"2.5.4.13":"Datum-13","2.5.4.14":"Datum-14","2.5.4.15":"Datum-15","2.5.4.16":"Datum-16","2.5.4.17":"Datum-17","2.5.4.18":"Datum-18","2.5.4.19":"Datum-19","2.5.4.20":"Datum-20","2.5.4.21":"Datum-21","2.5.4.22":"Datum-22","2.5.4.23":"Datum-23","2.5.4.24":"Datum-24","2.5.4.25":"Datum-25","2.5.4.26":"Datum-26","2.5.4.27":"Datum-27","2.5.4.28":"Datum-28","2.5.4.29":"Datum-29","2.5.4.30":"Datum-30","2.5.4.31":"Datum-31","2.5.4.32":"Datum-32","2.5.4.33":"Datum-33","2.5.4.34":"Datum-34","2.5.4.35":"Datum-35","2.5.4.36":"Datum-36","2.5.4.37":"Datum-37","2.5.4.38":"Datum-38","2.5.4.39":"Datum-39","2.5.4.40":"Datum-40","2.5.4.41":"Datum-41","2.5.4.42":"Datum-42","2.5.4.43":"Datum-43","2.5.4.44":"Datum-44","2.5.4.45":"Datum-45","2.5.4.46":"Datum-46","2.5.4.47":"Datum-47","2.5.4.48":"Datum-48","2.5.4.49":"Datum-49","2.5.4.50":"Datum-50","2.5.4.51":"Datum-51","2.5.4.52":"Datum-52","2.5.4.53":"Datum-53","2.5.4.54":"Datum-54","2.5.4.65":"Datum-65","2.5.4.72":"Datum-72","C":"US","CN":"Datum-3","L":"Datum-7","O":"Datum-10","OU":"Datum-11","SN":"Datum-4","ST":"NY","serialNumber":"Datum-5","streetAddress":"Datum-9","title":"Datum-12"},"description":"Client certificate with a long list of OIDs. 
Ensures the server functions well in unexpected circumstances.","explicit_subject":true,"keyfile":"key.pem","name":"client-all-the-oids.pem"},{"Issuer":"ca.pem","Subject":{"1.2.3.45":"Value,Rando","1.2.3.56":"RandoValue","CN":"client","OU":"KernelUser"},"description":"Client certificate using non-standard OIDs.","keyfile":"key.pem","name":"client-custom-oids.pem"},{"Issuer":"ca.pem","Subject":{"CN":"client","OU":"KernelUser","emailAddress":"example@mongodb.com"},"description":"Client certificate containing an email address. Includes authorizations for queryable backup.","extensions":{"mongoRoles":[{"db":"admin","role":"backup"},{"db":"admin","role":"readAnyDatabase"}]},"keyfile":"key.pem","name":"client_email.pem"},{"Issuer":"ca.pem","Subject":{"C":",+","CN":"Test","L":" >","O":"; ","OU":"Escape","ST":"\"\\<"},"description":"Client certificate with reserved characters in subject name. Includes authorizations for queryable backup.","explicit_subject":true,"extensions":{"mongoRoles":[{"db":"admin","role":"backup"},{"db":"admin","role":"readAnyDatabase"}]},"keyfile":"key.pem","name":"client_escape.pem"},{"Issuer":"ca.pem","Subject":{"CN":"client","OU":"KernelUser"},"description":"General purpose client certificate.","extensions":{"basicConstraints":{"CA":false},"extendedKeyUsage":["clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"client.pem"},{"Issuer":"ca.pem","Subject":{"CN":"client","OU":"KernelUser"},"description":"Client certificate configured with serverAuth EKU (should be disallowed when received on ingress connections)","extensions":{"basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"client_with_serverAuth_eku.pem"},{"Issuer":"ca.pem","Subject":{"CN":"client","OU":"KernelUser"},"description":"Client certificate configured with no 
EKUs","extensions":{"basicConstraints":{"CA":false},"keyUsage":["digitalSignature","keyEncipherment"],"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"client_without_eku.pem"},{"Issuer":"ca.pem","Subject":{"CN":"client","OU":"KernelUser"},"description":"Client certificate configured with both serverAuth and clientAuth EKUs","extensions":{"basicConstraints":{"CA":false},"extendedKeyUsage":["clientAuth","serverAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"client_with_serverAuth_and_clientAuth_eku.pem"},{"Issuer":"ca.pem","Subject":[{"CN":"client","O":"MongoDB","OU":"KernelUser"},{"C":"US","L":"New York City","ST":"New York"}],"description":"Client certificate containing multivalue RDNs","explicit_subject":true,"keyfile":"key.pem","name":"client-multivalue-rdn.pem"},{"Issuer":"ca.pem","Subject":{"CN":"client","emailAddress":"example@mongodb.com","title":"A Test Certificate"},"description":"General purpose client certificate with roles.","extensions":{"mongoRoles":[{"db":"admin","role":"backup"},{"db":"admin","role":"readAnyDatabase"}]},"keyfile":"key.pem","name":"client_privatekey.pem"},{"Issuer":"ca.pem","Subject":{"CN":"client_revoked"},"description":"Client certificate which has been explicitly revoked.","extensions":{"basicConstraints":{"CA":false},"extendedKeyUsage":["clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"client_revoked.pem","serial":4},{"Issuer":"ca.pem","Subject":{"CN":"Kernel Client Peer Role","OU":"Kernel Users"},"description":"General purpose client certificate with roles.","extensions":{"mongoRoles":[{"db":"admin","role":"backup"},{"db":"admin","role":"readAnyDatabase"}]},"keyfile":"key.pem","name":"client_roles.pem"},{"Issuer":"ca.pem","Subject":{"CN":"client","OU":"KernelUser","emailAddress":"example@mongodb.com","title":"A Test Certificate"},"description":"General purpose client certificate 
with roles.","extensions":{"mongoRoles":[{"db":"admin","role":"backup"},{"db":"admin","role":"readAnyDatabase"}]},"keyfile":"key.pem","name":"client_title.pem"},{"Issuer":"ca.pem","Subject":{"CN":"Калоян","OU":"Kernel Users"},"description":"Client certificate with non latin-1 unicode characters.","extensions":{"mongoRoles":[{"db":"admin","role":"backup"},{"db":"admin","role":"readAnyDatabase"}]},"keyfile":"key.pem","name":"client_utf8.pem"},{"Issuer":"ca.pem","Subject":{"CN":"clustertest"},"description":"Alternate cert for use in intra-cluster communication.","keyfile":"key.pem","name":"cluster_cert.pem"},{"Issuer":"ca.pem","Subject":{"CN":"expired"},"description":"A certificate which has passed its expiration date.","extensions":{"extendedKeyUsage":["serverAuth"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"key.pem","name":"expired.pem","not_after":-1000000,"not_before":-10000000},{"Issuer":"ca.pem","Subject":{"CN":"127.0.0.1"},"description":"Server certificate with IP localhost in CN, includes a SAN.","extensions":{"basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"localhostnameCN.pem"},{"Issuer":"ca.pem","Subject":{"CN":"localhost"},"description":"Localhost based certificate using non-matching subject alternate name.","extensions":{"extendedKeyUsage":["serverAuth"],"subjectAltName":{"DNS":"example.com"}},"keyfile":"key.pem","name":"localhost-cn-with-san.pem"},{"Issuer":"ca.pem","Subject":{"CN":"santesthostname.com"},"description":"Server certificate with a selection of 
SANs","extensions":{"basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":["*.example.com","localhost","morefun!"],"IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"localhostnameSAN.pem"},{"Issuer":"ca.pem","Subject":{"CN":"not_yet_valid"},"description":"A certificate which has yet to reach its validity date.","extensions":{"extendedKeyUsage":["serverAuth"],"mongoRoles":[{"db":"admin","role":"backup"},{"db":"admin","role":"readAnyDatabase"}],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"key.pem","name":"not_yet_valid.pem","not_after":701913600,"not_before":630720000},{"Issuer":"ca.pem","Subject":{"CN":"server"},"description":"Server cerificate using an encrypted private key.","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"pkcs1_encrypted_key.pem","name":"password_protected.pem","passphrase":"qwerty"},{"Issuer":"ca.pem","Subject":{"CN":"server"},"description":"General purpose server certificate file.","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"server.pem"},{"Issuer":"ca.pem","Subject":{"CN":"server"},"description":"General purpose server certificate file with clientAuth EKU (should be disallowed when received on egress 
connections)","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"server_with_clientAuth_eku.pem"},{"Issuer":"ca.pem","Subject":{"CN":"server"},"description":"General purpose server certificate file with serverAuth EKU only","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"server_with_serverAuth_eku.pem"},{"Issuer":"ca.pem","Subject":{"CN":"server"},"description":"General purpose server certificate file without any EKUs","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"server_without_eku.pem"},{"Issuer":"ca.pem","description":"Server certificate with empty Subject, but critical SAN.","explicit_subject":true,"extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":["127.0.0.1","::1"],"critical":true},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"server_no_subject.pem"},{"Issuer":"ca.pem","description":"Server certificate with empty Subject, and no 
SANs.","explicit_subject":true,"extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"server_no_subject_no_SAN.pem"},{"Issuer":"ca.pem","Subject":{"CN":"Kernel Client Peer Role"},"description":"General purpose server certificate with good SANs.","extensions":{"extendedKeyUsage":["serverAuth","clientAuth"],"subjectAltName":{"DNS":"localhost","IP":["127.0.0.1","::1"]}},"keyfile":"key.pem","name":"server_SAN.pem"},{"Issuer":"ca.pem","Subject":{"CN":"Kernel Client Peer Role"},"description":"General purpose server certificate with bad SANs.","extensions":{"extendedKeyUsage":["serverAuth"],"subjectAltName":{"DNS":"localhost","IP":["127.0.0.1","::1"]}},"keyfile":"key.pem","name":"server_SAN2.pem"},{"Issuer":"ca.pem","Subject":{"CN":"localhost","title":"Server no SAN attribute"},"description":"General purpose server certificate with missing SAN.","extensions":{"extendedKeyUsage":["serverAuth"]},"keyfile":"key.pem","name":"server_no_SAN.pem"},{"Issuer":"ca.pem","Subject":{"CN":"server"},"description":"A server certificate with the mongoClusterMembership extension with a value of foo","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"mongoClusterMembership":"foo","subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"cluster-member-foo.pem"},{"Issuer":"ca.pem","Subject":{"CN":"server"},"description":"A server certificate with the mongoClusterMembership extension with a value of 
bar","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"mongoClusterMembership":"bar","subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"cluster-member-bar.pem"},{"Issuer":"ca.pem","Subject":{"C":"ZZ","CN":"Doer","L":"Fakesville","O":"Company","OU":"Business","ST":"Example"},"description":"A server certificate with the mongoClusterMembership extension with a value of foo, but an unrelated RDN","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"mongoClusterMembership":"foo","subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"cluster-member-foo-alt-rdn.pem"},{"Issuer":"ca.pem","Subject":{"CN":"server","title":"foo"},"description":"Server certificate including the title attribute set to foo.","extensions":{"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"key.pem","name":"server_title_foo.pem"},{"Issuer":"ca.pem","Subject":{"CN":"server","title":"bar"},"description":"Server certificate including the title attribute set to bar.","extensions":{"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"key.pem","name":"server_title_bar.pem"},{"Issuer":"ca.pem","Subject":{"CN":"clustertest","title":"foo"},"description":"Alternate certificate for intracluster auth including the title attribute set to foo.","extensions":{"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"key.pem","name":"cluster_title_foo.pem"},{"Issuer":"ca.pem","Subject":{"C":"US","CN":"server","L":"New York City","ST":"New York","title":"foo"},"description":"Server certificate including the title attribute set to foo without O, OU, or 
DC.","explicit_subject":true,"extensions":{"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"key.pem","name":"server_title_foo_no_o_ou_dc.pem"},{"Issuer":"ca.pem","Subject":{"C":"US","CN":"server","L":"New York City","ST":"New York","title":"bar"},"description":"Server certificate including the title attribute set to bar without O, OU, or DC.","explicit_subject":true,"extensions":{"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"key.pem","name":"server_title_bar_no_o_ou_dc.pem"},{"Issuer":"ca.pem","Subject":{"C":"US","CN":"clustertest","L":"New York City","ST":"New York","title":"foo"},"description":"Alternate certificate for intracluster auth including the title attribute set to foo without O, OU, or DC.","explicit_subject":true,"extensions":{"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"key.pem","name":"cluster_title_foo_no_o_ou_dc.pem"},{"Issuer":"ca.pem","Subject":{"OU":"rs0"},"description":"General purpose server certificate file.","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"rs0.pem"},{"Issuer":"ca.pem","Subject":{"OU":"rs1"},"description":"General purpose server certificate file.","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"rs1.pem"},{"Issuer":"ca.pem","Subject":{"OU":"rs2"},"description":"General purpose server certificate 
file.","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"rs2.pem"},{"Issuer":"self","Subject":{"CN":"client","OU":"KernelUser"},"description":"A basic self-signed certificate.","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["clientAuth"],"keyUsage":["digitalSignature","keyEncipherment","nonRepudiation"],"nsComment":"OpenSSL Generated Certificate","subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"client-self-signed.pem"},{"Issuer":"self","Subject":{"CN":"smoke"},"description":"A self-signed certificate used for smoke testing.","extensions":{"basicConstraints":{"CA":true}},"keyfile":"key.pem","name":"smoke.pem"},{"Issuer":"self","Subject":{"CN":"Kernel Test CA"},"description":"OCSP Root Certificate Authority","extensions":{"basicConstraints":{"CA":true,"critical":true}},"include_header":false,"keyfile":"ocsp_ca_key.pem","name":"ca_ocsp.pem","split_cert_and_key":true},{"Issuer":"ca_ocsp.pem","Subject":{"C":"US","CN":"localhost","L":"OCSP-1","ST":"NY"},"description":"OCSP certificate for the mongodb server.","extensions":{"authorityInfoAccess":{"location":"http://localhost:8100/status","method":"OCSP"},"basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"include_header":false,"keyfile":"ocsp_key.pem","name":"server_ocsp.pem"},{"Issuer":"ca_ocsp.pem","Subject":{"C":"US","CN":"localhost","L":"OCSP-1","ST":"NY"},"description":"Non-OCSP certificate for the mongodb server using the OCSP 
CA.","extensions":{"basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"include_header":false,"keyfile":"ocsp_key.pem","name":"server_no_ocsp.pem"},{"Issuer":"ca_ocsp.pem","Subject":{"C":"US","CN":"badHost","L":"OCSP-1","ST":"NY"},"description":"An expired OCSP certificate for the mongodb server.","extensions":{"authorityInfoAccess":{"location":"http://localhost:8100/status","method":"OCSP"},"basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"badHost"},"subjectKeyIdentifier":"hash"},"include_header":false,"keyfile":"ocsp_key.pem","name":"server_ocsp_invalid.pem"},{"Issuer":"ca_ocsp.pem","Subject":{"C":"US","CN":"localhost","L":"OCSP-1","ST":"NY"},"description":"OCSP certificate for the mongodb server.","extensions":{"authorityInfoAccess":{"location":"http://localhost:8100/status","method":"OCSP"},"basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"include_header":false,"keyfile":"ocsp_key.pem","name":"server_ocsp_revoked.pem"},{"Issuer":"ca_ocsp.pem","Subject":{"C":"US","CN":"localhost","L":"OCSP-1","ST":"NY"},"description":"Must Staple OCSP certificate for the mongodb 
server.","extensions":{"authorityInfoAccess":{"location":"http://localhost:8100/status","method":"OCSP"},"basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"mustStaple":true,"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"include_header":false,"keyfile":"ocsp_key.pem","name":"server_ocsp_mustStaple.pem"},{"Issuer":"ca_ocsp.pem","Subject":{"C":"US","CN":"localhost","L":"OCSP-2","ST":"NY"},"description":"OCSP certificate for the mongodb client.","extensions":{"authorityInfoAccess":{"location":"http://localhost:8100/status","method":"OCSP"},"basicConstraints":{"CA":false},"extendedKeyUsage":["clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"include_header":false,"keyfile":"ocsp_key.pem","name":"client_ocsp.pem"},{"Issuer":"ca_ocsp.pem","Subject":{"CN":"Intermediate CA for OCSP"},"description":"CA issued by the primary OCSP CA, which then issues its own server OCSP cert.","extensions":{"basicConstraints":{"CA":true,"critical":true},"subjectKeyIdentifier":"hash"},"include_header":false,"keyfile":"intermediate_ocsp_ca_key.pem","name":"intermediate_ca_only_ocsp.pem","split_cert_and_key":true},{"append_cert":["intermediate_ca_only_ocsp.pem","ca_ocsp.pem"],"description":"OCSP CA and OCSP Intermediate appended together","include_header":false,"name":"intermediate_ca_with_root_ocsp.pem"},{"Issuer":"intermediate_ca_only_ocsp.pem","Subject":{"CN":"Server OCSP Via Intermediate"},"description":"Server OCSP certificate signed by intermediate 
CA.","extensions":{"authorityInfoAccess":{"location":"http://localhost:8100/status","method":"OCSP"},"basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"include_header":false,"keyfile":"intermediate_ocsp_key.pem","name":"server_signed_by_intermediate_ca_ocsp.pem"},{"Issuer":"intermediate_ca_only_ocsp.pem","Subject":{"CN":"Server OCSP Via Intermediate"},"append_cert":"intermediate_ca_only_ocsp.pem","description":"Server OCSP certificate signed by intermediate CA.","extensions":{"authorityInfoAccess":{"location":"http://localhost:8100/status","method":"OCSP"},"basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"include_header":false,"keyfile":"intermediate_ocsp_key.pem","name":"server_and_intermediate_ca_appended_ocsp.pem"},{"Issuer":"ca_ocsp.pem","Subject":{"C":"US","CN":"localhost","L":"OCSP-3","ST":"NY"},"description":"Certificate and key for the OCSP responder","extensions":{"basicConstraints":{"CA":false},"extendedKeyUsage":["OCSPSigning"],"keyUsage":["nonRepudiation","digitalSignature","keyEncipherment"]},"include_header":false,"keyfile":"ocsp_key.pem","name":"ocsp_responder.pem","split_cert_and_key":true},{"Issuer":"self","Subject":{"C":"US","CN":"Kernel Rollover Test CA","L":"New York","O":"MongoDB, Inc.","OU":"Kernel","ST":"New York"},"description":"Separate CA used during rollover tests.","explicit_subject":true,"extensions":{"authorityKeyIdentifier":"keyid","basicConstraints":{"CA":true,"critical":true},"keyUsage":["critical","digitalSignature","keyCertSign","cRLSign"],"subjectKeyIdentifier":"hash"},"keyfile":"rollover_ca_key.pem","name":"rollover_ca.pem"},{"append_cert":["rollover_ca.pem","ca.pem"],"description":"Combination of 
rollover_ca.pem and ca.pem","name":"rollover_ca_merged.pem"},{"Issuer":"rollover_ca.pem","Subject":{"C":"US","CN":"server","L":"New York","O":"MongoDB, Inc. (Rollover)","OU":"Kernel","ST":"New York"},"description":"Server rollover certificate.","explicit_subject":true,"extensions":{"extendedKeyUsage":["serverAuth","clientAuth"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"rollover_key.pem","name":"rollover_server.pem"},{"Issuer":"ca.pem","Subject":{"CN":"Intermediate CA"},"description":"CA issues by the primary root CA, which then issues its own server cert.","extensions":{"basicConstraints":{"CA":true}},"keyfile":"intermediate_ca_key.pem","name":"intermediate-ca.pem"},{"Issuer":"intermediate-ca.pem","Subject":{"CN":"Server Via Intermediate"},"append_cert":"intermediate-ca.pem","description":"Server certificate signed by intermediate CA, including intermediate CA in bundle.","extensions":{"extendedKeyUsage":["serverAuth","clientAuth"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"intermediate_key.pem","name":"server-intermediate-ca.pem"},{"Issuer":"intermediate-ca.pem","Subject":{"CN":"Server Leaf Via Intermediate"},"description":"Server certificate signed by intermediate CA.","extensions":{"extendedKeyUsage":["serverAuth"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"intermediate_key.pem","name":"server-intermediate-leaf.pem"},{"append_cert":["ca.pem","intermediate-ca.pem"],"description":"CA pem including intermediate certs.","name":"intermediate-ca-chain.pem"},{"Issuer":"ca.pem","Subject":{"CN":"Intermediate CA B"},"description":"Secondary intermediate CA issued by the primary root CA.","extensions":{"basicConstraints":{"CA":true}},"keyfile":"intermediate_b_ca_key.pem","name":"intermediate-ca-B.pem"},{"Issuer":"intermediate-ca-B.pem","Subject":{"CN":"End-entity certificate via Intermediate CA B"},"description":"First end-entity certificate signed by intermediate CA 
B","extensions":{"extendedKeyUsage":["serverAuth","clientAuth"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"intermediate_b_key.pem","name":"intermediate-ca-B-leaf.pem"},{"Issuer":"ca.pem","Subject":{"CN":"server","O":"MongoDB, Inc. (Splithorizon)"},"description":"Server certificate for split horizon testing.","extensions":{"extendedKeyUsage":["serverAuth","clientAuth"],"subjectAltName":{"DNS":["localhost","splithorizon1","splithorizon2"],"IP":"127.0.0.1"}},"keyfile":"key.pem","name":"splithorizon-server.pem"},{"Issuer":"self","Subject":{"CN":"Trusted Kernel Test CA"},"description":"CA for alternate client/server certificate chain.","extensions":{"basicConstraints":{"CA":true},"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"trusted_ca_key.pem","name":"trusted-ca.pem"},{"Issuer":"trusted-ca.pem","Subject":{"CN":"Trusted Kernel Test Client"},"description":"Client certificate for trusted chain.","extensions":{"extendedKeyUsage":["clientAuth"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"trusted_key.pem","name":"trusted-client.pem"},{"Issuer":"trusted-ca.pem","Subject":{"CN":"Trusted Kernel Test Server"},"description":"Server certificate for trusted chain.","extensions":{"extendedKeyUsage":["serverAuth"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"trusted_key.pem","name":"trusted-server.pem"},{"Issuer":"trusted-ca.pem","Subject":{"CN":"Trusted Kernel Test Cluster Server"},"description":"Server cluster certificate for trusted chain.","extensions":{"extendedKeyUsage":["clientAuth","serverAuth"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"trusted_key.pem","name":"trusted-cluster-server.pem"},{"Issuer":"trusted-ca.pem","Subject":{"CN":"Trusted Kernel Test Client With Roles","OU":"Kernel Users"},"description":"Client certificate with X509 role grants via trusted 
chain.","extensions":{"mongoRoles":[{"db":"testDB","role":"role1"},{"db":"testDB","role":"role2"}]},"keyfile":"trusted_key.pem","name":"trusted-client-testdb-roles.pem"},{"append_cert":["ca.pem","trusted-ca.pem"],"description":"Combined ca.pem and trusted-ca.pem","name":"root-and-trusted-ca.pem"},{"Issuer":"self","Subject":{"CN":"Kernel Test ECDSA CA"},"description":"Root of ECDSA tree.","extensions":{"basicConstraints":{"CA":true},"subjectKeyIdentifier":"hash"},"keyfile":"ec_ca_key.pem","name":"ecdsa-ca.pem"},{"Issuer":"ecdsa-ca.pem","Subject":{"CN":"client"},"description":"Client certificate for ECDSA tree.","keyfile":"ec_key.pem","name":"ecdsa-client.pem"},{"Issuer":"ecdsa-ca.pem","Subject":{"CN":"server"},"description":"Server certificate for ECDSA tree.","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"ec_key.pem","name":"ecdsa-server.pem"},{"Issuer":"self","Subject":{"CN":"Kernel Test ECDSA CA"},"description":"Root of ECDSA tree for OCSP testing","extensions":{"basicConstraints":{"CA":true},"subjectKeyIdentifier":"hash"},"keyfile":"pkcs8_encrypted_ec_ocsp_ca_key.pem","name":"ecdsa-ca-ocsp.pem","split_cert_and_key":true},{"Issuer":"ecdsa-ca-ocsp.pem","Subject":{"CN":"server"},"description":"ECDSA server certificate 
w/OCSP","extensions":{"authorityInfoAccess":[{"location":"http://localhost:9001/power/level","method":"OCSP"},{"location":"http://localhost:8100/status","method":"OCSP"}],"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"pkcs8_encrypted_ec_ocsp_key.pem","name":"ecdsa-server-ocsp.pem"},{"Issuer":"ecdsa-ca-ocsp.pem","Subject":{"CN":"server"},"description":"ECDSA server certificate w/OCSP + must-staple","extensions":{"authorityInfoAccess":[{"location":"http://localhost:9001/power/level","method":"OCSP"},{"location":"http://localhost:8100/status","method":"OCSP"}],"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"mustStaple":true,"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"pkcs8_encrypted_ec_ocsp_key.pem","name":"ecdsa-server-ocsp-mustStaple.pem"},{"Issuer":"ecdsa-ca-ocsp.pem","Subject":{"CN":"server"},"description":"ECDSA certificate and key for OCSP responder","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth","OCSPSigning"],"keyUsage":["nonRepudiation","digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"pkcs8_encrypted_ec_ocsp_key.pem","name":"ecdsa-ocsp-responder.pem","split_cert_and_key":true},{"Issuer":"trusted-ca.pem","Subject":{"C":"US","CN":"trusted_client_password_protected","L":"New York City","O":"MongoDB","OU":"KernelUser","ST":"New York"},"description":"Encrypted storage engine KMIP client 
certificate.","extensions":{"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"pkcs1_encrypted_trusted_key.pem","name":"trusted_client_password_protected.pem","passphrase":"qwerty"},{"Issuer":"ca.pem","Subject":{"C":"US","CN":"ldapz_x509_1","L":"New York City","O":"MongoDB","OU":"KernelUser","ST":"New York"},"description":"X.509 LDAP Auth Test Cert.","keyfile":"key.pem","name":"ldapz_x509_1.pem"},{"Issuer":"ca.pem","Subject":{"C":"US","CN":"ldapz_x509_2","L":"New York City","O":"MongoDB","OU":"KernelUser","ST":"New York"},"description":"X.509 LDAP Auth Test Cert.","keyfile":"key.pem","name":"ldapz_x509_2.pem"}],"crls":["crl.pem","crl_client_revoked.pem","crl_intermediate_ca_B_revoked.pem","crl_from_trusted_ca.pem","crl_from_intermediate_ca_B.pem"],"global":{"Subject":{"C":"US","L":"New York City","O":"MongoDB","OU":"Kernel","ST":"New York"}}} +{"certs":[{"Issuer":"self","Subject":{"CN":"Kernel Test CA"},"description":"Primary Root Certificate Authority Most Certificates are issued by this CA.","extensions":{"basicConstraints":{"CA":true,"critical":true}},"keyfile":"ca_key.pem","name":"ca.pem"},{"Issuer":"ca.pem","Subject":{"CN":"127.0.0.1"},"description":"Certificate with an otherwise permissible CommonName, but with an unmatchable 
SubjectAlternateName.","extensions":{"basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"badSAN"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"badSAN.pem"},{"Issuer":"ca.pem","Subject":{"2.5.4.13":"Datum-13","2.5.4.14":"Datum-14","2.5.4.15":"Datum-15","2.5.4.16":"Datum-16","2.5.4.17":"Datum-17","2.5.4.18":"Datum-18","2.5.4.19":"Datum-19","2.5.4.20":"Datum-20","2.5.4.21":"Datum-21","2.5.4.22":"Datum-22","2.5.4.23":"Datum-23","2.5.4.24":"Datum-24","2.5.4.25":"Datum-25","2.5.4.26":"Datum-26","2.5.4.27":"Datum-27","2.5.4.28":"Datum-28","2.5.4.29":"Datum-29","2.5.4.30":"Datum-30","2.5.4.31":"Datum-31","2.5.4.32":"Datum-32","2.5.4.33":"Datum-33","2.5.4.34":"Datum-34","2.5.4.35":"Datum-35","2.5.4.36":"Datum-36","2.5.4.37":"Datum-37","2.5.4.38":"Datum-38","2.5.4.39":"Datum-39","2.5.4.40":"Datum-40","2.5.4.41":"Datum-41","2.5.4.42":"Datum-42","2.5.4.43":"Datum-43","2.5.4.44":"Datum-44","2.5.4.45":"Datum-45","2.5.4.46":"Datum-46","2.5.4.47":"Datum-47","2.5.4.48":"Datum-48","2.5.4.49":"Datum-49","2.5.4.50":"Datum-50","2.5.4.51":"Datum-51","2.5.4.52":"Datum-52","2.5.4.53":"Datum-53","2.5.4.54":"Datum-54","2.5.4.65":"Datum-65","2.5.4.72":"Datum-72","C":"US","CN":"Datum-3","L":"Datum-7","O":"Datum-10","OU":"Datum-11","SN":"Datum-4","ST":"NY","serialNumber":"Datum-5","streetAddress":"Datum-9","title":"Datum-12"},"description":"Client certificate with a long list of OIDs. 
Ensures the server functions well in unexpected circumstances.","explicit_subject":true,"keyfile":"key.pem","name":"client-all-the-oids.pem"},{"Issuer":"ca.pem","Subject":{"1.2.3.45":"Value,Rando","1.2.3.56":"RandoValue","CN":"client","OU":"KernelUser"},"description":"Client certificate using non-standard OIDs.","keyfile":"key.pem","name":"client-custom-oids.pem"},{"Issuer":"ca.pem","Subject":{"CN":"client","OU":"KernelUser","emailAddress":"example@mongodb.com"},"description":"Client certificate containing an email address. Includes authorizations for queryable backup.","extensions":{"mongoRoles":[{"db":"admin","role":"backup"},{"db":"admin","role":"readAnyDatabase"}]},"keyfile":"key.pem","name":"client_email.pem"},{"Issuer":"ca.pem","Subject":{"C":",+","CN":"Test","L":" >","O":"; ","OU":"Escape","ST":"\"\\<"},"description":"Client certificate with reserved characters in subject name. Includes authorizations for queryable backup.","explicit_subject":true,"extensions":{"mongoRoles":[{"db":"admin","role":"backup"},{"db":"admin","role":"readAnyDatabase"}]},"keyfile":"key.pem","name":"client_escape.pem"},{"Issuer":"ca.pem","Subject":{"CN":"client","OU":"KernelUser"},"description":"General purpose client certificate.","extensions":{"basicConstraints":{"CA":false},"extendedKeyUsage":["clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"client.pem"},{"Issuer":"ca.pem","Subject":{"CN":"client","OU":"KernelUser"},"description":"Client certificate configured with serverAuth EKU (should be disallowed when received on ingress connections)","extensions":{"basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"client_with_serverAuth_eku.pem"},{"Issuer":"ca.pem","Subject":{"CN":"client","OU":"KernelUser"},"description":"Client certificate configured with no 
EKUs","extensions":{"basicConstraints":{"CA":false},"keyUsage":["digitalSignature","keyEncipherment"],"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"client_without_eku.pem"},{"Issuer":"ca.pem","Subject":{"CN":"client","OU":"KernelUser"},"description":"Client certificate configured with both serverAuth and clientAuth EKUs","extensions":{"basicConstraints":{"CA":false},"extendedKeyUsage":["clientAuth","serverAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"client_with_serverAuth_and_clientAuth_eku.pem"},{"Issuer":"ca.pem","Subject":[{"CN":"client","O":"MongoDB","OU":"KernelUser"},{"C":"US","L":"New York City","ST":"New York"}],"description":"Client certificate containing multivalue RDNs","explicit_subject":true,"keyfile":"key.pem","name":"client-multivalue-rdn.pem"},{"Issuer":"ca.pem","Subject":{"CN":"client","emailAddress":"example@mongodb.com","title":"A Test Certificate"},"description":"General purpose client certificate with roles.","extensions":{"mongoRoles":[{"db":"admin","role":"backup"},{"db":"admin","role":"readAnyDatabase"}]},"keyfile":"key.pem","name":"client_privatekey.pem"},{"Issuer":"ca.pem","Subject":{"CN":"client_revoked"},"description":"Client certificate which has been explicitly revoked.","extensions":{"basicConstraints":{"CA":false},"extendedKeyUsage":["clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"client_revoked.pem","serial":4},{"Issuer":"ca.pem","Subject":{"CN":"Kernel Client Peer Role","OU":"Kernel Users"},"description":"General purpose client certificate with roles.","extensions":{"mongoRoles":[{"db":"admin","role":"backup"},{"db":"admin","role":"readAnyDatabase"}]},"keyfile":"key.pem","name":"client_roles.pem"},{"Issuer":"ca.pem","Subject":{"CN":"client","OU":"KernelUser","emailAddress":"example@mongodb.com","title":"A Test Certificate"},"description":"General purpose client certificate 
with roles.","extensions":{"mongoRoles":[{"db":"admin","role":"backup"},{"db":"admin","role":"readAnyDatabase"}]},"keyfile":"key.pem","name":"client_title.pem"},{"Issuer":"ca.pem","Subject":{"CN":"Калоян","OU":"Kernel Users"},"description":"Client certificate with non latin-1 unicode characters.","extensions":{"mongoRoles":[{"db":"admin","role":"backup"},{"db":"admin","role":"readAnyDatabase"}]},"keyfile":"key.pem","name":"client_utf8.pem"},{"Issuer":"ca.pem","Subject":{"CN":"clustertest"},"description":"Alternate cert for use in intra-cluster communication.","keyfile":"key.pem","name":"cluster_cert.pem"},{"Issuer":"ca.pem","Subject":{"CN":"expired"},"description":"A certificate which has passed its expiration date.","extensions":{"extendedKeyUsage":["serverAuth"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"key.pem","name":"expired.pem","not_after":-1000000,"not_before":-10000000},{"Issuer":"ca.pem","Subject":{"CN":"127.0.0.1"},"description":"Server certificate with IP localhost in CN, includes a SAN.","extensions":{"basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"localhostnameCN.pem"},{"Issuer":"ca.pem","Subject":{"CN":"localhost"},"description":"Localhost based certificate using non-matching subject alternate name.","extensions":{"extendedKeyUsage":["serverAuth"],"subjectAltName":{"DNS":"example.com"}},"keyfile":"key.pem","name":"localhost-cn-with-san.pem"},{"Issuer":"ca.pem","Subject":{"CN":"santesthostname.com"},"description":"Server certificate with a selection of 
SANs","extensions":{"basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":["*.example.com","localhost","morefun!"],"IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"localhostnameSAN.pem"},{"Issuer":"ca.pem","Subject":{"CN":"not_yet_valid"},"description":"A certificate which has yet to reach its validity date.","extensions":{"extendedKeyUsage":["serverAuth"],"mongoRoles":[{"db":"admin","role":"backup"},{"db":"admin","role":"readAnyDatabase"}],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"key.pem","name":"not_yet_valid.pem","not_after":701913600,"not_before":630720000},{"Issuer":"ca.pem","Subject":{"CN":"server"},"description":"Server cerificate using an encrypted private key.","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"pkcs1_encrypted_key.pem","name":"password_protected.pem","passphrase":"qwerty"},{"Issuer":"ca.pem","Subject":{"CN":"server"},"description":"General purpose server certificate file.","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"server.pem"},{"Issuer":"ca.pem","Subject":{"CN":"server"},"description":"General purpose server certificate file with clientAuth EKU (should be disallowed when received on egress 
connections)","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"server_with_clientAuth_eku.pem"},{"Issuer":"ca.pem","Subject":{"CN":"server"},"description":"General purpose server certificate file with serverAuth EKU only","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"server_with_serverAuth_eku.pem"},{"Issuer":"ca.pem","Subject":{"CN":"server"},"description":"General purpose server certificate file without any EKUs","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"server_without_eku.pem"},{"Issuer":"ca.pem","description":"Server certificate with empty Subject, but critical SAN.","explicit_subject":true,"extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":["127.0.0.1","::1"],"critical":true},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"server_no_subject.pem"},{"Issuer":"ca.pem","description":"Server certificate with empty Subject, and no 
SANs.","explicit_subject":true,"extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"server_no_subject_no_SAN.pem"},{"Issuer":"ca.pem","Subject":{"CN":"Kernel Client Peer Role"},"description":"General purpose server certificate with good SANs.","extensions":{"extendedKeyUsage":["serverAuth","clientAuth"],"subjectAltName":{"DNS":"localhost","IP":["127.0.0.1","::1"]}},"keyfile":"key.pem","name":"server_SAN.pem"},{"Issuer":"ca.pem","Subject":{"CN":"Kernel Client Peer Role"},"description":"General purpose server certificate with bad SANs.","extensions":{"extendedKeyUsage":["serverAuth"],"subjectAltName":{"DNS":"localhost","IP":["127.0.0.1","::1"]}},"keyfile":"key.pem","name":"server_SAN2.pem"},{"Issuer":"ca.pem","Subject":{"CN":"localhost","title":"Server no SAN attribute"},"description":"General purpose server certificate with missing SAN.","extensions":{"extendedKeyUsage":["serverAuth"]},"keyfile":"key.pem","name":"server_no_SAN.pem"},{"Issuer":"ca.pem","Subject":{"CN":"server"},"description":"A server certificate with the mongoClusterMembership extension with a value of foo","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"mongoClusterMembership":"foo","subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"cluster-member-foo.pem"},{"Issuer":"ca.pem","Subject":{"CN":"server"},"description":"A server certificate with the mongoClusterMembership extension with a value of 
bar","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"mongoClusterMembership":"bar","subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"cluster-member-bar.pem"},{"Issuer":"ca.pem","Subject":{"C":"ZZ","CN":"Doer","L":"Fakesville","O":"Company","OU":"Business","ST":"Example"},"description":"A server certificate with the mongoClusterMembership extension with a value of foo, but an unrelated RDN","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"mongoClusterMembership":"foo","subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"cluster-member-foo-alt-rdn.pem"},{"Issuer":"ca.pem","Subject":{"CN":"server","title":"foo"},"description":"Server certificate including the title attribute set to foo.","extensions":{"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"key.pem","name":"server_title_foo.pem"},{"Issuer":"ca.pem","Subject":{"CN":"server","title":"bar"},"description":"Server certificate including the title attribute set to bar.","extensions":{"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"key.pem","name":"server_title_bar.pem"},{"Issuer":"ca.pem","Subject":{"CN":"clustertest","title":"foo"},"description":"Alternate certificate for intracluster auth including the title attribute set to foo.","extensions":{"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"key.pem","name":"cluster_title_foo.pem"},{"Issuer":"ca.pem","Subject":{"C":"US","CN":"server","L":"New York City","ST":"New York","title":"foo"},"description":"Server certificate including the title attribute set to foo without O, OU, or 
DC.","explicit_subject":true,"extensions":{"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"key.pem","name":"server_title_foo_no_o_ou_dc.pem"},{"Issuer":"ca.pem","Subject":{"C":"US","CN":"server","L":"New York City","ST":"New York","title":"bar"},"description":"Server certificate including the title attribute set to bar without O, OU, or DC.","explicit_subject":true,"extensions":{"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"key.pem","name":"server_title_bar_no_o_ou_dc.pem"},{"Issuer":"ca.pem","Subject":{"C":"US","CN":"clustertest","L":"New York City","ST":"New York","title":"foo"},"description":"Alternate certificate for intracluster auth including the title attribute set to foo without O, OU, or DC.","explicit_subject":true,"extensions":{"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"key.pem","name":"cluster_title_foo_no_o_ou_dc.pem"},{"Issuer":"ca.pem","Subject":{"OU":"rs0"},"description":"General purpose server certificate file.","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"rs0.pem"},{"Issuer":"ca.pem","Subject":{"OU":"rs1"},"description":"General purpose server certificate file.","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"rs1.pem"},{"Issuer":"ca.pem","Subject":{"OU":"rs2"},"description":"General purpose server certificate 
file.","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"rs2.pem"},{"Issuer":"self","Subject":{"CN":"client","OU":"KernelUser"},"description":"A basic self-signed certificate.","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["clientAuth"],"keyUsage":["digitalSignature","keyEncipherment","nonRepudiation"],"nsComment":"OpenSSL Generated Certificate","subjectKeyIdentifier":"hash"},"keyfile":"key.pem","name":"client-self-signed.pem"},{"Issuer":"self","Subject":{"CN":"smoke"},"description":"A self-signed certificate used for smoke testing.","extensions":{"basicConstraints":{"CA":true}},"keyfile":"key.pem","name":"smoke.pem"},{"Issuer":"self","Subject":{"CN":"Kernel Test CA"},"description":"OCSP Root Certificate Authority","extensions":{"basicConstraints":{"CA":true,"critical":true}},"keyfile":"ocsp_ca_key.pem","name":"ca_ocsp.pem","split_cert_and_key":true},{"Issuer":"ca_ocsp.pem","Subject":{"C":"US","CN":"localhost","L":"OCSP-1","ST":"NY"},"description":"OCSP certificate for the mongodb server.","extensions":{"authorityInfoAccess":{"location":"http://localhost:8100/status","method":"OCSP"},"basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"ocsp_key.pem","name":"server_ocsp.pem"},{"Issuer":"ca_ocsp.pem","Subject":{"C":"US","CN":"localhost","L":"OCSP-1","ST":"NY"},"description":"Non-OCSP certificate for the mongodb server using the OCSP 
CA.","extensions":{"basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"ocsp_key.pem","name":"server_no_ocsp.pem"},{"Issuer":"ca_ocsp.pem","Subject":{"C":"US","CN":"badHost","L":"OCSP-1","ST":"NY"},"description":"An expired OCSP certificate for the mongodb server.","extensions":{"authorityInfoAccess":{"location":"http://localhost:8100/status","method":"OCSP"},"basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"badHost"},"subjectKeyIdentifier":"hash"},"keyfile":"ocsp_key.pem","name":"server_ocsp_invalid.pem"},{"Issuer":"ca_ocsp.pem","Subject":{"C":"US","CN":"localhost","L":"OCSP-1","ST":"NY"},"description":"OCSP certificate for the mongodb server.","extensions":{"authorityInfoAccess":{"location":"http://localhost:8100/status","method":"OCSP"},"basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"ocsp_key.pem","name":"server_ocsp_revoked.pem"},{"Issuer":"ca_ocsp.pem","Subject":{"C":"US","CN":"localhost","L":"OCSP-1","ST":"NY"},"description":"Must Staple OCSP certificate for the mongodb server.","extensions":{"authorityInfoAccess":{"location":"http://localhost:8100/status","method":"OCSP"},"basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"mustStaple":true,"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"ocsp_key.pem","name":"server_ocsp_mustStaple.pem"},{"Issuer":"ca_ocsp.pem","Subject":{"C":"US","CN":"localhost","L":"OCSP-2","ST":"NY"},"description":"OCSP certificate for the mongodb 
client.","extensions":{"authorityInfoAccess":{"location":"http://localhost:8100/status","method":"OCSP"},"basicConstraints":{"CA":false},"extendedKeyUsage":["clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"ocsp_key.pem","name":"client_ocsp.pem"},{"Issuer":"ca_ocsp.pem","Subject":{"CN":"Intermediate CA for OCSP"},"description":"CA issued by the primary OCSP CA, which then issues its own server OCSP cert.","extensions":{"basicConstraints":{"CA":true,"critical":true},"subjectKeyIdentifier":"hash"},"keyfile":"intermediate_ocsp_ca_key.pem","name":"intermediate_ca_only_ocsp.pem","split_cert_and_key":true},{"append_cert":["intermediate_ca_only_ocsp.pem","ca_ocsp.pem"],"description":"OCSP CA and OCSP Intermediate appended together","name":"intermediate_ca_with_root_ocsp.pem"},{"Issuer":"intermediate_ca_only_ocsp.pem","Subject":{"CN":"Server OCSP Via Intermediate"},"description":"Server OCSP certificate signed by intermediate CA.","extensions":{"authorityInfoAccess":{"location":"http://localhost:8100/status","method":"OCSP"},"basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"intermediate_ocsp_key.pem","name":"server_signed_by_intermediate_ca_ocsp.pem"},{"Issuer":"intermediate_ca_only_ocsp.pem","Subject":{"CN":"Server OCSP Via Intermediate"},"append_cert":"intermediate_ca_only_ocsp.pem","description":"Server OCSP certificate signed by intermediate 
CA.","extensions":{"authorityInfoAccess":{"location":"http://localhost:8100/status","method":"OCSP"},"basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"intermediate_ocsp_key.pem","name":"server_and_intermediate_ca_appended_ocsp.pem"},{"Issuer":"ca_ocsp.pem","Subject":{"C":"US","CN":"localhost","L":"OCSP-3","ST":"NY"},"description":"Certificate and key for the OCSP responder","extensions":{"basicConstraints":{"CA":false},"extendedKeyUsage":["OCSPSigning"],"keyUsage":["nonRepudiation","digitalSignature","keyEncipherment"]},"keyfile":"ocsp_responder_key.pem","name":"ocsp_responder.pem","split_cert_and_key":true},{"Issuer":"self","Subject":{"C":"US","CN":"Kernel Rollover Test CA","L":"New York","O":"MongoDB, Inc.","OU":"Kernel","ST":"New York"},"description":"Separate CA used during rollover tests.","explicit_subject":true,"extensions":{"authorityKeyIdentifier":"keyid","basicConstraints":{"CA":true,"critical":true},"keyUsage":["critical","digitalSignature","keyCertSign","cRLSign"],"subjectKeyIdentifier":"hash"},"keyfile":"rollover_ca_key.pem","name":"rollover_ca.pem"},{"append_cert":["rollover_ca.pem","ca.pem"],"description":"Combination of rollover_ca.pem and ca.pem","name":"rollover_ca_merged.pem"},{"Issuer":"rollover_ca.pem","Subject":{"C":"US","CN":"server","L":"New York","O":"MongoDB, Inc. 
(Rollover)","OU":"Kernel","ST":"New York"},"description":"Server rollover certificate.","explicit_subject":true,"extensions":{"extendedKeyUsage":["serverAuth","clientAuth"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"rollover_key.pem","name":"rollover_server.pem"},{"Issuer":"ca.pem","Subject":{"CN":"Intermediate CA"},"description":"CA issues by the primary root CA, which then issues its own server cert.","extensions":{"basicConstraints":{"CA":true}},"keyfile":"intermediate_ca_key.pem","name":"intermediate-ca.pem"},{"Issuer":"intermediate-ca.pem","Subject":{"CN":"Server Via Intermediate"},"append_cert":"intermediate-ca.pem","description":"Server certificate signed by intermediate CA, including intermediate CA in bundle.","extensions":{"extendedKeyUsage":["serverAuth","clientAuth"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"intermediate_key.pem","name":"server-intermediate-ca.pem"},{"Issuer":"intermediate-ca.pem","Subject":{"CN":"Server Leaf Via Intermediate"},"description":"Server certificate signed by intermediate CA.","extensions":{"extendedKeyUsage":["serverAuth"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"intermediate_key.pem","name":"server-intermediate-leaf.pem"},{"append_cert":["ca.pem","intermediate-ca.pem"],"description":"CA pem including intermediate certs.","name":"intermediate-ca-chain.pem"},{"Issuer":"ca.pem","Subject":{"CN":"Intermediate CA B"},"description":"Secondary intermediate CA issued by the primary root CA.","extensions":{"basicConstraints":{"CA":true}},"keyfile":"intermediate_b_ca_key.pem","name":"intermediate-ca-B.pem"},{"Issuer":"intermediate-ca-B.pem","Subject":{"CN":"End-entity certificate via Intermediate CA B"},"description":"First end-entity certificate signed by intermediate CA 
B","extensions":{"extendedKeyUsage":["serverAuth","clientAuth"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"intermediate_b_key.pem","name":"intermediate-ca-B-leaf.pem"},{"Issuer":"ca.pem","Subject":{"CN":"server","O":"MongoDB, Inc. (Splithorizon)"},"description":"Server certificate for split horizon testing.","extensions":{"extendedKeyUsage":["serverAuth","clientAuth"],"subjectAltName":{"DNS":["localhost","splithorizon1","splithorizon2"],"IP":"127.0.0.1"}},"keyfile":"key.pem","name":"splithorizon-server.pem"},{"Issuer":"self","Subject":{"CN":"Trusted Kernel Test CA"},"description":"CA for alternate client/server certificate chain.","extensions":{"basicConstraints":{"CA":true},"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"trusted_ca_key.pem","name":"trusted-ca.pem"},{"Issuer":"trusted-ca.pem","Subject":{"CN":"Trusted Kernel Test Client"},"description":"Client certificate for trusted chain.","extensions":{"extendedKeyUsage":["clientAuth"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"trusted_key.pem","name":"trusted-client.pem"},{"Issuer":"trusted-ca.pem","Subject":{"CN":"Trusted Kernel Test Server"},"description":"Server certificate for trusted chain.","extensions":{"extendedKeyUsage":["serverAuth"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"trusted_key.pem","name":"trusted-server.pem"},{"Issuer":"trusted-ca.pem","Subject":{"CN":"Trusted Kernel Test Cluster Server"},"description":"Server cluster certificate for trusted chain.","extensions":{"extendedKeyUsage":["clientAuth","serverAuth"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"trusted_key.pem","name":"trusted-cluster-server.pem"},{"Issuer":"trusted-ca.pem","Subject":{"CN":"Trusted Kernel Test Client With Roles","OU":"Kernel Users"},"description":"Client certificate with X509 role grants via trusted 
chain.","extensions":{"mongoRoles":[{"db":"testDB","role":"role1"},{"db":"testDB","role":"role2"}]},"keyfile":"trusted_key.pem","name":"trusted-client-testdb-roles.pem"},{"append_cert":["ca.pem","trusted-ca.pem"],"description":"Combined ca.pem and trusted-ca.pem","name":"root-and-trusted-ca.pem"},{"Issuer":"self","Subject":{"CN":"Kernel Test ECDSA CA"},"description":"Root of ECDSA tree.","extensions":{"basicConstraints":{"CA":true},"subjectKeyIdentifier":"hash"},"keyfile":"ec_ca_key.pem","name":"ecdsa-ca.pem"},{"Issuer":"ecdsa-ca.pem","Subject":{"CN":"client","OU":"KernelUser"},"description":"Client certificate for ECDSA tree.","keyfile":"ec_key.pem","name":"ecdsa-client.pem"},{"Issuer":"ecdsa-ca.pem","Subject":{"CN":"server"},"description":"Server certificate for ECDSA tree.","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"ec_key.pem","name":"ecdsa-server.pem"},{"Issuer":"self","Subject":{"CN":"Kernel Test ECDSA CA"},"description":"Root of ECDSA tree for OCSP testing","extensions":{"basicConstraints":{"CA":true},"subjectKeyIdentifier":"hash"},"keyfile":"pkcs8_encrypted_ec_ocsp_ca_key.pem","name":"ecdsa-ca-ocsp.pem","split_cert_and_key":true},{"Issuer":"ecdsa-ca-ocsp.pem","Subject":{"CN":"server"},"description":"ECDSA server certificate 
w/OCSP","extensions":{"authorityInfoAccess":[{"location":"http://localhost:9001/power/level","method":"OCSP"},{"location":"http://localhost:8100/status","method":"OCSP"}],"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"pkcs8_encrypted_ec_ocsp_key.pem","name":"ecdsa-server-ocsp.pem"},{"Issuer":"ecdsa-ca-ocsp.pem","Subject":{"CN":"server"},"description":"ECDSA server certificate w/OCSP + must-staple","extensions":{"authorityInfoAccess":[{"location":"http://localhost:9001/power/level","method":"OCSP"},{"location":"http://localhost:8100/status","method":"OCSP"}],"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth"],"keyUsage":["digitalSignature","keyEncipherment"],"mustStaple":true,"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"pkcs8_encrypted_ec_ocsp_key.pem","name":"ecdsa-server-ocsp-mustStaple.pem"},{"Issuer":"ecdsa-ca-ocsp.pem","Subject":{"CN":"server"},"description":"ECDSA certificate and key for OCSP responder","extensions":{"authorityKeyIdentifier":"issuer","basicConstraints":{"CA":false},"extendedKeyUsage":["serverAuth","clientAuth","OCSPSigning"],"keyUsage":["nonRepudiation","digitalSignature","keyEncipherment"],"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"},"subjectKeyIdentifier":"hash"},"keyfile":"pkcs8_encrypted_ec_ocsp_responder_key.pem","name":"ecdsa-ocsp-responder.pem","split_cert_and_key":true},{"Issuer":"trusted-ca.pem","Subject":{"C":"US","CN":"trusted_client_password_protected","L":"New York City","O":"MongoDB","OU":"KernelUser","ST":"New York"},"description":"Encrypted storage engine KMIP client 
certificate.","extensions":{"subjectAltName":{"DNS":"localhost","IP":"127.0.0.1"}},"keyfile":"pkcs1_encrypted_trusted_key.pem","name":"trusted_client_password_protected.pem","passphrase":"qwerty"},{"Issuer":"ca.pem","Subject":{"C":"US","CN":"ldapz_x509_1","L":"New York City","O":"MongoDB","OU":"KernelUser","ST":"New York"},"description":"X.509 LDAP Auth Test Cert.","keyfile":"key.pem","name":"ldapz_x509_1.pem"},{"Issuer":"ca.pem","Subject":{"C":"US","CN":"ldapz_x509_2","L":"New York City","O":"MongoDB","OU":"KernelUser","ST":"New York"},"description":"X.509 LDAP Auth Test Cert.","keyfile":"key.pem","name":"ldapz_x509_2.pem"}],"crls":["crl.pem","crl_client_revoked.pem","crl_intermediate_ca_B_revoked.pem","crl_from_trusted_ca.pem","crl_from_intermediate_ca_B.pem"],"global":{"Subject":{"C":"US","L":"New York City","O":"MongoDB","OU":"Kernel","ST":"New York"}}}
\ No newline at end of file
diff --git a/jstests/noPassthrough/shell/shell_grpc_uri.js b/jstests/noPassthrough/shell/shell_grpc_uri.js
index 44926c3a4b5..888ebffafc8 100644
--- a/jstests/noPassthrough/shell/shell_grpc_uri.js
+++ b/jstests/noPassthrough/shell/shell_grpc_uri.js
@@ -38,11 +38,11 @@ function testGRPCConnect(ok, ...args) {
 testGRPCConnect(true);
 
 // Options currently prohibited when using gRPC.
-testGRPCConnect(false, "--tlsCRLFile", "jstests/libs/crl.pem");
+testGRPCConnect(false, "--tlsCRLFile", getX509Path("crl.pem"));
 testGRPCConnect(
 false,
 "--tlsCertificateKeyFile",
- "jstests/libs/password_protected.pem",
+ getX509Path("password_protected.pem"),
 "--tlsCertificateKeyFilePassword",
 "qwerty",
 );
diff --git a/jstests/ocsp/lib/ocsp_helpers.js b/jstests/ocsp/lib/ocsp_helpers.js
index 68d56334712..d918096c54b 100644
--- a/jstests/ocsp/lib/ocsp_helpers.js
+++ b/jstests/ocsp/lib/ocsp_helpers.js
@@ -5,27 +5,26 @@ import {isUbuntu1804} from "jstests/libs/os_helpers.js"; import {determineSSLProvider} from "jstests/ssl/libs/ssl_helpers.js"; -export const OCSP_CA_PEM = "jstests/libs/ocsp/ca_ocsp.pem"; -export const OCSP_CA_CERT = "jstests/libs/ocsp/ca_ocsp.crt"; -export const OCSP_CA_KEY = "jstests/libs/ocsp/ca_ocsp.key"; -export const CLUSTER_CA_CERT = "jstests/libs/ca.pem"; -export const CLUSTER_KEY = "jstests/libs/server.pem"; -export const OCSP_SERVER_CERT = "jstests/libs/ocsp/server_ocsp.pem"; -export const OCSP_NO_OCSP_SERVER_CERT = "jstests/libs/ocsp/server_no_ocsp.pem"; -export const OCSP_CLIENT_CERT = "jstests/libs/ocsp/client_ocsp.pem"; -export const OCSP_SERVER_MUSTSTAPLE_CERT = "jstests/libs/ocsp/server_ocsp_mustStaple.pem"; -export const OCSP_SERVER_CERT_REVOKED = "jstests/libs/ocsp/server_ocsp_revoked.pem"; -export const OCSP_SERVER_CERT_INVALID = "jstests/libs/ocsp/server_ocsp_invalid.pem"; -export const OCSP_RESPONDER_CERT = "jstests/libs/ocsp/ocsp_responder.crt"; -export const OCSP_RESPONDER_KEY = "jstests/libs/ocsp/ocsp_responder.key"; -export const OCSP_INTERMEDIATE_CA_WITH_ROOT_PEM = "jstests/libs/ocsp/intermediate_ca_with_root_ocsp.pem"; -export const OCSP_INTERMEDIATE_CA_ONLY_CERT = "jstests/libs/ocsp/intermediate_ca_only_ocsp.crt"; -export const OCSP_INTERMEDIATE_CA_ONLY_KEY = "jstests/libs/ocsp/intermediate_ca_only_ocsp.key"; +export const OCSP_CA_PEM = getX509Path("ca_ocsp.pem"); +export const OCSP_CA_CERT = getX509Path("ca_ocsp.crt"); +export const OCSP_CA_KEY = getX509Path("ca_ocsp.key"); +export const CLUSTER_CA_CERT = getX509Path("ca.pem"); +export const CLUSTER_KEY = getX509Path("server.pem"); +export const OCSP_SERVER_CERT = getX509Path("server_ocsp.pem"); +export const OCSP_NO_OCSP_SERVER_CERT = getX509Path("server_no_ocsp.pem"); +export const OCSP_CLIENT_CERT = getX509Path("client_ocsp.pem"); +export const OCSP_SERVER_MUSTSTAPLE_CERT = getX509Path("server_ocsp_mustStaple.pem"); +export const OCSP_SERVER_CERT_REVOKED = 
getX509Path("server_ocsp_revoked.pem"); +export const OCSP_SERVER_CERT_INVALID = getX509Path("server_ocsp_invalid.pem"); +export const OCSP_RESPONDER_CERT = getX509Path("ocsp_responder.crt"); +export const OCSP_RESPONDER_KEY = getX509Path("ocsp_responder.key"); +export const OCSP_INTERMEDIATE_CA_WITH_ROOT_PEM = getX509Path("intermediate_ca_with_root_ocsp.pem"); +export const OCSP_INTERMEDIATE_CA_ONLY_CERT = getX509Path("intermediate_ca_only_ocsp.crt"); +export const OCSP_INTERMEDIATE_CA_ONLY_KEY = getX509Path("intermediate_ca_only_ocsp.key"); -export const OCSP_SERVER_SIGNED_BY_INTERMEDIATE_CA_PEM = "jstests/libs/ocsp/server_signed_by_intermediate_ca_ocsp.pem"; +export const OCSP_SERVER_SIGNED_BY_INTERMEDIATE_CA_PEM = getX509Path("server_signed_by_intermediate_ca_ocsp.pem"); -export const OCSP_SERVER_AND_INTERMEDIATE_APPENDED_PEM = - "jstests/libs/ocsp/server_and_intermediate_ca_appended_ocsp.pem"; +export const OCSP_SERVER_AND_INTERMEDIATE_APPENDED_PEM = getX509Path("server_and_intermediate_ca_appended_ocsp.pem"); export var clearOCSPCache = function () { let provider = determineSSLProvider(); diff --git a/jstests/ssl/auth-counters.js b/jstests/ssl/auth-counters.js index 6a7e8a6493d..e912a54129d 100644 --- a/jstests/ssl/auth-counters.js +++ b/jstests/ssl/auth-counters.js @@ -4,8 +4,8 @@ const x509 = "MONGODB-X509"; const mongod = MongoRunner.runMongod({ auth: "", tlsMode: "requireTLS", - tlsCertificateKeyFile: "jstests/libs/server.pem", - tlsCAFile: "jstests/libs/ca.pem", + tlsCertificateKeyFile: getX509Path("server.pem"), + tlsCAFile: getX509Path("ca.pem"), clusterAuthMode: "x509", }); const admin = mongod.getDB("admin"); @@ -67,9 +67,9 @@ function assertSuccessInternal() { "--port", mongod.port, "--tlsCertificateKeyFile", - "jstests/libs/server.pem", + getX509Path("server.pem"), "--tlsCAFile", - "jstests/libs/ca.pem", + getX509Path("ca.pem"), "--authenticationDatabase", "$external", "--authenticationMechanism", 
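Review bot: The `ocsp/` subdirectory is dropped from every constant in this hunk, so `ca_ocsp.pem`, `ocsp_responder.crt` and the rest now share one flat basename namespace with the former `jstests/libs/`, `jstests/ssl/libs/` and `jstests/ssl/x509/` files (cluster_member.js, multi-ca.js, openssl_ciphersuites.js and ssl_cn_with_san.js flatten those paths the same way). Nothing visible in the patch asserts that basenames are unique across the generated set, so a later main_certs.json entry that reuses a name would silently resolve to a different certificate and could turn a should-fail TLS test into a pass. The generator (not shown here) is the right place to reject duplicate `name` values; failing that, a comment above these constants stating the invariant would help, e.g. `// All generated certificates land in one directory; basenames must stay unique across main_certs.json.`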
diff --git a/jstests/ssl/canonicalize_command_line_opts.js b/jstests/ssl/canonicalize_command_line_opts.js index 29682a59b23..7280d32f9b6 100644 --- a/jstests/ssl/canonicalize_command_line_opts.js +++ b/jstests/ssl/canonicalize_command_line_opts.js @@ -16,16 +16,16 @@ function runTest(mongod) { const tls = net.tls; assert.eq(tls.mode, "requireTLS"); - assert.eq(tls.CAFile, "jstests/libs/ca.pem"); - assert.eq(tls.certificateKeyFile, "jstests/libs/server.pem"); + assert.eq(tls.CAFile, getX509Path("ca.pem")); + assert.eq(tls.certificateKeyFile, getX509Path("server.pem")); assert.eq(tls.allowConnectionsWithoutCertificates, true); assert.eq(tls.allowInvalidHostnames, true); } const options = { sslMode: "requireSSL", - sslCAFile: "jstests/libs/ca.pem", - sslPEMKeyFile: "jstests/libs/server.pem", + sslCAFile: getX509Path("ca.pem"), + sslPEMKeyFile: getX509Path("server.pem"), sslAllowConnectionsWithoutCertificates: "", sslAllowInvalidHostnames: "", }; diff --git a/jstests/ssl/client_x509_rotate.js b/jstests/ssl/client_x509_rotate.js index 316268f242b..9e1eab35531 100644 --- a/jstests/ssl/client_x509_rotate.js +++ b/jstests/ssl/client_x509_rotate.js @@ -8,13 +8,13 @@ import { import {ShardingTest} from "jstests/libs/shardingtest.js"; import {copyCertificateFile} from "jstests/ssl/libs/ssl_helpers.js"; -const OLD_CA = "jstests/libs/ca.pem"; -const OLD_CLIENT = "jstests/libs/client.pem"; -const OLD_SERVER = "jstests/libs/server.pem"; +const OLD_CA = getX509Path("ca.pem"); +const OLD_CLIENT = getX509Path("client.pem"); +const OLD_SERVER = getX509Path("server.pem"); -const NEW_CA = "jstests/libs/trusted-ca.pem"; -const NEW_CLIENT = "jstests/libs/trusted-client.pem"; -const NEW_SERVER = "jstests/libs/trusted-server.pem"; +const NEW_CA = getX509Path("trusted-ca.pem"); +const NEW_CLIENT = getX509Path("trusted-client.pem"); +const NEW_SERVER = getX509Path("trusted-server.pem"); (function () { let mongos; 
@@ -32,7 +32,7 @@ const NEW_SERVER = "jstests/libs/trusted-server.pem"; // rotate, and make sure it can communicate with ONLY that shard after a rotate. const mongosOptions = { tlsMode: "requireTLS", - tlsCertificateKeyFile: "jstests/libs/server.pem", + tlsCertificateKeyFile: getX509Path("server.pem"), tlsCAFile: dbPath + "/ca-test.pem", tlsClusterFile: dbPath + "/client-test.pem", tlsAllowInvalidHostnames: "", diff --git a/jstests/ssl/cluster_member.js b/jstests/ssl/cluster_member.js index 803a1cf1136..7f85795fdb4 100644 --- a/jstests/ssl/cluster_member.js +++ b/jstests/ssl/cluster_member.js @@ -42,7 +42,7 @@ function authAndDo(port, cert, cmd = ";") { port, "--tls", "--tlsCAFile", - "jstests/libs/ca.pem", + getX509Path("ca.pem"), "--tlsCertificateKeyFile", cert, "--eval", @@ -53,10 +53,10 @@ function authAndDo(port, cert, cmd = ";") { function runTest(conn) { const SERVER_RDN = "CN=server,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US"; - const SERVER = "jstests/libs/server.pem"; - const FOO_MEMBER = "jstests/ssl/libs/cluster-member-foo.pem"; - const BAR_MEMBER = "jstests/ssl/libs/cluster-member-bar.pem"; - const FOO_MEMBER_ALT = "jstests/ssl/libs/cluster-member-foo-alt-rdn.pem"; + const SERVER = getX509Path("server.pem"); + const FOO_MEMBER = getX509Path("cluster-member-foo.pem"); + const BAR_MEMBER = getX509Path("cluster-member-bar.pem"); + const FOO_MEMBER_ALT = getX509Path("cluster-member-foo-alt-rdn.pem"); const FOO_MEMBER_ALT_RDN = "CN=Doer,OU=Business,O=Company,L=Fakesville,ST=Example,C=ZZ"; const admin = conn.getDB("admin"); @@ -99,8 +99,8 @@ function runTest(conn) { const opts = { auth: "", tlsMode: "requireTLS", - tlsCertificateKeyFile: "jstests/ssl/libs/cluster-member-foo.pem", - tlsCAFile: "jstests/libs/ca.pem", + tlsCertificateKeyFile: getX509Path("cluster-member-foo.pem"), + tlsCAFile: getX509Path("ca.pem"), clusterAuthMode: "x509", tlsClusterAuthX509ExtensionValue: "foo", setParameter: { 
diff --git a/jstests/ssl/cluster_x509_rotate.js b/jstests/ssl/cluster_x509_rotate.js
index 6b47b883685..09244a683b9 100644
--- a/jstests/ssl/cluster_x509_rotate.js
+++ b/jstests/ssl/cluster_x509_rotate.js
@@ -6,9 +6,9 @@ import {copyCertificateFile} from "jstests/ssl/libs/ssl_helpers.js";
const dbPath = MongoRunner.toRealDir("$dataDir/cluster_x509_rotate_test/");
mkdir(dbPath);
-copyCertificateFile("jstests/libs/ca.pem", dbPath + "/ca-test.pem");
-copyCertificateFile("jstests/libs/client.pem", dbPath + "/client-test.pem");
-copyCertificateFile("jstests/libs/server.pem", dbPath + "/server-test.pem");
+copyCertificateFile(getX509Path("ca.pem"), dbPath + "/ca-test.pem");
+copyCertificateFile(getX509Path("client.pem"), dbPath + "/client-test.pem");
+copyCertificateFile(getX509Path("server.pem"), dbPath + "/server-test.pem");
// Make replset with old certificates, rotate to new certificates, and try to add
// a node with new certificates.
@@ -24,9 +24,9 @@ rst.startSet({
rst.initiate();
rst.awaitReplication();
-copyCertificateFile("jstests/libs/trusted-ca.pem", dbPath + "/ca-test.pem");
-copyCertificateFile("jstests/libs/trusted-client.pem", dbPath + "/client-test.pem");
-copyCertificateFile("jstests/libs/trusted-server.pem", dbPath + "/server-test.pem");
+copyCertificateFile(getX509Path("trusted-ca.pem"), dbPath + "/ca-test.pem");
+copyCertificateFile(getX509Path("trusted-client.pem"), dbPath + "/client-test.pem");
+copyCertificateFile(getX509Path("trusted-server.pem"), dbPath + "/server-test.pem");
for (let node of rst.nodes) {
assert.commandWorked(node.adminCommand({rotateCertificates: 1}));
@@ -34,9 +34,9 @@ for (let node of rst.nodes) { const newnode = rst.add({ tlsMode: "requireTLS", - tlsCertificateKeyFile: "jstests/libs/trusted-server.pem", - tlsCAFile: "jstests/libs/trusted-ca.pem", - tlsClusterFile: "jstests/libs/trusted-client.pem", + tlsCertificateKeyFile: getX509Path("trusted-server.pem"), + tlsCAFile: getX509Path("trusted-ca.pem"), + tlsClusterFile: getX509Path("trusted-client.pem"), tlsAllowInvalidHostnames: "", // IMPORTANT: shell will not be able to talk to the new node due to cert rotation // therefore we set "waitForConnect:false" to ensure shell does not try to acess it @@ -50,8 +50,8 @@ assert.soon(() => { try { new Mongo(host, undefined, { tls: { - certificateKeyFile: "jstests/libs/trusted-client.pem", - CAFile: "jstests/libs/trusted-ca.pem", + certificateKeyFile: getX509Path("trusted-client.pem"), + CAFile: getX509Path("trusted-ca.pem"), allowInvalidHostnames: true, }, }); @@ -69,8 +69,8 @@ assert.soon(() => { try { const conn = new Mongo(host, undefined, { tls: { - certificateKeyFile: "jstests/libs/trusted-client.pem", - CAFile: "jstests/libs/trusted-ca.pem", + certificateKeyFile: getX509Path("trusted-client.pem"), + CAFile: getX509Path("trusted-ca.pem"), allowInvalidHostnames: true, }, }); @@ -99,8 +99,8 @@ for (let node of rst.nodeList()) { print(`Testing connectivity of ${node} to ${target}`); const conn = new Mongo(node, undefined, { tls: { - certificateKeyFile: "jstests/libs/trusted-client.pem", - CAFile: "jstests/libs/trusted-ca.pem", + certificateKeyFile: getX509Path("trusted-client.pem"), + CAFile: getX509Path("trusted-ca.pem"), allowInvalidHostnames: true, }, }); diff --git a/jstests/ssl/config-canonicalize-normal-ports.js b/jstests/ssl/config-canonicalize-normal-ports.js index 15188031b7a..6101226731f 100644 --- a/jstests/ssl/config-canonicalize-normal-ports.js +++ b/jstests/ssl/config-canonicalize-normal-ports.js 
@@ -2,8 +2,8 @@ const mongod = MongoRunner.runMongod({ tlsOnNormalPorts: "", - tlsCertificateKeyFile: "jstests/libs/server.pem", - tlsCAFile: "jstests/libs/ca.pem", + tlsCertificateKeyFile: getX509Path("server.pem"), + tlsCAFile: getX509Path("ca.pem"), }); assert(mongod); assert.commandWorked(mongod.getDB("admin").runCommand({hello: 1})); diff --git a/jstests/ssl/crl_x509_rotate.js b/jstests/ssl/crl_x509_rotate.js index 8e8900d8fa4..5aca0143177 100644 --- a/jstests/ssl/crl_x509_rotate.js +++ b/jstests/ssl/crl_x509_rotate.js @@ -9,12 +9,12 @@ if (determineSSLProvider() === "apple") { const dbPath = MongoRunner.toRealDir("$dataDir/cluster_x509_rotate_test/"); mkdir(dbPath); -copyCertificateFile("jstests/libs/crl.pem", dbPath + "/crl-test.pem"); +copyCertificateFile(getX509Path("crl.pem"), dbPath + "/crl-test.pem"); const mongod = MongoRunner.runMongod({ tlsMode: "requireTLS", - tlsCertificateKeyFile: "jstests/libs/server.pem", - tlsCAFile: "jstests/libs/ca.pem", + tlsCertificateKeyFile: getX509Path("server.pem"), + tlsCAFile: getX509Path("ca.pem"), tlsCRLFile: dbPath + "/crl-test.pem", }); @@ -27,16 +27,16 @@ let out = runMongoProgram( host, "--tls", "--tlsCertificateKeyFile", - "jstests/libs/client_revoked.pem", + getX509Path("client_revoked.pem"), "--tlsCAFile", - "jstests/libs/ca.pem", + getX509Path("ca.pem"), "--eval", ";", ); assert.eq(out, 0, "Initial mongo invocation failed"); // Rotate in new CRL -copyCertificateFile("jstests/libs/crl_client_revoked.pem", dbPath + "/crl-test.pem"); +copyCertificateFile(getX509Path("crl_client_revoked.pem"), dbPath + "/crl-test.pem"); assert.commandWorked(mongod.adminCommand({rotateCertificates: 1})); @@ -47,9 +47,9 @@ out = runMongoProgram( host, "--tls", "--tlsCertificateKeyFile", - "jstests/libs/client_revoked.pem", + getX509Path("client_revoked.pem"), "--tlsCAFile", - "jstests/libs/ca.pem", + getX509Path("ca.pem"), "--eval", ";", ); 
@@ -62,9 +62,9 @@ out = runMongoProgram( host, "--tls", "--tlsCertificateKeyFile", - "jstests/libs/client.pem", + getX509Path("client.pem"), "--tlsCAFile", - "jstests/libs/ca.pem", + getX509Path("ca.pem"), "--eval", ";", ); diff --git a/jstests/ssl/disable_x509.js b/jstests/ssl/disable_x509.js index 32e0ec06937..4e2862fd8fa 100644 --- a/jstests/ssl/disable_x509.js +++ b/jstests/ssl/disable_x509.js @@ -5,8 +5,8 @@ let CLIENT_USER = "C=US,ST=New York,L=New York City,O=MongoDB,OU=KernelUser,CN=c let conn = MongoRunner.runMongod({ auth: "", tlsMode: "requireTLS", - tlsCertificateKeyFile: "jstests/libs/server.pem", - tlsCAFile: "jstests/libs/ca.pem", + tlsCertificateKeyFile: getX509Path("server.pem"), + tlsCAFile: getX509Path("ca.pem"), }); // Find out if this build supports the authenticationMechanisms startup parameter. diff --git a/jstests/ssl/libs/BUILD.bazel b/jstests/ssl/libs/BUILD.bazel index 34fd7e2acb6..97513de081b 100644 --- a/jstests/ssl/libs/BUILD.bazel +++ b/jstests/ssl/libs/BUILD.bazel @@ -10,8 +10,3 @@ mongo_js_library( ) all_subpackage_javascript_files() - -sh_binary( - name = "localhost_cn_with_san", - srcs = ["localhost-cn-with-san.pem.sh"], -) diff --git a/jstests/ssl/libs/localhost-cn-with-san.pem.sh b/jstests/ssl/libs/localhost-cn-with-san.pem.sh deleted file mode 100755 index 1b87e1e8cd3..00000000000 --- a/jstests/ssl/libs/localhost-cn-with-san.pem.sh +++ /dev/null 
@@ -1,22 +0,0 @@ -#!/bin/bash -# Create a certificate with `CN=localhost` to satisfy CN matching, -# but override it with a SAN field which will not match. -set -ev - -RDN="/C=US/ST=New York/L=New York City/O=MongoDB/OU=Kernel/CN=localhost" -OPENSSL="/opt/mongodbtoolchain/v4/bin/openssl" -FILE="jstests/ssl/libs/localhost-cn-with-san" - -$OPENSSL req -new -subj "${RDN}" \ - -keyout "${FILE}.key" -out "${FILE}.csr" \ - -nodes -batch -sha256 -newkey rsa:2048 -$OPENSSL rsa -in "${FILE}.key" -out "${FILE}.rsa" -$OPENSSL x509 -in "${FILE}.csr" -out "${FILE}.pem" -req -CA "jstests/libs/ca.pem" \ - -days 3650 -CAcreateserial \ - -extfile <(printf "subjectAltName=DNS:example.com") - -# Create final bundle and cleanup. -cat "${FILE}.rsa" >>"${FILE}.pem" - -rm jstests/libs/ca.srl -rm "${FILE}.key" "${FILE}.rsa" "${FILE}.csr" diff --git a/jstests/ssl/libs/ssl_helpers.js b/jstests/ssl/libs/ssl_helpers.js index 6028c813587..aef34498948 100644 --- a/jstests/ssl/libs/ssl_helpers.js +++ b/jstests/ssl/libs/ssl_helpers.js 
@@ -12,14 +12,14 @@ TestData.ignoreUnterminatedProcesses = true;
export var KEYFILE = "jstests/libs/key1";
-export var SERVER_CERT = "jstests/libs/server.pem";
-export var TRUSTED_SERVER_CERT = "jstests/libs/trusted-server.pem";
-export var CA_CERT = "jstests/libs/ca.pem";
-export var TRUSTED_CA_CERT = "jstests/libs/trusted-ca.pem";
-export var CLIENT_CERT = "jstests/libs/client.pem";
-export var TRUSTED_CLIENT_CERT = "jstests/libs/trusted-client.pem";
+export var SERVER_CERT = getX509Path("server.pem");
+export var TRUSTED_SERVER_CERT = getX509Path("trusted-server.pem");
+export var CA_CERT = getX509Path("ca.pem");
+export var TRUSTED_CA_CERT = getX509Path("trusted-ca.pem");
+export var CLIENT_CERT = getX509Path("client.pem");
+export var TRUSTED_CLIENT_CERT = getX509Path("trusted-client.pem");
export var DH_PARAM = "jstests/libs/8k-prime.dhparam";
-export var CLUSTER_CERT = "jstests/libs/cluster_cert.pem";
+export var CLUSTER_CERT = getX509Path("cluster_cert.pem");
// Note: "tlsAllowInvalidCertificates" is enabled to avoid
// hostname conflicts with our testing certificates
@@ -386,7 +386,7 @@ export function copyCertificateFile(a, b) {
assert.eq(0, runProgram("cmd.exe", "/c", "copy", a, b));
return;
}
- assert.eq(0, runProgram("cp", a, b));
+ assert.eq(0, runProgram("cp", "-f", a, b));
}
export function clientSupportsTLS1_1() {
diff --git a/jstests/ssl/macos_encrypted_pem.js b/jstests/ssl/macos_encrypted_pem.js
index 0ff3c945d69..762ff15edfe 100644
--- a/jstests/ssl/macos_encrypted_pem.js
+++ b/jstests/ssl/macos_encrypted_pem.js
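Review bot: The new `cp -f` in the last hunk carries no comment saying why forcing is now required, and the Windows branch two lines above still runs a plain `copy`, so the two platforms no longer behave alike. If `-f` was added because generated certificates arrive as read-only build outputs (the patch does not show the reason), the `cmd.exe /c copy` path would hit the same read-only destination on the second rotation in cluster_x509_rotate.js and crl_x509_rotate.js, which overwrite `dbPath + "/ca-test.pem"` and `dbPath + "/crl-test.pem"` after a first copy. Suggest a why-comment such as `// -f: the destination may already exist read-only from the previous rotation` and checking the `copy` branch against a read-only target. copyCertificateFile's body starts outside the hunk.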
@@ -6,10 +6,10 @@ requireSSLProvider("apple", function () { jsTest.log("Verifying that mongod will fail to start using an encrypted PEM file"); const config = MongoRunner.mongodOptions({ - tlsCertificateKeyFile: "jstests/libs/password_protected.pem", + tlsCertificateKeyFile: getX509Path("password_protected.pem"), tlsMode: "requireTLS", tlsCertificateKeyFilePassword: "qwerty", - tlsCAFile: "jstests/libs/ca.pem", + tlsCAFile: getX509Path("ca.pem"), }); assert.throws(() => MongoRunner.runMongod(config), [], "MongoD unexpectedly started up"); diff --git a/jstests/ssl/multi-ca.js b/jstests/ssl/multi-ca.js index 5e2ff0d7de0..78c89bba694 100644 --- a/jstests/ssl/multi-ca.js +++ b/jstests/ssl/multi-ca.js @@ -2,12 +2,12 @@ // "root-and-trusted-ca.pem" contains the combined ca.pem and trusted-ca.pem certs. // This *should* permit client.pem or trusted-client.pem to connect equally. -const CA_CERT = "jstests/ssl/x509/root-and-trusted-ca.pem"; -const SERVER_CERT = "jstests/libs/server.pem"; +const CA_CERT = getX509Path("root-and-trusted-ca.pem"); +const SERVER_CERT = getX509Path("server.pem"); -const CLIENT_CA_CERT = "jstests/libs/ca.pem"; -const CLIENT_CERT = "jstests/libs/client.pem"; -const TRUSTED_CLIENT_CERT = "jstests/libs/trusted-client.pem"; +const CLIENT_CA_CERT = getX509Path("ca.pem"); +const CLIENT_CERT = getX509Path("client.pem"); +const TRUSTED_CLIENT_CERT = getX509Path("trusted-client.pem"); const mongod = MongoRunner.runMongod({ tlsMode: "requireTLS", diff --git a/jstests/ssl/openssl_ciphersuites.js b/jstests/ssl/openssl_ciphersuites.js index 04bf7e221b2..b50df8ca94a 100644 --- a/jstests/ssl/openssl_ciphersuites.js +++ b/jstests/ssl/openssl_ciphersuites.js 
@@ -15,8 +15,8 @@ if (determineSSLProvider() !== "openssl") { const baseParams = { tlsMode: "requireTLS", - tlsCertificateKeyFile: "jstests/libs/server.pem", - tlsCAFile: "jstests/ssl/x509/root-and-trusted-ca.pem", + tlsCertificateKeyFile: getX509Path("server.pem"), + tlsCAFile: getX509Path("root-and-trusted-ca.pem"), waitForConnect: false, }; @@ -29,9 +29,9 @@ function testConn() { mongod.port, "--tls", "--tlsCAFile", - "jstests/libs/ca.pem", + getX509Path("ca.pem"), "--tlsCertificateKeyFile", - "jstests/libs/trusted-client.pem", + getX509Path("trusted-client.pem"), "--eval", ";", ); diff --git a/jstests/ssl/peer_validation_without_cafile.js b/jstests/ssl/peer_validation_without_cafile.js index 45c4d4bacc8..0e0d52ff97e 100644 --- a/jstests/ssl/peer_validation_without_cafile.js +++ b/jstests/ssl/peer_validation_without_cafile.js @@ -18,7 +18,7 @@ import {ReplSetTest} from "jstests/libs/replsettest.js"; const rs = new ReplSetTest(rsOpts); rs.startSet({ env: { - SSL_CERT_FILE: "jstests/libs/ca.pem", + SSL_CERT_FILE: getX509Path("ca.pem"), }, }); if (succeed) { @@ -55,15 +55,15 @@ import {ReplSetTest} from "jstests/libs/replsettest.js"; // Sanity check that ca.pem can be used to properly authenticate. const options_manual_systemca = { tlsMode: "requireTLS", - tlsCAFile: "jstests/libs/ca.pem", - tlsCertificateKeyFile: "jstests/libs/server.pem", + tlsCAFile: getX509Path("ca.pem"), + tlsCertificateKeyFile: getX509Path("server.pem"), }; testRS(options_manual_systemca, true); // Ensure that we can authenticate with system CA. const options_systemca = { tlsMode: "requireTLS", - tlsCertificateKeyFile: "jstests/libs/server.pem", + tlsCertificateKeyFile: getX509Path("server.pem"), setParameter: {tlsUseSystemCA: true}, }; testRS(options_systemca, true); 
@@ -71,15 +71,15 @@ import {ReplSetTest} from "jstests/libs/replsettest.js"; // Sanity check that ca.pem can be used to properly fail to authenticate. const options_manual_systemca_nomatch = { tlsMode: "requireTLS", - tlsCAFile: "jstests/libs/ca.pem", - tlsCertificateKeyFile: "jstests/libs/trusted-server.pem", + tlsCAFile: getX509Path("ca.pem"), + tlsCertificateKeyFile: getX509Path("trusted-server.pem"), }; testRS(options_manual_systemca_nomatch, false); // Ensure that we can properly fail to authenticate with system CA. const options_systemca_nomatch = { tlsMode: "requireTLS", - tlsCertificateKeyFile: "jstests/libs/trusted-server.pem", + tlsCertificateKeyFile: getX509Path("trusted-server.pem"), setParameter: {tlsUseSystemCA: true}, }; diff --git a/jstests/ssl/repl_ssl_split_horizon.js b/jstests/ssl/repl_ssl_split_horizon.js index 30178fc4a47..3d281627df2 100644 --- a/jstests/ssl/repl_ssl_split_horizon.js +++ b/jstests/ssl/repl_ssl_split_horizon.js @@ -78,7 +78,7 @@ let replTest = new ReplSetTest({ nodes: 2, nodeOptions: { tlsMode: "requireTLS", - tlsCertificateKeyFile: "jstests/libs/splithorizon-server.pem", + tlsCertificateKeyFile: getX509Path("splithorizon-server.pem"), setParameter: {tlsUseSystemCA: true}, }, host: "localhost", @@ -87,7 +87,7 @@ let replTest = new ReplSetTest({ replTest.startSet({ env: { - SSL_CERT_FILE: "jstests/libs/ca.pem", + SSL_CERT_FILE: getX509Path("ca.pem"), }, }); @@ -122,11 +122,11 @@ let checkExpectedHorizon = function (url, memberIndex, expectedHostname) { let argv = [ "env", "HOSTALIASES=" + hostsFile, - "SSL_CERT_FILE=jstests/libs/ca.pem", + "SSL_CERT_FILE=" + getX509Path("ca.pem"), "mongo", "--tls", "--tlsCertificateKeyFile", - "jstests/libs/splithorizon-server.pem", + getX509Path("splithorizon-server.pem"), url, "--eval", assertion, diff --git a/jstests/ssl/server_x509_rotate.js b/jstests/ssl/server_x509_rotate.js index 9e9e0cbbfa3..36ceb612cf5 100644 --- a/jstests/ssl/server_x509_rotate.js 
+++ b/jstests/ssl/server_x509_rotate.js @@ -2,13 +2,13 @@ import {copyCertificateFile} from "jstests/ssl/libs/ssl_helpers.js"; -const OLD_SERVER = "jstests/libs/server.pem"; -const OLD_CLIENT = "jstests/libs/client.pem"; -const OLD_CA = "jstests/libs/ca.pem"; +const OLD_SERVER = getX509Path("server.pem"); +const OLD_CLIENT = getX509Path("client.pem"); +const OLD_CA = getX509Path("ca.pem"); -const NEW_SERVER = "jstests/libs/trusted-server.pem"; -const NEW_CLIENT = "jstests/libs/trusted-client.pem"; -const NEW_CA = "jstests/libs/trusted-ca.pem"; +const NEW_SERVER = getX509Path("trusted-server.pem"); +const NEW_CLIENT = getX509Path("trusted-client.pem"); +const NEW_CA = getX509Path("trusted-ca.pem"); const dbPath = MongoRunner.toRealDir("$dataDir/cluster_x509_rotate_test/"); mkdir(dbPath); diff --git a/jstests/ssl/set_parameter_ssl.js b/jstests/ssl/set_parameter_ssl.js index 0efe6fe1485..9bbe95b2cf5 100644 --- a/jstests/ssl/set_parameter_ssl.js +++ b/jstests/ssl/set_parameter_ssl.js @@ -2,8 +2,8 @@ import {ReplSetTest} from "jstests/libs/replsettest.js"; -let SERVER_CERT = "jstests/libs/server.pem"; -let CA_CERT = "jstests/libs/ca.pem"; +let SERVER_CERT = getX509Path("server.pem"); +let CA_CERT = getX509Path("ca.pem"); class TransportMode { constructor(sslName, tlsName) { diff --git a/jstests/ssl/shell_option_parsing.js b/jstests/ssl/shell_option_parsing.js index 892b0e7bf07..ffba83a53d4 100644 --- a/jstests/ssl/shell_option_parsing.js +++ b/jstests/ssl/shell_option_parsing.js @@ -1,8 +1,8 @@ // Test mongo shell connect strings. import {ReplSetTest} from "jstests/libs/replsettest.js"; -const SERVER_CERT = "jstests/libs/server.pem"; -const CAFILE = "jstests/libs/ca.pem"; +const SERVER_CERT = getX509Path("server.pem"); +const CAFILE = getX509Path("ca.pem"); let opts = { tlsMode: "allowTLS", diff --git a/jstests/ssl/speculative-authenticate.js b/jstests/ssl/speculative-authenticate.js index 36ac9bfbca5..f0ce38473e1 100644 --- a/jstests/ssl/speculative-authenticate.js 
+++ b/jstests/ssl/speculative-authenticate.js @@ -3,8 +3,8 @@ const mongod = MongoRunner.runMongod({ auth: "", tlsMode: "requireTLS", - tlsCertificateKeyFile: "jstests/libs/server.pem", - tlsCAFile: "jstests/libs/ca.pem", + tlsCertificateKeyFile: getX509Path("server.pem"), + tlsCAFile: getX509Path("ca.pem"), clusterAuthMode: "x509", }); const admin = mongod.getDB("admin"); @@ -21,9 +21,9 @@ function test(uri) { "mongo", "--tls", "--tlsCAFile", - "jstests/libs/ca.pem", + getX509Path("ca.pem"), "--tlsCertificateKeyFile", - "jstests/libs/client.pem", + getX509Path("client.pem"), uri, "--eval", ";", @@ -36,9 +36,9 @@ function testInternal(uri) { "mongo", "--tls", "--tlsCAFile", - "jstests/libs/ca.pem", + getX509Path("ca.pem"), "--tlsCertificateKeyFile", - "jstests/libs/server.pem", + getX509Path("server.pem"), uri, "--eval", ";", diff --git a/jstests/ssl/ssl_ECDHE_suites.js b/jstests/ssl/ssl_ECDHE_suites.js index b0b7cb4bb3b..06056dd805e 100644 --- a/jstests/ssl/ssl_ECDHE_suites.js +++ b/jstests/ssl/ssl_ECDHE_suites.js @@ -11,7 +11,7 @@ if (_isWindows()) { // Amazon linux does not currently support ECDHE const EXCLUDED_BUILDS = ["amazon", "amzn64"]; -const SERVER_CERT = "jstests/libs/server.pem"; +const SERVER_CERT = getX509Path("server.pem"); const OUTFILE = "jstests/ssl/ciphers.json"; const suites = ["sslv2", "sslv3", "tls1", "tls1_1", "tls1_2"]; 
@@ -43,19 +43,13 @@ const python_command = CLIENT_CERT + " --outfile=" + OUTFILE; -assert.eq(runProgram("/bin/sh", "-c", python_command), 0); -// Parse its output -let cipherDict = {}; -try { - cipherDict = JSON.parse(cat(OUTFILE)); -} catch (e) { - jsTestLog("Failed to parse ciphers.json"); - throw e; -} finally { - const delete_command = "rm " + OUTFILE; - assert.eq(runProgram("/bin/sh", "-c", delete_command), 0); -} +clearRawMongoProgramOutput(); +assert.eq(runProgram("/bin/sh", "-c", python_command), 0); +const resIndicator = "Enumeration results: "; +const res = rawMongoProgramOutput(resIndicator); +assert.gte(res.indexOf(resIndicator), 0, "Expected enumeration results in output"); +let cipherDict = JSON.parse(res.substring(res.indexOf(resIndicator) + resIndicator.length)); // Checking that SSLv2, SSLv3 and TLS 1.0 are not accepted suites.slice(0, suites.indexOf("tls1")).forEach((tlsVersion) => assert(cipherDict[tlsVersion].length === 0)); diff --git a/jstests/ssl/ssl_alert_reporting.js b/jstests/ssl/ssl_alert_reporting.js index c665df3e82a..b016391fd58 100644 --- a/jstests/ssl/ssl_alert_reporting.js +++ b/jstests/ssl/ssl_alert_reporting.js @@ -5,9 +5,9 @@ import {determineSSLProvider, sslProviderSupportsTLS1_1} from "jstests/ssl/libs/ const clientOptions = [ "--tls", "--tlsCertificateKeyFile", - "jstests/libs/client.pem", + getX509Path("client.pem"), "--tlsCAFile", - "jstests/libs/ca.pem", + getX509Path("ca.pem"), "--eval", ";", ]; @@ -33,8 +33,8 @@ function runTest(serverDisabledProtos, clientDisabledProtos) { let md = MongoRunner.runMongod({ tlsMode: "requireTLS", - tlsCAFile: "jstests/libs/ca.pem", - tlsCertificateKeyFile: "jstests/libs/server.pem", + tlsCAFile: getX509Path("ca.pem"), + tlsCertificateKeyFile: getX509Path("server.pem"), tlsDisabledProtocols: serverDisabledProtos, }); diff --git a/jstests/ssl/ssl_cert_selector_apple.js b/jstests/ssl/ssl_cert_selector_apple.js index 24e3c34533c..48409b8614a 100644 --- a/jstests/ssl/ssl_cert_selector_apple.js 
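Review bot: The removed `finally` block was the only thing deleting `OUTFILE`, yet the unchanged context line still builds `python_command` with `" --outfile=" + OUTFILE`, so unless the Python side stopped honouring that flag (not visible in this patch) every run now leaves `jstests/ssl/ciphers.json` behind in the source tree. Either drop the `--outfile` argument from `python_command` or restore the cleanup after the parse. Separately, `JSON.parse(res.substring(...))` assumes the whole enumeration payload sits on the line that matched `resIndicator`; as I recall `rawMongoProgramOutput` returns only matching lines, each carrying the shell's program-id prefix, so a multi-line or pretty-printed JSON result would surface as a SyntaxError rather than the readable assertion on the line above. A comment making that contract explicit, e.g. `// The enumeration script must print its JSON on the single "Enumeration results: " line.`, or trimming `res` at the first newline before parsing, would close that gap.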
+++ b/jstests/ssl/ssl_cert_selector_apple.js @@ -42,8 +42,8 @@ requireSSLProvider("apple", function () { const trusted_server_thumbprint = getCertificateSHA1BySubject("Trusted Kernel Test Server").toUpperCase(); const trusted_client_thumbprint = getCertificateSHA1BySubject("Trusted Kernel Test Client").toUpperCase(); - const expected_server_thumbprint = cat("jstests/libs/trusted-server.pem.digest.sha1").toUpperCase(); - const expected_client_thumbprint = cat("jstests/libs/trusted-client.pem.digest.sha1").toUpperCase(); + const expected_server_thumbprint = cat(getX509Path("trusted-server.pem.digest.sha1")).toUpperCase(); + const expected_client_thumbprint = cat(getX509Path("trusted-client.pem.digest.sha1")).toUpperCase(); // If we fall into this case, our trusted certificates are not installed on the machine's // certificate keychain. This probably means that certificates have just been renewed, but have @@ -53,7 +53,7 @@ requireSSLProvider("apple", function () { expected_client_thumbprint !== trusted_client_thumbprint ) { jsTest.log.error( - "macOS host has an unexpected version of the trusted server certificate (jstests/libs/trusted-server.pem) or trusted client certificate (jstests/libs/trusted-client.pem) installed.", + "macOS host has an unexpected version of the trusted server certificate (trusted-server.pem) or trusted client certificate (trusted-client.pem) installed.", ); jsTest.log.error( "Expecting server thumbprint: " + expected_server_thumbprint + ", got: " + trusted_server_thumbprint, diff --git a/jstests/ssl/ssl_client_bad_certificate_warning.js b/jstests/ssl/ssl_client_bad_certificate_warning.js index 4c484d4a954..6eb9f3fe8f2 100644 --- a/jstests/ssl/ssl_client_bad_certificate_warning.js +++ b/jstests/ssl/ssl_client_bad_certificate_warning.js 
@@ -1,9 +1,9 @@ // Test mongo shell output logs correct messages when not including certificates or using bad // certificates. -const SERVER_CERT = "jstests/libs/server.pem"; -const CA_CERT = "jstests/libs/ca.pem"; +const SERVER_CERT = getX509Path("server.pem"); +const CA_CERT = getX509Path("ca.pem"); -const BAD_CLIENT_CERT = "jstests/libs/trusted-client.pem"; +const BAD_CLIENT_CERT = getX509Path("trusted-client.pem"); function testConnect(outputLog, ...args) { const command = ["mongo", "--host", "localhost", "--port", mongod.port, "--tls", ...args]; diff --git a/jstests/ssl/ssl_client_certificate_warning_suppression.js b/jstests/ssl/ssl_client_certificate_warning_suppression.js index c4093af7d57..b48916e62dc 100644 --- a/jstests/ssl/ssl_client_certificate_warning_suppression.js +++ b/jstests/ssl/ssl_client_certificate_warning_suppression.js @@ -12,8 +12,8 @@ import {CA_CERT} from "jstests/ssl/libs/ssl_helpers.js"; function test(suppress) { const opts = { tlsMode: "requireTLS", - tlsCertificateKeyFile: "jstests/libs/server.pem", - tlsCAFile: "jstests/libs/ca.pem", + tlsCertificateKeyFile: getX509Path("server.pem"), + tlsCAFile: getX509Path("ca.pem"), waitForConnect: false, tlsAllowConnectionsWithoutCertificates: "", setParameter: {suppressNoTLSPeerCertificateWarning: suppress}, diff --git a/jstests/ssl/ssl_cluster_ca.js b/jstests/ssl/ssl_cluster_ca.js index 34219f7fc77..297c641cfac 100644 --- a/jstests/ssl/ssl_cluster_ca.js +++ b/jstests/ssl/ssl_cluster_ca.js 
@@ -48,12 +48,12 @@ const valid_options = { tlsMode: "requireTLS", // Servers present trusted-server.pem to clients and each other for inbound connections. // Peers validate trusted-server.pem using trusted-ca.pem when making those connections. - tlsCertificateKeyFile: "jstests/libs/trusted-server.pem", - tlsCAFile: "jstests/libs/trusted-ca.pem", + tlsCertificateKeyFile: getX509Path("trusted-server.pem"), + tlsCAFile: getX509Path("trusted-ca.pem"), // Servers making outbound connections to other servers present server.pem to their peers // which their peers validate using ca.pem. - tlsClusterFile: "jstests/libs/server.pem", - tlsClusterCAFile: "jstests/libs/ca.pem", + tlsClusterFile: getX509Path("server.pem"), + tlsClusterCAFile: getX509Path("ca.pem"), // SERVER-36895: IP based hostname validation with SubjectAlternateName tlsAllowInvalidHostnames: "", }; @@ -69,12 +69,12 @@ testRS(wrong_key_file, wrong_key_file, false); // Test self-signed clusterFile validated against peer's CAFile const cafile_only_options = { tlsMode: "requireTLS", - tlsCertificateKeyFile: "jstests/libs/server.pem", - tlsCAFile: "jstests/libs/ca.pem", + tlsCertificateKeyFile: getX509Path("server.pem"), + tlsCAFile: getX509Path("ca.pem"), tlsAllowInvalidHostnames: "", clusterAuthMode: "x509", }; -const selfsigned_cluster_file = Object.merge(cafile_only_options, {tlsClusterFile: "jstests/libs/smoke.pem"}); +const selfsigned_cluster_file = Object.merge(cafile_only_options, {tlsClusterFile: getX509Path("smoke.pem")}); testRS(cafile_only_options, selfsigned_cluster_file, false); const mongod = MongoRunner.runMongod(valid_options); @@ -100,7 +100,7 @@ function testConnect(cert, succeed) { assert.eq(mongo === 0, succeed); } -testConnect("jstests/libs/client.pem", true); -testConnect("jstests/libs/trusted-client.pem", false); +testConnect(getX509Path("client.pem"), true); +testConnect(getX509Path("trusted-client.pem"), false); MongoRunner.stopMongod(mongod); 
diff --git a/jstests/ssl/ssl_cluster_file.js b/jstests/ssl/ssl_cluster_file.js
index 93f8972cc4d..627dcf907fd 100644
--- a/jstests/ssl/ssl_cluster_file.js
+++ b/jstests/ssl/ssl_cluster_file.js
@@ -1,7 +1,7 @@
-let CA_CERT = "jstests/libs/ca.pem";
-let SERVER_CERT = "jstests/libs/server.pem";
-let CLIENT_CERT = "jstests/libs/client.pem";
-let BAD_SAN_CERT = "jstests/libs/badSAN.pem";
+let CA_CERT = getX509Path("ca.pem");
+let SERVER_CERT = getX509Path("server.pem");
+let CLIENT_CERT = getX509Path("client.pem");
+let BAD_SAN_CERT = getX509Path("badSAN.pem");
 
 let mongod = MongoRunner.runMongod({
     tlsMode: "requireTLS",
diff --git a/jstests/ssl/ssl_cn_with_san.js b/jstests/ssl/ssl_cn_with_san.js
index 3a317520ce0..bcf3a88e29c 100644
--- a/jstests/ssl/ssl_cn_with_san.js
+++ b/jstests/ssl/ssl_cn_with_san.js
@@ -4,8 +4,8 @@
 import {determineSSLProvider} from "jstests/ssl/libs/ssl_helpers.js";
 
 // server-intermediate-ca was signed by ca.pem, not trusted-ca.pem
-const CA = "jstests/libs/ca.pem";
-const SERVER = "jstests/ssl/libs/localhost-cn-with-san.pem";
+const CA = getX509Path("ca.pem");
+const SERVER = getX509Path("localhost-cn-with-san.pem");
 
 const mongod = MongoRunner.runMongod({
     tlsMode: "requireTLS",
diff --git a/jstests/ssl/ssl_count_protocols.js b/jstests/ssl/ssl_count_protocols.js
index 41de75ec41b..5f61cebf093 100644
--- a/jstests/ssl/ssl_count_protocols.js
+++ b/jstests/ssl/ssl_count_protocols.js
@@ -5,9 +5,9 @@ import {
     sslProviderSupportsTLS1_1,
 } from "jstests/ssl/libs/ssl_helpers.js";
 
-let SERVER_CERT = "jstests/libs/server.pem";
-let CLIENT_CERT = "jstests/libs/client.pem";
-let CA_CERT = "jstests/libs/ca.pem";
+let SERVER_CERT = getX509Path("server.pem");
+let CLIENT_CERT = getX509Path("client.pem");
+let CA_CERT = getX509Path("ca.pem");
 
 const protocols = ["TLS1_0", "TLS1_1", "TLS1_2", "TLS1_3"];
 
diff --git a/jstests/ssl/ssl_crl.js b/jstests/ssl/ssl_crl.js
index 07610d91821..24db11a89d7 100644
--- a/jstests/ssl/ssl_crl.js
+++ b/jstests/ssl/ssl_crl.js
@@ -10,14 +10,14 @@ import {requireSSLProvider} from "jstests/ssl/libs/ssl_helpers.js";
 requireSSLProvider(["openssl", "windows"], function () {
     let testUnrevoked = new TLSTest(
         // Server option overrides
-        {tlsMode: "requireTLS", tlsCRLFile: "jstests/libs/crl.pem"},
+        {tlsMode: "requireTLS", tlsCRLFile: getX509Path("crl.pem")},
     );
 
     assert(testUnrevoked.connectWorked());
 
     let testRevoked = new TLSTest(
         // Server option overrides
-        {tlsMode: "requireTLS", tlsCRLFile: "jstests/libs/crl_expired.pem"},
+        {tlsMode: "requireTLS", tlsCRLFile: getX509Path("crl_expired.pem")},
     );
 
     assert(!testRevoked.connectWorked());
diff --git a/jstests/ssl/ssl_crl_revoked.js b/jstests/ssl/ssl_crl_revoked.js
index 37796de763a..3c4041313c5 100644
--- a/jstests/ssl/ssl_crl_revoked.js
+++ b/jstests/ssl/ssl_crl_revoked.js
@@ -7,9 +7,9 @@ import {requireSSLProvider} from "jstests/ssl/libs/ssl_helpers.js";
 requireSSLProvider(["openssl", "windows"], function () {
     let md = MongoRunner.runMongod({
         tlsMode: "requireTLS",
-        tlsCertificateKeyFile: "jstests/libs/server.pem",
-        tlsCAFile: "jstests/libs/ca.pem",
-        tlsCRLFile: "jstests/libs/crl_client_revoked.pem",
+        tlsCertificateKeyFile: getX509Path("server.pem"),
+        tlsCAFile: getX509Path("ca.pem"),
+        tlsCRLFile: getX509Path("crl_client_revoked.pem"),
     });
 
     let mongo = runMongoProgram(
@@ -18,9 +18,9 @@ requireSSLProvider(["openssl", "windows"], function () {
         md.port,
         "--tls",
         "--tlsCAFile",
-        "jstests/libs/ca.pem",
+        getX509Path("ca.pem"),
         "--tlsCertificateKeyFile",
-        "jstests/libs/client_revoked.pem",
+        getX509Path("client_revoked.pem"),
         "--eval",
         ";",
     );
diff --git a/jstests/ssl/ssl_fragment.js b/jstests/ssl/ssl_fragment.js
index 21f01e3f071..f7889551ca2 100644
--- a/jstests/ssl/ssl_fragment.js
+++ b/jstests/ssl/ssl_fragment.js
@@ -21,17 +21,17 @@ function runTest(conn) {
 
 let options = {
     tlsMode: "requireTLS",
-    tlsCertificateKeyFile: "jstests/libs/server.pem",
+    tlsCertificateKeyFile: getX509Path("server.pem"),
     networkMessageCompressors: "disabled",
-    tlsCAFile: "jstests/libs/ca.pem",
+    tlsCAFile: getX509Path("ca.pem"),
     tlsAllowInvalidCertificates: "",
 };
 
 let mongosOptions = {
     tlsMode: "requireTLS",
-    tlsCertificateKeyFile: "jstests/libs/server.pem",
+    tlsCertificateKeyFile: getX509Path("server.pem"),
     networkMessageCompressors: "disabled",
-    tlsCAFile: "jstests/libs/ca.pem",
+    tlsCAFile: getX509Path("ca.pem"),
     tlsAllowInvalidCertificates: "",
 };
 
diff --git a/jstests/ssl/ssl_hostname_validation.js b/jstests/ssl/ssl_hostname_validation.js
index 2730bff5ae5..fbf219aeb60 100644
--- a/jstests/ssl/ssl_hostname_validation.js
+++ b/jstests/ssl/ssl_hostname_validation.js
@@ -2,14 +2,14 @@
 // for client-server and server-server connections
 import {ReplSetTest} from "jstests/libs/replsettest.js";
 
-let CA_CERT = "jstests/libs/ca.pem";
-let SERVER_CERT = "jstests/libs/server.pem";
-let CN_CERT = "jstests/libs/localhostnameCN.pem";
-let SAN_CERT = "jstests/libs/localhostnameSAN.pem";
-let CLIENT_CERT = "jstests/libs/client.pem";
-let BAD_SAN_CERT = "jstests/libs/badSAN.pem";
-let NOSUBJ_CERT = "jstests/libs/server_no_subject.pem";
-let NOSUBJ_NOSAN_CERT = "jstests/libs/server_no_subject_no_SAN.pem";
+let CA_CERT = getX509Path("ca.pem");
+let SERVER_CERT = getX509Path("server.pem");
+let CN_CERT = getX509Path("localhostnameCN.pem");
+let SAN_CERT = getX509Path("localhostnameSAN.pem");
+let CLIENT_CERT = getX509Path("client.pem");
+let BAD_SAN_CERT = getX509Path("badSAN.pem");
+let NOSUBJ_CERT = getX509Path("server_no_subject.pem");
+let NOSUBJ_NOSAN_CERT = getX509Path("server_no_subject_no_SAN.pem");
 
 function testCombination(certPath, allowInvalidHost, allowInvalidCert, shouldSucceed) {
     jsTestLog("Testing certificate: " + JSON.stringify(arguments));
diff --git a/jstests/ssl/ssl_ingress_conn_metrics.js b/jstests/ssl/ssl_ingress_conn_metrics.js
index 4d6fe5da6f0..c68bc37dfd3 100644
--- a/jstests/ssl/ssl_ingress_conn_metrics.js
+++ b/jstests/ssl/ssl_ingress_conn_metrics.js
@@ -19,8 +19,8 @@ let cipherSuite = "TLS_AES_256_GCM_SHA384";
 const mongodOptions = (connectionHealthLoggingOn) => {
     let options = {
         tlsMode: "requireTLS",
-        tlsCertificateKeyFile: "jstests/libs/server.pem",
-        tlsCAFile: "jstests/libs/ca.pem",
+        tlsCertificateKeyFile: getX509Path("server.pem"),
+        tlsCAFile: getX509Path("ca.pem"),
         setParameter: {
             opensslCipherSuiteConfig: cipherSuite,
             enableDetailedConnectionHealthMetricLogLines: connectionHealthLoggingOn,
@@ -39,9 +39,9 @@ function testConn(mongod) {
         mongod.port,
         "--tls",
         "--tlsCAFile",
-        "jstests/libs/ca.pem",
+        getX509Path("ca.pem"),
         "--tlsCertificateKeyFile",
-        "jstests/libs/client.pem",
+        getX509Path("client.pem"),
         "--eval",
         ";",
     );
diff --git a/jstests/ssl/ssl_intermediate_ca.js b/jstests/ssl/ssl_intermediate_ca.js
index 919229b14b4..9738a29897c 100644
--- a/jstests/ssl/ssl_intermediate_ca.js
+++ b/jstests/ssl/ssl_intermediate_ca.js
@@ -4,14 +4,14 @@
 import {determineSSLProvider} from "jstests/ssl/libs/ssl_helpers.js";
 
 // server-intermediate-ca was signed by ca.pem, not trusted-ca.pem
-const VALID_CA = "jstests/libs/ca.pem";
-const INVALID_CA = "jstests/libs/trusted-ca.pem";
+const VALID_CA = getX509Path("ca.pem");
+const INVALID_CA = getX509Path("trusted-ca.pem");
 
 function runTest(inbound, outbound) {
     const mongod = MongoRunner.runMongod({
         tlsMode: "requireTLS",
         tlsAllowConnectionsWithoutCertificates: "",
-        tlsCertificateKeyFile: "jstests/libs/server-intermediate-ca.pem",
+        tlsCertificateKeyFile: getX509Path("server-intermediate-ca.pem"),
         tlsCAFile: outbound,
         tlsClusterCAFile: inbound,
     });
@@ -32,7 +32,7 @@ runTest(VALID_CA, INVALID_CA);
 const mongod = MongoRunner.runMongod({
     tlsMode: "requireTLS",
     tlsAllowConnectionsWithoutCertificates: "",
-    tlsCertificateKeyFile: "jstests/libs/server.pem",
+    tlsCertificateKeyFile: getX509Path("server.pem"),
     tlsCAFile: VALID_CA,
 });
 assert(mongod);
@@ -48,7 +48,7 @@ runTest(VALID_CA, INVALID_CA);
     "--tlsCAFile",
     VALID_CA,
     "--tlsCertificateKeyFile",
-    "jstests/libs/server-intermediate-ca.pem",
+    getX509Path("server-intermediate-ca.pem"),
     "--eval",
     "1;",
 );
@@ -69,8 +69,8 @@ if (determineSSLProvider() === "apple") {
     const mongod = MongoRunner.runMongod({
         tlsMode: "requireTLS",
         tlsAllowConnectionsWithoutCertificates: "",
-        tlsCertificateKeyFile: "jstests/libs/server-intermediate-leaf.pem",
-        tlsCAFile: "jstests/libs/intermediate-ca-chain.pem",
+        tlsCertificateKeyFile: getX509Path("server-intermediate-leaf.pem"),
+        tlsCAFile: getX509Path("intermediate-ca-chain.pem"),
     });
     assert(mongod);
     assert.eq(mongod.getDB("admin").system.users.find({}).toArray(), []);
@@ -85,7 +85,7 @@ if (determineSSLProvider() === "apple") {
         "--tlsCAFile",
         VALID_CA,
         "--tlsCertificateKeyFile",
-        "jstests/libs/client.pem",
+        getX509Path("client.pem"),
         "--eval",
         "1;",
     );
diff --git a/jstests/ssl/ssl_invalid_server_cert.js b/jstests/ssl/ssl_invalid_server_cert.js
index 082b529bfab..215dd224d93 100644
--- a/jstests/ssl/ssl_invalid_server_cert.js
+++ b/jstests/ssl/ssl_invalid_server_cert.js
@@ -23,30 +23,30 @@ const validityMessage = "The provided SSL certificate is expired or not yet vali
 // Test that startup fails with certificate that has yet to become valid.
 const notYetValid = {
     tlsMode: "requireTLS",
-    tlsCertificateKeyFile: "jstests/libs/not_yet_valid.pem",
-    tlsCAFile: "jstests/libs/ca.pem",
+    tlsCertificateKeyFile: getX509Path("not_yet_valid.pem"),
+    tlsCAFile: getX509Path("ca.pem"),
 };
 runTest("not-yet-valid", notYetValid, validityMessage);
 
 // Test that startup fails with expired certificate.
 const expired = {
     tlsMode: "requireTLS",
-    tlsCertificateKeyFile: "jstests/libs/expired.pem",
-    tlsCAFile: "jstests/libs/ca.pem",
+    tlsCertificateKeyFile: getX509Path("expired.pem"),
+    tlsCAFile: getX509Path("ca.pem"),
 };
 runTest("expired", expired, validityMessage);
 
 // Test that startup fails with no certificate at all.
 const needKeyFile = "need tlsCertificateKeyFile or certificateSelector when TLS is enabled";
-runTest("no-key-file", {tlsMode: "requireTLS", tlsCAFile: "jstests/libs/ca.pem"}, needKeyFile);
+runTest("no-key-file", {tlsMode: "requireTLS", tlsCAFile: getX509Path("ca.pem")}, needKeyFile);
 
 // Test that startup also fails if only tlsClusterFile is provided
 runTest(
     "cluster-file-only",
     {
         tlsMode: "requireTLS",
-        tlsCAFile: "jstests/libs/ca.pem",
-        tlsClusterFile: "jstests/libs/client.pem",
+        tlsCAFile: getX509Path("ca.pem"),
+        tlsClusterFile: getX509Path("client.pem"),
     },
     needKeyFile,
 );
@@ -59,7 +59,7 @@ requireSSLProvider(["windows", "apple"], function () {
         "cluster-selector-only",
         {
             tlsMode: "requireTLS",
-            tlsCAFile: "jstests/libs/ca.pem",
+            tlsCAFile: getX509Path("ca.pem"),
             tlsClusterCertificateSelector: selector,
         },
         needKeyFile,
@@ -68,8 +68,8 @@ requireSSLProvider(["windows", "apple"], function () {
     // Test that startup fails if both key file and cert selector are provided
     const keyFileAndSelector = {
         tlsMode: "requireTLS",
-        tlsCAFile: "jstests/libs/ca.pem",
-        tlsCertificateKeyFile: "jstests/libs/client.pem",
+        tlsCAFile: getX509Path("ca.pem"),
+        tlsCertificateKeyFile: getX509Path("client.pem"),
         tlsCertificateSelector: selector,
     };
     runTest(
@@ -81,8 +81,8 @@ requireSSLProvider(["windows", "apple"], function () {
     // Test that startup fails if both cluster file and cluster cert selector are provided
     const clusterFileAndSelector = {
         tlsMode: "requireTLS",
-        tlsCAFile: "jstests/libs/ca.pem",
-        tlsClusterFile: "jstests/libs/client.pem",
+        tlsCAFile: getX509Path("ca.pem"),
+        tlsClusterFile: getX509Path("client.pem"),
         tlsClusterCertificateSelector: selector,
     };
     runTest(
diff --git a/jstests/ssl/ssl_mongodb_x509.js b/jstests/ssl/ssl_mongodb_x509.js
index cfe9657fdea..7a13bb1f375 100644
--- a/jstests/ssl/ssl_mongodb_x509.js
+++ b/jstests/ssl/ssl_mongodb_x509.js
@@ -25,8 +25,8 @@ let startOptions = {
     configsvr: "",
     storageEngine: "wiredTiger",
     tlsMode: "allowTLS",
-    tlsCertificateKeyFile: "jstests/libs/trusted-server.pem",
-    tlsCAFile: "jstests/libs/ca.pem",
+    tlsCertificateKeyFile: getX509Path("trusted-server.pem"),
+    tlsCAFile: getX509Path("ca.pem"),
 };
 
 let configRS = new ReplSetTest(rstOptions);
diff --git a/jstests/ssl/ssl_options.js b/jstests/ssl/ssl_options.js
index 25bed1abe73..12af7428b96 100644
--- a/jstests/ssl/ssl_options.js
+++ b/jstests/ssl/ssl_options.js
@@ -8,11 +8,11 @@ requireSSLProvider("openssl", function () {
     jsTest.log("Testing censorship of ssl options");
 
     const mongodConfig = {
-        tlsCertificateKeyFile: "jstests/libs/password_protected.pem",
+        tlsCertificateKeyFile: getX509Path("password_protected.pem"),
         tlsMode: "requireTLS",
         tlsCertificateKeyFilePassword: "qwerty",
         tlsClusterPassword: "qwerty",
-        tlsCAFile: "jstests/libs/ca.pem",
+        tlsCAFile: getX509Path("ca.pem"),
     };
 
     const mongodSource = MongoRunner.runMongod(mongodConfig);
diff --git a/jstests/ssl/ssl_private_key.js b/jstests/ssl/ssl_private_key.js
index 7c862d0626c..4bf4526d9db 100644
--- a/jstests/ssl/ssl_private_key.js
+++ b/jstests/ssl/ssl_private_key.js
@@ -1,7 +1,7 @@
 // Test that clients support "BEGIN PRIVATE KEY" pems with RSA keys
-const SERVER_CERT = "jstests/libs/server.pem";
-const CA_CERT = "jstests/libs/ca.pem";
-const CLIENT_CERT = "jstests/libs/client_privatekey.pem";
+const SERVER_CERT = getX509Path("server.pem");
+const CA_CERT = getX509Path("ca.pem");
+const CLIENT_CERT = getX509Path("client_privatekey.pem");
 
 function authAndTest(port) {
     const mongo = runMongoProgram(
diff --git a/jstests/ssl/ssl_restricted_protocols.js b/jstests/ssl/ssl_restricted_protocols.js
index 8195fd3f558..80431152da1 100644
--- a/jstests/ssl/ssl_restricted_protocols.js
+++ b/jstests/ssl/ssl_restricted_protocols.js
@@ -3,9 +3,9 @@
 
 import {clientSupportsTLS1_2, clientSupportsTLS1_3, determineSSLProvider} from "jstests/ssl/libs/ssl_helpers.js";
 
-let SERVER_CERT = "jstests/libs/server.pem";
-let CLIENT_CERT = "jstests/libs/client.pem";
-let CA_CERT = "jstests/libs/ca.pem";
+let SERVER_CERT = getX509Path("server.pem");
+let CLIENT_CERT = getX509Path("client.pem");
+let CA_CERT = getX509Path("ca.pem");
 
 const supportsTLS1_2 = clientSupportsTLS1_2();
 const supportsTLS1_3 = clientSupportsTLS1_3();
diff --git a/jstests/ssl/ssl_uri.js b/jstests/ssl/ssl_uri.js
index 0821c7378ef..101e7d48436 100644
--- a/jstests/ssl/ssl_uri.js
+++ b/jstests/ssl/ssl_uri.js
@@ -19,8 +19,8 @@ let shouldFail = function (uri) {
 // Start up a mongod with ssl required.
 let tlsMongo = MongoRunner.runMongod({
     tlsMode: "requireTLS",
-    tlsCertificateKeyFile: "jstests/libs/server.pem",
-    tlsCAFile: "jstests/libs/ca.pem",
+    tlsCertificateKeyFile: getX509Path("server.pem"),
+    tlsCAFile: getX509Path("ca.pem"),
 });
 
 let tlsURI = "mongodb://localhost:" + tlsMongo.port + "/admin";
@@ -36,9 +36,9 @@ let connectWithURI = function (uri) {
         "--tls",
         "--tlsAllowInvalidCertificates",
         "--tlsCAFile",
-        "jstests/libs/ca.pem",
+        getX509Path("ca.pem"),
         "--tlsCertificateKeyFile",
-        "jstests/libs/client.pem",
+        getX509Path("client.pem"),
         uri,
         "--eval",
         "db.runCommand({hello: 1})",
diff --git a/jstests/ssl/ssl_weak.js b/jstests/ssl/ssl_weak.js
index 0b0b224f735..72abd2f9b43 100644
--- a/jstests/ssl/ssl_weak.js
+++ b/jstests/ssl/ssl_weak.js
@@ -6,12 +6,12 @@
 // (an alias for sslWeakCertificateValidation) connects successfully.
 let md = MongoRunner.runMongod({
     tlsMode: "requireTLS",
-    tlsCertificateKeyFile: "jstests/libs/server.pem",
-    tlsCAFile: "jstests/libs/ca.pem",
+    tlsCertificateKeyFile: getX509Path("server.pem"),
+    tlsCAFile: getX509Path("ca.pem"),
     tlsAllowConnectionsWithoutCertificates: "",
 });
 
-let mongo = runMongoProgram("mongo", "--port", md.port, "--tls", "--tlsCAFile", "jstests/libs/ca.pem", "--eval", ";");
+let mongo = runMongoProgram("mongo", "--port", md.port, "--tls", "--tlsCAFile", getX509Path("ca.pem"), "--eval", ";");
 
 // 0 is the exit code for success
 assert(mongo == 0);
@@ -23,9 +23,9 @@ mongo = runMongoProgram(
     md.port,
     "--tls",
     "--tlsCAFile",
-    "jstests/libs/ca.pem",
+    getX509Path("ca.pem"),
     "--tlsCertificateKeyFile",
-    "jstests/libs/client.pem",
+    getX509Path("client.pem"),
     "--eval",
     ";",
 );
@@ -37,11 +37,11 @@ MongoRunner.stopMongod(md);
 // fails to connect.
 let md2 = MongoRunner.runMongod({
     tlsMode: "requireTLS",
-    tlsCertificateKeyFile: "jstests/libs/server.pem",
-    tlsCAFile: "jstests/libs/ca.pem",
+    tlsCertificateKeyFile: getX509Path("server.pem"),
+    tlsCAFile: getX509Path("ca.pem"),
 });
 
-mongo = runMongoProgram("mongo", "--port", md2.port, "--tls", "--tlsCAFile", "jstests/libs/ca.pem", "--eval", ";");
+mongo = runMongoProgram("mongo", "--port", md2.port, "--tls", "--tlsCAFile", getX509Path("ca.pem"), "--eval", ";");
 
 // 1 is the exit code for failure
 assert(mongo == 1);
diff --git a/jstests/ssl/ssl_withhold_client_cert.js b/jstests/ssl/ssl_withhold_client_cert.js
index c1b1ba5f82b..6caeba4ab48 100644
--- a/jstests/ssl/ssl_withhold_client_cert.js
+++ b/jstests/ssl/ssl_withhold_client_cert.js
@@ -26,8 +26,8 @@ function testRS(opts, expectWarning) {
 
 const base_options = {
     tlsMode: "requireTLS",
-    tlsCertificateKeyFile: "jstests/libs/server.pem",
-    tlsCAFile: "jstests/libs/ca.pem",
+    tlsCertificateKeyFile: getX509Path("server.pem"),
+    tlsCAFile: getX509Path("ca.pem"),
     tlsAllowInvalidHostnames: "",
     useLogFiles: true,
 };
diff --git a/jstests/ssl/ssl_x509_SAN.js b/jstests/ssl/ssl_x509_SAN.js
index a5f41283e94..049fee69111 100644
--- a/jstests/ssl/ssl_x509_SAN.js
+++ b/jstests/ssl/ssl_x509_SAN.js
@@ -1,7 +1,7 @@
-const SERVER1_CERT = "jstests/libs/server_SAN.pem";
-const SERVER2_CERT = "jstests/libs/server_SAN2.pem";
-const CA_CERT = "jstests/libs/ca.pem";
-const CLIENT_CERT = "jstests/libs/client.pem";
+const SERVER1_CERT = getX509Path("server_SAN.pem");
+const SERVER2_CERT = getX509Path("server_SAN2.pem");
+const CA_CERT = getX509Path("ca.pem");
+const CLIENT_CERT = getX509Path("client.pem");
 
 // Some test machines lack ipv6 so test for by starting a mongod that needs to bind to an ipv6
 // address.
diff --git a/jstests/ssl/ssl_x509_roles.js b/jstests/ssl/ssl_x509_roles.js
index 54083ed69d3..bef1d976ab9 100644
--- a/jstests/ssl/ssl_x509_roles.js
+++ b/jstests/ssl/ssl_x509_roles.js
@@ -2,13 +2,13 @@
 // Also validates RFC2253
 import {ShardingTest} from "jstests/libs/shardingtest.js";
 
-const SERVER_CERT = "jstests/libs/server.pem";
-const CA_CERT = "jstests/libs/ca.pem";
-const CLIENT_CERT = "jstests/libs/client_roles.pem";
-const CLIENT_ESCAPE_CERT = "jstests/libs/client_escape.pem";
-const CLIENT_UTF8_CERT = "jstests/libs/client_utf8.pem";
-const CLIENT_EMAIL_CERT = "jstests/libs/client_email.pem";
-const CLIENT_CERT_NO_ROLES = "jstests/libs/client.pem";
+const SERVER_CERT = getX509Path("server.pem");
+const CA_CERT = getX509Path("ca.pem");
+const CLIENT_CERT = getX509Path("client_roles.pem");
+const CLIENT_ESCAPE_CERT = getX509Path("client_escape.pem");
+const CLIENT_UTF8_CERT = getX509Path("client_utf8.pem");
+const CLIENT_EMAIL_CERT = getX509Path("client_email.pem");
+const CLIENT_CERT_NO_ROLES = getX509Path("client.pem");
 
 const CLIENT_USER_NO_ROLES = "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US";
 const smokeScript = "assert(db.getSiblingDB('$external').auth({ mechanism: 'MONGODB-X509' }));";
diff --git a/jstests/ssl/tlsCATrusts.js b/jstests/ssl/tlsCATrusts.js
index 7fbe42860b9..5eb45412acf 100644
--- a/jstests/ssl/tlsCATrusts.js
+++ b/jstests/ssl/tlsCATrusts.js
@@ -2,23 +2,23 @@ import {requireSSLProvider} from "jstests/ssl/libs/ssl_helpers.js"; requireSSLProvider("openssl", function () { - const SERVER_CERT = "jstests/libs/server.pem"; - const COMBINED_CA_CERT = "jstests/ssl/x509/root-and-trusted-ca.pem"; - const CA_HASH = cat("jstests/libs/ca.pem.digest.sha256"); - const TRUSTED_CA_HASH = cat("jstests/libs/trusted-ca.pem.digest.sha256"); + const SERVER_CERT = getX509Path("server.pem"); + const COMBINED_CA_CERT = getX509Path("root-and-trusted-ca.pem"); + const CA_HASH = cat(getX509Path("ca.pem.digest.sha256")); + const TRUSTED_CA_HASH = cat(getX509Path("trusted-ca.pem.digest.sha256")); // Common suffix, keep the lines short. const RDN_SUFFIX = ",O=MongoDB,L=New York City,ST=New York,C=US"; const USERS = []; const CLIENT = { - cert: "jstests/libs/client.pem", + cert: getX509Path("client.pem"), roles: [], }; USERS.push("CN=client,OU=KernelUser"); const CLIENT_ROLES = { - cert: "jstests/libs/client_roles.pem", + cert: getX509Path("client_roles.pem"), roles: [ {role: "backup", db: "admin"}, {role: "readAnyDatabase", db: "admin"}, @@ -27,7 +27,7 @@ requireSSLProvider("openssl", function () { USERS.push("CN=Kernel Client Peer Role,OU=Kernel Users"); const TRUSTED_CLIENT_TESTDB_ROLES = { - cert: "jstests/ssl/x509/trusted-client-testdb-roles.pem", + cert: getX509Path("trusted-client-testdb-roles.pem"), roles: [ {role: "role1", db: "testDB"}, {role: "role2", db: "testDB"}, diff --git a/jstests/ssl/tls_enumerator.py b/jstests/ssl/tls_enumerator.py index b2aa95c31aa..90fd91101ea 100644 --- a/jstests/ssl/tls_enumerator.py +++ b/jstests/ssl/tls_enumerator.py @@ -90,5 +90,4 @@ if __name__ == "__main__": for cipher, error in exception_ciphers.items(): print(cipher + "\tError: " + error) - with open(args.outfile, "w+") as outfile: - json.dump(results, outfile) + print("Enumeration results:", json.dumps(results)) diff --git a/jstests/ssl/upgrade_to_ssl.js b/jstests/ssl/upgrade_to_ssl.js index 0a3d14cb817..9afa6f4d3be 100644 
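Review bot: The tls_enumerator.py hunk replaces the write of `results` to `args.outfile` with a print, but nothing in the hunk removes or repurposes the `outfile` argument, so if the argparse definition above the hunk still declares it, the option is now accepted and silently ignored; it should be dropped or rejected. The JSON also now shares stdout with the per-cipher `print(cipher + "\tError: " + error)` lines, so any consumer has to key on the `Enumeration results:` prefix to find the payload; that contract deserves a comment on the new line, e.g. `# Results go to stdout for the calling test to parse; keep the prefix stable.` The enclosing `if __name__ == "__main__":` block begins outside the hunk.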
--- a/jstests/ssl/upgrade_to_ssl.js
+++ b/jstests/ssl/upgrade_to_ssl.js
@@ -16,7 +16,7 @@ let opts = {
     tlsCertificateKeyFile: SERVER_CERT,
     tlsAllowInvalidCertificates: "",
     tlsAllowConnectionsWithoutCertificates: "",
-    tlsCAFile: "jstests/libs/ca.pem",
+    tlsCAFile: getX509Path("ca.pem"),
 };
 let rst = new ReplSetTest({name: "tlsSet", nodes: 3, nodeOptions: opts});
 rst.startSet();
diff --git a/jstests/ssl/user_cache_entry_lifetime.js b/jstests/ssl/user_cache_entry_lifetime.js
index 5c34f7e98f7..a22da992db5 100644
--- a/jstests/ssl/user_cache_entry_lifetime.js
+++ b/jstests/ssl/user_cache_entry_lifetime.js
@@ -1,8 +1,8 @@
 // Test that we can safely use entries in the user cache created by old connections.
 
-const SERVER_CERT = "jstests/libs/server.pem";
-const CA_CERT = "jstests/libs/ca.pem";
-const CLIENT_CERT = "jstests/libs/client_roles.pem";
+const SERVER_CERT = getX509Path("server.pem");
+const CA_CERT = getX509Path("ca.pem");
+const CLIENT_CERT = getX509Path("client_roles.pem");
 
 function runTest(port) {
     // Run given test function in a parallel shell.
diff --git a/jstests/ssl/x509_all_the_oids.js b/jstests/ssl/x509_all_the_oids.js
index d4bd82e4662..101ccc0b38c 100644
--- a/jstests/ssl/x509_all_the_oids.js
+++ b/jstests/ssl/x509_all_the_oids.js
@@ -1,7 +1,7 @@
 // Test X509 auth with all known RDN OIDs.
 
-const SERVER_CERT = "jstests/libs/server.pem";
-const CA_CERT = "jstests/libs/ca.pem";
+const SERVER_CERT = getX509Path("server.pem");
+const CA_CERT = getX509Path("ca.pem");
 
 function runTest(conn) {
     const script = "assert(db.getSiblingDB('$external').auth({mechanism: 'MONGODB-X509'}));";
@@ -11,7 +11,7 @@ function runTest(conn) {
         "--tls",
         "--tlsAllowInvalidHostnames",
         "--tlsCertificateKeyFile",
-        "jstests/libs/client-all-the-oids.pem",
+        getX509Path("client-all-the-oids.pem"),
         "--tlsCAFile",
         CA_CERT,
         "--port",
@@ -26,7 +26,7 @@ function runTest(conn) {
 
     const output = rawMongoProgramOutput(".*");
     const NAME =
-        "role=Datum-72,pseudonym=Datum-65,dmdName=Datum-54,deltaRevocationList=Datum-53,supportedAlgorithms=Datum-52,houseIdentifier=Datum-51,uniqueMember=Datum-50,distinguishedName=Datum-49,protocolInformation=Datum-48,enhancedSearchGuide=Datum-47,dnQualifier=Datum-46,x500UniqueIdentifier=Datum-45,generationQualifier=Datum-44,initials=Datum-43,GN=Datum-42,name=Datum-41,crossCertificatePair=Datum-40,certificateRevocationList=Datum-39,authorityRevocationList=Datum-38,cACertificate=Datum-37,userCertificate=Datum-36,userPassword=Datum-35,seeAlso=Datum-34,roleOccupant=Datum-33,owner=Datum-32,member=Datum-31,supportedApplicationContext=Datum-30,presentationAddress=Datum-29,preferredDeliveryMethod=Datum-28,destinationIndicator=Datum-27,registeredAddress=Datum-26,internationaliSDNNumber=Datum-25,x121Address=Datum-24,facsimileTelephoneNumber=Datum-23,teletexTerminalIdentifier=Datum-22,telexNumber=Datum-21,telephoneNumber=Datum-20,physicalDeliveryOfficeName=Datum-19,postOfficeBox=Datum-18,postalCode=Datum-17,postalAddress=Datum-16,businessCategory=Datum-15,searchGuide=Datum-14,description=Datum-13,title=Datum-12,OU=Datum-11,O=Datum-10,street=Datum-9,ST=NY,L=Datum-7,C=US,serialNumber=Datum-5,SN=Datum-4,CN=Datum-3";
+        "street=Datum-9,role=Datum-72,pseudonym=Datum-65,dmdName=Datum-54,deltaRevocationList=Datum-53,supportedAlgorithms=Datum-52,houseIdentifier=Datum-51,uniqueMember=Datum-50,serialNumber=Datum-5,distinguishedName=Datum-49,protocolInformation=Datum-48,enhancedSearchGuide=Datum-47,dnQualifier=Datum-46,x500UniqueIdentifier=Datum-45,generationQualifier=Datum-44,initials=Datum-43,GN=Datum-42,name=Datum-41,crossCertificatePair=Datum-40,SN=Datum-4,certificateRevocationList=Datum-39,authorityRevocationList=Datum-38,cACertificate=Datum-37,userCertificate=Datum-36,userPassword=Datum-35,seeAlso=Datum-34,roleOccupant=Datum-33,owner=Datum-32,member=Datum-31,supportedApplicationContext=Datum-30,presentationAddress=Datum-29,preferredDeliveryMethod=Datum-28,destinationIndicator=Datum-27,registeredAddress=Datum-26,internationaliSDNNumber=Datum-25,x121Address=Datum-24,facsimileTelephoneNumber=Datum-23,teletexTerminalIdentifier=Datum-22,telexNumber=Datum-21,telephoneNumber=Datum-20,physicalDeliveryOfficeName=Datum-19,postOfficeBox=Datum-18,postalCode=Datum-17,postalAddress=Datum-16,businessCategory=Datum-15,searchGuide=Datum-14,description=Datum-13,title=Datum-12,CN=Datum-3,OU=Datum-11,O=Datum-10,L=Datum-7,ST=NY,C=US";
 
     assert(
         output.includes('Error: Could not find user "' + NAME + '" for db "$external"'),
diff --git a/jstests/ssl/x509_client.js b/jstests/ssl/x509_client.js
index d5e630ebe9d..29e3a095dd1 100644
--- a/jstests/ssl/x509_client.js
+++ b/jstests/ssl/x509_client.js
@@ -2,8 +2,8 @@
 
 import {ShardingTest} from "jstests/libs/shardingtest.js";
 
-const SERVER_CERT = "jstests/libs/server.pem";
-const CA_CERT = "jstests/libs/ca.pem";
+const SERVER_CERT = getX509Path("server.pem");
+const CA_CERT = getX509Path("ca.pem");
 
 const INTERNAL_USER = "CN=internal,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US";
 const SERVER_USER = "CN=server,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US";
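Review bot: The new expected `NAME` in x509_all_the_oids.js pins a specific RDN order (street, serialNumber and SN move forward, CN now sits between title and OU), presumably the order in which the generated client-all-the-oids.pem emits its subject, but nothing in the hunk says where that order comes from. Because the `$external` username is the rendered subject string, a regenerated certificate with a different attribute order is a different user, and this assertion is the only thing that would notice; a comment above `const NAME =` such as `// Must match the subject of client-all-the-oids.pem attribute-for-attribute: X.509 usernames are order-sensitive, so regenerating the cert with a different RDN order changes the user.` would make the coupling explicit. runTest starts and ends outside the hunk.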
diff --git a/jstests/ssl/x509_custom.js b/jstests/ssl/x509_custom.js
index 5a5348a5576..8fc78b02afd 100644
--- a/jstests/ssl/x509_custom.js
+++ b/jstests/ssl/x509_custom.js
@@ -12,9 +12,9 @@ function testClient(conn, name) {
         "--tls",
         "--tlsAllowInvalidHostnames",
         "--tlsCertificateKeyFile",
-        "jstests/libs/client-custom-oids.pem",
+        getX509Path("client-custom-oids.pem"),
         "--tlsCAFile",
-        "jstests/libs/ca.pem",
+        getX509Path("ca.pem"),
         "--port",
         conn.port,
         "--eval",
@@ -26,7 +26,7 @@ function testClient(conn, name) {
 
 function runTest(conn) {
     const NAME =
-        "1.2.3.45=Value\\,Rando,1.2.3.56=RandoValue,CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US";
+        "1.2.3.56=RandoValue,1.2.3.45=Value\\,Rando,CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US";
     const admin = conn.getDB("admin");
     admin.createUser({user: "admin", pwd: "admin", roles: ["root"]});
     admin.auth("admin", "admin");
@@ -43,9 +43,9 @@ const mongod = MongoRunner.runMongod({
     auth: "",
     tlsMode: "requireTLS",
     // Server PEM file is server.pem to match the shell's ca.pem.
-    tlsCertificateKeyFile: "jstests/libs/server.pem",
-    // Server CA file is non-expiring-ca.pem to match the shell's client-custom-oids.pem.
-    tlsCAFile: "jstests/libs/non-expiring-ca.pem",
+    tlsCertificateKeyFile: getX509Path("server.pem"),
+    // Server CA file is ca.pem to match the shell's client-custom-oids.pem.
+    tlsCAFile: getX509Path("ca.pem"),
     tlsAllowInvalidCertificates: "",
 });
 runTest(mongod);
diff --git a/jstests/ssl/x509_enforce_user_cluster_separation.js b/jstests/ssl/x509_enforce_user_cluster_separation.js
index ac7c9ac7e6a..88ca3c75572 100644
--- a/jstests/ssl/x509_enforce_user_cluster_separation.js
+++ b/jstests/ssl/x509_enforce_user_cluster_separation.js
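Review bot: The swapped order of `1.2.3.56=RandoValue` and `1.2.3.45=Value\\,Rando` in `NAME` in the second hunk, together with the third hunk moving the server's trust anchor from non-expiring-ca.pem to ca.pem, means both the identity string and the CA for client-custom-oids.pem are now dictated by the certificate generator, but neither hunk records that dependency. A one-line comment at `const NAME =`, e.g. `// Custom-OID order must match the generated client-custom-oids.pem; the X.509 username is order-sensitive.`, would keep the next regeneration from being debugged from the auth failure alone. runTest starts and ends outside the second hunk.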
@@ -2,10 +2,10 @@
 
 import {ShardingTest} from "jstests/libs/shardingtest.js";
 
-const SERVER_CERT = "jstests/libs/server.pem";
-const SERVER_SAN_CERT = "jstests/libs/server_SAN.pem";
-const CLIENT_CERT = "jstests/libs/client.pem";
-const CA_CERT = "jstests/libs/ca.pem";
+const SERVER_CERT = getX509Path("server.pem");
+const SERVER_SAN_CERT = getX509Path("server_SAN.pem");
+const CLIENT_CERT = getX509Path("client.pem");
+const CA_CERT = getX509Path("ca.pem");
 
 const SERVER_USER = "CN=server,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US";
 const SERVER_SAN_USER = "CN=Kernel Client Peer Role,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US";
diff --git a/jstests/ssl/x509_expiring.js b/jstests/ssl/x509_expiring.js
index abacff922f6..9934082ae64 100644
--- a/jstests/ssl/x509_expiring.js
+++ b/jstests/ssl/x509_expiring.js
@@ -1,7 +1,7 @@
 // Verify a warning is emitted when a certificate is about to expire.
 
-const SERVER_CERT = "jstests/libs/server.pem";
-const CA_CERT = "jstests/libs/ca.pem";
+const SERVER_CERT = getX509Path("server.pem");
+const CA_CERT = getX509Path("ca.pem");
 
 const CLIENT_USER = "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US";
 function test(expiration, expect) {
diff --git a/jstests/ssl/x509_extended_key_usage.js b/jstests/ssl/x509_extended_key_usage.js
index 26cc502b661..ee09ff055ee 100644
--- a/jstests/ssl/x509_extended_key_usage.js
+++ b/jstests/ssl/x509_extended_key_usage.js
@@ -3,17 +3,17 @@
 import {ReplSetTest} from "jstests/libs/replsettest.js";
 import {isMacOS} from "jstests/ssl/libs/ssl_helpers.js";
 
-const kServerAuthClientCert = "jstests/libs/client_with_serverAuth_eku.pem";
-const kBothEKUsClientCert = "jstests/libs/client_with_serverAuth_and_clientAuth_eku.pem";
-const kNoEKUsClientCert = "jstests/libs/client_without_eku.pem";
-const kClientAuthClientCert = "jstests/libs/client.pem";
+const kServerAuthClientCert = getX509Path("client_with_serverAuth_eku.pem");
+const kBothEKUsClientCert = getX509Path("client_with_serverAuth_and_clientAuth_eku.pem");
+const kNoEKUsClientCert = getX509Path("client_without_eku.pem");
+const kClientAuthClientCert = getX509Path("client.pem");
 
-const kClientAuthServerCert = "jstests/libs/server_with_clientAuth_eku.pem";
-const kBothEKUsServerCert = "jstests/libs/server.pem";
-const kNoEKUsServerCert = "jstests/libs/server_without_eku.pem";
-const kServerAuthServerCert = "jstests/libs/server_with_serverAuth_eku.pem";
+const kClientAuthServerCert = getX509Path("server_with_clientAuth_eku.pem");
+const kBothEKUsServerCert = getX509Path("server.pem");
+const kNoEKUsServerCert = getX509Path("server_without_eku.pem");
+const kServerAuthServerCert = getX509Path("server_with_serverAuth_eku.pem");
 
-const kCACert = "jstests/libs/ca.pem";
+const kCACert = getX509Path("ca.pem");
 
 function testClientAuthEKU(conn, clientCert, shouldFail) {
     clearRawMongoProgramOutput();
@@ -24,7 +24,7 @@ function testClientAuthEKU(conn, clientCert, shouldFail) {
         "--tlsCertificateKeyFile",
         clientCert,
         "--tlsCAFile",
-        "jstests/libs/ca.pem",
+        getX509Path("ca.pem"),
         "--port",
         conn.port,
         "--eval",
@@ -91,8 +91,8 @@ function testServerAuthEKU(serverCert, shouldFail) { auth: "", tlsMode: "requireTLS", // Server PEM file is server.pem to match the shell's ca.pem. - tlsCertificateKeyFile: "jstests/libs/server.pem", - tlsCAFile: "jstests/libs/ca.pem", + tlsCertificateKeyFile: getX509Path("server.pem"), + tlsCAFile: getX509Path("ca.pem"), tlsAllowInvalidCertificates: "", }); testClientAuthEKU(mongod, kClientAuthClientCert, false /* shouldFail */); diff --git a/jstests/ssl/x509_invalid.js b/jstests/ssl/x509_invalid.js index 6761e8918aa..a9bfd5e9956 100644 --- a/jstests/ssl/x509_invalid.js +++ b/jstests/ssl/x509_invalid.js @@ -1,10 +1,10 @@ // Test X509 auth when --tlsAllowInvalidCertificates is enabled const CLIENT_NAME = "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US"; -const CLIENT_CERT = "jstests/libs/client.pem"; -const SERVER_CERT = "jstests/libs/server.pem"; -const CA_CERT = "jstests/libs/ca.pem"; -const SELF_SIGNED_CERT = "jstests/libs/client-self-signed.pem"; +const CLIENT_CERT = getX509Path("client.pem"); +const SERVER_CERT = getX509Path("server.pem"); +const CA_CERT = getX509Path("ca.pem"); +const SELF_SIGNED_CERT = getX509Path("client-self-signed.pem"); function hasX509AuthSucceeded(conn) { if (checkLog.checkContainsOnce(conn, "No verified subject name available from client")) { diff --git a/jstests/ssl/x509_multivalue.js b/jstests/ssl/x509_multivalue.js index d05846fd44d..bc28b6c0163 100644 --- a/jstests/ssl/x509_multivalue.js +++ b/jstests/ssl/x509_multivalue.js @@ -1,7 +1,7 @@ // Test X509 auth with custom OIDs. -const SERVER_CERT = "jstests/libs/server.pem"; -const CA_CERT = "jstests/libs/ca.pem"; +const SERVER_CERT = getX509Path("server.pem"); +const CA_CERT = getX509Path("ca.pem"); function testClient(conn, name) { let auth = {mechanism: "MONGODB-X509"}; 
@@ -15,7 +15,7 @@ function testClient(conn, name) { "--tls", "--tlsAllowInvalidHostnames", "--tlsCertificateKeyFile", - "jstests/libs/client-multivalue-rdn.pem", + getX509Path("client-multivalue-rdn.pem"), "--tlsCAFile", CA_CERT, "--port", diff --git a/jstests/ssl/x509_rotate_missing_files.js b/jstests/ssl/x509_rotate_missing_files.js index 0e256136e92..5eaf6b4e6eb 100644 --- a/jstests/ssl/x509_rotate_missing_files.js +++ b/jstests/ssl/x509_rotate_missing_files.js @@ -15,10 +15,10 @@ function deleteFile(file) { const dbPath = MongoRunner.toRealDir("$dataDir/cluster_x509_rotate_test/"); mkdir(dbPath); -copyCertificateFile("jstests/libs/ca.pem", dbPath + "/ca-test.pem"); -copyCertificateFile("jstests/libs/client.pem", dbPath + "/client-test.pem"); -copyCertificateFile("jstests/libs/server.pem", dbPath + "/server-test.pem"); -copyCertificateFile("jstests/libs/crl.pem", dbPath + "/crl-test.pem"); +copyCertificateFile(getX509Path("ca.pem"), dbPath + "/ca-test.pem"); +copyCertificateFile(getX509Path("client.pem"), dbPath + "/client-test.pem"); +copyCertificateFile(getX509Path("server.pem"), dbPath + "/server-test.pem"); +copyCertificateFile(getX509Path("crl.pem"), dbPath + "/crl-test.pem"); const mongod = MongoRunner.runMongod({ tlsMode: "requireTLS", 
@@ -35,10 +35,10 @@ if (determineSSLProvider() !== "apple") { } for (let certType of certTypes) { - copyCertificateFile("jstests/libs/ca.pem", dbPath + "/ca-test.pem"); - copyCertificateFile("jstests/libs/client.pem", dbPath + "/client-test.pem"); - copyCertificateFile("jstests/libs/server.pem", dbPath + "/server-test.pem"); - copyCertificateFile("jstests/libs/crl.pem", dbPath + "/crl-test.pem"); + copyCertificateFile(getX509Path("ca.pem"), dbPath + "/ca-test.pem"); + copyCertificateFile(getX509Path("client.pem"), dbPath + "/client-test.pem"); + copyCertificateFile(getX509Path("server.pem"), dbPath + "/server-test.pem"); + copyCertificateFile(getX509Path("crl.pem"), dbPath + "/crl-test.pem"); assert.commandWorked(mongod.adminCommand({rotateCertificates: 1})); deleteFile(`${dbPath}/${certType}-test.pem`); diff --git a/jstests/ssl/x509_startup_certificate_info.js b/jstests/ssl/x509_startup_certificate_info.js index 8f4c89f2aee..e9425eb1d1b 100644 --- a/jstests/ssl/x509_startup_certificate_info.js +++ b/jstests/ssl/x509_startup_certificate_info.js @@ -3,10 +3,10 @@ import {ShardingTest} from "jstests/libs/shardingtest.js"; import {determineSSLProvider} from "jstests/ssl/libs/ssl_helpers.js"; -const CA_CERT = "jstests/libs/ca.pem"; -const SERVER_CERT = "jstests/libs/server.pem"; -const CLUSTER_CERT = "jstests/libs/cluster_cert.pem"; -const CRL_FILE = "jstests/libs/crl.pem"; +const CA_CERT = getX509Path("ca.pem"); +const SERVER_CERT = getX509Path("server.pem"); +const CLUSTER_CERT = getX509Path("cluster_cert.pem"); +const CRL_FILE = getX509Path("crl.pem"); const SERVER_CERT_INFO = { "type": "Server", diff --git a/jstests/ssl/x509_startup_warning.js b/jstests/ssl/x509_startup_warning.js index 21e64b841a9..f0f3f6eb497 100644 --- a/jstests/ssl/x509_startup_warning.js +++ b/jstests/ssl/x509_startup_warning.js 
@@ -30,8 +30,8 @@ function runTest(checkMongos, opts, expectWarningCertifcates, expectWarningHostn { auth: "", tlsMode: "preferTLS", - tlsCertificateKeyFile: "jstests/libs/server.pem", - tlsCAFile: "jstests/libs/ca.pem", + tlsCertificateKeyFile: getX509Path("server.pem"), + tlsCAFile: getX509Path("ca.pem"), waitForConnect: false, }, opts, diff --git a/jstests/sslSpecial/cluster_auth_x509_rolling_configuration.js b/jstests/sslSpecial/cluster_auth_x509_rolling_configuration.js index 7c464906c0a..6ebd6beeb63 100644 --- a/jstests/sslSpecial/cluster_auth_x509_rolling_configuration.js +++ b/jstests/sslSpecial/cluster_auth_x509_rolling_configuration.js @@ -19,8 +19,8 @@ if (determineSSLProvider() !== "openssl") { */ // Subject: C=US, ST=New York, L=New York, O=MongoDB, OU=Kernel, CN=server const originalDNAttributes = "O=MongoDB, OU=Kernel"; -const originalCert = "jstests/libs/server.pem"; -const originalCACert = "jstests/libs/ca.pem"; +const originalCert = getX509Path("server.pem"); +const originalCACert = getX509Path("ca.pem"); const defaultPolicyClusterAuthX509Override = { attributes: originalDNAttributes, }; @@ -30,7 +30,7 @@ const defaultPolicyClusterAuthX509Override = { */ // Subject: C=US, ST=New York, L=New York City, CN=server, title=foo const fooTitleDNAttributes = "C=US, ST=New York, L=New York City, title=foo"; -const fooTitleDNCert = "jstests/libs/server_title_foo_no_o_ou_dc.pem"; +const fooTitleDNCert = getX509Path("server_title_foo_no_o_ou_dc.pem"); const fooTitleClusterAuthX509Override = { attributes: fooTitleDNAttributes, }; 
@@ -40,21 +40,21 @@ const fooTitleClusterAuthX509Override = { */ // Subject: C=US, ST=New York, L=New York City, O=MongoDB, OU=Kernel, CN=server, title=bar const barTitleDNAttributes = "C=US, ST=New York, L=New York City, title=bar"; -const barTitleDNCert = "jstests/libs/server_title_bar.pem"; +const barTitleDNCert = getX509Path("server_title_bar.pem"); const barTitleClusterAuthX509Override = { attributes: barTitleDNAttributes, }; /** * This is the path of the certificate containing the cluster membership extension set to 'foo'. */ -const fooExtensionCert = "jstests/ssl/libs/cluster-member-foo.pem"; +const fooExtensionCert = getX509Path("cluster-member-foo.pem"); const fooExtensionClusterAuthX509Override = { extensionValue: "foo", }; /** * This is the path of the certificate containing the cluster membership extension set to 'bar'. */ -const barExtensionCert = "jstests/ssl/libs/cluster-member-bar.pem"; +const barExtensionCert = getX509Path("cluster-member-bar.pem"); const barExtensionClusterAuthX509Override = { extensionValue: "bar", }; diff --git a/jstests/sslSpecial/cluster_auth_x509_subject_attributes.js b/jstests/sslSpecial/cluster_auth_x509_subject_attributes.js index b4d3287054e..b4a5c26b997 100644 --- a/jstests/sslSpecial/cluster_auth_x509_subject_attributes.js +++ b/jstests/sslSpecial/cluster_auth_x509_subject_attributes.js 
@@ -22,29 +22,29 @@ const clusterMembershipOverrideDN = * tlsClusterAuthX509Attributes. */ // Subject: CN=server, title=foo, C=US, ST=New York, L=New York City, O=MongoDB, OU=Kernel -const serverTitleFooCert = "jstests/libs/server_title_foo.pem"; +const serverTitleFooCert = getX509Path("server_title_foo.pem"); // Subject: CN=clusterTest, title=foo, C=US, ST=New York, L=New York City, O=MongoDB, OU=Kernel -const clusterTitleFooCert = "jstests/libs/cluster_title_foo.pem"; +const clusterTitleFooCert = getX509Path("cluster_title_foo.pem"); /** * Member certificates whose subjects do not include DC, OU, or O. */ // Subject: CN=server, title=foo, C=US, ST=New York, L=New York City -const serverTitleFooNoDefaultCert = "jstests/libs/server_title_foo_no_o_ou_dc.pem"; +const serverTitleFooNoDefaultCert = getX509Path("server_title_foo_no_o_ou_dc.pem"); // Subject: CN=clusterTest, title=foo, C=US, ST=New York, L=New York City -const clusterTitleFooNoDefaultCert = "jstests/libs/cluster_title_foo_no_o_ou_dc.pem"; +const clusterTitleFooNoDefaultCert = getX509Path("cluster_title_foo_no_o_ou_dc.pem"); /** * Certificates that will not satisfy clusterMembershipAttributesDN. */ // Subject: CN=server, title=bar, C=US, ST=New York, L=New York City, O=MongoDB, OU=Kernel -const serverTitleBarCert = "jstests/libs/server_title_bar.pem"; +const serverTitleBarCert = getX509Path("server_title_bar.pem"); // Subject: CN=server, C=US, ST=New York, L=New York City, O=MongoDB, OU=Kernel -const serverDefaultOnlyCert = "jstests/libs/server.pem"; +const serverDefaultOnlyCert = getX509Path("server.pem"); // Subject: CN=clusterTest, C=US, ST=New York, L=New York City, O=MongoDB, OU=Kernel -const clusterDefaultOnlyCert = "jstests/libs/cluster_cert.pem"; +const clusterDefaultOnlyCert = getX509Path("cluster_cert.pem"); -const serverCAFile = "jstests/libs/ca.pem"; +const serverCAFile = getX509Path("ca.pem"); function assertNoStart(opts, errmsg) { clearRawMongoProgramOutput(); 
@@ -200,11 +200,11 @@ runValidMongodTest( opts, {user: "__system", certificate: serverDefaultOnlyCert}, { - user: "L=New York City,ST=New York,C=US,title=foo,CN=server", + user: "title=foo,CN=server,L=New York City,ST=New York,C=US", certificate: serverTitleFooNoDefaultCert, }, { - user: "L=New York City,ST=New York,C=US,title=foo,CN=clustertest", + user: "title=foo,CN=clustertest,L=New York City,ST=New York,C=US", certificate: clusterTitleFooNoDefaultCert, }, ); diff --git a/jstests/sslSpecial/shardsvr_ssl_restart.js b/jstests/sslSpecial/shardsvr_ssl_restart.js index 7965ff0ce27..3b5eea3f3e6 100644 --- a/jstests/sslSpecial/shardsvr_ssl_restart.js +++ b/jstests/sslSpecial/shardsvr_ssl_restart.js @@ -12,13 +12,13 @@ import {ShardingTest} from "jstests/libs/shardingtest.js"; const st = new ShardingTest({shards: {rs0: {nodes: 1}}}); let opts = { tlsMode: "allowTLS", - tlsCertificateKeyFile: "jstests/libs/client.pem", - tlsCAFile: "jstests/libs/ca.pem", + tlsCertificateKeyFile: getX509Path("client.pem"), + tlsCAFile: getX509Path("ca.pem"), shardsvr: "", }; requireSSLProvider("openssl", function () { // Only the OpenSSL provider supports encrypted PKCS#8 - opts.tlsCertificateKeyFile = "jstests/libs/password_protected.pem"; + opts.tlsCertificateKeyFile = getX509Path("password_protected.pem"); opts.tlsCertificateKeyFilePassword = "qwerty"; }); diff --git a/jstests/sslSpecial/ssl_cipher_default.js b/jstests/sslSpecial/ssl_cipher_default.js index 9a8c7780195..e16d39af3bc 100644 --- a/jstests/sslSpecial/ssl_cipher_default.js +++ b/jstests/sslSpecial/ssl_cipher_default.js @@ -23,8 +23,8 @@ assertCorrectConfig({sslMode: "disabled"}, defaultConfig); assertCorrectConfig( { sslMode: "allowSSL", - sslPEMKeyFile: "jstests/libs/server.pem", - sslCAFile: "jstests/libs/ca.pem", + sslPEMKeyFile: getX509Path("server.pem"), + sslCAFile: getX509Path("ca.pem"), }, defaultConfig, ); 
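Review bot: The expected MONGODB-X509 user names for the `_no_o_ou_dc` certificates now read `title=foo,CN=server,L=New York City,ST=New York,C=US`, which (assuming the string is the certificate subject reversed, as the old value was) means the generated certificates carry their subject as `C=US, ST=New York, L=New York City, CN=server, title=foo`; the `// Subject: CN=server, title=foo, C=US, ST=New York, L=New York City` and matching `CN=clusterTest` comments documenting these certificates at the top of the file (hunk `@@ -22,29`) still describe the old ordering. Update those two comments to the generated order, e.g. `// Subject: C=US, ST=New York, L=New York City, CN=server, title=foo`, so a reader does not reconstruct the wrong DN from them. Since subject ordering is what the DN-based user name is built from, anything else in the tree that pins the old literal for these certificates would need the same update — worth a grep. The runValidMongodTest call starts before this hunk.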
@@ -33,8 +33,8 @@ assertCorrectConfig( assertCorrectConfig( { sslMode: "allowSSL", - sslPEMKeyFile: "jstests/libs/server.pem", - sslCAFile: "jstests/libs/ca.pem", + sslPEMKeyFile: getX509Path("server.pem"), + sslCAFile: getX509Path("ca.pem"), setParameter: "opensslCipherConfig=HIGH", }, "HIGH", @@ -43,8 +43,8 @@ assertCorrectConfig( assertCorrectConfig( { sslMode: "allowSSL", - sslPEMKeyFile: "jstests/libs/server.pem", - sslCAFile: "jstests/libs/ca.pem", + sslPEMKeyFile: getX509Path("server.pem"), + sslCAFile: getX509Path("ca.pem"), tlsCipherConfig: "HIGH", }, "HIGH", diff --git a/jstests/sslSpecial/ssl_ecdsa_cert.js b/jstests/sslSpecial/ssl_ecdsa_cert.js index 49d63921860..9efe24dacfc 100644 --- a/jstests/sslSpecial/ssl_ecdsa_cert.js +++ b/jstests/sslSpecial/ssl_ecdsa_cert.js @@ -1,9 +1,9 @@ import {requireSSLProvider} from "jstests/ssl/libs/ssl_helpers.js"; const test = () => { - const ECDSA_CA_CERT = "jstests/libs/ecdsa-ca.pem"; - const ECDSA_CLIENT_CERT = "jstests/libs/ecdsa-client.pem"; - const ECDSA_SERVER_CERT = "jstests/libs/ecdsa-server.pem"; + const ECDSA_CA_CERT = getX509Path("ecdsa-ca.pem"); + const ECDSA_CLIENT_CERT = getX509Path("ecdsa-client.pem"); + const ECDSA_SERVER_CERT = getX509Path("ecdsa-server.pem"); const CLIENT_USER = "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US"; diff --git a/jstests/sslSpecial/x509_cluster_auth_rollover.js b/jstests/sslSpecial/x509_cluster_auth_rollover.js index ecc3a3ac23b..440f0fd3656 100644 --- a/jstests/sslSpecial/x509_cluster_auth_rollover.js +++ b/jstests/sslSpecial/x509_cluster_auth_rollover.js @@ -14,8 +14,8 @@ const rst = new ReplSetTest({ nodeOptions: { tlsMode: "preferTLS", clusterAuthMode: "x509", - tlsCertificateKeyFile: "jstests/libs/server.pem", - tlsCAFile: "jstests/libs/ca.pem", + tlsCertificateKeyFile: getX509Path("server.pem"), + tlsCAFile: getX509Path("ca.pem"), tlsAllowInvalidHostnames: "", }, }); 
@@ -96,8 +96,8 @@ const rolloverConfig = function (newConfig) { jsTestLog("Rolling over CA certificate to combined old and new CA's"); rolloverConfig({ - tlsCertificateKeyFile: "jstests/libs/server.pem", - tlsCAFile: "jstests/libs/rollover_ca_merged.pem", + tlsCertificateKeyFile: getX509Path("server.pem"), + tlsCAFile: getX509Path("rollover_ca_merged.pem"), setParameter: { tlsX509ClusterAuthDNOverride: rolloverDN, }, @@ -105,8 +105,8 @@ rolloverConfig({ jsTestLog("Rolling over to new certificate with new cluster DN and new CA"); rolloverConfig({ - tlsCertificateKeyFile: "jstests/libs/rollover_server.pem", - tlsCAFile: "jstests/libs/rollover_ca_merged.pem", + tlsCertificateKeyFile: getX509Path("rollover_server.pem"), + tlsCAFile: getX509Path("rollover_ca_merged.pem"), setParameter: { tlsX509ClusterAuthDNOverride: originalDN, }, @@ -114,8 +114,8 @@ rolloverConfig({ jsTestLog("Rolling over to new CA only"); rolloverConfig({ - tlsCertificateKeyFile: "jstests/libs/rollover_server.pem", - tlsCAFile: "jstests/libs/rollover_ca.pem", + tlsCertificateKeyFile: getX509Path("rollover_server.pem"), + tlsCAFile: getX509Path("rollover_ca.pem"), }); rst.stopSet(); diff --git a/jstests/ssl_linear/mongo_uri_secondaries.js b/jstests/ssl_linear/mongo_uri_secondaries.js index e6ed6304ecb..8bbf5db3041 100644 --- a/jstests/ssl_linear/mongo_uri_secondaries.js +++ b/jstests/ssl_linear/mongo_uri_secondaries.js 
@@ -1,9 +1,9 @@ -// On OSX this test assumes that jstests/libs/trusted-ca.pem has been added as a trusted +// On OSX this test assumes that trusted-ca.pem has been added as a trusted // certificate to the login keychain of the evergreen user. See, // https://github.com/10gen/buildslave-cookbooks/commit/af7cabe5b6e0885902ebd4902f7f974b64cc8961 // for details. // To install trusted-ca.pem for local testing on OSX, invoke the following at a console: -// security add-trusted-cert -d jstests/libs/trusted-ca.pem +// security add-trusted-cert -d bazel-bin/install-devcore/bin/x509/trusted-ca.pem import {getPython3Binary} from "jstests/libs/python.js"; import {ReplSetTest} from "jstests/libs/replsettest.js"; 
@@ -14,26 +14,26 @@ jsTest.log("HOST_TYPE = " + HOST_TYPE); if (HOST_TYPE == "macOS") { // Ensure trusted-ca.pem is properly installed on MacOS hosts. // (MacOS is the only OS where it is installed outside of this test) - let exitCode = runProgram("security", "verify-cert", "-c", "./jstests/libs/trusted-client.pem"); + let exitCode = runProgram("security", "verify-cert", "-c", getX509Path("trusted-client.pem")); assert.eq(0, exitCode, "Check for proper installation of Trusted CA on MacOS host"); } if (HOST_TYPE == "windows") { assert.eq(0, runProgram(getPython3Binary(), "jstests/ssl_linear/windows_castore_cleanup.py")); // OpenSSL backed imports Root CA and intermediate CA - runProgram("certutil.exe", "-addstore", "-user", "-f", "CA", "jstests\\libs\\trusted-ca.pem"); + runProgram("certutil.exe", "-addstore", "-user", "-f", "CA", getX509Path("trusted-ca.pem")); // SChannel backed follows Windows rules and only trusts the Root store in Local Machine and // Current User. - runProgram("certutil.exe", "-addstore", "-f", "Root", "jstests\\libs\\trusted-ca.pem"); + runProgram("certutil.exe", "-addstore", "-f", "Root", getX509Path("trusted-ca.pem")); } try { const x509Options = { tlsMode: "requireTLS", - tlsCertificateKeyFile: "jstests/libs/trusted-server.pem", - tlsCAFile: "jstests/libs/trusted-ca.pem", - tlsClusterFile: "jstests/libs/trusted-client.pem", + tlsCertificateKeyFile: getX509Path("trusted-server.pem"), + tlsCAFile: getX509Path("trusted-ca.pem"), + tlsClusterFile: getX509Path("trusted-client.pem"), tlsAllowInvalidCertificates: "", tlsWeakCertificateValidation: "", }; 
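Review bot: The two `certutil.exe -addstore` calls now take their CA from `getX509Path("trusted-ca.pem")`, a build-generated artifact rather than a checked-in file, but their exit codes are still discarded, so a missing or stale generated file leaves the Windows CA/Root stores unpopulated and the failure only surfaces later as an opaque TLS handshake error. Wrap both in the `assert.eq(0, runProgram("certutil.exe", "-addstore", "-user", "-f", "CA", getX509Path("trusted-ca.pem")), "failed to install trusted-ca.pem")` pattern already used for windows_castore_cleanup.py two lines above. The identical block is repeated in repl_ssl_noca.js and ssl_with_system_ca.js in this patch, which argues for a shared helper in ssl_helpers.js rather than three copies. The removed literals used backslashes; if getX509Path returns forward-slash paths on Windows, certutil generally accepts them, but that is worth confirming once on a Windows builder.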
@@ -84,13 +84,13 @@ try { const subShellArgs = ["mongo", "--nodb", "--eval", subShellCommandFormatter(rst)]; - const retVal = runWithEnv(subShellArgs, {"SSL_CERT_FILE": "jstests/libs/trusted-ca.pem"}); + const retVal = runWithEnv(subShellArgs, {"SSL_CERT_FILE": getX509Path("trusted-ca.pem")}); assert.eq(retVal, 0, "mongo shell did not succeed with exit code 0"); rst.stopSet(); } finally { if (HOST_TYPE == "windows") { - const trusted_ca_thumbprint = cat("jstests/libs/trusted-ca.pem.digest.sha1"); + const trusted_ca_thumbprint = cat(getX509Path("trusted-ca.pem.digest.sha1")); runProgram("certutil.exe", "-delstore", "-f", "Root", trusted_ca_thumbprint); runProgram("certutil.exe", "-delstore", "-user", "-f", "CA", trusted_ca_thumbprint); } diff --git a/jstests/ssl_linear/repl_ssl_noca.js b/jstests/ssl_linear/repl_ssl_noca.js index 5b0156cffe9..fbbbdf26211 100644 --- a/jstests/ssl_linear/repl_ssl_noca.js +++ b/jstests/ssl_linear/repl_ssl_noca.js @@ -1,9 +1,9 @@ -// On OSX this test assumes that jstests/libs/trusted-ca.pem has been added as a trusted +// On OSX this test assumes that trusted-ca.pem has been added as a trusted // certificate to the login keychain of the evergreen user. See, // https://github.com/10gen/buildslave-cookbooks/commit/af7cabe5b6e0885902ebd4902f7f974b64cc8961 // for details. // To install trusted-ca.pem for local testing on OSX, invoke the following at a console: -// security add-trusted-cert -d jstests/libs/trusted-ca.pem +// security add-trusted-cert -d bazel-bin/install-devcore/bin/x509/trusted-ca.pem import {getPython3Binary} from "jstests/libs/python.js"; import {ReplSetTest} from "jstests/libs/replsettest.js"; 
@@ -14,18 +14,18 @@ jsTest.log("HOST_TYPE = " + HOST_TYPE); if (HOST_TYPE == "macOS") { // Ensure trusted-ca.pem is properly installed on MacOS hosts. // (MacOS is the only OS where it is installed outside of this test) - let exitCode = runProgram("security", "verify-cert", "-c", "./jstests/libs/trusted-client.pem"); + let exitCode = runProgram("security", "verify-cert", "-c", getX509Path("trusted-client.pem")); assert.eq(0, exitCode, "Check for proper installation of Trusted CA on MacOS host"); } if (HOST_TYPE == "windows") { assert.eq(0, runProgram(getPython3Binary(), "jstests/ssl_linear/windows_castore_cleanup.py")); // OpenSSL backed imports Root CA and intermediate CA - runProgram("certutil.exe", "-addstore", "-user", "-f", "CA", "jstests\\libs\\trusted-ca.pem"); + runProgram("certutil.exe", "-addstore", "-user", "-f", "CA", getX509Path("trusted-ca.pem")); // SChannel backed follows Windows rules and only trusts the Root store in Local Machine and // Current User. - runProgram("certutil.exe", "-addstore", "-f", "Root", "jstests\\libs\\trusted-ca.pem"); + runProgram("certutil.exe", "-addstore", "-f", "Root", getX509Path("trusted-ca.pem")); } try { @@ -34,7 +34,7 @@ try { nodes: 1, nodeOptions: { tlsMode: "requireTLS", - tlsCertificateKeyFile: "jstests/libs/trusted-server.pem", + tlsCertificateKeyFile: getX509Path("trusted-server.pem"), setParameter: {tlsUseSystemCA: true}, }, host: "localhost", @@ -43,7 +43,7 @@ try { replTest.startSet({ env: { - SSL_CERT_FILE: "jstests/libs/trusted-ca.pem", + SSL_CERT_FILE: getX509Path("trusted-ca.pem"), }, }); 
@@ -57,13 +57,13 @@ try { let argv = ["mongo", url, "--eval", "db.runCommand({replSetGetStatus: 1})"]; if (url.endsWith("&ssl=true")) { - argv.push("--tls", "--tlsCertificateKeyFile", "jstests/libs/trusted-client.pem"); + argv.push("--tls", "--tlsCertificateKeyFile", getX509Path("trusted-client.pem")); } if (!_isWindows()) { // On Linux we override the default path to the system CA store to point to our // system CA. On Windows, this CA will have been added to the user's trusted CA list - argv.unshift("env", "SSL_CERT_FILE=jstests/libs/trusted-ca.pem"); + argv.unshift("env", "SSL_CERT_FILE=" + getX509Path("trusted-ca.pem")); } let ret = runMongoProgram(...argv); return ret; @@ -84,7 +84,7 @@ try { replTest.stopSet(); } finally { if (_isWindows()) { - const ca_thumbprint = cat("jstests/libs/trusted-ca.pem.digest.sha1"); + const ca_thumbprint = cat(getX509Path("trusted-ca.pem.digest.sha1")); runProgram("certutil.exe", "-delstore", "-f", "Root", ca_thumbprint); runProgram("certutil.exe", "-delstore", "-user", "-f", "CA", ca_thumbprint); } diff --git a/jstests/ssl_linear/ssl_cert_selector.js b/jstests/ssl_linear/ssl_cert_selector.js index db57295d742..bcc88a6d964 100644 --- a/jstests/ssl_linear/ssl_cert_selector.js +++ b/jstests/ssl_linear/ssl_cert_selector.js 
@@ -12,9 +12,9 @@ import { TRUSTED_SERVER_CERT, } from "jstests/ssl/libs/ssl_helpers.js"; -const clientThumbprint = cat("jstests/libs/trusted-client.pem.digest.sha1"); -const serverThumbprint = cat("jstests/libs/trusted-server.pem.digest.sha1"); -const clusterServerThumbprint = cat("jstests/libs/trusted-cluster-server.pem.digest.sha1"); +const clientThumbprint = cat(getX509Path("trusted-client.pem.digest.sha1")); +const serverThumbprint = cat(getX509Path("trusted-server.pem.digest.sha1")); +const clusterServerThumbprint = cat(getX509Path("trusted-cluster-server.pem.digest.sha1")); const CLIENT = "CN=Trusted Kernel Test Client,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US"; const SERVER = "CN=Trusted Kernel Test Server,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US"; const CLUSTER_SERVER = "CN=Trusted Kernel Test Cluster Server,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US"; 
@@ -142,19 +142,24 @@ requireSSLProvider("windows", function () {
 runProgram("certutil.exe", "-addstore", "-f", "Root", TRUSTED_CA_CERT);
 // Import a pfx file since it contains both a cert and private key and is easy to import
 // via command line.
- const importPfx = function (pfxFile) {
+ const createAndImportPfx = function (basename) {
+ const pemFile = getX509Path(basename + ".pem");
+ const dbPath = MongoRunner.toRealPath("$dataDir\\ssl_cert_selector\\");
+ mkdir(dbPath);
+ const pfxFile = dbPath + basename + ".pfx";
+ runProgram("certutil.exe", "-mergepfx", "-f", "-p", "qwerty,qwerty", pemFile, pfxFile);
 return runProgram("certutil.exe", "-importpfx", "-f", "-p", "qwerty", pfxFile);
 };
- assert.eq(0, importPfx("jstests\\libs\\trusted-client.pfx"));
- assert.eq(0, importPfx("jstests\\libs\\trusted-server.pfx"));
- assert.eq(0, importPfx("jstests\\libs\\trusted-cluster-server.pfx"));
+ assert.eq(0, createAndImportPfx("trusted-client"));
+ assert.eq(0, createAndImportPfx("trusted-server"));
+ assert.eq(0, createAndImportPfx("trusted-cluster-server"));
 }
 
 try {
 testCases.forEach((test) => testServerSelectorKeyUsage(test));
 } finally {
 if (_isWindows()) {
- const trusted_ca_thumbprint = cat("jstests/libs/trusted-ca.pem.digest.sha1");
+ const trusted_ca_thumbprint = cat(getX509Path("trusted-ca.pem.digest.sha1"));
 runProgram("certutil.exe", "-delstore", "-f", "Root", trusted_ca_thumbprint);
 }
 }
diff --git a/jstests/ssl_linear/ssl_with_system_ca.js b/jstests/ssl_linear/ssl_with_system_ca.js
index 974dac25abb..40eacc4f53a 100644
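Review bot: `createAndImportPfx` discards the exit status of the new `certutil -mergepfx` call, so if PFX creation fails (generated PEM missing, or not a cert+key bundle) the following `-importpfx` fails on a nonexistent file and the assertion blames the import rather than the real cause; check it first with `assert.eq(0, runProgram("certutil.exe", "-mergepfx", "-f", "-p", "qwerty,qwerty", pemFile, pfxFile), "mergepfx failed for " + pemFile);`. The PFX it writes bundles a private key under the fixed password `qwerty` into `$dataDir` and is never removed — the `finally` below only deletes the Root CA entry — so removing the three .pfx files there would stop the key material outliving the test (the imported certificates were not cleaned from the user store before this change either, a pre-existing gap). `mkdir(dbPath)` runs on every call; that is harmless if the shell's mkdir tolerates an existing directory, which I believe it does, but hoisting it next to the `-addstore` line reads cleaner. Note also that this uses `MongoRunner.toRealPath` where the sibling tests use `MongoRunner.toRealDir`; confirm the trailing backslash survives so `dbPath + basename` does not glue the name onto the directory.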
@@ -1,9 +1,9 @@ -// On OSX this test assumes that jstests/libs/trusted-ca.pem has been added as a trusted +// On OSX this test assumes that trusted-ca.pem has been added as a trusted // certificate to the login keychain of the evergreen user. See, // https://github.com/10gen/buildhost-configuration/blob/f60ba13f506ef035d14e46fb5935f26ba3ca6bed/roles/macos/tasks/keychains.yml#L39-L100 // for details. // To install trusted-ca.pem for local testing on OSX, invoke the following at a console: -// security add-trusted-cert -d jstests/libs/trusted-ca.pem +// security add-trusted-cert -d bazel-bin/install-devcore/bin/x509/trusted-ca.pem import {getPython3Binary} from "jstests/libs/python.js"; import {ReplSetTest} from "jstests/libs/replsettest.js"; 
@@ -15,29 +15,29 @@ jsTest.log("HOST_TYPE = " + HOST_TYPE); if (HOST_TYPE == "macOS") { // Ensure trusted-ca.pem is properly installed on MacOS hosts. // (MacOS is the only OS where it is installed outside of this test) - let exitCode = runProgram("security", "verify-cert", "-c", "./jstests/libs/trusted-client.pem"); + let exitCode = runProgram("security", "verify-cert", "-c", getX509Path("trusted-client.pem")); assert.eq(0, exitCode, "Check for proper installation of Trusted CA on MacOS host"); } if (HOST_TYPE == "windows") { assert.eq(0, runProgram(getPython3Binary(), "jstests/ssl_linear/windows_castore_cleanup.py")); // OpenSSL backed imports Root CA and intermediate CA - runProgram("certutil.exe", "-addstore", "-user", "-f", "CA", "jstests\\libs\\trusted-ca.pem"); + runProgram("certutil.exe", "-addstore", "-user", "-f", "CA", getX509Path("trusted-ca.pem")); // SChannel backed follows Windows rules and only trusts the Root store in Local Machine and // Current User. - runProgram("certutil.exe", "-addstore", "-f", "Root", "jstests\\libs\\trusted-ca.pem"); + runProgram("certutil.exe", "-addstore", "-f", "Root", getX509Path("trusted-ca.pem")); } const certDir = MongoRunner.toRealDir("$dataDir/ssl_with_system_ca_test/"); if (HOST_TYPE == "linux") { mkdir(certDir); clearRawMongoProgramOutput(); - assert.eq(0, runProgram("openssl", "x509", "-hash", "-noout", "-in", "jstests/libs/trusted-ca.pem")); + assert.eq(0, runProgram("openssl", "x509", "-hash", "-noout", "-in", getX509Path("trusted-ca.pem"))); let hash = rawMongoProgramOutput(".*"); jsTestLog(hash); // has form: "|sh \n" hash = hash.trim().split(" ")[1]; - copyCertificateFile("jstests/libs/trusted-ca.pem", `${certDir}/${hash}.0`); + copyCertificateFile(getX509Path("trusted-ca.pem"), `${certDir}/${hash}.0`); } // Tests server ingress validation works if the server is configured to use system CA. 
@@ -48,7 +48,7 @@ function testServerIngress() { // and a system CA store containing trusted-ca.pem. const serverOpts = { tlsMode: "preferTLS", - tlsCertificateKeyFile: "jstests/libs/trusted-server.pem", + tlsCertificateKeyFile: getX509Path("trusted-server.pem"), tlsAllowInvalidHostnames: "", waitForConnect: true, setParameter: {tlsUseSystemCA: true}, @@ -60,8 +60,8 @@ function testServerIngress() { jsTestLog("Testing server ingress validates trusted client certificate"); let clientOpts = { tls: { - certificateKeyFile: "jstests/libs/trusted-client.pem", - CAFile: "jstests/libs/trusted-ca.pem", + certificateKeyFile: getX509Path("trusted-client.pem"), + CAFile: getX509Path("trusted-ca.pem"), allowInvalidHostnames: true, }, }; @@ -72,7 +72,7 @@ function testServerIngress() { // Using untrusted keys, verify the server rejects the client. jsTestLog("Testing server ingress rejects untrusted client certificate"); - clientOpts.tls.certificateKeyFile = "jstests/libs/client.pem"; + clientOpts.tls.certificateKeyFile = getX509Path("client.pem"); assert.commandWorked(conn.adminCommand({clearLog: "global"})); let error = assert.throwsWithCode(() => { @@ -94,8 +94,8 @@ function testServerEgress() { const rst = new ReplSetTest({nodes: 1}); rst.startSet({ tlsMode: "preferTLS", - tlsCertificateKeyFile: "jstests/libs/trusted-server.pem", // used on ingress - tlsClusterFile: "jstests/libs/trusted-client.pem", // used on egress to node2 + tlsCertificateKeyFile: getX509Path("trusted-server.pem"), // used on ingress + tlsClusterFile: getX509Path("trusted-client.pem"), // used on egress to node2 tlsAllowInvalidHostnames: "", waitForConnect: true, setParameter: {tlsUseSystemCA: true}, 
@@ -108,9 +108,9 @@ function testServerEgress() { // Add new node that uses a key not trusted by the first node. let badNode = rst.add({ tlsMode: "preferTLS", - tlsCertificateKeyFile: "jstests/libs/server.pem", // used on ingress, untrusted - tlsClusterFile: "jstests/libs/trusted-client.pem", // used on egress to node1 - tlsCAFile: "jstests/libs/trusted-ca.pem", + tlsCertificateKeyFile: getX509Path("server.pem"), // used on ingress, untrusted + tlsClusterFile: getX509Path("trusted-client.pem"), // used on egress to node1 + tlsCAFile: getX509Path("trusted-ca.pem"), tlsAllowInvalidHostnames: "", waitForConnect: true, }); @@ -127,9 +127,9 @@ function testServerEgress() { // Add new node that uses a key trusted by the first node. let goodNode = rst.add({ tlsMode: "preferTLS", - tlsCertificateKeyFile: "jstests/libs/trusted-server.pem", // used on ingress, trusted - tlsClusterFile: "jstests/libs/trusted-client.pem", // used on egress to node1 - tlsCAFile: "jstests/libs/trusted-ca.pem", + tlsCertificateKeyFile: getX509Path("trusted-server.pem"), // used on ingress, trusted + tlsClusterFile: getX509Path("trusted-client.pem"), // used on egress to node1 + tlsCAFile: getX509Path("trusted-ca.pem"), tlsAllowInvalidHostnames: "", waitForConnect: true, }); @@ -151,7 +151,7 @@ try { testServerEgress(); } finally { if (HOST_TYPE == "windows") { - const trusted_ca_thumbprint = cat("jstests/libs/trusted-ca.pem.digest.sha1"); + const trusted_ca_thumbprint = cat(getX509Path("trusted-ca.pem.digest.sha1")); runProgram("certutil.exe", "-delstore", "-f", "Root", trusted_ca_thumbprint); runProgram("certutil.exe", "-delstore", "-user", "-f", "CA", trusted_ca_thumbprint); } diff --git a/jstests/ssl_x509/cluster_x509_restart.js b/jstests/ssl_x509/cluster_x509_restart.js index 9ddb7f58097..268a98facec 100644 --- a/jstests/ssl_x509/cluster_x509_restart.js +++ b/jstests/ssl_x509/cluster_x509_restart.js 
@@ -13,8 +13,8 @@ const rst = new ReplSetTest({ tlsMode: "requireTLS", clusterAuthMode: "x509", keyFile: "jstests/libs/key1", - tlsCertificateKeyFile: "jstests/libs/server.pem", - tlsCAFile: "jstests/libs/ca.pem", + tlsCertificateKeyFile: getX509Path("server.pem"), + tlsCAFile: getX509Path("ca.pem"), tlsAllowInvalidHostnames: "", }, }); diff --git a/jstests/ssl_x509/initial_sync1_x509.js b/jstests/ssl_x509/initial_sync1_x509.js index e8ea78beb11..16f6c52d891 100644 --- a/jstests/ssl_x509/initial_sync1_x509.js +++ b/jstests/ssl_x509/initial_sync1_x509.js @@ -5,8 +5,8 @@ import {ReplSetTest} from "jstests/libs/replsettest.js"; let common_options = { keyFile: "jstests/libs/key1", tlsMode: "requireTLS", - tlsCertificateKeyFile: "jstests/libs/server.pem", - tlsCAFile: "jstests/libs/ca.pem", + tlsCertificateKeyFile: getX509Path("server.pem"), + tlsCAFile: getX509Path("ca.pem"), tlsAllowInvalidHostnames: "", }; @@ -58,7 +58,7 @@ function runInitialSyncTest() { // Standard case, clusterAuthMode: x509 var x509_options1 = Object.merge(common_options, { - tlsClusterFile: "jstests/libs/cluster_cert.pem", + tlsClusterFile: getX509Path("cluster_cert.pem"), clusterAuthMode: "x509", }); var x509_options2 = x509_options1; @@ -66,7 +66,7 @@ runInitialSyncTest(); // Mixed clusterAuthMode: sendX509 and sendKeyFile and try adding --auth x509_options1 = Object.merge(common_options, { - tlsClusterFile: "jstests/libs/cluster_cert.pem", + tlsClusterFile: getX509Path("cluster_cert.pem"), clusterAuthMode: "sendX509", auth: "", }); diff --git a/jstests/ssl_x509/sharding_with_x509.js b/jstests/ssl_x509/sharding_with_x509.js index 8d93c03b75d..63e0524131c 100644 --- a/jstests/ssl_x509/sharding_with_x509.js +++ b/jstests/ssl_x509/sharding_with_x509.js 
@@ -8,9 +8,9 @@ import {ShardingTest} from "jstests/libs/shardingtest.js"; const x509_options = { tlsMode: "requireTLS", - tlsCertificateKeyFile: "jstests/libs/server.pem", - tlsCAFile: "jstests/libs/ca.pem", - tlsClusterFile: "jstests/libs/cluster_cert.pem", + tlsCertificateKeyFile: getX509Path("server.pem"), + tlsCAFile: getX509Path("ca.pem"), + tlsClusterFile: getX509Path("cluster_cert.pem"), tlsAllowInvalidHostnames: "", clusterAuthMode: "x509", }; diff --git a/jstests/ssl_x509/shell_x509_system_user.js b/jstests/ssl_x509/shell_x509_system_user.js index 5f4f8e854ad..7a9459c45fd 100644 --- a/jstests/ssl_x509/shell_x509_system_user.js +++ b/jstests/ssl_x509/shell_x509_system_user.js @@ -6,8 +6,8 @@ import {ReplSetTest} from "jstests/libs/replsettest.js"; const x509Options = { clusterAuthMode: "x509", tlsMode: "requireTLS", - tlsCertificateKeyFile: "jstests/libs/server.pem", - tlsCAFile: "jstests/libs/ca.pem", + tlsCertificateKeyFile: getX509Path("server.pem"), + tlsCAFile: getX509Path("ca.pem"), tlsAllowInvalidCertificates: "", }; @@ -42,8 +42,8 @@ const subShellCommands = async function () { const subShellArgs = [ "mongo", "--ssl", - "--tlsCAFile=jstests/libs/ca.pem", - "--tlsCertificateKeyFile=jstests/libs/server.pem", + "--tlsCAFile=" + getX509Path("ca.pem"), + "--tlsCertificateKeyFile=" + getX509Path("server.pem"), "--tlsAllowInvalidHostnames", "--authenticationDatabase=$external", "--authenticationMechanism=MONGODB-X509", diff --git a/jstests/ssl_x509/speculative-auth-replset.js b/jstests/ssl_x509/speculative-auth-replset.js index b4607792b6f..1dd1419f911 100644 --- a/jstests/ssl_x509/speculative-auth-replset.js +++ b/jstests/ssl_x509/speculative-auth-replset.js 
@@ -6,8 +6,8 @@ import {ReplSetTest} from "jstests/libs/replsettest.js"; const x509_options = { tlsMode: "requireTLS", - tlsCertificateKeyFile: "jstests/libs/server.pem", - tlsCAFile: "jstests/libs/ca.pem", + tlsCertificateKeyFile: getX509Path("server.pem"), + tlsCAFile: getX509Path("ca.pem"), clusterAuthMode: "sendX509", }; diff --git a/jstests/ssl_x509/speculative-auth-sharding.js b/jstests/ssl_x509/speculative-auth-sharding.js index 682d1ec504f..76e37eec04a 100644 --- a/jstests/ssl_x509/speculative-auth-sharding.js +++ b/jstests/ssl_x509/speculative-auth-sharding.js @@ -4,10 +4,10 @@ import {ShardingTest} from "jstests/libs/shardingtest.js"; const CLIENT_NAME = "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US"; -const CLIENT_CERT = "jstests/libs/client.pem"; -const SERVER_CERT = "jstests/libs/server.pem"; -const CLUSTER_CERT = "jstests/libs/cluster_cert.pem"; -const CA_CERT = "jstests/libs/ca.pem"; +const CLIENT_CERT = getX509Path("client.pem"); +const SERVER_CERT = getX509Path("server.pem"); +const CLUSTER_CERT = getX509Path("cluster_cert.pem"); +const CA_CERT = getX509Path("ca.pem"); const options = { tlsMode: "requireTLS", diff --git a/jstests/ssl_x509/x509_basic.js b/jstests/ssl_x509/x509_basic.js index 4142dd446d3..3b69d594650 100644 --- a/jstests/ssl_x509/x509_basic.js +++ b/jstests/ssl_x509/x509_basic.js @@ -8,9 +8,9 @@ import {findMatchingLogLine} from "jstests/libs/log.js"; const x509_options = { tlsMode: "requireTLS", - tlsCertificateKeyFile: "jstests/libs/server.pem", - tlsCAFile: "jstests/libs/ca.pem", - tlsClusterFile: "jstests/libs/cluster_cert.pem", + tlsCertificateKeyFile: getX509Path("server.pem"), + tlsCAFile: getX509Path("ca.pem"), + tlsClusterFile: getX509Path("cluster_cert.pem"), tlsAllowInvalidHostnames: "", clusterAuthMode: "x509", }; diff --git a/jstests/with_mongot/search_mocked/ssl/mongot_ssl_required.js b/jstests/with_mongot/search_mocked/ssl/mongot_ssl_required.js index c37aa2c89c5..8a0f39d80d7 100644 
--- a/jstests/with_mongot/search_mocked/ssl/mongot_ssl_required.js +++ b/jstests/with_mongot/search_mocked/ssl/mongot_ssl_required.js @@ -16,10 +16,10 @@ const mongotConn = mongotmock.getConnection(); const conn = MongoRunner.runMongod({ sslMode: "requireSSL", - sslPEMKeyFile: "jstests/libs/password_protected.pem", + sslPEMKeyFile: getX509Path("password_protected.pem"), sslPEMKeyPassword: "qwerty", setParameter: {mongotHost: mongotConn.host, searchTLSMode: "disabled"}, - sslCAFile: "jstests/libs/ca.pem", + sslCAFile: getX509Path("ca.pem"), }); const db = conn.getDB("test"); diff --git a/jstests/with_mongot/vector_search_mocked/ssl/mongot_ssl_required.js b/jstests/with_mongot/vector_search_mocked/ssl/mongot_ssl_required.js index d87af1737d1..a914d8c0d05 100644 --- a/jstests/with_mongot/vector_search_mocked/ssl/mongot_ssl_required.js +++ b/jstests/with_mongot/vector_search_mocked/ssl/mongot_ssl_required.js @@ -15,10 +15,10 @@ const mongotConn = mongotmock.getConnection(); const conn = MongoRunner.runMongod({ sslMode: "requireSSL", - sslPEMKeyFile: "jstests/libs/password_protected.pem", + sslPEMKeyFile: getX509Path("password_protected.pem"), sslPEMKeyPassword: "qwerty", setParameter: {mongotHost: mongotConn.host, searchTLSMode: "disabled"}, - sslCAFile: "jstests/libs/ca.pem", + sslCAFile: getX509Path("ca.pem"), }); const dbName = "test"; diff --git a/src/mongo/shell/servers.js b/src/mongo/shell/servers.js index 4600bb68a56..2b0019a7fa4 100644 --- a/src/mongo/shell/servers.js +++ b/src/mongo/shell/servers.js @@ -40,6 +40,10 @@ function getMongoSuffixPath(binary_name) { return binary_name; } +function getX509Path(x509_name) { + return MongoRunner.getInstallPath("x509", x509_name); +} + MongoRunner.getMongodPath = function () { return getMongoSuffixPath("mongod"); }; 
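Review bot: getX509Path in the servers.js hunk is the entry point every TLS jstest in this commit now goes through, yet it carries no comment saying what it resolves or where the files come from, and `MongoRunner.getInstallPath` is not self-explanatory. A one-line JSDoc above it would do: `// Resolve a generated X.509 test artifact (cert, key or digest file) to its path under the install directory's x509/ subdirectory.` The surrounding file context is otherwise unchanged.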
@@ -1693,4 +1697,4 @@ function startMongoProgramNoConnect(...args) { return _startMongoProgram(..._getMongoProgramArguments(args)); } -export {MongoRunner, runMongoProgram, startMongoProgram, startMongoProgramNoConnect}; +export {MongoRunner, runMongoProgram, startMongoProgram, startMongoProgramNoConnect, getX509Path}; diff --git a/src/mongo/shell/servers_global.js b/src/mongo/shell/servers_global.js index bfd999f5488..aea8f462725 100644 --- a/src/mongo/shell/servers_global.js +++ b/src/mongo/shell/servers_global.js @@ -1,8 +1,15 @@ // Populate global variables from modules for backwards compatibility -import {MongoRunner, runMongoProgram, startMongoProgram, startMongoProgramNoConnect} from "src/mongo/shell/servers.js"; +import { + MongoRunner, + runMongoProgram, + startMongoProgram, + startMongoProgramNoConnect, + getX509Path, +} from "src/mongo/shell/servers.js"; globalThis.MongoRunner = MongoRunner; globalThis.runMongoProgram = runMongoProgram; globalThis.startMongoProgram = startMongoProgram; globalThis.startMongoProgramNoConnect = startMongoProgramNoConnect; +globalThis.getX509Path = getX509Path; diff --git a/src/mongo/util/net/network_interface_ssl_test.cpp b/src/mongo/util/net/network_interface_ssl_test.cpp index f0e6d57db32..058e4e8d960 100644 --- a/src/mongo/util/net/network_interface_ssl_test.cpp +++ b/src/mongo/util/net/network_interface_ssl_test.cpp @@ -38,13 +38,13 @@ #include "mongo/unittest/unittest.h" #include "mongo/util/net/ssl_options.h" +#include #include #include #include #define MONGO_LOGV2_DEFAULT_COMPONENT ::mongo::logv2::LogComponent::kTest - namespace mongo { namespace executor { namespace { 
@@ -68,9 +68,11 @@ public: internalSecurity.setUser(user); - sslGlobalParams.sslCAFile = "jstests/libs/ca.pem"; + installDir = std::getenv("INSTALL_DIR"); + + sslGlobalParams.sslCAFile = (installDir / "x509/ca.pem").string(); // Set a client cert that should be ignored if we use the transient cert correctly. - sslGlobalParams.sslPEMKeyFile = "jstests/libs/client.pem"; + sslGlobalParams.sslPEMKeyFile = (installDir / "x509/client.pem").string(); // Set the internal user auth parameters so we auth with X.509 externally auth::setInternalUserAuthParams( @@ -84,10 +86,11 @@ public: transport::TransportProtocol protocol) override { LOGV2(5181101, "Initializing the test connection with transient SSL params"); ConnectionPool::Options options = makeDefaultConnectionPoolOptions(); - options.transientSSLParams.emplace([] { + options.transientSSLParams.emplace([this]() { ClusterConnection clusterConnection; clusterConnection.targetedClusterConnectionString = ConnectionString::forLocal(); - clusterConnection.sslClusterPEMPayload = loadFile("jstests/libs/server.pem"); + clusterConnection.sslClusterPEMPayload = + loadFile((installDir / "x509/server.pem").string()); TransientSSLParams params(clusterConnection); return params; @@ -99,6 +102,9 @@ public: NetworkInterfaceIntegrationFixture::tearDown(); resetIsInternalClient(false); } + +private: + std::filesystem::path installDir; }; TEST_F(NetworkInterfaceSSLFixture, Ping) { diff --git a/x509/README b/x509/README index e6d81ee38ec..80e7e24040d 100644 --- a/x509/README +++ b/x509/README @@ -79,8 +79,6 @@ Certificate definition format: }, # Optional, in addition to the .pem file, write just the certificate to a .crt file and just the signing key to a .key file "split_cert_and_key": True, - # Optional, don't write a header comment to this cert - "include_header": False, # Optional, X.509 extensions to include in the certificate "extensions": { # All extensions are optional. "basicConstraints": {}, 
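Review bot: `installDir = std::getenv("INSTALL_DIR");` in the first hunk assigns the raw `char*` straight to a `std::filesystem::path`; when the variable is unset getenv returns a null pointer and constructing the path from it is undefined behaviour, so a misconfigured runner would crash inside the string constructor rather than report a readable failure. Read it into a local and check it first, e.g. `const char* dir = std::getenv("INSTALL_DIR"); ASSERT(dir != nullptr); installDir = dir;` so the fixture fails with a test assertion instead. The `+#include` added in the previous hunk appears to have lost its header name in this rendering (presumably `<filesystem>`), which is worth confirming in the actual file. setUp begins outside the hunk, so I cannot see whether anything earlier already validates the environment.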
diff --git a/x509/main_certs_def.bzl b/x509/main_certs_def.bzl index e0a2f0b8343..e340b1bf8cc 100644 --- a/x509/main_certs_def.bzl +++ b/x509/main_certs_def.bzl @@ -1104,7 +1104,6 @@ certs_def = json.encode({ }, "Issuer": "self", "keyfile": "ocsp_ca_key.pem", - "include_header": False, "split_cert_and_key": True, "extensions": { "basicConstraints": { @@ -1124,7 +1123,6 @@ certs_def = json.encode({ }, "Issuer": "ca_ocsp.pem", "keyfile": "ocsp_key.pem", - "include_header": False, "extensions": { "basicConstraints": { "CA": False, @@ -1159,7 +1157,6 @@ certs_def = json.encode({ }, "Issuer": "ca_ocsp.pem", "keyfile": "ocsp_key.pem", - "include_header": False, "extensions": { "basicConstraints": { "CA": False, @@ -1190,7 +1187,6 @@ certs_def = json.encode({ }, "Issuer": "ca_ocsp.pem", "keyfile": "ocsp_key.pem", - "include_header": False, "extensions": { "basicConstraints": { "CA": False, @@ -1224,7 +1220,6 @@ certs_def = json.encode({ }, "Issuer": "ca_ocsp.pem", "keyfile": "ocsp_key.pem", - "include_header": False, "extensions": { "basicConstraints": { "CA": False, @@ -1259,7 +1254,6 @@ certs_def = json.encode({ }, "Issuer": "ca_ocsp.pem", "keyfile": "ocsp_key.pem", - "include_header": False, "extensions": { "basicConstraints": { "CA": False, @@ -1295,7 +1289,6 @@ certs_def = json.encode({ }, "Issuer": "ca_ocsp.pem", "keyfile": "ocsp_key.pem", - "include_header": False, "extensions": { "basicConstraints": { "CA": False, @@ -1326,7 +1319,6 @@ certs_def = json.encode({ }, "Issuer": "ca_ocsp.pem", "keyfile": "intermediate_ocsp_ca_key.pem", - "include_header": False, "split_cert_and_key": True, "extensions": { "subjectKeyIdentifier": "hash", @@ -1339,7 +1331,6 @@ certs_def = json.encode({ { "name": "intermediate_ca_with_root_ocsp.pem", "description": "OCSP CA and OCSP Intermediate appended together", - "include_header": False, "append_cert": [ "intermediate_ca_only_ocsp.pem", "ca_ocsp.pem", 
@@ -1353,7 +1344,6 @@ certs_def = json.encode({ }, "Issuer": "intermediate_ca_only_ocsp.pem", "keyfile": "intermediate_ocsp_key.pem", - "include_header": False, "extensions": { "basicConstraints": { "CA": False, @@ -1385,7 +1375,6 @@ certs_def = json.encode({ }, "Issuer": "intermediate_ca_only_ocsp.pem", "keyfile": "intermediate_ocsp_key.pem", - "include_header": False, "append_cert": "intermediate_ca_only_ocsp.pem", "extensions": { "basicConstraints": { @@ -1420,8 +1409,7 @@ certs_def = json.encode({ "L": "OCSP-3", }, "Issuer": "ca_ocsp.pem", - "keyfile": "ocsp_key.pem", - "include_header": False, + "keyfile": "ocsp_responder_key.pem", "split_cert_and_key": True, "extensions": { "basicConstraints": { @@ -1642,6 +1630,7 @@ certs_def = json.encode({ }, "Issuer": "trusted-ca.pem", "keyfile": "trusted_key.pem", + "split_cert_and_key": True, "extensions": { "extendedKeyUsage": [ "clientAuth", @@ -1660,6 +1649,7 @@ certs_def = json.encode({ }, "Issuer": "trusted-ca.pem", "keyfile": "trusted_key.pem", + "split_cert_and_key": True, "extensions": { "extendedKeyUsage": [ "serverAuth", @@ -1678,6 +1668,7 @@ certs_def = json.encode({ }, "Issuer": "trusted-ca.pem", "keyfile": "trusted_key.pem", + "split_cert_and_key": True, "extensions": { "extendedKeyUsage": [ "clientAuth", @@ -1738,6 +1729,7 @@ certs_def = json.encode({ "name": "ecdsa-client.pem", "description": "Client certificate for ECDSA tree.", "Subject": { + "OU": "KernelUser", "CN": "client", }, "Issuer": "ecdsa-ca.pem", @@ -1868,7 +1860,7 @@ certs_def = json.encode({ "name": "ecdsa-ocsp-responder.pem", "description": "ECDSA certificate and key for OCSP responder", "Issuer": "ecdsa-ca-ocsp.pem", - "keyfile": "pkcs8_encrypted_ec_ocsp_key.pem", + "keyfile": "pkcs8_encrypted_ec_ocsp_responder_key.pem", "Subject": { "CN": "server", }, diff --git a/x509/mkcert.py b/x509/mkcert.py index 05950b219bc..601bc134ae2 100644 --- a/x509/mkcert.py +++ b/x509/mkcert.py 
@@ -30,6 +30,9 @@ NAME_TO_OID["L"] = NAME_TO_OID["localityName"]
 NAME_TO_OID["SN"] = NAME_TO_OID["surname"]
 NAME_TO_OID["CN"] = NAME_TO_OID["commonName"]
 
+# The (partial) ordering of OIDs in subject name expected by our jstests.
+OID_ORDER = [NAME_TO_OID[n].dotted_string for n in ["C", "ST", "L", "O", "OU", "CN"]]
+
 # Path to the file specifying the config.
 CONFIGFILE = None
 
@@ -114,15 +117,6 @@ def find_certificate_definition(name):
     return None
 
 
-def get_header_comment(cert):
-    """Get the correct header comment for the certificate."""
-    if not cert.get("include_header", True):
-        return ""
-    """Header comment for every generated file."""
-    comment = "# " + cert.get("description", "").replace("\n", "\n# ") + "\n"
-    return comment
-
-
 def get_cert_and_key(cert_name):
     """Locate the cert and key file for a given cert name, load them, and return them."""
     if DRY_RUN:
@@ -197,7 +191,14 @@ def set_subject(builder, cert, set_issuer=False):
         for key, val in cert["Subject"].items():
             oid = get_oid(key)
             attr_dict[oid] = val
-        name = x509.Name([x509.NameAttribute(key, val) for key, val in attr_dict.items()])
+
+        ordered_attrs = sorted(
+            attr_dict.items(),
+            key=lambda item: "." + str(OID_ORDER.index(item[0].dotted_string))
+            if item[0].dotted_string in OID_ORDER
+            else item[0].dotted_string,
+        )
+        name = x509.Name([x509.NameAttribute(oid, val) for oid, val in ordered_attrs])
     else:
         # Multivalued RDN case
         assert isinstance(cert["Subject"], list)
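Review bot: The sort key in the new `ordered_attrs` call compares strings, so it only orders correctly while OID_ORDER has at most ten entries (".10" sorts before ".2"); the same construction, with an extra `+ 1` that makes no difference to the ordering, is duplicated in the multi-valued RDN hunk (`@@ -209,8 +210,19 @@`). A tuple key is immune to that and can be shared by both sites: `key=lambda item: (0, OID_ORDER.index(item[0].dotted_string)) if item[0].dotted_string in OID_ORDER else (1, item[0].dotted_string)`. Since the comment on OID_ORDER says the jstests depend on this order, it would also help to say there that attribute order is part of the rendered subject string the tests match against, so nobody later "simplifies" it to alphabetical. set_subject starts outside the hunk.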
@@ -209,8 +210,19 @@ def set_subject(builder, cert, set_issuer=False):
             attrs = []
             for key, val in rdn_def.items():
                 oid = get_oid(key)
-                attrs.append(x509.NameAttribute(oid, val))
-            rdns.append(x509.RelativeDistinguishedName(attrs))
+                attrs.append((oid, val))
+
+            ordered_attrs = sorted(
+                attrs,
+                key=lambda item: "." + str(OID_ORDER.index(item[0].dotted_string) + 1)
+                if item[0].dotted_string in OID_ORDER
+                else item[0].dotted_string,
+            )
+            rdns.append(
+                x509.RelativeDistinguishedName(
+                    [x509.NameAttribute(oid, val) for oid, val in ordered_attrs]
+                )
+            )
         name = x509.Name(rdns)
         if set_issuer:
             # When issuer = self, set the issuer as well
@@ -468,11 +480,21 @@ def sign_ecdsa_deterministic(key, cert):
     # Get just the certificate content and sign it.
     cert_bytes = seq["cert_content"].dump()
     sig = ecdsa_pkey.sign_deterministic(cert_bytes, hashfunc=hashlib.sha256)
-    # Encode the signature -- Split it in half and make a sequence with the two halves.
     assert len(sig) == 64
     r = sig[:32]
     s = sig[32:]
-    ber_sig = b"\x30\x44\x02\x20" + r + b"\x02\x20" + s
+    # Prepend a 0x00 byte if the high bit is set, to indicate positive integer in ASN.1.
+    if r[0] & 0x80:
+        r_der = b"\x02\x21\x00" + r
+    else:
+        r_der = b"\x02\x20" + r
+    if s[0] & 0x80:
+        s_der = b"\x02\x21\x00" + s
+    else:
+        s_der = b"\x02\x20" + s
+    # Encode the signature -- Split it in half and make a sequence with the two halves.
+    len_byte = len(r_der) + len(s_der)
+    ber_sig = b"\x30" + len_byte.to_bytes(1, byteorder="big") + r_der + s_der
     # Set this as the signature, then dump the new certificate.
     seq["signature"] = to_bits(ber_sig)
     signed_bytes = seq.dump()
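Review bot: The new r/s encoding in sign_ecdsa_deterministic handles the sign bit but not minimal encoding: when r or s begins with a 0x00 byte (roughly 1 in 256 signatures each), `b"\x02\x20" + r` produces a non-minimal INTEGER that strict DER parsers reject, so a regenerated certificate would intermittently fail to load for reasons nobody can reproduce on demand. Strip leading zero bytes before testing the high bit, and since the same eight lines are repeated for both halves, a small helper keeps the rule in one place; the SEQUENCE length still fits in one byte (at most 0x46), so the single-byte length stays correct. `ber_sig` is DER rather than BER, so a rename would be accurate, but that is cosmetic. The function's preamble is outside the hunk.
```python
def _der_integer(raw: bytes) -> bytes:
    # Minimal DER INTEGER: drop leading zero octets, then prepend 0x00 only
    # when the top bit would otherwise mark the value as negative.
    body = raw.lstrip(b"\x00") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + bytes([len(body)]) + body

# … unchanged: deterministic signing of cert_bytes …
assert len(sig) == 64
r_der = _der_integer(sig[:32])
s_der = _der_integer(sig[32:])
# Encode the signature as SEQUENCE { INTEGER r, INTEGER s }.
ber_sig = b"\x30" + bytes([len(r_der) + len(s_der)]) + r_der + s_der
```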
@@ -543,18 +565,17 @@ def process_normal_cert(cert):
         issuer_ski=issuer_ski,
     )
 
-    if isinstance(key, ec.EllipticCurvePrivateKey):
+    if isinstance(issuer_key, ec.EllipticCurvePrivateKey):
         # For EC, we need to compute a deterministic signature ourselves. While newer versions of OpenSSL support deterministic signing with ECDSA, some of the platforms we run tests on use old versions, so we unfortunately cannot use this feature.
-        bad_sig_obj = builder.sign(key, hashes.SHA256())
-        cert_obj = sign_ecdsa_deterministic(key, bad_sig_obj)
+        bad_sig_obj = builder.sign(issuer_key, hashes.SHA256())
+        cert_obj = sign_ecdsa_deterministic(issuer_key, bad_sig_obj)
     else:
-        cert_obj = builder.sign(key, hashes.SHA256())
+        cert_obj = builder.sign(issuer_key, hashes.SHA256())
 
-    header = get_header_comment(cert)
     cert_path = make_filename(cert)
-    # Write header + certificate PEM + key PEM to the output file.
+    # Write certificate PEM + key PEM to the output file.
     with open(cert_path, "wt") as f:
-        f.write(header + cert_obj.public_bytes(serialization.Encoding.PEM).decode("ascii"))
+        f.write(cert_obj.public_bytes(serialization.Encoding.PEM).decode("ascii"))
         with open(str(STATIC_PATH / idx(cert, "keyfile")), "r") as keyf:
             f.write(keyf.read())
     LOADED_CERT_AND_KEYS[cert["name"]] = (cert_obj, key)
@@ -568,10 +589,10 @@ def process_normal_cert(cert):
         key_name = cert["name"][: -len(".pem")] + ".key"
         if not DRY_RUN:
             with open(OUTPUT_PATH / crt_name, "wt") as f:
-                f.write(header + cert_obj.public_bytes(serialization.Encoding.PEM).decode("ascii"))
+                f.write(cert_obj.public_bytes(serialization.Encoding.PEM).decode("ascii"))
             with open(OUTPUT_PATH / key_name, "wt") as f:
                 with open(str(STATIC_PATH / idx(cert, "keyfile")), "r") as keyf:
-                    f.write(header + keyf.read())
+                    f.write(keyf.read())
 
 
 def process_cert(cert):
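Review bot: The signing site now uses `issuer_key` while `key` is still what goes into LOADED_CERT_AND_KEYS and the output PEM, and nothing in the first hunk says which is which — exactly the mix-up this hunk corrects, so it is worth guarding against regression with a comment. Above the `isinstance` check, something like `# Sign with the issuer's key; `key` is the subject's own key and only goes into the output PEM.` would do. The type dispatch also now keys off the issuer's key type rather than the subject's, which is the correct choice for choosing the signature algorithm but is a behaviour change for RSA-issued EC leaf certs; a word in the same comment would make that deliberate. process_normal_cert starts outside the hunk, so I cannot see where `issuer_key` is bound.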
@@ -586,12 +607,7 @@ def process_cert(cert):
     explicit_empty_subject = cert.get("explicit_subject", False) and not subject
     if subject or explicit_empty_subject:
         process_normal_cert(cert)
-    elif append_certs:
-        # Pure composing certificate. Start with a basic preamble.
-        if not DRY_RUN:
-            with open(make_filename(cert), "wt") as f:
-                f.write(get_header_comment(cert) + "\n")
-    else:
+    elif not append_certs:
         raise CertificateGenerationError(
             "Certificate definitions must have at least one of 'Subject' and/or 'append_cert'"
         )
@@ -600,11 +616,8 @@ def process_cert(cert):
         return
     for cert_name in append_certs:
         append_cert = get_cert_and_key(cert_name)[0]
-        header = (
-            "# Certificate from " + cert_name + "\n" if cert.get("include_header", True) else ""
-        )
         with open(make_filename(cert), "at") as f:
-            f.write(header + append_cert.public_bytes(serialization.Encoding.PEM).decode("ascii"))
+            f.write(append_cert.public_bytes(serialization.Encoding.PEM).decode("ascii") + "\n")
 
 
 DIGEST_NAME_TO_HASH = {"sha256": hashes.SHA256(), "sha1": hashes.SHA1()}
@@ -740,7 +753,6 @@ def validate_config():
         "append_cert",
         "extensions",
         "passphrase",
-        "include_header",
         "keyfile",
         "split_cert_and_key",
         "explicit_subject",
diff --git a/x509/static/README.md b/x509/static/README.md
index 16c6d4221bf..90677c2213b 100644
--- a/x509/static/README.md
+++ b/x509/static/README.md
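Review bot: With the `elif append_certs:` branch removed, a pure composing certificate (one with `append_cert` and no Subject, which `intermediate_ca_with_root_ocsp.pem` in main_certs_def.bzl appears to be) is never opened for writing before the second hunk's loop appends to it with `"at"`, so an output file left over from an earlier run would accumulate a second copy of every appended certificate; the old `"wt"` open was what truncated it. Truncate once before the loop, e.g. `if not (subject or explicit_empty_subject): open(make_filename(cert), "wt").close()`, or better, open the file once with the mode chosen by that condition and write all appended certs inside a single `with` instead of reopening per certificate. process_cert starts outside the hunk, and the bare `return` at the top of the second hunk presumably belongs to a DRY_RUN guard, so this affects real runs only.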
@@ -1 +1,31 @@ CAs, certificates, digests, keys, etc. which are not generated by mkcert.py are stored here. Contains all of the keys needed by mkcert.py during certificate generation with the main and apple certs. + +| Filename | Generation Command | +| ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | +| ca_key.pem | `openssl genrsa -out x509/static/ca_key.pem 2048` | +| ec_ca_key.pem | `openssl ecparam -name prime256v1 -genkey -out x509/static/ec_ca_key.pem` | +| ec_key.pem | `openssl ecparam -name prime256v1 -genkey -out x509/static/ec_key.pem` | +| ec_ocsp_ca_key.pem | `openssl ecparam -name prime256v1 -genkey -out x509/static/ec_ocsp_ca_key.pem` | +| ec_ocsp_key.pem | `openssl ecparam -name prime256v1 -genkey -out x509/static/ec_ocsp_key.pem` | +| intermediate_b_ca_key.pem | `openssl genrsa -out x509/static/intermediate_b_ca_key.pem 2048` | +| intermediate_b_key.pem | `openssl genrsa -out x509/static/intermediate_b_key.pem 2048` | +| intermediate_ca_key.pem | `openssl genrsa -out x509/static/intermediate_ca_key.pem 2048` | +| intermediate_key.pem | `openssl genrsa -out x509/static/intermediate_key.pem 2048` | +| intermediate_ocsp_ca_key.pem | `openssl genrsa -out x509/static/intermediate_ocsp_ca_key.pem 2048` | +| intermediate_ocsp_key.pem | `openssl genrsa -out x509/static/intermediate_ocsp_key.pem 2048` | +| key.pem | `openssl genrsa -out x509/static/key.pem 2048` | +| macos_ca_key.pem | `openssl genrsa -out x509/static/macos_ca_key.pem 2048` | +| macos_key.pem | `openssl genrsa -out x509/static/macos_key.pem 2048` | +| ocsp_ca_key.pem | `openssl genrsa -out x509/static/ocsp_ca_key.pem 2048` | +| ocsp_key.pem | `openssl genrsa -out x509/static/ocsp_key.pem 2048` | +| ocsp_responder_key.pem | `openssl genrsa -out x509/static/ocsp_responder_key.pem 2048` | +| pkcs1_encrypted_key.pem | `openssl rsa -in x509/static/key.pem 
-passin pass:qwerty -out x509/static/pkcs1_encrypted_key.pem -aes256 -passout pass:qwerty` | +| pkcs1_encrypted_trusted_key.pem | `openssl rsa -in x509/static/trusted_key.pem -passin pass:qwerty -out x509/static/pkcs1_encrypted_trusted_key.pem -aes256 -passout pass:qwerty` | +| pkcs8_encrypted_ec_key.pem | `openssl pkcs8 -topk8 -nocrypt -in x509/static/ec_key.pem -out x509/static/pkcs8_encrypted_ec_key.pem` | +| pkcs8_encrypted_ec_ocsp_ca_key.pem | `openssl pkcs8 -topk8 -nocrypt -in x509/static/ec_ocsp_ca_key.pem -out x509/static/pkcs8_encrypted_ec_ocsp_ca_key.pem` | +| pkcs8_encrypted_ec_ocsp_key.pem | `openssl pkcs8 -topk8 -nocrypt -in x509/static/ec_ocsp_key.pem -out x509/static/pkcs8_encrypted_ec_ocsp_key.pem` | +| pkcs8_encrypted_ec_ocsp_responder_key.pem | `openssl pkcs8 -topk8 -nocrypt -in x509/static/ec_ocsp_key.pem -out x509/static/pkcs8_encrypted_ec_ocsp_responder_key.pem` | +| rollover_ca_key.pem | `openssl genrsa -out x509/static/rollover_ca_key.pem 2048` | +| rollover_key.pem | `openssl genrsa -out x509/static/rollover_key.pem 2048` | +| trusted_ca_key.pem | `openssl genrsa -out x509/static/trusted_ca_key.pem 2048` | +| trusted_key.pem | `openssl genrsa -out x509/static/trusted_key.pem 2048` | diff --git a/x509/static/ca_key.pem b/x509/static/ca_key.pem index e4552752657..a65f4c6599d 100644 --- a/x509/static/ca_key.pem +++ b/x509/static/ca_key.pem @@ -1,5 +1,3 @@ -# Generated with: openssl genrsa -out x509/static/ca_key.pem 2048 - -----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDHstBFbi4KpKUY T2y0dK4BY+97UVzDE4ETCZt4p3GQZDIRC057agnex2XzLks0u5qVigm09mgoVDAS diff --git a/x509/static/ec_ca_key.pem b/x509/static/ec_ca_key.pem index b74bbacf2b2..f3300a37a55 100644 --- a/x509/static/ec_ca_key.pem +++ b/x509/static/ec_ca_key.pem @@ -1,5 +1,3 @@ -# Generated with: openssl ecparam -name prime256v1 -genkey -out x509/static/ec_ca_key.pem - -----BEGIN EC PARAMETERS----- BggqhkjOPQMBBw== -----END EC PARAMETERS----- 
diff --git a/x509/static/ec_key.pem b/x509/static/ec_key.pem index c22a6c0f80d..d5972455e2e 100644 --- a/x509/static/ec_key.pem +++ b/x509/static/ec_key.pem @@ -1,5 +1,3 @@ -# Generated with: openssl ecparam -name prime256v1 -genkey -out x509/static/ec_key.pem - -----BEGIN EC PARAMETERS----- BggqhkjOPQMBBw== -----END EC PARAMETERS----- diff --git a/x509/static/ec_ocsp_ca_key.pem b/x509/static/ec_ocsp_ca_key.pem index 886afec3ef7..24142b3d749 100644 --- a/x509/static/ec_ocsp_ca_key.pem +++ b/x509/static/ec_ocsp_ca_key.pem @@ -1,5 +1,3 @@ -# Generated with: openssl ecparam -name prime256v1 -genkey -out x509/static/ec_ocsp_ca_key.pem - -----BEGIN EC PARAMETERS----- BggqhkjOPQMBBw== -----END EC PARAMETERS----- diff --git a/x509/static/ec_ocsp_key.pem b/x509/static/ec_ocsp_key.pem index 9e517557416..69d61635106 100644 --- a/x509/static/ec_ocsp_key.pem +++ b/x509/static/ec_ocsp_key.pem @@ -1,5 +1,3 @@ -# Generated with: openssl ecparam -name prime256v1 -genkey -out x509/static/ec_ocsp_key.pem - -----BEGIN EC PARAMETERS----- BggqhkjOPQMBBw== -----END EC PARAMETERS----- diff --git a/x509/static/intermediate_b_ca_key.pem b/x509/static/intermediate_b_ca_key.pem index ba788f2f3ac..228f1fc8776 100644 --- a/x509/static/intermediate_b_ca_key.pem +++ b/x509/static/intermediate_b_ca_key.pem @@ -1,5 +1,3 @@ -# Generated with: openssl genrsa -out x509/static/intermediate_b_ca_key.pem 2048 - -----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDMjtMFYF9r18yA anNI4pY712brkcklesA0TSD4PpAn/n2VQM3gci6iwTPybpfQp2BGnTirnc+V0O0e diff --git a/x509/static/intermediate_b_key.pem b/x509/static/intermediate_b_key.pem index e86800d25a3..49a64461f97 100644 --- a/x509/static/intermediate_b_key.pem +++ b/x509/static/intermediate_b_key.pem 
@@ -1,5 +1,3 @@ -# Generated with: openssl genrsa -out x509/static/intermediate_b_key.pem 2048 - -----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDaGeC9rIXyghgp JOxaNKpNElTCb4tYrX6r5YP656YLupa2M2bBSR/OXMh2Je2UjtW2l1CG/dPefSVw diff --git a/x509/static/intermediate_ca_key.pem b/x509/static/intermediate_ca_key.pem index a8824551a32..0c0fd573d81 100644 --- a/x509/static/intermediate_ca_key.pem +++ b/x509/static/intermediate_ca_key.pem @@ -1,5 +1,3 @@ -# Generated with: openssl genrsa -out x509/static/intermediate_ca_key.pem 2048 - -----BEGIN PRIVATE KEY----- MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCvzAYkXUq+vGPL 4X4hrkuD+YgSuVbISE3puYrBvR+N4cjJXX6PcbGqNVVsFY3LGczEyfDjGDPnLy6A diff --git a/x509/static/intermediate_key.pem b/x509/static/intermediate_key.pem index 86f955bf3a7..3a50e56963b 100644 --- a/x509/static/intermediate_key.pem +++ b/x509/static/intermediate_key.pem @@ -1,5 +1,3 @@ -# Generated with: openssl genrsa -out x509/static/intermediate_key.pem 2048 - -----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCtsXu8eWYdy+l5 l4Muc9w6X/g4SbzVLFL2evkmTXARr0HzqNKSRHdVLygL1ns1Vf09k8gPYgXkt7oW diff --git a/x509/static/intermediate_ocsp_ca_key.pem b/x509/static/intermediate_ocsp_ca_key.pem index 7e63ec8ed47..2bd630fe9c3 100644 --- a/x509/static/intermediate_ocsp_ca_key.pem +++ b/x509/static/intermediate_ocsp_ca_key.pem @@ -1,5 +1,3 @@ -# Generated with: openssl genrsa -out x509/static/intermediate_ocsp_ca_key.pem 2048 - -----BEGIN PRIVATE KEY----- MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDKOys4mHEEVLaB KQOqwqYOXVR20sd52yByciXJwpOcXAXnPQJJHGBkre2SX9cJjyz8YfTRhBoay+JI diff --git a/x509/static/intermediate_ocsp_key.pem b/x509/static/intermediate_ocsp_key.pem index 4ec1e3a598d..5b8eb8cb218 100644 --- a/x509/static/intermediate_ocsp_key.pem +++ b/x509/static/intermediate_ocsp_key.pem 
@@ -1,5 +1,3 @@ -# Generated with: openssl genrsa -out x509/static/intermediate_ocsp_key.pem 2048 - -----BEGIN PRIVATE KEY----- MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC3UAPPT0kE8eSm kll2YQURGadQQrcQA2JUtiWOOpVhNO78Yuf3i4whZYlrsYchSMXGPk2nCnb4QUtm diff --git a/x509/static/key.pem b/x509/static/key.pem index 64ecbaf0395..09a8975fa8e 100644 --- a/x509/static/key.pem +++ b/x509/static/key.pem @@ -1,5 +1,3 @@ -# Generated with: openssl genrsa -out x509/static/key.pem 2048 - -----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCo9fNp2LLX5iYr JOsgG41FOv5hgEoUpCsdT+L12njtYFvepXaUpXkRkwM/THJzzDUg5eIUqfLbG+d4 diff --git a/x509/static/macos_ca_key.pem b/x509/static/macos_ca_key.pem index 9ffd7a1f1cf..8d4b51ba3f4 100644 --- a/x509/static/macos_ca_key.pem +++ b/x509/static/macos_ca_key.pem @@ -1,5 +1,3 @@ -# Generated with: openssl genrsa -out x509/static/macos_ca_key.pem 2048 - -----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCcHqL2EAPXHo+b mdqXyG5o4N+7zZRV/1KLj0Div/2bektVoWQCoI+vnQrYQj34J97EeYSanXMHsaCq diff --git a/x509/static/macos_key.pem b/x509/static/macos_key.pem index e65feae52f3..d5cd4d3bc05 100644 --- a/x509/static/macos_key.pem +++ b/x509/static/macos_key.pem @@ -1,5 +1,3 @@ -# Generated with: openssl genrsa -out x509/static/macos_key.pem 2048 - -----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyH9cCuKea1fK0 FPTEGWpsxADfVgIv2onGgjtTM2pcjWVknJt60cPfawlYbvsaKxaUJU4JjtPK0zJ+ diff --git a/x509/static/ocsp_ca_key.pem b/x509/static/ocsp_ca_key.pem index 585ad49e48c..a1bd29c62fb 100644 --- a/x509/static/ocsp_ca_key.pem +++ b/x509/static/ocsp_ca_key.pem @@ -1,5 +1,3 @@ -# Generated with: openssl genrsa -out x509/static/ocsp_ca_key.pem 2048 - -----BEGIN PRIVATE KEY----- MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDXBkXMLrrusS+E 7p22IHPEdC2XovIoNSlDjyDYJ8rcPjX0Rus//TdtwGRbbqXZQSMQ+wmlb2tsAAkW 
diff --git a/x509/static/ocsp_key.pem b/x509/static/ocsp_key.pem index 6af4d88da74..e9e27bc4461 100644 --- a/x509/static/ocsp_key.pem +++ b/x509/static/ocsp_key.pem @@ -1,5 +1,3 @@ -# Generated with: openssl genrsa -out x509/static/ocsp_key.pem 2048 - -----BEGIN PRIVATE KEY----- MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC+QWH0U0sB3jaH eEoGPUsWU8tAgadlNiZK4KDPaVRjcTbPukYzgaoeqpjQp8A/erGytButj1EywGCU diff --git a/x509/static/ocsp_responder_key.pem b/x509/static/ocsp_responder_key.pem new file mode 100644 index 00000000000..4c0ee94ff5c --- /dev/null +++ b/x509/static/ocsp_responder_key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCuKqVSA8xeLXj2 +qx7LzkY13q1vt+TZBjSFqv25mBztTlkd+mEkSmqohyvHiuMsg7hs/96nnY67oWx5 +3BecI3VL9sipwY+UOG8iR/useu0Q0aX523TXKIBHcDpPeMPhJLRh0eaHlIP3Wlp4 +pvWtTYRpCaG4lz2msdyF9yS6/c0yR0V9MoOhf6+JqqJsyaZiGaFa5Dg8uRMfnzse +9Mihk2m5dMKQ/jmpdXChwG7ULEcpVmf6LdctFaZBYxFHaC0H8+dCgSnh3XwU86jR +OPW8RjXI0B9+9GroGPGZyP4KCrAccfv9U1sBdBHx/dIIp92XGVkz3YL4tjHIUrT4 +dAVLCKUFAgMBAAECggEAAzdd5LEVw9J2pqV71NsrEEEbtlGwy/Ixo5tIArakqBw3 +iJZwV015gUG3xQBTWCXZkMe72qAN+/iL6ocuN2+vMZct1vawWlYddUZbhzCg8pvQ +gxfypSuGDOutY/zQrzZwj1LjPTM4qad1Pr+kj038aT0oi6JdXNfxgNbSypI3yRsg +gCdBXEZtjmkRLXShomz40daoxQ28rVnAKMPo1KqYTxEPg81cmswXKgw/YTUO5SKR +Jcocg0WHfnzi9xmZrxoLv0sLGIYBTP86gnQqfYWEDQVuwB6qYSoRPtb1mDKjacyx +WtBbgslEe6rLyF1RufELqFe7U7/HcqMHgRFF7om/YQKBgQDnjCoSmjFmcWQEPW0M +wvNbfLeM8O8BnGmG1EqWA0y5JpwRh0wjesmGZiAyzAR2YzsObgisF1mhqviLD4ko +FZ7CY3WCoV4J1+deG9dXl+F/0Xyt23KDUyGXn6aI+Y4VBMIrwDfYtMbXR6aMPerq +mF55fTQ8jFOcVSzvOoHSK96WJQKBgQDAjzNg5KkDYM2otCKR445KxegBgD8ZeqiC +GocrdpPm9GNG7vaxnuXhowc12rDB340J1RErAP72duyEbFDdxX5D11Dzptr3+cbA +R1myg8pjCjVL+dP6IF+Zqo6qwkdHE6U0V5vxUhCJa4LpG/7flc7lIY70/V0zelgj +iJUuWXRtYQKBgH09myQkssOuYWLJtspISEkb1EwvpZdBevKqsQ0jC8S51YDFpbEr +IQXJB3FyWJeQZMkRSy+KEbkYOQc+h/leeFi8Yzsc/Thlx4dnl7qRNC9mqAGByRav +SGQyvmkoUmmcAUqY1Zwpa8PVxYfllcL+V1tvFWoKnM7aY0uiYcXEZMjhAoGASHSZ +zJe90PuX5ycA6wxI+nHFfusW0yuIRIxe2EfiF0FWKda5FNTJg0Go8Oa9I/ZOR6jY +sOnLBkpxbNKlCw3JGRXn7AaY1j4yPx+Z7MYSXXn13ATBcpjD4DqBPFemImSOAUgF +8aQDfPHrbHOQT+k61JTwCddcPoaGq7g1Ch+244ECgYEA2MgqMArxhDRp3CsQsgAm +EFTUe7kPPXAn0g4rptUJbV1FxCI/ap1Us3au/p7YSO3qcLoGI3pG+kScEnlxdXRG +6KYqwY/+9BQkHGk9Fh83jtHJqWUv45Dq4NLf3tgFIBxd4TS6c6Oui/ZLxbquK1dG +sipB5iW+QprArtYgm9rlbUI= +-----END PRIVATE KEY----- diff --git a/x509/static/pkcs1_encrypted_key.pem b/x509/static/pkcs1_encrypted_key.pem index a63dfff16df..bd1cc78fbec 100644 --- a/x509/static/pkcs1_encrypted_key.pem +++ b/x509/static/pkcs1_encrypted_key.pem 
@@ -1,5 +1,3 @@ -# Generated with: openssl rsa -in x509/static/key.pem -passin pass:qwerty -out x509/static/pkcs1_encrypted_key.pem -aes256 -passout pass:qwerty - -----BEGIN ENCRYPTED PRIVATE KEY----- MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI3KLbpDchrtwCAggA MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBA01spDZ/sLkgCOEqMcRuRCBIIE diff --git a/x509/static/pkcs1_encrypted_trusted_key.pem b/x509/static/pkcs1_encrypted_trusted_key.pem index 654916240f4..156b03ea89a 100644 --- a/x509/static/pkcs1_encrypted_trusted_key.pem +++ b/x509/static/pkcs1_encrypted_trusted_key.pem @@ -1,5 +1,3 @@ -# Generated with: openssl rsa -in x509/static/trusted_key.pem -passin pass:qwerty -out x509/static/pkcs1_encrypted_trusted_key.pem -aes256 -passout pass:qwerty - -----BEGIN ENCRYPTED PRIVATE KEY----- MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIAgk73pojwy0CAggA MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBAGczq7LVH22pU6vE/4Tmc7BIIE diff --git a/x509/static/pkcs8_encrypted_ec_key.pem b/x509/static/pkcs8_encrypted_ec_key.pem index 6bf0c8bd433..0357b9bc4c6 100644 --- a/x509/static/pkcs8_encrypted_ec_key.pem +++ b/x509/static/pkcs8_encrypted_ec_key.pem @@ -1,5 +1,3 @@ -# Generated with: openssl pkcs8 -topk8 -nocrypt -in x509/static/ec_key.pem -out x509/static/pkcs8_encrypted_ec_key.pem - -----BEGIN PRIVATE KEY----- MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgRxmpZOL9tO49KR0S D+dJcJhGJeRoTmWLTCsmlbEDGT+hRANCAAQQ3y6ZMbvix/1xQSn4yqk06ktb+/K8 diff --git a/x509/static/pkcs8_encrypted_ec_ocsp_ca_key.pem b/x509/static/pkcs8_encrypted_ec_ocsp_ca_key.pem index 96a03ada9c9..211cbd0ee30 100644 --- a/x509/static/pkcs8_encrypted_ec_ocsp_ca_key.pem +++ b/x509/static/pkcs8_encrypted_ec_ocsp_ca_key.pem 
@@ -1,5 +1,3 @@
-# Generated with: openssl pkcs8 -topk8 -nocrypt -in x509/static/ec_ocsp_ca_key.pem -out x509/static/pkcs8_encrypted_ec_ocsp_ca_key.pem
-
 -----BEGIN PRIVATE KEY-----
 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgplGlI1Y/2E+bkAD0
 u/MGrmT7fiU5g/KQoJswntgUyaahRANCAARrmfc+xdKiRJ3wPmWvSTYBTH/3qDEJ
diff --git a/x509/static/pkcs8_encrypted_ec_ocsp_key.pem b/x509/static/pkcs8_encrypted_ec_ocsp_key.pem
index 828d80eaad9..54d953523bf 100644
--- a/x509/static/pkcs8_encrypted_ec_ocsp_key.pem
+++ b/x509/static/pkcs8_encrypted_ec_ocsp_key.pem
@@ -1,5 +1,3 @@
-# Generated with: openssl pkcs8 -topk8 -nocrypt -in x509/static/ec_ocsp_key.pem -out x509/static/pkcs8_encrypted_ec_ocsp_key.pem
-
 -----BEGIN PRIVATE KEY-----
 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgY66ADPLLteZvZCsy
 bkZfEqc+bLjoPtsS0PsCkXHd0wGhRANCAARkBEP8cKq3bPEkZv6O0cYQyYut/LO8
diff --git a/x509/static/pkcs8_encrypted_ec_ocsp_responder_key.pem b/x509/static/pkcs8_encrypted_ec_ocsp_responder_key.pem
new file mode 100644
index 00000000000..54d953523bf
--- /dev/null
+++ b/x509/static/pkcs8_encrypted_ec_ocsp_responder_key.pem
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgY66ADPLLteZvZCsy
+bkZfEqc+bLjoPtsS0PsCkXHd0wGhRANCAARkBEP8cKq3bPEkZv6O0cYQyYut/LO8
+vT2PeLBzHP0WZJ2qGAnivN4vIWJ1j7kFZUgvhQtXcnxl08qW+Ktsns0M
+-----END PRIVATE KEY-----
diff --git a/x509/static/rollover_ca_key.pem b/x509/static/rollover_ca_key.pem
index 941a70e8d6a..c6b5122227b 100644
--- a/x509/static/rollover_ca_key.pem
+++ b/x509/static/rollover_ca_key.pem
@@ -1,5 +1,3 @@
-# Generated with: openssl genrsa -out x509/static/rollover_ca_key.pem 2048
-
 -----BEGIN PRIVATE KEY-----
 MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC9fuHlCyJ/Cy3y
 1x0bJdyAjHFtISe07DiN2/cPFVaLqIxVjqN9D3hqOGsRsaQTIhLqvzCsup7j9j2K
diff --git a/x509/static/rollover_key.pem b/x509/static/rollover_key.pem
index 618718232c1..9458b998ceb 100644
--- a/x509/static/rollover_key.pem
+++ b/x509/static/rollover_key.pem
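Review bot: The added pkcs8_encrypted_ec_ocsp_responder_key.pem is byte-identical to pkcs8_encrypted_ec_ocsp_key.pem — both headers resolve to blob 54d953523bf and the visible key lines match — so the OCSP responder would sign with the same private key that (presumably) backs the ec_ocsp end-entity certificate it vouches for. Any test intended to show that a response signed by the wrong key is rejected cannot exercise that with a shared key, and if the reuse is deliberate it should be stated next to the file, e.g. a README line `pkcs8_encrypted_ec_ocsp_responder_key.pem: intentionally the same key as pkcs8_encrypted_ec_ocsp_key.pem`, so a later regeneration does not silently "fix" it. Note also that despite the `encrypted` in the filename the content is an unencrypted PKCS#8 key (`-----BEGIN PRIVATE KEY-----`, and the removed provenance comment on the sibling file used `-nocrypt`); with the `# Generated with:` lines gone, the generator config or a README should record that these files carry no passphrase.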
@@ -1,5 +1,3 @@
-# Generated with: openssl genrsa -out x509/static/rollover_key.pem 2048
-
 -----BEGIN PRIVATE KEY-----
 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDQbf41+9efMuhz
 KEF6ZV+uACaKw62CliaGl2iqZW0FBzR98pGnS/AJiv5PpcSYe8LxUbpry4FkqItg
diff --git a/x509/static/trusted_ca_key.pem b/x509/static/trusted_ca_key.pem
index 83ccddbaace..27afe5acf17 100644
--- a/x509/static/trusted_ca_key.pem
+++ b/x509/static/trusted_ca_key.pem
@@ -1,5 +1,3 @@
-# Generated with: openssl genrsa -out x509/static/trusted_ca_key.pem 2048
-
 -----BEGIN PRIVATE KEY-----
 MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCtW/NTl/RS3pAT
 PyuPjCu4YE7lQuQ8JoLAMZBPftsyILi1+fylLizHLSXkhi2Kch2BJO1mijptOiQ3
diff --git a/x509/static/trusted_key.pem b/x509/static/trusted_key.pem
index d8213ed5283..c5368b3fb25 100644
--- a/x509/static/trusted_key.pem
+++ b/x509/static/trusted_key.pem
@@ -1,5 +1,3 @@
-# Generated with: openssl genrsa -out x509/static/trusted_key.pem 2048
-
 -----BEGIN PRIVATE KEY-----
 MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCvpTTts3ejYVgy
 HTOFRDDekFYgjEPpN5/Jel80AOukwPxjA3VRQDV3qMVO5jNg59KLgHrErm+QnpOg
