authorShreyas Kalyan <shreyaskalyan@gmail.com>2018-09-13 11:57:49 -0400
committerShreyas Kalyan <shreyaskalyan@gmail.com>2018-09-13 11:57:49 -0400
commit27174a7951377fbe4e1a0db9ea61bdb6d0018bc9 (patch)
tree68e60c19d8c28b1a777a675ad4031945c5348886
parentea179ee5116ea0fdcb5498e0415a41ecfc5120dd (diff)
downloadmongo-27174a7951377fbe4e1a0db9ea61bdb6d0018bc9.tar.gz
SERVER-36895 updated SAN recognition for IP addresses on Mac and OpenSSL
-rw-r--r--jstests/libs/README.ssl23
-rw-r--r--jstests/libs/client_SAN.pem49
-rw-r--r--jstests/libs/openssl_SAN.cfg31
-rw-r--r--jstests/libs/openssl_SAN2.cfg30
-rw-r--r--jstests/libs/server_SAN.pem49
-rw-r--r--jstests/libs/server_SAN2.pem49
-rw-r--r--jstests/ssl/ssl_x509_SAN.js79
-rw-r--r--src/mongo/util/net/ssl_manager_apple.cpp38
-rw-r--r--src/mongo/util/net/ssl_manager_openssl.cpp23
9 files changed, 364 insertions, 7 deletions
diff --git a/jstests/libs/README.ssl b/jstests/libs/README.ssl
index 1e230e730ff..d86cb9f77a7 100644
--- a/jstests/libs/README.ssl
+++ b/jstests/libs/README.ssl
@@ -51,3 +51,26 @@ cat roles.pem roles2.key > roles_final.pem
Example Commands for UTF-8
--------------------------
openssl req -new -utf8 -nameopt multiline,utf8 -config .\jstests\libs\client_utf8.cnf -newkey rsa:2048 -nodes -keyout roles.key -out roles.csr
+
+
+openssl x509 -req -sha256 -in CSR.csr -days 3650 -out roles.pem -extfile openssl.cnf -CA jstests/libs/ca.pem -CAcreateserial
+
+openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout privateKey.key -out roles.csr -subj "/C=US/ST=New York/L=New York City/O=MongoDB/OU=KernelUser/CN=client/emailAddress=example@mongodb.com"
+
+--------------------------
+
+Example of Extension: To sign certificate with SAN
+
+Copy or use the ca.pem file from jstests/libs/ca.pem
+Copy the openssl_SAN.cfg from jstests/libs/openssl_SAN.cfg or create your own
+
+#Create the client certificate
+openssl genrsa -out client.key 2048 #Creates the client key
+openssl req -new -key client.key -out client.csr -config openssl_SAN.cfg -extensions v3_req #Creates the unsigned client certificate (change v3_req to whatever extensions in the cfg file)
+openssl x509 -req -days 3650 -in client.csr -CA ca.pem -set_serial 01 -out client.crt -extfile openssl_SAN.cfg -extensions v3_req #Creates the signed client certificate
+cat client.crt client.key > client.pem #Joins the signed cert with the key for the client pem
+
+openssl genrsa -out server.key 2048
+openssl req -new -key server.key -out server.csr -config openssl_SAN.cfg -extensions v3_req #Creates the unsigned server certificate (change v3_req to whatever extensions in the cfg file)
+openssl x509 -req -days 3650 -in server.csr -CA ca.pem -set_serial 01 -out server.crt -extfile openssl_SAN.cfg -extensions v3_req #Creates the signed server certificate
+cat server.crt server.key > server.pem #Joins the signed cert with the key for the server pem
diff --git a/jstests/libs/client_SAN.pem b/jstests/libs/client_SAN.pem
new file mode 100644
index 00000000000..4aa340e32ed
--- /dev/null
+++ b/jstests/libs/client_SAN.pem
@@ -0,0 +1,49 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/jstests/libs/openssl_SAN.cfg b/jstests/libs/openssl_SAN.cfg
new file mode 100644
index 00000000000..ce2930fda92
--- /dev/null
+++ b/jstests/libs/openssl_SAN.cfg
@@ -0,0 +1,31 @@
+[ ca ]
+
+default_ca = CA_default
+
+[ CA_default ]
+dir = .
+certificate = $dir/ca.pem
+
+
+[ req ]
+default_bits = 4096
+default_keyfile = privateKey.pem
+distinguished_name = req_distinguished_name
+prompt = no
+req_extensions = v3_req
+
+[ req_distinguished_name ]
+countryName = US
+stateOrProvinceName = New York
+localityName = New York City
+organizationName = MongoDB
+organizationalUnitName = Kernel Users
+commonName = Kernel Client Peer Role
+
+[ v3_req ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = localhost
+IP.1 = 127.0.0.1
+IP.2 = ::1
diff --git a/jstests/libs/openssl_SAN2.cfg b/jstests/libs/openssl_SAN2.cfg
new file mode 100644
index 00000000000..6241781de54
--- /dev/null
+++ b/jstests/libs/openssl_SAN2.cfg
@@ -0,0 +1,30 @@
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir = .
+certificate = $dir/ca.pem
+
+
+[ req ]
+default_bits = 4096
+default_keyfile = privateKey.pem
+distinguished_name = req_distinguished_name
+prompt = no
+req_extensions = v3_req
+
+[ req_distinguished_name ]
+countryName = US
+stateOrProvinceName = New York
+localityName = New York City
+organizationName = MongoDB
+organizationalUnitName = Kernel Users
+commonName = Kernel Users
+
+[ v3_req ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = localhost
+DNS.2 = 127.0.0.1
+DNS.3 = ::1
diff --git a/jstests/libs/server_SAN.pem b/jstests/libs/server_SAN.pem
new file mode 100644
index 00000000000..d7bccc7dd76
--- /dev/null
+++ b/jstests/libs/server_SAN.pem
@@ -0,0 +1,49 @@
+-----BEGIN CERTIFICATE-----
+MIIDozCCAougAwIBAgIBATANBgkqhkiG9w0BAQUFADB0MRcwFQYDVQQDEw5LZXJu
+ZWwgVGVzdCBDQTEPMA0GA1UECxMGS2VybmVsMRAwDgYDVQQKEwdNb25nb0RCMRYw
+FAYDVQQHEw1OZXcgWW9yayBDaXR5MREwDwYDVQQIEwhOZXcgWW9yazELMAkGA1UE
+BhMCVVMwHhcNMTgwOTEyMTgyOTMxWhcNMjgwOTA5MTgyOTMxWjCBgzELMAkGA1UE
+BhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5
+MRAwDgYDVQQKDAdNb25nb0RCMRUwEwYDVQQLDAxLZXJuZWwgVXNlcnMxIDAeBgNV
+BAMMF0tlcm5lbCBDbGllbnQgUGVlciBSb2xlMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAx1rjAuUCMIASFj7G9Yfop/YSi5kLpVap/VE8tzJzIk1jXyH5
+v6AdFYADm38tlhMOmIKJVGWwVsiYvusE3SM2rLsBht2n2qsWyXz+FTbpW3wHb3cT
+3Lr9C3+5MxN85rFEO9eaoirZTZfxngf6dympsJhh7k+avz2XDQY/UAuzA7nQcTal
+G/H6juf76lP5+moIp+GaJJ3Pgf/IPguZQ+Kp4Fu71c1rvwyNdIlrxmzERgDlnr/v
+GDxOaHYLXp+g1L5tHoHzBAmDSNHzVGsZdkpbogBDOulxF2/jpRubwNA8n/QEt8FX
+qBOh+JRC5eHMZbHcD7XZ/c8FHoDAGkSa69Cb6QIDAQABozAwLjAsBgNVHREEJTAj
+gglsb2NhbGhvc3SHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQEF
+BQADggEBAH3X1zh8Mtplmtznyby7QIojvIwAKI++57ctEqeZ1fEmi+HaS2OLTO/j
+EgsEWfmYDDnHyTYFDnBYziFW0JFEoORMtz380ESH+iWITVmQy86nB/GhbEc80H5+
+zZpFUtk6n7P6G1g7HGksISllVHMOiH6Pg2kjVJ4gtcX5gNCoU+GDStw9WZypei6G
+SAg+Kl5q7Q15TM7Mys2/d0fMqapNzMpFDdu9IQvJBtq4jysJFkQV/Or/r54RAEcV
+U14iadBkEYubwEYPlYqDYJejkWGsO9f5FursZr2HfnmvghzKccnFXQEeyP0wVXbx
+URldTTLtXOOYWxHQqWwUs1UlbB47Ihc=
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAx1rjAuUCMIASFj7G9Yfop/YSi5kLpVap/VE8tzJzIk1jXyH5
+v6AdFYADm38tlhMOmIKJVGWwVsiYvusE3SM2rLsBht2n2qsWyXz+FTbpW3wHb3cT
+3Lr9C3+5MxN85rFEO9eaoirZTZfxngf6dympsJhh7k+avz2XDQY/UAuzA7nQcTal
+G/H6juf76lP5+moIp+GaJJ3Pgf/IPguZQ+Kp4Fu71c1rvwyNdIlrxmzERgDlnr/v
+GDxOaHYLXp+g1L5tHoHzBAmDSNHzVGsZdkpbogBDOulxF2/jpRubwNA8n/QEt8FX
+qBOh+JRC5eHMZbHcD7XZ/c8FHoDAGkSa69Cb6QIDAQABAoIBAFiTgnAjzrA8B01J
+AV/QzkfqptzN2IXTFt6N/NstGEjyd6eqUeyZuLJ32aJ6hIe82exbe6c7M3mr0Wpq
+xBN5dO6UfJ4u2EjpYcuOtNo6Nr9GQYt+Lh4SGyLD0kbmbsWVl8q7BmLthPXcACgG
+RXwyz8m+Oy0Gw6wbMoU/9FudhyGs4hQEg6DxG5tYHujo+XFU48eAJBSbCgqWbBT8
+HBB/DNlqzsgPDDv/fr2lzPAsjgSM0HH3FH1l64MiIQillucYvitCbgAHZ9kNf5Go
+0ZzaOaGQAqK2nzIIELuxxvuXSk/5bVCcOCwUojIE7WdfDNM9PFCakHcTPP4t1ZV6
+4BLtYwECgYEA6mh8f0TaZpuOjzeIounlA9/mOd+S+YeKVfeuSqPnG1Hu5G3Da98K
+PPPzUfcpAtIG9JGotqEUiuz+ChMyjwdy8dWTAspIdZDwOIZji/deLjFqheGFtz3V
+FUxXUW6dIPVNMeG2B4rqftNHuupXUSBIkr7f4O6DWRXb34ABIviUNqECgYEA2bfS
+jCAboEE1lpJ1y6wk3W1MVzv362yTye5ym8herZhWEdYBORb8F6V2QvjBmr47HPU3
+lj/D5JB1DvVniOu+Mx2If1ass8twmFc3tdEJZW9N9IkyDgOidywXtP55xmv6sSoP
+WaQqMtmzHZgI3dbJg23XD/t9rXIOR+ZrnVDYCEkCgYBQ3NqVzNrKqr7zCOVJzgYC
+4Co7rLS2/9ro7RhjB0eiVRFkG7lebQLLJBy8Gdc78dgUZmsdFVRQ2JCKSTUXwioU
+4uhj/gQhCm7UEQgmMJ98r+9fX/0QyXPIdR1qKg5qYDTREFwLHhDmz1vfTxfwFIL0
+nIP+xEjrYm8HGtFJjxcSAQKBgA1kKBgkVW6q9B/ZzFMFuJLCCUMIVjxtxj1SZEw+
+q8wjpY+dSR/40PKnY7nE0SuybbJfRtb//w2M8RZFc+PRFDbSpzWl4COC7N8B5lRR
+kjFiAjp7Qc/o21JXLPIeAOF6fMXu31jVJx9PkpvMYSc78dMaq3K5Nka30DcN7iqT
+8WW5AoGBAIhr9DyU4Cclw7JfAzgg0OZC1wWgefLDxE6qE2fAvKPhaasngErEVVn0
+OeztsXIMR8rD2VgK9sMbqoeBFAkNbw2AHLX2+ODFKv+3l0kiMUh4nA1AYD2nqgB+
+mCdony1vJ7p/njB4d8h7qHkHM8V+9Eqxum2YibR02hQIKxdOsfxj
+-----END RSA PRIVATE KEY-----
diff --git a/jstests/libs/server_SAN2.pem b/jstests/libs/server_SAN2.pem
new file mode 100644
index 00000000000..e256620984d
--- /dev/null
+++ b/jstests/libs/server_SAN2.pem
@@ -0,0 +1,49 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/jstests/ssl/ssl_x509_SAN.js b/jstests/ssl/ssl_x509_SAN.js
new file mode 100644
index 00000000000..3d0a9886193
--- /dev/null
+++ b/jstests/ssl/ssl_x509_SAN.js
@@ -0,0 +1,79 @@
+load('jstests/ssl/libs/ssl_helpers.js');
+
+(function() {
+ "use strict";
+
+ const SERVER1_CERT = "jstests/libs/server_SAN.pem";
+ const SERVER2_CERT = "jstests/libs/server_SAN2.pem"
+ const CA_CERT = "jstests/libs/ca.pem";
+ const CLIENT_CERT = "jstests/libs/client_SAN.pem";
+
+ const CLIENT_USER = "C=US,ST=New York,L=New York City,O=MongoDB,OU=Kernel Users,CN=KernelUser";
+ function authAndTest(port) {
+ const mongo_localhost = runMongoProgram("mongo",
+ "--host",
+ "localhost",
+ "--port",
+ port,
+ "--ssl",
+ "--sslCAFile",
+ CA_CERT,
+ "--sslPEMKeyFile",
+ CLIENT_CERT,
+ "--eval",
+ ";");
+
+ assert.eq(0, mongo_localhost, "Connection succeeded");
+
+ const mongo_IPv4 = runMongoProgram("mongo",
+ "--host",
+ "127.0.0.1",
+ "--port",
+ port,
+ "--ssl",
+ "--sslCAFile",
+ CA_CERT,
+ "--sslPEMKeyFile",
+ CLIENT_CERT,
+ "--eval",
+ ";");
+
+ assert.eq(0, mongo_IPv4, "Connection succeeded");
+
+ const mongo_IPv6 = runMongoProgram("mongo",
+ "--host",
+ "::1",
+ "--port",
+ port,
+ "--ssl",
+ "--sslCAFile",
+ CA_CERT,
+ "--sslPEMKeyFile",
+ CLIENT_CERT,
+ "--ipv6",
+ "--eval",
+ ";");
+
+ assert.eq(0, mongo_IPv6, "Connection succeeded");
+
+ }
+ const x509_options = {sslMode: "requireSSL", sslPEMKeyFile: SERVER1_CERT, sslCAFile: CA_CERT, ipv6: "", bind_ip_all: ""};
+
+ print("1. Testing x.509 auth to mongod");
+ {
+ let mongo = MongoRunner.runMongod(x509_options);
+ print("MMONGONSDOJNFOSNDF")
+ authAndTest(mongo.port);
+ MongoRunner.stopMongod(mongo);
+ }
+
+ const x509_options2 = {sslMode: "requireSSL", sslPEMKeyFile: SERVER2_CERT, sslCAFile: CA_CERT, ipv6: "", bind_ip_all: ""};
+
+ print("2. Testing IPv6 in DNS Name field");
+ {
+ let mongo = MongoRunner.runMongod(Object.merge(x509_options2, {auth: ""}));
+ authAndTest(mongo.port);
+ MongoRunner.stopMongod(mongo);
+ }
+
+}()); \ No newline at end of file
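Review bot: The `print("MMONGONSDOJNFOSNDF")` just after the first MongoRunner.runMongod call is leftover debug output and should be removed; the SERVER2_CERT declaration is also missing its terminating semicolon. The three assert.eq messages read "Connection succeeded", but the message is only printed when the assertion fails, so each should describe the failure, e.g. `assert.eq(0, mongo_IPv4, "Connection to 127.0.0.1 with an IP SAN failed");`. CLIENT_USER is declared but never used, and the second scenario starts mongod with `auth: ""` yet authAndTest never authenticates as that x.509 user, so the test only exercises the TLS hostname match against the DNS-Name-carrying-an-IP certificate, not x.509 authentication; either drop the auth option or add the authentication step the name of the function promises.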
diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp
index 4f7cf85c3db..aa30764ae40 100644
--- a/src/mongo/util/net/ssl_manager_apple.cpp
+++ b/src/mongo/util/net/ssl_manager_apple.cpp
@@ -51,6 +51,7 @@
#include "mongo/util/net/ssl/apple.hpp"
#include "mongo/util/net/ssl_manager.h"
#include "mongo/util/net/ssl_options.h"
+#include "mongo/util/net/cidr.h"
using asio::ssl::apple::CFUniquePtr;
@@ -486,11 +487,16 @@ StatusWith<std::vector<std::string>> extractSubjectAlternateNames(::CFDictionary
if (!swLabel.isOK()) {
return swLabel.getStatus();
}
- if (::CFStringCompare(swLabel.getValue(), CFSTR("DNS Name"), ::kCFCompareCaseInsensitive) !=
- ::kCFCompareEqualTo) {
+ if ((::CFStringCompare(swLabel.getValue(), CFSTR("DNS Name"), ::kCFCompareCaseInsensitive) != ::kCFCompareEqualTo)
+ && (::CFStringCompare(swLabel.getValue(), CFSTR("IP Address"), ::kCFCompareCaseInsensitive) != ::kCFCompareEqualTo)) {
// Skip other elements, e.g. 'Critical'
continue;
}
+ bool dnsFlag = false;
+ if (::CFStringCompare(swLabel.getValue(), CFSTR("DNS Name"), ::kCFCompareCaseInsensitive) == ::kCFCompareEqualTo) {
+ dnsFlag = true;
+ }
+
auto swName = extractDictionaryValue<::CFStringRef>(elem, ::kSecPropertyKeyValue);
if (!swName.isOK()) {
return swName.getStatus();
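Review bot: The label is compared against "DNS Name" twice and against "IP Address" once, with the first comparison repeated only to set dnsFlag; computing each comparison once reads more clearly and avoids the two conditions drifting apart: `const bool isDnsName = ::CFStringCompare(swLabel.getValue(), CFSTR("DNS Name"), ::kCFCompareCaseInsensitive) == ::kCFCompareEqualTo;` `const bool isIpAddress = ::CFStringCompare(swLabel.getValue(), CFSTR("IP Address"), ::kCFCompareCaseInsensitive) == ::kCFCompareEqualTo;` `if (!isDnsName && !isIpAddress) { continue; }`. The "IP Address" label is assumed to be the exact text Security.framework uses for iPAddress entries; a short comment naming that assumption would help, since a mismatch silently drops every IP SAN rather than failing loudly. extractSubjectAlternateNames starts and ends outside this hunk.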
@@ -499,6 +505,13 @@ StatusWith<std::vector<std::string>> extractSubjectAlternateNames(::CFDictionary
if (!swNameStr.isOK()) {
return swNameStr.getStatus();
}
+ auto swCIDRValue = CIDR::parse(swNameStr.getValue());
+ if (swCIDRValue.isOK()) {
+ swNameStr = swCIDRValue.getValue().toString();
+ if (dnsFlag) {
+ warning() << "You have an IP Address in the DNS Name field on your certificate. We will not allow this in MongoDB version 4.2.";
+ }
+ }
ret.push_back(swNameStr.getValue());
}
return ret;
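Review bot: The deprecation warning logged when CIDR::parse succeeds on a DNS Name entry neither names the offending value nor the certificate, and it fires every time the SAN list is extracted, so an operator cannot tell which certificate to fix; include the value, e.g. `warning() << "SAN DNS Name entry '" << swNameStr.getValue() << "' is an IP address; this will be rejected in MongoDB 4.2.";`. The same wording appears in the ssl_manager_openssl.cpp SAN loop and should be changed there too. Since CIDR::parse presumably accepts a prefix length as well as a bare address, it is worth confirming that the toString() form of a prefixed entry (an address followed by `/N`) cannot match a bare remote address in hostNameMatchForX509Certificates, or rejecting such entries here explicitly.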
@@ -1368,9 +1381,22 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerApple::parseAndValidatePeerCe
}
}
+ bool ipv6 = false;
+ auto remoteHostName = remoteHost;
+
+ if (!remoteHost.empty()) {
+ auto swCIDRRemoteHost = CIDR::parse(remoteHost);
+ if (swCIDRRemoteHost.isOK()) {
+ remoteHostName = swCIDRRemoteHost.getValue().toString();
+ if (remoteHostName.find(':') != std::string::npos) {
+ ipv6 = true;
+ }
+ }
+ }
+
auto result = ::kSecTrustResultInvalid;
uassertOSStatusOK(::SecTrustEvaluate(cftrust.get(), &result), ErrorCodes::SSLHandshakeFailed);
- if ((result != ::kSecTrustResultProceed) && (result != ::kSecTrustResultUnspecified)) {
+ if ((result != ::kSecTrustResultProceed) && (result != ::kSecTrustResultUnspecified) && (!ipv6)) {
return badCert(explainTrustFailure(cftrust.get(), result), _allowInvalidCertificates);
}
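Review bot: The added `&& (!ipv6)` on the SecTrustEvaluate result check means that when remoteHost is an IPv6 literal, a chain the system rejected (untrusted issuer, expired, revoked) is no longer passed to badCert, so certificate chain validation is effectively switched off for IPv6 connections and `_allowInvalidCertificates` is bypassed without any log line; the hostname-policy failure for address literals that this presumably works around is only one part of what SecTrustEvaluate checks. The SAN/CN matching later in this function already covers the hostname part, so the workaround should be narrowed to that: for IP-literal peers evaluate cftrust against an SSL policy created without a hostname (the policy creation is outside this hunk) and keep `if ((result != ::kSecTrustResultProceed) && (result != ::kSecTrustResultUnspecified)) {` unconditional. At minimum, a failed evaluation on the ipv6 path should be logged rather than silently accepted. parseAndValidatePeerCertificate starts and ends outside this hunk.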
@@ -1431,7 +1457,7 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerApple::parseAndValidatePeerCe
if (!sans.empty()) {
certErr << "SAN(s): ";
for (auto& san : sans) {
- if (hostNameMatchForX509Certificates(remoteHost, san)) {
+ if (hostNameMatchForX509Certificates(remoteHostName, san)) {
sanMatch = true;
break;
}
@@ -1442,7 +1468,7 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerApple::parseAndValidatePeerCe
auto swCN = peerSubjectName.getOID(kOID_CommonName);
if (swCN.isOK()) {
auto commonName = std::move(swCN.getValue());
- if (hostNameMatchForX509Certificates(remoteHost, commonName)) {
+ if (hostNameMatchForX509Certificates(remoteHostName, commonName)) {
cnMatch = true;
}
certErr << "CN: " << commonName;
@@ -1453,7 +1479,7 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerApple::parseAndValidatePeerCe
if (!sanMatch && !cnMatch) {
const auto msg = certErr.str();
- if (_allowInvalidCertificates || _allowInvalidHostnames || isUnixDomainSocket(remoteHost)) {
+ if (_allowInvalidCertificates || _allowInvalidHostnames || isUnixDomainSocket(remoteHostName)) {
warning() << msg;
} else {
error() << msg;
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 12d6f46d625..f2b2e759bb8 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -1348,6 +1348,12 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerOpenSSL::parseAndValidatePeer
SSLPeerInfo(peerSubject, std::move(swPeerCertificateRoles.getValue())));
}
+ // This is to standardize the IPAddress format for comparison.
+ auto swCIDRRemoteHost = CIDR::parse(remoteHost);
+ if (swCIDRRemoteHost.isOK()) {
+ remoteHost = swCIDRRemoteHost.getValue().toString();
+ }
+
// Try to match using the Subject Alternate Name, if it exists.
// RFC-2818 requires the Subject Alternate Name to be used if present.
// Otherwise, the most specific Common Name field in the subject field
@@ -1366,12 +1372,27 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerOpenSSL::parseAndValidatePeer
for (int i = 0; i < sanNamesList; i++) {
const GENERAL_NAME* currentName = sk_GENERAL_NAME_value(sanNames, i);
if (currentName && currentName->type == GEN_DNS) {
- char* dnsName = reinterpret_cast<char*>(ASN1_STRING_data(currentName->d.dNSName));
+ std::string dnsName (reinterpret_cast<char*>(ASN1_STRING_data(currentName->d.dNSName)));
+ auto swCIDRDNSName = CIDR::parse(dnsName);
+ if (swCIDRDNSName.isOK()) {
+ dnsName = swCIDRDNSName.getValue().toString();
+ warning() << "You have an IP Address in the DNS Name field on your certificate. We will not allow this in MongoDB version 4.2.";
+ }
if (hostNameMatchForX509Certificates(remoteHost, dnsName)) {
sanMatch = true;
break;
}
certificateNames << std::string(dnsName) << " ";
+ } else if (currentName && currentName -> type == GEN_IPADD) {
+ std::string ipAddress (reinterpret_cast<char*>(ASN1_STRING_data(currentName->d.iPAddress)));
+ auto swCIDRIPAddress = CIDR::parse(ipAddress);
+ if (swCIDRIPAddress.isOK()) {
+ ipAddress = swCIDRIPAddress.getValue().toString();
+ }
+ if (hostNameMatchForX509Certificates(remoteHost, ipAddress)) {
+ sanMatch = true;
+ break;
+ }
}
}
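Review bot: The GEN_IPADD branch builds `ipAddress` from `ASN1_STRING_data(currentName->d.iPAddress)` as a NUL-terminated C string, but an iPAddress general name is an OCTET STRING of raw address bytes (4 for IPv4, 16 for IPv6): for 127.0.0.1 the string stops after the first byte, for ::1 it is empty, and for an address containing no zero byte the read runs past the end of the octet string. CIDR::parse can therefore never succeed on a real IP SAN, so the new matching path does not work and, depending on the certificate, reads out of bounds. The bytes need to be rendered using ASN1_STRING_length before normalization, as below (std::ostringstream needs <sstream> if the file does not already include it; this assumes CIDR::parse accepts uncompressed IPv6 text). The IP branch also never appends to certificateNames, so the error message listing SANs omits IP entries. The enclosing loop and function continue outside the hunk.
```cpp
} else if (currentName && currentName->type == GEN_IPADD) {
    // GEN_IPADD holds the raw address octets (4 for IPv4, 16 for IPv6),
    // not a NUL-terminated string; render them before normalizing.
    const unsigned char* octets = ASN1_STRING_data(currentName->d.iPAddress);
    const int octetLen = ASN1_STRING_length(currentName->d.iPAddress);
    std::ostringstream ipText;
    if (octetLen == 4) {
        ipText << int(octets[0]) << '.' << int(octets[1]) << '.'
               << int(octets[2]) << '.' << int(octets[3]);
    } else if (octetLen == 16) {
        ipText << std::hex;
        for (int j = 0; j < 16; j += 2) {
            ipText << (j ? ":" : "") << ((octets[j] << 8) | octets[j + 1]);
        }
    } else {
        continue;  // malformed entry: neither IPv4 nor IPv6 length
    }
    std::string ipAddress = ipText.str();
    auto swCIDRIPAddress = CIDR::parse(ipAddress);
    // … unchanged: normalization via toString(), hostNameMatchForX509Certificates, sanMatch …
    certificateNames << ipAddress << " ";
}
```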
sk_GENERAL_NAME_pop_free(sanNames, GENERAL_NAME_free);