authorShreyas Kalyan <shreyas.kalyan@10gen.com>2021-03-16 11:02:28 -0700
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2021-03-21 03:03:38 +0000
commit17c516775aa4f5848671340f21545b7dffdc2d74 (patch)
tree34dceeb9b74b39a6550d3ef07186624b72d11186 /jstests/ocsp
parentcb83b3ca319e5054bd960b6f4ac089676a478827 (diff)
downloadmongo-17c516775aa4f5848671340f21545b7dffdc2d74.tar.gz
SERVER-55122 Fix OCSP to allow intermediate certificates in tlsCertificateKeyFile
Diffstat (limited to 'jstests/ocsp')
-rw-r--r--jstests/ocsp/lib/mock_ocsp.js5
-rw-r--r--jstests/ocsp/lib/ocsp_helpers.js13
-rw-r--r--jstests/ocsp/ocsp_basic_ca_responder.js6
-rw-r--r--jstests/ocsp/ocsp_stapling.js7
-rw-r--r--jstests/ocsp/ocsp_unable_to_staple_log.js35
5 files changed, 55 insertions, 11 deletions
diff --git a/jstests/ocsp/lib/mock_ocsp.js b/jstests/ocsp/lib/mock_ocsp.js
index 2827ece5e4c..1896b2943c0 100644
--- a/jstests/ocsp/lib/mock_ocsp.js
+++ b/jstests/ocsp/lib/mock_ocsp.js
@@ -28,8 +28,9 @@ class ResponderCertSet {
const OCSP_DELEGATE_RESPONDER =
new ResponderCertSet(OCSP_CA_PEM, OCSP_RESPONDER_CERT, OCSP_RESPONDER_KEY);
const OCSP_CA_RESPONDER = new ResponderCertSet(OCSP_CA_PEM, OCSP_CA_CERT, OCSP_CA_KEY);
-const OCSP_INTERMEDIATE_RESPONDER = new ResponderCertSet(
- OCSP_INTERMEDIATE_CA_PEM, OCSP_INTERMEDIATE_CA_CERT, OCSP_INTERMEDIATE_CA_KEY);
+const OCSP_INTERMEDIATE_RESPONDER = new ResponderCertSet(OCSP_INTERMEDIATE_CA_WITH_ROOT_PEM,
+ OCSP_INTERMEDIATE_CA_ONLY_CERT,
+ OCSP_INTERMEDIATE_CA_ONLY_KEY);
class MockOCSPServer {
/**
diff --git a/jstests/ocsp/lib/ocsp_helpers.js b/jstests/ocsp/lib/ocsp_helpers.js
index cbb0755a457..09d6d79ad6f 100644
--- a/jstests/ocsp/lib/ocsp_helpers.js
+++ b/jstests/ocsp/lib/ocsp_helpers.js
@@ -13,10 +13,13 @@ const OCSP_SERVER_MUSTSTAPLE_CERT = "jstests/libs/ocsp/server_ocsp_mustStaple.pe
const OCSP_SERVER_CERT_REVOKED = "jstests/libs/ocsp/server_ocsp_revoked.pem";
const OCSP_RESPONDER_CERT = "jstests/libs/ocsp/ocsp_responder.crt";
const OCSP_RESPONDER_KEY = "jstests/libs/ocsp/ocsp_responder.key";
-const OCSP_INTERMEDIATE_CA_PEM = "jstests/libs/ocsp/intermediate_ca_ocsp.pem";
-const OCSP_INTERMEDIATE_CA_CERT = "jstests/libs/ocsp/intermediate_ca_ocsp.crt";
-const OCSP_INTERMEDIATE_CA_KEY = "jstests/libs/ocsp/intermediate_ca_ocsp.key";
-const OCSP_SERVER_INTERMEDIATE_CA_CERT = "jstests/libs/ocsp/server_intermediate_ca_ocsp.pem";
+const OCSP_INTERMEDIATE_CA_WITH_ROOT_PEM = "jstests/libs/ocsp/intermediate_ca_with_root_ocsp.pem";
+const OCSP_INTERMEDIATE_CA_ONLY_CERT = "jstests/libs/ocsp/intermediate_ca_only_ocsp.crt";
+const OCSP_INTERMEDIATE_CA_ONLY_KEY = "jstests/libs/ocsp/intermediate_ca_only_ocsp.key";
+const OCSP_SERVER_SIGNED_BY_INTERMEDIATE_CA_PEM =
+ "jstests/libs/ocsp/server_signed_by_intermediate_ca_ocsp.pem";
+const OCSP_SERVER_AND_INTERMEDIATE_APPENDED_PEM =
+ "jstests/libs/ocsp/server_and_intermediate_ca_appended_ocsp.pem";
var clearOCSPCache = function() {
let provider = determineSSLProvider();
@@ -60,8 +63,8 @@ var supportsStapling = function() {
if (determineSSLProvider() !== "openssl") {
return false;
}
-
if (isUbuntu1804() === true) {
return false;
}
+ return true;
}; \ No newline at end of file
diff --git a/jstests/ocsp/ocsp_basic_ca_responder.js b/jstests/ocsp/ocsp_basic_ca_responder.js
index 5f23aef59d0..e63ca98d499 100644
--- a/jstests/ocsp/ocsp_basic_ca_responder.js
+++ b/jstests/ocsp/ocsp_basic_ca_responder.js
@@ -52,6 +52,8 @@ function test(serverCert, caCert, responderCertPair) {
}
test(OCSP_SERVER_CERT, OCSP_CA_PEM, OCSP_CA_RESPONDER);
-
-test(OCSP_SERVER_INTERMEDIATE_CA_CERT, OCSP_INTERMEDIATE_CA_PEM, OCSP_INTERMEDIATE_RESPONDER);
+test(OCSP_SERVER_SIGNED_BY_INTERMEDIATE_CA_PEM,
+ OCSP_INTERMEDIATE_CA_WITH_ROOT_PEM,
+ OCSP_INTERMEDIATE_RESPONDER);
+test(OCSP_SERVER_AND_INTERMEDIATE_APPENDED_PEM, OCSP_CA_PEM, OCSP_INTERMEDIATE_RESPONDER);
}()); \ No newline at end of file
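Review bot: The new `test(OCSP_SERVER_AND_INTERMEDIATE_APPENDED_PEM, OCSP_CA_PEM, OCSP_INTERMEDIATE_RESPONDER);` call is the case the commit title is about, but nothing in the file says how it differs from the call just above it, where the intermediate is supplied through the CA file instead of the key file. A one-line comment above each call would make the two configurations readable without opening the PEM files, e.g. `// Intermediate CA supplied via the CA file; server cert alone in the key file.` before the first call and `// Intermediate CA appended to the server cert in the key file; CA file holds only the root.` before the second (the exact contents of the appended PEM are inferred from the constant names and should be checked against the fixtures). The same pair of calls is added to ocsp_stapling.js and would take the same comments. The enclosing IIFE and the `test` function body start outside this hunk.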
diff --git a/jstests/ocsp/ocsp_stapling.js b/jstests/ocsp/ocsp_stapling.js
index 69ac0866a02..e2735f758d9 100644
--- a/jstests/ocsp/ocsp_stapling.js
+++ b/jstests/ocsp/ocsp_stapling.js
@@ -1,4 +1,4 @@
-// Check that OCSP verification works
+// Check that OCSP stapling works
// @tags: [requires_http_client, requires_ocsp_stapling]
load("jstests/ocsp/lib/mock_ocsp.js");
@@ -85,5 +85,8 @@ function test(serverCert, caCert, responderCertPair) {
test(OCSP_SERVER_CERT, OCSP_CA_PEM, OCSP_DELEGATE_RESPONDER);
test(OCSP_SERVER_CERT, OCSP_CA_PEM, OCSP_CA_RESPONDER);
-test(OCSP_SERVER_INTERMEDIATE_CA_CERT, OCSP_INTERMEDIATE_CA_PEM, OCSP_INTERMEDIATE_RESPONDER);
+test(OCSP_SERVER_SIGNED_BY_INTERMEDIATE_CA_PEM,
+ OCSP_INTERMEDIATE_CA_WITH_ROOT_PEM,
+ OCSP_INTERMEDIATE_RESPONDER);
+test(OCSP_SERVER_AND_INTERMEDIATE_APPENDED_PEM, OCSP_CA_PEM, OCSP_INTERMEDIATE_RESPONDER);
}());
diff --git a/jstests/ocsp/ocsp_unable_to_staple_log.js b/jstests/ocsp/ocsp_unable_to_staple_log.js
new file mode 100644
index 00000000000..f09d892ae80
--- /dev/null
+++ b/jstests/ocsp/ocsp_unable_to_staple_log.js
@@ -0,0 +1,35 @@
+// Check that log messages for OCSP stapling work
+// @tags: [requires_http_client, requires_ocsp_stapling]
+
+load("jstests/ocsp/lib/mock_ocsp.js");
+
+(function() {
+"use strict";
+
+if (!supportsStapling()) {
+ return;
+}
+
+const logPath = MongoRunner.dataPath + "mongod.log";
+
+const ocsp_options = {
+ logpath: logPath,
+ sslMode: "requireSSL",
+ sslPEMKeyFile: OCSP_SERVER_SIGNED_BY_INTERMEDIATE_CA_PEM,
+ sslCAFile: OCSP_CA_PEM,
+ sslAllowInvalidHostnames: "",
+ waitForConnect: false,
+};
+
+// Because waitForConnect is off, we need to wait for the process to create the
+// mongod logfile, hence the sleep.
+const conn = MongoRunner.runMongod(ocsp_options);
+sleep(5000);
+
+const failedToStapleID = 5512202;
+assert.soon(() => {
+ return cat(logPath).trim().split("\n").some((line) => JSON.parse(line).id === failedToStapleID);
+});
+
+MongoRunner.stopMongod(conn);
+})(); \ No newline at end of file
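Review bot: The fixed `sleep(5000)` before `assert.soon` only papers over two ways the poll can throw instead of retrying: `cat(logPath)` fails until mongod has created the log file, and `JSON.parse(line)` fails on a trailing line that is still being written when the file is read, and `assert.soon` propagates both rather than polling again. Replacing the sleep and the `assert.soon` with `assert.soonNoExcept(() => cat(logPath).trim().split("\n").some((line) => JSON.parse(line).id === failedToStapleID));` keeps polling through both conditions and drops the hard-coded five seconds, which is the part most likely to turn flaky on a slow host. A comment on `const failedToStapleID = 5512202;` saying what the server is expected to report would also help, e.g. `// Log ID emitted when mongod cannot staple an OCSP response; presumably triggered here because the server cert is signed by the intermediate CA, which is absent from the key file — confirm against the server log definition.` Finally, `MongoRunner.stopMongod(conn)` is skipped when the assertion fails, so wrapping the wait in `try { … } finally { MongoRunner.stopMongod(conn); }` avoids leaving the mongod running after a failed run.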