author | Shreyas Kalyan <shreyas.kalyan@10gen.com> | 2021-03-16 11:02:28 -0700 |
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2021-03-21 03:03:38 +0000 |
commit | 17c516775aa4f5848671340f21545b7dffdc2d74 (patch) | |
tree | 34dceeb9b74b39a6550d3ef07186624b72d11186 /jstests/ocsp | |
parent | cb83b3ca319e5054bd960b6f4ac089676a478827 (diff) | |
download | mongo-17c516775aa4f5848671340f21545b7dffdc2d74.tar.gz |
SERVER-55122 Fix OCSP to allow intermediate certificates in tlsCertificateKeyFile
Diffstat (limited to 'jstests/ocsp')
-rw-r--r-- | jstests/ocsp/lib/mock_ocsp.js | 5 | ||||
-rw-r--r-- | jstests/ocsp/lib/ocsp_helpers.js | 13 | ||||
-rw-r--r-- | jstests/ocsp/ocsp_basic_ca_responder.js | 6 | ||||
-rw-r--r-- | jstests/ocsp/ocsp_stapling.js | 7 | ||||
-rw-r--r-- | jstests/ocsp/ocsp_unable_to_staple_log.js | 35 |
5 files changed, 55 insertions, 11 deletions
diff --git a/jstests/ocsp/lib/mock_ocsp.js b/jstests/ocsp/lib/mock_ocsp.js
index 2827ece5e4c..1896b2943c0 100644
--- a/jstests/ocsp/lib/mock_ocsp.js
+++ b/jstests/ocsp/lib/mock_ocsp.js
@@ -28,8 +28,9 @@ class ResponderCertSet {
 const OCSP_DELEGATE_RESPONDER = new ResponderCertSet(OCSP_CA_PEM, OCSP_RESPONDER_CERT, OCSP_RESPONDER_KEY);
 const OCSP_CA_RESPONDER = new ResponderCertSet(OCSP_CA_PEM, OCSP_CA_CERT, OCSP_CA_KEY);
-const OCSP_INTERMEDIATE_RESPONDER = new ResponderCertSet(
-    OCSP_INTERMEDIATE_CA_PEM, OCSP_INTERMEDIATE_CA_CERT, OCSP_INTERMEDIATE_CA_KEY);
+const OCSP_INTERMEDIATE_RESPONDER = new ResponderCertSet(OCSP_INTERMEDIATE_CA_WITH_ROOT_PEM,
+ OCSP_INTERMEDIATE_CA_ONLY_CERT,
+ OCSP_INTERMEDIATE_CA_ONLY_KEY);
 class MockOCSPServer {
 /**
diff --git a/jstests/ocsp/lib/ocsp_helpers.js b/jstests/ocsp/lib/ocsp_helpers.js
index cbb0755a457..09d6d79ad6f 100644
--- a/jstests/ocsp/lib/ocsp_helpers.js
+++ b/jstests/ocsp/lib/ocsp_helpers.js
@@ -13,10 +13,13 @@ const OCSP_SERVER_MUSTSTAPLE_CERT = "jstests/libs/ocsp/server_ocsp_mustStaple.pe
 const OCSP_SERVER_CERT_REVOKED = "jstests/libs/ocsp/server_ocsp_revoked.pem";
 const OCSP_RESPONDER_CERT = "jstests/libs/ocsp/ocsp_responder.crt";
 const OCSP_RESPONDER_KEY = "jstests/libs/ocsp/ocsp_responder.key";
-const OCSP_INTERMEDIATE_CA_PEM = "jstests/libs/ocsp/intermediate_ca_ocsp.pem";
-const OCSP_INTERMEDIATE_CA_CERT = "jstests/libs/ocsp/intermediate_ca_ocsp.crt";
-const OCSP_INTERMEDIATE_CA_KEY = "jstests/libs/ocsp/intermediate_ca_ocsp.key";
-const OCSP_SERVER_INTERMEDIATE_CA_CERT = "jstests/libs/ocsp/server_intermediate_ca_ocsp.pem";
+const OCSP_INTERMEDIATE_CA_WITH_ROOT_PEM = "jstests/libs/ocsp/intermediate_ca_with_root_ocsp.pem";
+const OCSP_INTERMEDIATE_CA_ONLY_CERT = "jstests/libs/ocsp/intermediate_ca_only_ocsp.crt";
+const OCSP_INTERMEDIATE_CA_ONLY_KEY = "jstests/libs/ocsp/intermediate_ca_only_ocsp.key";
+const OCSP_SERVER_SIGNED_BY_INTERMEDIATE_CA_PEM =
+ "jstests/libs/ocsp/server_signed_by_intermediate_ca_ocsp.pem";
+const OCSP_SERVER_AND_INTERMEDIATE_APPENDED_PEM =
+ "jstests/libs/ocsp/server_and_intermediate_ca_appended_ocsp.pem";
 var clearOCSPCache = function() {
 let provider = determineSSLProvider();
@@ -60,8 +63,8 @@ var supportsStapling = function() { if (determineSSLProvider() !== "openssl") { return false; } - if (isUbuntu1804() === true) { return false; } + return true; };
\ No newline at end of file
diff --git a/jstests/ocsp/ocsp_basic_ca_responder.js b/jstests/ocsp/ocsp_basic_ca_responder.js
index 5f23aef59d0..e63ca98d499 100644
--- a/jstests/ocsp/ocsp_basic_ca_responder.js
+++ b/jstests/ocsp/ocsp_basic_ca_responder.js
@@ -52,6 +52,8 @@ function test(serverCert, caCert, responderCertPair) {
 }
 test(OCSP_SERVER_CERT, OCSP_CA_PEM, OCSP_CA_RESPONDER);
-
-test(OCSP_SERVER_INTERMEDIATE_CA_CERT, OCSP_INTERMEDIATE_CA_PEM, OCSP_INTERMEDIATE_RESPONDER);
+test(OCSP_SERVER_SIGNED_BY_INTERMEDIATE_CA_PEM,
+ OCSP_INTERMEDIATE_CA_WITH_ROOT_PEM,
+ OCSP_INTERMEDIATE_RESPONDER);
+test(OCSP_SERVER_AND_INTERMEDIATE_APPENDED_PEM, OCSP_CA_PEM, OCSP_INTERMEDIATE_RESPONDER);
 }());
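Review bot: The third `test(...)` call is the regression case the commit title describes (a server PEM with the intermediate CA appended, verified against `OCSP_CA_PEM` alone), but nothing in the file says why it differs from the call directly above it, which passes the intermediate in the CA file instead. A one-line comment above it would make the intent survive the next refactor, e.g. `// SERVER-55122: the intermediate CA is carried in the server's PEM file, not in the CA file.` The same applies to the matching hunk in jstests/ocsp/ocsp_stapling.js. The body of `test` lies outside the hunk.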
\ No newline at end of file
diff --git a/jstests/ocsp/ocsp_stapling.js b/jstests/ocsp/ocsp_stapling.js
index 69ac0866a02..e2735f758d9 100644
--- a/jstests/ocsp/ocsp_stapling.js
+++ b/jstests/ocsp/ocsp_stapling.js
@@ -1,4 +1,4 @@
-// Check that OCSP verification works
+// Check that OCSP stapling works
 // @tags: [requires_http_client, requires_ocsp_stapling]
 load("jstests/ocsp/lib/mock_ocsp.js");
@@ -85,5 +85,8 @@ function test(serverCert, caCert, responderCertPair) {
 test(OCSP_SERVER_CERT, OCSP_CA_PEM, OCSP_DELEGATE_RESPONDER);
 test(OCSP_SERVER_CERT, OCSP_CA_PEM, OCSP_CA_RESPONDER);
-test(OCSP_SERVER_INTERMEDIATE_CA_CERT, OCSP_INTERMEDIATE_CA_PEM, OCSP_INTERMEDIATE_RESPONDER);
+test(OCSP_SERVER_SIGNED_BY_INTERMEDIATE_CA_PEM,
+ OCSP_INTERMEDIATE_CA_WITH_ROOT_PEM,
+ OCSP_INTERMEDIATE_RESPONDER);
+test(OCSP_SERVER_AND_INTERMEDIATE_APPENDED_PEM, OCSP_CA_PEM, OCSP_INTERMEDIATE_RESPONDER);
 }());
diff --git a/jstests/ocsp/ocsp_unable_to_staple_log.js b/jstests/ocsp/ocsp_unable_to_staple_log.js
new file mode 100644
index 00000000000..f09d892ae80
--- /dev/null
+++ b/jstests/ocsp/ocsp_unable_to_staple_log.js
@@ -0,0 +1,35 @@
+// Check that log messages for OCSP stapling work
+// @tags: [requires_http_client, requires_ocsp_stapling]
+
+load("jstests/ocsp/lib/mock_ocsp.js");
+
+(function() {
+"use strict";
+
+if (!supportsStapling()) {
+ return;
+}
+
+const logPath = MongoRunner.dataPath + "mongod.log";
+
+const ocsp_options = {
+ logpath: logPath,
+ sslMode: "requireSSL",
+ sslPEMKeyFile: OCSP_SERVER_SIGNED_BY_INTERMEDIATE_CA_PEM,
+ sslCAFile: OCSP_CA_PEM,
+ sslAllowInvalidHostnames: "",
+ waitForConnect: false,
+};
+
+// Because waitForConnect is off, we need to wait for the process to create the
+// mongod logfile, hence the sleep.
+const conn = MongoRunner.runMongod(ocsp_options);
+sleep(5000);
+
+const failedToStapleID = 5512202;
+assert.soon(() => {
+ return cat(logPath).trim().split("\n").some((line) => JSON.parse(line).id === failedToStapleID);
+});
+
+MongoRunner.stopMongod(conn);
+})();
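Review bot: `JSON.parse(line)` inside the `assert.soon` predicate throws on a partially written last line of the log, which is likely here because mongod is still starting when the file is read (`waitForConnect: false`), and as far as I can tell `assert.soon` does not catch exceptions thrown by its predicate, so the test fails outright instead of retrying. Using `assert.soonNoExcept(() => { ... })` with the same body makes the poll tolerate both the half-written line and a not-yet-created log file, which also removes the need for the fixed `sleep(5000)` and the comment explaining it. The test would then wait on the actual condition rather than on a timer, which is both faster and less flaky on slow hosts. The log id `5512202` is a bare magic number; a trailing comment naming the log message it corresponds to would help the next reader.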
\ No newline at end of file |