authorShreyas Kalyan <shreyas.kalyan@10gen.com>2020-03-30 16:52:20 -0700
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2020-04-03 16:43:35 +0000
commit65d93bcbc3acf6782fce539c3629d2112ec1df1f (patch)
tree02428fdd1845e24fe47206512108b68d0f2edc55 /jstests/ocsp
parent129b8993b6575231509980f29587d3214d56e8e1 (diff)
SERVER-47051 Investigate OCSP failures on 4.3.4 and on 4.5.0
Diffstat (limited to 'jstests/ocsp')
-rw-r--r--jstests/ocsp/lib/mock_ocsp.js15
-rw-r--r--jstests/ocsp/lib/ocsp_helpers.js6
-rw-r--r--jstests/ocsp/ocsp_basic.js2
-rw-r--r--jstests/ocsp/ocsp_basic_ca_responder.js52
-rw-r--r--jstests/ocsp/ocsp_connection_type_testing.js2
-rw-r--r--jstests/ocsp/ocsp_must_staple.js2
-rw-r--r--jstests/ocsp/ocsp_server_refresh.js2
-rw-r--r--jstests/ocsp/ocsp_stapling.js129
8 files changed, 138 insertions, 72 deletions
diff --git a/jstests/ocsp/lib/mock_ocsp.js b/jstests/ocsp/lib/mock_ocsp.js
index 1cff413b531..1d8691bd26e 100644
--- a/jstests/ocsp/lib/mock_ocsp.js
+++ b/jstests/ocsp/lib/mock_ocsp.js
@@ -17,8 +17,9 @@ class MockOCSPServer {
*
* @param {string} fault_type
* @param {number} next_update_secs
+ * @param {boolean} responder_is_ca
*/
- constructor(fault_type, next_update_secs) {
+ constructor(fault_type, next_update_secs, responder_is_ca = false) {
this.python = "python3";
this.fault_type = fault_type;
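Review bot: The new `* @param {boolean} responder_is_ca` line says nothing about what the flag does, and since it decides which private key the mock uses to sign OCSP responses a reader of the constructor signature should not have to open the next hunk to find out. Proposed text: `* @param {boolean} responder_is_ca - when true, sign responses with the CA's own certificate and key (OCSP_CA_CERT/OCSP_CA_KEY) instead of the delegated responder certificate; defaults to false`. The two existing @param lines are equally bare, so this would be the first described parameter, which seems acceptable given the security relevance. The constructor body continues in the next hunk.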
@@ -26,10 +27,16 @@ class MockOCSPServer {
this.python = "python.exe";
}
+ if (responder_is_ca) {
+ this.ocsp_cert_file = OCSP_CA_CERT;
+ this.ocsp_cert_key = OCSP_CA_KEY;
+ } else {
+ this.ocsp_cert_file = OCSP_RESPONDER_CERT;
+ this.ocsp_cert_key = OCSP_RESPONDER_KEY;
+ }
+
print("Using python interpreter: " + this.python);
- this.ca_file = OCSP_CA_CERT;
- this.ocsp_cert_file = OCSP_RESPONDER_CERT;
- this.ocsp_cert_key = OCSP_RESPONDER_KEY;
+ this.ca_file = OCSP_CA_PEM;
// The port must be hard coded to match the port of the
// responder in the certificates.
this.port = 8100;
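Review bot: The credential selection in the new `if (responder_is_ca)` block and the `this.ca_file = OCSP_CA_PEM;` assignment are now separated by the `print("Using python interpreter: ...")` call, so the three fields that together define the responder's identity no longer read as one unit; moving the `ca_file` line up beside the branch keeps them together. A why-comment would also help a reader who does not know OCSP, e.g. `// RFC 6960 allows responses to be signed either by the issuing CA itself or by a delegated responder certificate; responder_is_ca selects which one the mock imitates.` Presumably `ca_ocsp.crt`/`ca_ocsp.key` are the issuing CA's own certificate and key rather than a separate signer, which is worth confirming in jstests/libs/ocsp since the test only proves anything if that holds. The constructor continues past the end of the hunk.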
diff --git a/jstests/ocsp/lib/ocsp_helpers.js b/jstests/ocsp/lib/ocsp_helpers.js
index b5aa320518f..9855c9405ad 100644
--- a/jstests/ocsp/lib/ocsp_helpers.js
+++ b/jstests/ocsp/lib/ocsp_helpers.js
@@ -4,7 +4,9 @@
load("jstests/ssl/libs/ssl_helpers.js");
-const OCSP_CA_CERT = "jstests/libs/ocsp/ca_ocsp.pem";
+const OCSP_CA_PEM = "jstests/libs/ocsp/ca_ocsp.pem";
+const OCSP_CA_CERT = "jstests/libs/ocsp/ca_ocsp.crt";
+const OCSP_CA_KEY = "jstests/libs/ocsp/ca_ocsp.key";
const OCSP_SERVER_CERT = "jstests/libs/ocsp/server_ocsp.pem";
const OCSP_CLIENT_CERT = "jstests/libs/ocsp/client_ocsp.pem";
const OCSP_SERVER_MUSTSTAPLE_CERT = "jstests/libs/ocsp/server_ocsp_mustStaple.pem";
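Review bot: Reusing the existing name `OCSP_CA_CERT` for a different file (`ca_ocsp.crt`) while moving its old meaning to `OCSP_CA_PEM` means any test outside this commit that still passes `OCSP_CA_CERT` as `sslCAFile` or `--tlsCAFile` silently switches trust-anchor file instead of failing; the diffstat lists only the files touched here, so whether such callers remain cannot be confirmed from this page. A fresh name for the new file, e.g. `const OCSP_CA_CRT = "jstests/libs/ocsp/ca_ocsp.crt";`, would turn any missed caller into a ReferenceError rather than a quiet behaviour change, or at least grep jstests for remaining `OCSP_CA_CERT` uses before merge. A one-line comment on each constant stating what the file contains (certificate only, key only, or bundle) would also remove the guesswork from the .pem/.crt/.key split.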
@@ -37,7 +39,7 @@ var waitForServer = function(conn) {
host,
'--tls',
'--tlsCAFile',
- OCSP_CA_CERT,
+ OCSP_CA_PEM,
'--tlsCertificateKeyFile',
OCSP_CLIENT_CERT,
'--tlsAllowInvalidCertificates',
diff --git a/jstests/ocsp/ocsp_basic.js b/jstests/ocsp/ocsp_basic.js
index eb784793681..c8a635dace9 100644
--- a/jstests/ocsp/ocsp_basic.js
+++ b/jstests/ocsp/ocsp_basic.js
@@ -9,7 +9,7 @@ load("jstests/ocsp/lib/mock_ocsp.js");
var ocsp_options = {
sslMode: "requireSSL",
sslPEMKeyFile: OCSP_SERVER_CERT,
- sslCAFile: OCSP_CA_CERT,
+ sslCAFile: OCSP_CA_PEM,
sslAllowInvalidHostnames: "",
setParameter: {
"failpoint.disableStapling": "{'mode':'alwaysOn'}",
diff --git a/jstests/ocsp/ocsp_basic_ca_responder.js b/jstests/ocsp/ocsp_basic_ca_responder.js
new file mode 100644
index 00000000000..0a13d0acad7
--- /dev/null
+++ b/jstests/ocsp/ocsp_basic_ca_responder.js
@@ -0,0 +1,52 @@
+// Check that OCSP verification works
+// @tags: [requires_http_client]
+
+load("jstests/ocsp/lib/mock_ocsp.js");
+
+(function() {
+"use strict";
+
+if (determineSSLProvider() === "apple") {
+ return;
+}
+
+clearOCSPCache();
+
+const ocsp_options = {
+ sslMode: "requireSSL",
+ sslPEMKeyFile: OCSP_SERVER_CERT,
+ sslCAFile: OCSP_CA_PEM,
+ sslAllowInvalidHostnames: "",
+ setParameter: {
+ "failpoint.disableStapling": "{'mode':'alwaysOn'}",
+ "ocspEnabled": "true",
+ },
+};
+
+// This is to test what happens when the responder is down,
+// making sure that we soft fail.
+let conn = null;
+
+let mock_ocsp = new MockOCSPServer("", 1, true);
+mock_ocsp.start();
+
+assert.doesNotThrow(() => {
+ conn = MongoRunner.runMongod(ocsp_options);
+});
+
+mock_ocsp.stop();
+mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 1, true);
+mock_ocsp.start();
+
+assert.throws(() => {
+ new Mongo(conn.host);
+});
+
+MongoRunner.stopMongod(conn);
+
+// The mongoRunner spawns a new Mongo Object to validate the collections which races
+// with the shutdown logic of the mock_ocsp responder on some platforms. We need this
+// sleep to make sure that the threads don't interfere with each other.
+sleep(1000);
+mock_ocsp.stop();
+}());
\ No newline at end of file
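Review bot: The comment `// This is to test what happens when the responder is down,` / `// making sure that we soft fail.` was carried over from ocsp_stapling.js and does not describe this file: the mock responder is started on the very next lines, before `MongoRunner.runMongod` is called, so the responder-down path is never exercised here. Replace it with what the test actually checks, e.g. `// The mock responder signs with the CA key itself (responder_is_ca = true): a good status must let the shell connect, and a revoked status must be rejected.` The header `// Check that OCSP verification works` could likewise read `// Check that OCSP verification works when the CA itself signs the responses` to distinguish it from ocsp_basic.js. The good-status case appears to be asserted only through the implicit connection made by `MongoRunner.runMongod`; an explicit `assert.doesNotThrow(() => new Mongo(conn.host));` before the responder is switched to FAULT_REVOKED would make that check visible and keep the file parallel to the revoked assertion that follows.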
diff --git a/jstests/ocsp/ocsp_connection_type_testing.js b/jstests/ocsp/ocsp_connection_type_testing.js
index b4f7ccae42b..062b25094c8 100644
--- a/jstests/ocsp/ocsp_connection_type_testing.js
+++ b/jstests/ocsp/ocsp_connection_type_testing.js
@@ -24,7 +24,7 @@ MongoRunner.runHangAnalyzer.disable();
const ocsp_options = {
sslMode: "requireSSL",
sslPEMKeyFile: OCSP_SERVER_CERT,
- sslCAFile: OCSP_CA_CERT,
+ sslCAFile: OCSP_CA_PEM,
sslAllowInvalidHostnames: "",
setParameter: {
"ocspEnabled": "true",
diff --git a/jstests/ocsp/ocsp_must_staple.js b/jstests/ocsp/ocsp_must_staple.js
index 229572ec2d1..1cef7d23e3e 100644
--- a/jstests/ocsp/ocsp_must_staple.js
+++ b/jstests/ocsp/ocsp_must_staple.js
@@ -20,7 +20,7 @@ mock_ocsp.start();
let ocsp_options = {
sslMode: "requireSSL",
sslPEMKeyFile: OCSP_SERVER_MUSTSTAPLE_CERT,
- sslCAFile: OCSP_CA_CERT,
+ sslCAFile: OCSP_CA_PEM,
sslAllowInvalidHostnames: "",
setParameter: {
"ocspEnabled": "true",
diff --git a/jstests/ocsp/ocsp_server_refresh.js b/jstests/ocsp/ocsp_server_refresh.js
index b3fa01c959a..699f6e397f2 100644
--- a/jstests/ocsp/ocsp_server_refresh.js
+++ b/jstests/ocsp/ocsp_server_refresh.js
@@ -20,7 +20,7 @@ mock_ocsp.start();
const ocsp_options = {
sslMode: "requireSSL",
sslPEMKeyFile: OCSP_SERVER_CERT,
- sslCAFile: OCSP_CA_CERT,
+ sslCAFile: OCSP_CA_PEM,
sslAllowInvalidHostnames: "",
setParameter: {
"ocspEnabled": "true",
diff --git a/jstests/ocsp/ocsp_stapling.js b/jstests/ocsp/ocsp_stapling.js
index 707c90f05f0..02671770fb6 100644
--- a/jstests/ocsp/ocsp_stapling.js
+++ b/jstests/ocsp/ocsp_stapling.js
@@ -6,7 +6,7 @@ load("jstests/ocsp/lib/mock_ocsp.js");
(function() {
"use strict";
-if (determineSSLProvider() != "openssl") {
+if (determineSSLProvider() !== "openssl") {
return;
}
@@ -14,73 +14,78 @@ if (!supportsStapling()) {
return;
}
-const ocsp_options = {
- sslMode: "requireSSL",
- sslPEMKeyFile: OCSP_SERVER_CERT,
- sslCAFile: OCSP_CA_CERT,
- sslAllowInvalidHostnames: "",
- setParameter: {
- "ocspEnabled": "true",
- },
-};
-
-// This is to test what happens when the responder is down,
-// making sure that we soft fail.
-let conn = null;
-
-assert.doesNotThrow(() => {
- conn = MongoRunner.runMongod(ocsp_options);
-});
-
-MongoRunner.stopMongod(conn);
-
-let mock_ocsp = new MockOCSPServer("", 1000);
-mock_ocsp.start();
-
-// In this scenario, the Mongod has the ocsp response stapled
-// which should allow the connection to proceed. Even when the
-// responder says that the certificate is revoked, the mongod
-// should still have the old response stashed and doesn't have
-// to refresh the response, so the shell should connect.
-assert.doesNotThrow(() => {
+var test = function(responderCA) {
+ const ocsp_options = {
+ sslMode: "requireSSL",
+ sslPEMKeyFile: OCSP_SERVER_CERT,
+ sslCAFile: OCSP_CA_PEM,
+ sslAllowInvalidHostnames: "",
+ setParameter: {
+ "ocspEnabled": "true",
+ },
+ };
+
+ // This is to test what happens when the responder is down,
+ // making sure that we soft fail.
+ let conn = null;
+
+ assert.doesNotThrow(() => {
+ conn = MongoRunner.runMongod(ocsp_options);
+ });
+
+ MongoRunner.stopMongod(conn);
+
+ let mock_ocsp = new MockOCSPServer("", 1000, responderCA);
+ mock_ocsp.start();
+
+ // In this scenario, the Mongod has the ocsp response stapled
+ // which should allow the connection to proceed. Even when the
+ // responder says that the certificate is revoked, the mongod
+ // should still have the old response stashed and doesn't have
+ // to refresh the response, so the shell should connect.
+ assert.doesNotThrow(() => {
+ conn = MongoRunner.runMongod(ocsp_options);
+ });
+ mock_ocsp.stop();
+
+ mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 1000, responderCA);
+ mock_ocsp.start();
+ assert.doesNotThrow(() => {
+ new Mongo(conn.host);
+ });
+
+ MongoRunner.stopMongod(conn);
+
+ // This is the same scenario as above, except that the mongod has
+ // the status saying that the certificate is revoked. If we have a shell
+ // waiting to connect, it will fail because the certificate status of
+ // the mongod's cert is revoked.
+ Object.extend(ocsp_options, {waitForConnect: false});
conn = MongoRunner.runMongod(ocsp_options);
-});
-mock_ocsp.stop();
-
-mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 1000);
-mock_ocsp.start();
-assert.doesNotThrow(() => {
- new Mongo(conn.host);
-});
-MongoRunner.stopMongod(conn);
+ waitForServer(conn);
-// This is the same scenario as above, except that the mongod has
-// the status saying that the certificate is revoked. If we have a shell
-// waiting to connect, it will fail because the certificate status of
-// the mongod's cert is revoked.
-Object.extend(ocsp_options, {waitForConnect: false});
-conn = MongoRunner.runMongod(ocsp_options);
+ assert.throws(() => {
+ new Mongo(conn.host);
+ });
+ mock_ocsp.stop();
-waitForServer(conn);
+ mock_ocsp = new MockOCSPServer("", 1000, responderCA);
+ mock_ocsp.start();
-assert.throws(() => {
- new Mongo(conn.host);
-});
-mock_ocsp.stop();
+ assert.throws(() => {
+ new Mongo(conn.host);
+ });
-mock_ocsp = new MockOCSPServer("", 1000);
-mock_ocsp.start();
+ MongoRunner.stopMongod(conn);
-assert.throws(() => {
- new Mongo(conn.host);
-});
-
-MongoRunner.stopMongod(conn);
+ // The mongoRunner spawns a new Mongo Object to validate the collections which races
+ // with the shutdown logic of the mock_ocsp responder on some platforms. We need this
+ // sleep to make sure that the threads don't interfere with each other.
+ sleep(1000);
+ mock_ocsp.stop();
+};
-// The mongoRunner spawns a new Mongo Object to validate the collections which races
-// with the shutdown logic of the mock_ocsp responder on some platforms. We need this
-// sleep to make sure that the threads don't interfere with each other.
-sleep(1000);
-mock_ocsp.stop();
+test(false);
+test(true);
}());
\ No newline at end of file
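Review bot: `var test = function(responderCA) {` is the only `var` declaration in this strict-mode IIFE while the rest of the change uses `const`/`let`; a plain declaration `function test(responderCA) {` (or `const test = (responderCA) => {`) matches the surrounding style and gives the function a name in stack traces. The scenario comments were kept verbatim, but the new parameter's effect is stated nowhere in the file; a line above the function such as `// responderCA: when true the mock signs responses with the CA key instead of the delegated responder certificate` would tell a reader why the file ends with `test(false);` and `test(true);`. The last scenario, which starts a good responder and still expects `new Mongo(conn.host)` to throw, relies on the 1000-second next_update keeping the revoked stapled response cached in mongod; that is implied by the earlier comment but worth restating at that point so the assertion is not mistaken for a bug.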