authorMark Benvenuto <mark.benvenuto@mongodb.com>2018-04-17 12:07:46 -0400
committerMark Benvenuto <mark.benvenuto@mongodb.com>2018-04-17 12:07:46 -0400
commitaa0995f8cd3a2f42346439296d1e103be5926a4b (patch)
tree36c3d2eb13ee3b21a4276cec3f3ffcef450e4cb3 /jstests/ssl
parentfcf41ce8ddf70894ed6803420e94a1685cc60903 (diff)
downloadmongo-aa0995f8cd3a2f42346439296d1e103be5926a4b.tar.gz
SERVER-34413 Converting Certificate Subject Names to strings need to obey RFC 2253
Diffstat (limited to 'jstests/ssl')
-rw-r--r--jstests/ssl/libs/ssl_x509_role_auth_escape.js13
-rw-r--r--jstests/ssl/libs/ssl_x509_role_auth_utf8.js12
-rw-r--r--jstests/ssl/ssl_x509_roles.js57
3 files changed, 70 insertions, 12 deletions
diff --git a/jstests/ssl/libs/ssl_x509_role_auth_escape.js b/jstests/ssl/libs/ssl_x509_role_auth_escape.js
new file mode 100644
index 00000000000..a9a0595667c
--- /dev/null
+++ b/jstests/ssl/libs/ssl_x509_role_auth_escape.js
@@ -0,0 +1,13 @@
+// Helper script used to validate login as x509 auth with a certificate with roles works.
+(function() {
+ "use strict";
+
+ // Auth as user in certificate with a subject name with lots of RFC 2253 escaping
+ // Ex: CN=Test,OU=Escape,O=\;\ ,L=\ \>,ST=\"\\\<,C=\,\+
+ // It validates leading space, and the 7 magic characters
+ const ret = db.getSiblingDB("$external").auth({
+ mechanism: "MONGODB-X509",
+ user: "CN=Test,OU=Escape,O=\\;\\ ,L=\\ \\>,ST=\\\"\\\\\\<,C=\\,\\+"
+ });
+ assert.eq(ret, 1, "Auth failed");
+}());
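Review bot: The assertion message `"Auth failed"` on the last line is identical to the one in ssl_x509_role_auth_utf8.js, and the three `"Connection attempt failed"` messages in ssl_x509_roles.js are identical too, so a failing run does not say which subject-name form broke; `assert.eq(ret, 1, "X509 auth with RFC 2253 escaped subject failed");` would make it attributable. The header comment is copied from the roles helper and says nothing about escaping, and the inline comment mentions the leading space but not the escaped trailing space in `O=\;\ `, which the string also exercises. A leading `#`, which RFC 2253 also requires to be escaped, does not appear in this subject, so that case looks untested here.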
diff --git a/jstests/ssl/libs/ssl_x509_role_auth_utf8.js b/jstests/ssl/libs/ssl_x509_role_auth_utf8.js
new file mode 100644
index 00000000000..f94db33d27f
--- /dev/null
+++ b/jstests/ssl/libs/ssl_x509_role_auth_utf8.js
@@ -0,0 +1,12 @@
+// Helper script used to validate login as x509 auth with a certificate with roles works.
+(function() {
+ "use strict";
+
+ // Authenticate against a certificate with a RDN in the subject name of type UTF8STRING
+ const retutf8 = db.getSiblingDB("$external").auth({
+ mechanism: "MONGODB-X509",
+ user:
+ "C=US,ST=New York,L=New York City,O=MongoDB,OU=Kernel Users,CN=\\D0\\9A\\D0\\B0\\D0\\BB\\D0\\BE\\D1\\8F\\D0\\BD"
+ });
+ assert.eq(retutf8, 1, "Auth failed");
+}());
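Review bot: The `user` string gives the CN as `\D0\9A…\D0\BD` with no comment saying what it is, so a reader has to decode the bytes to see that it is a Cyrillic name in UTF-8 written as RFC 2253 hex pairs. A comment above the object literal such as `// CN is "Калоян" as UTF-8 bytes, each written as an RFC 2253 \XX hex pair` would document the string form the server is expected to produce. Because the MONGODB-X509 user name is the identity being matched, it would also help to state whether the unescaped UTF-8 spelling is expected to be rejected; this hunk only tests the escaped form.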
diff --git a/jstests/ssl/ssl_x509_roles.js b/jstests/ssl/ssl_x509_roles.js
index 9217f9863ba..6bde3f57fae 100644
--- a/jstests/ssl/ssl_x509_roles.js
+++ b/jstests/ssl/ssl_x509_roles.js
@@ -1,32 +1,65 @@
// Test that a client can authenicate against the server with roles.
+// Also validates RFC2253
(function() {
"use strict";
const SERVER_CERT = "jstests/libs/server.pem";
const CA_CERT = "jstests/libs/ca.pem";
const CLIENT_CERT = "jstests/libs/client_roles.pem";
+ const CLIENT_ESCAPE_CERT = "jstests/libs/client_escape.pem";
+ const CLIENT_UTF8_CERT = "jstests/libs/client_utf8.pem";
const CLIENT_USER =
"C=US,ST=New York,L=New York City,O=MongoDB,OU=Kernel Users,CN=Kernel Client Peer Role";
function authAndTest(port) {
- let mongo = runMongoProgram("mongo",
- "--host",
- "localhost",
- "--port",
- port,
- "--ssl",
- "--sslCAFile",
- CA_CERT,
- "--sslPEMKeyFile",
- CLIENT_CERT,
- "jstests/ssl/libs/ssl_x509_role_auth.js");
+ const mongo = runMongoProgram("mongo",
+ "--host",
+ "localhost",
+ "--port",
+ port,
+ "--ssl",
+ "--sslCAFile",
+ CA_CERT,
+ "--sslPEMKeyFile",
+ CLIENT_CERT,
+ "jstests/ssl/libs/ssl_x509_role_auth.js");
// runMongoProgram returns 0 on success
assert.eq(0, mongo, "Connection attempt failed");
+
+ const escaped = runMongoProgram("mongo",
+ "--host",
+ "localhost",
+ "--port",
+ port,
+ "--ssl",
+ "--sslCAFile",
+ CA_CERT,
+ "--sslPEMKeyFile",
+ CLIENT_ESCAPE_CERT,
+ "jstests/ssl/libs/ssl_x509_role_auth_escape.js");
+
+ // runMongoProgram returns 0 on success
+ assert.eq(0, escaped, "Connection attempt failed");
+
+ const utf8 = runMongoProgram("mongo",
+ "--host",
+ "localhost",
+ "--port",
+ port,
+ "--ssl",
+ "--sslCAFile",
+ CA_CERT,
+ "--sslPEMKeyFile",
+ CLIENT_UTF8_CERT,
+ "jstests/ssl/libs/ssl_x509_role_auth_utf8.js");
+
+ // runMongoProgram returns 0 on success
+ assert.eq(0, utf8, "Connection attempt failed");
}
- let x509_options = {sslMode: "requireSSL", sslPEMKeyFile: SERVER_CERT, sslCAFile: CA_CERT};
+ const x509_options = {sslMode: "requireSSL", sslPEMKeyFile: SERVER_CERT, sslCAFile: CA_CERT};
print("1. Testing x.509 auth to mongod");
{