author | Gabriel Marks <gabriel.marks@mongodb.com> | 2022-01-25 18:07:53 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2022-02-03 22:38:30 +0000 |
commit | 58a819a56aadb91e7cd62b8c2e2e493ce85fc0e1 (patch) | |
tree | b728f0b50a4de4242dbbc7ae14ae6af0f163ef88 /jstests/ssl | |
parent | d4baf64a2da1a785d428888f3ce047367ccc2a7a (diff) | |
download | mongo-58a819a56aadb91e7cd62b8c2e2e493ce85fc0e1.tar.gz |
SERVER-56346 Change certificate definitions to match OSX requirements
Diffstat (limited to 'jstests/ssl')
19 files changed, 310 insertions, 168 deletions
diff --git a/jstests/ssl/libs/localhost-cn-with-san.pem b/jstests/ssl/libs/localhost-cn-with-san.pem index 556ffb85b0a..d91b1ae5069 100644 --- a/jstests/ssl/libs/localhost-cn-with-san.pem +++ b/jstests/ssl/libs/localhost-cn-with-san.pem 
@@ -3,51 +3,52 @@ # # Localhost based certificate using non-matching subject alternate name. -----BEGIN CERTIFICATE----- -MIIDdjCCAl4CBA3WteIwDQYJKoZIhvcNAQELBQAwdDELMAkGA1UEBhMCVVMxETAP -BgNVBAgMCE5ldyBZb3JrMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5MRAwDgYDVQQK -DAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxFzAVBgNVBAMMDktlcm5lbCBUZXN0 -IENBMB4XDTE5MDkyNTIzMjc0MFoXDTM5MDkyNzIzMjc0MFowbzELMAkGA1UEBhMC -VVMxETAPBgNVBAgMCE5ldyBZb3JrMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5MRAw -DgYDVQQKDAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxEjAQBgNVBAMMCWxvY2Fs -aG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMn0WG6/vxv4bmh+ -lv1axKQM/fIiRavdIFqJOYw84Km+fahcUTgFY2oOEAxQ+y8nN/2rpXrZYlL5etqs -iv/1m0EZDFl+SCOvxULrmyd2GhFJeaJu+O714e1lxpBPDT2LWKCa3g4qK+krKWMU -glaAGJKrYmyfhKdMUN0XN/ISxIuwzZCbSQ6/N70cU4CFZyzmxixSyW7xZR+wsIgg -pX1BrMbsGLcGoVknWt2yrp/qFKRrBda/b3k+gs6zSvpJvt1dTNuGG4drPF+pfvA5 -4NPelXvccdmz86Fg7YULE/hCbrDfzngkMgqD3Em9sXarlA7GO+tCxp2uyV52FBq3 -dLe9Jq0CAwEAAaMaMBgwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wDQYJKoZIhvcN -AQELBQADggEBAIpIUe0R7nHDGxABrK9nAIVF2etluEZZz18RnaPn5cLzjwbhbDQy -gKTHt7nv2xWDlRqPv4GwcsyqpK9Sr4tjFgwBVzGlNEUSh8cLFmWOVz+9yZnk/mGm -Y35jqFM1VgnWGU+NuC71IEfUJsNV1intMECHY0IaglmjDAZCJ2nWDfNT+qrS7zpJ -+c/El6XYx9Wx9BoWlEY+4Z/ipabXzivDwKw4G1UoQvVmmU6NywVhQmSudiySBSce -JEPIa+RCCq+ahtSWilpDXqpKvieY0M2go46MHgUgUfOMnsUTlTgFjgRVMqkXnccI -alfeM9ukvz0JXRYERI8GCTVG+35vSw13MGs= +MIIDkDCCAnigAwIBAgIEV9X0HjANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV +UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO +BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs +IFRlc3QgQ0EwHhcNMjIwMTI3MjE1OTQ0WhcNMjQwNDMwMjE1OTQ0WjBvMQswCQYD +VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp +dHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDESMBAGA1UEAwwJ +bG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5uaoVP0l +xsKbPIr8qNsd7OQ2Vks2WzaPiwiyQ7uRd8+kRymJE/F+nKAgZvUFebjT70FJs/kI +D1dQqcAn3OxOZFSCv62i0Owp7oLrQ3fiQR2xwuQVFa2D8hV9z8vLc7CZyiKdi4EU 
+EZOv8N1K8KxThV7E12YI5OVXQl+oniXwbDf4Dkiex7go4mgIqv9SBDjBLvWheCkP +WTSGULtsL8Dg42neqR7Uh/4Iawm7ka0czwluM0GrLjDAirdw6OOBYNuc3Be1XhjK +/5zY6JOt6yeHce2jjte7YzLoCBv0hm1sVyIkocrxPi6kvC8crw+RGI0m9ijZIq0K +N90aMGwVq32jkwIDAQABoy8wLTATBgNVHSUEDDAKBggrBgEFBQcDATAWBgNVHREE +DzANggtleGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAKroMjfypcbZ5Nq6x +chBMOgVZRMtleqosP51zBk8KTkLSyfQCYbwM+lq+Us4Y5zzLHjHUmQltJi5Yn4l6 +Voe33UEAi5xA0SEPGBvG2uzGzeY6ShQl+BhfUxgMWxaitm8/Hr0wnpm8AqOglskb +9GozqQHfWISwY+9JDxR7aLaFofgRhR2iZEqbELkz+1KwOoUtHm8HMvS+k6tZziTE +fO6Ergg8iCVixvtV0EOKUMqmiUSXH0ZT6uOw/z1XFloJSolg95g07z5LgCRMe+zT +zwNOmnHdJwJTDYjXMQS1sEdvjQvBKObJ4xIKhkwqrTOx+PY40yBNYN2iPIViWEOv +sHxp0A== -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- -MIIEuwIBADANBgkqhkiG9w0BAQEFAASCBKUwggShAgEAAoIBAQDJ9Fhuv78b+G5o -fpb9WsSkDP3yIkWr3SBaiTmMPOCpvn2oXFE4BWNqDhAMUPsvJzf9q6V62WJS+Xra -rIr/9ZtBGQxZfkgjr8VC65sndhoRSXmibvju9eHtZcaQTw09i1igmt4OKivpKylj -FIJWgBiSq2Jsn4SnTFDdFzfyEsSLsM2Qm0kOvze9HFOAhWcs5sYsUslu8WUfsLCI -IKV9QazG7Bi3BqFZJ1rdsq6f6hSkawXWv295PoLOs0r6Sb7dXUzbhhuHazxfqX7w -OeDT3pV73HHZs/OhYO2FCxP4Qm6w3854JDIKg9xJvbF2q5QOxjvrQsadrsledhQa -t3S3vSatAgMBAAECggEADsKzK/ULzMmNmEmYU5Asyyi/7tCecv9IfBWHhT511TI9 -EO8eaI/MQlYgyiWpFjsxlnLTN3VoAFSHrC/sQOT8ofdotanLMACK1GdQAcRaB2Vt -ZHfj7eM+zhEgQC/m8dabdbGcBUED0Jj8/2biV9wo759jJDlMgsXLKz2lMyY4A1WZ -kwCrdTqSn+TqA4+t7RdteY1YQZIV/qKNABT9CCRyH9Hqr5MyByYGiLtsrimI8WH/ -/UlE4R8/dHI5yA/FrtNgPM7QB1UElMBHaixWGUJTWSIcZtGuZ82N+uVjgVREfeML -3RmDfwRAsgy3oz2zisQmz2qJDDdO1qJSn34ezOmYqQKBgQDmlAK0TnoxlYExmHWg -fqm1Ee2n6rls14y0lm1GP0NoTOakSiZ9yBbQwYNNR7/P7YCppTt4/EdO2Skgpqg6 -KEd8ur2zsjWSEbMb/Pd0OB+pLUKjfrMQ+Kft8lalpcO5OcF2RmQnLTZAn9Endx/l -TikvmB3Pq3r5RcfNAMDrrNrN9wKBgQDgOHDmht5Pq2zasVnFW1OydCNneuameREV -kFM4D2raUkGbQNft/yhkjStZkEVAmooWHLYxJkWFo5KY8RpRJ50vW01UzH7jnA13 -PCvbJ1ITxzNuUbMcg4b8V6D0pM/Y8b7Me24iI1RAJntAx/+doAdRnLggYQcTp1Dl -ahce8/0XewKBgDSqT+fRGPXkWQrz8MIEzExwWOEGqu2iWiART8pAvuu+zNtvmFUY -c6Wg3ZW0MqqSa9XTyL68mKj4zv0HM9t8wb9Kg/PcW4IOiuN0pyyjeQ/SJ6tiUBIr 
-SWf+9y2ErCzNdVPHhi6wk/i0yDgEbIOak6usSfraBw+Ska1QY8AwzhVHAn9UFNZB -nFHBjodDez4uxBCe2u5r36qewselTnnmi+GF/VKc5bQTi5uaGVYoP/G4SDuAD0RD -KhboBm7y63by9+f52kMliYoL0Hk8PVQ02ons4MZomDqSdsAn4LR7CVLoB7+E7sRe -COGPLN8La/RvJ5OXBy4E9l2xAQ1U+nOxJ83BAoGBANHLPoIQ2lug421Kqc07P9rI -66CVYX8XQrpqFHPytFQv7SQkUU+cp+7qpo33b62FkV5qi+oZ+bqyQ6Ung5Ro7R4q -2JFLdxRw1nKVCFog/WFvs9XSw8tJUW4pnEcXLBtbWpozmhe5ZhgFes1LldPSgYXK -XC6Jr1/6OJQGM4wklSiS +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDm5qhU/SXGwps8 +ivyo2x3s5DZWSzZbNo+LCLJDu5F3z6RHKYkT8X6coCBm9QV5uNPvQUmz+QgPV1Cp +wCfc7E5kVIK/raLQ7CnugutDd+JBHbHC5BUVrYPyFX3Py8tzsJnKIp2LgRQRk6/w +3UrwrFOFXsTXZgjk5VdCX6ieJfBsN/gOSJ7HuCjiaAiq/1IEOMEu9aF4KQ9ZNIZQ +u2wvwODjad6pHtSH/ghrCbuRrRzPCW4zQasuMMCKt3Do44Fg25zcF7VeGMr/nNjo +k63rJ4dx7aOO17tjMugIG/SGbWxXIiShyvE+LqS8LxyvD5EYjSb2KNkirQo33Row +bBWrfaOTAgMBAAECggEBAMqFgRuaNeoRgqsllNpd5e+Dcw1ZRsHWJyzhYcn62Gpn +20T3b13osQ6bfBAR1M2giXMOpqCOSr157iwVeGFTeqaRYWTR3T62BUlH1yYEHpTS +gLnZ54xt9o78vq7lpvs/6IPcvKZBfuKz0NvInRRfcZpHNwteWWq6pUB4OqMLz8Z5 +3j9mo+69izUOaTbLptXngV9c0TYi2J7JHVwV7nxZga4sbq5btxN7gTv/M6dKKEvl +CB7p/aD+EVMUgIICw++FvykgOfCXVbUEWld97k68R+UY805xec15ovAIIwzPWViG +ry8yVUewVM6a03AOHEV9lOtfyJOm683EnflvFVG3nDECgYEA8zDwjk+gDfbEC0+1 +C1zsC9ojyg3tve80chrnpwQfL8hrrdUWq0eHpL1boA1vYvgl5Uukqkj6xKFaJXFZ +0QaDB6xTemxpeXX/+KffjgZbglvpm4Yr5C/tCv6U0lUx19ReQB9L+Qqpzg5kJvDc +xc7eSFW3RPo7bZJJLUwLq3Np1GcCgYEA8xAA+3N2+/TjTOae4Ks1VtcvBn5shs4Z +kg3IraLznpkL1SlQ4asxr3iy0ie7gWUIKS4TwELDjXnNprfgmJZfZMgE2MZfZwCO +9P0/p+BCtqubekVFnMGezul3XzzT+wPCGoOlqz5VeiW6ognm9RBm5e0jz42j13dp +B5z/wFatm/UCgYBVF1OkR8IWALjZyFrtjebdwsbxBOyhn5f3MOjLLIsI+hSLL1sO +NSoF/2eW2fyWYYNI9q24E28C6/4RydaGZ8PjJG3VESfaouochAiZtinAtA5KJ6kl +34sOZMOH0N1uylTsFMdNbWi6u5hZc7+byuVF5BALJ48xqJTIL6qJpAlskwKBgE3j +Xf011fYNVl1JNbZXBsOqNvaEwrA8ETOdWSZTJnA3KPSIxdNa8ZQCQINZmhtvzbqs +ekXM3y9RzdXT7JPY8/6uneb9QosWQbk+Ag0Ar0AsI6l90z3VSdeSNt989YzlemjW +sNr8IZX/yxurwqfbNq4NXMFg6RTdvfljlQ0EeaOVAoGAR002FIKL1Z/3DqbVV+tQ 
+FlOksFDTshG1Y9mDQAfTCSlNBeGDz/bQnSo1WWj/DXVLoHxpBglvFmWSajmOUa1R +W4JDOK/W949pPYfP1QRvbJVGmZ/Y8u90GZbBjWQF+E9yLicESOpN/BH45FIbxQHQ +2wH/9G1OCozBqCVXGhJw7CA= -----END PRIVATE KEY----- diff --git a/jstests/ssl/libs/localhost-cn-with-san.pem.digest.sha1 b/jstests/ssl/libs/localhost-cn-with-san.pem.digest.sha1 new file mode 100644 index 00000000000..1127761edbf --- /dev/null +++ b/jstests/ssl/libs/localhost-cn-with-san.pem.digest.sha1 @@ -0,0 +1 @@ +A8FBDA18A45E8945D1D6E08E77B3070314B80458
\ No newline at end of file diff --git a/jstests/ssl/libs/localhost-cn-with-san.pem.digest.sha256 b/jstests/ssl/libs/localhost-cn-with-san.pem.digest.sha256 new file mode 100644 index 00000000000..4bb65aa4d90 --- /dev/null +++ b/jstests/ssl/libs/localhost-cn-with-san.pem.digest.sha256 @@ -0,0 +1 @@ +5926109C2D0A4565771FFA92814319B5946DF5710A4F99A77FFF9A7881681376
\ No newline at end of file diff --git a/jstests/ssl/ssl_cert_selector.js b/jstests/ssl/ssl_cert_selector.js index 11c97eff270..f53c784f799 100644 --- a/jstests/ssl/ssl_cert_selector.js +++ b/jstests/ssl/ssl_cert_selector.js @@ -42,14 +42,10 @@ requireSSLProvider('windows', function() { assert.eq(exitStatus, 0, "successfully connected with SSL"); }; + const trusted_client_thumbprint = cat('jstests/libs/trusted-client.pem.digest.sha1'); + assert.doesNotThrow(function() { - try { - // trusted-client.pfx - testWithCert("thumbprint=6AE38B35F4551B6BDCDB89AFABE0B277046F2735"); - } catch (e) { - // Transitional: Pre Oct-2019 trusted-client.pfx - testWithCert("thumbprint=9ca511552f14d3fc2009d425873599bf77832238"); - } + testWithCert("thumbprint=" + trusted_client_thumbprint); }); assert.doesNotThrow(function() { diff --git a/jstests/ssl/ssl_cert_selector_apple.js b/jstests/ssl/ssl_cert_selector_apple.js index 0f23f04eed6..7e059316095 100644 --- a/jstests/ssl/ssl_cert_selector_apple.js +++ b/jstests/ssl/ssl_cert_selector_apple.js 
@@ -20,12 +20,54 @@ requireSSLProvider('apple', function() { 'C=US,ST=New York,L=New York City,O=MongoDB,OU=Kernel,CN=Trusted Kernel Test Server'; const INVALID = null; + function getCertificateSHA1BySubject(subject) { + clearRawMongoProgramOutput(); + // security find-certificate prints out info about certificates matching the given search + // criteria. In this case, we use -c, matching common name, and -Z, which includes SHA-1 and + // SHA-256 thumbprints in the output. + assert.eq(0, runNonMongoProgram("security", "find-certificate", "-c", subject, "-Z")); + const out = rawMongoProgramOutput(); + + const kSearchStr = "SHA-1 hash: "; + const kHashHexitLen = 40; + + const searchIdx = out.indexOf(kSearchStr); + assert.neq(searchIdx, -1, "SHA-1 hash not found in command output!"); + + return out.substr(searchIdx + searchStr.length, kHashHexitLen); + } + + // Using the thumbprint of the certificate stored in the keychain should always work as a + // selector. + const trusted_server_thumbprint = getCertificateSHA1BySubject("Trusted Kernel Test Server"); + const trusted_client_thumbprint = getCertificateSHA1BySubject("Trusted Kernel Test Client"); + + const expected_server_thumbprint = cat("jstests/libs/trusted-server.pem.digest.sha1"); + const expected_client_thumbprint = cat("jstests/libs/trusted-client.pem.digest.sha1"); + + // If we fall into this case, our trusted certificates are not installed on the machine's + // certificate keychain. This probably means that certificates have just been renewed, but have + // not been installed in MacOS machines yet. 
+ if (expected_server_thumbprint !== trusted_server_thumbprint || + expected_client_thumbprint !== trusted_client_thumbprint) { + print("****************"); + print("****************"); + print( + "macOS host has an unexpected version of the trusted server certificate (jstests/libs/trusted-server.pem) or trusted client certificate (jstests/libs/trusted-client.pem) installed."); + print("Expecting server thumbprint: " + expected_server_thumbprint + + ", got: " + trusted_server_thumbprint); + print("Expecting client thumbprint: " + expected_client_thumbprint + + ", got: " + trusted_client_thumbprint); + print("****************"); + print("****************"); + } + const testCases = [ - {selector: 'thumbprint=D7421F7442CA313821E19EE0509721F4D60B25A8', name: SERVER}, + {selector: 'thumbprint=' + trusted_server_thumbprint, name: SERVER}, {selector: 'subject=Trusted Kernel Test Server', name: SERVER}, - {selector: 'thumbprint=9CA511552F14D3FC2009D425873599BF77832238', name: CLIENT}, + {selector: 'thumbprint=' + trusted_client_thumbprint, name: CLIENT}, {selector: 'subject=Trusted Kernel Test Client', name: CLIENT}, - {selector: 'thumbprint=D7421F7442CA313821E19EE0509721F4D60B25A9', name: INVALID}, + {selector: 'thumbprint=DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF', name: INVALID}, {selector: 'subject=Unknown Test Client', name: INVALID} ]; diff --git a/jstests/ssl/tlsCATrusts.js b/jstests/ssl/tlsCATrusts.js index bf12c80f78e..2b787ef7971 100644 --- a/jstests/ssl/tlsCATrusts.js +++ b/jstests/ssl/tlsCATrusts.js 
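Review bot: `getCertificateSHA1BySubject` references `searchStr`, which is never defined — the constant declared two lines earlier is `kSearchStr` — so the first call throws a ReferenceError before any test case runs; the return line should read `return out.substr(searchIdx + kSearchStr.length, kHashHexitLen);`. The mismatch branch below only prints a warning and then continues with the keychain thumbprints, which the comment explains is deliberate, but the `!==` comparison will also report a spurious mismatch if either digest file ever carries a trailing newline, so trimming the `cat(...)` results would make the diagnostic reliable. `security find-certificate -c` without `-a` reports only the first certificate matching the common name, so if both an old and a renewed test certificate are installed the warning may fire even though the expected one is present — presumably acceptable, but worth a sentence in the helper's comment. The enclosing requireSSLProvider callback continues outside the hunk.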
@@ -6,8 +6,8 @@ requireSSLProvider('openssl', function() { const SERVER_CERT = 'jstests/libs/server.pem'; const COMBINED_CA_CERT = 'jstests/ssl/x509/root-and-trusted-ca.pem'; - const CA_HASH = '539D91F8202641BF85C0C36C88FF69F3062D4AB370CECBF9B950A8B97DE72EAE'; - const TRUSTED_CA_HASH = 'AEAEBB1BA947A7C1428D39EF6166B83409D0245D28013C9FDD71DF9E69BEA52B'; + const CA_HASH = cat('jstests/libs/ca.pem.digest.sha256'); + const TRUSTED_CA_HASH = cat('jstests/libs/trusted-ca.pem.digest.sha256'); // Common suffix, keep the lines short. const RDN_SUFFIX = ',O=MongoDB,L=New York City,ST=New York,C=US'; diff --git a/jstests/ssl/x509/README b/jstests/ssl/x509/README index 72378a9b15e..346e06f750d 100644 --- a/jstests/ssl/x509/README +++ b/jstests/ssl/x509/README @@ -35,8 +35,10 @@ certs: serial: 42 # Optional, validity start date, currently expressed in seconds relative to now. not_before: -86400 # 1 day ago - # Optional, validity end date, currently expressed in seconds relative to now. - not_after: 631152000 # 20 years from now + # Optional, validity end date, currently expressed in seconds relative to now. + # Note that not_after - not_before, the validity period, should be less than or equal to 825 days, see: + # https://support.apple.com/en-us/HT210176 + not_after: 71107200 # 823 days from now # Optional, where to store this certificate (overrides global) output_path: 'jstests/ssl/libs/' # Optional, IDs of other public keys to append to the file diff --git a/jstests/ssl/x509/certs.yml b/jstests/ssl/x509/certs.yml index 68ecf419e26..b2f50d283ba 100644 --- a/jstests/ssl/x509/certs.yml +++ b/jstests/ssl/x509/certs.yml @@ -213,6 +213,7 @@ certs: not_before: -10000000 not_after: -1000000 extensions: + extendedKeyUsage: [serverAuth] subjectAltName: DNS: localhost IP: 127.0.0.1 
@@ -226,7 +227,8 @@ certs: keyUsage: [digitalSignature, keyEncipherment] extendedKeyUsage: [serverAuth] subjectAltName: - DNS: ['localhost', '127.0.0.1'] + DNS: localhost + IP: 127.0.0.1 - name: 'localhost-cn-with-san.pem' description: Localhost based certificate using non-matching subject alternate name. @@ -234,6 +236,7 @@ certs: Subject: {CN: 'localhost'} Issuer: 'ca.pem' extensions: + extendedKeyUsage: [serverAuth] subjectAltName: DNS: 'example.com' @@ -246,17 +249,22 @@ certs: keyUsage: [digitalSignature, keyEncipherment] extendedKeyUsage: [serverAuth] subjectAltName: - DNS: ['*.example.com', 'localhost', '127.0.0.1', 'morefun!'] + DNS: ['*.example.com', 'localhost', 'morefun!'] + IP: 127.0.0.1 - name: 'not_yet_valid.pem' description: A certificate which has yet to reach its validity date. Subject: {CN: 'not_yet_valid'} not_before: 630720000 # 20 years hence - not_after: 1261440000 # a further 20 + not_after: 701913600 # a further 824 days after extensions: + extendedKeyUsage: [serverAuth] mongoRoles: - {role: backup, db: admin} - {role: readAnyDatabase, db: admin} + subjectAltName: + DNS: localhost + IP: 127.0.0.1 - name: 'password_protected.pem' description: Server cerificate using an encrypted private key. @@ -270,7 +278,8 @@ certs: extendedKeyUsage: [serverAuth] authorityKeyIdentifier: issuer subjectAltName: - DNS: ['localhost', '127.0.0.1'] + DNS: localhost + IP: 127.0.0.1 - name: 'server.pem' description: General purpose server certificate file. @@ -282,7 +291,8 @@ certs: extendedKeyUsage: [serverAuth, clientAuth] authorityKeyIdentifier: issuer subjectAltName: - DNS: ['localhost', '127.0.0.1'] + DNS: localhost + IP: 127.0.0.1 - name: 'server_no_subject.pem' description: Server certificate with empty Subject, but critical SAN. @@ -295,7 +305,7 @@ certs: authorityKeyIdentifier: issuer subjectAltName: critical: true - DNS: 'localhost' + DNS: localhost IP: ['127.0.0.1', '::1'] - name: 'server_no_subject_no_SAN.pem' 
@@ -312,20 +322,25 @@ certs: description: General purpose server certificate with good SANs. Subject: {CN: 'Kernel Client Peer Role'} extensions: + extendedKeyUsage: [serverAuth, clientAuth] subjectAltName: - DNS: 'localhost' + DNS: localhost IP: ['127.0.0.1', '::1'] - name: 'server_SAN2.pem' description: General purpose server certificate with bad SANs. Subject: {CN: 'Kernel Client Peer Role'} extensions: + extendedKeyUsage: [serverAuth] subjectAltName: - DNS: ['localhost', '127.0.0.1', '::1'] + DNS: localhost + IP: ['127.0.0.1', '::1'] - name: 'server_no_SAN.pem' description: General purpose server certificate with missing SAN. Subject: {CN: localhost, title: 'Server no SAN attribute'} + extensions: + extendedKeyUsage: [serverAuth] # For tenant migration testing. - name: 'rs0.pem' @@ -337,6 +352,9 @@ certs: subjectKeyIdentifier: hash keyUsage: [digitalSignature, keyEncipherment] extendedKeyUsage: [serverAuth] + subjectAltName: + DNS: localhost + IP: 127.0.0.1 authorityKeyIdentifier: issuer - name: 'rs1.pem' @@ -348,6 +366,9 @@ certs: subjectKeyIdentifier: hash keyUsage: [digitalSignature, keyEncipherment] extendedKeyUsage: [serverAuth] + subjectAltName: + DNS: localhost + IP: 127.0.0.1 authorityKeyIdentifier: issuer - name: 'rs2.pem' @@ -359,6 +380,9 @@ certs: subjectKeyIdentifier: hash keyUsage: [digitalSignature, keyEncipherment] extendedKeyUsage: [serverAuth] + subjectAltName: + DNS: localhost + IP: 127.0.0.1 authorityKeyIdentifier: issuer - name: 'tenant_migration_donor.pem' @@ -677,8 +701,10 @@ certs: CN: 'server' Issuer: 'rollover_ca.pem' extensions: + extendedKeyUsage: [serverAuth, clientAuth] subjectAltName: - DNS: ['localhost', '127.0.0.1'] + DNS: localhost + IP: 127.0.0.1 ### # Intermediate 
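Review bot: In the `server_SAN2.pem` entry, moving `127.0.0.1` and `::1` out of `DNS:` into `IP:` leaves it with exactly the same subjectAltName set as `server_SAN.pem` just above it, while its description still reads "General purpose server certificate with bad SANs". The IP literals encoded as dNSName entries appear to have been the "bad" part, so whichever test consumes server_SAN2.pem may now have a vacuous negative case and should be checked. If the new shape is intended, the description should say what still differs, e.g. `description: Server certificate with valid SANs but no clientAuth in extendedKeyUsage.` — the EKU list is the only remaining difference from server_SAN.pem. The other DNS→IP moves in this file are on certificates described as general-purpose/valid, where the change is the right fix.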
@@ -696,13 +722,20 @@ certs: Subject: {CN: 'Server Via Intermediate'} Issuer: 'intermediate-ca.pem' append_cert: 'intermediate-ca.pem' + extensions: + extendedKeyUsage: [serverAuth, clientAuth] + subjectAltName: + DNS: localhost + IP: 127.0.0.1 - name: 'server-intermediate-leaf.pem' description: Server certificate signed by intermediate CA. Subject: {CN: 'Server Leaf Via Intermediate'} extensions: + extendedKeyUsage: [serverAuth] subjectAltName: - DNS: ['localhost', '127.0.0.1'] + DNS: localhost + IP: 127.0.0.1 Issuer: 'intermediate-ca.pem' - name: 'intermediate-ca-chain.pem' @@ -729,12 +762,13 @@ certs: Subject: {O: 'MongoDB, Inc. (Splithorizon)', CN: 'server'} Issuer: 'splithorizon-ca.pem' extensions: + extendedKeyUsage: [serverAuth, clientAuth] subjectAltName: DNS: - 'localhost' - - '127.0.0.1' - 'splithorizon1' - 'splithorizon2' + IP: 127.0.0.1 ### # Trusted CA @@ -747,7 +781,8 @@ certs: extensions: basicConstraints: {CA: true} subjectAltName: - DNS: ['localhost', '127.0.0.1'] + DNS: localhost + IP: 127.0.0.1 # trusted-client.pfx created by mkspecial.sh - name: 'trusted-client.pem' @@ -758,8 +793,10 @@ certs: passphrase: 'qwerty' name: 'trusted-client.pfx' extensions: + extendedKeyUsage: [clientAuth] subjectAltName: - DNS: ['localhost', '127.0.0.1'] + DNS: localhost + IP: 127.0.0.1 # trusted-server.pfx created by mkspecial.sh - name: 'trusted-server.pem' @@ -770,8 +807,10 @@ certs: passphrase: 'qwerty' name: 'trusted-server.pfx' extensions: + extendedKeyUsage: [serverAuth] subjectAltName: - DNS: ['localhost', '127.0.0.1'] + DNS: localhost + IP: 127.0.0.1 - name: 'trusted-client-testdb-roles.pem' description: Client certificate with X509 role grants via trusted chain. diff --git a/jstests/ssl/x509/mkcert.py b/jstests/ssl/x509/mkcert.py index 269120a9af2..45ac802e51c 100755 --- a/jstests/ssl/x509/mkcert.py +++ b/jstests/ssl/x509/mkcert.py 
@@ -17,6 +17,8 @@ import OpenSSL import re import shutil +import mkdigest + # pylint: disable=protected-access OpenSSL._util.lib.OBJ_create(b'1.2.3.45', b'DummyOID45', b'Dummy OID 45') OpenSSL._util.lib.OBJ_create(b'1.2.3.56', b'DummyOID56', b'Dummy OID 56') @@ -37,6 +39,9 @@ MUST_STAPLE_KEY = bytes(MUST_STAPLE_KEY_STR, "utf-8") MUST_STAPLE_VALUE_STR = 'DER:30:03:02:01:05' # ASN.1 value: SEQUENCE { INTEGER 0x05 (5 decimal) } MUST_STAPLE_VALUE = str(MUST_STAPLE_VALUE_STR).encode('utf-8') +# <= 825 in order to abide by https://support.apple.com/en-us/HT210176. +MAX_VALIDITY_PERIOD_DAYS = 824 + def glbl(key, default=None): """Fetch a key from the global dict.""" return CONFIG.get('global', {}).get(key, default) @@ -138,8 +143,7 @@ def set_validity(x509, cert): # TODO: Parse human readable dates and/or datedeltas not_after = int(not_after) else: - # Default 20 years hence. - not_after = 20 * 365 * 24 * 60 * 60 + not_after = not_before + MAX_VALIDITY_PERIOD_DAYS * 24 * 60 * 60 x509.gmtime_adj_notAfter(not_after) def set_general_dict_extension(x509, exts, cert, name, typed_values): @@ -507,7 +511,7 @@ def process_client_multivalue_rdn(cert): subject = '/CN=client+OU=KernelUser+O=MongoDB/L=New York City+ST=New York+C=US' subprocess.check_call(['openssl', 'req', '-new', '-nodes', '-multivalue-rdn', '-subj', subject, '-keyout', key, '-out', csr]) subprocess.check_call(['openssl', 'rsa', '-in', key, '-out', rsa]) - subprocess.check_call(['openssl', 'x509', '-in', csr, '-out', pem, '-req', '-CA', ca, '-CAkey', ca, '-days', '3650', '-sha256', '-set_serial', serial]) + subprocess.check_call(['openssl', 'x509', '-in', csr, '-out', pem, '-req', '-CA', ca, '-CAkey', ca, '-days', str(MAX_VALIDITY_PERIOD_DAYS), '-sha256', '-set_serial', serial]) open(dest, 'wt').write(get_header_comment(cert) + "\n" + open(pem, 'rt').read() + open(rsa, 'rt').read()) os.remove(key) 
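Review bot: The new 824-day cap in `set_validity` is applied only when `not_after` is omitted; a certificate that specifies `not_after` explicitly (certs.yml does this for the not_yet_valid and expired entries) can still exceed the Apple limit the constant was introduced for, and nothing in mkcert.py would notice. Since `not_before` is already numeric in this scope and the explicit branch converts with `not_after = int(not_after)`, it could enforce the limit right after that line: `assert not_after - not_before <= MAX_VALIDITY_PERIOD_DAYS * 24 * 60 * 60, 'validity period exceeds MAX_VALIDITY_PERIOD_DAYS'` — every value visible in this commit satisfies it. The `# <= 825 in order to abide by ...` comment on the constant would also benefit from saying why 824 rather than 825 was chosen (presumably a day of slack against `gmtime_adj_*` rounding — confirm). set_validity starts outside the hunk, so the meaning of `not_before` as seconds relative to now is taken from the README hunk rather than the code.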
@@ -567,7 +571,7 @@ def process_ecdsa_ca(cert): subject = '/C=US/ST=New York/L=New York City/O=MongoDB/OU=Kernel/CN=Kernel Test ESCDA CA/' reqargs = ['openssl', 'req', '-new', '-key', key, '-out', csr, '-subj', subject] - x509args = ['openssl', 'x509', '-in', csr, '-out', pem, '-req', '-signkey', key, '-days', '7300', '-sha256', '-set_serial', serial] + x509args = ['openssl', 'x509', '-in', csr, '-out', pem, '-req', '-signkey', key, '-days', str(MAX_VALIDITY_PERIOD_DAYS), '-sha256', '-set_serial', serial] ecparamargs = (['openssl', 'ecparam', '-name', 'prime256v1', '-genkey', '-out', key, '-noout'] if "ocsp" in cert.get('tags', []) else ['openssl', 'ecparam', '-name', 'prime256v1', '-genkey', '-out', key]) @@ -611,7 +615,7 @@ def process_ecdsa_leaf(cert): subject = '/C=US/ST=New York/L=New York City/O=MongoDB/OU=' + ou + '/CN=' + mode reqargs = ['openssl', 'req', '-new', '-key', key, '-out', csr, '-subj', subject] - x509args = ['openssl', 'x509', '-in', csr, '-out', pem, '-req', '-CA', ca, '-CAkey', ca, '-days', '7300', '-sha256', '-set_serial', serial] + x509args = ['openssl', 'x509', '-in', csr, '-out', pem, '-req', '-CA', ca, '-CAkey', ca, '-days', str(MAX_VALIDITY_PERIOD_DAYS), '-sha256', '-set_serial', serial] if mode == 'server': reqargs = reqargs + ['-reqexts', 'v3_req'] extfile = tempfile.mkstemp()[1] @@ -789,6 +793,9 @@ def main(): items = sort_items(items) for item in items: process_cert(item) + filename = make_filename(item) + mkdigest.make_digest(filename, 'cert', 'sha256') + mkdigest.make_digest(filename, 'cert', 'sha1') if __name__ == '__main__': main() diff --git a/jstests/ssl/x509/mkcrl.sh b/jstests/ssl/x509/mkcrl.sh index e8c55b3e4c2..89fddb90e2c 100755 --- a/jstests/ssl/x509/mkcrl.sh +++ b/jstests/ssl/x509/mkcrl.sh 
@@ -16,15 +16,18 @@ crl() { echo -e "[ CA_default ]\ndatabase = ${CADB}/index.txt\n" >> "$CONFIG" echo -e "certificate = $CA\nprivate_key = $CA\ndefault_md = sha256" >> "$CONFIG" - DAYS="3651" - CRLDAYS="3650" + VALIDITY_OPTIONS="-days 824 -crldays 823" if [ "$2" = "expired" ]; then - DAYS="1" - CRLDAYS="1" + # -enddate 010101000000Z = expires on 0:00:00, Jan 1, 2000. + # -crlsec 1 = valid for 1 second from now. + # i.e. this certificate will be completely invalid very soon. + VALIDITY_OPTIONS="-enddate 010101000000Z -crlsec 1" elif [ "$2" = "revoked" ]; then openssl ca -config "$CADB/config" -revoke "jstests/libs/client_revoked.pem" fi - openssl ca -config "$CADB/config" -gencrl -out "$DEST" -md sha256 -days "$DAYS" -crldays "$CRLDAYS" + openssl ca -config "$CADB/config" -gencrl -out "$DEST" -md sha256 $VALIDITY_OPTIONS + jstests/ssl/x509/mkdigest.py crl sha256 "$DEST" + jstests/ssl/x509/mkdigest.py crl sha1 "$DEST" } crl crl.pem empty crl crl_expired.pem expired diff --git a/jstests/ssl/x509/mkdigest.py b/jstests/ssl/x509/mkdigest.py new file mode 100755 index 00000000000..b9926b48dfa --- /dev/null +++ b/jstests/ssl/x509/mkdigest.py 
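Review bot: The comment `# -enddate 010101000000Z = expires on 0:00:00, Jan 1, 2000.` does not match the value: a 13-character `-enddate` argument is parsed as UTCTime `YYMMDDHHMMSSZ`, so `010101000000Z` is 00:00:00 on Jan 1, 2001. Either correct the comment (`# -enddate 010101000000Z = expires on 0:00:00, Jan 1, 2001.`) or use the unambiguous GeneralizedTime form `20010101000000Z`. Separately, `$VALIDITY_OPTIONS` is deliberately expanded unquoted on the `openssl ca` line so it splits into several arguments; that reads like a quoting bug, so a one-line comment (or an array, if the script is bash) would make the intent explicit.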
@@ -0,0 +1,42 @@ +#!/usr/bin/env python3 +""" +This script calculates and writes out digests for x509 certificates/CRLs. +Invoke as `mkdigest.py <cert|crl> <sha256|sha1> <filename1> [filename2 ...]` +""" +import argparse +import OpenSSL +import cryptography.hazmat.primitives.hashes as hashes + +DIGEST_NAME_TO_HASH = {'sha256': hashes.SHA256(), 'sha1': hashes.SHA1()} + +def make_digest(filename, item_type, digest_type): + """Calculate the given digest of the certificate/CRL passed in and write it out to <filename>.digest.<digest_type>""" + assert item_type in {"cert", "crl"} + assert digest_type in {"sha256", "sha1"} + with open(filename, 'r') as f: + data = f.read() + + if item_type == 'cert': + cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, data) + rawdigest = cert.digest(digest_type) + digest = rawdigest.decode('utf8').replace(':', '') + elif item_type == 'crl': + crl = OpenSSL.crypto.load_crl(OpenSSL.crypto.FILETYPE_PEM, data) + rawdigest = crl.to_cryptography().fingerprint(DIGEST_NAME_TO_HASH[digest_type]) + digest = rawdigest.hex().upper() + + with open(filename + '.digest.' + digest_type, 'w') as f: + f.write(digest) + +def main(): + parser = argparse.ArgumentParser(description='X509 Digest Generator') + parser.add_argument('type', choices={"cert", "crl"}, help='Type of X509 object to generate digest for') + parser.add_argument('digest', choices={"sha1", "sha256"}, help='Algorithm for digest') + parser.add_argument('filename', nargs='+', help='Path of X509 file to generate digest for') + args = parser.parse_args() + + for fname in args.filename: + make_digest(fname, args.type, args.digest) + +if __name__ == '__main__': + main()
\ No newline at end of file diff --git a/jstests/ssl/x509/root-and-trusted-ca.pem b/jstests/ssl/x509/root-and-trusted-ca.pem index 219ecf6397d..18882c21d68 100644 --- a/jstests/ssl/x509/root-and-trusted-ca.pem +++ b/jstests/ssl/x509/root-and-trusted-ca.pem 
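Review bot: `make_digest` writes the digest with no trailing newline (`f.write(digest)`), and the jstests in this commit consume the file verbatim via `cat()` to build `thumbprint=` selectors and to compare against `security find-certificate` output, so that is a contract rather than an accident; the docstring should say so, e.g. `Written without a trailing newline: jstests splice the file contents directly into selector strings.` For `cert` input, pyOpenSSL's `load_certificate` parses only the first PEM certificate in the buffer, so for bundles such as root-and-trusted-ca.pem the `.digest.*` files describe the first certificate only — worth stating in the module docstring, since mkcert.py's main loop now runs this for every generated item. The `if`/`elif` on `item_type` leaves `digest` unassigned for any other value; given the `assert` above it, the second branch can simply be `else:` so the assert is the only error path. The `sha1` variant exists because the Windows and macOS certificate stores identify certificates by SHA-1 thumbprint; a comment noting that the digest is an identifier for store lookups, not an integrity check, would pre-empt questions about SHA-1 here.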
@@ -2,48 +2,49 @@ # Generate using jstests/ssl/x509/mkcert.py --config jstests/ssl/x509/certs.yml root-and-trusted-ca.pem # # Combined ca.pem and trusted-ca.pem + # Certificate from ca.pem -----BEGIN CERTIFICATE----- -MIIDdDCCAlwCBBmRIxIwDQYJKoZIhvcNAQELBQAwdDELMAkGA1UEBhMCVVMxETAP -BgNVBAgMCE5ldyBZb3JrMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5MRAwDgYDVQQK -DAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxFzAVBgNVBAMMDktlcm5lbCBUZXN0 -IENBMB4XDTE5MDkyNTIzMjczOVoXDTM5MDkyNzIzMjczOVowdDELMAkGA1UEBhMC -VVMxETAPBgNVBAgMCE5ldyBZb3JrMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5MRAw -DgYDVQQKDAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxFzAVBgNVBAMMDktlcm5l -bCBUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAupVkx8+n -AqzsANKwNPeCYlf2q0WgF4kSUMNJdpmMelrr7hh7EOnAU0hTAQx9BKTEbExeCzH6 -OArFNGjewjWVXwaOpCjK8FMvK6/lGVEpmoHNF9XuiQVmaQ4bJD6rC73YjpgNIPeL -5PyoFLEZv+X2cRBPpTcSRcf87tk8HL7v0eyk1JBhkeKK68SYdWwZlHaa1jqwmliW -WvVMkHVH3lx0VOgQwWtOgs0K1zpcZ0sH5MGpYRQOiidIRZj3PkKeTPQe2D6VQQtv -2yDs9dWfCxJJP9QiWclL2rF/xqlFSNEIfNZpZhk6I1DHQpA2uyJfzRH62pFasJuB -CVh5Tr0EDoVreQIDAQABoxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB -CwUAA4IBAQARdNCYYWxi2fyhJwzGHwIT261d/pTlOSYLlm84c72aEneFUnfp8/H5 -JjuFbnhiX+5+h3M7eDQhra9s+H3vKr7o38EIVf5OKXvpNLwv1UUmomBvKqccioYh -bxrfwCzfBRuUmW05kcAVn8iKovqyxL7npEZbckwtT+BqZ4kOL4Uzre+S1HMx0zOu -xulSYA/sBoJ2BB93ZIAqB+f/+InS9yggzyhhaQqS7QEl1L4nZE4Oy0jKcxdCzysm -TqiyH+OI5SVRTfXh4XvHmdWBBaQyaTmQzXYUxUi7jg1jEAiebCGrEJv9plwq4KfC -cze9NLBjaXR3GzonT8kICyVT/0UvhuJg +MIIDeTCCAmGgAwIBAgIEe9SskzANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV +UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO +BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs +IFRlc3QgQ0EwHhcNMjIwMTI3MjE1OTQyWhcNMjQwNDMwMjE1OTQyWjB0MQswCQYD +VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp +dHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwO +S2VybmVsIFRlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDf +vZIt82obTHnc3iHgUYSc+yVkCHyERF3kdcTTFszDbN9mVPL5ZkH9lIAC3A2rj24T 
+pItMW1N+zOaLHU5tJB9VnCnKSFz5CHd/KEcLA3Ql2K70z7n1FvINnBmqAQdgPcPu +Et2rFgGg3atR3T3bV7ZRlla0CcoAFl/YoDI16oHRXboxAtoAzaIwvS6HUrOYQPYq +BLGt00Wws4bpILk3b04lDLEHmzDe6N3/v3FgBurPzR2tL97/sJGePE94I833hYG4 +vBdU0Kdt9FbTDEFOgrfRCisHyZY6Vw6rIiWBSLUBCjtm2vipgoD0H3DvyZLbMQRr +qmctCX4KQtOZ8dV3JQkNAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAJnz4lK9GiCWhCXIPzghYRRheYWL8nhkZ+3+oC1B3/mGEf71 +2VOdND6fMPdHinD8jONH75mOpa7TanriVYX3KbrQ4WABFNJMX9uz09F+0A2D5tyc +iDkldnei+fiX4eSx80oCPgvaxdJWauiTsEi+fo2Do47PYkch9+BDXT9F/m3S3RRW +cia7URBAV8Itq6jj2BHcpS/dEqZcmN9kGWujVagcCorc0wBKSmkO/PZIjISid+TO +Db2g+AvqSBDU0lbdP7NXRSIxvZejDz4qMjcpSbhW9OS2BCYZcq5wgH2lwYkdPtmX +JkhxWKwsW11WJWDcmaXcffO3a6lDizxyjnTedoU= -----END CERTIFICATE----- # Certificate from trusted-ca.pem -----BEGIN CERTIFICATE----- -MIIDojCCAooCBG585gswDQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxETAP -BgNVBAgMCE5ldyBZb3JrMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5MRAwDgYDVQQK -DAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxHzAdBgNVBAMMFlRydXN0ZWQgS2Vy -bmVsIFRlc3QgQ0EwHhcNMTkwOTI1MjMyNzQxWhcNMzkwOTI3MjMyNzQxWjB8MQsw -CQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3Jr -IENpdHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEfMB0GA1UE -AwwWVHJ1c3RlZCBLZXJuZWwgVGVzdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP -ADCCAQoCggEBANlRxtpMeCGhkotkjHQqgqvO6O6hoRoAGGJlDaTVtqrjmC8nwySz -1nAFndqUHttxS3A5j4enOabvffdOcV7+Z6vDQmREF6QZmQAk81pmazSc3wOnRiRs -AhXjld7i+rhB50CW01oYzQB50rlBFu+ONKYj32nBjD+1YN4AZ2tuRlbxfx2uf8Bo -Zowfr4n9nHVcWXBLFmaQLn+88WFO/wuwYUOn6Di1Bvtkvqum0or5QeAF0qkJxfhg -3a4vBnomPdwEXCgAGLvHlB41CWG09EuAjrnE3HPPi5vII8pjY2dKKMomOEYmA+KJ -AC1NlTWdN0TtsoaKnyhMMhLWs3eTyXL7kbkCAwEAAaMxMC8wDAYDVR0TBAUwAwEB -/zAfBgNVHREEGDAWgglsb2NhbGhvc3SCCTEyNy4wLjAuMTANBgkqhkiG9w0BAQsF -AAOCAQEAQk56MO9xAhtO077COCqIYe6pYv3uzOplqjXpJ7Cph7GXwQqdFWfKls7B -cLfF/fhIUZIu5itStEkY+AIwht4mBr1F5+hZUp9KZOed30/ewoBXAUgobLipJV66 -FKg8NRtmJbiZrrC00BSO+pKfQThU8k0zZjBmNmpjxnbKZZSFWUKtbhHV1vujver6 -SXZC7R6692vLwRBMoZxhgy/FkYRdiN0U9wpluKd63eo/O02Nt6OEMyeiyl+Z3JWi 
-8g5iHNrBYGBbGSnDOnqV6tjEY3eq600JDWiodpA1OQheLi78pkc/VQZwof9dyBCm -6BoCskTjip/UB+vIhdPFT9sgUdgDTg== +MIIDojCCAoqgAwIBAgIEclbQATANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJV +UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO +BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEfMB0GA1UEAwwWVHJ1c3Rl +ZCBLZXJuZWwgVGVzdCBDQTAeFw0yMjAxMjcyMTU5NDhaFw0yNDA0MzAyMTU5NDha +MHwxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazEWMBQGA1UEBwwNTmV3 +IFlvcmsgQ2l0eTEQMA4GA1UECgwHTW9uZ29EQjEPMA0GA1UECwwGS2VybmVsMR8w +HQYDVQQDDBZUcnVzdGVkIEtlcm5lbCBUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEA8h+5axgTodw8KmHz/rcPcy2N/etFkipOVL0i3Ug6JcKk +DjuSIdyLULuIQlR8nXWQ3hW9CZ2gDCeSnmnUKY6GWDQPHoSUJPhmGkXPuPBXivcL +QpLVZeOHrqR4+SHzOA3317LF/QYm9kC3dEZIz+dWUlTHs4NFwR+Yo84XNosSGaUh +o0mK5YcBx0W7y82rNrijcygOkXF9QrANUZfUz5uQ/ZPDjgoISqFvgMzJtpL6LqSC +TbsUM4NbPSYECDFzIosO+rhYCUsgZ5pE6NWZjmKzq4+zeb/2iSIoEb7U/5f6i4H4 +880y+usrcsBuNCS1OVHaEB1ZrlinJbzplB3nV9Hj1wIDAQABoywwKjAMBgNVHRME +BTADAQH/MBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsF +AAOCAQEArn+KmfD2JEXa0G81jY+v1+XBT4BCcFExbdpOYbIoo2m0Qvx+sla5+Qu7 +nG51R+3rnkVPr03ogKYtf3hYtQJk6DqfuF0V9ESYkz09XRwyW93mh3z4yumXnk3y +d6SG2quC6iJV0EqT/OnmmveGBpxaBjf80ezRq+8t0mVGeNwZSxv0OprAkmKIIDM8 +Qa1/LlGhStiU+hN62c3m4wHdY5jreRYH7NyIZCHJ/wKgo0cDWWdJ4MeAaQhuijUI +BaNg6mFHlxVMMRGIGSduUhu7vHzjbAES6kJxdIpDM8tZMlRZQ3ORml5s9onSMb2n +NmJkjwyB62odD+yrygWRLtFMJmKODQ== -----END CERTIFICATE----- diff --git a/jstests/ssl/x509/root-and-trusted-ca.pem.digest.sha1 b/jstests/ssl/x509/root-and-trusted-ca.pem.digest.sha1 new file mode 100644 index 00000000000..dbe9e3898af --- /dev/null +++ b/jstests/ssl/x509/root-and-trusted-ca.pem.digest.sha1 @@ -0,0 +1 @@ +F42B9419C2EF9D431D7C0E5061A82902D385203A
\ No newline at end of file diff --git a/jstests/ssl/x509/root-and-trusted-ca.pem.digest.sha256 b/jstests/ssl/x509/root-and-trusted-ca.pem.digest.sha256 new file mode 100644 index 00000000000..2cffe1b5da9 --- /dev/null +++ b/jstests/ssl/x509/root-and-trusted-ca.pem.digest.sha256 @@ -0,0 +1 @@ +21A1C6A87B31AF590F5074EE716F193522B8F540081A5D571B25AE5DF72863E3
\ No newline at end of file diff --git a/jstests/ssl/x509/trusted-client-testdb-roles.pem b/jstests/ssl/x509/trusted-client-testdb-roles.pem index 858ae8a773a..6868581d6ca 100644 --- a/jstests/ssl/x509/trusted-client-testdb-roles.pem +++ b/jstests/ssl/x509/trusted-client-testdb-roles.pem 
@@ -3,53 +3,53 @@ # # Client certificate with X509 role grants via trusted chain. -----BEGIN CERTIFICATE----- -MIIDwzCCAqugAwIBAgIEQvQH6zANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJV +MIIDwzCCAqugAwIBAgIEIEan5jANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJV UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEfMB0GA1UEAwwWVHJ1c3Rl -ZCBLZXJuZWwgVGVzdCBDQTAeFw0yMDAxMDcxNzMxNDhaFw00MDAxMDkxNzMxNDha +ZCBLZXJuZWwgVGVzdCBDQTAeFw0yMjAxMjcyMTU5NDhaFw0yNDA0MzAyMTU5NDha MIGRMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5l dyBZb3JrIENpdHkxEDAOBgNVBAoMB01vbmdvREIxFTATBgNVBAsMDEtlcm5lbCBV c2VyczEuMCwGA1UEAwwlVHJ1c3RlZCBLZXJuZWwgVGVzdCBDbGllbnQgV2l0aCBS -b2xlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPgWO/0KXHIk0KH/ -jePx+uC8M34bx8ncAWvUXKZtaNGkv2+LI0k/1U5ybOTD8kg8tnIMYkquuuG2zeIB -99vq2Ve+3j62PlqR4HDzXTt3M3eYp6muRzNn78yxVRn+eiIrdwbnvr28l3ikUaVV -/u9fsHGZOXto+I6tWSWB7MNEVcPtIu2d8XU2gMrqKfpnG0paUKVWkaKyjUX1DsBL -FUybBbjQj0zK5cUeKoZjSmMtRfqV6ngKmOK4xTBsQ2VKi7AntpALq/knAYU8BaqS -wWbVuj5sJX86tdRGGhZ6QKIODTQENPprFaJhy34qrhRkD+YHy7tQ+7vc1JpGodiu -C7/5K+kCAwEAAaM3MDUwMwYLKwYBBAGCjikCAQEEJDEiMA8MBXJvbGUxDAZ0ZXN0 -REIwDwwFcm9sZTIMBnRlc3REQjANBgkqhkiG9w0BAQsFAAOCAQEAlYR0WB/0yHxM -gvS+hjxQWyRFOJdWcFn0xresIBd4PmQO8cnOz8iuFrg8DKnYroBRFp5tR9VSLFpq -EH5xoEUMYEAGryYNp8jjOqxy6lIFUZIOf5Li0CtnnV2qHqsiq0kLpSEt+SbpGXtt -zS1CkgKwj0VMXwl+3HY73Xj6EVUPqqMf+Frc68S0ey1S7+pgr1fHzFN309tcGt4r -uxDsSAvYJcYTYDj4KaycXovUsIq+kB+E+k5DnbwJYqHErx2r86QCasK9QIE2Eujl -t+sBpj8JIObPdpsxEiQ9r1+lurWhyEB4qrtI8fzys/0yHP+EYvra3+HftHXY/t32 -jZ79J4C3YQ== +b2xlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOpl8u+oSvvW1n2Q +6+XzknlDB1C0zd8ztNiTjOdSD0Nv4OHQX++ft+t3ZFCKq5GM61LcDKoa6tKr3QXf +lnHl1Ywz0swOXJ1L/FJuyM4FugSCpcWrD/zMPylrxTGWGW5YiiiwBvzh6ZZ40dVM +VlP3oXcbl96/7EufJNYRYJVOQxMw+T4elZCC4J/keMb33daluwckouOSmOrQu9lx +8croX81+uHUiHuTLH5XlIlLi/Z8BjuPwXt5JSxmHnc4cBhAC1fHjEDr/u85vfdTe +5tn2PIdA9o5dOsU+IqNbvdW5KZ74G44QlRyGr8roj1SwHfIHvNZDYxrC2uXhOKoK 
+1tRv11UCAwEAAaM3MDUwMwYLKwYBBAGCjikCAQEEJDEiMA8MBXJvbGUxDAZ0ZXN0 +REIwDwwFcm9sZTIMBnRlc3REQjANBgkqhkiG9w0BAQsFAAOCAQEAaEL9nJI66Qec +7KnKysAi/uaEKIajs86bnb/nkUQJxDSEOb/YDi41LQ2D2+MX52b26GD4rUAHvkjU +hHzCHprc2mgjWm0J7jCY8dlqj7ka9g5SWi56gDRfjSjuAOV93+Q4Ty/kAFLBIy8H +z0v7ed+a14i6NHqAmZAXVx61zI6nZgDhN8kcuvJICQKTWk8rVp9Cv/OhntIJgU7z +Lqqdn7eSOnwYllVG18dsQHOea6f6aCicbLDZgbSOnSPowhxMaPiIfq+WXXo1YiPl +kRHxE9OVYuGaT7qTQoda/SNfotRNJ6ApbGZLjtCr3mVA0LoK8e2HWFmNqRIUUx37 +zecLCwDx3g== -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- -MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQD4Fjv9ClxyJNCh -/43j8frgvDN+G8fJ3AFr1FymbWjRpL9viyNJP9VOcmzkw/JIPLZyDGJKrrrhts3i -Affb6tlXvt4+tj5akeBw8107dzN3mKeprkczZ+/MsVUZ/noiK3cG5769vJd4pFGl -Vf7vX7BxmTl7aPiOrVklgezDRFXD7SLtnfF1NoDK6in6ZxtKWlClVpGiso1F9Q7A -SxVMmwW40I9MyuXFHiqGY0pjLUX6lep4CpjiuMUwbENlSouwJ7aQC6v5JwGFPAWq -ksFm1bo+bCV/OrXURhoWekCiDg00BDT6axWiYct+Kq4UZA/mB8u7UPu73NSaRqHY -rgu/+SvpAgMBAAECggEALVaa5fajyHRz8HcsrjDF4ZZjbrOTApADbnpj6EJseou6 -NJ9f9n4E9I4y2mf4+jymNxeOSwm9u4xV+ezUKEu2JrQKF7nkkVbBhsLjEgAJ1tx+ -H6Nq/bkL+QObguGf3mjFGuz1TeWOZQzaovWhXovFSi1vdN9NNX32ocUpyNHPPrvW -nc3Gun/hws4qWwBFpR+8fzMHPJc/NCwZpDRoJl0yXEAkGTKtIEGEJ7tlWLSb5Bz2 -5N0Dkn2S3t8uozPIuv0rjdYd1t+FfOUUAZGI09LCIu9ndBYO6Vj+Vh99xedZ2oBa -9lHQp3vhLaCXg7O3bY3ac9BIOwdAqcbWAJV/oQl5gQKBgQD90geToF81xZYgLZoU -iU8RRUSmdurZtNirDkMU+/u5Fwu7yn8M53l++TPP76Hi1yGP9803LwIXNXfyg+sb -BRAPJg+bJ8N6m1vFdfg509oqlrzoxnmulwBshqt5HbpiOjYAc1cSOpYSXGJjHoFL -+Au4MRsfDh5RhT1zrUT11+6ZEQKBgQD6N5nGaPOsLHdYXk2//yZF1Ol9kl3L0VWM -XT0F9m/KSCg1kSf+2XCt1U/b1JsrjMTOZWVHNV3yebPs9/pR2ffmyeXtySFuEVeb -ZVNSxaCSVVbTJL9W+mpXdqzcTj9IL9tMN6J5PE8eQ6pjG299sBmdj5S92a3uoxQr -5RmGn36lWQKBgQCix4XQaXNmGteSv2wna3/nxZKnZ3BqOo8R9M2UsZ3YMC14O/+L -GRBUHCHcYwRhZDLED9nuYBlpJQNN5shqxa5s6K3thWzaPrR2SJfvDizGT3HLny3+ -iBzffOaPgD8+K7LiSxY2PJhuIg1/H9swC14IvIV2Pym2gkrM2vx05gzA4QKBgQCW -FmngEK4xVY7U6+Q5SYQcmSThVL18d3mYM4laHUNbE8NCtmpGPQmQzAYV98aH7e1T -XJDOkN1kh8n8V5bIKDXCMtL/ugiabD6fkLzVRoQVoqjtB/rZ4mWNRztS/oCI/WPO 
-qQSFMj7HCZGX1yoeO1ZyI2D2LC9fmGSOG+Me1Gb0KQKBgQCZazY6Wb7HPO50HnN3 -e3QrT9VE1PKLW6dWpokdYzq2ISnX8ZBeKvMBX+TpKASduNVXK5shsuNqjMAeXtVk -V90P2QkgswCoUlgiaxKby7jBqDIO9CsLt0erQ328WUsf9mgk18CmCc42EWBPuQv7 -WTykB3JVLPGKjKcZVI4PP91yAw== +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDqZfLvqEr71tZ9 +kOvl85J5QwdQtM3fM7TYk4znUg9Db+Dh0F/vn7frd2RQiquRjOtS3AyqGurSq90F +35Zx5dWMM9LMDlydS/xSbsjOBboEgqXFqw/8zD8pa8UxlhluWIoosAb84emWeNHV +TFZT96F3G5fev+xLnyTWEWCVTkMTMPk+HpWQguCf5HjG993WpbsHJKLjkpjq0LvZ +cfHK6F/Nfrh1Ih7kyx+V5SJS4v2fAY7j8F7eSUsZh53OHAYQAtXx4xA6/7vOb33U +3ubZ9jyHQPaOXTrFPiKjW73VuSme+BuOEJUchq/K6I9UsB3yB7zWQ2Mawtrl4Tiq +CtbUb9dVAgMBAAECggEAXvcfDenpN087Z3QnnuqoFWkKtbALGLsiMfzVwYKFnJTf +T53UwIi9QzED+32zNS0ayl9M4j41lVT8Hz0O/uZXNo5ogTPwYeo/OEaaJJ49V0Z3 +UzaTK6C0lluLcSOW+hX1I7btndcJhGU+3mQnNa3GRTNwvFaVra20huZTcypaEpOm +Xxo26QcJFloaMm2n7HAuO756HXd+63SqoQubMQxGFBga76H3ep3WTTgFR6VBejfb +brdXwT0/uS/0rQ9hkcs/RFfqZqsI8ADXhqhu7aO1+xu5cdzGN6Oa6NKnh3tLX52v +MQxurnWBIkZNKEczqfVwGWSnwdTlymS11ohleOGrAQKBgQD57xw9fU1VjZ5u4d7Q +IYQTcBGEf4EHzmJNcXmvz5U98UmrVCuH0TGgMlUUs4LcdvPBbOhW74cfYXPSDQVF +Afig77BGCn1o3/6T2VgYBJqf9OAMZC+mnMhEuWUcyCYTwmh8v/qHfuJbcADGtQ5B +05OXKBkjtrBWTbdekis90mk52QKBgQDwFk/Nq2jkff7q/6HwiBXnphHnvl/QLSJl +3dgNkICl+7HIVHCe+hhLEG5SlNx0drchFuYH2ZN/MMqeWju2oXgcBZmeULKct5VT +Hii7B3fOkILPCaVJTDtgYMUHsdZ4j+HG7PsjB8/V8DzdijmKMaYb0ZmJmy01ipBv +T8+XwvC/3QKBgQCJR4HOcG2yyTe1ldDJpy8hchPdIB+iRwUNnn+FRtKllEuvlGrY +jdnhMOQ0m6kMKTYYDxbK8YPZg7CXNlmnnr6OvzimMArUOPxe/yl4/8Zih6EsjTbz +H/iMbvyPw4vOnKDBrL0SAWqZaLq0aixrkafmhbrRN/5BWSyYAFdJ/LGZeQKBgDJt +LUPQfc6IHDO1j4javGcUPWyEUtGBuVjV+JwYvryeGeAuxBzQAKw7fkCAHbGkgaBE +k/oQG+e6EsShxSr9zSFtl69l2a4K7SUxD3MBBYvwVFkx+HJlvY7npFqSYq6d4dkL +S1A3QtL3i4EomB9LgE0Vf/8kBaHaQa3vgHWqrzBNAoGBAKgqghZTroNcX91Mqu0p +iriLMkiDqJkzehD9XQMhOjMfoGxyMoYFmrvo5UHSOEl6ztMFBwR5j6S8hwDHolXr +wiz0kqRQwivrHN2O613S0Ruis17cvhe0GfMJs+3fCpN8Hu3Wb3d3O1PZ6khjORTy +Mo9z1LS8fe+6pqKSMPvL24Jp -----END PRIVATE KEY----- 
diff --git a/jstests/ssl/x509/trusted-client-testdb-roles.pem.digest.sha1 b/jstests/ssl/x509/trusted-client-testdb-roles.pem.digest.sha1
new file mode 100644
index 00000000000..dd30990811e
--- /dev/null
+++ b/jstests/ssl/x509/trusted-client-testdb-roles.pem.digest.sha1
@@ -0,0 +1 @@
+80AA73D8FFE6C854A357A836C4657D7C03480011
\ No newline at end of file
diff --git a/jstests/ssl/x509/trusted-client-testdb-roles.pem.digest.sha256 b/jstests/ssl/x509/trusted-client-testdb-roles.pem.digest.sha256
new file mode 100644
index 00000000000..f209638b231
--- /dev/null
+++ b/jstests/ssl/x509/trusted-client-testdb-roles.pem.digest.sha256
@@ -0,0 +1 @@
+C02BAD2324CEB0793749AAF4C01CC35B58525BFE00D683B558B4A6E5BF9C2406
\ No newline at end of file
diff --git a/jstests/ssl/x509_expiring.js b/jstests/ssl/x509_expiring.js
index 526ffb3ed6d..8b7782d1c5d 100644
--- a/jstests/ssl/x509_expiring.js
+++ b/jstests/ssl/x509_expiring.js
@@ -52,6 +52,9 @@ function test(expiration, expect) {
 MongoRunner.stopMongod(mongo);
 }
 
-test(30, false);
+assert.doesNotThrow(
+ () => test(100, false),
+ [],
+ "If this fails, the server.pem certificate is expiring soon (<= 100 days) -- this is bad! Please file a ticket with the server security team to renew testing certificates.");
 test(7300, true); // Work so long as certs expire no more than 20 years from now
 })();
diff --git a/jstests/ssl/x509_startup_certificate_info.js b/jstests/ssl/x509_startup_certificate_info.js
index 1c66c74b60b..0fece9c4ce1 100644
--- a/jstests/ssl/x509_startup_certificate_info.js
+++ b/jstests/ssl/x509_startup_certificate_info.js
@@ -15,16 +15,16 @@ const SERVER_CERT_INFO = {
 "type": "Server",
 "subject": "CN=server,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US",
 "issuer": "CN=Kernel Test CA,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US",
- "thumbprint": "BF2E341D28D7CEAADA534A11D75189D4ECABB551"
+ "thumbprint": cat(SERVER_CERT + ".digest.sha1")
 };
 const CLUSTER_CERT_INFO = {
 "type": "Cluster",
 "subject": "CN=clustertest,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US",
 "issuer": "CN=Kernel Test CA,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US",
- "thumbprint": "FD85F9F6F380EE53F46F497253453731DC885335"
+ "thumbprint": cat(CLUSTER_CERT + ".digest.sha1")
 };
 const CRL_INFO = {
- "thumbprint": "551FEF8D916CE363E5488AD7F4BD60E3D1EC2BD8"
+ "thumbprint": cat(CRL_FILE + ".digest.sha1")
 };
 
 function runTest(checkMongos, |
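Review bot: The comment on `test(7300, true)` still describes the fixtures as valid for up to 20 years, but the certificates regenerated in this commit are far shorter-lived — the validity fields in the trusted-client-testdb-roles.pem hunk above decode to roughly 2022-01-27 through 2024-04-30 — so the comment no longer explains what the new 100-day warning is guarding against. Suggest `test(7300, true);  // Upper bound only; the fixtures regenerated for SERVER-56346 are valid for ~825 days, see the 100-day early warning above`. The `assert.doesNotThrow` message names only server.pem, while `test` (defined outside the hunk) is what decides which certificate is examined; if the other fixtures from this change share the same expiry date, they get no warning from this suite, which is worth stating in the message or covering with a second call. Formatting the 190-character message as one line also reads poorly in the failure output; splitting it across two string literals would keep it within the file's line width.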
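Review bot: The three `cat(... + ".digest.sha1")` lines use the sidecar contents verbatim as the expected thumbprint, so any trailing newline or whitespace in a digest file will make the comparison fail with an unhelpful mismatch; the digest sidecars added in this commit (the trusted-client-testdb-roles ones above) are written without a final newline, but an editor or tool touching them later will add one. Suggest `"thumbprint": cat(SERVER_CERT + ".digest.sha1").trim()` and the same `.trim()` on the CLUSTER_CERT and CRL_FILE lines. A one-line comment on SERVER_CERT_INFO such as `// Expected thumbprints are read from the .digest.sha1 sidecars regenerated alongside each certificate, not pinned here.` would also make it clear that the test no longer carries an independent known-good value. How `cat` behaves when a sidecar is missing is not visible here; if it throws, the failure surfaces at module load rather than inside runTest, which starts outside the hunk.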