SERVER-35418 Allow specifying CAs for incoming and outgoing connections separately

1 files changed, 82 insertions, 0 deletions

diff --git a/jstests/ssl/ssl_cluster_ca.js b/jstests/ssl/ssl_cluster_ca.js
new file mode 100644
index 00000000000..38b9026455d
--- /dev/null
+++ b/jstests/ssl/ssl_cluster_ca.js
@@ -0,0 +1,82 @@
+// Verify certificates and CAs between intra-cluster
+// and client->server communication using different CAs.
+
+(function() {
+    "use strict";
+
+    function testRS(opts, succeed) {
+        const origSkipCheck = TestData.skipCheckDBHashes;
+        const rsOpts = {
+            // Use localhost so that SAN matches.
+            useHostName: false,
+            nodes: {node0: opts, node1: opts},
+        };
+        const rs = new ReplSetTest(rsOpts);
+        rs.startSet();
+        if (succeed) {
+            rs.initiate();
+            assert.commandWorked(rs.getPrimary().getDB('admin').runCommand({isMaster: 1}));
+        } else {
+            assert.throws(function() {
+                rs.initiate();
+            });
+            TestData.skipCheckDBHashes = true;
+        }
+        rs.stopSet();
+        TestData.skipCheckDBHashes = origSkipCheck;
+    }
+
+    // The name "trusted" in these certificates is misleading.
+    // They're just a separate trust chain from the ones without the name.
+    // ca.pem signed client.pem and server.pem
+    // trusted-ca.pem signed trusted-client.pem and trusted-server.pem
+    const valid_options = {
+        tlsMode: 'requireTLS',
+        // Servers present trusted-server.pem to clients and each other for inbound connections.
+        // Peers validate trusted-server.pem using trusted-ca.pem when making those connections.
+        tlsPEMKeyFile: 'jstests/libs/trusted-server.pem',
+        tlsCAFile: 'jstests/libs/trusted-ca.pem',
+        // Servers making outbound connections to other servers present server.pem to their peers
+        // which their peers validate using ca.pem.
+        tlsClusterFile: 'jstests/libs/server.pem',
+        tlsClusterCAFile: 'jstests/libs/ca.pem',
+        // SERVER-36895: IP based hostname validation with SubjectAlternateName
+        tlsAllowInvalidHostnames: '',
+    };
+
+    testRS(valid_options, true);
+
+    const wrong_cluster_file =
+        Object.assign({}, valid_options, {tlsClusterFile: valid_options.tlsPEMKeyFile});
+    testRS(wrong_cluster_file, false);
+
+    const wrong_key_file =
+        Object.assign({}, valid_options, {tlsPEMKeyFile: valid_options.tlsClusterFile});
+    testRS(wrong_key_file, false);
+
+    const mongod = MongoRunner.runMongod(valid_options);
+    assert(mongod, "Failed starting standalone mongod with alternate CA");
+
+    function testConnect(cert, succeed) {
+        const mongo = runMongoProgram("mongo",
+                                      "--host",
+                                      "localhost",
+                                      "--port",
+                                      mongod.port,
+                                      "--tls",
+                                      "--tlsCAFile",
+                                      valid_options.tlsCAFile,
+                                      "--tlsPEMKeyFile",
+                                      cert,
+                                      "--eval",
+                                      ";");
+
+        // runMongoProgram returns 0 on success
+        assert.eq(mongo === 0, succeed);
+    }
+
+    testConnect('jstests/libs/client.pem', true);
+    testConnect('jstests/libs/trusted-client.pem', false);
+
+    MongoRunner.stopMongod(mongod);
+}());