authorPatrick Freed <patrick.freed@mongodb.com>2018-10-25 12:24:27 -0400
committerPatrick Freed <patrick.freed@mongodb.com>2018-11-02 18:46:38 -0400
commitd7ac4da9c4167a55040986502af0451736e7f94d (patch)
treeb730dced580eb5d1a661917ecc3d46d2c85d7b87
parentb2f8859fbb0fd0aaaf96dcd1451df3b9844c2eb1 (diff)
SERVER-36619 Test that ECDSA certificates can be loaded by OpenSSL on Linux
-rw-r--r--jstests/libs/README.ssl17
-rw-r--r--jstests/libs/ecdsa-ca.pem21
-rw-r--r--jstests/libs/ecdsa-client.pem20
-rw-r--r--jstests/libs/ecdsa-server.pem21
-rw-r--r--jstests/sslSpecial/ssl_ecdsa_cert.js73
5 files changed, 152 insertions, 0 deletions
diff --git a/jstests/libs/README.ssl b/jstests/libs/README.ssl
index 1e230e730ff..662f64aed18 100644
--- a/jstests/libs/README.ssl
+++ b/jstests/libs/README.ssl
@@ -17,7 +17,24 @@ cat client-multivalue-rdn.rsa >> client-multivalue-rdn.pem
rm ca.srl client-multivalue-rdn.key client-multivalue-rdn.rsa client-multivalue-rdn.csr
---------------------------
+ecdsa-*.pem are ECDSA signed certificates:
+generate an ec-key (from a well known curve)
+opensl ecparam -name prime256v1 -genkey -out mykey.key
+
+create certificate request
+openssl req -new -key mykey.key -out mycsr.csr
+
+sign key and generate certificate
+openssl x509 -req -days 3650 -in mycsr.csr -CA ecdsa-ca.pem -CAcreateserial -out mycrt.crt -sha256
+
+to include SANs in the certificate, instead run
+openssl x509 -req -days 3650 -in mycsr.csr -CA ecdsa-ca.pem -CAcreateserial -out mycrt.crt -sha256 -extfile <(printf "subjectAltName=DNS:localhost,DNS:127.0.0.1")
+
+combine key and certificate
+cat mycrt.crt mykey.key > mycrt.pem
+
+---------------------------
The other ceriticates in this directory come from x509gen.
How to generate a certificate with a custom extension:
diff --git a/jstests/libs/ecdsa-ca.pem b/jstests/libs/ecdsa-ca.pem
new file mode 100644
index 00000000000..52a4b6fd176
--- /dev/null
+++ b/jstests/libs/ecdsa-ca.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICDkg88rvrXbLraE9onHxLqiM/lZfPQmF9imdRxn0PEmoAoGCCqGSM49
+AwEHoUQDQgAEOqInSl1ffZi2dr2PJZ9ACvo4lfwwglKkXIv88ugqfPidLUjmZHw8
+GAiSHAia1+Say4zfPsyVAEPc2+e8iA3OHw==
+-----END EC PRIVATE KEY-----
diff --git a/jstests/libs/ecdsa-client.pem b/jstests/libs/ecdsa-client.pem
new file mode 100644
index 00000000000..85a7d307a75
--- /dev/null
+++ b/jstests/libs/ecdsa-client.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIB2jCCAYACCQDUHZcp0QFLGDAKBggqhkjOPQQDAjB6MQswCQYDVQQGEwJVUzER
+MA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAOBgNV
+BAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEdMBsGA1UEAwwUS2VybmVsIFRl
+c3QgRUNEU0EgQ0EwHhcNMTgxMDMxMTkxODU1WhcNMjgwOTA4MTkxODU1WjBwMQsw
+CQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3Jr
+IENpdHkxEDAOBgNVBAoMB01vbmdvREIxEzARBgNVBAsMCktlcm5lbFVzZXIxDzAN
+BgNVBAMMBmNsaWVudDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAxWH+JnRAse
+/tFcLWtvvVafhUdfAGhekDe7YYb41EvLAJ4cYfOmzo3Xupe0KV4imdex5NF1h9NF
+Z1Rj94MoJ2swCgYIKoZIzj0EAwIDSAAwRQIhAJjhlitdry0Dpp4/+hPlXSTpPQxD
+Nc8W/lq7lYTp3t17AiALAaCGpv8ypXKdsZ78VbBwoJTBG3Im3VDWSXXg9OgKOw==
+-----END CERTIFICATE-----
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICsg94elnhBB3tNjafmNHSA4mz+HBnMA9+YCRiFxTwygoAoGCCqGSM49
+AwEHoUQDQgAEDFYf4mdECx7+0Vwta2+9Vp+FR18AaF6QN7thhvjUS8sAnhxh86bO
+jde6l7QpXiKZ17Hk0XWH00VnVGP3gygnaw==
+-----END EC PRIVATE KEY-----
diff --git a/jstests/libs/ecdsa-server.pem b/jstests/libs/ecdsa-server.pem
new file mode 100644
index 00000000000..0936054e087
--- /dev/null
+++ b/jstests/libs/ecdsa-server.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIKeM/3L3DVhJeF24lRBuit+0raA77L3QF/AyaD8YWmXKoAoGCCqGSM49
+AwEHoUQDQgAElK8uF+kWfzGvs+i2TULZSr4wch+qgwtvUWYsStOLTr6SsezdmdUR
+Hxp1q+On+uz4mQS/McLj9J8gOKKSZLPUOg==
+-----END EC PRIVATE KEY-----
diff --git a/jstests/sslSpecial/ssl_ecdsa_cert.js b/jstests/sslSpecial/ssl_ecdsa_cert.js
new file mode 100644
index 00000000000..000b042b319
--- /dev/null
+++ b/jstests/sslSpecial/ssl_ecdsa_cert.js
@@ -0,0 +1,73 @@
+load('jstests/ssl/libs/ssl_helpers.js');
+
+const test = () => {
+ "use strict";
+
+ const ECDSA_CA_CERT = 'jstests/libs/ecdsa-ca.pem';
+ const ECDSA_CLIENT_CERT = 'jstests/libs/ecdsa-client.pem';
+ const ECDSA_SERVER_CERT = 'jstests/libs/ecdsa-server.pem';
+
+ const CLIENT_USER = 'CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US';
+
+ print('Testing if platform supports usage of ECDSA certificates');
+ const tlsOptions = {
+ tlsMode: 'preferTLS',
+ tlsPEMKeyFile: ECDSA_SERVER_CERT,
+ tlsCAFile: ECDSA_CA_CERT,
+ ipv6: '',
+ bind_ip_all: '',
+ waitForConnect: true,
+ tlsAllowConnectionsWithoutCertificates: "",
+ };
+
+ let mongod = MongoRunner.runMongod(tlsOptions);
+
+ // Verify we can connect
+ assert.eq(0,
+ runMongoProgram('mongo',
+ '--tls',
+ '--tlsCAFile',
+ ECDSA_CA_CERT,
+ '--port',
+ mongod.port,
+ '--eval',
+ 'db.isMaster()'),
+ "mongo did not initialize properly");
+
+ // Add an X509 user
+ const addUserCmd = {createUser: CLIENT_USER, roles: [{role: 'root', db: 'admin'}]};
+ assert.commandWorked(mongod.getDB('$external').runCommand(addUserCmd),
+ 'Failed to create X509 user using ECDSA certificates');
+
+ const command = function() {
+ assert(db.getSiblingDB('$external').auth({mechanism: 'MONGODB-X509', user: "CLIENT_USER"}));
+
+ const connStatus = db.getSiblingDB('admin').runCommand({connectionStatus: 1});
+ assert(connStatus.authInfo.authenticatedUsers[0].user === "CLIENT_USER");
+ };
+
+ // Verify we can authenticate via X509
+ assert.eq(
+ 0,
+ runMongoProgram('mongo',
+ '--tls',
+ '--tlsPEMKeyFile',
+ ECDSA_CLIENT_CERT,
+ '--tlsCAFile',
+ ECDSA_CA_CERT,
+ '--port',
+ mongod.port,
+ '--eval',
+ '(' + command.toString().replace(/CLIENT_USER/g, CLIENT_USER) + ')();'),
+ "ECDSA X509 authentication failed");
+ MongoRunner.stopMongod(mongod);
+};
+
+const EXCLUDED_BUILDS = ['amazon', 'amzn64'];
+if (EXCLUDED_BUILDS.includes(buildInfo().buildEnvironment.distmod)) {
+ print("*****************************************************");
+ print("Skipping test because Amazon Linux does not support ECDSA certificates");
+ print("*****************************************************");
+} else {
+ requireSSLProvider('openssl', test);
+}
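Review bot: `MongoRunner.stopMongod(mongod)` at the end of `test` only runs when every preceding assertion passes, so a failed connect or X509 auth assertion can leave the ECDSA mongod running; wrap everything after `MongoRunner.runMongod(tlsOptions)` in `try { … } finally { MongoRunner.stopMongod(mongod); }`, at which point `mongod` can be declared `const` since it is never reassigned. The `command.toString().replace(/CLIENT_USER/g, CLIENT_USER)` substitution that builds the `--eval` string works only because the DN constant contains no quotes or backslashes; a comment stating that assumption next to the substitution would protect whoever next edits `CLIENT_USER`. The file also has no header comment; a line such as `// SERVER-36619: verify that mongod and the shell can load ECDSA certificates and authenticate via MONGODB-X509 where the OpenSSL provider supports them.` at the top would record the intent the commit title gives.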