authorJonathan Reams <jbreams@mongodb.com>2019-05-10 10:43:42 -0400
committerJonathan Reams <jbreams@mongodb.com>2019-05-20 15:59:18 -0400
commitfae0c3f0fa4d5dfbe2f4fb03715b60e9ce3e2d93 (patch)
tree53ba77cbc82b4b87017f22102e6cd6cc94331867 /src/mongo/util
parent31967340abb31476910730163c04782f2e915d01 (diff)
downloadmongo-fae0c3f0fa4d5dfbe2f4fb03715b60e9ce3e2d93.tar.gz
SERVER-40841 Re-issue invalid test certificates
Diffstat (limited to 'src/mongo/util')
-rw-r--r--src/mongo/util/SConscript4
-rw-r--r--src/mongo/util/net/ssl_manager.cpp12
-rw-r--r--src/mongo/util/net/ssl_manager.h9
-rw-r--r--src/mongo/util/net/ssl_manager_windows.cpp30
-rw-r--r--src/mongo/util/password.cpp6
-rw-r--r--src/mongo/util/password_params.idl41
6 files changed, 94 insertions, 8 deletions
diff --git a/src/mongo/util/SConscript b/src/mongo/util/SConscript
index 2b51a005942..016a799b15c 100644
--- a/src/mongo/util/SConscript
+++ b/src/mongo/util/SConscript
@@ -661,10 +661,14 @@ env.Library(
target='password',
source=[
'password.cpp',
+ env.Idlc('password_params.idl')[0],
],
LIBDEPS=[
'$BUILD_DIR/mongo/base',
],
+ LIBDEPS_PRIVATE=[
+ '$BUILD_DIR/mongo/idl/server_parameter',
+ ]
)
env.CppUnitTest(
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index 3e69faa8437..56b5911e3f6 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -285,13 +285,6 @@ std::pair<std::string, RFC4514Parser::ValueTerminator> RFC4514Parser::extractVal
const auto getTLSVersionCounts = ServiceContext::declareDecoration<TLSVersionCounts>();
-// These represent the ASN.1 type bytes for strings used in an X509 DirectoryString
-constexpr int kASN1UTF8String = 12;
-constexpr int kASN1PrintableString = 19;
-constexpr int kASN1TeletexString = 20;
-constexpr int kASN1UniversalString = 28;
-constexpr int kASN1BMPString = 30;
-constexpr int kASN1OctetString = 4;
void canonicalizeClusterDN(std::vector<std::string>* dn) {
// remove all RDNs we don't care about
@@ -584,6 +577,7 @@ Status SSLX509Name::normalizeStrings() {
case kASN1TeletexString:
case kASN1UniversalString:
case kASN1BMPString:
+ case kASN1IA5String:
case kASN1OctetString: {
// Technically https://tools.ietf.org/html/rfc5280#section-4.1.2.4 requires
// that DN component values must be at least 1 code point long, but we've
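Review bot: The added `case kASN1IA5String:` joins the fall-through list without saying why it belongs with the DirectoryString alternatives, and the RFC 5280 §4.1.2.4 comment that follows only describes DirectoryString. A one-line comment would save the next reader a lookup: `// IA5String is not a DirectoryString choice, but it is how emailAddress (PKCS#9) is encoded in a DN; it is an ASCII subset, so re-tagging it as UTF8String is lossless.` normalizeStrings starts before this hunk and continues after it.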
@@ -602,6 +596,10 @@ Status SSLX509Name::normalizeStrings() {
entry.type = kASN1UTF8String;
break;
}
+ default:
+ LOG(1) << "Certificate subject name contains unknown string type: "
+ << entry.type << " (string value is \"" << entry.value << "\")";
+ break;
}
}
}
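Review bot: The new `default:` branch leaves `entry.type` and `entry.value` untouched and only logs at severity 1, which is off in a default configuration, so a subject containing an unrecognized value type passes normalizeStrings with an OK Status and reaches whatever comparison the caller performs with an entry that was never normalized. If such entries are meant to be tolerated, a comment saying so would help; otherwise this is the place to fail, e.g. `return {ErrorCodes::InvalidSSLConfiguration, str::stream() << "Unrecognized ASN.1 string type " << entry.type << " in certificate subject name"};`. The log line also echoes `entry.value` from a peer-supplied certificate even though its encoding is by definition unknown at this point, so it may not be valid UTF-8; omitting the value or hex-encoding it would be safer for the log. normalizeStrings starts before this hunk and its return statement is outside it.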
diff --git a/src/mongo/util/net/ssl_manager.h b/src/mongo/util/net/ssl_manager.h
index 4a58c388a66..859f671d24b 100644
--- a/src/mongo/util/net/ssl_manager.h
+++ b/src/mongo/util/net/ssl_manager.h
@@ -137,6 +137,15 @@ private:
std::vector<SSLX509Name::Entry> _canonicalServerSubjectName;
};
+// These represent the ASN.1 type bytes for strings used in an X509 DirectoryString
+constexpr int kASN1BMPString = 30;
+constexpr int kASN1IA5String = 22;
+constexpr int kASN1OctetString = 4;
+constexpr int kASN1PrintableString = 19;
+constexpr int kASN1TeletexString = 20;
+constexpr int kASN1UTF8String = 12;
+constexpr int kASN1UniversalString = 28;
+
/**
* Stores information about a globally unique OID.
*/
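Review bot: The comment on the new constants calls them the string types used in an X509 DirectoryString, but two of the listed tags are not DirectoryString alternatives: RFC 5280 defines DirectoryString as TeletexString, PrintableString, UniversalString, UTF8String and BMPString, while IA5String is the encoding of emailAddress (PKCS#9) in a DN and OctetString is not a character-string type at all. Suggest `// ASN.1 universal tag numbers for the value types accepted in an X.509 DN attribute: the DirectoryString choices (RFC 5280 §4.1.2.4) plus IA5String (emailAddress) and OctetString.` Since these now live in a header and are presumably compared against the tags the TLS backends report, a sentence noting that they are wire values and must not be renumbered would also be worthwhile.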
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index 79610013d7f..db9816d2683 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -1468,7 +1468,35 @@ StatusWith<SSLX509Name> getCertificateSubjectName(PCCERT_CONTEXT cert) {
const_cast<wchar_t*>(wstr.data()),
needed);
invariant(needed == converted);
- rdn.emplace_back(rdnAttribute.pszObjId, rdnAttribute.dwValueType, toUtf8String(wstr));
+
+ // The value of rdnAttribute.dwValueType is not actually the asn1 type id, it's
+ // a Microsoft-specific value. We convert the types for a valid directory string
+ // here so other non-windows parts of the SSL stack can safely compare SSLX509Name's
+ // later.
+ int asn1Type = rdnAttribute.dwValueType & CERT_RDN_TYPE_MASK;
+ switch (asn1Type) {
+ case CERT_RDN_UTF8_STRING:
+ case CERT_RDN_UNICODE_STRING: // This is the same value as CERT_RDN_BMP_STRING
+ asn1Type = kASN1UTF8String;
+ break;
+ case CERT_RDN_PRINTABLE_STRING:
+ asn1Type = kASN1PrintableString;
+ break;
+ case CERT_RDN_TELETEX_STRING:
+ asn1Type = kASN1TeletexString;
+ break;
+ case CERT_RDN_UNIVERSAL_STRING:
+ asn1Type = kASN1UniversalString;
+ break;
+ case CERT_RDN_OCTET_STRING:
+ asn1Type = kASN1OctetString;
+ break;
+ case CERT_RDN_IA5_STRING:
+ asn1Type = kASN1IA5String;
+ break;
+ }
+
+ rdn.emplace_back(rdnAttribute.pszObjId, asn1Type, toUtf8String(wstr));
}
entries.push_back(std::move(rdn));
}
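Review bot: The switch that maps `rdnAttribute.dwValueType` to an ASN.1 tag has no `default:`, so any CERT_RDN_* value not listed (numeric, videotex, graphic, visible or general strings, for instance) is stored in `rdn` unchanged and later read as if it were an ASN.1 tag; because the Microsoft values are small integers that overlap the ASN.1 tag space, such an entry may be misidentified rather than reported as unknown. Suggest a `default:` that fails the conversion, e.g. `default: return Status(ErrorCodes::InvalidSSLConfiguration, str::stream() << "Unsupported RDN value type " << asn1Type);`, or at least stores a sentinel the non-Windows normalization code will reject. Whether any of the flag bits removed by `CERT_RDN_TYPE_MASK` affect how the value should be interpreted is not visible here and worth confirming. getCertificateSubjectName starts before this hunk and continues after it.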
diff --git a/src/mongo/util/password.cpp b/src/mongo/util/password.cpp
index bdf7150768e..a9d32b75495 100644
--- a/src/mongo/util/password.cpp
+++ b/src/mongo/util/password.cpp
@@ -40,12 +40,18 @@
#endif
#include "mongo/util/log.h"
+#include "mongo/util/password_params_gen.h"
namespace mongo {
std::string askPassword() {
std::string password;
std::cerr << "Enter password: ";
+
+ if (newLineAfterPasswordPromptForTest) {
+ std::cerr << "\n";
+ }
+
#ifndef _WIN32
const int stdinfd = 0;
termios termio;
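Review bot: The new branch in askPassword carries no comment, and its purpose is only discoverable by opening the IDL file; a short why-comment next to it would help: `// Test hook: tests scrape stderr for the prompt, and the newline makes it visible before the read below blocks.` Whether the parameter is gated as test-only at registration is not visible in this hunk. askPassword continues past the end of the hunk.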
diff --git a/src/mongo/util/password_params.idl b/src/mongo/util/password_params.idl
new file mode 100644
index 00000000000..1723680321a
--- /dev/null
+++ b/src/mongo/util/password_params.idl
@@ -0,0 +1,41 @@
+# Copyright (C) 2019-present MongoDB, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the Server Side Public License, version 1,
+# as published by MongoDB, Inc.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# Server Side Public License for more details.
+#
+# You should have received a copy of the Server Side Public License
+# along with this program. If not, see
+# <http://www.mongodb.com/licensing/server-side-public-license>.
+#
+# As a special exception, the copyright holders give permission to link the
+# code of portions of this program with the OpenSSL library under certain
+# conditions as described in each individual source file and distribute
+# linked combinations including the program with the OpenSSL library. You
+# must comply with the Server Side Public License in all respects for
+# all of the code used other than as permitted herein. If you modify file(s)
+# with this exception, you may extend this exception to your version of the
+# file(s), but you are not obligated to do so. If you do not wish to do so,
+# delete this exception statement from your version. If you delete this
+# exception statement from all source files in the program, then also delete
+# it in the license file.
+
+global:
+ cpp_namespace: mongo
+
+server_parameters:
+ newLineAfterPasswordPromptForTest:
+ description: >
+ The askPassword function will print a new line after the "Enter password:" prompt
+ so that tests see the prompt in log output immediately.
+ set_at:
+ - startup
+ cpp_vartype: bool
+ cpp_varname: newLineAfterPasswordPromptForTest
+ default: false
+
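Review bot: newLineAfterPasswordPromptForTest is declared as an ordinary startup server parameter, so production binaries accept it even though its name marks it as test-only. If the IDL in this tree supports the `test_only: true` field for server parameters (which ties the parameter to enableTestCommands), adding it here would keep the knob out of normal deployments at no cost. The effect itself is harmless, an extra newline on stderr, so this is a hygiene point rather than a risk.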