author | Jonathan Reams <jbreams@mongodb.com> | 2019-05-10 10:43:42 -0400 |
---|---|---|
committer | Jonathan Reams <jbreams@mongodb.com> | 2019-05-20 15:59:18 -0400 |
commit | fae0c3f0fa4d5dfbe2f4fb03715b60e9ce3e2d93 (patch) | |
tree | 53ba77cbc82b4b87017f22102e6cd6cc94331867 /src/mongo | |
parent | 31967340abb31476910730163c04782f2e915d01 (diff) | |
download | mongo-fae0c3f0fa4d5dfbe2f4fb03715b60e9ce3e2d93.tar.gz |
SERVER-40841 Re-issue invalid test certificates
Diffstat (limited to 'src/mongo')
-rw-r--r-- | src/mongo/shell/shell_options.cpp | 2 | ||||
-rw-r--r-- | src/mongo/util/SConscript | 4 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager.cpp | 12 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager.h | 9 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_windows.cpp | 30 | ||||
-rw-r--r-- | src/mongo/util/password.cpp | 6 | ||||
-rw-r--r-- | src/mongo/util/password_params.idl | 41 |
7 files changed, 95 insertions, 9 deletions
diff --git a/src/mongo/shell/shell_options.cpp b/src/mongo/shell/shell_options.cpp
index bd20f6bd632..325584765db 100644
--- a/src/mongo/shell/shell_options.cpp
+++ b/src/mongo/shell/shell_options.cpp
@@ -61,7 +61,7 @@ using std::vector; // SERVER-36807: Limit --setShellParameter to SetParameters we know we want to expose. const std::set<std::string> kSetShellParameterWhitelist = { - "disabledSecureAllocatorDomains", + "disabledSecureAllocatorDomains", "newLineAfterPasswordPromptForTest", }; std::string getMongoShellHelp(StringData name, const moe::OptionSection& options) {
diff --git a/src/mongo/util/SConscript b/src/mongo/util/SConscript
index 2b51a005942..016a799b15c 100644
--- a/src/mongo/util/SConscript
+++ b/src/mongo/util/SConscript
@@ -661,10 +661,14 @@ env.Library( target='password', source=[ 'password.cpp', + env.Idlc('password_params.idl')[0], ], LIBDEPS=[ '$BUILD_DIR/mongo/base', ], + LIBDEPS_PRIVATE=[ + '$BUILD_DIR/mongo/idl/server_parameter', + ] ) env.CppUnitTest(
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index 3e69faa8437..56b5911e3f6 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -285,13 +285,6 @@ std::pair<std::string, RFC4514Parser::ValueTerminator> RFC4514Parser::extractVal const auto getTLSVersionCounts = ServiceContext::declareDecoration<TLSVersionCounts>(); -// These represent the ASN.1 type bytes for strings used in an X509 DirectoryString -constexpr int kASN1UTF8String = 12; -constexpr int kASN1PrintableString = 19; -constexpr int kASN1TeletexString = 20; -constexpr int kASN1UniversalString = 28; -constexpr int kASN1BMPString = 30; -constexpr int kASN1OctetString = 4; void canonicalizeClusterDN(std::vector<std::string>* dn) { // remove all RDNs we don't care about 
@@ -584,6 +577,7 @@ Status SSLX509Name::normalizeStrings() { case kASN1TeletexString: case kASN1UniversalString: case kASN1BMPString: + case kASN1IA5String: case kASN1OctetString: { // Technically https://tools.ietf.org/html/rfc5280#section-4.1.2.4 requires // that DN component values must be at least 1 code point long, but we've
@@ -602,6 +596,10 @@ Status SSLX509Name::normalizeStrings() { entry.type = kASN1UTF8String; break; } + default: + LOG(1) << "Certificate subject name contains unknown string type: " + << entry.type << " (string value is \"" << entry.value << "\")"; + break; } } }
diff --git a/src/mongo/util/net/ssl_manager.h b/src/mongo/util/net/ssl_manager.h
index 4a58c388a66..859f671d24b 100644
--- a/src/mongo/util/net/ssl_manager.h
+++ b/src/mongo/util/net/ssl_manager.h
@@ -137,6 +137,15 @@ private: std::vector<SSLX509Name::Entry> _canonicalServerSubjectName; }; +// These represent the ASN.1 type bytes for strings used in an X509 DirectoryString +constexpr int kASN1BMPString = 30; +constexpr int kASN1IA5String = 22; +constexpr int kASN1OctetString = 4; +constexpr int kASN1PrintableString = 19; +constexpr int kASN1TeletexString = 20; +constexpr int kASN1UTF8String = 12; +constexpr int kASN1UniversalString = 28; + /** * Stores information about a globally unique OID. */
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index 79610013d7f..db9816d2683 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
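Review bot: The new `default:` branch in the second hunk (`@@ -602,6 +596,10 @@`) writes `entry.value` into the log verbatim, and for an unknown string type that value is an unnormalized byte string taken straight from a peer-presented certificate, so it may contain non-UTF-8 bytes, control characters or newlines that end up unescaped in the log. A safer form, assuming `value` is a `std::string`, is `LOG(1) << "Certificate subject name contains unknown string type: " << entry.type << " (" << entry.value.size() << " bytes, left unnormalized)";`, or hex-encode the bytes if the content is needed for diagnosis. It is also worth stating in the branch that the entry keeps its original type and will therefore not compare equal to the same name normalized elsewhere; with the message at level 1 that mismatch is otherwise silent. The enclosing function, `SSLX509Name::normalizeStrings()`, starts before the first hunk and ends after the second.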
@@ -1468,7 +1468,35 @@ StatusWith<SSLX509Name> getCertificateSubjectName(PCCERT_CONTEXT cert) { const_cast<wchar_t*>(wstr.data()), needed); invariant(needed == converted); - rdn.emplace_back(rdnAttribute.pszObjId, rdnAttribute.dwValueType, toUtf8String(wstr)); + + // The value of rdnAttribute.dwValueType is not actually the asn1 type id, it's + // a Microsoft-specific value. We convert the types for a valid directory string + // here so other non-windows parts of the SSL stack can safely compare SSLX509Name's + // later. + int asn1Type = rdnAttribute.dwValueType & CERT_RDN_TYPE_MASK; + switch (asn1Type) { + case CERT_RDN_UTF8_STRING: + case CERT_RDN_UNICODE_STRING: // This is the same value as CERT_RDN_BMP_STRING + asn1Type = kASN1UTF8String; + break; + case CERT_RDN_PRINTABLE_STRING: + asn1Type = kASN1PrintableString; + break; + case CERT_RDN_TELETEX_STRING: + asn1Type = kASN1TeletexString; + break; + case CERT_RDN_UNIVERSAL_STRING: + asn1Type = kASN1UniversalString; + break; + case CERT_RDN_OCTET_STRING: + asn1Type = kASN1OctetString; + break; + case CERT_RDN_IA5_STRING: + asn1Type = kASN1IA5String; + break; + } + + rdn.emplace_back(rdnAttribute.pszObjId, asn1Type, toUtf8String(wstr)); } entries.push_back(std::move(rdn)); }
diff --git a/src/mongo/util/password.cpp b/src/mongo/util/password.cpp
index bdf7150768e..a9d32b75495 100644
--- a/src/mongo/util/password.cpp
+++ b/src/mongo/util/password.cpp
@@ -40,12 +40,18 @@ #endif #include "mongo/util/log.h" +#include "mongo/util/password_params_gen.h" namespace mongo { std::string askPassword() { std::string password; std::cerr << "Enter password: "; + + if (newLineAfterPasswordPromptForTest) { + std::cerr << "\n"; + } + #ifndef _WIN32 const int stdinfd = 0; termios termio;
diff --git a/src/mongo/util/password_params.idl b/src/mongo/util/password_params.idl
new file mode 100644
index 00000000000..1723680321a
--- /dev/null
+++ b/src/mongo/util/password_params.idl
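Review bot: The `switch (asn1Type)` in the `getCertificateSubjectName` hunk has no `default:`, so any Windows value type it does not list (wincrypt.h also defines, for example, `CERT_RDN_NUMERIC_STRING`, `CERT_RDN_VISIBLE_STRING` and `CERT_RDN_GENERAL_STRING`) leaves `asn1Type` holding the masked Microsoft enumerant, which is then stored in the entry as if it were an ASN.1 tag. The comment above the switch promises the stored type is an ASN.1 id, so the non-Windows normalization code would, I believe, treat that leftover value as an unknown tag and log a number that is not actually an ASN.1 type, which is misleading when debugging a subject-name mismatch. If the log macros used in ssl_manager.cpp are available in this file, a `default:` of the form `LOG(1) << "Unmapped RDN value type " << rdnAttribute.dwValueType << " for OID " << rdnAttribute.pszObjId;` followed by `break;` would make the gap visible; at minimum the comment should say that unlisted types are passed through unconverted. The enclosing function starts and ends outside the hunk.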
@@ -0,0 +1,41 @@ +# Copyright (C) 2019-present MongoDB, Inc. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the Server Side Public License, version 1, +# as published by MongoDB, Inc. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# Server Side Public License for more details. +# +# You should have received a copy of the Server Side Public License +# along with this program. If not, see +# <http://www.mongodb.com/licensing/server-side-public-license>. +# +# As a special exception, the copyright holders give permission to link the +# code of portions of this program with the OpenSSL library under certain +# conditions as described in each individual source file and distribute +# linked combinations including the program with the OpenSSL library. You +# must comply with the Server Side Public License in all respects for +# all of the code used other than as permitted herein. If you modify file(s) +# with this exception, you may extend this exception to your version of the +# file(s), but you are not obligated to do so. If you do not wish to do so, +# delete this exception statement from your version. If you delete this +# exception statement from all source files in the program, then also delete +# it in the license file. + +global: + cpp_namespace: mongo + +server_parameters: + newLineAfterPasswordPromptForTest: + description: > + The askPassword function will print a new line after the "Enter password:" prompt + so that tests see the prompt in log output immediately. + set_at: + - startup + cpp_vartype: bool + cpp_varname: newLineAfterPasswordPromptForTest + default: false + |