-rw-r--r-- | jstests/libs/README.ssl | 23 | ||||
-rw-r--r-- | jstests/libs/client_SAN.pem | 49 | ||||
-rw-r--r-- | jstests/libs/openssl_SAN.cfg | 31 | ||||
-rw-r--r-- | jstests/libs/openssl_SAN2.cfg | 30 | ||||
-rw-r--r-- | jstests/libs/server_SAN.pem | 49 | ||||
-rw-r--r-- | jstests/libs/server_SAN2.pem | 49 | ||||
-rw-r--r-- | jstests/ssl/ssl_x509_SAN.js | 79 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_apple.cpp | 38 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_openssl.cpp | 23 |
9 files changed, 364 insertions, 7 deletions
diff --git a/jstests/libs/README.ssl b/jstests/libs/README.ssl index 1e230e730ff..d86cb9f77a7 100644 --- a/jstests/libs/README.ssl +++ b/jstests/libs/README.ssl 
@@ -51,3 +51,26 @@ cat roles.pem roles2.key > roles_final.pem Example Commands for UTF-8 -------------------------- openssl req -new -utf8 -nameopt multiline,utf8 -config .\jstests\libs\client_utf8.cnf -newkey rsa:2048 -nodes -keyout roles.key -out roles.csr + + +openssl x509 -req -sha256 -in CSR.csr -days 3650 -out roles.pem -extfile openssl.cnf -CA jstests/libs/ca.pem -CAcreateserial + +openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout privateKey.key -out roles.csr -subj "/C=US/ST=New York/L=New York City/O=MongoDB/OU=KernelUser/CN=client/emailAddress=example@mongodb.com" + +-------------------------- + +Example of Extension: To sign certificate with SAN + +Copy or use the ca.pem file from jstests/libs/ca.pem +Copy the openssl_SAN.cfg from jstests/libs/openssl_SAN.cfg or create your own + +#Create the client certificate +openssl genrsa -out client.key 2048 #Creates the client key +openssl req -new -key client.key -out client.csr -config openssl_SAN.cfg -extensions v3_req #Creates the unsigned client certificate (change v3_req to whatever extensions in the cfg file) +openssl x509 -req -days 3650 -in client.csr -CA ca.pem -set_serial 01 -out client.crt -extfile openssl_SAN.cfg -extensions v3_req #Creates the signed client certificate +cat client.crt client.key > client.pem #Joins the signed cert with the key for the client pem + +openssl genrsa -out server.key 2048 +openssl req -new -key server.key -out server.csr -config openssl_SAN.cfg -extensions v3_req #Creates the unsigned server certificate (change v3_req to whatever extensions in the cfg file) +openssl x509 -req -days 3650 -in server.csr -CA ca.pem -set_serial 01 -out server.crt -extfile openssl_SAN.cfg -extensions v3_req #Creates the signed server certificate +cat server.crt server.key > server.pem #Joins the signed cert with the key for the server pem diff --git a/jstests/libs/client_SAN.pem b/jstests/libs/client_SAN.pem new file mode 100644 index 00000000000..4aa340e32ed --- /dev/null 
+++ b/jstests/libs/client_SAN.pem 
@@ -0,0 +1,49 @@ +-----BEGIN CERTIFICATE----- +MIIDozCCAougAwIBAgIBATANBgkqhkiG9w0BAQUFADB0MRcwFQYDVQQDEw5LZXJu +ZWwgVGVzdCBDQTEPMA0GA1UECxMGS2VybmVsMRAwDgYDVQQKEwdNb25nb0RCMRYw +FAYDVQQHEw1OZXcgWW9yayBDaXR5MREwDwYDVQQIEwhOZXcgWW9yazELMAkGA1UE +BhMCVVMwHhcNMTgwOTEyMTkxMDI5WhcNMjgwOTA5MTkxMDI5WjCBgzELMAkGA1UE +BhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5 +MRAwDgYDVQQKDAdNb25nb0RCMRUwEwYDVQQLDAxLZXJuZWwgVXNlcnMxIDAeBgNV +BAMMF0tlcm5lbCBDbGllbnQgUGVlciBSb2xlMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAxE+R+vp8wuzGAMwqCHN5xJAAgoXLUZQLR9mvzcE12Ek33RC9 ++JBMVa0w6RdPsucnsZDRc/iZBXXEPIPc9tYvt2iObkRNGOxATzNpd05Ocfd4pE7t +MudZFrqFUec7A96GpC0SvK7fvBIg2Ez17w+7pDqewCd7prpTO5IJLVODOR8rN/Fh +vPzFWR6etUKgtmuxOpg6b75bmUxW7Fe0pItWLdnv+hievXN4C66mUJcDMFaWDHji +nJHxV+hODoFyT1+AxBlurp66LqeFwt/eZF8pQHJy8GK1Pw7dy6sBPmETseNgY3V4 +ZcuGj2cH1I7vNKZonFKNSRVeAkLdsnu3xHH5+wIDAQABozAwLjAsBgNVHREEJTAj +gglsb2NhbGhvc3SHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQEF +BQADggEBACXw8iijEpGrPzrqVhtz/qfictU4TlgCrE+KVbbYm7tC0DyqS1QKw3TJ +yh5wYX4xVmipP9sN7LPXR82qZ1ckXapYRjfwhCJHNNblXj7xlaWyL4c/K990/aWD +vvvlzuMV4TVXDkZ2ILPxp1DRbBNHUQAyJ9Et6x4AULJAVhi5+pUzFavN2GQ2/WXi +Njw2j20Mw3gfjxhMynJIDCe1IfEBonHQGX6kkor4jMo91DK/nKlannmewVCOoOed +3KXX9OzSGZIWW2EytNeB0GkyYaX/RZsZDKhTVff6Xckwy2W5tNcz/ylzz4bw/a00 +I3XxO2bSzxLGp3OCvcCHpBSuUO7mqZM= +-----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEAxE+R+vp8wuzGAMwqCHN5xJAAgoXLUZQLR9mvzcE12Ek33RC9 ++JBMVa0w6RdPsucnsZDRc/iZBXXEPIPc9tYvt2iObkRNGOxATzNpd05Ocfd4pE7t +MudZFrqFUec7A96GpC0SvK7fvBIg2Ez17w+7pDqewCd7prpTO5IJLVODOR8rN/Fh +vPzFWR6etUKgtmuxOpg6b75bmUxW7Fe0pItWLdnv+hievXN4C66mUJcDMFaWDHji +nJHxV+hODoFyT1+AxBlurp66LqeFwt/eZF8pQHJy8GK1Pw7dy6sBPmETseNgY3V4 +ZcuGj2cH1I7vNKZonFKNSRVeAkLdsnu3xHH5+wIDAQABAoIBAQC5zMXR0Xp70zWk +U5gE36aET/brkk5ZK9Fxc6tdBl08FDB3Xv0uYQSeookEVDfuj7GV8gcLyGKsNEZD +MFrWlOocoS0NWD/QMuq7C2HqtYaxfxQED1+ZKjW7uVWtqzjD9L1ibfap9qlzi4Ti +tBSg6zchvQm7vKLfrsJQQ2vEJqKwUBNviBhelK4vHSYewXk1ANuaf+dObsycg+AG 
+hCwhBHlbSBJy31OnIooCRoEY35RN0HpPaEu9bR3v4EQbOeXcV0yNHaoV7CKVwEPv +NSzAnL5i+xkE/HLnYky069Xv7jaUc0+Qtf2Cl53ojJxot+eojM0TgmRRtz8jupGO +Tn/MIz7hAoGBAOEs1QizQTIyXkbGdUTX8oGndN8yIPm0f1Qn50uL+5Wsei2s0rAq +NkxxeuFOwmoJrA/HrLGusPsUdwcL5FGhZcwnxA/3Oq3BFvSJML9dWSEbw3muH4z7 +eg+RZmrxxq9iaLAtqPxqxqT8g+ahJm1z+IBs2McI688Zk/u35c0fTSjdAoGBAN8v +M1x+aWQ30vXOP658FvTsDkzmyXbpgPg5lXYqeJBiMyU55rMRVvPACbl8lg779Hdg +3j0WyKF8wGMTuZnC78e1odMvz/rrxzyvxBqYgiGzKensA9SZRdgemN5cTV5W/9jj +LtV0hKw3kT4ikW4nrM+JZo8ceO2sRVZk959rspS3AoGBANmPsJHEaHSwl8h4Tavj +nirJejGAxL2fOPs9xsuGh+FYkX/6IGMXlfkMF/cDWvKLP9TLTz8qE1O0tUB4q/R3 +Jd04esYWUHq7Oouw1gm/jrNfmOHDbDaSb6AFE1i3HAou4gl/RGwGWsHkPSkjgPZ1 ++59SC61bIEOsaf/m8cDbwnh9AoGBAICbjWg+O/MRLBKTECU2wm/OWws7blqEgdoI +LLVUEfd5bumDrQoA8u8w+SmWvk3SKHRmMIpZR7Gu1poBMtGFAHE/nAm7IokANuYk +jseYnFxZBs0SQL7Qt+uq7gIshDTZw0Ky3zkHlLA8sQhyGQW1/SH2lk/fY1vqCmaX +dg26nMSPAoGBAIgSXaH1PvBia8LZFJ6Og2I7vHcbdJC/sDNGGkI3Vg3caOIGmjE1 +j6SglyXS225hWlUDzhEj5BrqVgOHEW5VrP1k2VlEASudeN3lUWW3BR8+toPAdbt+ +tX4VmK74SmHrrfq/g0jCnF77y1N9ASnEt5FwJ6Q+s9kv9EGECi5u6axE +-----END RSA PRIVATE KEY----- diff --git a/jstests/libs/openssl_SAN.cfg b/jstests/libs/openssl_SAN.cfg new file mode 100644 index 00000000000..ce2930fda92 --- /dev/null +++ b/jstests/libs/openssl_SAN.cfg @@ -0,0 +1,31 @@ +[ ca ] + +default_ca = CA_default + +[ CA_default ] +dir = . +certificate = $dir/ca.pem + + +[ req ] +default_bits = 4096 +default_keyfile = privateKey.pem +distinguished_name = req_distinguished_name +prompt = no +req_extensions = v3_req + +[ req_distinguished_name ] +countryName = US +stateOrProvinceName = New York +localityName = New York City +organizationName = MongoDB +organizationalUnitName = Kernel Users +commonName = Kernel Client Peer Role + +[ v3_req ] +subjectAltName = @alt_names + +[ alt_names ] +DNS.1 = localhost +IP.1 = 127.0.0.1 +IP.2 = ::1 diff --git a/jstests/libs/openssl_SAN2.cfg b/jstests/libs/openssl_SAN2.cfg new file mode 100644 index 00000000000..6241781de54 --- /dev/null 
+++ b/jstests/libs/openssl_SAN2.cfg @@ -0,0 +1,30 @@ +[ ca ] +default_ca = CA_default + +[ CA_default ] +dir = . +certificate = $dir/ca.pem + + +[ req ] +default_bits = 4096 +default_keyfile = privateKey.pem +distinguished_name = req_distinguished_name +prompt = no +req_extensions = v3_req + +[ req_distinguished_name ] +countryName = US +stateOrProvinceName = New York +localityName = New York City +organizationName = MongoDB +organizationalUnitName = Kernel Users +commonName = Kernel Users + +[ v3_req ] +subjectAltName = @alt_names + +[ alt_names ] +DNS.1 = localhost +DNS.2 = 127.0.0.1 +DNS.3 = ::1 diff --git a/jstests/libs/server_SAN.pem b/jstests/libs/server_SAN.pem new file mode 100644 index 00000000000..d7bccc7dd76 --- /dev/null +++ b/jstests/libs/server_SAN.pem 
@@ -0,0 +1,49 @@ +-----BEGIN CERTIFICATE----- +MIIDozCCAougAwIBAgIBATANBgkqhkiG9w0BAQUFADB0MRcwFQYDVQQDEw5LZXJu +ZWwgVGVzdCBDQTEPMA0GA1UECxMGS2VybmVsMRAwDgYDVQQKEwdNb25nb0RCMRYw +FAYDVQQHEw1OZXcgWW9yayBDaXR5MREwDwYDVQQIEwhOZXcgWW9yazELMAkGA1UE +BhMCVVMwHhcNMTgwOTEyMTgyOTMxWhcNMjgwOTA5MTgyOTMxWjCBgzELMAkGA1UE +BhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5 +MRAwDgYDVQQKDAdNb25nb0RCMRUwEwYDVQQLDAxLZXJuZWwgVXNlcnMxIDAeBgNV +BAMMF0tlcm5lbCBDbGllbnQgUGVlciBSb2xlMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAx1rjAuUCMIASFj7G9Yfop/YSi5kLpVap/VE8tzJzIk1jXyH5 +v6AdFYADm38tlhMOmIKJVGWwVsiYvusE3SM2rLsBht2n2qsWyXz+FTbpW3wHb3cT +3Lr9C3+5MxN85rFEO9eaoirZTZfxngf6dympsJhh7k+avz2XDQY/UAuzA7nQcTal +G/H6juf76lP5+moIp+GaJJ3Pgf/IPguZQ+Kp4Fu71c1rvwyNdIlrxmzERgDlnr/v +GDxOaHYLXp+g1L5tHoHzBAmDSNHzVGsZdkpbogBDOulxF2/jpRubwNA8n/QEt8FX +qBOh+JRC5eHMZbHcD7XZ/c8FHoDAGkSa69Cb6QIDAQABozAwLjAsBgNVHREEJTAj +gglsb2NhbGhvc3SHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQEF +BQADggEBAH3X1zh8Mtplmtznyby7QIojvIwAKI++57ctEqeZ1fEmi+HaS2OLTO/j +EgsEWfmYDDnHyTYFDnBYziFW0JFEoORMtz380ESH+iWITVmQy86nB/GhbEc80H5+ +zZpFUtk6n7P6G1g7HGksISllVHMOiH6Pg2kjVJ4gtcX5gNCoU+GDStw9WZypei6G +SAg+Kl5q7Q15TM7Mys2/d0fMqapNzMpFDdu9IQvJBtq4jysJFkQV/Or/r54RAEcV +U14iadBkEYubwEYPlYqDYJejkWGsO9f5FursZr2HfnmvghzKccnFXQEeyP0wVXbx +URldTTLtXOOYWxHQqWwUs1UlbB47Ihc= +-----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAx1rjAuUCMIASFj7G9Yfop/YSi5kLpVap/VE8tzJzIk1jXyH5 +v6AdFYADm38tlhMOmIKJVGWwVsiYvusE3SM2rLsBht2n2qsWyXz+FTbpW3wHb3cT +3Lr9C3+5MxN85rFEO9eaoirZTZfxngf6dympsJhh7k+avz2XDQY/UAuzA7nQcTal +G/H6juf76lP5+moIp+GaJJ3Pgf/IPguZQ+Kp4Fu71c1rvwyNdIlrxmzERgDlnr/v +GDxOaHYLXp+g1L5tHoHzBAmDSNHzVGsZdkpbogBDOulxF2/jpRubwNA8n/QEt8FX +qBOh+JRC5eHMZbHcD7XZ/c8FHoDAGkSa69Cb6QIDAQABAoIBAFiTgnAjzrA8B01J +AV/QzkfqptzN2IXTFt6N/NstGEjyd6eqUeyZuLJ32aJ6hIe82exbe6c7M3mr0Wpq +xBN5dO6UfJ4u2EjpYcuOtNo6Nr9GQYt+Lh4SGyLD0kbmbsWVl8q7BmLthPXcACgG +RXwyz8m+Oy0Gw6wbMoU/9FudhyGs4hQEg6DxG5tYHujo+XFU48eAJBSbCgqWbBT8 
+HBB/DNlqzsgPDDv/fr2lzPAsjgSM0HH3FH1l64MiIQillucYvitCbgAHZ9kNf5Go +0ZzaOaGQAqK2nzIIELuxxvuXSk/5bVCcOCwUojIE7WdfDNM9PFCakHcTPP4t1ZV6 +4BLtYwECgYEA6mh8f0TaZpuOjzeIounlA9/mOd+S+YeKVfeuSqPnG1Hu5G3Da98K +PPPzUfcpAtIG9JGotqEUiuz+ChMyjwdy8dWTAspIdZDwOIZji/deLjFqheGFtz3V +FUxXUW6dIPVNMeG2B4rqftNHuupXUSBIkr7f4O6DWRXb34ABIviUNqECgYEA2bfS +jCAboEE1lpJ1y6wk3W1MVzv362yTye5ym8herZhWEdYBORb8F6V2QvjBmr47HPU3 +lj/D5JB1DvVniOu+Mx2If1ass8twmFc3tdEJZW9N9IkyDgOidywXtP55xmv6sSoP +WaQqMtmzHZgI3dbJg23XD/t9rXIOR+ZrnVDYCEkCgYBQ3NqVzNrKqr7zCOVJzgYC +4Co7rLS2/9ro7RhjB0eiVRFkG7lebQLLJBy8Gdc78dgUZmsdFVRQ2JCKSTUXwioU +4uhj/gQhCm7UEQgmMJ98r+9fX/0QyXPIdR1qKg5qYDTREFwLHhDmz1vfTxfwFIL0 +nIP+xEjrYm8HGtFJjxcSAQKBgA1kKBgkVW6q9B/ZzFMFuJLCCUMIVjxtxj1SZEw+ +q8wjpY+dSR/40PKnY7nE0SuybbJfRtb//w2M8RZFc+PRFDbSpzWl4COC7N8B5lRR +kjFiAjp7Qc/o21JXLPIeAOF6fMXu31jVJx9PkpvMYSc78dMaq3K5Nka30DcN7iqT +8WW5AoGBAIhr9DyU4Cclw7JfAzgg0OZC1wWgefLDxE6qE2fAvKPhaasngErEVVn0 +OeztsXIMR8rD2VgK9sMbqoeBFAkNbw2AHLX2+ODFKv+3l0kiMUh4nA1AYD2nqgB+ +mCdony1vJ7p/njB4d8h7qHkHM8V+9Eqxum2YibR02hQIKxdOsfxj +-----END RSA PRIVATE KEY----- diff --git a/jstests/libs/server_SAN2.pem b/jstests/libs/server_SAN2.pem new file mode 100644 index 00000000000..e256620984d --- /dev/null +++ b/jstests/libs/server_SAN2.pem 
@@ -0,0 +1,49 @@ +-----BEGIN CERTIFICATE----- +MIIDozCCAougAwIBAgIBATANBgkqhkiG9w0BAQUFADB0MRcwFQYDVQQDEw5LZXJu +ZWwgVGVzdCBDQTEPMA0GA1UECxMGS2VybmVsMRAwDgYDVQQKEwdNb25nb0RCMRYw +FAYDVQQHEw1OZXcgWW9yayBDaXR5MREwDwYDVQQIEwhOZXcgWW9yazELMAkGA1UE +BhMCVVMwHhcNMTgwOTEyMTgzMDIyWhcNMjgwOTA5MTgzMDIyWjCBgzELMAkGA1UE +BhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5 +MRAwDgYDVQQKDAdNb25nb0RCMRUwEwYDVQQLDAxLZXJuZWwgVXNlcnMxIDAeBgNV +BAMMF0tlcm5lbCBDbGllbnQgUGVlciBSb2xlMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAu3WYGDgUaagugfhvjKfZN5/0gFkTrnlm7ew1PKh2AwKBfeIZ +vNk1sm/SUXsfObEGsEvxj0W0UMHQrDnzcNBaO4N3lTQ9ityLAdZFcI4kH2+52TU2 +Jkh7MZfpAGPtP+RTJKVWcg5RLFpjDir/PHph0PSv8kelByZknYk/VJ7ZJob6zNRY +2X5+icoNPRNaFk+4sj0pemQXClgqWdO1/yZMU10rTOyJM8lbDHZ+qYIkAPI836EF +SLaR+n4Dc6kSTzDbdiTX/RXs03RsupeEYVU/BVq3CHKRE4V3MECUZKknjmQng8r1 +uV0dj7Ly7A8WtPFCswpDqRxBtLYGvdG+MhoA2wIDAQABozAwLjAsBgNVHREEJTAj +gglsb2NhbGhvc3SHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQEF +BQADggEBAEfftgjjMio80O5KeETWh2eS17R8USVFEg2mueuX0XcDkIW3AO+5APjy +6kpgChRqPRcQFH1F4o6jWwqjk95/sSksXetGhCG3RRd84pQ28V/N4PtIXmG5XcLg +by5aS2DofmUvgLJnUIxuCyYJWJF2ctwYOdtzHAipaFbGog8I635FoZFNOWOc4t8t +2KVPbjSTy739jumScuM1Ip447W0rmvNd7xE9IAqktrAfnf6BvrS/HpA8e4fi7Hda +PvHT1biUQ/z4b9DbnXCekgGVoiBRWNL5wfaLJxTXHCzN4mF2kQUXdzJ94cID+LvU +Jh1bi7PRj4TofHq3Y4dixeSL6gaXJhQ= +-----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAu3WYGDgUaagugfhvjKfZN5/0gFkTrnlm7ew1PKh2AwKBfeIZ +vNk1sm/SUXsfObEGsEvxj0W0UMHQrDnzcNBaO4N3lTQ9ityLAdZFcI4kH2+52TU2 +Jkh7MZfpAGPtP+RTJKVWcg5RLFpjDir/PHph0PSv8kelByZknYk/VJ7ZJob6zNRY +2X5+icoNPRNaFk+4sj0pemQXClgqWdO1/yZMU10rTOyJM8lbDHZ+qYIkAPI836EF +SLaR+n4Dc6kSTzDbdiTX/RXs03RsupeEYVU/BVq3CHKRE4V3MECUZKknjmQng8r1 +uV0dj7Ly7A8WtPFCswpDqRxBtLYGvdG+MhoA2wIDAQABAoIBAQCFLOrLsfOWiFva +DAQ7mfcwlFugXygjWK4uMxQzLr8ALmSOaPW9+1YxmU2Cg4TQeJp23s0S6wNKKBc2 +c8kmCW9BPonTHxTltP6wZGhaqTCygK44yJvaoL2cov5uP4+KR4xlyWxbhR5X8zLS +GuvPLGaXi24AIrP0G2t5m8q5NEyzGBR15dzV6V/r0a+tLiiWF4bY5zg8defKTBn0 
+V9FmfOpP3HRwEgOpxfRAnbo4k2joLJFZh6G9kMV5RhLMjFDt3Li2fk+t0WL6f+Al +h7jhqjLiL0JTvQ1ny+f6CWJQBgkrsOoJxfeMJAFbCqivy691Qo1xPhatWBaY6sfr +zcktHLFpAoGBAOBHErgh6lCR9o2ewiS8M9PdsJbVWQP+PKsxP2btJxxlcMwRzM80 +MXDZvQ0KTULZ+2cCsQs6FTCOgNCmB0luJftj9Df4Zt+IEtwnbgDLoQOOoEikOM/s +ZqZsCTVHioIBCGB94EAnZ2MSjYRcHJIpH7aPnZR+IIEcLdlM0pizI6oVAoGBANX5 +W8KqXAlMVU64zc2to9j+zzfZ9B4BJlJZf/Xwhr2JUgTu74SfAVBDBZHwmI1FWetP +z2F7IKQLsrSqok9WAaEaKZjgCscA5/Vlk13vY1NoPqMugQ/9XSK3Bg3xsmpFGoNO +eUO21ai5J9pI0WeuC8hY09y22l3KIBw0yQltW2svAoGBALHUKOePHLcdxRytkMqH +36BR2z79k0MzRu+GcPsvdx9w32svgfGZNMqCGwBH9tLW/BvFapO4TizeEQ1fV8/F +YqBdtLrcXtVGk420ReijjNvBLx3p+JIEo6+5YeO5Af3qy7WWmUTE+Zj4kPUuBAlw +ShD69rtS9nro2QG/hAxHnjOxAoGAGclVT55sPQqf9T68Pp9AcbQzkM2JZ9xHnAEB +NMhp1ImqAsIwx1DKPbv1/eJ63/uNnJgfq+XEx0BJpxAxQ1JgG+QlQzEs21K2oZI+ +MkHZPIIBmnTORPkJsldQOXn5QGlXip94abqtAQpfTSUdZ1tIPDrIPX8jzc3AFOYf +nC07qS0CgYAWRPBVF86m1qD9VdvuzxQfni6aqPAfc4kzB4MCnrpTA7jfNJ6aT83p +LhNsM3XuLa/iwWt1VDySl2DuTHlYcWmCsnaXg7hg1MUVt/piQRTd6R+018z0BJNn +/u5F9Eusl5JfxNdriu7wUdt+ht+d8jsUY3MtVQFjzJ+lTb2SNm1ntw== +-----END RSA PRIVATE KEY----- diff --git a/jstests/ssl/ssl_x509_SAN.js b/jstests/ssl/ssl_x509_SAN.js new file mode 100644 index 00000000000..3d0a9886193 --- /dev/null +++ b/jstests/ssl/ssl_x509_SAN.js 
@@ -0,0 +1,79 @@ +load('jstests/ssl/libs/ssl_helpers.js'); + +(function() { + "use strict"; + + const SERVER1_CERT = "jstests/libs/server_SAN.pem"; + const SERVER2_CERT = "jstests/libs/server_SAN2.pem" + const CA_CERT = "jstests/libs/ca.pem"; + const CLIENT_CERT = "jstests/libs/client_SAN.pem"; + + const CLIENT_USER = "C=US,ST=New York,L=New York City,O=MongoDB,OU=Kernel Users,CN=KernelUser"; + function authAndTest(port) { + const mongo_localhost = runMongoProgram("mongo", + "--host", + "localhost", + "--port", + port, + "--ssl", + "--sslCAFile", + CA_CERT, + "--sslPEMKeyFile", + CLIENT_CERT, + "--eval", + ";"); + + assert.eq(0, mongo_localhost, "Connection succeeded"); + + const mongo_IPv4 = runMongoProgram("mongo", + "--host", + "127.0.0.1", + "--port", + port, + "--ssl", + "--sslCAFile", + CA_CERT, + "--sslPEMKeyFile", + CLIENT_CERT, + "--eval", + ";"); + + assert.eq(0, mongo_IPv4, "Connection succeeded"); + + const mongo_IPv6 = runMongoProgram("mongo", + "--host", + "::1", + "--port", + port, + "--ssl", + "--sslCAFile", + CA_CERT, + "--sslPEMKeyFile", + CLIENT_CERT, + "--ipv6", + "--eval", + ";"); + + assert.eq(0, mongo_IPv6, "Connection succeeded"); + + } + const x509_options = {sslMode: "requireSSL", sslPEMKeyFile: SERVER1_CERT, sslCAFile: CA_CERT, ipv6: "", bind_ip_all: ""}; + + print("1. Testing x.509 auth to mongod"); + { + let mongo = MongoRunner.runMongod(x509_options); + print("MMONGONSDOJNFOSNDF") + authAndTest(mongo.port); + MongoRunner.stopMongod(mongo); + } + + const x509_options2 = {sslMode: "requireSSL", sslPEMKeyFile: SERVER2_CERT, sslCAFile: CA_CERT, ipv6: "", bind_ip_all: ""}; + + print("2. Testing IPv6 in DNS Name field"); + { + let mongo = MongoRunner.runMongod(Object.merge(x509_options2, {auth: ""})); + authAndTest(mongo.port); + MongoRunner.stopMongod(mongo); + } + +}());
\ No newline at end of file
diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp
index 4f7cf85c3db..aa30764ae40 100644
--- a/src/mongo/util/net/ssl_manager_apple.cpp
+++ b/src/mongo/util/net/ssl_manager_apple.cpp
@@ -51,6 +51,7 @@
 #include "mongo/util/net/ssl/apple.hpp"
 #include "mongo/util/net/ssl_manager.h"
 #include "mongo/util/net/ssl_options.h"
+#include "mongo/util/net/cidr.h"
 using asio::ssl::apple::CFUniquePtr;
@@ -486,11 +487,16 @@ StatusWith<std::vector<std::string>> extractSubjectAlternateNames(::CFDictionary
 if (!swLabel.isOK()) {
 return swLabel.getStatus();
 }
- if (::CFStringCompare(swLabel.getValue(), CFSTR("DNS Name"), ::kCFCompareCaseInsensitive) !=
- ::kCFCompareEqualTo) {
+ if ((::CFStringCompare(swLabel.getValue(), CFSTR("DNS Name"), ::kCFCompareCaseInsensitive) != ::kCFCompareEqualTo)
+ && (::CFStringCompare(swLabel.getValue(), CFSTR("IP Address"), ::kCFCompareCaseInsensitive) != ::kCFCompareEqualTo)) {
 // Skip other elements, e.g. 'Critical'
 continue;
 }
+ bool dnsFlag = false;
+ if (::CFStringCompare(swLabel.getValue(), CFSTR("DNS Name"), ::kCFCompareCaseInsensitive) == ::kCFCompareEqualTo) {
+ dnsFlag = true;
+ }
+
 auto swName = extractDictionaryValue<::CFStringRef>(elem, ::kSecPropertyKeyValue);
 if (!swName.isOK()) {
 return swName.getStatus();
@@ -499,6 +505,13 @@ StatusWith<std::vector<std::string>> extractSubjectAlternateNames(::CFDictionary
 if (!swNameStr.isOK()) {
 return swNameStr.getStatus();
 }
+ auto swCIDRValue = CIDR::parse(swNameStr.getValue());
+ if (swCIDRValue.isOK()) {
+ swNameStr = swCIDRValue.getValue().toString();
+ if (dnsFlag) {
+ warning() << "You have an IP Address in the DNS Name field on your certificate. We will not allow this in MongoDB version 4.2.";
+ }
+ }
 ret.push_back(swNameStr.getValue());
 }
 return ret;
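Review bot: A leftover debug line `print("MMONGONSDOJNFOSNDF")` sits between `MongoRunner.runMongod(x509_options)` and `authAndTest(mongo.port)` in the first test block and should be removed; `const SERVER2_CERT = "jstests/libs/server_SAN2.pem"` is also missing its terminating semicolon, and `CLIENT_USER` is declared but never used. The three `assert.eq(0, ..., "Connection succeeded")` messages are only printed when the assertion fails, so they state the opposite of what happened; `"Connection to localhost failed"` (and the 127.0.0.1 / ::1 equivalents) would read correctly in the log. Every case in `authAndTest` is a positive match; one connection that must be rejected, e.g. a host present in neither the SAN list nor the CN of the server certificate, would show that the new IP-address matching does not loosen hostname validation, which matters because the Apple backend in this same commit changes how trust-evaluation failures are handled for IPv6 peers.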
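Review bot: In the `@@ -486` hunk the label is compared against `"DNS Name"` twice, once to skip unrelated entries and again to set `dnsFlag`; computing both results once removes the duplicated call and reads more clearly: `const bool isDnsName = ::CFStringCompare(swLabel.getValue(), CFSTR("DNS Name"), ::kCFCompareCaseInsensitive) == ::kCFCompareEqualTo;`, `const bool isIpAddress = ::CFStringCompare(swLabel.getValue(), CFSTR("IP Address"), ::kCFCompareCaseInsensitive) == ::kCFCompareEqualTo;`, `if (!isDnsName && !isIpAddress) {`, with `isDnsName` replacing `dnsFlag` in the `@@ -499` hunk. That `@@ -499` hunk also emits the deprecation warning on every call for every such SAN entry, which on a busy server means one log line per handshake per entry; logging it once per certificate or rate-limiting it would carry the same information. A short comment above the `CIDR::parse` call would help the next reader, e.g. `// Normalize IP-literal SAN values so they compare equal to the normalized remote host.` extractSubjectAlternateNames starts before this hunk.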
@@ -1368,9 +1381,22 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerApple::parseAndValidatePeerCe
 }
 }
+ bool ipv6 = false;
+ auto remoteHostName = remoteHost;
+
+ if (!remoteHost.empty()) {
+ auto swCIDRRemoteHost = CIDR::parse(remoteHost);
+ if (swCIDRRemoteHost.isOK()) {
+ remoteHostName = swCIDRRemoteHost.getValue().toString();
+ if (remoteHostName.find(':') != std::string::npos) {
+ ipv6 = true;
+ }
+ }
+ }
+
 auto result = ::kSecTrustResultInvalid;
 uassertOSStatusOK(::SecTrustEvaluate(cftrust.get(), &result), ErrorCodes::SSLHandshakeFailed);
- if ((result != ::kSecTrustResultProceed) && (result != ::kSecTrustResultUnspecified)) {
+ if ((result != ::kSecTrustResultProceed) && (result != ::kSecTrustResultUnspecified) && (!ipv6)) {
 return badCert(explainTrustFailure(cftrust.get(), result), _allowInvalidCertificates);
 }
@@ -1431,7 +1457,7 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerApple::parseAndValidatePeerCe
 if (!sans.empty()) {
 certErr << "SAN(s): ";
 for (auto& san : sans) {
- if (hostNameMatchForX509Certificates(remoteHost, san)) {
+ if (hostNameMatchForX509Certificates(remoteHostName, san)) {
 sanMatch = true;
 break;
 }
@@ -1442,7 +1468,7 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerApple::parseAndValidatePeerCe
 auto swCN = peerSubjectName.getOID(kOID_CommonName);
 if (swCN.isOK()) {
 auto commonName = std::move(swCN.getValue());
- if (hostNameMatchForX509Certificates(remoteHost, commonName)) {
+ if (hostNameMatchForX509Certificates(remoteHostName, commonName)) {
 cnMatch = true;
 }
 certErr << "CN: " << commonName;
@@ -1453,7 +1479,7 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerApple::parseAndValidatePeerCe
 if (!sanMatch && !cnMatch) {
 const auto msg = certErr.str();
- if (_allowInvalidCertificates || _allowInvalidHostnames || isUnixDomainSocket(remoteHost)) {
+ if (_allowInvalidCertificates || _allowInvalidHostnames || isUnixDomainSocket(remoteHostName)) {
 warning() << msg;
 } else {
 error() << msg;
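Review bot: The added `&& (!ipv6)` in the `@@ -1368` hunk makes any `SecTrustEvaluate` result other than Proceed/Unspecified non-fatal whenever the peer address is an IPv6 literal, so a chain that does not validate (wrong issuer, expired, self-signed) is no longer rejected by `badCert` for those peers and only the SAN/CN name match further down still applies; that is a weaker check than every other peer receives and it is not gated by `_allowInvalidCertificates`. If the motivation is that the SSL policy attached to `cftrust` (built outside this hunk) rejects an IPv6 literal as a hostname, the fix belongs there: create the policy without a hostname for IP-literal peers and rely on the explicit SAN/CN match that follows, rather than discarding the trust result. The condition should therefore stay `if ((result != ::kSecTrustResultProceed) && (result != ::kSecTrustResultUnspecified)) {` and `ipv6` be dropped. The `remoteHostName` copy and the `':'` test are fine, but deserve a line such as `// remoteHostName is the CIDR-normalized form of remoteHost when it is an IP literal, else remoteHost unchanged.` parseAndValidatePeerCertificate continues on both sides of this hunk.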
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 12d6f46d625..f2b2e759bb8 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -1348,6 +1348,12 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerOpenSSL::parseAndValidatePeer
 SSLPeerInfo(peerSubject, std::move(swPeerCertificateRoles.getValue())));
 }
+ // This is to standardize the IPAddress format for comparison.
+ auto swCIDRRemoteHost = CIDR::parse(remoteHost);
+ if (swCIDRRemoteHost.isOK()) {
+ remoteHost = swCIDRRemoteHost.getValue().toString();
+ }
+
 // Try to match using the Subject Alternate Name, if it exists.
 // RFC-2818 requires the Subject Alternate Name to be used if present.
 // Otherwise, the most specific Common Name field in the subject field
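Review bot: `remoteHost` is overwritten with the normalized address here; its declaration is outside the hunk, and if it is a `const std::string&` parameter this does not compile, while the Apple backend in the same commit copies into a local `remoteHostName` instead. Doing the same here, `auto remoteHostName = remoteHost;` and then `remoteHostName = swCIDRRemoteHost.getValue().toString();`, keeps the caller's value intact for the log messages and makes the two backends read alike. The comment would also say more if it stated what is being standardized and why: `// Normalize an IP-literal remoteHost through CIDR so it compares equal to SAN values normalized the same way below.` parseAndValidatePeerCertificate continues on both sides of this hunk.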
@@ -1366,12 +1372,27 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerOpenSSL::parseAndValidatePeer
 for (int i = 0; i < sanNamesList; i++) {
 const GENERAL_NAME* currentName = sk_GENERAL_NAME_value(sanNames, i);
 if (currentName && currentName->type == GEN_DNS) {
- char* dnsName = reinterpret_cast<char*>(ASN1_STRING_data(currentName->d.dNSName));
+ std::string dnsName (reinterpret_cast<char*>(ASN1_STRING_data(currentName->d.dNSName)));
+ auto swCIDRDNSName = CIDR::parse(dnsName);
+ if (swCIDRDNSName.isOK()) {
+ dnsName = swCIDRDNSName.getValue().toString();
+ warning() << "You have an IP Address in the DNS Name field on your certificate. We will not allow this in MongoDB version 4.2.";
+ }
 if (hostNameMatchForX509Certificates(remoteHost, dnsName)) {
 sanMatch = true;
 break;
 }
 certificateNames << std::string(dnsName) << " ";
+ } else if (currentName && currentName -> type == GEN_IPADD) {
+ std::string ipAddress (reinterpret_cast<char*>(ASN1_STRING_data(currentName->d.iPAddress)));
+ auto swCIDRIPAddress = CIDR::parse(ipAddress);
+ if (swCIDRIPAddress.isOK()) {
+ ipAddress = swCIDRIPAddress.getValue().toString();
+ }
+ if (hostNameMatchForX509Certificates(remoteHost, ipAddress)) {
+ sanMatch = true;
+ break;
+ }
 }
 }
 sk_GENERAL_NAME_pop_free(sanNames, GENERAL_NAME_free); |
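Review bot: The new GEN_IPADD branch reads `currentName->d.iPAddress` as a NUL-terminated text string, but an iPAddress SAN is a raw 4- or 16-octet OCTET STRING (RFC 5280 §4.2.1.6): for 127.0.0.1 the second octet is zero so `ipAddress` becomes a one-byte string, and for ::1 it is empty, so `CIDR::parse` fails and `hostNameMatchForX509Certificates` never sees a usable IP SAN on this backend — unless something outside the hunk compensates, the IP entries in the new test certificates cannot match here. Decode by `ASN1_STRING_length` and render the octets as text before the existing normalization, as below; the GEN_DNS branch's length-less `std::string` construction predates this change but would be safer with `ASN1_STRING_length` for the same reason. Two smaller points: `std::string(dnsName)` in `certificateNames << std::string(dnsName)` is now a redundant copy since `dnsName` is already a `std::string`, and `currentName -> type` should be `currentName->type` to match the line above. parseAndValidatePeerCertificate continues on both sides of this hunk.
```cpp
} else if (currentName && currentName->type == GEN_IPADD) {
    // iPAddress is a raw 4-octet (IPv4) or 16-octet (IPv6) OCTET STRING, not text,
    // so decode it by length instead of reading it as a NUL-terminated string.
    const unsigned char* rawAddr = ASN1_STRING_data(currentName->d.iPAddress);
    const int rawLen = ASN1_STRING_length(currentName->d.iPAddress);
    const int family = (rawLen == 4) ? AF_INET : (rawLen == 16) ? AF_INET6 : AF_UNSPEC;
    char textAddr[INET6_ADDRSTRLEN] = {};
    if (family == AF_UNSPEC || !inet_ntop(family, rawAddr, textAddr, sizeof(textAddr))) {
        continue;  // malformed iPAddress entry: never a match
    }
    std::string ipAddress(textAddr);
    // … unchanged: CIDR::parse normalization and hostNameMatchForX509Certificates comparison …
```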