-rw-r--r-- | jstests/libs/ocsp/intermediate_ca_ocsp.crt | 22 | ||||
-rw-r--r-- | jstests/libs/ocsp/intermediate_ca_ocsp.key | 28 | ||||
-rw-r--r-- | jstests/libs/ocsp/intermediate_ca_ocsp.pem | 71 | ||||
-rw-r--r-- | jstests/libs/ocsp/server_intermediate_ca_ocsp.pem | 53 | ||||
-rw-r--r-- | jstests/ocsp/lib/mock_ocsp.js | 35 | ||||
-rw-r--r-- | jstests/ocsp/lib/ocsp_helpers.js | 4 | ||||
-rw-r--r-- | jstests/ocsp/ocsp_basic_ca_responder.js | 88 | ||||
-rw-r--r-- | jstests/ocsp/ocsp_stapling.js | 19 | ||||
-rw-r--r-- | jstests/ssl/x509/certs.yml | 33 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_openssl.cpp | 47 |
10 files changed, 331 insertions, 69 deletions
diff --git a/jstests/libs/ocsp/intermediate_ca_ocsp.crt b/jstests/libs/ocsp/intermediate_ca_ocsp.crt new file mode 100644 index 00000000000..d7600f9148d --- /dev/null +++ b/jstests/libs/ocsp/intermediate_ca_ocsp.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDojCCAoqgAwIBAgIEF39OgDANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV +UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO +BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs +IFRlc3QgQ0EwHhcNMjAwNDIxMTkxNDUyWhcNNDAwNDIzMTkxNDUyWjB+MQswCQYD +VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp +dHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEhMB8GA1UEAwwY +SW50ZXJtZWRpYXRlIENBIGZvciBPQ1NQMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAptgUN3L3jVBEbkqNL9d1tdTqgbg1dIYaRdt6dHBdl24mfyW5M/Tg +oHJbsXOfjJrw8Beq5YNPbCZRsZN5u6cedElgUz1+hiTvaHuiUXVejtI0Qsx3p6Fm +xykeu4BW1505KlV5JVNfDd/KTKBu2m3w+jRdBSaCxzyQx7V9MFyg6Xk9oWB5AVHm +D5G71Qta6e5GiT58X50br2Xa5AHpnHjrjseNmIeSYVkIKDTYsh6MSogxT26sJ7aM +3wwbYOK0BXmmyHuscS/B9cHmYTntcDTXfj6dZFwQd0Dr8Pa3TMk/dbm5DBwMRXvx +lot90K46hflTvBfC+zHKwAHRjKcuaW2jOwIDAQABozIwMDAPBgNVHRMBAf8EBTAD +AQH/MB0GA1UdDgQWBBT/JWQaaKfjeSROC1wPOpepb+D8YTANBgkqhkiG9w0BAQsF +AAOCAQEAcRPq5CjP8bXEMOX83/ZiGx0ueZGQKP7d+0Q2/hZyZIVk+kxjmQXuUsIK +vpMlfxcUkcoPeO75bKWq2OxOaem0PcTeGf9XYDEfjoOrCQVQAnM+5oFbSjLgdW2n +Otqe8A7i5IjXHMZMT0XmYu5LWCAM+wJAKDU0pEx4PyZjZIhmSHKl1uyB5ox/vjMU +RjnPj58fawLKOCFbqnLZ24FdwrELqbqwcn/5pCoYxmOfjzMIAqTqgcewOQDoWV6c +IXeG8yIqTdnxuFjEXe9lWrqsPVwhPlU9druF5plSSuHoJ6gDvSWDw5FuYU9afp5U +xdj+V3ksSRqr2ad6DSqEPOohTy9Vvg== +-----END CERTIFICATE----- diff --git a/jstests/libs/ocsp/intermediate_ca_ocsp.key b/jstests/libs/ocsp/intermediate_ca_ocsp.key new file mode 100644 index 00000000000..efe6f04e3c8 --- /dev/null +++ b/jstests/libs/ocsp/intermediate_ca_ocsp.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCm2BQ3cveNUERu +So0v13W11OqBuDV0hhpF23p0cF2XbiZ/Jbkz9OCgcluxc5+MmvDwF6rlg09sJlGx +k3m7px50SWBTPX6GJO9oe6JRdV6O0jRCzHenoWbHKR67gFbXnTkqVXklU18N38pM +oG7abfD6NF0FJoLHPJDHtX0wXKDpeT2hYHkBUeYPkbvVC1rp7kaJPnxfnRuvZdrk +AemceOuOx42Yh5JhWQgoNNiyHoxKiDFPbqwntozfDBtg4rQFeabIe6xxL8H1weZh +Oe1wNNd+Pp1kXBB3QOvw9rdMyT91ubkMHAxFe/GWi33QrjqF+VO8F8L7McrAAdGM +py5pbaM7AgMBAAECggEAaw76If52lMntryvNXuaNlKjT9XsDagrm7u5/rBmyJIo8 +z5egOJOoU6wt5DcCKRH/CsDVG0LgAtCv2Rd9pIj/BLVUxvUNq/wlV1EF/eknTNPb +TwWuvfTWY3OiUcRvdRlg5iZEf0v5EYkJYZQMrcKgP5y8F6L3her6J/vwIck+Q7FM +LlFZfW+ztVK8d2H64wmpO0ErV1UTJkC0DMwGyhT2zfxfhiDD9riHZ9WU/RPmJe91 +6BfL8Vu9L8fH/hS/YLgThBRrP00ZOjETDDGlb94PRSLHU+AQD+nQ0X9PuuxZX+6U +pNe1QkOAszU0ansfwCBlKwjTU6t8nloFWdWZUXgW+QKBgQDS/Wjff7O2MdowiNj9 +RVES62IsdLI4uIMQjLR3c2U78FsWfhIzzKXlmtROzaFPccwkW10i1YWosEv+dkzp +o7Kiafb6pWxfucvts8hbw7dmUT22+N7zUqBK+Tpj6E//5JxmT9aZPPxbxMITlcpc +7NHYtBFOizTEcU9TMXk4jCdY1QKBgQDKb8Z8hMhDZqEmOBlYI8efyXUNKh9BQKfi +ptRzwsVbrYadQdGgNTUURMVZgr3z/3KeDAM+G71e3KqA5jKUMAufVUWQh3b+bU4C +F+R64PxvC0D5kT3KnT2u6yI0qTtqSaDuwcW1G5J4E9M+GOApuLxOr92B+rA6deKR +njpqJHETzwKBgDclJojrzqO7CeUPj28688K3JNSrt30dtJvZur1Rus7ctmH9l3JU +dbO6MO1bz2J9Qrbp7kDRf/qkAWjDsLyMHX9XpMbD/7xRSlyZVa+uSrwCVdgB2fvM +x7pww3MjX+1o6fvPuC4bA3ZUycjmqJp7BynVfoSB28vQNcRvtNgzwYD1AoGAa/D3 +1DN1GUNjEB7/nJjPe6sPB+r66W9RVbCBPgyP8ZdwXO/Yl+VnHRyiYl0tbio6cn2T +SQ2/hxKAs+SK+as4t0ffpPYmg/nCi6kzwjWvRIKqrag9W4lGd7uW7J+EN+N0tXqL +Mku2aOKhU84t0PFZL1fk88a5KyLqoZzOJwSxas8CgYEArqFmKddOAjdC+Y8n8nWT +WrEPFts/YAp0KJGW0nDqN7ROKXyBuqrrKpOgXpxZTHRoFQ+RCsWHZOtZYD68Nmod +yr/aGaixsHqIqSC8xu78DwXuOIIVuvEU06pAmCh2ALskKQZhA5sBL6qkw1PlgSDh +WBzMfq3dw8n/557/q+IVnlE= +-----END PRIVATE KEY----- diff --git a/jstests/libs/ocsp/intermediate_ca_ocsp.pem b/jstests/libs/ocsp/intermediate_ca_ocsp.pem new file mode 100644 index 00000000000..c6abc40d1d1 --- /dev/null +++ b/jstests/libs/ocsp/intermediate_ca_ocsp.pem 
@@ -0,0 +1,71 @@ +-----BEGIN CERTIFICATE----- +MIIDojCCAoqgAwIBAgIEF39OgDANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV +UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO +BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs +IFRlc3QgQ0EwHhcNMjAwNDIxMTkxNDUyWhcNNDAwNDIzMTkxNDUyWjB+MQswCQYD +VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp +dHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEhMB8GA1UEAwwY +SW50ZXJtZWRpYXRlIENBIGZvciBPQ1NQMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAptgUN3L3jVBEbkqNL9d1tdTqgbg1dIYaRdt6dHBdl24mfyW5M/Tg +oHJbsXOfjJrw8Beq5YNPbCZRsZN5u6cedElgUz1+hiTvaHuiUXVejtI0Qsx3p6Fm +xykeu4BW1505KlV5JVNfDd/KTKBu2m3w+jRdBSaCxzyQx7V9MFyg6Xk9oWB5AVHm +D5G71Qta6e5GiT58X50br2Xa5AHpnHjrjseNmIeSYVkIKDTYsh6MSogxT26sJ7aM +3wwbYOK0BXmmyHuscS/B9cHmYTntcDTXfj6dZFwQd0Dr8Pa3TMk/dbm5DBwMRXvx +lot90K46hflTvBfC+zHKwAHRjKcuaW2jOwIDAQABozIwMDAPBgNVHRMBAf8EBTAD +AQH/MB0GA1UdDgQWBBT/JWQaaKfjeSROC1wPOpepb+D8YTANBgkqhkiG9w0BAQsF +AAOCAQEAcRPq5CjP8bXEMOX83/ZiGx0ueZGQKP7d+0Q2/hZyZIVk+kxjmQXuUsIK +vpMlfxcUkcoPeO75bKWq2OxOaem0PcTeGf9XYDEfjoOrCQVQAnM+5oFbSjLgdW2n +Otqe8A7i5IjXHMZMT0XmYu5LWCAM+wJAKDU0pEx4PyZjZIhmSHKl1uyB5ox/vjMU +RjnPj58fawLKOCFbqnLZ24FdwrELqbqwcn/5pCoYxmOfjzMIAqTqgcewOQDoWV6c +IXeG8yIqTdnxuFjEXe9lWrqsPVwhPlU9druF5plSSuHoJ6gDvSWDw5FuYU9afp5U +xdj+V3ksSRqr2ad6DSqEPOohTy9Vvg== +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCm2BQ3cveNUERu +So0v13W11OqBuDV0hhpF23p0cF2XbiZ/Jbkz9OCgcluxc5+MmvDwF6rlg09sJlGx +k3m7px50SWBTPX6GJO9oe6JRdV6O0jRCzHenoWbHKR67gFbXnTkqVXklU18N38pM +oG7abfD6NF0FJoLHPJDHtX0wXKDpeT2hYHkBUeYPkbvVC1rp7kaJPnxfnRuvZdrk +AemceOuOx42Yh5JhWQgoNNiyHoxKiDFPbqwntozfDBtg4rQFeabIe6xxL8H1weZh +Oe1wNNd+Pp1kXBB3QOvw9rdMyT91ubkMHAxFe/GWi33QrjqF+VO8F8L7McrAAdGM +py5pbaM7AgMBAAECggEAaw76If52lMntryvNXuaNlKjT9XsDagrm7u5/rBmyJIo8 +z5egOJOoU6wt5DcCKRH/CsDVG0LgAtCv2Rd9pIj/BLVUxvUNq/wlV1EF/eknTNPb +TwWuvfTWY3OiUcRvdRlg5iZEf0v5EYkJYZQMrcKgP5y8F6L3her6J/vwIck+Q7FM 
+LlFZfW+ztVK8d2H64wmpO0ErV1UTJkC0DMwGyhT2zfxfhiDD9riHZ9WU/RPmJe91 +6BfL8Vu9L8fH/hS/YLgThBRrP00ZOjETDDGlb94PRSLHU+AQD+nQ0X9PuuxZX+6U +pNe1QkOAszU0ansfwCBlKwjTU6t8nloFWdWZUXgW+QKBgQDS/Wjff7O2MdowiNj9 +RVES62IsdLI4uIMQjLR3c2U78FsWfhIzzKXlmtROzaFPccwkW10i1YWosEv+dkzp +o7Kiafb6pWxfucvts8hbw7dmUT22+N7zUqBK+Tpj6E//5JxmT9aZPPxbxMITlcpc +7NHYtBFOizTEcU9TMXk4jCdY1QKBgQDKb8Z8hMhDZqEmOBlYI8efyXUNKh9BQKfi +ptRzwsVbrYadQdGgNTUURMVZgr3z/3KeDAM+G71e3KqA5jKUMAufVUWQh3b+bU4C +F+R64PxvC0D5kT3KnT2u6yI0qTtqSaDuwcW1G5J4E9M+GOApuLxOr92B+rA6deKR +njpqJHETzwKBgDclJojrzqO7CeUPj28688K3JNSrt30dtJvZur1Rus7ctmH9l3JU +dbO6MO1bz2J9Qrbp7kDRf/qkAWjDsLyMHX9XpMbD/7xRSlyZVa+uSrwCVdgB2fvM +x7pww3MjX+1o6fvPuC4bA3ZUycjmqJp7BynVfoSB28vQNcRvtNgzwYD1AoGAa/D3 +1DN1GUNjEB7/nJjPe6sPB+r66W9RVbCBPgyP8ZdwXO/Yl+VnHRyiYl0tbio6cn2T +SQ2/hxKAs+SK+as4t0ffpPYmg/nCi6kzwjWvRIKqrag9W4lGd7uW7J+EN+N0tXqL +Mku2aOKhU84t0PFZL1fk88a5KyLqoZzOJwSxas8CgYEArqFmKddOAjdC+Y8n8nWT +WrEPFts/YAp0KJGW0nDqN7ROKXyBuqrrKpOgXpxZTHRoFQ+RCsWHZOtZYD68Nmod +yr/aGaixsHqIqSC8xu78DwXuOIIVuvEU06pAmCh2ALskKQZhA5sBL6qkw1PlgSDh +WBzMfq3dw8n/557/q+IVnlE= +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIDeTCCAmGgAwIBAgIEBdhiWzANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV +UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO +BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs +IFRlc3QgQ0EwHhcNMjAwMzIzMjIxMzA5WhcNNDAwMzI1MjIxMzA5WjB0MQswCQYD +VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp +dHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwO +S2VybmVsIFRlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCg +H42hLFFnWFETIDs4Q3rjzJLB4mxqn7BiFDbhzivKGN8SMrIaoyg8CkNJWpJVYEBN +BjaQHMzivBiQEjDbx2bWz7+rMjont9zJbNmMMuEZcqQw42SBlQ/xXBnIbvICGoXy +7EkEH/kYzX7NjUhAHOJUdfyTW0okChPxOQr8CI07HVYmeelBZh6FPnzdQ5mgsbmk +vsdesE1gvcfFtm/7Q6+GXp+1GDVGRUmPmHTYPIkjouJWQM++WU2KofSe5k9Rn1Oz +ZE3jJAaB9gGA83/xcLkVLBe4dyE5foVbbXL7t37yB8R06/7ffV62B7sn0M5X/rfA +UY5sJ6WOWdQz8k+WjXlXAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI 
+hvcNAQELBQADggEBAAsY/vktUSwXC1MCC8cYtcrlI0EgGcvkcRxEjRv7t5YVZii6 +eqKSfaX5HDxKl8dH7Z95Z3sDqr7iwPFtzmzQHEwvSSKbiqeS9Be0yf6mJv10LC5d +M9qoMvbp90ob3Jhib5IGzeijcQFfzbZa+MGnWiCGX04U/hUrayMdmna83exKbeNW +S0LT1F82rG2QklFOFSZSInXsBiR4olRWqXrYpNjP4B5gueQ2+XUlMZdphvkOksCo +/UBdqKotBFgyYXdMygl4hscxo+O4FRpX6RKVyobJXKax+mzbc9YUKTFtKu6KlZls +jvqjtuXgmZvXOgduG5D8Sqoqp/q1nYzYpcgEss4= +-----END CERTIFICATE----- diff --git a/jstests/libs/ocsp/server_intermediate_ca_ocsp.pem b/jstests/libs/ocsp/server_intermediate_ca_ocsp.pem new file mode 100644 index 00000000000..3aa49df8d1b --- /dev/null +++ b/jstests/libs/ocsp/server_intermediate_ca_ocsp.pem 
@@ -0,0 +1,53 @@ +-----BEGIN CERTIFICATE----- +MIIELzCCAxegAwIBAgIEc3NuKDANBgkqhkiG9w0BAQsFADB+MQswCQYDVQQGEwJV +UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO +BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEhMB8GA1UEAwwYSW50ZXJt +ZWRpYXRlIENBIGZvciBPQ1NQMB4XDTIwMDQyMTE5MTQ1MloXDTQwMDQyMzE5MTQ1 +MlowgYIxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazEWMBQGA1UEBwwN +TmV3IFlvcmsgQ2l0eTEQMA4GA1UECgwHTW9uZ29EQjEPMA0GA1UECwwGS2VybmVs +MSUwIwYDVQQDDBxTZXJ2ZXIgT0NTUCBWaWEgSW50ZXJtZWRpYXRlMIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8o7m7QpIMUZ2r6HOmhuqNF25x0odb9Bg +rSLm7Hvb3WBu6jwWPrrnPerR/nODVEY4Qo7mOclgCsooJx3HaPYPgRYffRQMJ+I5 +lpvsRsBjW7CnS0amz9QcbGnIhMeFU45gCn51CTLPoBJ7hB9F4Z02bOJEMkkXkhtm +kkiVysUs6po+t2+w8tojOScZdeDUtwfStKJ7Xb9B79Ko3BCcITXJUxDBcqUEJF+E +v3YQuQg/QKNTO+L39aFFo8WNfuP09txdjT/+T8PZq826ccohRdSrJ5lq1hXmmKXp +3p6Ut35aE4tjj6KSjDonMkYcvdNHQ0aL2p8x4JjwgwAuNwawTUbYIwIDAQABo4Gv +MIGsMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB +BggrBgEFBQcDAjAdBgNVHQ4EFgQUyC6Gv0rfoato44VsaVig1SmminYwOAYIKwYB +BQUHAQEELDAqMCgGCCsGAQUFBzABhhxodHRwOi8vbG9jYWxob3N0OjgxMDAvc3Rh +dHVzMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOC +AQEAogdunlFL04lqVbZyqPvN/5TtrEtM87invrzTYZ8UmT5Q4Kr8mHRsumBuVwDu +bE+umrPtQVvu0XYqsjmjmOk7hTIK6PFuF6rLQCUBHVXBZggTNKFFBWphQ8odUbPG +FmOqSlkZAkcNo3dLpxRbfDru2ARxeE2+sRCPWwUZc7utqpLoZ0deuKdDSlA/VcGJ +5wf0sjmcjvJRRUSYeJcUox4ySL+4WtFu33LhYZKgnrMNegaJ6UyIlwB4ihMyi9sV +yDlsY+vGqivqqMUw8V6tdUekCYPUlHWXeICqsRIBII+xMzqTv1rXPzNyAvyVYrBi +hG10rdLfnQWn2vpYKU5b3Vo1yg== +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDyjubtCkgxRnav +oc6aG6o0XbnHSh1v0GCtIubse9vdYG7qPBY+uuc96tH+c4NURjhCjuY5yWAKyign +Hcdo9g+BFh99FAwn4jmWm+xGwGNbsKdLRqbP1BxsaciEx4VTjmAKfnUJMs+gEnuE +H0XhnTZs4kQySReSG2aSSJXKxSzqmj63b7Dy2iM5Jxl14NS3B9K0ontdv0Hv0qjc +EJwhNclTEMFypQQkX4S/dhC5CD9Ao1M74vf1oUWjxY1+4/T23F2NP/5Pw9mrzbpx +yiFF1KsnmWrWFeaYpenenpS3floTi2OPopKMOicyRhy900dDRovanzHgmPCDAC43 
+BrBNRtgjAgMBAAECggEBAPIQ4y0U4c8rPy8wD/uEOGxiTREySgZYsuKWvlarlVRs +9MQWiyy3YidMvZ1uslXcbjEeY2ywJ4UdEs1WzrdVOUveRDaTVz5Gaqp/mWFShtXu +ikZ5j+hBCsy3FUJNzCUDJZ3TbgFsEADz8Qh+HUN3neU0OlLk1v0dE1RR1Au0k4rb +yvMFRDcHLQ2u6AoZm1vkaV+/E8REObb5lutgs2719JJapAlbPT49ttlkfXvgt5kv +Bnvt80S5+PEuyLNVRsdsRLaZZ4tZpmYenObb4kjiIbCHGRBkHXwXdsnLuqmxXSMb +52cUsBFGaPUtvIUQh41kGSUNdnKjf1SndJKqE4m6nUECgYEA+gxQx8SGMuy7jEqD +A/qU+aFF8brqeCb29YifY1eMjox+PvC4+2kG06Y3C/dvbA7eRxdU1PN5R/nPZMrX ++WxNbsnSJGtvvxZplygpj9DNzwKCH+4Z9dLk/+f7HqKv55c0eLt22PjnQ9GwVNEG +UnEWDo6Wl5F6qw2HAdRGuQbvBjsCgYEA+FTyQuxOgWpjCw9FrtV3+nRqISGaKZMM +pqvzPQQuA7Xer2UR4aW2lGtaA8y8Xgt2rBAPIlMggCIUXmWdkH6pwHSvIWhzCMhx +cyFTAFFsFcQkhCIArVbGvhbBgR0Srtb8ncFx+qbqg1N4Uwm60trBQWgAapZpFhDi +hXqRmSoDDzkCgYEAlGE+hmz+XbXRTVziBjhqsv+aq+mJPaeRoP5j5uWLCQQh3mOm +wbn/TRUzUSyRuAPSr0kPFBcu/yEkiuE77EzyXi3xP59pfnFkU0iH8Ums94y7fwsh +6JgvQBR/FhzgWYOGpaZIzlRVmA8UniAzqjRlLFo8ztCLhHnQhatcFGwi5wUCgYEA +047KtOjMGMShjBJ+sut5Qw1aPM97nl+AL53douWkrdSK2bGpAitC2D58eTA6aYQq +nXsw6XUYAxEFeUXobej6hNLjP/rTxW+99u803th+1Cw9T7QID6QVvGt2fqBeAkV1 +AJCEoZ0BvM+nelaXqnpimW4YrLVm4T2RPVWmJG3+HUECgYB+q+DztAUDCiVgVtxR +wkwnl8WPgZI01b+bCP3d9HgL6zLt/AOYBDfsKuhQ23CPhNJvVmq3gi9xvufBM6jA +lWhttgN+G72VmQmA84yXgi7b3T73E8ft0u0thJjPaddzAJOuLyYKzLI0KgOYe4Hk +Glm8Afrwqqz3QQPj1mqrK5Rvlg== +-----END PRIVATE KEY----- diff --git a/jstests/ocsp/lib/mock_ocsp.js b/jstests/ocsp/lib/mock_ocsp.js index 1d8691bd26e..2827ece5e4c 100644 --- a/jstests/ocsp/lib/mock_ocsp.js +++ b/jstests/ocsp/lib/mock_ocsp.js 
@@ -11,15 +11,35 @@ const FAULT_UNKNOWN = "unknown"; const OCSP_PROGRAM = "jstests/ocsp/lib/ocsp_mock.py"; +class ResponderCertSet { + /** + * Set of certificates for the OCSP responder.' + * @param {string} cafile + * @param {string} certfile + * @param {string} keyfile + */ + constructor(cafile, certfile, keyfile) { + this.cafile = cafile; + this.certfile = certfile; + this.keyfile = keyfile; + } +} + +const OCSP_DELEGATE_RESPONDER = + new ResponderCertSet(OCSP_CA_PEM, OCSP_RESPONDER_CERT, OCSP_RESPONDER_KEY); +const OCSP_CA_RESPONDER = new ResponderCertSet(OCSP_CA_PEM, OCSP_CA_CERT, OCSP_CA_KEY); +const OCSP_INTERMEDIATE_RESPONDER = new ResponderCertSet( + OCSP_INTERMEDIATE_CA_PEM, OCSP_INTERMEDIATE_CA_CERT, OCSP_INTERMEDIATE_CA_KEY); + class MockOCSPServer { /** * Create a new OCSP Server. * * @param {string} fault_type * @param {number} next_update_secs - * @param {boolean} responder_is_ca + * @param {object} responder_certificate_set */ - constructor(fault_type, next_update_secs, responder_is_ca = false) { + constructor(fault_type, next_update_secs, responder_certificate_set = OCSP_DELEGATE_RESPONDER) { this.python = "python3"; this.fault_type = fault_type; @@ -27,16 +47,11 @@ class MockOCSPServer { this.python = "python.exe"; } - if (responder_is_ca) { - this.ocsp_cert_file = OCSP_CA_CERT; - this.ocsp_cert_key = OCSP_CA_KEY; - } else { - this.ocsp_cert_file = OCSP_RESPONDER_CERT; - this.ocsp_cert_key = OCSP_RESPONDER_KEY; - } + this.ca_file = responder_certificate_set.cafile; + this.ocsp_cert_file = responder_certificate_set.certfile; + this.ocsp_cert_key = responder_certificate_set.keyfile; print("Using python interpreter: " + this.python); - this.ca_file = OCSP_CA_PEM; // The port must be hard coded to match the port of the // responder in the certificates. this.port = 8100; diff --git a/jstests/ocsp/lib/ocsp_helpers.js b/jstests/ocsp/lib/ocsp_helpers.js index 9855c9405ad..073a13e6564 100644 --- a/jstests/ocsp/lib/ocsp_helpers.js 
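Review bot: MockOCSPServer's constructor now reads `responder_certificate_set.cafile`, `.certfile` and `.keyfile` without checking that it was actually handed a ResponderCertSet, so a caller still passing the old boolean third argument gets three `undefined` paths and a responder that starts without CA, cert or key instead of a clear failure; the diff updates the two callers under jstests/ocsp, but any other caller is not visible from here. A one-line guard at the top of the constructor makes the contract explicit: `if (!(responder_certificate_set instanceof ResponderCertSet)) throw new Error("responder_certificate_set must be a ResponderCertSet");`. The JSDoc on the new class has a stray apostrophe in `Set of certificates for the OCSP responder.'`, and the constructor's `@param {object} responder_certificate_set` would be more precise as `@param {ResponderCertSet} responder_certificate_set`. The constructor body continues outside the first hunk.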
+++ b/jstests/ocsp/lib/ocsp_helpers.js @@ -13,6 +13,10 @@ const OCSP_SERVER_MUSTSTAPLE_CERT = "jstests/libs/ocsp/server_ocsp_mustStaple.pe const OCSP_SERVER_CERT_REVOKED = "jstests/libs/ocsp/server_ocsp_revoked.pem"; const OCSP_RESPONDER_CERT = "jstests/libs/ocsp/ocsp_responder.crt"; const OCSP_RESPONDER_KEY = "jstests/libs/ocsp/ocsp_responder.key"; +const OCSP_INTERMEDIATE_CA_PEM = "jstests/libs/ocsp/intermediate_ca_ocsp.pem"; +const OCSP_INTERMEDIATE_CA_CERT = "jstests/libs/ocsp/intermediate_ca_ocsp.crt"; +const OCSP_INTERMEDIATE_CA_KEY = "jstests/libs/ocsp/intermediate_ca_ocsp.key"; +const OCSP_SERVER_INTERMEDIATE_CA_CERT = "jstests/libs/ocsp/server_intermediate_ca_ocsp.pem"; var clearOCSPCache = function() { let provider = determineSSLProvider(); diff --git a/jstests/ocsp/ocsp_basic_ca_responder.js b/jstests/ocsp/ocsp_basic_ca_responder.js index 0a13d0acad7..f3a7ca3d9fe 100644 --- a/jstests/ocsp/ocsp_basic_ca_responder.js +++ b/jstests/ocsp/ocsp_basic_ca_responder.js 
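Review bot: The new constant `OCSP_SERVER_INTERMEDIATE_CA_CERT` names a server certificate (`server_intermediate_ca_ocsp.pem`), but its `_CA_CERT` suffix reads like a CA certificate and sits directly under `OCSP_INTERMEDIATE_CA_CERT`, which is one. The three real CA files follow the `OCSP_INTERMEDIATE_CA_*` pattern, so a name without `_CA_` in it, such as `OCSP_SERVER_VIA_INTERMEDIATE_CERT`, would keep the distinction visible at the call sites in ocsp_basic_ca_responder.js and ocsp_stapling.js. Since `intermediate_ca_ocsp.pem` bundles the CA's private key while `intermediate_ca_ocsp.crt` is the bare certificate, a short comment on these four lines saying which file is the key-bearing bundle would help whoever adds the next chain.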
@@ -9,44 +9,54 @@ load("jstests/ocsp/lib/mock_ocsp.js"); if (determineSSLProvider() === "apple") { return; } +function test(serverCert, caCert, responderCertPair) { + clearOCSPCache(); + + const ocsp_options = { + sslMode: "requireSSL", + sslPEMKeyFile: serverCert, + sslCAFile: caCert, + sslAllowInvalidHostnames: "", + setParameter: { + "failpoint.disableStapling": "{'mode':'alwaysOn'}", + "ocspEnabled": "true", + }, + }; + + // This is to test what happens when the responder is down, + // making sure that we soft fail. + let conn = null; + + let mock_ocsp = new MockOCSPServer("", 1, responderCertPair); + mock_ocsp.start(); + + assert.doesNotThrow(() => { + conn = MongoRunner.runMongod(ocsp_options); + }); + + mock_ocsp.stop(); + mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 1, responderCertPair); + mock_ocsp.start(); + + assert.throws(() => { + new Mongo(conn.host); + }); + + MongoRunner.stopMongod(conn); + + // The mongoRunner spawns a new Mongo Object to validate the collections which races + // with the shutdown logic of the mock_ocsp responder on some platforms. We need this + // sleep to make sure that the threads don't interfere with each other. + sleep(1000); + mock_ocsp.stop(); +} + +test(OCSP_SERVER_CERT, OCSP_CA_PEM, OCSP_CA_RESPONDER); + +// TODO: SERVER-47963 - remove this platform check. +if (determineSSLProvider() === "windows") { + return; +} -clearOCSPCache(); - -const ocsp_options = { - sslMode: "requireSSL", - sslPEMKeyFile: OCSP_SERVER_CERT, - sslCAFile: OCSP_CA_PEM, - sslAllowInvalidHostnames: "", - setParameter: { - "failpoint.disableStapling": "{'mode':'alwaysOn'}", - "ocspEnabled": "true", - }, -}; - -// This is to test what happens when the responder is down, -// making sure that we soft fail. 
-let conn = null; - -let mock_ocsp = new MockOCSPServer("", 1, true); -mock_ocsp.start(); - -assert.doesNotThrow(() => { - conn = MongoRunner.runMongod(ocsp_options); -}); - -mock_ocsp.stop(); -mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 1, true); -mock_ocsp.start(); - -assert.throws(() => { - new Mongo(conn.host); -}); - -MongoRunner.stopMongod(conn); - -// The mongoRunner spawns a new Mongo Object to validate the collections which races -// with the shutdown logic of the mock_ocsp responder on some platforms. We need this -// sleep to make sure that the threads don't interfere with each other. -sleep(1000); -mock_ocsp.stop(); +test(OCSP_SERVER_INTERMEDIATE_CA_CERT, OCSP_INTERMEDIATE_CA_PEM, OCSP_INTERMEDIATE_RESPONDER); }());
\ No newline at end of file diff --git a/jstests/ocsp/ocsp_stapling.js b/jstests/ocsp/ocsp_stapling.js index 02671770fb6..d3e72e72af3 100644 --- a/jstests/ocsp/ocsp_stapling.js +++ b/jstests/ocsp/ocsp_stapling.js @@ -14,11 +14,11 @@ if (!supportsStapling()) { return; } -var test = function(responderCA) { +function test(serverCert, caCert, responderCertPair) { const ocsp_options = { sslMode: "requireSSL", - sslPEMKeyFile: OCSP_SERVER_CERT, - sslCAFile: OCSP_CA_PEM, + sslPEMKeyFile: serverCert, + sslCAFile: caCert, sslAllowInvalidHostnames: "", setParameter: { "ocspEnabled": "true", @@ -35,7 +35,7 @@ var test = function(responderCA) { MongoRunner.stopMongod(conn); - let mock_ocsp = new MockOCSPServer("", 1000, responderCA); + let mock_ocsp = new MockOCSPServer("", 1000, responderCertPair); mock_ocsp.start(); // In this scenario, the Mongod has the ocsp response stapled @@ -48,7 +48,7 @@ var test = function(responderCA) { }); mock_ocsp.stop(); - mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 1000, responderCA); + mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 1000, responderCertPair); mock_ocsp.start(); assert.doesNotThrow(() => { new Mongo(conn.host); @@ -70,7 +70,7 @@ var test = function(responderCA) { }); mock_ocsp.stop(); - mock_ocsp = new MockOCSPServer("", 1000, responderCA); + mock_ocsp = new MockOCSPServer("", 1000, responderCertPair); mock_ocsp.start(); assert.throws(() => { @@ -84,8 +84,9 @@ var test = function(responderCA) { // sleep to make sure that the threads don't interfere with each other. sleep(1000); mock_ocsp.stop(); -}; +} -test(false); -test(true); +test(OCSP_SERVER_CERT, OCSP_CA_PEM, OCSP_DELEGATE_RESPONDER); +test(OCSP_SERVER_CERT, OCSP_CA_PEM, OCSP_CA_RESPONDER); +test(OCSP_SERVER_INTERMEDIATE_CA_CERT, OCSP_INTERMEDIATE_CA_PEM, OCSP_INTERMEDIATE_RESPONDER); }());
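Review bot: The rewritten `test` function names its third parameter `responderCertPair`, but every call passes a ResponderCertSet carrying three files (CA file, certificate, key), so the name under-describes the value; `responderCertSet` would match both the class and MockOCSPServer's `responder_certificate_set` parameter. The same rename applies to `function test(serverCert, caCert, responderCertPair)` in ocsp_stapling.js in the next hunk. In ocsp_basic_ca_responder.js the moved comment `// This is to test what happens when the responder is down` now sits inside `test()` directly above a responder that is started before `MongoRunner.runMongod` is called, so it appears no longer to describe the code under it; stating that the first responder answers "good" and only the second one returns revoked would be accurate.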
\ No newline at end of file diff --git a/jstests/ssl/x509/certs.yml b/jstests/ssl/x509/certs.yml index ff36cd9d6ad..c07d4307e0a 100644 --- a/jstests/ssl/x509/certs.yml +++ b/jstests/ssl/x509/certs.yml @@ -427,6 +427,39 @@ certs: keyUsage: [digitalSignature, keyEncipherment] extendedKeyUsage: [clientAuth] +# Intermediate OCSP tree +- name: 'intermediate_ca_ocsp.pem' + description: CA issued by the primary OCSP CA, which then issues its own server OCSP cert. + Subject: {CN: 'Intermediate CA for OCSP'} + Issuer: 'ca_ocsp.pem' + include_header: false + append_cert: 'ca_ocsp.pem' + output_path: 'jstests/libs/ocsp/' + keyfile: 'intermediate_ca_ocsp.key' + crtfile: 'intermediate_ca_ocsp.crt' + extensions: + subjectKeyIdentifier: hash + basicConstraints: + critical: true + CA: true + +- name: 'server_intermediate_ca_ocsp.pem' + description: Server OCSP certificate signed by intermediate CA. + Subject: {CN: 'Server OCSP Via Intermediate'} + Issuer: 'intermediate_ca_ocsp.pem' + include_header: false + output_path: 'jstests/libs/ocsp/' + extensions: + basicConstraints: {CA: false} + subjectAltName: + DNS: localhost + IP: 127.0.0.1 + authorityInfoAccess: 'OCSP;URI:http://localhost:8100/status' + subjectKeyIdentifier: hash + keyUsage: [digitalSignature, keyEncipherment] + extendedKeyUsage: [serverAuth, clientAuth] + +# OCSP Responder Certificate - name: 'ocsp_responder.pem' description: Certificate and key for the OCSP responder Subject: diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp index 28a5adf1969..03d728ab5d3 100644 --- a/src/mongo/util/net/ssl_manager_openssl.cpp +++ b/src/mongo/util/net/ssl_manager_openssl.cpp 
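Review bot: The new `intermediate_ca_ocsp.pem` entry declares `basicConstraints: {critical: true, CA: true}` and a `subjectKeyIdentifier` but no `keyUsage`, while the leaf it issues and the existing entry above it do declare one; with keyUsage absent the CA key is unrestricted, which works for the fixture but does not exercise the signing-usage checks a verifier applies to a real intermediate that also signs OCSP responses. If the generator accepts it, `keyUsage: [keyCertSign, cRLSign, digitalSignature]` on the intermediate would bring the fixture closer to a production chain. Neither new entry sets `authorityKeyIdentifier`, so issuer matching relies on subject/issuer names alone, which is also how getCertIdForCert in ssl_manager_openssl.cpp looks up the issuer in this diff; consistent, but a one-line comment on the entry saying so would save the next reader a check.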
@@ -281,6 +281,10 @@ inline void X509_OBJECT_free(X509_OBJECT* a) { OPENSSL_free(a); } +void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX* ctx, STACK_OF(X509) * sk) { + X509_STORE_CTX_set_chain(ctx, sk); +} + X509_OBJECT* X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX* vs, int type, X509_NAME* name) { X509_OBJECT* ret; ret = (X509_OBJECT*)OPENSSL_malloc(sizeof(X509_OBJECT)); @@ -460,18 +464,32 @@ struct X509_OBJECTFree { using UniqueX509Object = std::unique_ptr<X509_OBJECT, X509_OBJECTFree>; -StatusWith<UniqueCertId> getCertIdForCert(SSL_CTX* context, X509* cert) { - // Look in the certificate store for the certificate that issued cert +StatusWith<UniqueCertId> getCertIdForCert(SSL_CTX* context, + X509* cert, + STACK_OF(X509) * intermediateCerts) { + // First search the intermediate certificates for the issuer. + for (int i = 0; i < sk_X509_num(intermediateCerts); i++) { + if (X509_NAME_cmp(X509_get_issuer_name(cert), + X509_get_subject_name(sk_X509_value(intermediateCerts, i))) == 0) { + return UniqueCertId( + OCSP_cert_to_id(nullptr, cert, sk_X509_value(intermediateCerts, i))); + } + } + UniqueX509StoreCtx storeCtx(X509_STORE_CTX_new()); + if (!storeCtx) { return getSSLFailure("Could not create X509 store."); } + + // Look in the certificate store for the certificate that issued cert if (X509_STORE_CTX_init(storeCtx.get(), SSL_CTX_get_cert_store(context), NULL, NULL) == 0) { - return getSSLFailure("Could not initialize the X509 Store Context."); + return getSSLFailure("Could not initialize the X509 Store Context for the SSL Context."); } UniqueX509Object obj(X509_STORE_CTX_get_obj_by_subject( storeCtx.get(), X509_LU_X509, X509_get_issuer_name(cert))); + if (obj == nullptr) { return getSSLFailure("Could not get X509 Object from store."); } 
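Review bot: In getCertIdForCert the new intermediate-issuer path returns `UniqueCertId(OCSP_cert_to_id(nullptr, cert, sk_X509_value(intermediateCerts, i)))` with no null check, so a failed OCSP_cert_to_id (allocation or digest failure) comes back as an OK StatusWith holding a null id and surfaces, if at all, only at the callers in addOCSPUrlToMap, whereas the store-lookup path below does check `obj == nullptr`. Assuming UniqueCertId is a unique_ptr alias like UniqueX509Object, `UniqueCertId certId(OCSP_cert_to_id(nullptr, cert, sk_X509_value(intermediateCerts, i)));` followed by `if (!certId) { return getSSLFailure("Could not get certificate ID from intermediate issuer."); }` and `return certId;` closes that gap. Matching the issuer by `X509_NAME_cmp` alone is acceptable only because callers pass a chain OpenSSL has already verified (verifyStapledResponse takes it from SSLgetVerifiedChain), and a null stack is tolerated only because sk_X509_num returns -1 for it; a comment on the parameter stating both preconditions would pin them. The `X509_STORE_CTX_set0_untrusted` shim added in the first hunk has no caller anywhere in this diff, so it is presumably for code outside it or a follow-up; worth confirming it is not dead. The body of getCertIdForCert continues past the end of the hunk.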
@@ -595,7 +613,8 @@ StatusWith<std::vector<std::string>> addOCSPUrlToMap( SSL_CTX* context, X509* cert, std::map<std::string, OCSPRequestAndIDs>& ocspRequestMap, - OCSPCertIDSet& uniqueCertIds) { + OCSPCertIDSet& uniqueCertIds, + STACK_OF(X509) * intermediateCerts) { UniqueOpenSSLStringStack aiaOCSP(X509_get1_ocsp(cert)); std::vector<std::string> responders; @@ -627,7 +646,7 @@ StatusWith<std::vector<std::string>> addOCSPUrlToMap( HostAndPort hostAndPort(str::stream() << host << ":" << port); - auto swCertId = getCertIdForCert(context, cert); + auto swCertId = getCertIdForCert(context, cert, intermediateCerts); if (!swCertId.isOK()) { return swCertId.getStatus(); } @@ -637,7 +656,7 @@ StatusWith<std::vector<std::string>> addOCSPUrlToMap( return getSSLFailure("Could not get certificate ID for Map."); } - swCertId = getCertIdForCert(context, cert); + swCertId = getCertIdForCert(context, cert, intermediateCerts); if (!swCertId.isOK()) { return swCertId.getStatus(); } @@ -658,7 +677,7 @@ StatusWith<std::vector<std::string>> addOCSPUrlToMap( mapIter->second.certIDs.insert(std::move(certIDForArray)); } - auto swCertId = getCertIdForCert(context, cert); + auto swCertId = getCertIdForCert(context, cert, intermediateCerts); if (!swCertId.isOK()) { return swCertId.getStatus(); } @@ -894,7 +913,8 @@ StatusWith<OCSPValidationContext> extractOcspUris(SSL_CTX* context, std::map<std::string, OCSPRequestAndIDs> ocspRequestMap; OCSPCertIDSet uniqueCertIds; - auto swLeafResponders = addOCSPUrlToMap(context, peerCert, ocspRequestMap, uniqueCertIds); + auto swLeafResponders = + addOCSPUrlToMap(context, peerCert, ocspRequestMap, uniqueCertIds, intermediateCerts); if (!swLeafResponders.isOK()) { return swLeafResponders.getStatus(); } 
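Review bot: addOCSPUrlToMap gains a trailing `STACK_OF(X509) * intermediateCerts` parameter with no comment on whether it may be null or what it must contain, and the three getCertIdForCert calls in the function forward it unchanged. It ends up in `sk_X509_num(intermediateCerts)` inside getCertIdForCert, where a null stack is tolerated because sk_num returns -1 for null, but that is an OpenSSL detail readers should not have to derive; a comment above the signature such as `// intermediateCerts: the peer's verified chain, searched for the issuer before falling back to the SSL_CTX store; may be null.` would state the contract. In extractOcspUris the forwarded `intermediateCerts` is not declared within the hunk, so I assume it is an existing parameter of that function. Both enclosing functions begin and end outside these hunks.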
@@ -1477,7 +1497,7 @@ StatusWith<bool> verifyStapledResponse(SSL* conn, X509* peerCert, OCSP_RESPONSE* auto intermediateCerts = SSLgetVerifiedChain(conn); OCSPCertIDSet emptyCertIDSet{}; - auto swCertId = getCertIdForCert(SSL_get_SSL_CTX(conn), peerCert); + auto swCertId = getCertIdForCert(SSL_get_SSL_CTX(conn), peerCert, intermediateCerts.get()); if (!swCertId.isOK()) { return swCertId.getStatus(); } @@ -1545,12 +1565,17 @@ int ocspClientCallback(SSL* ssl, void* arg) { if (swStapleOK.getStatus() == ErrorCodes::OCSPCertificateStatusRevoked) { LOGV2_DEBUG(23225, 1, - "Stapled Certificate validation failed: {error}", - "Stapled Certificate validation failed", + "Stapled OCSP Response validation failed: {error}", + "Stapled OCSP Response validation failed", "error"_attr = swStapleOK.getStatus()); return OCSP_CLIENT_RESPONSE_NOT_ACCEPTABLE; } + LOGV2_ERROR(4781101, + "Stapled OCSP Response validation threw an error: {error}", + "Stapled OCSP Response validation threw an error", + "error"_attr = swStapleOK.getStatus()); + return OCSP_CLIENT_RESPONSE_ERROR; } else if (!swStapleOK.getValue()) { LOGV2_DEBUG(23226, |
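Review bot: ocspClientCallback now returns `OCSP_CLIENT_RESPONSE_ERROR` for every non-revocation failure of verifyStapledResponse, which aborts the handshake on a malformed or unverifiable staple instead of falling out of the `if (!swStapleOK.isOK())` block into whatever the code after the chain does (not visible here); if hard-failing this case is intentional, a comment above the new `LOGV2_ERROR` saying why it must not soft-fail would keep the next reader from "fixing" it. Logging at ERROR level on each such handshake may also be noisy when a peer staples bad responses repeatedly, so it is worth checking whether the LOGV2_DEBUG level used for the revoked case two lines above is the better fit. In verifyStapledResponse, `intermediateCerts.get()` comes from the local `SSLgetVerifiedChain(conn)`, so the issuer search is scoped to that lifetime, which matches how getCertIdForCert uses it in this diff. Both enclosing functions continue outside the hunk.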