Diffstat (limited to 'jstests/ssl/crl_x509_rotate.js')
-rw-r--r--jstests/ssl/crl_x509_rotate.js71
1 files changed, 71 insertions, 0 deletions
diff --git a/jstests/ssl/crl_x509_rotate.js b/jstests/ssl/crl_x509_rotate.js
new file mode 100644
index 00000000000..8781c5c75c1
--- /dev/null
+++ b/jstests/ssl/crl_x509_rotate.js
@@ -0,0 +1,71 @@
+// Check that rotation works for the CRL
+
+(function() {
+"use strict";
+
+load('jstests/ssl/libs/ssl_helpers.js');
+
+if (determineSSLProvider() === "openssl" || determineSSLProvider() === "apple") {
+ return;
+}
+
+const dbPath = MongoRunner.toRealDir("$dataDir/cluster_x509_rotate_test/");
+mkdir(dbPath);
+
+copyCertificateFile("jstests/libs/crl.pem", dbPath + "/crl-test.pem");
+
+const mongod = MongoRunner.runMongod({
+ sslMode: "requireSSL",
+ sslPEMKeyFile: "jstests/libs/server.pem",
+ sslCAFile: "jstests/libs/ca.pem",
+ sslCRLFile: dbPath + "/crl-test.pem"
+});
+
+const host = "localhost:" + mongod.port;
+
+// Make sure that client-revoked can connect at first
+let out = runMongoProgram("mongo",
+ "--host",
+ host,
+ "--ssl",
+ "--sslPEMKeyFile",
+ "jstests/libs/client_revoked.pem",
+ "--sslCAFile",
+ "jstests/libs/ca.pem",
+ "--eval",
+ ";");
+assert.eq(out, 0, "Initial mongo invocation failed");
+
+// Rotate in new CRL
+copyCertificateFile("jstests/libs/crl_client_revoked.pem", dbPath + "/crl-test.pem");
+
+assert.commandWorked(mongod.adminCommand({rotateCertificates: 1}));
+
+// Make sure client-revoked can't connect
+out = runMongoProgram("mongo",
+ "--host",
+ host,
+ "--ssl",
+ "--sslPEMKeyFile",
+ "jstests/libs/client_revoked.pem",
+ "--sslCAFile",
+ "jstests/libs/ca.pem",
+ "--eval",
+ ";");
+assert.neq(out, 0, "Mongo invocation did not fail");
+
+// Make sure client can still connect
+out = runMongoProgram("mongo",
+ "--host",
+ host,
+ "--ssl",
+ "--sslPEMKeyFile",
+ "jstests/libs/client.pem",
+ "--sslCAFile",
+ "jstests/libs/ca.pem",
+ "--eval",
+ ";");
+assert.eq(out, 0, "Mongo invocation failed");
+
+MongoRunner.stopMongod(mongod);
+}());
\ No newline at end of file
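Review bot: The guard at the top returns silently when `determineSSLProvider()` is "openssl" or "apple", so on those providers the test reports success without ever exercising CRL rotation, and nothing in the file says why. Add a comment giving the reason for the restriction and log the skip, e.g. `jsTestLog("Skipping CRL rotation test on " + determineSSLProvider());` before the `return;`, so the missing revocation coverage is visible in test output instead of hidden behind a pass. The second invocation only asserts `assert.neq(out, 0, ...)`, which any connection failure satisfies; the later `client.pem` success rules out a dead server, but not a handshake rejected for a reason other than revocation, so a short comment on that limit would help. The data directory is named `cluster_x509_rotate_test`, which looks copied from another test; `"$dataDir/crl_x509_rotate_test/"` would avoid sharing a path with it.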