Diffstat (limited to 'jstests/ssl/x509/mkcert.py')
-rwxr-xr-x | jstests/ssl/x509/mkcert.py | 43 |
1 files changed, 35 insertions, 8 deletions
diff --git a/jstests/ssl/x509/mkcert.py b/jstests/ssl/x509/mkcert.py
index f46bd12dd63..61defb35539 100755
--- a/jstests/ssl/x509/mkcert.py
+++ b/jstests/ssl/x509/mkcert.py
@@ -155,7 +155,7 @@ def set_general_dict_extension(x509, exts, cert, name, typed_values):
         else:
             value.append(key + ':' + val)
 
-    exts.append(OpenSSL.crypto.X509Extension(b'basicConstraints', critical, ','.join(value).encode('utf-8'), subject=x509))
+    exts.append(OpenSSL.crypto.X509Extension(bytes(name, 'utf-8'), critical, ','.join(value).encode('utf-8'), subject=x509))
 
 def set_general_list_extension(x509, exts, cert, name, values):
     """Set value elements for a given extension."""
@@ -177,6 +177,13 @@ def set_general_list_extension(x509, exts, cert, name, values):
 
     exts.append(OpenSSL.crypto.X509Extension(name.encode('utf-8'), critical, ','.join(tags).encode('utf-8'), subject=x509))
 
+def set_ocsp_extension(x509, exts, cert):
+    """Set the OCSP extension"""
+    ocsp = cert.get('extensions', {}).get('authorityInfoAccess')
+    if not ocsp:
+        return
+    exts.append(OpenSSL.crypto.X509Extension(b'authorityInfoAccess', False, ocsp.encode('utf-8'), subject=x509))
+
 def set_san_extension(x509, exts, cert):
     """Set the Subject Alternate Name extension."""
     san = cert.get('extensions', {}).get('subjectAltName')
@@ -288,9 +295,10 @@ def set_extensions(x509, cert):
         'keyAgreement', 'keyCertSign', 'cRLSign', 'encipherOnly', 'decipherOnly'])
     set_general_list_extension(x509, exts, cert, 'extendedKeyUsage', [
         'serverAuth', 'clientAuth', 'codeSigning', 'emailProtection', 'timeStamping',
-        'msCodeInd', 'msCodeCom', 'msCTLSign', 'msSGC', 'msEFS', 'nsSGC'])
+        'msCodeInd', 'msCodeCom', 'msCTLSign', 'msSGC', 'msEFS', 'nsSGC', 'OCSPSigning'])
     enable_subject_key_identifier_extension(x509, exts, cert)
     enable_authority_key_identifier_extension(x509, exts, cert)
+    set_ocsp_extension(x509, exts, cert)
     set_san_extension(x509, exts, cert)
     set_mongo_roles_extension(exts, cert)
 
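Review bot: The new `bytes(name, 'utf-8')` in the exts.append line of set_general_dict_extension spells the same conversion differently from the sibling set_general_list_extension, whose exts.append line (visible in the next hunk) uses `name.encode('utf-8')`. Writing `name.encode('utf-8')` here keeps the two helpers parallel and makes it obvious at a glance that they construct the extension the same way. The body of set_general_dict_extension starts outside the hunk.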
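Review bot: The docstring of the new set_ocsp_extension names a different thing than the code sets: the helper reads the `authorityInfoAccess` config value and emits an `authorityInfoAccess` X509Extension, which is where an OCSP responder URI is carried but is not itself "the OCSP extension". Suggest `"""Set the authorityInfoAccess extension (OCSP responder / CA issuer URIs) from the cert config, if present."""`, with the trailing period the neighbouring helpers' docstrings use. The config string is passed through to OpenSSL unparsed, so a malformed value will only surface as an error from X509Extension construction; a one-line comment above the exts.append, `# Value is OpenSSL's authorityInfoAccess config syntax; OpenSSL validates it, we do not.`, records that. Passing `False` for critical is the right choice here, since the extension is expected to be non-critical.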
@@ -321,11 +329,14 @@ def sign_cert(x509, cert, key):
     x509.sign(signing_key, sig)
 
 def get_header_comment(cert):
+    if not cert.get('include_header', True):
+        return ''
     """Header comment for every generated file."""
     comment = "# Autogenerated file, do not edit.\n"
     comment = comment + '# Generate using jstests/ssl/x509/mkcert.py --config ' + CONFIGFILE
     comment = comment + ' ' + cert['name'] + "\n#\n"
     comment = comment + "# " + cert.get('description', '').replace("\n", "\n# ")
+    comment = comment + "\n"
     return comment
 
 def convert_cert_to_pkcs1(cert):
@@ -380,10 +391,25 @@ def create_cert(cert):
         passphrase = passphrase.encode('utf-8')
         cipher = 'aes256'
 
-    open(make_filename(cert), 'wt').write(
-        get_header_comment(cert) + "\n" +
-        OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, x509).decode('ascii') +
-        OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key, cipher=cipher, passphrase=passphrase).decode('ascii'))
+    header = get_header_comment(cert)
+    # The OCSP responder certificate needs to have the key and the pem file separated.
+    if cert.get('keyfile', False):
+        keyfile = cert['keyfile']
+        key_path_dict = {'output_path': cert['output_path'], 'name': keyfile}
+        open(make_filename(cert), 'wt').write(
+            header +
+            OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, x509).decode('ascii'))
+
+        open(make_filename(key_path_dict), 'wt').write(
+            header +
+            OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key, cipher=cipher, passphrase=passphrase).decode('ascii'))
+
+    else:
+        # OCSP certificates cannot have comments because the Mock OCSP responder cannot process comments in Certificates
+        open(make_filename(cert), 'wt').write(
+            header +
+            OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, x509).decode('ascii') +
+            OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key, cipher=cipher, passphrase=passphrase).decode('ascii'))
 
     if cert.get('pkcs1'):
         convert_cert_to_pkcs1(cert)
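Review bot: The new `include_header` guard in get_header_comment is inserted above the docstring, so `"""Header comment for every generated file."""` is no longer the function's docstring but a bare string statement sitting after an early return. Move the two guard lines below the docstring, and let the docstring record the new behaviour: `"""Header comment for every generated file; empty when the cert config sets include_header to false."""`. Since the "\n" that create_cert used to append is now added inside this function (the new `comment = comment + "\n"` line), any other caller that still appends its own newline would produce a doubled blank line; I can only see create_cert and process_cert from here, and both are updated in this commit.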
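Review bot: The comment `# OCSP certificates cannot have comments because the Mock OCSP responder cannot process comments in Certificates` is placed on the else branch of create_cert, which is the ordinary combined cert-plus-key path and still writes `header`; the behaviour it describes actually lives in the `include_header` check inside get_header_comment. Move it beside `header = get_header_comment(cert)` and reword it to what the code does, e.g. `# header is '' for certs with include_header: false (the mock OCSP responder cannot parse comments in PEM files).`. The three new `open(...).write(...)` expressions also discard the file object without an explicit close; `with open(make_filename(cert), 'wt') as out: out.write(...)` makes flush-and-close explicit and lets write errors surface at the right line. Separately, the keyfile path now writes a private key into its own file at whatever mode the process umask yields; if anything that consumes these fixtures checks key-file permissions, the write should be followed by `os.chmod(<keyfile path>, 0o600)`, though I cannot tell from here whether that applies to these test artifacts.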
@@ -513,8 +539,9 @@ def process_cert(cert):
             x509 = load_authority_file(append_cert)[0]
             if not x509:
                 raise ValueError("Unable to find certificate '" + append_cert + "' to append")
+            header = "# Certificate from " + append_cert + "\n" if cert.get('include_header', True) else ""
             open(make_filename(cert), 'at').write(
-                "# Certificate from " + append_cert + "\n" +
+                header +
                 OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, x509).decode('ascii'))
 
 def parse_command_line():
@@ -537,7 +564,7 @@ def validate_config():
     if not CONFIG.get('certs'):
         raise ValueError('No certificates defined')
 
-    permissible = ['name', 'description', 'Subject', 'Issuer', 'append_cert', 'extensions', 'passphrase', 'output_path', 'hash', 'key_type', 'explicit_subject', 'serial', 'not_before', 'not_after', 'pkcs1', 'pkcs12']
+    permissible = ['name', 'description', 'Subject', 'Issuer', 'append_cert', 'extensions', 'passphrase', 'output_path', 'hash', 'include_header', 'key_type', 'keyfile', 'explicit_subject', 'serial', 'not_before', 'not_after', 'pkcs1', 'pkcs12']
     for cert in CONFIG.get('certs', []):
         keys = cert.keys()
         if not 'name' in keys:
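Review bot: The widened `permissible` list in validate_config admits `include_header` and `keyfile`, but nothing in the visible validation checks their values, and create_cert (earlier hunk) splices `cert['keyfile']` straight into a filename through make_filename. A check next to the existing `'name'` presence test, e.g. `if 'keyfile' in keys and not isinstance(cert['keyfile'], str): raise ValueError("keyfile must be a string for cert '" + cert['name'] + "'")`, turns a malformed config entry into a clear error instead of a failure at write time; make_filename is not visible here, so whether it rejects path separators in the name is something to confirm. The validation loop body continues outside the hunk.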