From 4090443517771d0f71dcd705d02bb53bd86715ad Mon Sep 17 00:00:00 2001
From: Shreyas Kalyan
Date: Sat, 18 Jan 2020 01:11:19 +0000
Subject: SERVER-45568 Expand OCSP+CRL features in test cert generator

---
 jstests/libs/ocsp/server_ocsp_mustStaple.pem | 52 ++++++++++++++++++++++++++++
 jstests/ssl/x509/certs.yml | 22 ++++++++++++
 jstests/ssl/x509/mkcert.py | 29 ++++++++++++++++
 3 files changed, 103 insertions(+)
 create mode 100644 jstests/libs/ocsp/server_ocsp_mustStaple.pem

diff --git a/jstests/libs/ocsp/server_ocsp_mustStaple.pem b/jstests/libs/ocsp/server_ocsp_mustStaple.pem
new file mode 100644
index 00000000000..eb71cbe861a
--- /dev/null
+++ b/jstests/libs/ocsp/server_ocsp_mustStaple.pem
@@ -0,0 +1,52 @@ +-----BEGIN CERTIFICATE----- +MIIEGDCCAwCgAwIBAgIEYp3+gDANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV +UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO +BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs +IFRlc3QgQ0EwHhcNMjAwMTA3MjEzNTUxWhcNNDAwMTA5MjEzNTUxWjBiMRAwDgYD +VQQKDAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxEjAQBgNVBAMMCWxvY2FsaG9z +dDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMQ8wDQYDVQQHDAZPQ1NQLTEwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5/sdIfinLeBXTGTqOlrD4hVJS +xWOEulhUPqofx5glGxtnSTyWzo2IiC1jGcTIV9xchRvI9sE8MvxvqTsQBWK0F3rt +UTp74bEy/1vaVut0Z+Q6FrxRrDyrOb3D0rp6yu40MlB+m2dNtKABpSpUtgHidaNC +96ppLk+mr6r8Mg18qwGXYkxEDFIflwq0Dpfm0SWYPyVy6JOzasIpj+/5ysnMtyfv +E8w21jzLouSHAjlXJoW7zzhAJ2OOO9QYN9Q3Zec+WmgDPF9H4fCuUZTTdfC+bLCQ +mut6sVzrsHljnXL3Axhp+3u3CnZ+wEy5Z4xupaX8p6oyJxHjaaOLxMOkvO53AgMB +AAGjgcMwgcAwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYB +BQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQr1IxBj9v86aeQ4QDwyzuN0zQGHzA5 +BggrBgEFBQcBAQQtMCswKQYIKwYBBQUHMAGGHWh0dHA6Ly9sb2NhbGhvc3Q6ODEw +MC9zdGF0dXMvMBEGCCsGAQUFBwEYBAUwAwIBBTAaBgNVHREEEzARgglsb2NhbGhv +c3SHBH8AAAEwDQYJKoZIhvcNAQELBQADggEBAEdkbnvw4MQZYye/NrWK2gpNH4ud +B1FGz9kr6xL6GZrI0jge1LI8Lhp8CWsmlbTbmEfqNJbpi27eK/U5W72ykQZQmXh0 +ht3JEtgaOiQoGYNA2ji59nBSc3parwD6XgZoVsRoNvozik5OinTCt57JbG5+OUI9 +RYwQbM/f67qnKfyH7y0ekVEXO9p9s0nexEscx5FqdmjhGRHBN8Y6t2r/v6DI8tFW +qH62pR++LxcDdxBTNrXNgyGy9R0GgQ1Xf7Bq2bL57TudOPGn/s0RYojqnVD+IP7C +cYEDO4ShYyopHskCB4jW5D1YTB5nZKcXt7HW+mmB7xc3a7GCNxsBYk7gHPw= +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC5/sdIfinLeBXT +GTqOlrD4hVJSxWOEulhUPqofx5glGxtnSTyWzo2IiC1jGcTIV9xchRvI9sE8Mvxv +qTsQBWK0F3rtUTp74bEy/1vaVut0Z+Q6FrxRrDyrOb3D0rp6yu40MlB+m2dNtKAB +pSpUtgHidaNC96ppLk+mr6r8Mg18qwGXYkxEDFIflwq0Dpfm0SWYPyVy6JOzasIp +j+/5ysnMtyfvE8w21jzLouSHAjlXJoW7zzhAJ2OOO9QYN9Q3Zec+WmgDPF9H4fCu +UZTTdfC+bLCQmut6sVzrsHljnXL3Axhp+3u3CnZ+wEy5Z4xupaX8p6oyJxHjaaOL 
+xMOkvO53AgMBAAECggEAXvInauM0lLB9e6CiWs2kE4mDZ8tprQSvOHowwD5UdYSr +7YLeUiGo8GyLts4dvSPU0soEUAdex0tDwACErP4Cz+o4j1Lq5vhkS6M9kWzTjz3F +rL2UbqDc649zRraZCTv0c2LH4omUJ3+wOobE4C91MNRafkINlNnWQUHlqA4pAl0t +AXUF+5Tt+kQ6wvhIUJSyugYdnypXR5HP5V5NbO2kG6acGtqzac2lmqgRkoOujhR7 +MxpZXiMhYANcsEgZ0vZY5YOCgN1WyACYKLb5+bu1XL3kyIFZAQRmvctQMXA4dwF/ +VRs+EGvVqWAJQy36ivA/cDyJIv9gk3u6QsHluhTTMQKBgQD1jQMWlhjJQm0uqX3g ++DkiBKWUP7Bp9LRLXKhkD9kncZ00hGQ7+mZ48ir1Ulzy/ZM4BqG02ElzplMwhlDx +WzFKRQud1S7Jf4Ui0RkHRDy1obwwNaDe+eyleUc1nEQLZYO8fo+E/XVaioaAv1AN +HbOCPIDuw5vCudu9yY2r4zop2QKBgQDB6Pph9Rfgr2r4hU/SphsLsJwt460o6V1c +G82vInI+BQprRH7swN7Y1jgHu9UxCHaTVkuqoGOTnPladQZMD3M7LH88IbQuVuEj +SCZfv63LTeH12ZBervX7grWtrXd+RTLxYgRKzvaOw5ljo6jpZ7Zdz5ARVHJZ99Yi +juwTatbYzwKBgG+ia0wCc0RUqdS0A+GamEbp++k5R1f0g19bwca0GdK/6Wut4PAP +uDS2TGd5yX5DYIHxKeVRC5vDe0CtX/FKt07/svdPq1S6X+njTFCsajldTXRRfVDC +KR9V0tUBtUHFJi41D8Szgn3mSp4P3DIKVckY/rkOPys5WjifgIQr6w6JAoGBAL/r ++M21iMGQvZ5mTAAg+YnTbnEY9E0W1JmSxzw9Krdpw8sxizKHHsmdFO3KohKa3smr +Us75WjVC26YFR4tGi3WY8AGzFiP7R2/lPF3uWHRtjGUJxhOAteQOlgTlOOzYTriM +m9TzDSN2Qz5UQJ1rUht9kYklfNzBKMchkFUTnLwPAoGBAKOo804nymog5vczqatn +0Pqjpp0m9/pp0iuGdvWnFPNnT8UxV11WntxDEo8vLy1wm3+xDI7TTcPpnPeQ7Md5 +zXr9OJ25Pg3VgO+4G49X161tzrDqr5oqx5gbu8tqsw9GmZviYR9FeT8pnsNY+WFO +SlXgKU57i/Gll9ichgWGjrVT +-----END PRIVATE KEY----- diff --git a/jstests/ssl/x509/certs.yml b/jstests/ssl/x509/certs.yml index 46d0f3a96c2..4ee6e9a01e6 100644 --- a/jstests/ssl/x509/certs.yml +++ b/jstests/ssl/x509/certs.yml 
@@ -361,6 +361,28 @@ certs:
 keyUsage: [digitalSignature, keyEncipherment]
 extendedKeyUsage: [serverAuth, clientAuth]
 
+- name: 'server_ocsp_mustStaple.pem'
+ description: >-
+ Must Staple OCSP certificate for the mongodb server.
+ Subject:
+ CN: 'localhost'
+ C: US
+ ST: NY
+ L: OCSP-1
+ Issuer: 'ca_ocsp.pem'
+ include_header: false
+ output_path: 'jstests/libs/ocsp/'
+ extensions:
+ basicConstraints: {CA: false}
+ subjectAltName:
+ DNS: localhost
+ IP: 127.0.0.1
+ authorityInfoAccess: 'OCSP;URI:http://localhost:8100/status/'
+ mustStaple: true
+ subjectKeyIdentifier: hash
+ keyUsage: [digitalSignature, keyEncipherment]
+ extendedKeyUsage: [serverAuth, clientAuth]
+
 - name: 'client_ocsp.pem'
 description: >-
 OCSP certificate for the mongodb client.
diff --git a/jstests/ssl/x509/mkcert.py b/jstests/ssl/x509/mkcert.py
index dd0f471735d..a33767efd64 100755
--- a/jstests/ssl/x509/mkcert.py
+++ b/jstests/ssl/x509/mkcert.py
@@ -26,6 +26,9 @@ CONFIGFILE = 'jstests/ssl/x509/certs.yml'
 CONFIG = Dict[str, Any]
 
+MUST_STAPLE_KEY = b'1.3.6.1.5.5.7.1.24'
+MUST_STAPLE_VALUE = str('DER:30:03:02:01:05').encode('utf-8')
+
 
 def glbl(key, default=None):
 """Fetch a key from the global dict."""
 return CONFIG.get('global', {}).get(key, default)
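Review bot: The two new module constants carry a bare OID and a raw DER blob with no comment saying what they encode, and `MUST_STAPLE_VALUE = str('DER:30:03:02:01:05').encode('utf-8')` wraps a literal in a redundant `str()` where the line above simply uses a bytes literal. 1.3.6.1.5.5.7.1.24 is id-pe-tlsfeature (RFC 7633) and `30 03 02 01 05` is the DER encoding of SEQUENCE { INTEGER 5 }, i.e. the TLS status_request feature that makes a certificate "must-staple", so I would write `MUST_STAPLE_KEY = b'1.3.6.1.5.5.7.1.24'  # id-pe-tlsfeature (RFC 7633)` and `MUST_STAPLE_VALUE = b'DER:30:03:02:01:05'  # SEQUENCE { INTEGER 5 } = status_request`. A one-line note that the raw OID/DER form is used presumably because the OpenSSL build in use does not accept the `tlsfeature` short name would also save the next reader a lookup.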
@@ -184,6 +187,21 @@ def set_ocsp_extension(x509, exts, cert):
 return
 exts.append(OpenSSL.crypto.X509Extension(b'authorityInfoAccess', False, ocsp.encode('utf-8'), subject=x509))
 
+def set_no_check_extension(x509, exts, cert):
+ """Set the OCSP No Check extension"""
+ noCheck = cert.get('extensions', {}).get('noCheck')
+ if not noCheck:
+ return
+ # "The OCSP No Check extension is a string extension but its value is ignored." https://www.openssl.org/docs/man1.1.1/man5/x509v3_config.html
+ exts.append(OpenSSL.crypto.X509Extension(b'noCheck', False, "this-value-ignored".encode('utf8'), subject=x509))
+
+def set_tls_feature_extension(x509, exts, cert):
+ """Set the OCSP Must Staple extension"""
+ mustStaple = cert.get('extensions', {}).get('mustStaple')
+ if not mustStaple:
+ return
+ exts.append(OpenSSL.crypto.X509Extension(MUST_STAPLE_KEY, False, MUST_STAPLE_VALUE, subject=x509))
+
 def set_san_extension(x509, exts, cert):
 """Set the Subject Alternate Name extension."""
 san = cert.get('extensions', {}).get('subjectAltName')
@@ -286,6 +304,14 @@ def set_mongo_roles_extension(exts, cert):
 exts.append(OpenSSL.crypto.X509Extension(b'1.3.6.1.4.1.34601.2.1.1', False, value))
 
+def set_crl_distribution_point_extension(exts, cert):
+ """Specify URI(s) for CRL distribution point(s)."""
+ uris = cert.get('extensions', {}).get('crlDistributionPoints')
+ if not uris:
+ return
+
+ exts.append(OpenSSL.crypto.X509Extension(b'crlDistributionPoints', False, (','.join(uris)).encode('utf-8')))
+
 
 def set_extensions(x509, cert):
 """Setup X509 extensions."""
 exts = []
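Review bot: The docstring of `set_no_check_extension` documents only the OpenSSL value quirk, not what the extension means: id-pkix-ocsp-nocheck (RFC 6960 4.2.2.2.1) tells a relying party to skip revocation checking of the certificate that carries it, which is why it belongs only on OCSP responder signing certificates, and that is worth stating so nobody copies `noCheck: true` onto a server entry in certs.yml. I would replace `"""Set the OCSP No Check extension"""` with `"""Set id-pkix-ocsp-nocheck (RFC 6960 4.2.2.2.1): clients skip revocation checks for this cert, so use it only on OCSP responder signing certs."""`. Two style points in the same hunk: the locals `noCheck` and `mustStaple` are camelCase where the rest of the file uses snake_case (`uris`, `san`, `exts`), and `"this-value-ignored".encode('utf8')` can simply be `b'this-value-ignored'`, matching the `b'noCheck'` argument beside it. The `set_ocsp_extension` context at the top of the hunk and `set_san_extension` at the bottom both continue outside it.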
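Review bot: `(','.join(uris))` in `set_crl_distribution_point_extension` assumes `crlDistributionPoints` is a list; if a certs.yml entry writes it as a single scalar the way `authorityInfoAccess` is written on this page, `str.join` iterates the characters and the extension value becomes `h,t,t,p,...`, which is not a valid distribution-point spec. Normalise before joining: `if isinstance(uris, str):` / `uris = [uris]`. The value is also passed through verbatim, so each entry presumably needs the `URI:` prefix that the OpenSSL config syntax expects (the `authorityInfoAccess` entry in certs.yml uses that form); the docstring should say so, e.g. `"""Set crlDistributionPoints from a list of OpenSSL-syntax entries such as 'URI:http://host/crl.pem'."""`. `set_extensions` at the end of the hunk continues outside it.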
@@ -299,6 +325,9 @@ def set_extensions(x509, cert):
 enable_subject_key_identifier_extension(x509, exts, cert)
 enable_authority_key_identifier_extension(x509, exts, cert)
 set_ocsp_extension(x509, exts, cert)
+ set_no_check_extension(x509, exts, cert)
+ set_tls_feature_extension(x509, exts, cert)
+ set_crl_distribution_point_extension(exts, cert)
 set_san_extension(x509, exts, cert)
 set_mongo_roles_extension(exts, cert)
--
cgit v1.2.1