From 3390cf27165d49ad7739b447b50927e874ec2c1e Mon Sep 17 00:00:00 2001
From: Shreyas Kalyan
Date: Mon, 27 Apr 2020 21:29:56 -0700
Subject: SERVER-47811 Search the intermediate certificates for the issuer of the peer certificate
---
 jstests/ocsp/ocsp_basic_ca_responder.js | 88 ++++++++++++++++++---------------
 1 file changed, 49 insertions(+), 39 deletions(-)
(limited to 'jstests/ocsp/ocsp_basic_ca_responder.js')
diff --git a/jstests/ocsp/ocsp_basic_ca_responder.js b/jstests/ocsp/ocsp_basic_ca_responder.js
index 0a13d0acad7..f3a7ca3d9fe 100644
--- a/jstests/ocsp/ocsp_basic_ca_responder.js
+++ b/jstests/ocsp/ocsp_basic_ca_responder.js
@@ -9,44 +9,54 @@ load("jstests/ocsp/lib/mock_ocsp.js");
 if (determineSSLProvider() === "apple") {
     return;
 }
+function test(serverCert, caCert, responderCertPair) {
+    clearOCSPCache();
+
+    const ocsp_options = {
+        sslMode: "requireSSL",
+        sslPEMKeyFile: serverCert,
+        sslCAFile: caCert,
+        sslAllowInvalidHostnames: "",
+        setParameter: {
+            "failpoint.disableStapling": "{'mode':'alwaysOn'}",
+            "ocspEnabled": "true",
+        },
+    };
+
+    // This is to test what happens when the responder is down,
+    // making sure that we soft fail.
+    let conn = null;
+
+    let mock_ocsp = new MockOCSPServer("", 1, responderCertPair);
+    mock_ocsp.start();
+
+    assert.doesNotThrow(() => {
+        conn = MongoRunner.runMongod(ocsp_options);
+    });
+
+    mock_ocsp.stop();
+    mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 1, responderCertPair);
+    mock_ocsp.start();
+
+    assert.throws(() => {
+        new Mongo(conn.host);
+    });
+
+    MongoRunner.stopMongod(conn);
+
+    // The mongoRunner spawns a new Mongo Object to validate the collections which races
+    // with the shutdown logic of the mock_ocsp responder on some platforms. We need this
+    // sleep to make sure that the threads don't interfere with each other.
+    sleep(1000);
+    mock_ocsp.stop();
+}
+
+test(OCSP_SERVER_CERT, OCSP_CA_PEM, OCSP_CA_RESPONDER);
+
+// TODO: SERVER-47963 - remove this platform check.
+if (determineSSLProvider() === "windows") {
+    return;
+}
-clearOCSPCache();
-
-const ocsp_options = {
-    sslMode: "requireSSL",
-    sslPEMKeyFile: OCSP_SERVER_CERT,
-    sslCAFile: OCSP_CA_PEM,
-    sslAllowInvalidHostnames: "",
-    setParameter: {
-        "failpoint.disableStapling": "{'mode':'alwaysOn'}",
-        "ocspEnabled": "true",
-    },
-};
-
-// This is to test what happens when the responder is down,
-// making sure that we soft fail.
-let conn = null;
-
-let mock_ocsp = new MockOCSPServer("", 1, true);
-mock_ocsp.start();
-
-assert.doesNotThrow(() => {
-    conn = MongoRunner.runMongod(ocsp_options);
-});
-
-mock_ocsp.stop();
-mock_ocsp = new MockOCSPServer(FAULT_REVOKED, 1, true);
-mock_ocsp.start();
-
-assert.throws(() => {
-    new Mongo(conn.host);
-});
-
-MongoRunner.stopMongod(conn);
-
-// The mongoRunner spawns a new Mongo Object to validate the collections which races
-// with the shutdown logic of the mock_ocsp responder on some platforms. We need this
-// sleep to make sure that the threads don't interfere with each other.
-sleep(1000);
-mock_ocsp.stop();
+test(OCSP_SERVER_INTERMEDIATE_CA_CERT, OCSP_INTERMEDIATE_CA_PEM, OCSP_INTERMEDIATE_RESPONDER);
 }());
\ No newline at end of file
-- 
cgit v1.2.1
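Review bot: The good-responder phase of `test` asserts only that `MongoRunner.runMongod` does not throw; nothing in the block asserts that a client connection is accepted while the responder returns a good status, and the bare `assert.throws(() => { new Mongo(conn.host); })` passes on any connection failure, so for the intermediate-CA case added at the end of the hunk the test shows refusal under a revoked response but not acceptance when the issuer is found and the response is good (the shell presumably connects inside `runMongod`, but that is not checked here). Adding `assert.doesNotThrow(() => { new Mongo(conn.host); });` directly after the `runMongod` block, before the first `mock_ocsp.stop()`, would pin both halves of the behaviour the commit title describes. The comment `// This is to test what happens when the responder is down,` is carried over from the old top-level code and no longer matches this block, which starts a responder before mongod; `// Start mongod against a responder returning a good status, then switch to a revoked response and expect client connections to fail.` describes what the code does. A short JSDoc on `test` stating that `responderCertPair` is passed straight through to `MockOCSPServer` (in place of the former literal `true`) would help readers coming from the old version. The enclosing IIFE closed by `}());` begins outside the hunk.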