From 03048e3ab4989342876e265eb3bde5d18aacb2a5 Mon Sep 17 00:00:00 2001
From: Stuart Larsen
Date: Fri, 25 Jul 2014 18:31:38 -0400
Subject: SERVER-14516 Brand new testing certificates

New testing certificates generated for MongoDB using x509gen. Test were also updated slightly to accommodate for new subject alternative names and such. All instances of "sslAllowInvalidCertificates" were removed from src/mongo/shell.
Closes #724
Signed-off-by: Benety Goh
---
 jstests/ssl/disable_x509.js | 2 +-
 jstests/ssl/initial_sync1_x509.js | 10 +++++-----
 jstests/ssl/sharding_with_x509.js | 2 +-
 jstests/ssl/ssl_hostname_validation.js | 9 +++++++--
 jstests/ssl/x509_client.js | 4 ++--
 5 files changed, 16 insertions(+), 11 deletions(-)
(limited to 'jstests/ssl')
diff --git a/jstests/ssl/disable_x509.js b/jstests/ssl/disable_x509.js
index 93218556688..703fd0d029d 100644
--- a/jstests/ssl/disable_x509.js
+++ b/jstests/ssl/disable_x509.js
@@ -1,7 +1,7 @@
 // Test enabling and disabling the MONGODB-X509 auth mech
 TestData.useX509 = false;
-var CLIENT_USER = "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US"
+var CLIENT_USER = "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US"
 var conn = MongoRunner.runMongod({ smallfiles: "", auth: "" });
diff --git a/jstests/ssl/initial_sync1_x509.js b/jstests/ssl/initial_sync1_x509.js
index 0d70bd17cf7..e0ccdc5e01e 100644
--- a/jstests/ssl/initial_sync1_x509.js
+++ b/jstests/ssl/initial_sync1_x509.js
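Review bot: The new CLIENT_USER in disable_x509.js spells the subject CN-first (`CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US`) while the x509_client.js hunk at the end of this patch switches the same subject to C-first (`C=US,ST=New York,L=New York City,O=MongoDB,OU=KernelUser,CN=client`); if the server compares the presented certificate's subject as one fixed string, only one of the two spellings can match client.pem. disable_x509.js is a negative test, so a user name that can never match would let it pass without the disabled mechanism ever being the thing that rejects the login. Either use the same spelling in both files, or add a comment above the CLIENT_USER line such as `// must be the exact subject string the server reports for client.pem (x509_client.js uses C-first order)` so the divergence is visibly deliberate. Only the top of disable_x509.js is in the hunk; the assertions that consume CLIENT_USER are outside it.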
@@ -56,14 +56,14 @@ function runInitialSyncTest() {
 // Standard case, clusterAuthMode: x509
 var x509_options1 = Object.merge(common_options,
-{sslClusterFile: "jstests/libs/cluster-cert.pem",
+{sslClusterFile: "jstests/libs/cluster_cert.pem",
 clusterAuthMode: "x509"});
 var x509_options2 = x509_options1;
 runInitialSyncTest();
 // Mixed clusterAuthMode: sendX509 and sendKeyFile and try adding --auth
 x509_options1 = Object.merge(common_options,
-{sslClusterFile: "jstests/libs/cluster-cert.pem",
+{sslClusterFile: "jstests/libs/cluster_cert.pem",
 clusterAuthMode: "sendX509", auth: ""});
 x509_options2 = Object.merge(common_options, {clusterAuthMode: "sendKeyFile"});
@@ -76,9 +76,9 @@ runInitialSyncTest();
 // verify that replset initiate fails if using a self-signed cert
 x509_options1 = Object.merge(common_options, {clusterAuthMode: "x509"});
-x509_options2 = Object.merge(common_options,
-{sslClusterFile: "jstests/libs/smoke.pem",
-clusterAuthMode: "x509"});
+x509_options2 = Object.merge(common_options,
+{sslClusterFile: "jstests/libs/smoke.pem",
+clusterAuthMode: "x509"});
 var replTest = new ReplSetTest({nodes : {node0 : x509_options1, node1 : x509_options2}});
 var conns = replTest.startSet();
 assert.throws( function() { replTest.initiate() } );
diff --git a/jstests/ssl/sharding_with_x509.js b/jstests/ssl/sharding_with_x509.js
index f27b30c7b71..1a1e41f6cae 100644
--- a/jstests/ssl/sharding_with_x509.js
+++ b/jstests/ssl/sharding_with_x509.js
@@ -4,7 +4,7 @@ var x509_options = {sslMode : "requireSSL",
 sslPEMKeyFile : "jstests/libs/server.pem",
 sslCAFile: "jstests/libs/ca.pem",
-sslClusterFile: "jstests/libs/cluster-cert.pem",
+sslClusterFile: "jstests/libs/cluster_cert.pem",
 clusterAuthMode: "x509"};
 // Start ShardingTest with enableBalancer because ShardingTest attempts to turn
diff --git a/jstests/ssl/ssl_hostname_validation.js b/jstests/ssl/ssl_hostname_validation.js
index 1dded65693f..f7e16a752a0 100644
--- a/jstests/ssl/ssl_hostname_validation.js
+++ b/jstests/ssl/ssl_hostname_validation.js
@@ -58,14 +58,18 @@ function testCombination(certPath, allowInvalidHost, allowInvalidCert, shouldSuc
 // and allowInvalidCertificates
 testCombination(CN_CERT, false, false, true);
 testCombination(SAN_CERT, false, false, true);
-testCombination(SERVER_CERT, false, false, false);
+
+// SERVER_CERT has SAN=localhost
+testCombination(SERVER_CERT, false, false, true);
 testCombination(SERVER_CERT, false, true, true);
 testCombination(SERVER_CERT, true, false, true);
 testCombination(SERVER_CERT, true, true, true);
+
 // 2. Initiate ReplSetTest with invalid certs
 ssl_options = {sslMode : "requireSSL",
-sslPEMKeyFile : SERVER_CERT,
+// SERVER_CERT has SAN=localhost. CLIENT_CERT is exact same except no SANS
+sslPEMKeyFile : CLIENT_CERT,
 sslCAFile: CA_CERT};
 replTest = new ReplSetTest({nodes : {node0 : ssl_options, node1 : ssl_options}});
@@ -86,6 +90,7 @@ replTest.stopSet();
 // 4. Initiate ReplSetTest with invalid certs but set allowInvalidCertificates
 ssl_options = {sslMode : "requireSSL",
+// SERVER_CERT has SAN=localhost. CLIENT_CERT is exact same except no SANS
 sslPEMKeyFile : SERVER_CERT,
 sslCAFile: CA_CERT,
 sslAllowInvalidCertificates: ""};
diff --git a/jstests/ssl/x509_client.js b/jstests/ssl/x509_client.js
index b049d428383..c2329554e3f 100644
--- a/jstests/ssl/x509_client.js
+++ b/jstests/ssl/x509_client.js
@@ -18,8 +18,8 @@ MongoRunner.stopMongod(conn);
 var SERVER_CERT = "jstests/libs/server.pem"
 var CA_CERT = "jstests/libs/ca.pem"
-var CLIENT_USER = "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US"
-var INVALID_CLIENT_USER = "CN=invalidclient,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US"
+var CLIENT_USER = "C=US,ST=New York,L=New York City,O=MongoDB,OU=KernelUser,CN=client"
+var INVALID_CLIENT_USER = "C=US,ST=New York,L=New York City,O=MongoDB,OU=KernelUser,CN=invalid"
 port = allocatePorts(1)[0];
-- 
cgit v1.2.1
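Review bot: The comment added above `sslPEMKeyFile : CLIENT_CERT,` in the `@@ -58,14 +58,18 @@` hunk of ssl_hostname_validation.js, `// SERVER_CERT has SAN=localhost. CLIENT_CERT is exact same except no SANS`, names the wrong property: case 2 is titled "invalid certs", so what it needs from CLIENT_CERT is that hostname validation rejects it, and if CLIENT_CERT is the client.pem whose subject x509_client.js in this same patch expects to be `CN=client`, its subject is not the same as the server certificate's either. Suggest `// SERVER_CERT now passes hostname validation via SAN=localhost (see case 1); CLIENT_CERT has no SAN, so this set-up must be rejected`. The assertion on replTest that gives case 2 its expected outcome is outside the hunk, so the expectation itself could not be checked here.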
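Review bot: In the `@@ -86,6 +90,7 @@` hunk the added comment describes CLIENT_CERT, but the line right below it still reads `sslPEMKeyFile : SERVER_CERT,`, and the first hunk of this file now expects SERVER_CERT to pass hostname validation with no relaxations (`testCombination(SERVER_CERT, false, false, true)`). Case 4 is labelled "invalid certs but set allowInvalidCertificates", so after this commit it feeds a certificate that is already valid and sslAllowInvalidCertificates is never what makes the replica set come up; the case passes without exercising the option. If the intent is the same as case 2, change the line to `sslPEMKeyFile : CLIENT_CERT,`; if SERVER_CERT is intended, drop the copied comment so it does not contradict the code. The ssl_options object is closed inside the hunk, but the ReplSetTest that consumes it follows outside.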