From 128fe164fb93ef1233158019e59f43570f6e0df0 Mon Sep 17 00:00:00 2001
From: auto-revert-processor
Date: Sat, 1 Apr 2023 21:54:57 +0000
Subject: Revert "SERVER-74999 Determine cluster membership based on X.509 extension"

This reverts commit 2dcf180fa810ec81054db8249337255495e41647.
---
 jstests/ssl/cluster_member.js | 116 ---------------------
 jstests/ssl/libs/cluster-member-bar.pem | 58 -----------
 .../ssl/libs/cluster-member-bar.pem.digest.sha1 | 1 -
 .../ssl/libs/cluster-member-bar.pem.digest.sha256 | 1 -
 jstests/ssl/libs/cluster-member-foo-alt-rdn.pem | 58 -----------
 .../cluster-member-foo-alt-rdn.pem.digest.sha1 | 1 -
 .../cluster-member-foo-alt-rdn.pem.digest.sha256 | 1 -
 jstests/ssl/libs/cluster-member-foo.pem | 58 -----------
 .../ssl/libs/cluster-member-foo.pem.digest.sha1 | 1 -
 .../ssl/libs/cluster-member-foo.pem.digest.sha256 | 1 -
 jstests/ssl/x509/README | 1 -
 jstests/ssl/x509/certs.yml | 32 +-----
 jstests/ssl/x509/mkcert.py | 25 +----
 13 files changed, 5 insertions(+), 349 deletions(-)
 delete mode 100644 jstests/ssl/cluster_member.js
 delete mode 100644 jstests/ssl/libs/cluster-member-bar.pem
 delete mode 100644 jstests/ssl/libs/cluster-member-bar.pem.digest.sha1
 delete mode 100644 jstests/ssl/libs/cluster-member-bar.pem.digest.sha256
 delete mode 100644 jstests/ssl/libs/cluster-member-foo-alt-rdn.pem
 delete mode 100644 jstests/ssl/libs/cluster-member-foo-alt-rdn.pem.digest.sha1
 delete mode 100644 jstests/ssl/libs/cluster-member-foo-alt-rdn.pem.digest.sha256
 delete mode 100644 jstests/ssl/libs/cluster-member-foo.pem
 delete mode 100644 jstests/ssl/libs/cluster-member-foo.pem.digest.sha1
 delete mode 100644 jstests/ssl/libs/cluster-member-foo.pem.digest.sha256
(limited to 'jstests/ssl')
diff --git a/jstests/ssl/cluster_member.js b/jstests/ssl/cluster_member.js
deleted file mode 100644
index 670bbedd97c..00000000000
--- a/jstests/ssl/cluster_member.js
+++ /dev/null
@@ -1,116 +0,0 @@
-// Test configuration parameter tlsClusterAuthX509ExtensionValue
-// aka: net.tls.clusterAuthX509.extensionValue
-// @tags: [ featureFlagConfigurableX509ClusterAuthn ]
-
-(function() {
-'use strict';
-
-load('jstests/ssl/libs/ssl_helpers.js');
-if (determineSSLProvider() !== "openssl") {
- jsTest.log('Test requires openssl based TLS support');
- return;
-}
-
-// Fails when used without clusterAuthMode == 'X509'
-{
- const opts = {auth: '', tlsClusterAuthX509ExtensionValue: 'foo'};
- const errmsg =
- 'net.tls.clusterAuthX509.extensionValue requires a clusterAuthMode which allows for usage of X509';
-
- jsTest.log('No clusterAuthMode set');
- clearRawMongoProgramOutput();
- assert.throws(() => MongoRunner.runMongod(opts));
- assert(rawMongoProgramOutput().includes(errmsg));
-
- jsTest.log('clusterAuthMode == keyFile');
- clearRawMongoProgramOutput();
- opts.clusterAuthMode = 'keyFile';
- assert.throws(() => MongoRunner.runMongod(opts));
- assert(rawMongoProgramOutput().includes(errmsg));
-}
-
-function authAndDo(port, cert, cmd = ';') {
- jsTest.log('Connecting to localhost using cert: ' + cert);
- function x509auth(db) {
- const ext = db.getSiblingDB('$external');
- assert.commandWorked(ext.runCommand({authenticate: 1, mechanism: 'MONGODB-X509'}));
- return ext.adminCommand({connectionStatus: 1});
- }
- clearRawMongoProgramOutput();
- const shell = runMongoProgram('mongo',
- '--host',
- 'localhost',
- '--port',
- port,
- '--tls',
- '--tlsCAFile',
- 'jstests/libs/ca.pem',
- '--tlsCertificateKeyFile',
- cert,
- '--eval',
- x509auth + ' x509auth(db); ' + cmd);
- assert.eq(shell, 0);
-}
-
-function runTest(conn) {
- const SERVER_RDN = 'CN=server,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US';
- const SERVER = 'jstests/libs/server.pem';
- const FOO_MEMBER = 'jstests/ssl/libs/cluster-member-foo.pem';
- const BAR_MEMBER = 'jstests/ssl/libs/cluster-member-bar.pem';
- const FOO_MEMBER_ALT = 'jstests/ssl/libs/cluster-member-foo-alt-rdn.pem';
- const 
FOO_MEMBER_ALT_RDN = 'CN=Doer,OU=Business,O=Company,L=Fakesville,ST=Example,C=ZZ';
-
- const admin = conn.getDB('admin');
- const ext = conn.getDB('$external');
-
- // Ensure no localhost auth bypass available.
- assert.commandWorked(admin.runCommand({createUser: 'admin', pwd: 'admin', roles: ['root']}));
- assert(admin.auth('admin', 'admin'));
-
- // Connect using server.pem which has the same RDN, but no custom extension.
- // This will result in an unknown user condition because we are
- // not recognized as a cluster member.
- assert.throws(() => authAndDo(conn.port, SERVER));
-
- const insertCmd = 'assert.writeOK(db.getSiblingDB("test").mycoll.insert({x:1}));';
- // Connect using same RDN WITH custom extension.
- authAndDo(conn.port, FOO_MEMBER, insertCmd);
-
- // Connect using cert with membership extension, but wrong value.
- assert.throws(() => authAndDo(conn.port, BAR_MEMBER));
-
- // Connect using cert with right membership, but different RDN (allowed).
- authAndDo(conn.port, FOO_MEMBER_ALT, insertCmd);
-
- // Create a user who would have been a cluster member under name based rules.
- // We should have basic privs, testing with read but not write.
- const readCmd = 'db.getSiblingDB("test").mycoll.find({});';
- const readRoles = [{db: 'admin', role: 'readAnyDatabase'}];
- assert.commandWorked(ext.runCommand({createUser: SERVER_RDN, roles: readRoles}));
- authAndDo(conn.port, SERVER, readCmd);
- assert.throws(() => authAndDo(conn.port, SERVER, insertCmd));
-
- // Create a user with FOO_MEMBER_ALT's RDN to validate enforceUserClusterSeparation.
- authAndDo(conn.port, FOO_MEMBER_ALT);
- assert.commandWorked(ext.runCommand({createUser: FOO_MEMBER_ALT_RDN, roles: readRoles}));
- assert.throws(() => authAndDo(conn.port, FOO_MEMBER_ALT));
-}
-
-{
- const opts = {
- auth: '',
- tlsMode: 'requireTLS',
- tlsCertificateKeyFile: 'jstests/ssl/libs/cluster-member-foo.pem',
- tlsCAFile: 'jstests/libs/ca.pem',
- clusterAuthMode: 'x509',
- tlsClusterAuthX509ExtensionValue: 'foo',
- setParameter: {
- enforceUserClusterSeparation: 'true',
- },
- };
-
- const mongod = MongoRunner.runMongod(opts);
- runTest(mongod);
- MongoRunner.stopMongod(mongod);
-}
-})();
diff --git a/jstests/ssl/libs/cluster-member-bar.pem b/jstests/ssl/libs/cluster-member-bar.pem
deleted file mode 100644
index 27b9f533afd..00000000000
--- a/jstests/ssl/libs/cluster-member-bar.pem
+++ /dev/null
@@ -1,58 +0,0 @@ -# Autogenerated file, do not edit. -# Generate using jstests/ssl/x509/mkcert.py --config jstests/ssl/x509/certs.yml cluster-member-bar.pem -# -# A server certificate with the mongoClusterMembership extension with a value of bar ------BEGIN CERTIFICATE----- -MIIEejCCA2KgAwIBAgIEWTZe1DANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV -UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO -BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs -IFRlc3QgQ0EwHhcNMjMwMzE1MTU0MTU2WhcNMjUwNjE2MTU0MTU2WjBsMQswCQYD -VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp -dHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEPMA0GA1UEAwwG -c2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu9lxe3kPI/Hk -ZTloS7DbcXxJOfvz6+SXkEmsQeWh8asKYl1vMj9trkwZonpUvdGy3u32aQ2OttBw -ajE6TWpNxBpLPlksrpYcvOZBHROvVek5jkQIjCFY2a/xoD6bNSUKfjXiBVl3ahDy -b7cg6oGC6X3xe+Sa9Zj7HhiOY0LaoRZr0PSuIkxBxboMpghEv/Mq0YFoxhyuS/XI -9HGcIiipp9sVZNhiP4yZPfqruSB4ACYNVjDJTbNAgYhlCT8W1lHnO2pc2BRTbIj5 -NTbjcGeIjLzRf5ARzPF1XCknnECmszJFLHCONRG/k8Z8i87vIBqf83jo0y5W0GK7 -t5hTfDci3wIDAQABo4IBGjCCARYwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYD -VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQKCntdQt8iZZ8C -mEjgcbjEJZhO/DCBiwYDVR0jBIGDMIGAoXikdjB0MQswCQYDVQQGEwJVUzERMA8G -A1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAOBgNVBAoM -B01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVsIFRlc3Qg -Q0GCBHvUrJMwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMBQGCysGAQQBgo4p -AgECBAUMA2JhcjANBgkqhkiG9w0BAQsFAAOCAQEAjY+PUCpyNisWgM82A+eN+ipq -xGUJE97j7ikoGTzFYeGJ4ANYXxL9MlDakZjv+fNXy+ngSDqBGvZzN/mIIa72Phkz -Q/L+jLSH2HUZL8/ptTnf6M2mdYwuABSBE7+KG6emb1ywUudHFztzxZZDlSE+JVCO -F39amF2TMnzNqb1hBOz07RdZKBqEpo3PrL8MFlZxuN9i6YHp5b5Og+Li/ktWMaBv -6kZ+drMK3E+ku5QRPTARXuGXf7vFT+eC5Rk/jTi3prwveg7n4WKmecS6BuzVlLjt -kUIe0RqTS3HqkFqtb/mb4Dc1Bbi5MD86CZ1JNkWT1m8LozsAnKhfnrHbUViPdg== ------END CERTIFICATE----- ------BEGIN PRIVATE KEY----- -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC72XF7eQ8j8eRl 
-OWhLsNtxfEk5+/Pr5JeQSaxB5aHxqwpiXW8yP22uTBmielS90bLe7fZpDY620HBq -MTpNak3EGks+WSyulhy85kEdE69V6TmORAiMIVjZr/GgPps1JQp+NeIFWXdqEPJv -tyDqgYLpffF75Jr1mPseGI5jQtqhFmvQ9K4iTEHFugymCES/8yrRgWjGHK5L9cj0 -cZwiKKmn2xVk2GI/jJk9+qu5IHgAJg1WMMlNs0CBiGUJPxbWUec7alzYFFNsiPk1 -NuNwZ4iMvNF/kBHM8XVcKSecQKazMkUscI41Eb+TxnyLzu8gGp/zeOjTLlbQYru3 -mFN8NyLfAgMBAAECggEAJDf8pW3l+Ww+OTYkYdOru+nWxJNLqIPepTdPOzVnUA1G -Z0jUk7+fCigqGSW1CRRRhKIlDIRMq/rscc0kDKEedV0MfOz8rHzM9a7/hvewqsPZ -EREVBM+5Ld+6msb3bfvCVitVdOqXF6BE3j1U32IxN4vM77JYHlpssJTTf1f4h25S -qgZb+b8D+J54nuxiB6Q54WYSnzCMMCGmtIVceS/Itc6CVxLUl86WJUpoZwiQTUxX -sXJoYDOahJLPnuwOT+tNzlXHiFLQ4kB1M7mYFjNhurj9X9YSOR4fxWLqy4IJGQTH -oehCLuGBPVI578gPXim1QrAf3hG8to8ViFVgeNWygQKBgQDVCljM8t9dVZEm+F1r -e4lDb6rauycK9zAwQLKzgRAAxAT7OMs0WyuCMWHD3ZZDjtpSmb5m1kP22OXy0BRB -G08xFUtNAzsQkH5RBQHScec8RJ6bFgLQ99hd++Gc7jgp0XxuxoEvMKm1bEtbfoUu -6AoCuRf/kTqL3PY1HP5Yt7L9UQKBgQDhuqzwLNpCXnGk+0gf7qEkIMPqZqFzqrdb -eWWVmC1JO4kc5TNGJnEtVlS32ow+iN1qjZBptQY0/Ykohj3F2PZHF93zQ2sbDFAy -7BQWbYjO9DAzemtBqMNVtFe+5oABzbyhqzmZtNVG4C2XKkJkw0RUCtyvmE5/0obH -xT/t//RRLwKBgBO8JKO/r+9eeNbKVSUayYlks8gVZDWA1obxx1wXjZr0jZ2UEkbk -VzB1UKArS7swZYsXUOsH2D3qs8p9ehLZ68kZNuOIdBVBvWHV++g5wvjzRloJfPNM -sk9qgOjfrHY7QLKmUttDP8VdpdFw8/d3aU39RXrYQjsomeorqGghhEQxAoGAfqIZ -LswazazqGGIX/kIDCJ+RCUj2PkuBfcHG6XtrvG+35gv3Dd23FHYgJNxoXRSvEn3E -jGjPyJ6Leb6FnR6wWwXasAQcbBomS8sBIevlGiUHfXmp/jXND6GSsDfjjB99OT0z -nTVDiPVu3iUJBjo9dOB7Gc9aCn9yuVPBH6W9zGUCgYB6ew5VTrbwWO0KKYpiM6aN -ZXiYTMMcaJOjlmyBYtWYNdRusshh4i+ICF/eV9CXtW1cQcXGCM5gB0Py3r9ugSWk -xQDVotkSUP3GswftggX17jEyjTQKMVtDDATyIxU3XohAWeNQYuRV98+A41lFqE0v -GXbb4Dhv87TuIEAIsHCV5Q== ------END PRIVATE KEY----- diff --git a/jstests/ssl/libs/cluster-member-bar.pem.digest.sha1 b/jstests/ssl/libs/cluster-member-bar.pem.digest.sha1 deleted file mode 100644 index 53b59e4aa35..00000000000 --- a/jstests/ssl/libs/cluster-member-bar.pem.digest.sha1 +++ /dev/null @@ -1 +0,0 @@ -D498E0A2F8CF71D5349BB91E11E6D05350C88A3C \ No newline at end of file 
diff --git a/jstests/ssl/libs/cluster-member-bar.pem.digest.sha256 b/jstests/ssl/libs/cluster-member-bar.pem.digest.sha256
deleted file mode 100644
index a0ce1bd86a8..00000000000
--- a/jstests/ssl/libs/cluster-member-bar.pem.digest.sha256
+++ /dev/null
@@ -1 +0,0 @@
-F957FEBEEC5C9C08C2500C17432B47635C12101E4DD42183FD333542ACD0AE5D
\ No newline at end of file
diff --git a/jstests/ssl/libs/cluster-member-foo-alt-rdn.pem b/jstests/ssl/libs/cluster-member-foo-alt-rdn.pem
deleted file mode 100644
index 9b4a86dfd17..00000000000
--- a/jstests/ssl/libs/cluster-member-foo-alt-rdn.pem
+++ /dev/null
@@ -1,58 +0,0 @@ -# Autogenerated file, do not edit. -# Generate using jstests/ssl/x509/mkcert.py --config jstests/ssl/x509/certs.yml cluster-member-foo-alt-rdn.pem -# -# A server certificate with the mongoClusterMembership extension with a value of foo, but an unrelated RDN ------BEGIN CERTIFICATE----- -MIIEdjCCA16gAwIBAgIEGs/cgTANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV -UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO -BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs -IFRlc3QgQ0EwHhcNMjMwMzE1MTU0MjEwWhcNMjUwNjE2MTU0MjEwWjBoMQswCQYD -VQQGEwJaWjEQMA4GA1UECAwHRXhhbXBsZTETMBEGA1UEBwwKRmFrZXN2aWxsZTEQ -MA4GA1UECgwHQ29tcGFueTERMA8GA1UECwwIQnVzaW5lc3MxDTALBgNVBAMMBERv -ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCKB1iyc78amtXCaOfh -3wZ7jidmiLI0IMGk1KuGnUzyoRlX6PlFKm+I5/rbyVgVK0MEKIJU1rxrxBwwJyW/ -/D1NOH1FTcKk+FnkBs7T1iwct+2OocMArQVcavFayqcqubxvWFztjBNxCoh578OH -u7BBqG3iXu8HvWivm+FAkqYWNk8M0us5Ui/yQShRXcPRTYqAFyTatlcesijGMKEA -J1AE4xgVNmJI88qoUmS7ftbFW0B53ru7aJKtQ9xGcu1EtDEUSXpJAVmmSDmuAF0L -ZaGYUd/zerCweOgkmy0rEoFQPKKb9Ib9PJ4vo4VN6RKYt3DzDxpqu58pZMVJxxn+ -UjmnAgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDAdBgNVHSUE -FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFOHQkRJH13hAyapsryfr -spM9JebhMIGLBgNVHSMEgYMwgYCheKR2MHQxCzAJBgNVBAYTAlVTMREwDwYDVQQI -DAhOZXcgWW9yazEWMBQGA1UEBwwNTmV3IFlvcmsgQ2l0eTEQMA4GA1UECgwHTW9u -Z29EQjEPMA0GA1UECwwGS2VybmVsMRcwFQYDVQQDDA5LZXJuZWwgVGVzdCBDQYIE -e9SskzAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8AAAEwFAYLKwYBBAGCjikCAQIE -BQwDZm9vMA0GCSqGSIb3DQEBCwUAA4IBAQBYpHCMUlGWm803moqfVGTkU/xGlPQd -hpMtmcf8GsSlDKmGXW335+95f5emZV7WmfKqaolAI0rjA7/sI98QuiqcloCEhSE9 -eS3jEuEEeDvySwnqKgz45eTXyjqjpH746uIXju427xQtr4z6gYYQZBls1ozEFrYp -MfQXZJqVm6Kodg72LNrjToWeuNGkeGtGikyqXAlCM3/s7FsapuN89KjNsQv1p8e0 -LTXnJAm/5yxcuQyxWq87pta11IS89RylDDwmMMBIJWwAE07O+zH/1OC6yevapKn7 -rZw/gYz4uhbmlzsQVJrHdsaZ8Dr6+Enpz5X9CmNRqijk5dbzaSS9wvbu ------END CERTIFICATE----- ------BEGIN PRIVATE KEY----- 
-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCKB1iyc78amtXC -aOfh3wZ7jidmiLI0IMGk1KuGnUzyoRlX6PlFKm+I5/rbyVgVK0MEKIJU1rxrxBww -JyW//D1NOH1FTcKk+FnkBs7T1iwct+2OocMArQVcavFayqcqubxvWFztjBNxCoh5 -78OHu7BBqG3iXu8HvWivm+FAkqYWNk8M0us5Ui/yQShRXcPRTYqAFyTatlcesijG -MKEAJ1AE4xgVNmJI88qoUmS7ftbFW0B53ru7aJKtQ9xGcu1EtDEUSXpJAVmmSDmu -AF0LZaGYUd/zerCweOgkmy0rEoFQPKKb9Ib9PJ4vo4VN6RKYt3DzDxpqu58pZMVJ -xxn+UjmnAgMBAAECggEAKHROwr653ApVbE1i6Qh81emsEpkt4alYF/9c5m9kBhjB -XMqjhGoTloSnOZOhhVLQqX9V85ecUdmAiXxvy/0Z2nAcBxvrWH6RmguEwwGanDAs -KAmxJZmQYK3XX0zWAee+GsRDODw91nvH1DU5kaao2hWLXzWDyTjyXcXKFyrkEs4Z -1sQiJHCFQW1l5j6x7kAXrbOHUCziCww+vvCUCW7ujut/Nl1MLzPrsIvtghQKwvhe -uJVB7uZxtBHjQEfycZOLWCNUEE6WOJ/muUeCtHbmVbr50omOlRSJHP/MqUQaxnpM -KS38BoUbJpbaVOKvgokjLHXF8KojNQ+Embx1Ql0AgQKBgQC/6lS/3eQKAr1FmjlN -PicKDb6t08aE7THupy/sDL9jqEIYGfJPCbu8Guyd7nCwBCdJ8KcHQehukcZ8i1O4 -2Z/gMtuurHvD2S4+6sYjHZ9SyRiTkW8XY/jmwCYqAraS9fNNWj+maifyTcAreO+f -KVI5/2QCNPMqjqzFGaS2w5XueQKBgQC4HpMpbikIzUEK3QnpcpqIyufpYiZGhOb8 -qgwTZCw3Bqn7KKB7kfTYpghLdzQmqUch6yaBWN5+YgabFzNtOkXvstpH4m5BJ1Q0 -N1zTTiPHOxup0TUPWQo2Qa+h52p8BOvKSBNGcgNFDJ3tdDOAX5tNeywunx/w1HjA -aUUNoKLhHwKBgB+xjDNvaoR4tVc0Q/hMplfTs0Szr5ouLcvS0mgyJr1HgTrHtit1 -WQqUi7T9NqDq3q4oTv001jTEYDobLEVfszZsT7lGBN5wFGIRlY0hDDm4uhVMtELx -oJ5C50qSziHw+jAxEkfiShyK2IyVWUU4prqrQZHXuryxeTjHplsEa9NJAoGAURLV -hjbFxuRqsZfnV25pcba3K+NWK1M2SyetrZQ8i/ZZPwkCsabxg7yIhoJ06lk7w0nC -aM5zGn+bnQs4T+6LASNmTqT8G6BvyZZfP4R26LG0WrCOhrWUc5O0/Lvj/bxE/4uB -QVHO8sa9e+PhEbQHtLR6HgVfkTJeAYvZJkkHr80CgYBAo06hacP0ATWy9GetJztU -9OZfhobBuk3kBdU3tNFNe8UFRLg0MnUwv3FdXM6XsVhH/r18ApACityAzA+cMw5o -9nPyi+C8GqWum1eg3XaSPpKxNCVsAQuTJpSjL3JqeZSo07XUOAS2om5AQBLsbGHB -2hpwDA/Ccom2Sc8E/VysmQ== ------END PRIVATE KEY----- diff --git a/jstests/ssl/libs/cluster-member-foo-alt-rdn.pem.digest.sha1 b/jstests/ssl/libs/cluster-member-foo-alt-rdn.pem.digest.sha1 deleted file mode 100644 index 773e4493989..00000000000 --- a/jstests/ssl/libs/cluster-member-foo-alt-rdn.pem.digest.sha1 +++ /dev/null 
@@ -1 +0,0 @@
-94F9962116E92EBDB4FC7007304957CCE1A41F26
\ No newline at end of file
diff --git a/jstests/ssl/libs/cluster-member-foo-alt-rdn.pem.digest.sha256 b/jstests/ssl/libs/cluster-member-foo-alt-rdn.pem.digest.sha256
deleted file mode 100644
index 02ea263cddb..00000000000
--- a/jstests/ssl/libs/cluster-member-foo-alt-rdn.pem.digest.sha256
+++ /dev/null
@@ -1 +0,0 @@
-215C9A1DB0D815E937668EBE8230496B9FDB3DBE2F9700820B9F631B87C28CB5
\ No newline at end of file
diff --git a/jstests/ssl/libs/cluster-member-foo.pem b/jstests/ssl/libs/cluster-member-foo.pem
deleted file mode 100644
index a80d90767d7..00000000000
--- a/jstests/ssl/libs/cluster-member-foo.pem
+++ /dev/null
@@ -1,58 +0,0 @@ -# Autogenerated file, do not edit. -# Generate using jstests/ssl/x509/mkcert.py --config jstests/ssl/x509/certs.yml cluster-member-foo.pem -# -# A server certificate with the mongoClusterMembership extension with a value of foo ------BEGIN CERTIFICATE----- -MIIEejCCA2KgAwIBAgIEU7DfoTANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV -UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO -BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs -IFRlc3QgQ0EwHhcNMjMwMzE1MTU0MTUzWhcNMjUwNjE2MTU0MTUzWjBsMQswCQYD -VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp -dHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEPMA0GA1UEAwwG -c2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoj7sGnUpd3gu -MWBZD3gwilIw5IoVySUak0g9F7VESbU0nvCS6Df594TnE7v+pYUczq6U2o8fgAUi -8J1iH6Zj/osIbeQuoDbFpWyVmYGNFwDsvWcxXQEuWpdn0Fk2U6Ropaxbbp9Md9je -Xp/1kfpV2Fmg0IKvC+l3hkoalnBBJseftbVV5qs0Gw1yftyL0t8Fu4JVl/mQQKYD -19pyPxuDapgMRhGCmcjhjuNeFY0w6T17TBT/tQ9B8wM5hNlXElvWQqKnQybXF1S7 -ZRfXOHRFgBxUxJaEREPHHjt9QozFY6NS/BN9oBQyihj1PFqB54yFNoNRx/eQAM2C -LUXk+wyfZwIDAQABo4IBGjCCARYwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYD -VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRS6fOGvmeuH1/U -CQikWX+BkLLLgzCBiwYDVR0jBIGDMIGAoXikdjB0MQswCQYDVQQGEwJVUzERMA8G -A1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAOBgNVBAoM -B01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVsIFRlc3Qg -Q0GCBHvUrJMwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMBQGCysGAQQBgo4p -AgECBAUMA2ZvbzANBgkqhkiG9w0BAQsFAAOCAQEAPNCV4cJ+4rirKCT5Rw3p0ZUW -OBmb4ZRKVJn0VuLTBth8516ftP3N1IXtuSy7UjpqW3wSrqN3YNI9tibNlrs5CGkA -9EZiX1y0sxxUTM73EqzV9kx6dJ2g0BDolgc68sYdofIdIDNMzvfqg4cyIsH94KxJ -h4FXD8bE3fnrusaZoD0TDUwJ7/YX6Jv191R06vZHR5YXnnPzZD+Kig+tKLh5ePCN -KcgoPPMf3TPPbvpZVcyQHeceBSZ4+1lN/s4EUhSvit7TMO0TlfleLv2gC48MQt3R -YKu70fqITRKchyXu2kAgIjAhUWjtllmYrIiWjiWwCaPJYcYIxXXIn3f9itzjjA== ------END CERTIFICATE----- ------BEGIN PRIVATE KEY----- -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCiPuwadSl3eC4x 
-YFkPeDCKUjDkihXJJRqTSD0XtURJtTSe8JLoN/n3hOcTu/6lhRzOrpTajx+ABSLw -nWIfpmP+iwht5C6gNsWlbJWZgY0XAOy9ZzFdAS5al2fQWTZTpGilrFtun0x32N5e -n/WR+lXYWaDQgq8L6XeGShqWcEEmx5+1tVXmqzQbDXJ+3IvS3wW7glWX+ZBApgPX -2nI/G4NqmAxGEYKZyOGO414VjTDpPXtMFP+1D0HzAzmE2VcSW9ZCoqdDJtcXVLtl -F9c4dEWAHFTEloREQ8ceO31CjMVjo1L8E32gFDKKGPU8WoHnjIU2g1HH95AAzYIt -ReT7DJ9nAgMBAAECggEAD9NUY1ZHR6x00QMlXMFr9qoCs+AWNOsGFxSmROA8+3WN -3uz3X2hKXQ7dHUsqkQmVYEGeKl1ohKu7lz26uvyXZ1Y3acSmmaEOEU8wnmsJEJPa -A7WDlp9NXq/DBAsXpfv06ygPORCXvF7ufctbgDQrWHGRopUErwREUNh8lGz5pecO -FawUQoIrWfOx8bq/PFXAFiaJHfk1SaadZdHS1TX4ZUm07iYuYUTqxarffmyub8ZN -lO7G/3fdivgfuBnMETUDFOu7xSphk56AFlxLBuEVk+u8/I5XHWiRcVKTA4vtbyUX -xjM/sxO7qCZ6cY1Z/xaHOJUj0FoT5wqjjn4UltWerQKBgQDOPdiL6TLlQkF6rr6t -Jo2anm/Xs+dr70NIwsfYxNNLGoLCENxAwYIjKjD93UuS/eTEkKga141bS/05pEiM -rjv+jBxJd3El3RavBjYV+npjRiC7qlVg/hPhx6ZXCEOg2gx/6zIj9fzGmf8JEeLh -VvIDqXw2b7mJUSv80AfWb+SHLQKBgQDJY8CZRP8hsGhV3b64PquME38CGwCSIdqW -3MxAQHE0KFo98HFoElUecUklZh+AoHL9hpGuDRvSJ7AC3ynNnV5IxKYYjwM2pNL+ -nr3RNsNhrPcEMj/elW7BZoVG+zGyLjiTx7GO6e3S0rivUDhAQSEhp3G8ZM0kxsvi -/RqxLXVdYwKBgCp+RaK2Hp1r5E/htzm3ys9Du6mG0LTFbGiOcVyxWRONV8miba8N -78FNDSEROmQD2eHCKFC3ftGDu53nwmbx8zyEI8PjTzXM8sKHFhe7LwJLTa088DB2 -ySPo3dXqxvxaUN7+V6tfIIDO8+QrgkKJhn3IquYQaPro9ZY2SpcdIMnVAoGAFF08 -5YK/lcWD12Lz3SehKynxhuH6HczEkMrE8J5TlCWccnT00sQ/zTNBZUG9X8FZv18z -LflvXcHbn363eG44UX1pGkSj24uxNkQRB63U9fSKiecW5EgSCgZ25aWS8eSQngjs -YHoxLUdXm4quFXlAg2muK5G52MUtaseTQmVJX+cCgYBRFJ1zUDYHpniXEsGUx/OV -FBEZg359fRTKZUnXAtOW4gbaWMmLZ8N47pRvJakbkvqrMWUFagZKWDbA7+BxopVB -prIvNrSaIM3Q9o+H7gsA85O1qPkQQV+1Ue6OCPlxLz8AVnWb5zu1eFUNkrLeKwz0 -WREDb3ONFYMUxgzcvCDXgQ== ------END PRIVATE KEY----- diff --git a/jstests/ssl/libs/cluster-member-foo.pem.digest.sha1 b/jstests/ssl/libs/cluster-member-foo.pem.digest.sha1 deleted file mode 100644 index 21209a1dc30..00000000000 --- a/jstests/ssl/libs/cluster-member-foo.pem.digest.sha1 +++ /dev/null @@ -1 +0,0 @@ -5A081EAA0D42DED66771504EC405C5F9AE4885EA \ No newline at end of file 
diff --git a/jstests/ssl/libs/cluster-member-foo.pem.digest.sha256 b/jstests/ssl/libs/cluster-member-foo.pem.digest.sha256
deleted file mode 100644
index 4ef362e70f5..00000000000
--- a/jstests/ssl/libs/cluster-member-foo.pem.digest.sha256
+++ /dev/null
@@ -1 +0,0 @@
-D0298CCEA9CEEBF3E739E331AD7A4C5A485DCB8FC66AD236F281BB5040136076
\ No newline at end of file
diff --git a/jstests/ssl/x509/README b/jstests/ssl/x509/README
index e85e25ecb4f..346e06f750d 100644
--- a/jstests/ssl/x509/README
+++ b/jstests/ssl/x509/README
@@ -64,4 +64,3 @@ certs:
 - mongoRoles:
 - {role: readWrite, db: test1}
 - {role: read, db: test2}
- - mongoClusterMembership: clusterName
diff --git a/jstests/ssl/x509/certs.yml b/jstests/ssl/x509/certs.yml
index ebedbaba66d..b2f50d283ba 100644
--- a/jstests/ssl/x509/certs.yml
+++ b/jstests/ssl/x509/certs.yml
@@ -284,7 +284,7 @@ certs:
 - name: 'server.pem'
 description: General purpose server certificate file.
 Subject: {CN: 'server'}
- extensions: &server_pem_extensions
+ extensions:
 basicConstraints: {CA: false}
 subjectKeyIdentifier: hash
 keyUsage: [digitalSignature, keyEncipherment]
@@ -342,36 +342,6 @@ certs:
 extensions:
 extendedKeyUsage: [serverAuth]

-- name: 'cluster-member-foo.pem'
- output_path: 'jstests/ssl/libs/'
- description: A server certificate with the mongoClusterMembership extension with a value of foo
- Subject: {CN: 'server'}
- extensions:
- <<: *server_pem_extensions
- mongoClusterMembership: foo
-
-- name: 'cluster-member-bar.pem'
- output_path: 'jstests/ssl/libs/'
- description: A server certificate with the mongoClusterMembership extension with a value of bar
- Subject: {CN: 'server'}
- extensions:
- <<: *server_pem_extensions
- mongoClusterMembership: bar
-
-- name: 'cluster-member-foo-alt-rdn.pem'
- output_path: 'jstests/ssl/libs/'
- description: A server certificate with the mongoClusterMembership extension with a value of foo, but an unrelated RDN
- Subject:
- C: 'ZZ'
- ST: 'Example'
- L: 'Fakesville'
- O: 'Company'
- OU: 'Business'
- CN: 'Doer'
- extensions:
- <<: *server_pem_extensions
- mongoClusterMembership: foo
-
 # For tenant migration testing.
 - name: 'rs0.pem'
 description: General purpose server certificate file.
diff --git a/jstests/ssl/x509/mkcert.py b/jstests/ssl/x509/mkcert.py
index 58848ceaaa6..45ac802e51c 100755
--- a/jstests/ssl/x509/mkcert.py
+++ b/jstests/ssl/x509/mkcert.py
@@ -20,17 +20,10 @@ import shutil
 import mkdigest

 # pylint: disable=protected-access
-try:
- # Newer versions of PyOpenSSL hide OBJ_create, but also seem okay without it.
- OBJ_create = OpenSSL._util.lib.OBJ_create
- OBJ_create(b'1.2.3.45', b'DummyOID45', b'Dummy OID 45')
- OBJ_create(b'1.2.3.56', b'DummyOID56', b'Dummy OID 56')
- OBJ_create(b'1.3.6.1.4.1.34601.2.1.1', b'mongoRoles',
- b'Sequence of MongoDB Database Roles')
- OBJ_create(b'1.3.6.1.4.1.34601.2.1.2', b'mongoClusterMembership',
- b'Name of MongoDB cluster this cert is a member of')
-except:
- pass
+OpenSSL._util.lib.OBJ_create(b'1.2.3.45', b'DummyOID45', b'Dummy OID 45')
+OpenSSL._util.lib.OBJ_create(b'1.2.3.56', b'DummyOID56', b'Dummy OID 56')
+OpenSSL._util.lib.OBJ_create(b'1.3.6.1.4.1.34601.2.1.1', b'mongoRoles',
+ b'Sequence of MongoDB Database Roles')
 # pylint: enable=protected-access

 CONFIGFILE = 'jstests/ssl/x509/certs.yml'
@@ -326,15 +319,6 @@ def set_mongo_roles_extension(exts, cert):
 exts.append(OpenSSL.crypto.X509Extension(b'1.3.6.1.4.1.34601.2.1.1', False, value))
-def set_mongo_cluster_membership_extension(exts, cert):
- """Encode a symbolic name to a mongodbClusterMembership extension."""
- name = cert.get('extensions', {}).get('mongoClusterMembership')
- if not name:
- return
-
- value = b'DER:' + binascii.hexlify(to_der_utf8_string(name))
- exts.append(OpenSSL.crypto.X509Extension(b'1.3.6.1.4.1.34601.2.1.2', False, value))
-
 def set_crl_distribution_point_extension(exts, cert):
 """Specify URI(s) for CRL distribution point(s)."""
 uris = cert.get('extensions', {}).get('crlDistributionPoints')
@@ -361,7 +345,6 @@ def set_extensions(x509, cert):
 set_crl_distribution_point_extension(exts, cert)
 set_san_extension(x509, exts, cert)
 set_mongo_roles_extension(exts, cert)
- set_mongo_cluster_membership_extension(exts, cert)

 ns_comment = cert.get('extensions', {}).get('nsComment')
 if ns_comment:
-- cgit v1.2.1
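Review bot: The three restored `OpenSSL._util.lib.OBJ_create(...)` calls in the first hunk are unguarded, so on a PyOpenSSL build that does not expose `_util.lib.OBJ_create` — the case the removed comment ("Newer versions of PyOpenSSL hide OBJ_create, but also seem okay without it") was written for — mkcert.py now raises AttributeError at import instead of generating certificates. If a byte-exact rollback is the intent that is expected, but a narrow `except AttributeError` guard keeps the generator usable on both builds without reintroducing the bare `except: pass` the old code had. Whether emission is actually fine without the symbolic names is only asserted by that old comment, so it should be confirmed on a newer PyOpenSSL before relying on it. The second and third hunks (deleting `set_mongo_cluster_membership_extension` and its call in `set_extensions`) are consistent with the cert entries and the `&server_pem_extensions` anchor removed from certs.yml.
```python
# pylint: disable=protected-access
try:
    _obj_create = OpenSSL._util.lib.OBJ_create
except AttributeError:
    # Newer PyOpenSSL builds hide OBJ_create; the old comment says emission
    # still works with numeric OIDs only — TODO confirm on such a build.
    _obj_create = None
if _obj_create is not None:
    _obj_create(b'1.2.3.45', b'DummyOID45', b'Dummy OID 45')
    _obj_create(b'1.2.3.56', b'DummyOID56', b'Dummy OID 56')
    _obj_create(b'1.3.6.1.4.1.34601.2.1.1', b'mongoRoles',
                b'Sequence of MongoDB Database Roles')
# pylint: enable=protected-access
```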