1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
// On OSX this test assumes that jstests/libs/trusted-ca.pem has been added as a trusted
// certificate to the login keychain of the evergreen user. See,
// https://github.com/10gen/buildslave-cookbooks/commit/af7cabe5b6e0885902ebd4902f7f974b64cc8961
// for details.
// To install trusted-ca.pem for local testing on OSX, invoke the following at a console:
// security add-trusted-cert -d jstests/libs/trusted-ca.pem
(function() {
'use strict';
const HOST_TYPE = getBuildInfo().buildEnvironment.target_os;
if (HOST_TYPE == "windows") {
// OpenSSL backed imports Root CA and intermediate CA
runProgram(
"certutil.exe", "-addstore", "-user", "-f", "CA", "jstests\\libs\\trusted-ca.pem");
// SChannel backed follows Windows rules and only trusts the Root store in Local Machine and
// Current User.
runProgram("certutil.exe", "-addstore", "-f", "Root", "jstests\\libs\\trusted-ca.pem");
}
function testWithCerts(prefix) {
jsTest.log(`Testing with SSL certs $ {
clientPem connecting to serverPem
}`);
// allowSSL to get a non-SSL control connection.
const conn = MongoRunner.runMongod(
{sslMode: 'allowSSL', sslPEMKeyFile: 'jstests/libs/' + prefix + 'server.pem'});
let argv = [
'./mongo',
'--ssl',
'--port',
conn.port,
'--sslPEMKeyFile',
'jstests/libs/' + prefix + 'client.pem',
'--eval',
';'
];
if (HOST_TYPE == "linux") {
// On Linux we override the default path to the system CA store to point to our
// "trusted" CA. On Windows, this CA will have been added to the user's trusted CA list
argv.unshift("env", "SSL_CERT_FILE=jstests/libs/trusted-ca.pem");
}
const exitCode = runMongoProgram.apply(null, argv);
MongoRunner.stopMongod(conn);
return exitCode;
}
assert.neq(0, testWithCerts(''), 'Certs signed with untrusted CA');
assert.eq(0, testWithCerts('trusted-'), 'Certs signed with trusted CA');
})();
|