path: root/jstests/ssl/ssl_x509_SAN.js
blob: 0896d5caf0c466a262710be4167aaff614221808 (plain)
load('jstests/ssl/libs/ssl_helpers.js');

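(function() {
    "use strict";

    // Certificates used by this test. The two server certificates are expected to differ in how
    // their subjectAltName (SAN) entries are encoded -- presumably server_SAN2.pem carries the
    // IPv6 literal in a dNSName entry, as the second test banner suggests; confirm against the
    // PEM files.
    const SERVER1_CERT = "jstests/libs/server_SAN.pem";
    const SERVER2_CERT = "jstests/libs/server_SAN2.pem";
    const CA_CERT = "jstests/libs/ca.pem";
    const CLIENT_CERT = "jstests/libs/client_SAN.pem";

    // NOTE(review): CLIENT_USER is never referenced below. The banners say "x.509 auth", but the
    // shell only evaluates ";" and never issues an authentication command, so what this file
    // actually exercises is TLS connection setup and server-certificate hostname validation.
    const CLIENT_USER = "C=US,ST=New York,L=New York City,O=MongoDB,OU=Kernel Users,CN=KernelUser";

    /**
     * Launches a mongo shell that connects to `host`:`port` over TLS and evaluates an empty
     * statement.
     *
     * The shell is given CA_CERT to verify the server and CLIENT_CERT as its own certificate.
     * No option that relaxes hostname validation is passed, so the connection should only
     * succeed when the server certificate matches `host`.
     *
     * @param {string} host - host name or IP literal to connect to
     * @param {number} port - port of the mongod under test
     * @param {string[]} extraArgs - additional shell options, inserted before "--eval"
     * @returns {number} exit code of the shell process (0 on success)
     */
    function connectOverTLS(host, port, extraArgs) {
        const args = [
            "mongo",
            "--host",
            host,
            "--port",
            port,
            "--ssl",
            "--sslCAFile",
            CA_CERT,
            "--sslPEMKeyFile",
            CLIENT_CERT,
        ].concat(extraArgs, ["--eval", ";"]);
        return runMongoProgram.apply(null, args);
    }

    /**
     * Asserts that a TLS connection to the mongod on `port` succeeds when it is addressed as
     * "localhost", "127.0.0.1" and "::1".
     *
     * NOTE(review): only positive cases are covered. A connection attempt through a name that is
     * absent from the certificate's SAN list, asserting a non-zero exit code, would catch a
     * regression in which hostname validation is skipped altogether.
     *
     * @param {number} port - port of the mongod under test
     */
    function authAndTest(port) {
        const targets = [
            {host: "localhost", extraArgs: []},
            {host: "127.0.0.1", extraArgs: []},
            // The shell needs --ipv6 to connect to an IPv6 literal.
            {host: "::1", extraArgs: ["--ipv6"]},
        ];

        targets.forEach(function(target) {
            const exitCode = connectOverTLS(target.host, port, target.extraArgs);
            // The message is shown only when the assertion fails, so it describes the failure.
            assert.eq(0, exitCode, "mongo shell failed to connect to " + target.host + " over TLS");
        });
    }

    /**
     * Starts a mongod with `options`, runs the connection checks against it and always stops it
     * again, even when a check throws, so a failing assertion does not leave the server running.
     *
     * @param {Object} options - options object handed to MongoRunner.runMongod
     */
    function runAgainstMongod(options) {
        const mongod = MongoRunner.runMongod(options);
        assert(mongod, "mongod failed to start");
        try {
            authAndTest(mongod.port);
        } finally {
            MongoRunner.stopMongod(mongod);
        }
    }

    const x509_options = {
        sslMode: "requireSSL",
        sslPEMKeyFile: SERVER1_CERT,
        sslCAFile: CA_CERT,
        ipv6: "",
        bind_ip_all: ""
    };

    print("1. Testing x.509 auth to mongod");
    runAgainstMongod(x509_options);

    const x509_options2 = {
        sslMode: "requireSSL",
        sslPEMKeyFile: SERVER2_CERT,
        sslCAFile: CA_CERT,
        ipv6: "",
        bind_ip_all: ""
    };

    print("2. Testing IPv6 in DNS Name field");
    // The second server additionally runs with auth enabled; the shell still only evaluates ";",
    // which the original test relies on succeeding without credentials.
    runAgainstMongod(Object.merge(x509_options2, {auth: ""}));

}());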