jstests/sslSpecial/ssl_ecdsa_cert.js


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73

load('jstests/ssl/libs/ssl_helpers.js');

const test = () => {
    "use strict";

    const ECDSA_CA_CERT = 'jstests/libs/ecdsa-ca.pem';
    const ECDSA_CLIENT_CERT = 'jstests/libs/ecdsa-client.pem';
    const ECDSA_SERVER_CERT = 'jstests/libs/ecdsa-server.pem';

    const CLIENT_USER = 'CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US';

    print('Testing if platform supports usage of ECDSA certificates');
    const tlsOptions = {
        tlsMode: 'preferTLS',
        tlsCertificateKeyFile: ECDSA_SERVER_CERT,
        tlsCAFile: ECDSA_CA_CERT,
        ipv6: '',
        bind_ip_all: '',
        waitForConnect: true,
        tlsAllowConnectionsWithoutCertificates: "",
    };

    let mongod = MongoRunner.runMongod(tlsOptions);

    // Verify we can connect
    assert.eq(0,
              runMongoProgram('mongo',
                              '--tls',
                              '--tlsCAFile',
                              ECDSA_CA_CERT,
                              '--port',
                              mongod.port,
                              '--eval',
                              'db.hello()'),
              "mongo did not initialize properly");

    // Add an X509 user
    const addUserCmd = {createUser: CLIENT_USER, roles: [{role: 'root', db: 'admin'}]};
    assert.commandWorked(mongod.getDB('$external').runCommand(addUserCmd),
                         'Failed to create X509 user using ECDSA certificates');

    const command = function() {
        assert(db.getSiblingDB('$external').auth({mechanism: 'MONGODB-X509', user: "CLIENT_USER"}));

        const connStatus = db.getSiblingDB('admin').runCommand({connectionStatus: 1});
        assert(connStatus.authInfo.authenticatedUsers[0].user === "CLIENT_USER");
    };

    // Verify we can authenticate via X509
    assert.eq(
        0,
        runMongoProgram('mongo',
                        '--tls',
                        '--tlsCertificateKeyFile',
                        ECDSA_CLIENT_CERT,
                        '--tlsCAFile',
                        ECDSA_CA_CERT,
                        '--port',
                        mongod.port,
                        '--eval',
                        '(' + command.toString().replace(/CLIENT_USER/g, CLIENT_USER) + ')();'),
        "ECDSA X509 authentication failed");
    MongoRunner.stopMongod(mongod);
};

const EXCLUDED_BUILDS = ['amazon', 'amzn64'];
if (EXCLUDED_BUILDS.includes(buildInfo().buildEnvironment.distmod)) {
    print("*****************************************************");
    print("Skipping test because Amazon Linux does not support ECDSA certificates");
    print("*****************************************************");
} else {
    requireSSLProvider('openssl', test);
}