From 8f9d4f3cc029f18ad848c9929069c061523478a1 Mon Sep 17 00:00:00 2001 
From: Kevin Albertson Date: Tue, 3 Mar 2020 16:34:06 -0500 Subject: [PATCH] CDRIVER-3408 OCSP initial evergreen testing --- .evergreen/compile-windows.sh | 2 +- .evergreen/config.yml | 261 ++++++++ .evergreen/integration-tests.sh | 121 ++-- .evergreen/ocsp/README.md | 34 + .evergreen/ocsp/README.txt | 1 + .evergreen/ocsp/certs.yml | 112 ++++ .evergreen/ocsp/ecdsa/ca.crt | 13 + .evergreen/ocsp/ecdsa/ca.key | 5 + .evergreen/ocsp/ecdsa/ca.pem | 18 + .../ocsp/ecdsa/mock-delegate-revoked.sh | 8 + .evergreen/ocsp/ecdsa/mock-delegate-valid.sh | 7 + .evergreen/ocsp/ecdsa/mock-revoked.sh | 10 + .evergreen/ocsp/ecdsa/mock-valid.sh | 7 + .evergreen/ocsp/ecdsa/ocsp-responder.crt | 22 + .evergreen/ocsp/ecdsa/ocsp-responder.key | 5 + .evergreen/ocsp/ecdsa/rename.sh | 8 + .evergreen/ocsp/ecdsa/server-mustStaple.pem | 22 + .evergreen/ocsp/ecdsa/server.pem | 22 + .evergreen/ocsp/mock_ocsp_responder.py | 614 ++++++++++++++++++ .evergreen/ocsp/ocsp_mock.py | 47 ++ .evergreen/ocsp/rsa/ca.crt | 21 + .evergreen/ocsp/rsa/ca.key | 28 + .evergreen/ocsp/rsa/ca.pem | 49 ++ .evergreen/ocsp/rsa/mock-delegate-revoked.sh | 8 + .evergreen/ocsp/rsa/mock-delegate-valid.sh | 7 + .evergreen/ocsp/rsa/mock-revoked.sh | 8 + .evergreen/ocsp/rsa/mock-valid.sh | 7 + .evergreen/ocsp/rsa/ocsp-responder.crt | 21 + .evergreen/ocsp/rsa/ocsp-responder.key | 28 + .evergreen/ocsp/rsa/responder.logs | 1 + .evergreen/ocsp/rsa/server-mustStaple.pem | 53 ++ .evergreen/ocsp/rsa/server.pem | 53 ++ .evergreen/run-ocsp-test.sh | 187 ++++++ build/evergreen_config_lib/functions.py | 1 + build/evergreen_config_lib/tasks.py | 70 ++ build/evergreen_config_lib/variants.py | 8 + .../ecdsa-basic-tls-ocsp-disableStapling.json | 19 + ...c-tls-ocsp-mustStaple-disableStapling.json | 19 + .../ecdsa-basic-tls-ocsp-mustStaple.json | 19 + .../rsa-basic-tls-ocsp-disableStapling.json | 19 + ...c-tls-ocsp-mustStaple-disableStapling.json | 19 + .../rsa-basic-tls-ocsp-mustStaple.json | 19 + 42 files changed, 1955 insertions(+), 48 
deletions(-) create mode 100644 .evergreen/ocsp/README.md create mode 100644 .evergreen/ocsp/README.txt create mode 100644 .evergreen/ocsp/certs.yml create mode 100644 .evergreen/ocsp/ecdsa/ca.crt create mode 100644 .evergreen/ocsp/ecdsa/ca.key create mode 100644 .evergreen/ocsp/ecdsa/ca.pem create mode 100755 .evergreen/ocsp/ecdsa/mock-delegate-revoked.sh create mode 100755 .evergreen/ocsp/ecdsa/mock-delegate-valid.sh create mode 100755 .evergreen/ocsp/ecdsa/mock-revoked.sh create mode 100755 .evergreen/ocsp/ecdsa/mock-valid.sh create mode 100644 .evergreen/ocsp/ecdsa/ocsp-responder.crt create mode 100644 .evergreen/ocsp/ecdsa/ocsp-responder.key create mode 100755 .evergreen/ocsp/ecdsa/rename.sh create mode 100644 .evergreen/ocsp/ecdsa/server-mustStaple.pem create mode 100644 .evergreen/ocsp/ecdsa/server.pem create mode 100644 .evergreen/ocsp/mock_ocsp_responder.py create mode 100755 .evergreen/ocsp/ocsp_mock.py create mode 100644 .evergreen/ocsp/rsa/ca.crt create mode 100644 .evergreen/ocsp/rsa/ca.key create mode 100644 .evergreen/ocsp/rsa/ca.pem create mode 100755 .evergreen/ocsp/rsa/mock-delegate-revoked.sh create mode 100755 .evergreen/ocsp/rsa/mock-delegate-valid.sh create mode 100755 .evergreen/ocsp/rsa/mock-revoked.sh create mode 100755 .evergreen/ocsp/rsa/mock-valid.sh create mode 100644 .evergreen/ocsp/rsa/ocsp-responder.crt create mode 100644 .evergreen/ocsp/rsa/ocsp-responder.key create mode 100644 .evergreen/ocsp/rsa/responder.logs create mode 100644 .evergreen/ocsp/rsa/server-mustStaple.pem create mode 100644 .evergreen/ocsp/rsa/server.pem create mode 100755 .evergreen/run-ocsp-test.sh create mode 100644 orchestration_configs/servers/ecdsa-basic-tls-ocsp-disableStapling.json create mode 100644 orchestration_configs/servers/ecdsa-basic-tls-ocsp-mustStaple-disableStapling.json create mode 100644 orchestration_configs/servers/ecdsa-basic-tls-ocsp-mustStaple.json create mode 100644 orchestration_configs/servers/rsa-basic-tls-ocsp-disableStapling.json 
create mode 100644 orchestration_configs/servers/rsa-basic-tls-ocsp-mustStaple-disableStapling.json create mode 100644 orchestration_configs/servers/rsa-basic-tls-ocsp-mustStaple.json diff --git a/.evergreen/compile-windows.sh b/.evergreen/compile-windows.sh index bc1a1ecc95..16d934d26c 100755 --- a/.evergreen/compile-windows.sh +++ b/.evergreen/compile-windows.sh @@ -21,7 +21,7 @@ CONFIGURE_FLAGS="\ -DENABLE_BSON=ON" BUILD_FLAGS="/m" # Number of concurrent processes. No value=# of cpus CMAKE="/cygdrive/c/cmake/bin/cmake" -CC=${CC:-"Visual Studio 14 2015 Win64"} +CC=${CC:-"Visual Studio 15 2017 Win64"} SSL=${SSL:-WINDOWS} SASL=${SASL:-SSPI} diff --git a/.evergreen/config.yml b/.evergreen/config.yml index e55f0977cd..99c6bf380c 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -408,6 +408,7 @@ functions: export AUTHSOURCE=${AUTHSOURCE} export SSL=${SSL} export ORCHESTRATION_FILE=${ORCHESTRATION_FILE} + export OCSP=${OCSP} sh .evergreen/integration-tests.sh run tests: - command: shell.exec 
@@ -12514,6 +12515,256 @@ tasks: - func: run aws tests vars: TESTCASE: ASSUME_ROLE +- name: ocsp-openssl-test_1-rsa-delegate + tags: + - ocsp-openssl + depends_on: + name: debug-compile-nosasl-openssl + commands: + - func: fetch build + vars: + BUILD_NAME: debug-compile-nosasl-openssl + - func: bootstrap mongo-orchestration + vars: + OCSP: 'on' + ORCHESTRATION_FILE: rsa-basic-tls-ocsp-mustStaple + SSL: ssl + TOPOLOGY: server + VERSION: latest + - command: shell.exec + type: test + params: + working_dir: mongoc + shell: bash + script: |- + set -o errexit + set -o xtrace + TEST_COLUMN=TEST_1 CERT_TYPE=rsa USE_DELEGATE=on sh .evergreen/run-ocsp-test.sh +- name: ocsp-openssl-test_1-ecdsa-delegate + tags: + - ocsp-openssl + depends_on: + name: debug-compile-nosasl-openssl + commands: + - func: fetch build + vars: + BUILD_NAME: debug-compile-nosasl-openssl + - func: bootstrap mongo-orchestration + vars: + OCSP: 'on' + ORCHESTRATION_FILE: ecdsa-basic-tls-ocsp-mustStaple + SSL: ssl + TOPOLOGY: server + VERSION: latest + - command: shell.exec + type: test + params: + working_dir: mongoc + shell: bash + script: |- + set -o errexit + set -o xtrace + TEST_COLUMN=TEST_1 CERT_TYPE=ecdsa USE_DELEGATE=on sh .evergreen/run-ocsp-test.sh +- name: ocsp-openssl-test_1-rsa-nodelegate + tags: + - ocsp-openssl + depends_on: + name: debug-compile-nosasl-openssl + commands: + - func: fetch build + vars: + BUILD_NAME: debug-compile-nosasl-openssl + - func: bootstrap mongo-orchestration + vars: + OCSP: 'on' + ORCHESTRATION_FILE: rsa-basic-tls-ocsp-mustStaple + SSL: ssl + TOPOLOGY: server + VERSION: latest + - command: shell.exec + type: test + params: + working_dir: mongoc + shell: bash + script: |- + set -o errexit + set -o xtrace + TEST_COLUMN=TEST_1 CERT_TYPE=rsa USE_DELEGATE=off sh .evergreen/run-ocsp-test.sh +- name: ocsp-openssl-test_1-ecdsa-nodelegate + tags: + - ocsp-openssl + depends_on: + name: debug-compile-nosasl-openssl + commands: + - func: fetch build + vars: + BUILD_NAME: 
debug-compile-nosasl-openssl + - func: bootstrap mongo-orchestration + vars: + OCSP: 'on' + ORCHESTRATION_FILE: ecdsa-basic-tls-ocsp-mustStaple + SSL: ssl + TOPOLOGY: server + VERSION: latest + - command: shell.exec + type: test + params: + working_dir: mongoc + shell: bash + script: |- + set -o errexit + set -o xtrace + TEST_COLUMN=TEST_1 CERT_TYPE=ecdsa USE_DELEGATE=off sh .evergreen/run-ocsp-test.sh +- name: ocsp-openssl-test_3-rsa-delegate + tags: + - ocsp-openssl + depends_on: + name: debug-compile-nosasl-openssl + commands: + - func: fetch build + vars: + BUILD_NAME: debug-compile-nosasl-openssl + - func: bootstrap mongo-orchestration + vars: + OCSP: 'on' + ORCHESTRATION_FILE: rsa-basic-tls-ocsp-disableStapling + SSL: ssl + TOPOLOGY: server + VERSION: latest + - command: shell.exec + type: test + params: + working_dir: mongoc + shell: bash + script: |- + set -o errexit + set -o xtrace + TEST_COLUMN=TEST_3 CERT_TYPE=rsa USE_DELEGATE=on sh .evergreen/run-ocsp-test.sh +- name: ocsp-openssl-test_3-ecdsa-delegate + tags: + - ocsp-openssl + depends_on: + name: debug-compile-nosasl-openssl + commands: + - func: fetch build + vars: + BUILD_NAME: debug-compile-nosasl-openssl + - func: bootstrap mongo-orchestration + vars: + OCSP: 'on' + ORCHESTRATION_FILE: ecdsa-basic-tls-ocsp-disableStapling + SSL: ssl + TOPOLOGY: server + VERSION: latest + - command: shell.exec + type: test + params: + working_dir: mongoc + shell: bash + script: |- + set -o errexit + set -o xtrace + TEST_COLUMN=TEST_3 CERT_TYPE=ecdsa USE_DELEGATE=on sh .evergreen/run-ocsp-test.sh +- name: ocsp-openssl-test_3-rsa-nodelegate + tags: + - ocsp-openssl + depends_on: + name: debug-compile-nosasl-openssl + commands: + - func: fetch build + vars: + BUILD_NAME: debug-compile-nosasl-openssl + - func: bootstrap mongo-orchestration + vars: + OCSP: 'on' + ORCHESTRATION_FILE: rsa-basic-tls-ocsp-disableStapling + SSL: ssl + TOPOLOGY: server + VERSION: latest + - command: shell.exec + type: test + params: + 
working_dir: mongoc + shell: bash + script: |- + set -o errexit + set -o xtrace + TEST_COLUMN=TEST_3 CERT_TYPE=rsa USE_DELEGATE=off sh .evergreen/run-ocsp-test.sh +- name: ocsp-openssl-test_3-ecdsa-nodelegate + tags: + - ocsp-openssl + depends_on: + name: debug-compile-nosasl-openssl + commands: + - func: fetch build + vars: + BUILD_NAME: debug-compile-nosasl-openssl + - func: bootstrap mongo-orchestration + vars: + OCSP: 'on' + ORCHESTRATION_FILE: ecdsa-basic-tls-ocsp-disableStapling + SSL: ssl + TOPOLOGY: server + VERSION: latest + - command: shell.exec + type: test + params: + working_dir: mongoc + shell: bash + script: |- + set -o errexit + set -o xtrace + TEST_COLUMN=TEST_3 CERT_TYPE=ecdsa USE_DELEGATE=off sh .evergreen/run-ocsp-test.sh +- name: ocsp-openssl-soft_fail_test-rsa-nodelegate + tags: + - ocsp-openssl + depends_on: + name: debug-compile-nosasl-openssl + commands: + - func: fetch build + vars: + BUILD_NAME: debug-compile-nosasl-openssl + - func: bootstrap mongo-orchestration + vars: + OCSP: 'on' + ORCHESTRATION_FILE: rsa-basic-tls-ocsp-disableStapling + SSL: ssl + TOPOLOGY: server + VERSION: latest + - command: shell.exec + type: test + params: + working_dir: mongoc + shell: bash + script: |- + set -o errexit + set -o xtrace + TEST_COLUMN=SOFT_FAIL_TEST CERT_TYPE=rsa USE_DELEGATE=off sh .evergreen/run-ocsp-test.sh +- name: ocsp-openssl-soft_fail_test-ecdsa-nodelegate + tags: + - ocsp-openssl + depends_on: + name: debug-compile-nosasl-openssl + commands: + - func: fetch build + vars: + BUILD_NAME: debug-compile-nosasl-openssl + - func: bootstrap mongo-orchestration + vars: + OCSP: 'on' + ORCHESTRATION_FILE: ecdsa-basic-tls-ocsp-disableStapling + SSL: ssl + TOPOLOGY: server + VERSION: latest + - command: shell.exec + type: test + params: + working_dir: mongoc + shell: bash + script: |- + set -o errexit + set -o xtrace + TEST_COLUMN=SOFT_FAIL_TEST CERT_TYPE=ecdsa USE_DELEGATE=off sh .evergreen/run-ocsp-test.sh buildvariants: - name: releng display_name: 
'**Release Archive Creator' @@ -13188,3 +13439,13 @@ buildvariants: - test-latest-server-auth-sasl-openssl - test-latest-replica-set-auth-sasl-openssl batchtime: 1440 +- name: ocsp + display_name: OCSP tests + run_on: ubuntu1804-test + tasks: + - name: debug-compile-nosasl-openssl + distros: + - ubuntu1804-test + - name: .ocsp-openssl + distros: + - ubuntu1804-test diff --git a/.evergreen/integration-tests.sh b/.evergreen/integration-tests.sh index 7c2f96c565..1c51d0d3f7 100755 --- a/.evergreen/integration-tests.sh +++ b/.evergreen/integration-tests.sh @@ -1,4 +1,21 @@ -#!/bin/sh +#! /bin/sh +# Start up mongo-orchestration (a server to spawn mongodb clusters) and set up a cluster. +# +# Specify the following environment variables: +# +# MONGODB_VERSION: latest, 4.2, 4.0, 3.6, 3.4, 3.2, 3.0, 2.6, 2.4 +# TOPOLOGY: server, replica_set, sharded_cluster +# AUTH: auth, noauth +# AUTHSOURCE +# IPV4_ONLY: off, on +# SSL: openssl, darwinssl, winssl, nossl +# ORCHESTRATION_FILE: +# If this is not set, the file name is constructed from other options. +# OCSP: off, on +# +# This script may be run locally. +# + set -o xtrace # Write all commands first to stderr set -o errexit # Exit the script with error if any of the commands fail @@ -9,7 +26,7 @@ DIR=$(dirname $0) get_distro GENERIC_LINUX_URL=$(get_mongodb_download_url_for "linux-x86_64" "$MONGODB_VERSION") get_mongodb_download_url_for "$DISTRO" "$MONGODB_VERSION" -if [ "$MONGODB_DOWNLOAD_URL" = $GENERIC_LINUX_URL -a ! "$SSL" = "nossl" ]; then +if [ "$MONGODB_DOWNLOAD_URL" = "$GENERIC_LINUX_URL" -a ! "$SSL" = "nossl" ]; then echo "Requested a version of MongoDB with SSL, but only generic (non-SSL) Linux version available" exit 1; fi 
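Review bot: The new header comment in the `@@ -1,4 +1,21 @@` hunk of integration-tests.sh lists `SSL: openssl, darwinssl, winssl, nossl`, but the script only ever tests `"$SSL" != "nossl"` (later in this file) and the OCSP tasks added to config.yml in this same patch pass `SSL: ssl`, so the enumerated values overstate what the script distinguishes; `# SSL: nossl disables TLS; any other value enables it (callers pass openssl, darwinssl, winssl or ssl)` would be accurate. The `ORCHESTRATION_FILE` entry does not say what form the value takes, and since the script later wraps it as `orchestration_configs/${TOPOLOGY}s/${ORCHESTRATION_FILE}.json`, add `# ORCHESTRATION_FILE: base name (without .json) of a file under orchestration_configs/<TOPOLOGY>s/`. `OCSP: off, on` is likewise checked as `"$OCSP" != "off"` further down, so any value other than `off` behaves as on, which is worth stating next to it.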
@@ -21,45 +38,51 @@ OS=$(uname -s | tr '[:upper:]' '[:lower:]') AUTH=${AUTH:-noauth} SSL=${SSL:-nossl} TOPOLOGY=${TOPOLOGY:-server} +OCSP=${OCSP:-off} + +# If caller of script specifies an ORCHESTRATION_FILE, do not attempt to modify it. Otherwise construct it. +if [ -z "$ORCHESTRATION_FILE" ]; then + ORCHESTRATION_FILE="basic" + + if [ "$AUTH" = "auth" ]; then + ORCHESTRATION_FILE="auth" + fi + if [ "$IPV4_ONLY" = "on" ]; then + ORCHESTRATION_FILE="${ORCHESTRATION_FILE}-ipv4-only" + fi + + if [ -n "$AUTHSOURCE" ]; then + ORCHESTRATION_FILE="${ORCHESTRATION_FILE}-${AUTHSOURCE}" + fi + + if [ "$SSL" != "nossl" ]; then + ORCHESTRATION_FILE="${ORCHESTRATION_FILE}-ssl" + fi +fi + +# Set up mongo orchestration home. case "$OS" in cygwin*) export MONGO_ORCHESTRATION_HOME="c:/data/MO" + FULL_PATH=$(cygpath -m -a .) ;; *) export MONGO_ORCHESTRATION_HOME=$(pwd)"/MO" + FULL_PATH=$(pwd) ;; esac -rm -rf $MONGO_ORCHESTRATION_HOME -mkdir -p $MONGO_ORCHESTRATION_HOME/lib -mkdir -p $MONGO_ORCHESTRATION_HOME/db - -if [ "$AUTH" = "auth" ]; then - if [ -z $ORCHESTRATION_FILE ]; then - ORCHESTRATION_FILE="auth" - fi - MONGO_SHELL_CONNECTION_FLAGS="-ubob -ppwd123" -fi - -if [ -z "$ORCHESTRATION_FILE" ]; then - ORCHESTRATION_FILE="basic" -fi - -if [ "$IPV4_ONLY" = "on" ]; then - ORCHESTRATION_FILE="${ORCHESTRATION_FILE}-ipv4-only" -fi +rm -rf "$MONGO_ORCHESTRATION_HOME" +mkdir -p "$MONGO_ORCHESTRATION_HOME/lib" +mkdir -p "$MONGO_ORCHESTRATION_HOME/db" -if [ ! -z "$AUTHSOURCE" ]; then - ORCHESTRATION_FILE="${ORCHESTRATION_FILE}-${AUTHSOURCE}" - MONGO_SHELL_CONNECTION_FLAGS="${MONGO_SHELL_CONNECTION_FLAGS} --authenticationDatabase ${AUTHSOURCE}" -fi +# Replace ABSOLUTE_PATH_REPLACEMENT_TOKEN with path to mongo-c-driver. +find orchestration_configs -name \*.json | xargs perl -p -i -e "s|ABSOLUTE_PATH_REPLACEMENT_TOKEN|$FULL_PATH|g" -if [ "$SSL" != "nossl" ]; then - cp -f src/libmongoc/tests/x509gen/* $MONGO_ORCHESTRATION_HOME/lib/ - # find print0 and xargs -0 not available on Solaris. 
Lets hope for good paths - find orchestration_configs -name \*.json | xargs perl -p -i -e "s|/tmp/orchestration-home|$MONGO_ORCHESTRATION_HOME/lib|g" - ORCHESTRATION_FILE="${ORCHESTRATION_FILE}-ssl" -fi +# mongo-orchestration expects client.pem to be in MONGO_ORCHESTRATION_HOME. So always copy it. +cp -f src/libmongoc/tests/x509gen/* $MONGO_ORCHESTRATION_HOME/lib/ +# find print0 and xargs -0 not available on Solaris. Lets hope for good paths +find orchestration_configs -name \*.json | xargs perl -p -i -e "s|/tmp/orchestration-home|$MONGO_ORCHESTRATION_HOME/lib|g" export ORCHESTRATION_FILE="orchestration_configs/${TOPOLOGY}s/${ORCHESTRATION_FILE}.json" export ORCHESTRATION_URL="http://localhost:8889/v1/${TOPOLOGY}s" @@ -67,16 +90,16 @@ export ORCHESTRATION_URL="http://localhost:8889/v1/${TOPOLOGY}s" export TMPDIR=$MONGO_ORCHESTRATION_HOME/db echo From shell `date` > $MONGO_ORCHESTRATION_HOME/server.log - case "$OS" in cygwin*) + PYTHON=python.exe # Python has problems with unix style paths in cygwin. Must use c:\\ paths rm -rf /cygdrive/c/mongodb cp -r mongodb /cygdrive/c/mongodb echo "{ \"releases\": { \"default\": \"c:\\\\mongodb\\\\bin\" }}" > orchestration.config # Make sure MO is running latest version - python.exe -m virtualenv venv + $PYTHON -m virtualenv venv cd venv . Scripts/activate rm -rf mongo-orchestration @@ -86,9 +109,6 @@ case "$OS" in cd ../.. ls `pwd`/mongodb/bin/mongo* || true nohup mongo-orchestration -f orchestration.config -e default --socket-timeout-ms=60000 --bind=127.0.0.1 --enable-majority-read-concern -s wsgiref start > $MONGO_ORCHESTRATION_HOME/out.log 2> $MONGO_ORCHESTRATION_HOME/err.log < /dev/null & - if [ "$SSL" != "nossl" ]; then - export MONGO_SHELL_CONNECTION_FLAGS="$MONGO_SHELL_CONNECTION_FLAGS --host localhost --ssl --sslCAFile=$MONGO_ORCHESTRATION_HOME/lib/ca.pem --sslPEMKeyFile=$MONGO_ORCHESTRATION_HOME/lib/client.pem" - fi ;; *) echo "{ \"releases\": { \"default\": \"`pwd`/mongodb/bin\" } }" > orchestration.config 
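Review bot: `$FULL_PATH` is interpolated unescaped into the perl expression `s|ABSOLUTE_PATH_REPLACEMENT_TOKEN|$FULL_PATH|g`, so a checkout path containing `|`, `$`, `@` or `\` breaks or silently corrupts the substitution; passing the value through the environment avoids that: `FULL_PATH="$FULL_PATH" perl -p -i -e 's|ABSOLUTE_PATH_REPLACEMENT_TOKEN|$ENV{FULL_PATH}|g'` (the pre-existing `/tmp/orchestration-home` substitution two lines below has the same shape). The substitution also rewrites the tracked JSON files in place, so once the token has been consumed a later local run from a different path will not update it, which matters because the new header says the script may be run locally; a comment saying the orchestration configs must be restored from git before re-running would save debugging time. Quoting is inconsistent within the hunk as well: `rm -rf "$MONGO_ORCHESTRATION_HOME"` and the two `mkdir -p` lines are newly quoted while the new `cp -f src/libmongoc/tests/x509gen/* $MONGO_ORCHESTRATION_HOME/lib/` stays unquoted.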
@@ -99,13 +119,6 @@ case "$OS" in PYTHON=python fi - PYTHON_MAJ=$(python -c 'import sys; print (sys.version_info[0])') - PYTHON_MIN=$(python -c 'import sys; print (sys.version_info[1])') - if [ "$PYTHON_MAJ" -ge "3" -a "$PYTHON_MIN" -ge "8" ]; then - # mongo-orchestration currently does not run with python 3.8 per PYTHON-2067. Explicitly use python 2. - PYTHON=python2 - fi - $PYTHON -m virtualenv venv cd venv . bin/activate 
@@ -121,21 +134,35 @@ case "$OS" in pip $PIP_PARAM install . cd ../.. mongo-orchestration -f orchestration.config -e default --socket-timeout-ms=60000 --bind=127.0.0.1 --enable-majority-read-concern start > $MONGO_ORCHESTRATION_HOME/out.log 2> $MONGO_ORCHESTRATION_HOME/err.log < /dev/null & - if [ "$SSL" != "nossl" ]; then - export MONGO_SHELL_CONNECTION_FLAGS="$MONGO_SHELL_CONNECTION_FLAGS --host localhost --ssl --sslCAFile=$MONGO_ORCHESTRATION_HOME/lib/ca.pem --sslPEMKeyFile=$MONGO_ORCHESTRATION_HOME/lib/client.pem" - fi ;; esac sleep 15 -curl http://localhost:8889/ -sS --max-time 120 --fail +echo "Checking that mongo-orchestration is running" +curl http://localhost:8889/ -sS --max-time 120 --fail | python -m json.tool sleep 5 pwd -curl -sS --data @"$ORCHESTRATION_FILE" "$ORCHESTRATION_URL" --max-time 300 --fail +curl -sS --data @"$ORCHESTRATION_FILE" "$ORCHESTRATION_URL" --max-time 300 --fail | python -m json.tool sleep 15 +if [ "$AUTH" = "auth" ]; then + MONGO_SHELL_CONNECTION_FLAGS="-ubob -ppwd123" +fi + +if [ -n "$AUTHSOURCE" ]; then + MONGO_SHELL_CONNECTION_FLAGS="${MONGO_SHELL_CONNECTION_FLAGS} --authenticationDatabase ${AUTHSOURCE}" +fi + +if [ "$OCSP" != "off" ]; then + MONGO_SHELL_CONNECTION_FLAGS="${MONGO_SHELL_CONNECTION_FLAGS} --host localhost --tls --tlsAllowInvalidCertificates" +elif [ "$SSL" != "nossl" ]; then + MONGO_SHELL_CONNECTION_FLAGS="${MONGO_SHELL_CONNECTION_FLAGS} --host localhost --ssl --sslCAFile=$MONGO_ORCHESTRATION_HOME/lib/ca.pem --sslPEMKeyFile=$MONGO_ORCHESTRATION_HOME/lib/client.pem" +fi + +echo $MONGO_SHELL_CONNECTION_FLAGS + `pwd`/mongodb/bin/mongo $MONGO_SHELL_CONNECTION_FLAGS --eval 'printjson(db.serverBuildInfo())' admin `pwd`/mongodb/bin/mongo $MONGO_SHELL_CONNECTION_FLAGS --eval 'printjson(db.isMaster())' admin diff --git a/.evergreen/ocsp/README.md b/.evergreen/ocsp/README.md new file mode 100644 index 0000000000..2eac12ef42 --- /dev/null +++ b/.evergreen/ocsp/README.md 
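Review bot: Piping `curl ... --fail` into `python -m json.tool` hides curl's exit status from `set -o errexit`, because under `/bin/sh` a pipeline's status is that of its last command and there is no `pipefail`; today a failed curl is only caught indirectly when json.tool rejects the empty input. Capture first, then pretty-print: `MO_RESPONSE=$(curl http://localhost:8889/ -sS --max-time 120 --fail)` followed by `echo "$MO_RESPONSE" | python -m json.tool`, and the same for the POST that creates the cluster. Those two calls also use bare `python` while the `@@ -67,16 +90,16 @@` hunk above introduces `PYTHON=python.exe` for cygwin and the other branch sets `PYTHON` as well, so `$PYTHON -m json.tool` would be consistent with the rest of the file. Finally, the new OCSP branch connects with `--tls --tlsAllowInvalidCertificates` whereas the `--ssl` branch validates against `ca.pem`; presumably the OCSP configs use a test CA that is not in `$MONGO_ORCHESTRATION_HOME/lib/ca.pem`, so add `# OCSP configs use their own test CA; this is only a reachability check, not a certificate-validation test — confirm` above that branch.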
@@ -0,0 +1,34 @@
+# Generating Test Certificates
+
+The test certificates here were generating using a fork of the server
+team's [`mkcert.py`]
+(https://github.com/mongodb/mongo/blob/master/jstests/ssl/x509/mkcert.py)
+tool.
+
+In order to generate a fresh set of certificates, clone this branch of
+a fork of the [`mongo` repository]
+(https://github.com/vincentkam/mongo/tree/mkcert-ecdsa) and
+run the following command from the root of the `mongo` repository:
+
+`python3 jstests/ssl/x509/mkcert.py --config ../drivers-evergreen-tools/.evergreen/ocsp/certs.yml`
+
+Passing a certificate ID as the final parameter will limit certificate
+generation to that certificate and all its leaves. Note: if
+regenerating ECDSA leaf certificates, ``ecsda/ca.pem`` will need to be
+temporarily renamed back to ``ecdsa-ca-ocsp.pem``.
+
+The ECDSA certificates will be output into the folder specified by the
+`global.output_path` option in the `certs.yml` file, which defaults to
+`ecsda` directory contained in this directory. The RSA certificate
+definitions override this value on a per certificate basis and are
+output into the `rsa` directory. The default configuration also
+assumes that the `mongo` repository and the `driver-evergreen-tools`
+repository have the same parent directory.
+
+After generating the RSA root certificate, one must manually split the
+`rsa/ca.pem` file, which contains both the private key and the public
+certificate, into two files. `rsa/ca.crt` should contain the public
+certificate, and `ras/ca.key` should contain the private certificate.
+
+When generating ECDSA certificates, one must normalize the ECDSA
+certificate names by running `ecdsa/rename.sh`.
diff --git a/.evergreen/ocsp/README.txt b/.evergreen/ocsp/README.txt
new file mode 100644
index 0000000000..f98a7c4871
--- /dev/null
+++ b/.evergreen/ocsp/README.txt
@@ -0,0 +1 @@
+Copied from drivers-evergreen-tools/.evergreen/ocsp.
\ No newline at end of file
diff --git a/.evergreen/ocsp/certs.yml b/.evergreen/ocsp/certs.yml
new file mode 100644
index 0000000000..046ad8048f
--- /dev/null
+++ b/.evergreen/ocsp/certs.yml
@@ -0,0 +1,112 @@ + +global: + # All subject names will have these elements automatically, + # unless `explicit_subject: true` is specified. + output_path: '../drivers-evergreen-tools/.evergreen/ocsp/ecdsa/' # See README.md if customizing this path + Subject: + C: 'US' + ST: 'New York' + L: 'New York City' + O: 'MongoDB' + OU: 'Kernel' + +certs: + +### +# OCSP Tree +### +- name: 'ca.pem' + description: >- + Primary Root Certificate Authority + Most Certificates are issued by this CA. + Subject: {CN: 'Kernel Test CA'} + Issuer: self + include_header: false + output_path: '../drivers-evergreen-tools/.evergreen/ocsp/rsa' + extensions: + basicConstraints: + critical: true + CA: true + +- name: 'server.pem' + description: >- + Certificate with OCSP for the mongodb server. + Subject: + CN: 'localhost' + C: US + ST: NY + L: OCSP-1 + Issuer: 'ca.pem' + include_header: false + output_path: '../drivers-evergreen-tools/.evergreen/ocsp/rsa' + extensions: + basicConstraints: {CA: false} + subjectAltName: + DNS: localhost + IP: 127.0.0.1 + authorityInfoAccess: 'OCSP;URI:http://localhost:9001/power/level/,OCSP;URI:http://localhost:8100/status/' + subjectKeyIdentifier: hash + keyUsage: [digitalSignature, keyEncipherment] + extendedKeyUsage: [serverAuth, clientAuth] + +- name: 'server-mustStaple.pem' + description: >- + Certficiate with Must Staple OCSP for the mongodb server. 
+ Subject: + CN: 'localhost' + C: US + ST: NY + L: OCSP-1 + Issuer: 'ca.pem' + include_header: false + output_path: '../drivers-evergreen-tools/.evergreen/ocsp/rsa' + extensions: + basicConstraints: {CA: false} + subjectAltName: + DNS: localhost + IP: 127.0.0.1 + authorityInfoAccess: 'OCSP;URI:http://localhost:9001/power/level/,OCSP;URI:http://localhost:8100/status/' + mustStaple: true + subjectKeyIdentifier: hash + keyUsage: [digitalSignature, keyEncipherment] + extendedKeyUsage: [serverAuth, clientAuth] + +- name: 'ocsp-responder.crt' + description: Certificate and key for the OCSP responder + Subject: + CN: 'localhost' + C: US + ST: NY + L: OCSP-3 + Issuer: 'ca.pem' + include_header: false + keyfile: 'ocsp-responder.key' + output_path: '../drivers-evergreen-tools/.evergreen/ocsp/rsa' + extensions: + basicConstraints: {CA: false} + keyUsage: [nonRepudiation, digitalSignature, keyEncipherment] + extendedKeyUsage: [OCSPSigning] + #noCheck: true + +### +# ECDSA tree +### + +# These are all special cases handled internally by mkcert.py +# Do NOT change the names + +- name: 'ecdsa-ca-ocsp.pem' + description: Root of ECDSA tree for OCSP testing + Issuer: self + +- name: 'ecdsa-server-ocsp.pem' + description: ECDSA server certificate w/OCSP + Issuer: 'ecdsa-ca-ocsp.pem' + +- name: 'ecdsa-server-ocsp-mustStaple.pem' + description: ECDSA server certificate w/OCSP + must-staple + Issuer: 'ecdsa-ca-ocsp.pem' + +- name: 'ecdsa-ocsp-responder.crt' + description: ECDSA certificate and key for OCSP responder + Issuer: 'ecdsa-ca-ocsp.pem' diff --git a/.evergreen/ocsp/ecdsa/ca.crt b/.evergreen/ocsp/ecdsa/ca.crt new file mode 100644 index 0000000000..cb015eabd4 --- /dev/null +++ b/.evergreen/ocsp/ecdsa/ca.crt 
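Review bot: The `authorityInfoAccess` on `server.pem` and `server-mustStaple.pem` names two responders, `http://localhost:9001/power/level/` and `http://localhost:8100/status/`, but only port 8100 appears in the mock-*.sh responder scripts added in this patch and nothing in certs.yml says what the 9001 entry is for; add above the first `authorityInfoAccess` a line such as `# 9001 has no listener in these tests; clients are expected to fall through to the 8100 responder — confirm`. Likewise `#noCheck: true` on `ocsp-responder.crt` is left disabled with no explanation, so a one-line comment giving the reason (for example whether the responder certificate's own revocation status is meant to be checked by the client) would stop the next editor from toggling it blindly. `Certficiate` in the `server-mustStaple.pem` description is a typo for `Certificate`.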
@@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB9zCCAZygAwIBAgIEZciS3TAKBggqhkjOPQQDAjB6MQswCQYDVQQGEwJVUzER +MA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAOBgNV +BAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEdMBsGA1UEAwwUS2VybmVsIFRl +c3QgRVNDREEgQ0EwHhcNMjAwMjE5MjAyOTI3WhcNNDAwMjE0MjAyOTI3WjB6MQsw +CQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3Jr +IENpdHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEdMBsGA1UE +AwwUS2VybmVsIFRlc3QgRVNDREEgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC +AAQhBCbWBOsw2pY7pUEFEdlxU0eMYQ5sUjm8Qgoj0FcXtbl+lA53Z8tETjMQ6Vgk +17bqjNdcYRUXjHRav0H0+DlUoxAwDjAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMC +A0kAMEYCIQCM4BhBUzL2zuZ393ofghp1i6kn6tkZViFXYqLqbyuRbAIhAJ5lVur6 +j+u1ArO3+Q4EivAOkKn5WigaHBuZQ5XMSpMI +-----END CERTIFICATE----- diff --git a/.evergreen/ocsp/ecdsa/ca.key b/.evergreen/ocsp/ecdsa/ca.key new file mode 100644 index 0000000000..8a29aa471c --- /dev/null +++ b/.evergreen/ocsp/ecdsa/ca.key @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgmcHLo8thu0pQjmzM +IkYdR0DdGbBWUpUU0epeYOahItehRANCAAQhBCbWBOsw2pY7pUEFEdlxU0eMYQ5s +Ujm8Qgoj0FcXtbl+lA53Z8tETjMQ6Vgk17bqjNdcYRUXjHRav0H0+DlU +-----END PRIVATE KEY----- diff --git a/.evergreen/ocsp/ecdsa/ca.pem b/.evergreen/ocsp/ecdsa/ca.pem new file mode 100644 index 0000000000..e31390481a --- /dev/null +++ b/.evergreen/ocsp/ecdsa/ca.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIB9zCCAZygAwIBAgIEZciS3TAKBggqhkjOPQQDAjB6MQswCQYDVQQGEwJVUzER +MA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAOBgNV +BAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEdMBsGA1UEAwwUS2VybmVsIFRl +c3QgRVNDREEgQ0EwHhcNMjAwMjE5MjAyOTI3WhcNNDAwMjE0MjAyOTI3WjB6MQsw +CQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3Jr +IENpdHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEdMBsGA1UE +AwwUS2VybmVsIFRlc3QgRVNDREEgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC +AAQhBCbWBOsw2pY7pUEFEdlxU0eMYQ5sUjm8Qgoj0FcXtbl+lA53Z8tETjMQ6Vgk +17bqjNdcYRUXjHRav0H0+DlUoxAwDjAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMC +A0kAMEYCIQCM4BhBUzL2zuZ393ofghp1i6kn6tkZViFXYqLqbyuRbAIhAJ5lVur6 +j+u1ArO3+Q4EivAOkKn5WigaHBuZQ5XMSpMI +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgmcHLo8thu0pQjmzM +IkYdR0DdGbBWUpUU0epeYOahItehRANCAAQhBCbWBOsw2pY7pUEFEdlxU0eMYQ5s +Ujm8Qgoj0FcXtbl+lA53Z8tETjMQ6Vgk17bqjNdcYRUXjHRav0H0+DlU +-----END PRIVATE KEY----- diff --git a/.evergreen/ocsp/ecdsa/mock-delegate-revoked.sh b/.evergreen/ocsp/ecdsa/mock-delegate-revoked.sh new file mode 100755 index 0000000000..1e40fba5a7 --- /dev/null +++ b/.evergreen/ocsp/ecdsa/mock-delegate-revoked.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env sh +python3 ../ocsp_mock.py \ + --ca_file ca.pem \ + --ocsp_responder_cert ocsp-responder.crt \ + --ocsp_responder_key ocsp-responder.key \ + -p 8100 \ + -v \ + --fault revoked diff --git a/.evergreen/ocsp/ecdsa/mock-delegate-valid.sh b/.evergreen/ocsp/ecdsa/mock-delegate-valid.sh new file mode 100755 index 0000000000..5074a7ecab --- /dev/null +++ b/.evergreen/ocsp/ecdsa/mock-delegate-valid.sh @@ -0,0 +1,7 @@ +#!/usr/bin/env sh +python3 ../ocsp_mock.py \ + --ca_file ca.pem \ + --ocsp_responder_cert ocsp-responder.crt \ + --ocsp_responder_key ocsp-responder.key \ + -p 8100 \ + -v 
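Review bot: `python3 ../ocsp_mock.py` and the `ca.pem`, `ocsp-responder.crt` and `ocsp-responder.key` arguments in mock-delegate-revoked.sh are resolved against the caller's working directory rather than the script's location, so the script only works when started from inside `.evergreen/ocsp/ecdsa/`; inserting `cd "$(dirname "$0")" || exit 1` after the shebang removes that dependency. mock-delegate-valid.sh on this line and mock-revoked.sh and mock-valid.sh on the next line have the same shape. The meaning of `--fault revoked` and of the delegate/non-delegate distinction lives in ocsp_mock.py, which is not shown here, so a header comment such as `# presumably: responder signs with the delegate certificate and reports the server certificate as revoked — verify against ocsp_mock.py` would document the intent without requiring a reader to open the Python.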
diff --git a/.evergreen/ocsp/ecdsa/mock-revoked.sh b/.evergreen/ocsp/ecdsa/mock-revoked.sh new file mode 100755 index 0000000000..a6bf2ef025 --- /dev/null +++ b/.evergreen/ocsp/ecdsa/mock-revoked.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env sh +# Use the CA as the OCSP responder +python3 ../ocsp_mock.py \ + --ca_file ca.pem \ + --ocsp_responder_cert ca.crt \ + --ocsp_responder_key ca.key \ + -p 8100 \ + -v \ + --fault revoked + diff --git a/.evergreen/ocsp/ecdsa/mock-valid.sh b/.evergreen/ocsp/ecdsa/mock-valid.sh new file mode 100755 index 0000000000..c89ce9e954 --- /dev/null +++ b/.evergreen/ocsp/ecdsa/mock-valid.sh @@ -0,0 +1,7 @@ +#!/usr/bin/env sh +python3 ../ocsp_mock.py \ + --ca_file ca.pem \ + --ocsp_responder_cert ca.crt \ + --ocsp_responder_key ca.key \ + -p 8100 \ + -v diff --git a/.evergreen/ocsp/ecdsa/ocsp-responder.crt b/.evergreen/ocsp/ecdsa/ocsp-responder.crt new file mode 100644 index 0000000000..fb1e5cd0ed --- /dev/null +++ b/.evergreen/ocsp/ecdsa/ocsp-responder.crt 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIICwjCCAmmgAwIBAgIEehPOjDAKBggqhkjOPQQDAjB6MQswCQYDVQQGEwJVUzER +MA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAOBgNV +BAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEdMBsGA1UEAwwUS2VybmVsIFRl +c3QgRVNDREEgQ0EwHhcNMjAwMjE5MjAyOTI3WhcNNDAwMjE0MjAyOTI3WjBsMQsw +CQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3Jr +IENpdHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEPMA0GA1UE +AwwGc2VydmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEW7/21dgNh3hXUfm6 +PHY3vdTMLo/2pBtVPx3i6WIVjztShy/vOe7QPARDhvA8xaRVMgLIbrVPA1dEWm/F +SQTLnKOB6jCB5zAJBgNVHRMEAjAAMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAA +ATAdBgNVHQ4EFgQUXAVhlYGqvzyoiWSjg8ZlSVpfMU4wCwYDVR0PBAQDAgXgMCcG +A1UdJQQgMB4GCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwkwaQYIKwYBBQUH +AQEEXTBbMC4GCCsGAQUFBzABhiJodHRwOi8vbG9jYWxob3N0OjkwMDEvcG93ZXIv +bGV2ZWwvMCkGCCsGAQUFBzABhh1odHRwOi8vbG9jYWxob3N0OjgxMDAvc3RhdHVz +LzAKBggqhkjOPQQDAgNHADBEAiB6B68twsBy6RuxvGsRkJydPs9miCBAgX4Ndvki +0fRlDAIgOE33/gJE7eD1ZiteFGmJSpifxSoNzC/kX66akXRbYmg= +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgEpRrLclJnnb0CT4e +49Ubxx50pTtarNDD8rHBPRVmKrahRANCAARbv/bV2A2HeFdR+bo8dje91Mwuj/ak +G1U/HeLpYhWPO1KHL+857tA8BEOG8DzFpFUyAshutU8DV0Rab8VJBMuc +-----END PRIVATE KEY----- diff --git a/.evergreen/ocsp/ecdsa/ocsp-responder.key b/.evergreen/ocsp/ecdsa/ocsp-responder.key new file mode 100644 index 0000000000..24130f2ca9 --- /dev/null +++ b/.evergreen/ocsp/ecdsa/ocsp-responder.key @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgEpRrLclJnnb0CT4e +49Ubxx50pTtarNDD8rHBPRVmKrahRANCAARbv/bV2A2HeFdR+bo8dje91Mwuj/ak +G1U/HeLpYhWPO1KHL+857tA8BEOG8DzFpFUyAshutU8DV0Rab8VJBMuc +-----END PRIVATE KEY----- diff --git a/.evergreen/ocsp/ecdsa/rename.sh b/.evergreen/ocsp/ecdsa/rename.sh new file mode 100755 index 0000000000..9c7df02758 --- /dev/null +++ b/.evergreen/ocsp/ecdsa/rename.sh 
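Review bot: ecdsa/ocsp-responder.crt carries a `-----BEGIN PRIVATE KEY-----` block after the certificate even though it is named as a certificate, the same key is added separately as ecdsa/ocsp-responder.key in this patch, and the mock-delegate-*.sh scripts pass the key explicitly via `--ocsp_responder_key ocsp-responder.key`; by contrast ecdsa/ca.crt added above holds only the CERTIFICATE block. Unless ocsp_mock.py reads the key out of the `.crt` (not visible here), the private-key block is redundant and turns a file whose extension suggests it is safe to hand out into one that contains key material, so trimming the `.crt` to the certificate would be cleaner; the certs.yml responder entry already declares `keyfile: 'ocsp-responder.key'`, which suggests the split was intended. If mkcert keeps emitting the combined form for the ECDSA tree, rename.sh is the natural place to perform that split.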
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+[ ! -f ecdsa-ca-ocsp.pem ] || mv ecdsa-ca-ocsp.pem ca.pem
+[ ! -f ecdsa-ca-ocsp.crt ] || mv ecdsa-ca-ocsp.crt ca.crt
+[ ! -f ecdsa-ca-ocsp.key ] || mv ecdsa-ca-ocsp.key ca.key
+[ ! -f ecdsa-server-ocsp.pem ] || mv ecdsa-server-ocsp.pem server.pem
+[ ! -f ecdsa-server-ocsp-mustStaple.pem ] || mv ecdsa-server-ocsp-mustStaple.pem server-mustStaple.pem
+[ ! -f ecdsa-ocsp-responder.crt ] || mv ecdsa-ocsp-responder.crt ocsp-responder.crt
+[ ! -f ecdsa-ocsp-responder.key ] || mv ecdsa-ocsp-responder.key ocsp-responder.key
diff --git a/.evergreen/ocsp/ecdsa/server-mustStaple.pem b/.evergreen/ocsp/ecdsa/server-mustStaple.pem
new file mode 100644
index 0000000000..5e753192c0
--- /dev/null
+++ b/.evergreen/ocsp/ecdsa/server-mustStaple.pem
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIICyzCCAnKgAwIBAgIEGRNDGzAKBggqhkjOPQQDAjB6MQswCQYDVQQGEwJVUzER +MA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAOBgNV +BAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEdMBsGA1UEAwwUS2VybmVsIFRl +c3QgRVNDREEgQ0EwHhcNMjAwMjE5MjAyOTI3WhcNNDAwMjE0MjAyOTI3WjBsMQsw +CQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3Jr +IENpdHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEPMA0GA1UE +AwwGc2VydmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1tnJ3r6DT9GE0LaR +/4IHJvOIew+5W19D79HXFM4ymtztjymzDE22GAo+QH38Nwjv715EghnHA40tIHkZ +vVcE76OB8zCB8DAJBgNVHRMEAjAAMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAA +ATAdBgNVHQ4EFgQUKLXfmdd2R1p/1ZlAiYOQ4A5I0ewwCwYDVR0PBAQDAgWgMB0G +A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBpBggrBgEFBQcBAQRdMFswLgYI +KwYBBQUHMAGGImh0dHA6Ly9sb2NhbGhvc3Q6OTAwMS9wb3dlci9sZXZlbC8wKQYI +KwYBBQUHMAGGHWh0dHA6Ly9sb2NhbGhvc3Q6ODEwMC9zdGF0dXMvMBEGCCsGAQUF +BwEYBAUwAwIBBTAKBggqhkjOPQQDAgNHADBEAiBvND5zOM2ZmdgSEVWloh6pyRMN +M2g9qD4aLPYcC+GlaAIgEhvdqF3Sii/ZjKEWUeUVtqWgo0229YrL7t1wYE1Sf9o= +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgtxohdEzsJP96dCPC +Vj19qJgAINp+8E8JKaOArrh6YByhRANCAATW2cnevoNP0YTQtpH/ggcm84h7D7lb +X0Pv0dcUzjKa3O2PKbMMTbYYCj5Affw3CO/vXkSCGccDjS0geRm9VwTv +-----END PRIVATE KEY----- diff --git a/.evergreen/ocsp/ecdsa/server.pem b/.evergreen/ocsp/ecdsa/server.pem new file mode 100644 index 0000000000..84b6a6cc00 --- /dev/null +++ b/.evergreen/ocsp/ecdsa/server.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIICuDCCAl+gAwIBAgIEQNNJfzAKBggqhkjOPQQDAjB6MQswCQYDVQQGEwJVUzER +MA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAOBgNV +BAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEdMBsGA1UEAwwUS2VybmVsIFRl +c3QgRVNDREEgQ0EwHhcNMjAwMjE5MjAyOTI3WhcNNDAwMjE0MjAyOTI3WjBsMQsw +CQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3Jr +IENpdHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEPMA0GA1UE +AwwGc2VydmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGp90gJXEN018bcms +N0dyayTF4M/eEelsAEntcri22JdLTvjkyAUZw+RkYMW1reE0NFfSk1xkErsOVNCA +YJsnoKOB4DCB3TAJBgNVHRMEAjAAMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAA +ATAdBgNVHQ4EFgQUaNchrip1M/Y3suBIwGwuppXrv7owCwYDVR0PBAQDAgWgMB0G +A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBpBggrBgEFBQcBAQRdMFswLgYI +KwYBBQUHMAGGImh0dHA6Ly9sb2NhbGhvc3Q6OTAwMS9wb3dlci9sZXZlbC8wKQYI +KwYBBQUHMAGGHWh0dHA6Ly9sb2NhbGhvc3Q6ODEwMC9zdGF0dXMvMAoGCCqGSM49 +BAMCA0cAMEQCIDz6L0G9Rnidq1E3ALtQU4VqpFmaOjjSflw15bA/kAYaAiALZiPC +e/DoRQ67DGrawaQLAmPBcILk/nzbTnrXHQrLIA== +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgUnYUVRWUB6HPieMU +WVpOkPDTHGB98u96E5mpTa2G03ihRANCAAQan3SAlcQ3TXxtyaw3R3JrJMXgz94R +6WwASe1yuLbYl0tO+OTIBRnD5GRgxbWt4TQ0V9KTXGQSuw5U0IBgmyeg +-----END PRIVATE KEY----- diff --git a/.evergreen/ocsp/mock_ocsp_responder.py b/.evergreen/ocsp/mock_ocsp_responder.py new file mode 100644 index 0000000000..28b78e9049 --- /dev/null +++ b/.evergreen/ocsp/mock_ocsp_responder.py 
@@ -0,0 +1,614 @@ +# +# This file has been modified in 2019 by MongoDB Inc. +# + +# OCSPBuilder is derived from https://github.com/wbond/ocspbuilder +# OCSPResponder is derived from https://github.com/threema-ch/ocspresponder + +# Copyright (c) 2015-2018 Will Bond + +# Permission is hereby granted, free of charge, to any person obtaining a copy of +# this software and associated documentation files (the "Software"), to deal in +# the Software without restriction, including without limitation the rights to +# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies +# of the Software, and to permit persons to whom the Software is furnished to do +# so, subject to the following conditions: + +# The above copyright notice and this permission notice shall be included in all +# copies or substantial portions of the Software. + +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +# SOFTWARE. + +# Copyright 2016 Threema GmbH + +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +from __future__ import unicode_literals, division, absolute_import, print_function + +import logging +import base64 +import inspect +import re +import enum +import sys +import textwrap +from datetime import datetime, timezone, timedelta +from typing import Callable, Tuple, Optional + +from asn1crypto import x509, keys, core, ocsp +from asn1crypto.ocsp import OCSPRequest, OCSPResponse +from oscrypto import asymmetric +from bottle import Bottle, HTTPResponse, request + +__version__ = '0.10.2' +__version_info__ = (0, 10, 2) + +logger = logging.getLogger(__name__) + +if sys.version_info < (3,): + byte_cls = str +else: + byte_cls = bytes + +def _pretty_message(string, *params): + """ + Takes a multi-line string and does the following: + - dedents + - converts newlines with text before and after into a single line + - strips leading and trailing whitespace + :param string: + The string to format + :param *params: + Params to interpolate into the string + :return: + The formatted string + """ + + output = textwrap.dedent(string) + + # Unwrap lines, taking into account bulleted lists, ordered lists and + # underlines consisting of = signs + if output.find('\n') != -1: + output = re.sub('(?<=\\S)\n(?=[^ \n\t\\d\\*\\-=])', ' ', output) + + if params: + output = output % params + + output = output.strip() + + return output + + +def _type_name(value): + """ + :param value: + A value to get the object name of + :return: + A unicode string of the object name + """ + + if inspect.isclass(value): + cls = value + else: + cls = value.__class__ + if cls.__module__ in set(['builtins', '__builtin__']): + return cls.__name__ + return '%s.%s' % (cls.__module__, cls.__name__) + +def _writer(func): + """ + Decorator for a custom writer, but a default reader + """ + + name = func.__name__ + return property(fget=lambda self: getattr(self, '_%s' % name), fset=func) + + +class OCSPResponseBuilder(object): + + _response_status = None + _certificate = None + _certificate_status = None + 
_revocation_date = None + _certificate_issuer = None + _hash_algo = None + _key_hash_algo = None + _nonce = None + _this_update = None + _next_update = None + _response_data_extensions = None + _single_response_extensions = None + + def __init__(self, response_status, certificate_status_list=[], revocation_date=None): + """ + Unless changed, responses will use SHA-256 for the signature, + and will be valid from the moment created for one week. + :param response_status: + A unicode string of OCSP response type: + - "successful" - when the response includes information about the certificate + - "malformed_request" - when the request could not be understood + - "internal_error" - when an internal error occured with the OCSP responder + - "try_later" - when the OCSP responder is temporarily unavailable + - "sign_required" - when the OCSP request must be signed + - "unauthorized" - when the responder is not the correct responder for the certificate + :param certificate_list: + A list of tuples with certificate serial number and certificate status objects. + certificate_status: + A unicode string of the status of the certificate. Only required if + the response_status is "successful". 
+ - "good" - when the certificate is in good standing + - "revoked" - when the certificate is revoked without a reason code + - "key_compromise" - when a private key is compromised + - "ca_compromise" - when the CA issuing the certificate is compromised + - "affiliation_changed" - when the certificate subject name changed + - "superseded" - when the certificate was replaced with a new one + - "cessation_of_operation" - when the certificate is no longer needed + - "certificate_hold" - when the certificate is temporarily invalid + - "remove_from_crl" - only delta CRLs - when temporary hold is removed + - "privilege_withdrawn" - one of the usages for a certificate was removed + - "unknown" - the responder doesn't know about the certificate being requested + :param revocation_date: + A datetime.datetime object of when the certificate was revoked, if + the response_status is "successful" and the certificate status is + not "good" or "unknown". + """ + self._response_status = response_status + self._certificate_status_list = certificate_status_list + self._revocation_date = revocation_date + + self._key_hash_algo = 'sha1' + self._hash_algo = 'sha256' + self._response_data_extensions = {} + self._single_response_extensions = {} + + @_writer + def nonce(self, value): + """ + The nonce that was provided during the request. + """ + + if not isinstance(value, byte_cls): + raise TypeError(_pretty_message( + ''' + nonce must be a byte string, not %s + ''', + _type_name(value) + )) + + self._nonce = value + + @_writer + def certificate_issuer(self, value): + """ + An asn1crypto.x509.Certificate object of the issuer of the certificate. + This should only be set if the OCSP responder is not the issuer of + the certificate, but instead a special certificate only for OCSP + responses. 
+ """ + + if value is not None: + is_oscrypto = isinstance(value, asymmetric.Certificate) + if not is_oscrypto and not isinstance(value, x509.Certificate): + raise TypeError(_pretty_message( + ''' + certificate_issuer must be an instance of + asn1crypto.x509.Certificate or + oscrypto.asymmetric.Certificate, not %s + ''', + _type_name(value) + )) + + if is_oscrypto: + value = value.asn1 + + self._certificate_issuer = value + + @_writer + def next_update(self, value): + """ + A datetime.datetime object of when the response may next change. This + should only be set if responses are cached. If responses are generated + fresh on every request, this should not be set. + """ + + if not isinstance(value, datetime): + raise TypeError(_pretty_message( + ''' + next_update must be an instance of datetime.datetime, not %s + ''', + _type_name(value) + )) + + self._next_update = value + + def build(self, responder_private_key=None, responder_certificate=None): + """ + Validates the request information, constructs the ASN.1 structure and + signs it. + The responder_private_key and responder_certificate parameters are onlystr + required if the response_status is "successful". 
+ :param responder_private_key: + An asn1crypto.keys.PrivateKeyInfo or oscrypto.asymmetric.PrivateKey + object for the private key to sign the response with + :param responder_certificate: + An asn1crypto.x509.Certificate or oscrypto.asymmetric.Certificate + object of the certificate associated with the private key + :return: + An asn1crypto.ocsp.OCSPResponse object of the response + """ + if self._response_status != 'successful': + return ocsp.OCSPResponse({ + 'response_status': self._response_status + }) + + is_oscrypto = isinstance(responder_private_key, asymmetric.PrivateKey) + if not isinstance(responder_private_key, keys.PrivateKeyInfo) and not is_oscrypto: + raise TypeError(_pretty_message( + ''' + responder_private_key must be an instance ofthe c + asn1crypto.keys.PrivateKeyInfo or + oscrypto.asymmetric.PrivateKey, not %s + ''', + _type_name(responder_private_key) + )) + + cert_is_oscrypto = isinstance(responder_certificate, asymmetric.Certificate) + if not isinstance(responder_certificate, x509.Certificate) and not cert_is_oscrypto: + raise TypeError(_pretty_message( + ''' + responder_certificate must be an instance of + asn1crypto.x509.Certificate or + oscrypto.asymmetric.Certificate, not %s + ''', + _type_name(responder_certificate) + )) + + if cert_is_oscrypto: + responder_certificate = responder_certificate.asn1 + + if self._certificate_status_list is None: + raise ValueError(_pretty_message( + ''' + certificate_status_list must be set if the response_status is + "successful" + ''' + )) + + def _make_extension(name, value): + return { + 'extn_id': name, + 'critical': False, + 'extn_value': value + } + + responses = [] + for serial, status in self._certificate_status_list: + response_data_extensions = [] + single_response_extensions = [] + for name, value in self._response_data_extensions.items(): + response_data_extensions.append(_make_extension(name, value)) + if self._nonce: + response_data_extensions.append( + _make_extension('nonce', self._nonce) + 
) + + if not response_data_extensions: + response_data_extensions = None + + for name, value in self._single_response_extensions.items(): + single_response_extensions.append(_make_extension(name, value)) + + if self._certificate_issuer: + single_response_extensions.append( + _make_extension( + 'certificate_issuer', + [ + x509.GeneralName( + name='directory_name', + value=self._certificate_issuer.subject + ) + ] + ) + ) + + if not single_response_extensions: + single_response_extensions = None + + responder_key_hash = getattr(responder_certificate.public_key, self._key_hash_algo) + + if status == 'good': + cert_status = ocsp.CertStatus( + name='good', + value=core.Null() + ) + elif status == 'unknown': + cert_status = ocsp.CertStatus( + name='unknown', + value=core.Null() + ) + else: + reason = status if status != 'revoked' else 'unspecified' + cert_status = ocsp.CertStatus( + name='revoked', + value={ + 'revocation_time': self._revocation_date, + 'revocation_reason': reason, + } + ) + + issuer = self._certificate_issuer if self._certificate_issuer else responder_certificate + + produced_at = datetime.now(timezone.utc).replace(microsecond=0) + + if self._this_update is None: + self._this_update = produced_at + + if self._next_update is None: + self._next_update = (self._this_update + timedelta(days=7)).replace(microsecond=0) + + response = { + 'cert_id': { + 'hash_algorithm': { + 'algorithm': self._key_hash_algo + }, + 'issuer_name_hash': getattr(issuer.subject, self._key_hash_algo), + 'issuer_key_hash': getattr(issuer.public_key, self._key_hash_algo), + 'serial_number': serial, + }, + 'cert_status': cert_status, + 'this_update': self._this_update, + 'next_update': self._next_update, + 'single_extensions': single_response_extensions + } + responses.append(response) + + response_data = ocsp.ResponseData({ + 'responder_id': ocsp.ResponderId(name='by_key', value=responder_key_hash), + 'produced_at': produced_at, + 'responses': responses, + 'response_extensions': 
response_data_extensions + }) + + signature_algo = responder_private_key.algorithm + if signature_algo == 'ec': + signature_algo = 'ecdsa' + + signature_algorithm_id = '%s_%s' % (self._hash_algo, signature_algo) + + if responder_private_key.algorithm == 'rsa': + sign_func = asymmetric.rsa_pkcs1v15_sign + elif responder_private_key.algorithm == 'dsa': + sign_func = asymmetric.dsa_sign + elif responder_private_key.algorithm == 'ec': + sign_func = asymmetric.ecdsa_sign + + if not is_oscrypto: + responder_private_key = asymmetric.load_private_key(responder_private_key) + signature_bytes = sign_func(responder_private_key, response_data.dump(), self._hash_algo) + + certs = None + if self._certificate_issuer: + certs = [responder_certificate] + + return ocsp.OCSPResponse({ + 'response_status': self._response_status, + 'response_bytes': { + 'response_type': 'basic_ocsp_response', + 'response': { + 'tbs_response_data': response_data, + 'signature_algorithm': {'algorithm': signature_algorithm_id}, + 'signature': signature_bytes, + 'certs': certs + } + } + }) + +# Enums + +class ResponseStatus(enum.Enum): + successful = 'successful' + malformed_request = 'malformed_request' + internal_error = 'internal_error' + try_later = 'try_later' + sign_required = 'sign_required' + unauthorized = 'unauthorized' + + +class CertificateStatus(enum.Enum): + good = 'good' + revoked = 'revoked' + key_compromise = 'key_compromise' + ca_compromise = 'ca_compromise' + affiliation_changed = 'affiliation_changed' + superseded = 'superseded' + cessation_of_operation = 'cessation_of_operation' + certificate_hold = 'certificate_hold' + remove_from_crl = 'remove_from_crl' + privilege_withdrawn = 'privilege_withdrawn' + unknown = 'unknown' + + +# API endpoints +FAULT_REVOKED = "revoked" +FAULT_UNKNOWN = "unknown" + +class OCSPResponder: + + def __init__(self, issuer_cert: str, responder_cert: str, responder_key: str, + fault: str = None, next_update_days: int = 7): + """ + Create a new OCSPResponder 
instance. + + :param issuer_cert: Path to the issuer certificate. + :param responder_cert: Path to the certificate of the OCSP responder + with the `OCSP Signing` extension. + :param responder_key: Path to the private key belonging to the + responder cert. + :param validate_func: A function that - given a certificate serial - + will return the appropriate :class:`CertificateStatus` and - + depending on the status - a revocation datetime. + :param cert_retrieve_func: A function that - given a certificate serial - + will return the corresponding certificate as a string. + :param next_update_days: The ``nextUpdate`` value that will be written + into the response. Default: 7 days. + + """ + # Certs and keys + self._issuer_cert = asymmetric.load_certificate(issuer_cert) + self._responder_cert = asymmetric.load_certificate(responder_cert) + self._responder_key = asymmetric.load_private_key(responder_key) + + # Next update + self._next_update_days = next_update_days + + self._fault = fault + + # Bottle + self._app = Bottle() + + # Initialize routing + self._route() + + def _route(self): + self._app.get('/', callback=self._handle_root) + self._app.get('/status/', callback=self._handle_get) + self._app.post('/status/', callback=self._handle_post) + + def _handle_root(self): + return 'ocsp-responder' + + def _handle_get(self, request_data): + """ + An OCSP GET request contains the DER-in-base64 encoded OCSP request in the + HTTP request URL. + """ + print ("Hello!") + der = base64.b64decode(request_data) + ocsp_request = self._parse_ocsp_request(der) + return self._build_http_response(ocsp_request) + + def _handle_post(self): + """ + An OCSP POST request contains the DER encoded OCSP request in the HTTP + request body. 
+ """ + der = request.body.read() + ocsp_request = self._parse_ocsp_request(der) + return self._build_http_response(ocsp_request) + + def _fail(self, status: ResponseStatus) -> OCSPResponse: + builder = OCSPResponseBuilder(response_status=status.value) + return builder.build() + + def _parse_ocsp_request(self, request_der: bytes) -> OCSPRequest: + """ + Parse the request bytes, return an ``OCSPRequest`` instance. + """ + return OCSPRequest.load(request_der) + + def validate(self): + time = datetime(2018, 1, 1, 1, 00, 00, 00, timezone.utc) + if self._fault == FAULT_REVOKED: + return (CertificateStatus.revoked, time) + elif self._fault == FAULT_UNKNOWN: + return (CertificateStatus.unknown, None) + elif self._fault != None: + raise NotImplemented('Fault type could not be found') + return (CertificateStatus.good, time) + + def _build_ocsp_response(self, ocsp_request: OCSPRequest) -> OCSPResponse: + """ + Create and return an OCSP response from an OCSP request. + """ + # Get the certificate serial + tbs_request = ocsp_request['tbs_request'] + request_list = tbs_request['request_list'] + if len(request_list) < 1: + logger.warning('Received OCSP request with no requests') + raise NotImplemented('Empty requests not supported') + + single_request = request_list[0] # TODO: Support more than one request + req_cert = single_request['req_cert'] + serial = req_cert['serial_number'].native + + # Check certificate status + try: + certificate_status, revocation_date = self.validate() + except Exception as e: + logger.exception('Could not determine certificate status: %s', e) + return self._fail(ResponseStatus.internal_error) + + certificate_status_list = [(serial, certificate_status.value)] + + # Build the response + builder = OCSPResponseBuilder(**{ + 'response_status': ResponseStatus.successful.value, + 'certificate_status_list': certificate_status_list, + 'revocation_date': revocation_date, + }) + + # Parse extensions + for extension in tbs_request['request_extensions']: + 
extn_id = extension['extn_id'].native + critical = extension['critical'].native + value = extension['extn_value'].parsed + + # This variable tracks whether any unknown extensions were encountered + unknown = False + + # Handle nonce extension + if extn_id == 'nonce': + builder.nonce = value.native + + # That's all we know + else: + unknown = True + + # If an unknown critical extension is encountered (which should not + # usually happen, according to RFC 6960 4.1.2), we should throw our + # hands up in despair and run. + if unknown is True and critical is True: + logger.warning('Could not parse unknown critical extension: %r', + dict(extension.native)) + return self._fail(ResponseStatus.internal_error) + + # If it's an unknown non-critical extension, we can safely ignore it. + elif unknown is True: + logger.info('Ignored unknown non-critical extension: %r', dict(extension.native)) + + # Set certificate issuer + builder.certificate_issuer = self._issuer_cert + + # Set next update date + now = datetime.now(timezone.utc) + builder.next_update = (now + timedelta(days=self._next_update_days)).replace(microsecond=0) + + return builder.build(self._responder_key, self._responder_cert) + + def _build_http_response(self, request_der: bytes) -> HTTPResponse: + response_der = self._build_ocsp_response(request_der).dump() + return HTTPResponse( + status=200, + body=response_der, + content_type='application/ocsp-response', + ) + + def serve(self, port=8080, debug=False): + logger.info('Launching %sserver on port %d', 'debug' if debug else '', port) + self._app.run(port=port, debug=debug) diff --git a/.evergreen/ocsp/ocsp_mock.py b/.evergreen/ocsp/ocsp_mock.py new file mode 100755 index 0000000000..73ca69fbf4 --- /dev/null +++ b/.evergreen/ocsp/ocsp_mock.py 
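Review bot: `OCSPResponseBuilder.__init__` hard-codes `self._key_hash_algo = 'sha1'` and `_build_ocsp_response` never reads `req_cert['hash_algorithm']`, so every SingleResponse carries a SHA-1 CertID regardless of what the client sent; a client that builds its CertID with SHA-256 (permitted by RFC 6960, and what OpenSSL produces when given that digest) receives a response whose CertID does not compare equal to its request and will most likely treat the certificate status as absent, failing the driver test for the wrong reason. Copy the requested algorithm through before building, e.g. `builder._key_hash_algo = req_cert['hash_algorithm']['algorithm'].native`, or add a `key_hash_algo` writer next to `nonce`. Separately, `raise NotImplemented(...)` in `validate` and in the empty-`request_list` branch raises a `TypeError` because `NotImplemented` is a constant, not an exception class; that branch and a failed `OCSPRequest.load` should instead `return self._fail(ResponseStatus.malformed_request)` so the client under test sees a well-formed OCSP error rather than an HTTP 500 (and Bottle's debug mode would otherwise echo the traceback in the body). Finally, `_handle_get` declares a `request_data` parameter but is routed at `'/status/'` with no `<request_data:path>` placeholder and still contains the leftover `print ("Hello!")`, so RFC 6960 A.1-style GET requests cannot be served in this version — only POST works — and the path segment would need `urllib.parse.unquote` before `base64.b64decode`.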
@@ -0,0 +1,47 @@ +#! /usr/bin/env python3 +# Taken from https://github.com/mongodb/mongo/blob/master/jstests/ocsp/lib/ocsp_mock.py +""" +Python script to interface as a mock OCSP responder. +""" + +import argparse +import logging +import sys +import os + +sys.path.append(os.path.join(os.getcwd() ,'src', 'third_party', 'mock_ocsp_responder')) + +import mock_ocsp_responder + +def main(): + """Main entry point""" + parser = argparse.ArgumentParser(description="MongoDB Mock OCSP Responder.") + + parser.add_argument('-p', '--port', type=int, default=8080, help="Port to listen on") + + parser.add_argument('--ca_file', type=str, required=True, help="CA file for OCSP responder") + + parser.add_argument('-v', '--verbose', action='count', help="Enable verbose tracing") + + parser.add_argument('--ocsp_responder_cert', type=str, required=True, help="OCSP Responder Certificate") + + parser.add_argument('--ocsp_responder_key', type=str, required=True, help="OCSP Responder Keyfile") + + parser.add_argument('--fault', choices=[mock_ocsp_responder.FAULT_REVOKED, mock_ocsp_responder.FAULT_UNKNOWN], type=str, help="Specify a specific fault to test") + + args = parser.parse_args() + if args.verbose: + logging.basicConfig(level=logging.DEBUG) + + print('Initializing OCSP Responder') + app = mock_ocsp_responder.OCSPResponder(args.ca_file, args.ocsp_responder_cert, args.ocsp_responder_key, args.fault) + + if args.verbose: + app.serve(args.port, debug=True) + else: + app.serve(args.port) + + print('Mock OCSP Responder is running on port %s' % (str(args.port))) + +if __name__ == '__main__': + main() diff --git a/.evergreen/ocsp/rsa/ca.crt b/.evergreen/ocsp/rsa/ca.crt new file mode 100644 index 0000000000..ee6dc5a65f --- /dev/null +++ b/.evergreen/ocsp/rsa/ca.crt 
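Review bot: `sys.path.append(os.path.join(os.getcwd(), 'src', 'third_party', 'mock_ocsp_responder'))` is carried over from the mongo repository layout and points at a directory that does not exist in this tree — `mock_ocsp_responder.py` sits next to this script, so the import only succeeds because Python puts the script's own directory on `sys.path`, and the cwd-relative append merely makes module resolution depend on whatever directory the harness runs from. Replace it with `sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))` or drop it. Also `print('Mock OCSP Responder is running on port %s' % (str(args.port)))` comes after `app.serve(...)`, which blocks inside Bottle's `run`, so that line is unreachable; move it before the `serve` call if any harness is expected to wait on that output.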
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDeTCCAmGgAwIBAgIEZLtwgzANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV +UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO +BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs +IFRlc3QgQ0EwHhcNMjAwMjA2MjAxMzExWhcNNDAwMjA4MjAxMzExWjB0MQswCQYD +VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp +dHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwO +S2VybmVsIFRlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0 +D1mnIrh7RRrCUEocNYLMZ2azo6c6NUTqSAMQyDDvRUsezil2NCqKo0ptMRtmb8Ws +yuaRUkjFhh9M69kiuj89GKRALXxExHjWX7e8iS1NTGL+Uakc1J23Z5FvlUyVLucC +fcAZ6MvcC7n6qpzUxkqz1u/27Ze9nv2mleLYBVWbGpjSHAUDuZzMCBs5Q/QrUwL7 +4cIxNsS0iHpYI3aee67cmFoK4guN9LBOtviyXUTP22kJLXe41HDjdWh01+FxcuwH +rGmeGQwiSlw48wkdoC0M51SwpHEq+K91BqGsTboC5mshqKA88OPf5JK9ied/OsNX ++K6p5v3RVHn89VaWiTorAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAAd1jj1GECUEJMH00IX3VFgb2RpJ4Qi8TKAZgMMHdE7Cyv4M +p4w/zvQC1F6i54n+TWucq3I+c33lEj63ybFdJO5HOWoGzC/f5qO7z0gYdP2Ltdxg +My2uVZNQS+B8hF9MhGUeFnOpzAbKW2If3KN1fn/m2NDYGEK/Z2t7ZkpOcpEW5Lib +vX+BBG/s4DeyhRXy+grs0ASU/z8VOhZYSJpgdbvXsY4RXXloTDcWIlNqra5K6+3T +nVEkBDm0Qw97Y6FsqBVxk4kgWC6xNxQ4Sp+Sg4wthMQ70iFGlMin0kYRo7kAIUF9 +M+v2vMwTFWkcl0BT5LobE39kWVbQKEVPH7nkItE= +-----END CERTIFICATE----- diff --git a/.evergreen/ocsp/rsa/ca.key b/.evergreen/ocsp/rsa/ca.key new file mode 100644 index 0000000000..9d10cb2db9 --- /dev/null +++ b/.evergreen/ocsp/rsa/ca.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC0D1mnIrh7RRrC +UEocNYLMZ2azo6c6NUTqSAMQyDDvRUsezil2NCqKo0ptMRtmb8WsyuaRUkjFhh9M +69kiuj89GKRALXxExHjWX7e8iS1NTGL+Uakc1J23Z5FvlUyVLucCfcAZ6MvcC7n6 +qpzUxkqz1u/27Ze9nv2mleLYBVWbGpjSHAUDuZzMCBs5Q/QrUwL74cIxNsS0iHpY +I3aee67cmFoK4guN9LBOtviyXUTP22kJLXe41HDjdWh01+FxcuwHrGmeGQwiSlw4 +8wkdoC0M51SwpHEq+K91BqGsTboC5mshqKA88OPf5JK9ied/OsNX+K6p5v3RVHn8 +9VaWiTorAgMBAAECggEBAJ7umazMGdg80/TGF9Q0a2JutplDj5zyXgUJUSNkAMWB +/V+Qi8pZG1/J6CzfVpche3McmU2WOsOWslQcLUnY6W7NLFW1kGXGof5e+HgDASik +jxB6FfJrvVagpR+/wZxAjQmG46Q69o4hD6SxKcMpz9BTnPXxG6n1B2EeFd+lPb2r +zf/C4uXBczWn5rFXkj0DZGq81ZXewcnUNnxjQnccVCuYW+hqYxznSxqWTCD6hsvg +sGceqv0Ppp6TqMSECCIIJ+kVlbiAC2i6mnoertheFVrNUdwDb8nRn6fs8T+F0ShW +PdxIfSvAaBKqvseJqqueVpuwVcdSl+moJYlCdMb4cUECgYEA30AIHvMQq/s33ipV +62xOKXcEZ7tKaJrAbJvG4cx934wNiQ0tLwRNlonGbuTjsUaPRvagVeJND/UPIsfH +ZwoY1Uw25fZNaveoQtU8LQBAG53R5yaMiUH48JWVvKRdfG09zr6EFCM/k2loHS1W +/CiDlaIl59B8REnihyn0wvkiaIsCgYEAznlZRhlruk+n2sWklierav4M8GEK22+/ +A/UP1eUnlcHgSaFZoM0sukSrisZnj6zu/BAfFEVN5czra3ARrLClLQteFREr2BMF +9XymrjNG99QkBAall7BGpfkDW/D2DFZa4G5R6AMG+pYZHCU84U4QT5ZKyfdhTUbQ +uTYx2F31COECgYAIUm+7D56AerXjbzqSsw/a1dfxMfcdHR+tLMVmJ2RNz/+1KyuT +BBsMUIh4G8otEo9GuuzRJsVuodj1l/Lj8WlpkhS9z8elBCRekWpT1x2Mqf5oGnTE +rRPli/3v8USW3c+fBFUSFxpImXZLGCSU88Gr80ZsdMYdGY/7L+Iy3myc7wKBgQC1 +uHeqCpWV1KWXFnxU63UjJZWdussjdqZXhUf6qUS9uXT9WNTZgbrr9aRE73oWKc3s +awPvg0+cAU7xsCDeLFoz2t1jDUnZUmTcOmk4yEidtkg8gt0bNDn5ucALG3hyQ06Y +WIAeAwwRYCmZa+y5H0ubwFryhpdMvBbX66rTE16mAQKBgC5PJd9zLEzyLj/jUfZ0 +xOwXubu9GejOuCiVwKMTn73nvdi57zFBOrDxSl9yVCRhve61L5fcJixRDiwx8qtd +VGclRMxbVPKVfKpAyKjpsmZXk3IPHjXjJb3fYLXAnzRHk6v+yjVn4fy2Z93pW/cF +wBgQNqXLNTGrBzrFi469oc1s +-----END PRIVATE KEY----- diff --git a/.evergreen/ocsp/rsa/ca.pem b/.evergreen/ocsp/rsa/ca.pem new file mode 100644 index 0000000000..afa468f04b --- /dev/null +++ b/.evergreen/ocsp/rsa/ca.pem 
@@ -0,0 +1,49 @@ +-----BEGIN CERTIFICATE----- +MIIDeTCCAmGgAwIBAgIEZLtwgzANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV +UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO +BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs +IFRlc3QgQ0EwHhcNMjAwMjA2MjAxMzExWhcNNDAwMjA4MjAxMzExWjB0MQswCQYD +VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp +dHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwO +S2VybmVsIFRlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0 +D1mnIrh7RRrCUEocNYLMZ2azo6c6NUTqSAMQyDDvRUsezil2NCqKo0ptMRtmb8Ws +yuaRUkjFhh9M69kiuj89GKRALXxExHjWX7e8iS1NTGL+Uakc1J23Z5FvlUyVLucC +fcAZ6MvcC7n6qpzUxkqz1u/27Ze9nv2mleLYBVWbGpjSHAUDuZzMCBs5Q/QrUwL7 +4cIxNsS0iHpYI3aee67cmFoK4guN9LBOtviyXUTP22kJLXe41HDjdWh01+FxcuwH +rGmeGQwiSlw48wkdoC0M51SwpHEq+K91BqGsTboC5mshqKA88OPf5JK9ied/OsNX ++K6p5v3RVHn89VaWiTorAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAAd1jj1GECUEJMH00IX3VFgb2RpJ4Qi8TKAZgMMHdE7Cyv4M +p4w/zvQC1F6i54n+TWucq3I+c33lEj63ybFdJO5HOWoGzC/f5qO7z0gYdP2Ltdxg +My2uVZNQS+B8hF9MhGUeFnOpzAbKW2If3KN1fn/m2NDYGEK/Z2t7ZkpOcpEW5Lib +vX+BBG/s4DeyhRXy+grs0ASU/z8VOhZYSJpgdbvXsY4RXXloTDcWIlNqra5K6+3T +nVEkBDm0Qw97Y6FsqBVxk4kgWC6xNxQ4Sp+Sg4wthMQ70iFGlMin0kYRo7kAIUF9 +M+v2vMwTFWkcl0BT5LobE39kWVbQKEVPH7nkItE= +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC0D1mnIrh7RRrC +UEocNYLMZ2azo6c6NUTqSAMQyDDvRUsezil2NCqKo0ptMRtmb8WsyuaRUkjFhh9M +69kiuj89GKRALXxExHjWX7e8iS1NTGL+Uakc1J23Z5FvlUyVLucCfcAZ6MvcC7n6 +qpzUxkqz1u/27Ze9nv2mleLYBVWbGpjSHAUDuZzMCBs5Q/QrUwL74cIxNsS0iHpY +I3aee67cmFoK4guN9LBOtviyXUTP22kJLXe41HDjdWh01+FxcuwHrGmeGQwiSlw4 +8wkdoC0M51SwpHEq+K91BqGsTboC5mshqKA88OPf5JK9ied/OsNX+K6p5v3RVHn8 +9VaWiTorAgMBAAECggEBAJ7umazMGdg80/TGF9Q0a2JutplDj5zyXgUJUSNkAMWB +/V+Qi8pZG1/J6CzfVpche3McmU2WOsOWslQcLUnY6W7NLFW1kGXGof5e+HgDASik +jxB6FfJrvVagpR+/wZxAjQmG46Q69o4hD6SxKcMpz9BTnPXxG6n1B2EeFd+lPb2r +zf/C4uXBczWn5rFXkj0DZGq81ZXewcnUNnxjQnccVCuYW+hqYxznSxqWTCD6hsvg 
+sGceqv0Ppp6TqMSECCIIJ+kVlbiAC2i6mnoertheFVrNUdwDb8nRn6fs8T+F0ShW +PdxIfSvAaBKqvseJqqueVpuwVcdSl+moJYlCdMb4cUECgYEA30AIHvMQq/s33ipV +62xOKXcEZ7tKaJrAbJvG4cx934wNiQ0tLwRNlonGbuTjsUaPRvagVeJND/UPIsfH +ZwoY1Uw25fZNaveoQtU8LQBAG53R5yaMiUH48JWVvKRdfG09zr6EFCM/k2loHS1W +/CiDlaIl59B8REnihyn0wvkiaIsCgYEAznlZRhlruk+n2sWklierav4M8GEK22+/ +A/UP1eUnlcHgSaFZoM0sukSrisZnj6zu/BAfFEVN5czra3ARrLClLQteFREr2BMF +9XymrjNG99QkBAall7BGpfkDW/D2DFZa4G5R6AMG+pYZHCU84U4QT5ZKyfdhTUbQ +uTYx2F31COECgYAIUm+7D56AerXjbzqSsw/a1dfxMfcdHR+tLMVmJ2RNz/+1KyuT +BBsMUIh4G8otEo9GuuzRJsVuodj1l/Lj8WlpkhS9z8elBCRekWpT1x2Mqf5oGnTE +rRPli/3v8USW3c+fBFUSFxpImXZLGCSU88Gr80ZsdMYdGY/7L+Iy3myc7wKBgQC1 +uHeqCpWV1KWXFnxU63UjJZWdussjdqZXhUf6qUS9uXT9WNTZgbrr9aRE73oWKc3s +awPvg0+cAU7xsCDeLFoz2t1jDUnZUmTcOmk4yEidtkg8gt0bNDn5ucALG3hyQ06Y +WIAeAwwRYCmZa+y5H0ubwFryhpdMvBbX66rTE16mAQKBgC5PJd9zLEzyLj/jUfZ0 +xOwXubu9GejOuCiVwKMTn73nvdi57zFBOrDxSl9yVCRhve61L5fcJixRDiwx8qtd +VGclRMxbVPKVfKpAyKjpsmZXk3IPHjXjJb3fYLXAnzRHk6v+yjVn4fy2Z93pW/cF +wBgQNqXLNTGrBzrFi469oc1s +-----END PRIVATE KEY----- diff --git a/.evergreen/ocsp/rsa/mock-delegate-revoked.sh b/.evergreen/ocsp/rsa/mock-delegate-revoked.sh new file mode 100755 index 0000000000..adf026ce1b --- /dev/null +++ b/.evergreen/ocsp/rsa/mock-delegate-revoked.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env sh +python3 ../ocsp_mock.py \ + --ca_file ca.pem \ + --ocsp_responder_cert ocsp_responder.crt \ + --ocsp_responder_key ocsp_responder.key \ + -p 8100 \ + -v \ + --fault revoked diff --git a/.evergreen/ocsp/rsa/mock-delegate-valid.sh b/.evergreen/ocsp/rsa/mock-delegate-valid.sh new file mode 100755 index 0000000000..5074a7ecab --- /dev/null +++ b/.evergreen/ocsp/rsa/mock-delegate-valid.sh @@ -0,0 +1,7 @@ +#!/usr/bin/env sh +python3 ../ocsp_mock.py \ + --ca_file ca.pem \ + --ocsp_responder_cert ocsp-responder.crt \ + --ocsp_responder_key ocsp-responder.key \ + -p 8100 \ + -v 
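Review bot: `mock-delegate-revoked.sh` passes `--ocsp_responder_cert ocsp_responder.crt` and `--ocsp_responder_key ocsp_responder.key` (underscores), but the files this patch adds are `ocsp-responder.crt` / `ocsp-responder.key` (hyphens), which is what the sibling `mock-delegate-valid.sh` uses; as written `asymmetric.load_certificate` in the responder fails on a missing file and the delegate-revoked scenario never starts. Change the two lines to `--ocsp_responder_cert ocsp-responder.crt \` and `--ocsp_responder_key ocsp-responder.key \`. A short header comment stating that this variant signs with a delegated responder certificate (not the CA key) would also make the four mock-*.sh scripts easier to tell apart.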
diff --git a/.evergreen/ocsp/rsa/mock-revoked.sh b/.evergreen/ocsp/rsa/mock-revoked.sh
new file mode 100755
index 0000000000..4a17926b92
--- /dev/null
+++ b/.evergreen/ocsp/rsa/mock-revoked.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env sh
+python3 ../ocsp_mock.py \
+ --ca_file ca.pem \
+ --ocsp_responder_cert ca.crt \
+ --ocsp_responder_key ca.key \
+ -p 8100 \
+ -v \
+ --fault revoked
diff --git a/.evergreen/ocsp/rsa/mock-valid.sh b/.evergreen/ocsp/rsa/mock-valid.sh
new file mode 100755
index 0000000000..c89ce9e954
--- /dev/null
+++ b/.evergreen/ocsp/rsa/mock-valid.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env sh
+python3 ../ocsp_mock.py \
+ --ca_file ca.pem \
+ --ocsp_responder_cert ca.crt \
+ --ocsp_responder_key ca.key \
+ -p 8100 \
+ -v
diff --git a/.evergreen/ocsp/rsa/ocsp-responder.crt b/.evergreen/ocsp/rsa/ocsp-responder.crt
new file mode 100644
index 0000000000..58caba3580
--- /dev/null
+++ b/.evergreen/ocsp/rsa/ocsp-responder.crt
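Review bot: `mock-revoked.sh` starts the responder as a child of `sh` without `exec`, so a harness that backgrounds this script and later kills the PID it recorded terminates only the wrapper shell, leaving `python3 ../ocsp_mock.py` bound to port 8100 and still answering "revoked" when the next scenario tries to start its own responder on that port; whether the caller (`run-ocsp-test.sh` in the diffstat, outside this hunk) kills by PID is inferred. Prefix the command with `exec`, i.e. `exec python3 ../ocsp_mock.py \`, so signals reach the responder process itself, and apply the same to the three sibling mock-*.sh scripts. It would also help to add a comment that this variant signs responses directly with the CA key (`ca.crt` / `ca.key`), which RFC 6960 allows, as opposed to the delegate-* variants that use the OCSP-signing responder certificate.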
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgzCCAmugAwIBAgIEA0v5yzANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV +UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO +BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs +IFRlc3QgQ0EwHhcNMjAwMjA2MjMyMjU4WhcNNDAwMjA4MjMyMjU4WjBiMRAwDgYD +VQQKDAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxEjAQBgNVBAMMCWxvY2FsaG9z +dDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMQ8wDQYDVQQHDAZPQ1NQLTMwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiHYXGCSOK3gxlEmNSLepoFJbv +hfYxxaqAWEceiTQdRpN97YRr/ywPm0+932EsE6/gIjqVs8IOtsiFKK1lQ9sL/9f+ +ckS5gj9AR+Cta+FLDRP5plE+aao5no0kA8qMx2HHd47XFnuxKtUztRmgmTBNYbYh +PdY1kjBSRyuXXBn1V6TRaYhk6dsK56Zvhgo6Y3YqpjpldePa4E0XpUlBhY020QXt +K3iWFauEYKcKR2JI2oVjY0tR60zf3GHkMLCe7SdbofCdwkBHcCctLSp4xYb44JGb +JX1npM1mhxR4pnp80tbEXNvXQ4S3kmd7/QFUYE4IdXVkXNhkK6PtIdDKbLa9AgMB +AAGjLzAtMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMBMGA1UdJQQMMAoGCCsGAQUF +BwMJMA0GCSqGSIb3DQEBCwUAA4IBAQB5igUUQSzxzWvL+28TDYFuNnTB0hvqTnd7 +ZVyk8RVBiUkudxEmt5uFRWT6GOc7Y1H6w4igtuhhqxAeG9bUob+VQkCyc4GxaHSO +oBtl/Zu+ts+0gUUlm+Bs6wFnFsGhM0awV/vqigDADZT2jbqbHBm2lP99eq8fsi6L +kpohhbuTVWjLuViARYIOJLoBnNRpVXqwD5A8uNqwZI2OVGh1cQYNZcmfLJ1u2j5C +ycohoa+o8NGgkxEhG2QETdVodfHT2dUgzPDvO42CVa3MK7J0sovBU5DeuIDPV/hh +j+v5A8L8gMiNpkLClqt2TEiFH2GItWDNQjTgrLq9iFUgJnbwuj4F +-----END CERTIFICATE----- diff --git a/.evergreen/ocsp/rsa/ocsp-responder.key b/.evergreen/ocsp/rsa/ocsp-responder.key new file mode 100644 index 0000000000..ab3001e7f2 --- /dev/null +++ b/.evergreen/ocsp/rsa/ocsp-responder.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDiHYXGCSOK3gxl +EmNSLepoFJbvhfYxxaqAWEceiTQdRpN97YRr/ywPm0+932EsE6/gIjqVs8IOtsiF +KK1lQ9sL/9f+ckS5gj9AR+Cta+FLDRP5plE+aao5no0kA8qMx2HHd47XFnuxKtUz +tRmgmTBNYbYhPdY1kjBSRyuXXBn1V6TRaYhk6dsK56Zvhgo6Y3YqpjpldePa4E0X +pUlBhY020QXtK3iWFauEYKcKR2JI2oVjY0tR60zf3GHkMLCe7SdbofCdwkBHcCct +LSp4xYb44JGbJX1npM1mhxR4pnp80tbEXNvXQ4S3kmd7/QFUYE4IdXVkXNhkK6Pt +IdDKbLa9AgMBAAECggEBAMMYOe4OwI323LbwUKX9W/0Flt1/tlZneJ9Yi7R7KW4B +EQ1cPB96gafNl9X5wLvpGJzIq8ey28MaTpUl7cYr7/nAe7rdGRL+oFh0LBU1uaOp +2wxSRlMVlHw2owzqAH/LIECclbBbg8nvbRk6Lqx0wEpj/mNcGVELm4nCQohMPVGC +9/8GZ63r+tS35jry9SBG0X4R5jYKsNzgNgcjR+lgMv/2FfpuZDryk9TWIP9ApQoc +7/DpTfC6P34f/ermfo4f2GEmRJsTACphA0kkpQX/n88r35cUSGeO5M9jYICUeCFw +IK4L6KNQcTRVOknFYeVJembVrj0RYKtWT+oU84a4XPkCgYEA+k7fcXhU2K+NX8RN +7HUPbxBE/TfLTNHdLTuWCUI77j+J3LUPNQ4BUyue+pUaFxI7Huc6x1zvvD27EqJ8 +0ge5MkFNflTUdUotuU/FKg7GKOU7rfdEvthzU2MbAZrHc0SeF+9/YrpvWZ+ZMKQ5 +IBQhiloFLsVGpGFzzF/MjpFdYo8CgYEA50HQxDDmfzmvNnURRZZV0lQ203m9I4KF +DbL2x59q0DaJkUpFr3uyvghAoz4y/OD5vNIwbzHWbmDQEA06v7iFoJ6BcJFG1syc +7A7KTB3PNQK4+ASG6pC3tYJ78mWtJwK130hFpuVkS/VPhQZJ/21EcWj9V153SZpA +RUqv/L+lx/MCgYEAs7E7p3IDNyuQClgauM2wrsK3RDFxuUxPw9Eq/KqX64mhptg0 +epn7SYHfN3Uirb1gw+arw8NsN275hX8wrHbu9Kz8vNyZSTpfaNFjcbX5fBJUrab9 +qyQoZoyXLqe214FDHVvJz06X8Xcpukmq2OSaz3+giNsGw6tSPj3n09F3gPECgYBI +1NGK+FufdetYm0X1RIOC2kLqF00aAeElj1dpRyu8p3Br8ZhAzBRfBPpWbyBfw/rj +HM9kNa3y1Uqxw3jdKJ/tFf5uFVLaE1bYgU/06O55I4Jdmg9jkHBLGe0vShZeUtw0 +le5ZwaT0xy1kF7b2WtNTZF1lRrsK0ymqqPsD/teXQQKBgBTyYVxPEHKr86kEQqL5 +/OKByVpqAxA7LQ1lTLNV9lXMRawp848flv/Uc8pj43MitAIiYazfXkpeeC6gGntJ +kkRT9jraOzy51tVAIh2KXm3l6KY/gnYTO3UXrxZOZU4IA7OttP3BG7xKq/9HP+kV +5P1bAkqo+n3XNxKoSSeJteCd +-----END PRIVATE KEY----- diff --git a/.evergreen/ocsp/rsa/responder.logs b/.evergreen/ocsp/rsa/responder.logs new file mode 100644 index 0000000000..4bbc88fa9c --- /dev/null +++ b/.evergreen/ocsp/rsa/responder.logs 
@@ -0,0 +1 @@ +INFO:mock_ocsp_responder:Launching debugserver on port 8100 diff --git a/.evergreen/ocsp/rsa/server-mustStaple.pem b/.evergreen/ocsp/rsa/server-mustStaple.pem new file mode 100644 index 0000000000..b0b30ed195 --- /dev/null +++ b/.evergreen/ocsp/rsa/server-mustStaple.pem 
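Review bot: `responder.logs` looks like a stray run artifact rather than a fixture: it holds a single startup line from the mock responder, and nothing visible in this change reads it (the test runner writes its own `responder.log` into the build directory). It should be dropped from the commit and, if the mock scripts are expected to be run by hand from this directory, the name added to `.gitignore` so it is not re-added later.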
@@ -0,0 +1,53 @@ +-----BEGIN CERTIFICATE----- +MIIESDCCAzCgAwIBAgIET+rEjTANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV +UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO +BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs +IFRlc3QgQ0EwHhcNMjAwMjA2MjAxMzExWhcNNDAwMjA4MjAxMzExWjBiMRAwDgYD +VQQKDAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxEjAQBgNVBAMMCWxvY2FsaG9z +dDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMQ8wDQYDVQQHDAZPQ1NQLTEwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYXCFeRfhcbEDMXNb5D5MIO4Vz +ejQFyGwWuWpIlYGTh1cZp/RrBASBg0hdy0TkhqrWaLvTUq+SaCGrP8Yg0nYXUXIw +Me34QhcaTMLndMpAgCXjjC+KDNLX4210QE2RjKbf+13d/duf8yQIRxYrbumA2q6+ +qZf8gsSteDYf/JeWQ6IWJ7ttWyT9XpcnWLucfviSkDwQuhaghYHDeaWafXgIViVX +fGtl7ivv+qx1JUfRyAADl/vcd/+Z+ZojpOUN7Li38I2O8qKTQ8JuMV80dgBOwH9g +f0Ku9R9HXFqbypDdvE22WTKk6cvksR/tK/QTdOCRZWpmKRcnhDkYXc7fr97vAgMB +AAGjgfMwgfAwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYB +BQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQ7I+iGMVTuZpVlzy9dyvGNZ8akOzBp +BggrBgEFBQcBAQRdMFswLgYIKwYBBQUHMAGGImh0dHA6Ly9sb2NhbGhvc3Q6OTAw +MS9wb3dlci9sZXZlbC8wKQYIKwYBBQUHMAGGHWh0dHA6Ly9sb2NhbGhvc3Q6ODEw +MC9zdGF0dXMvMBEGCCsGAQUFBwEYBAUwAwIBBTAaBgNVHREEEzARgglsb2NhbGhv +c3SHBH8AAAEwDQYJKoZIhvcNAQELBQADggEBAJ6z1nkMhirDDFlDrkJPX23kAh1k +qMTbFu2wnnrARzw6JEFz2Tvhx0+ISBjEdsPK7BhAQ/wpGIFriTIatXILqWhUAsZN +7vwg2h+xH41rpbDVXIcGQ8jAx1GSZznxoeqH7arqbBWrV2AzhQofr/rSUtkqlZNT +HmPIOvMjpVPqDGaC9nnw0gC5Ow8ZqgAqD/TV6Uym14c/vtxUGgOUCo4JVDsa+x4u +uN1t2iPHIcfo37BZwa9J8Bw3mJGkxnJonm1OurReQjaNoT3Zgag9B7q0cKFd4YHX +a2vmmFszs2LhJI2khB+OB4tp9g581M/VUl6mAyaahHlEzTlA5HiHFNADOug= +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDYXCFeRfhcbEDM +XNb5D5MIO4VzejQFyGwWuWpIlYGTh1cZp/RrBASBg0hdy0TkhqrWaLvTUq+SaCGr +P8Yg0nYXUXIwMe34QhcaTMLndMpAgCXjjC+KDNLX4210QE2RjKbf+13d/duf8yQI +RxYrbumA2q6+qZf8gsSteDYf/JeWQ6IWJ7ttWyT9XpcnWLucfviSkDwQuhaghYHD +eaWafXgIViVXfGtl7ivv+qx1JUfRyAADl/vcd/+Z+ZojpOUN7Li38I2O8qKTQ8Ju 
+MV80dgBOwH9gf0Ku9R9HXFqbypDdvE22WTKk6cvksR/tK/QTdOCRZWpmKRcnhDkY +Xc7fr97vAgMBAAECggEBAMntKmNe8E3p5owU9bmbVIFxc7pzygu/o0mOIOi/SCDV +RnA2dYJPTJlHWonXRWP3X4geVXYEDMKalxnJunM1mWtn4yeh4dQ6cm9kRt9X+885 +CqOVWWUBVOKSarv9q6d02uXeJxwhahGdDfr/xWwh5qIQ9tgRVj0gGsk/kVxHFX7x +xYp+vTnTvPLBejX3MwbWdTZFW98yVjBu0VAqWXDtSha+x4Kj1PLR/T+AJPGM3qGP +Awa9Sw70zjM8efLvEjn9NyZSYJQWkbn6Q9mAJdudk2esSRyVQ3urSMmRv7U3rrUd +tJqJ8IEjvMaw4n5glQl6OFxMxLNyrfDxsG/FVWnUILkCgYEA/71uRqIZYYUHXk3L +n5vQcwXKlSnRrDrxCIjHyDEhvC9B8zye0Eff9fOSuJAmEfHNn2gIYBdJHv8K0EaG +rvtJZD+5M84olPRF6JUGaA6ObSkKXI2vHlVALYD3RL6ZD4GQdTZbbFqnyMFLYR5M ++DbSk/2gdGyJpS5dbIAWyB7yWVsCgYEA2JRy7M7V5w1inWgIdzkqdaRvFsNKC/zZ +QvyPS42q9Ysmxx/WIv900NB9v5hUXJV5qDmfC4pR+bi78pxvzyH0aLDydZaWVtRt +OJPUDMZnjTt37eh0Ra3VlrFi10NdoMwkPOGvRNKgJGs1MJMVD8i7ODz55/lZZH1N +jNuN9bNtsP0CgYEAtbj8qFI9KM+nebpcC9FjYKhn2HB73h+P8NmI5NcMurT17wpP +a373RMTMqDs94hhpXXFGKknBmrXuECtdPu+uqf6h8o72xUmCd4+VmtFlIWo9Q6Em +I66+SNdQXVf2WU9ev/tdIXSVrxCzKJKobOQ/5AsgPjp14Js+pX+rMI7U9OsCgYEA +gXs2vibmMQ2KkIqazRRrMwwMsjIs+b+/8FFoJgZbWBNKKq/46NGK+DA9jac3gGaI +5i8Uy+R1H/P2wZQPMGmfYluviOdvmBfF+JZApyaS0BfmmmBn6ySDVmVUr1eCCVki +rRdMHrxBq6RAl3rHk7kxXOzvh2VGsVJMY9L7KxKLmM0CgYAFSEhITI+rHCLe990S +yZPKAw2aSvXROUohF4/cqye7VWKd+7YSHMtJclDMzyzfNiGJqgjwd4y2Yeoe1hIs +TNrJNc4MlQGN8oS9PySKMoE590t/45nNKCofhNQPQA/f+GRgJsbqm6vOPy4H3tH6 +itVldKJhfmeeoK1o4sAvOJ/DTg== +-----END PRIVATE KEY----- diff --git a/.evergreen/ocsp/rsa/server.pem b/.evergreen/ocsp/rsa/server.pem new file mode 100644 index 0000000000..d9f683d4e8 --- /dev/null +++ b/.evergreen/ocsp/rsa/server.pem 
@@ -0,0 +1,53 @@ +-----BEGIN CERTIFICATE----- +MIIENTCCAx2gAwIBAgIEDJoLezANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV +UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO +BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs +IFRlc3QgQ0EwHhcNMjAwMjA2MjAxMzExWhcNNDAwMjA4MjAxMzExWjBiMRAwDgYD +VQQKDAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxEjAQBgNVBAMMCWxvY2FsaG9z +dDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMQ8wDQYDVQQHDAZPQ1NQLTEwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7aHDTTzKZufCVBLd5y1N19xY3 +We0UBO6QfrQEdE4qZjvUEw5rwNzVTZAhLHqpabDeF4gLuqF441makrTyoIb4EQ8m +U8ISHHkvRbsqgspyp52VejCp+UH5cPOkBxST3RpuORkw2vExYS4xAfLGaVgz7E2M +9kHp/69tdAdwNES3QM+NTT8gJEdwlhVpOG/7DDVg1eZxLWp3/SHJIdoNatYBRWed +uyvE6wTQWQw34R9YsvR7IpaTE7ITMaESzWg+mBhdsJ3htiEipwGFVSHIUED32Qii +Q0Gmyx4OlziUe9B8X/gemhqsj9+n/0hOyIw5eZJrKVYxYGEPhQ4qVU1Kb0dnAgMB +AAGjgeAwgd0wCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYB +BQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRiDp+8NUtZnE7usGMb5mr1vNfD9DBp +BggrBgEFBQcBAQRdMFswLgYIKwYBBQUHMAGGImh0dHA6Ly9sb2NhbGhvc3Q6OTAw +MS9wb3dlci9sZXZlbC8wKQYIKwYBBQUHMAGGHWh0dHA6Ly9sb2NhbGhvc3Q6ODEw +MC9zdGF0dXMvMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0B +AQsFAAOCAQEAA+7UgwzzBAXizXuP9DGyho4Hw6/Ob2UPUTbcR2oubLLU0uBQMwF+ +9YdX1TTw0hMrcQvN1pKIhG9gNcjfKItsAF9BmRH6UB6xr+riHfBaWpu+1VTiiZGT +Db5/dnrRzx2k881dZnoPKjFZzdKXsN4KekA0jHSe8POHMjgtgihZOkUKLWPWnYfW +oPzps7powaLzCwmjXlxkLE39eck63umTv/0P7ce5Wjy5KDuRGlUJGsAXJBElN8c8 +nE4ic8RZFve/U42MF4KxRtDYQFrjf0uD/w0T6LhEFIkesCB+QJiHoDsJ0PWGPTpm +IK35mFvpSOJO/C8i4nUIIn77T9lRVJ85WQ== +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7aHDTTzKZufCV +BLd5y1N19xY3We0UBO6QfrQEdE4qZjvUEw5rwNzVTZAhLHqpabDeF4gLuqF441ma +krTyoIb4EQ8mU8ISHHkvRbsqgspyp52VejCp+UH5cPOkBxST3RpuORkw2vExYS4x +AfLGaVgz7E2M9kHp/69tdAdwNES3QM+NTT8gJEdwlhVpOG/7DDVg1eZxLWp3/SHJ +IdoNatYBRWeduyvE6wTQWQw34R9YsvR7IpaTE7ITMaESzWg+mBhdsJ3htiEipwGF +VSHIUED32QiiQ0Gmyx4OlziUe9B8X/gemhqsj9+n/0hOyIw5eZJrKVYxYGEPhQ4q 
+VU1Kb0dnAgMBAAECggEAPA9FkULhWYjQhEFlt3+k+Lo+AXEtXGwUNHSWppLLdiUb +aWTOC1RcsXNRDICfsulvSE3MSM3/76kUz0fS+6rcdmWpMERJftpnL/IuAHq3/LSg ++QWW0PJT5WgAfQHT42tJjCd6XkDcaVHWptgUAOhD3ygM1m8ZQq+xfedgduIZX4y2 +Tlyan51jYx8KZI8tc8RhfxRx17SWhfjZqccXy7mOWTLy0JV1+efZ+SIjvTm3jAmt +YFpB4l1zccMKuXPdpkm6VLkNzlhtAXVxrpYwCBhv0KI/cUihuzV7kIZzMv+3utIh +G0IZaDwM88C1TyVp0ZBRenBYQzHNnsOW+l7Thl8DCQKBgQDeh3krXbEnzoLUI8yh +BJL4RkHNO+vpi6143xrxWGQvszeE3rClZeh5oCIhqwlg1zrnPsz3zCnbZL3aXL+1 +1Zv839picTHSl3NqQzhDEknNnJxzqvhfBTNYBJax5Ujbes+WNQmQeKO7OhNnXvV8 +ZgniUbhhmeSVpm8ikFpMgl0ewwKBgQDXmJ5TNiIB7EZnok31RczG7a0JnecxyXih +b1BTs7rMWVNAbCFGQQDc9naBoyR/2LBVkDKJxKqnjqVao8mfICopPCWlxOinAtD4 +V1W/TBZSSZlJ2j7wrLG2x1d4wmW22WRCmENjpVIipvgElBVO2qmbtekBhHTGr8Db +uFUzcpvyjQKBgHv/05ZFrBz5Z0+c7z7eVKNCSxJ5DHlkWvLap6HK1nD6FbrVeGuC +AOwdPkeyjhRHesw243JFcyGM3noaar2BXV2ow4FNgCzQNgEFmglN3JBVb5zIrYQN +WtH2JJ7WnCWpJpmVzlGR1/LRZtSYRoTeOy3AydShM43sY0tIUvkFP6yPAoGBAJ+l +Kq/xaNNFs4iv/cw+qHkxrC1v2K/cQVBBThj9ALiq+GO+7hDIt6vncS9jr/ZfbYue +YF313GyAy17H49fKCI5KNJKAscph4n3SpfMmk2zRhQnT60Fqj5oKGHKaeJkidwR9 +HYGe/KgePY+eW/ztHCTqWiS+gX5SzJum7qhPGL1NAoGAIxm/fh98EEKevdwRgYTM +eSKsaXXvv/C/nZJEM3MuSm6Tr1bokXe+PwktX+96JRb+bNFWFu/WTeQH7uA4GagG +Du1hPWzyBPTW4Jlf8NWYUAIwICA6Zd+nEX+WjYArBZZnbIWEMR9Rm3BcEBGyTavS +l6GaDmApDeskA6uBS4IeF7g= +-----END PRIVATE KEY----- diff --git a/.evergreen/run-ocsp-test.sh b/.evergreen/run-ocsp-test.sh new file mode 100755 index 0000000000..8fe3cdf94a --- /dev/null +++ b/.evergreen/run-ocsp-test.sh 
@@ -0,0 +1,187 @@
+#! /bin/bash
+# Test runner for OCSP revocation checking.
+#
+# Closely models the tests described in the specification:
+# https://github.com/mongodb/specifications/tree/master/source/ocsp-support/tests#integration-tests-permutations-to-be-tested.
+# Based on the test case, this may start a mock responder process.
+# Precondition: mongod is running with the correct configuration.
+#
+# Environment variables:
+#
+# TEST_COLUMN
+# Required. Corresponds to a column of the test matrix. Set to one of the following:
+# TEST_1, TEST_2, TEST_3, TEST_4, SOFT_FAIL_TEST, MALICIOUS_SERVER_TEST_1, MALICIOUS_SERVER_TEST_2
+# CERT_TYPE
+# Required. Set to either rsa or ecdsa.
+# USE_DELEGATE
+# Optional. May be ON or OFF. If a test requires use of a responder, this decides whether
+# the responder uses a delegate certificate. Defaults to "OFF"
+# CDRIVER_BUILD
+# Optional. The path to the build of mongo-c-driver (e.g. mongo-c-driver/cmake-build).
+# Defaults to $(pwd)
+# CDRIVER_ROOT
+# Optional. The path to mongo-c-driver source (may be same as CDRIVER_BUILD).
+# Defaults to $(pwd)
+# MONGODB_PORT
+# Optional. A custom port to connect to. Defaults to 27017.
+# SKIP_PIP_INSTALL
+# Optional. Skip pip install for required packages for mock responder.
+#
+# Example:
+# TEST_COLUMN=TEST_1 CERT_TYPE=rsa ./run-ocsp-test.sh
+#
+
+# Fail on any command returning a non-zero exit status.
+set -o errexit
+set -o xtrace
+
+CDRIVER_ROOT=${CDRIVER_ROOT:-$(pwd)}
+CDRIVER_BUILD=${CDRIVER_BUILD:-$(pwd)}
+MONGODB_PORT=${MONGODB_PORT:-"27017"}
+USE_DELEGATE=${USE_DELEGATE:-OFF}
+
+if [ -z "$TEST_COLUMN" -o -z "$CERT_TYPE" ]; then
+ echo "Required environment variable unset. See file comments for help."
+ exit 1;
+fi
+echo "TEST_COLUMN=$TEST_COLUMN"
+echo "CERT_TYPE=$CERT_TYPE"
+echo "USE_DELEGATE=$USE_DELEGATE"
+echo "CDRIVER_ROOT=$CDRIVER_ROOT"
+echo "CDRIVER_BUILD=$CDRIVER_BUILD"
+echo "MONGODB_PORT=$MONGODB_PORT"
+echo "SKIP_PIP_INSTALL=$SKIP_PIP_INSTALL"
+
+# Make paths absolute
+CDRIVER_ROOT=$(cd "$CDRIVER_ROOT"; pwd)
+CDRIVER_BUILD=$(cd "$CDRIVER_BUILD"; pwd)
+
+OS=$(uname -s | tr '[:upper:]' '[:lower:]')
+case "$OS" in
+ cygwin*) OS="WINDOWS" ;;
+ darwin) OS="MACOS" ;;
+ *) OS="LINUX" ;;
+esac
+
+on_exit () {
+ echo "Cleaning up"
+ if [ -n "$RESPONDER_REQUIRED" ]; then
+ echo "Responder logs:"
+ cat $CDRIVER_BUILD/responder.log
+ pkill -f "ocsp_mock" || true
+ fi
+}
+trap on_exit EXIT
+
+MONGOC_PING=$CDRIVER_BUILD/src/libmongoc/mongoc-ping
+# Add libmongoc-1.0 and libbson-1.0 to library path, so mongoc-ping can find them at runtime.
+if [ "$OS" = "WINDOWS" ]; then
+ export PATH=$PATH:$CDRIVER_BUILD/src/libmongoc/Debug:$CDRIVER_BUILD/src/libbson/Debug
+ chmod +x src/libmongoc/Debug/* src/libbson/Debug/* || true
+ MONGOC_PING=$CDRIVER_BUILD/src/libmongoc/Debug/mongoc-ping.exe
+elif [ "$OS" = "MACOS" ]; then
+ export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH:$CDRIVER_BUILD/src/libmongoc:$CDRIVER_BUILD/src/libbson
+elif [ "$OS" = "LINUX" ]; then
+ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$CDRIVER_BUILD/src/libmongoc:$CDRIVER_BUILD/src/libbson
+fi
+
+expect_success () {
+ echo "Should succeed:"
+ if ! $MONGOC_PING $MONGODB_URI; then
+ echo "Unexpected failure"
+ exit 1
+ fi
+}
+
+expect_failure () {
+ echo "Should fail:"
+ if $MONGOC_PING $MONGODB_URI >output.txt 2>&1; then
+ echo "Unexpected - succeeded but it should not have"
+ exit 1
+ else
+ echo "failed as expected"
+ fi
+
+ # libmongoc really should give a better error message for a revocation failure...
+ # It is not at all obvious what went wrong.
+ if ! grep "No suitable servers found" output.txt >/dev/null; then
+ echo "Unexpected error, expecting TLS handshake failure"
+ cat output.txt
+ exit 1
+ fi
+}
+
+# Start a mock responder if necessary.
+if curl localhost:8100 > /dev/null 2>&1; then
+ echo "Detected process listening on port 8100. Attempting to kill running mock responders.";
+ pkill -f "ocsp_mock" || true
+fi
+
+# Same responder is used for both server and client. So even stapling tests require a responder.
+if [ "TEST_1" = "$TEST_COLUMN" ]; then
+ RESPONDER_REQUIRED="valid"
+elif [ "TEST_2" = "$TEST_COLUMN" ]; then
+ RESPONDER_REQUIRED="invalid"
+elif [ "TEST_3" = "$TEST_COLUMN" ]; then
+ RESPONDER_REQUIRED="valid"
+elif [ "TEST_4" = "$TEST_COLUMN" ]; then
+ RESPONDER_REQUIRED="invalid"
+elif [ "MALICIOUS_SERVER_TEST_1" = "$TEST_COLUMN" ]; then
+ RESPONDER_REQUIRED="invalid"
+else
+ RESPONDER_REQUIRED=""
+fi
+
+if [ "ON" = "$USE_DELEGATE" ]; then
+ DELEGATE_TOKEN="delegate"
+fi
+
+if [ -n "$RESPONDER_REQUIRED" ]; then
+ echo "Starting mock responder"
+ if [ -z "$SKIP_PIP_INSTALL" ]; then
+ echo "Installing python dependencies"
+ # Installing dependencies.
+ /opt/mongodbtoolchain/v3/bin/python3 -m venv ./venv
+ . ./venv/bin/activate
+ pip install oscrypto bottle asn1crypto
+ fi
+ cd "$CDRIVER_ROOT/.evergreen/ocsp/$CERT_TYPE"
+ ./mock-$DELEGATE_TOKEN$RESPONDER_REQUIRED.sh > $CDRIVER_BUILD/responder.log 2>&1 &
+ cd -
+fi
+
+echo "Clearing OCSP cache for macOS/Windows"
+if [ "$OS" = "MACOS" ]; then
+ find ~/profile/Library/Keychains -name 'ocspcache.sqlite3' -exec sqlite3 "{}" 'DELETE FROM responses' \;
+elif [ "$OS" = "WINDOWS" ]; then
+ certutil -urlcache "*" delete
+fi
+
+# Always add the tlsCAFile
+BASE_URI="mongodb://localhost:$MONGODB_PORT/?tls=true&tlsCAFile=$CDRIVER_ROOT/.evergreen/ocsp/$CERT_TYPE/ca.pem"
+MONGODB_URI="$BASE_URI"
+
+# Only a handful of cases are expected to fail.
+if [ "TEST_1" = "$TEST_COLUMN" ]; then
+ expect_success
+elif [ "TEST_2" = "$TEST_COLUMN" ]; then
+ expect_failure
+elif [ "TEST_3" = "$TEST_COLUMN" ]; then
+ expect_success
+elif [ "TEST_4" = "$TEST_COLUMN" ]; then
+ expect_failure
+elif [ "SOFT_FAIL_TEST" = "$TEST_COLUMN" ]; then
+ expect_success
+elif [ "MALICIOUS_SERVER_TEST_1" = "$TEST_COLUMN" ]; then
+ expect_failure
+elif [ "MALICIOUS_SERVER_TEST_2" = "$TEST_COLUMN" ]; then
+ expect_failure
+fi
+
+# With insecure options, connection should always succeed
+MONGODB_URI="$BASE_URI&tlsInsecure=true"
+expect_success
+
+# With insecure options, connection should always succeed
+MONGODB_URI="$BASE_URI&tlsAllowInvalidCertificates=true"
+expect_success
\ No newline at end of file
diff --git a/build/evergreen_config_lib/functions.py b/build/evergreen_config_lib/functions.py
index 16f70d72ed..43c862903b 100644
--- a/build/evergreen_config_lib/functions.py
+++ b/build/evergreen_config_lib/functions.py
@@ -277,6 +277,7 @@
 export AUTHSOURCE=${AUTHSOURCE}
 export SSL=${SSL}
 export ORCHESTRATION_FILE=${ORCHESTRATION_FILE}
+ export OCSP=${OCSP}
 sh .evergreen/integration-tests.sh
 ''', test=False),
 )),
diff --git a/build/evergreen_config_lib/tasks.py b/build/evergreen_config_lib/tasks.py
index 46d7ba5d6a..b9f79df185 100644
--- a/build/evergreen_config_lib/tasks.py
+++ b/build/evergreen_config_lib/tasks.py
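Review bot: The responder launch `./mock-$DELEGATE_TOKEN$RESPONDER_REQUIRED.sh` does not resolve to the scripts this change adds: `RESPONDER_REQUIRED` is set to `"invalid"` for TEST_2, TEST_4 and MALICIOUS_SERVER_TEST_1, while the revoked-responder script in the rsa hunk above is named `mock-revoked.sh`, and if the delegate variants are named `mock-delegate-valid.sh` the concatenation also drops the hyphen. Because the launch is backgrounded with its stderr sent to responder.log, `set -o errexit` never sees the "No such file" error, no responder comes up, and those columns then pass or fail for reasons unrelated to revocation — the openssl variant currently prohibits exactly these columns, which is presumably why CI does not show it. There is also no wait for the responder to accept connections before `$MONGOC_PING` runs, so even a correct launch is racy, and `pip install oscrypto bottle asn1crypto` pulls unpinned packages from PyPI at CI time; pin versions (and ideally `--require-hashes`) so the responder's signing behaviour is reproducible and the job is not exposed to a tampered release. The rewrite below uses the real script names, fails fast when the script is missing, and polls port 8100 until the responder is up.

```shell
# … unchanged: TEST_COLUMN -> RESPONDER_REQUIRED mapping, except the revoked columns …
elif [ "TEST_2" = "$TEST_COLUMN" ]; then
 RESPONDER_REQUIRED="revoked"
# … same "revoked" value for TEST_4 and MALICIOUS_SERVER_TEST_1 …

if [ "ON" = "$USE_DELEGATE" ]; then
 DELEGATE_TOKEN="delegate-"
fi

if [ -n "$RESPONDER_REQUIRED" ]; then
 # … unchanged: venv creation and pip install (pin versions here) …
 cd "$CDRIVER_ROOT/.evergreen/ocsp/$CERT_TYPE"
 MOCK_SCRIPT="./mock-${DELEGATE_TOKEN}${RESPONDER_REQUIRED}.sh"
 if [ ! -x "$MOCK_SCRIPT" ]; then
 echo "Mock responder script not found: $MOCK_SCRIPT"
 exit 1
 fi
 "$MOCK_SCRIPT" > "$CDRIVER_BUILD/responder.log" 2>&1 &
 cd -
 # Do not run the client until the responder is actually listening.
 for _ in $(seq 1 40); do
 curl -s localhost:8100 > /dev/null 2>&1 && break
 sleep 0.25
 done
 if ! curl -s localhost:8100 > /dev/null 2>&1; then
 echo "Mock responder did not start; see responder.log"
 cat "$CDRIVER_BUILD/responder.log"
 exit 1
 fi
fi
```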
@@ -895,4 +895,74 @@ def name(self):
 return '-'.join([self.name_prefix, self.testcase])
 all_tasks = chain(all_tasks, AWSTestTask.matrix())
+
+
+class OCSPTask(MatrixTask):
+ axes = OD([('test', ['test_1', 'test_2', 'test_3', 'test_4', 'soft_fail_test', 'malicious_server_test_1', 'malicious_server_test_2']),
+ ('delegate', ['delegate', 'nodelegate']),
+ ('cert', ['rsa', 'ecdsa']),
+ ('ssl', ['openssl', 'darwinssl', 'winssl'])])
+
+ name_prefix = 'test-ocsp'
+
+ def __init__(self, *args, **kwargs):
+ super(OCSPTask, self).__init__(*args, **kwargs)
+ self.add_dependency('debug-compile-nosasl-%s' % (self.display('ssl')))
+ self.add_tags('ocsp-' + self.display('ssl'))
+
+ @property
+ def name(self):
+ return 'ocsp-' + self.display('ssl') + '-' + self.display('test') + '-' + self.display('cert') + '-' + self.display ('delegate')
+
+ def to_dict(self):
+ task = super(MatrixTask, self).to_dict()
+ commands = task['commands']
+ commands.append(
+ func('fetch build', BUILD_NAME=self.depends_on['name']))
+
+ stapling = 'mustStaple'
+ if self.test in [ 'test_3', 'test_4', 'soft_fail_test']:
+ stapling = 'disableStapling'
+ if self.test in [ 'malicious_server_test_1', 'malicious_server_test_2' ]:
+ stapling = 'mustStaple-disableStapling'
+
+ orchestration_file = '%s-basic-tls-ocsp-%s' % (self.cert, stapling)
+ orchestration = bootstrap(TOPOLOGY='server', SSL='ssl', OCSP='on', ORCHESTRATION_FILE=orchestration_file)
+
+ commands.append(orchestration)
+ commands.append(shell_mongoc('TEST_COLUMN=%s CERT_TYPE=%s USE_DELEGATE=%s sh .evergreen/run-ocsp-test.sh' % (self.test.upper(), self.cert, 'on' if self.delegate == 'delegate' else 'off')))
+
+ return task
+
+ # Testing in OCSP has a lot of exceptions.
+ def _check_allowed(self):
+ # Current latest macOS does not support the disableStapling failpoint.
+ # There are no tests that can run on macOS in current evergreen configuration.
+ # Removing windows for now too.
+ if self.ssl == 'darwinssl' or self.ssl == 'winssl':
+ # TODO: remove this when macOS latest download is updated
+ prohibit (True)
+
+ # ECDSA certs can't be loaded (in the PEM format they're stored) on Windows/macOS. Skip them.
+ if self.ssl == 'darwinssl' or self.ssl == 'winssl':
+ prohibit (self.cert == 'ecdsa')
+
+ # OCSP stapling is not supported on macOS or Windows.
+ if self.ssl == 'darwinssl' or self.ssl == 'winssl':
+ prohibit (self.test in ['test_1', 'test_2'])
+ if self.test == 'soft_fail_test' or self.test == 'malicious_server_test_2':
+ prohibit(self.delegate == 'delegate')
+
+ # Until soft-fail is supported on Windows, skip test.
+ if self.ssl == 'winssl':
+ prohibit (self.test == 'soft_fail_test')
+
+ # Until OCSP is supported in OpenSSL, skip tests that expect to be revoked.
+ if self.ssl == 'openssl':
+ prohibit (self.test in ['test_2', 'test_4', 'malicious_server_test_1', 'malicious_server_test_2'])
+
+
+all_tasks = chain(all_tasks, OCSPTask.matrix())
+
+
 all_tasks = list(all_tasks)
\ No newline at end of file
diff --git a/build/evergreen_config_lib/variants.py b/build/evergreen_config_lib/variants.py
index 11fc45719f..a8a2fc96b3 100644
--- a/build/evergreen_config_lib/variants.py
+++ b/build/evergreen_config_lib/variants.py
@@ -613,4 +613,12 @@
 ],
 { 'CC': 'gcc' }, batchtime=1440),
+ Variant ('ocsp', 'OCSP tests', 'ubuntu1804-test', [
+ OD([('name', 'debug-compile-nosasl-openssl'), ('distros', ['ubuntu1804-test'])]),
+ #OD([('name', 'debug-compile-nosasl-darwinssl'), ('distros', ['macos-1014'])]),
+ #OD([('name', 'debug-compile-nosasl-winssl'), ('distros', ['windows-64-vs2017-test'])]),
+ OD([('name', '.ocsp-openssl'), ('distros', ['ubuntu1804-test'])]),
+ #OD([('name', '.ocsp-darwinssl'), ('distros', ['macos-1014'])]),
+ #OD([('name', '.ocsp-winssl'), ('distros', ['windows-64-vs2017-test'])])
+ ])
 ]
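Review bot: `to_dict` passes `USE_DELEGATE` as lowercase `'on'`/`'off'`, but run-ocsp-test.sh in this same change only activates the delegate responder on the exact string `ON` (`if [ "ON" = "$USE_DELEGATE" ]`), so the `delegate` axis never changes the responder and both matrix cells run the same configuration. Change the argument to `'ON' if self.delegate == 'delegate' else 'OFF'` (or make the shell comparison case-insensitive) so the delegate cells actually test delegated signing. In `_check_allowed`, the leading `prohibit (True)` for darwinssl/winssl makes the three later darwinssl/winssl prohibits unreachable for now; a one-line comment such as `# Kept for when the prohibit(True) above is removed` would spare the next reader the puzzle. `task = super(MatrixTask, self).to_dict()` deliberately skips MatrixTask's own `to_dict`; if that is intended it deserves a comment saying why.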
diff --git a/orchestration_configs/servers/ecdsa-basic-tls-ocsp-disableStapling.json b/orchestration_configs/servers/ecdsa-basic-tls-ocsp-disableStapling.json
new file mode 100644
index 0000000000..b885bf7ecc
--- /dev/null
+++ b/orchestration_configs/servers/ecdsa-basic-tls-ocsp-disableStapling.json
@@ -0,0 +1,19 @@
+{
+ "id" : "standalonenoauthssl",
+ "name": "mongod",
+ "procParams": {
+ "ipv6": true,
+ "bind_ip": "127.0.0.1,::1",
+ "logappend": true,
+ "journal": true,
+ "port": 27017,
+ "setParameter": {"failpoint.disableStapling":"{\"mode\":\"alwaysOn\"}}"}
+ },
+ "sslParams": {
+ "sslOnNormalPorts": true,
+ "sslPEMKeyFile": "ABSOLUTE_PATH_REPLACEMENT_TOKEN/.evergreen/ocsp/ecdsa/server.pem",
+ "sslCAFile": "ABSOLUTE_PATH_REPLACEMENT_TOKEN/.evergreen/ocsp/ecdsa/ca.pem",
+ "sslWeakCertificateValidation" : true,
+ "sslAllowInvalidCertificates": true
+ }
+}
diff --git a/orchestration_configs/servers/ecdsa-basic-tls-ocsp-mustStaple-disableStapling.json b/orchestration_configs/servers/ecdsa-basic-tls-ocsp-mustStaple-disableStapling.json
new file mode 100644
index 0000000000..0b2e4d37fc
--- /dev/null
+++ b/orchestration_configs/servers/ecdsa-basic-tls-ocsp-mustStaple-disableStapling.json
@@ -0,0 +1,19 @@
+{
+ "id" : "standalonenoauthssl",
+ "name": "mongod",
+ "procParams": {
+ "ipv6": true,
+ "bind_ip": "127.0.0.1,::1",
+ "logappend": true,
+ "journal": true,
+ "port": 27017,
+ "setParameter": {"failpoint.disableStapling":"{\"mode\":\"alwaysOn\"}}"}
+ },
+ "sslParams": {
+ "sslOnNormalPorts": true,
+ "sslPEMKeyFile": "ABSOLUTE_PATH_REPLACEMENT_TOKEN/.evergreen/ocsp/ecdsa/server-mustStaple.pem",
+ "sslCAFile": "ABSOLUTE_PATH_REPLACEMENT_TOKEN/.evergreen/ocsp/ecdsa/ca.pem",
+ "sslWeakCertificateValidation" : true,
+ "sslAllowInvalidCertificates": true
+ }
+}
diff --git a/orchestration_configs/servers/ecdsa-basic-tls-ocsp-mustStaple.json b/orchestration_configs/servers/ecdsa-basic-tls-ocsp-mustStaple.json
new file mode 100644
index 0000000000..8cbaa742cd
--- /dev/null
+++ b/orchestration_configs/servers/ecdsa-basic-tls-ocsp-mustStaple.json
@@ -0,0 +1,19 @@
+{
+ "id" : "standalonenoauthssl",
+ "name": "mongod",
+ "procParams": {
+ "ipv6": true,
+ "bind_ip": "127.0.0.1,::1",
+ "logappend": true,
+ "journal": true,
+ "port": 27017,
+ "setParameter": {"ocspEnabled": true}
+ },
+ "sslParams": {
+ "sslOnNormalPorts": true,
+ "sslPEMKeyFile": "ABSOLUTE_PATH_REPLACEMENT_TOKEN/.evergreen/ocsp/ecdsa/server-mustStaple.pem",
+ "sslCAFile": "ABSOLUTE_PATH_REPLACEMENT_TOKEN/.evergreen/ocsp/ecdsa/ca.pem",
+ "sslWeakCertificateValidation" : true,
+ "sslAllowInvalidCertificates": true
+ }
+}
diff --git a/orchestration_configs/servers/rsa-basic-tls-ocsp-disableStapling.json b/orchestration_configs/servers/rsa-basic-tls-ocsp-disableStapling.json
new file mode 100644
index 0000000000..b46b1e3d59
--- /dev/null
+++ b/orchestration_configs/servers/rsa-basic-tls-ocsp-disableStapling.json
@@ -0,0 +1,19 @@
+{
+ "id" : "standalonenoauthssl",
+ "name": "mongod",
+ "procParams": {
+ "ipv6": true,
+ "bind_ip": "127.0.0.1,::1",
+ "logappend": true,
+ "journal": true,
+ "port": 27017,
+ "setParameter": {"failpoint.disableStapling":"{\"mode\":\"alwaysOn\"}}"}
+ },
+ "sslParams": {
+ "sslOnNormalPorts": true,
+ "sslPEMKeyFile": "ABSOLUTE_PATH_REPLACEMENT_TOKEN/.evergreen/ocsp/rsa/server.pem",
+ "sslCAFile": "ABSOLUTE_PATH_REPLACEMENT_TOKEN/.evergreen/ocsp/rsa/ca.pem",
+ "sslWeakCertificateValidation" : true,
+ "sslAllowInvalidCertificates": true
+ }
+}
diff --git a/orchestration_configs/servers/rsa-basic-tls-ocsp-mustStaple-disableStapling.json b/orchestration_configs/servers/rsa-basic-tls-ocsp-mustStaple-disableStapling.json
new file mode 100644
index 0000000000..4c76e7fc70
--- /dev/null
+++ b/orchestration_configs/servers/rsa-basic-tls-ocsp-mustStaple-disableStapling.json
@@ -0,0 +1,19 @@
+{
+ "id" : "standalonenoauthssl",
+ "name": "mongod",
+ "procParams": {
+ "ipv6": true,
+ "bind_ip": "127.0.0.1,::1",
+ "logappend": true,
+ "journal": true,
+ "port": 27017,
+ "setParameter": {"failpoint.disableStapling":"{\"mode\":\"alwaysOn\"}}"}
+ },
+ "sslParams": {
+ "sslOnNormalPorts": true,
+ "sslPEMKeyFile": "ABSOLUTE_PATH_REPLACEMENT_TOKEN/.evergreen/ocsp/rsa/server-mustStaple.pem",
+ "sslCAFile": "ABSOLUTE_PATH_REPLACEMENT_TOKEN/.evergreen/ocsp/rsa/ca.pem",
+ "sslWeakCertificateValidation" : true,
+ "sslAllowInvalidCertificates": true
+ }
+}
diff --git a/orchestration_configs/servers/rsa-basic-tls-ocsp-mustStaple.json b/orchestration_configs/servers/rsa-basic-tls-ocsp-mustStaple.json
new file mode 100644
index 0000000000..fb7c264ea4
--- /dev/null
+++ b/orchestration_configs/servers/rsa-basic-tls-ocsp-mustStaple.json
@@ -0,0 +1,19 @@
+{
+ "id" : "standalonenoauthssl",
+ "name": "mongod",
+ "procParams": {
+ "ipv6": true,
+ "bind_ip": "127.0.0.1,::1",
+ "logappend": true,
+ "journal": true,
+ "port": 27017,
+ "setParameter": {"ocspEnabled": true}
+ },
+ "sslParams": {
+ "sslOnNormalPorts": true,
+ "sslPEMKeyFile": "ABSOLUTE_PATH_REPLACEMENT_TOKEN/.evergreen/ocsp/rsa/server-mustStaple.pem",
+ "sslCAFile": "ABSOLUTE_PATH_REPLACEMENT_TOKEN/.evergreen/ocsp/rsa/ca.pem",
+ "sslWeakCertificateValidation" : true,
+ "sslAllowInvalidCertificates": true
+ }
+}
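Review bot: The failpoint value `"{\"mode\":\"alwaysOn\"}}"` carries an extra closing brace — the JSON string decodes to `{"mode":"alwaysOn"}}`, which is not a well-formed document even though the surrounding file still parses. Whether mongod's parameter parser tolerates the trailing `}` I cannot tell from here; if it does not, the server never starts and every disableStapling column fails before the client is exercised, and if it does, the config is correct only by accident. The line should read `"setParameter": {"failpoint.disableStapling":"{\"mode\":\"alwaysOn\"}"}`, and the same string is repeated in the other three disableStapling configs in this change. Since JSON cannot hold comments, the directory README is the place to record that `sslWeakCertificateValidation` and `sslAllowInvalidCertificates` appear to relax only mongod's check of client certificates and are unrelated to the client-side OCSP checks these tests target.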