mirror of https://github.com/mongodb/mongo
SERVER-106946 Reject x.509 certificates with mismatched client|serverAuth EKU (#42831)
GitOrigin-RevId: 1ca4451393cb9cd18be4948020cdbbad1d597288
parent
2dc2b7d6af
commit
1c88e8299b
@ -927,6 +927,10 @@ WORKSPACE.bazel @10gen/devprod-build @svc-auto-approve-bot
|
||||||
/jstests/libs/**/replicated_ident_utils.js @10gen/server-storage-engine-integration @svc-auto-approve-bot
|
/jstests/libs/**/replicated_ident_utils.js @10gen/server-storage-engine-integration @svc-auto-approve-bot
|
||||||
/jstests/libs/**/replicated_record_ids_utils.js @10gen/server-storage-engine-integration @svc-auto-approve-bot
|
/jstests/libs/**/replicated_record_ids_utils.js @10gen/server-storage-engine-integration @svc-auto-approve-bot
|
||||||
/jstests/libs/**/host_ipaddr.js @10gen/server-networking-and-observability @svc-auto-approve-bot
|
/jstests/libs/**/host_ipaddr.js @10gen/server-networking-and-observability @svc-auto-approve-bot
|
||||||
|
/jstests/libs/**/*.pem @10gen/server-security @svc-auto-approve-bot
|
||||||
|
/jstests/libs/**/*.sha1 @10gen/server-security @svc-auto-approve-bot
|
||||||
|
/jstests/libs/**/*.sha256 @10gen/server-security @svc-auto-approve-bot
|
||||||
|
/jstests/libs/**/*.pfx @10gen/server-security @svc-auto-approve-bot
|
||||||
|
|
||||||
# The following patterns are parsed from ./jstests/libs/clustered_collections/OWNERS.yml
|
# The following patterns are parsed from ./jstests/libs/clustered_collections/OWNERS.yml
|
||||||
/jstests/libs/clustered_collections/**/* @10gen/server-collection-write-path @svc-auto-approve-bot
|
/jstests/libs/clustered_collections/**/* @10gen/server-collection-write-path @svc-auto-approve-bot
|
||||||
|
|
|
||||||
|
|
@ -96,3 +96,15 @@ filters:
|
||||||
- "host_ipaddr.js":
|
- "host_ipaddr.js":
|
||||||
approvers:
|
approvers:
|
||||||
- 10gen/server-networking-and-observability
|
- 10gen/server-networking-and-observability
|
||||||
|
- "*.pem":
|
||||||
|
approvers:
|
||||||
|
- 10gen/server-security
|
||||||
|
- "*.sha1":
|
||||||
|
approvers:
|
||||||
|
- 10gen/server-security
|
||||||
|
- "*.sha256":
|
||||||
|
approvers:
|
||||||
|
- 10gen/server-security
|
||||||
|
- "*.pfx":
|
||||||
|
approvers:
|
||||||
|
- 10gen/server-security
|
||||||
|
|
|
||||||
|
|
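--- /dev/null
+++ b/<PATH-NOT-SHOWN>/client_with_serverAuth_and_clientAuth_eku.pem
@@ -0,0 +1,54 @@
+# Autogenerated file, do not edit.
+# Generate using jstests/ssl/x509/mkcert.py --config jstests/ssl/x509/certs.yml client_with_serverAuth_and_clientAuth_eku.pem
+#
+# Client certificate configured with both serverAuth and clientAuth EKUs
+-----BEGIN CERTIFICATE-----
+MIIDujCCAqKgAwIBAgIEeckgojANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
+BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs
+IFRlc3QgQ0EwHhcNMjUxMDA5MDAxMTA3WhcNMjgwMTExMDAxMTA3WjBwMQswCQYD
+VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp
+dHkxEDAOBgNVBAoMB01vbmdvREIxEzARBgNVBAsMCktlcm5lbFVzZXIxDzANBgNV
+BAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFdsu4T
+kXv2LNQn0ztQ37rYRxEz9DTt4ChhBYrTm/4t4hgEWZipENdhtERelSlXL9oEmBXB
+hMQXT7Hkf/YOrz2i9kERfHUc1OOYqlHckHm+3mWtjSKXqCB9eRtVaTd9TDr3jL8H
+S7rgbHVXRJOwGqyhssQtnFWsv01G7xE8MrVfbJQA2EYn58C5FK285oMS5b7DvxUP
+sqWbLoClLSWv7o3B1eicFAqgeNOdRul4tgw7xnhsVIClsDbDdhp7BWZzF6A4eler
+JFLzNF4m2qVtP1UbmnfauXUsNt4u7SS4k/D+Q0cJjuVvOf0L+sVky3yBp7I2iCKG
+Mw7s2Y11Vcrq6l8CAwEAAaNYMFYwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYD
+VR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQWBBSyoo+bNEX+HOQy
+L1QEnCAIp49XMDANBgkqhkiG9w0BAQsFAAOCAQEAI0Pnx2HtIQJpLwL7X0ccyFpg
+L4eX/Eywp3tt6pmZw/J5CH/WHQcRPbbBcJICQdCC7VfdzoleUYG6QGqfxIOI3yn9
+jd3X+KWbuRm2KTvkRitXaVaRdSRAeuiUq72K1IU2oE/zhTO46QdXuMcfgpKJ9ajm
+2ZbBYXWr5o9scOBFrMNLP1i5lUxv4bbZMeupHfeMuH5a+N0rHGmsXssU+0xAFIAW
++lg4sPkSCyGQnaWI1JJbtNL+hOhWg87j0MRlPwaUzEjlVB1eWab5221H3krI+nv3
+kirpgULZoIZ+t0dcbtCfzQFg5X/Yr4mNXp+mJshSAfICjBrbWDOt06krlh1a7A==
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDBXbLuE5F79izU
+J9M7UN+62EcRM/Q07eAoYQWK05v+LeIYBFmYqRDXYbREXpUpVy/aBJgVwYTEF0+x
+5H/2Dq89ovZBEXx1HNTjmKpR3JB5vt5lrY0il6ggfXkbVWk3fUw694y/B0u64Gx1
+V0STsBqsobLELZxVrL9NRu8RPDK1X2yUANhGJ+fAuRStvOaDEuW+w78VD7Klmy6A
+pS0lr+6NwdXonBQKoHjTnUbpeLYMO8Z4bFSApbA2w3YaewVmcxegOHpXqyRS8zRe
+JtqlbT9VG5p32rl1LDbeLu0kuJPw/kNHCY7lbzn9C/rFZMt8gaeyNogihjMO7NmN
+dVXK6upfAgMBAAECggEAB4SRFFiGa39itszllYTLbgRCnxSaBgTJlkhPYtpfUj6O
+b8ibgyfvk7AkxhO3UOgm4B8VmqLveoA9hPkRUIu5nHfdgyIe6J66WC7zUEN3CoS1
+ONbKifHDg5/dOYbUlGe2swQ04Khz9UwMa3N9IxDRuKyAusfbMCmLNoHvgYgJoKuH
+wRxUhOnOkvz0RKMQTIODNmmfUvmJh0/Rbx03aehcQPOfnt8ChwCrbtUMzNi0jdlI
+zWJ/uTUkm5NBbjfoKkwtxew4UfSpuN7snOnER5/ucJzxTnfCwwQW/9Q2klu7RefS
+pet1FjBX1THlem6Hiy2ryzd0ubMy7OTHrHcjcW+mAQKBgQDu0d1BF7XJ4k+gvCIb
+IDxt0zX7f57Sd1EabnqXCZ9UEPlRk7CS0fp4UrlbaNuTqYyvV4s/Lafx1gUkjovF
+NSUw6JNAWuV7MDeQmPCPkkw68O+g/HfeugeCXEMr50ceN/wed7M6dVPUhPYqM3su
+CkbtSuwwrft1S1GyR0raf+/SnwKBgQDPRsCQOXb9o2HkT7ZuMQXrET8437PwkqAB
+sQvKCmeYWKBFYx+b8f9gmo/2kIm0A0C1M9aF4ZKpAYK9GngNvFJQmoJwbMyGa2iz
+3K8j88LE1sVNIg+KeidQ2TV11FHy8iqtrV4QwYu4gSehhD9rcObWcjd1evrN1IPJ
+gpFfgVOQQQKBgHyiNY+06gBUBS5jQIFbj23ZXkDEV4SLFF5w7bVJJkdfHF5Ab1QQ
+FWEZ+vYDgSRMxcj0LQ1prE3/XWu4oKTomWIu3joltcFWZokl59Vlijbwan5fg8dO
+2oBj2gJdjrXsjbzwxy5o8LjmMvnPKCfc4SsRgLXe9m4+QoKBxkTFo8kNAoGBAMxO
+ewQuAEGlx5nZkIIwxBqd12lh5uVcQWcpcetmMhKSWPfL6p41/HjmILzyXykWg7OY
+Mv2oCH2ZxZpL+sXfOGvGwIe8ViSwvnV7Mw8G+JY49CVBS3w9R3+DehR4gYYseTDT
+0AJIJEZq1/t2dWSb1ozN7ChaXdiAfp4jmtM+kHWBAoGAPKijKxOhqQUUdSRYIWM/
+LWDeQiaOJNohGusRUreE09SwhUf0SgwyUDDCOILHGpNeQenk1U7I6Fp36t1O9V2v
+ImGYgBfU/cgiceiKIPc0dtwgKpEIKfSQvxgFTLHFhVXNZ9bha0aWiy89CnLbaYig
+zTkOdu0heK6kCVlp4pz2UX4=
+-----END PRIVATE KEY-----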
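--- /dev/null
+++ b/<PATH-NOT-SHOWN>.sha1
@@ -0,0 +1 @@
+07131F475923243E2773CF4445C6FCB6371317AE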
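--- /dev/null
+++ b/<PATH-NOT-SHOWN>.sha256
@@ -0,0 +1 @@
+E220B02E555A5CDBCB661CF7B8757CF5B5194F7670052AD49CE28131D7760D44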
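--- /dev/null
+++ b/<PATH-NOT-SHOWN>/client_with_serverAuth_eku.pem
@@ -0,0 +1,54 @@
+# Autogenerated file, do not edit.
+# Generate using jstests/ssl/x509/mkcert.py --config jstests/ssl/x509/certs.yml client_with_serverAuth_eku.pem
+#
+# Client certificate configured with serverAuth EKU
+-----BEGIN CERTIFICATE-----
+MIIDsDCCApigAwIBAgIEEHynczANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
+BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs
+IFRlc3QgQ0EwHhcNMjUxMDA4MDcwOTA2WhcNMjgwMTEwMDcwOTA2WjBwMQswCQYD
+VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp
+dHkxEDAOBgNVBAoMB01vbmdvREIxEzARBgNVBAsMCktlcm5lbFVzZXIxDzANBgNV
+BAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALMU7Zt9
+pzSWR9otRBIx4iSWGXwQVVmDPrxlOk9FHPxoj8FP9PLHCXvCNAGmwibJKHlJPU/0
+j+LELisj3tDW6TpkXxUdSSPw5LTCd4ClJZoUKTG2iK9bmcPIIzOTcMJJPPtRS2Cn
+H+SkTkMffefBxY8opTMwBRNzk6N24T1YVlLCZA/hh8Hrlw5erTqizInYd2EwQSMb
+Wp4hN9WaOPb9YdCTvPeASxHK7LMQxL3CDHEFD4MzQkjzvDSDIlax44tVmy49RRG1
+xym04Y2jD4jvLLsGmVt4z2GpMnobfi/i3Mhu+HnUur1TT7jKffkir3jeDF/HHHjf
+vMdc1rxqRqdH0JMCAwEAAaNOMEwwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwEwYD
+VR0lBAwwCgYIKwYBBQUHAwEwHQYDVR0OBBYEFNZ1N4or6l9W+RHVfTuJ6wP8D7cl
+MA0GCSqGSIb3DQEBCwUAA4IBAQAK1dJh3oshM2CuPQcXRpUWoDrnvuioV/mTCxlA
+GkmNj7UUHIAlWiVrHlGaSFWeVKrgLSiNtvpd9S564Cyzh38aIzdbC+oYo8xqzaDn
+FtPvtA5dOtxW3AWMoPuFYcGrbhOhdYUuhKxFYksmdqDe5aS94CMenOJfBuG53jJG
+wog42eBS1PuLX8iSk4CQVQITLux15G0Bj82X3skqzu66RvIekVP43hsfEskXcEEU
+DHeIkIUHmrT6S3HdqMvQ0HG7AMkiQwAokRI+jP+2rVleAX6UVJeeWIy5n7IWqXol
+basYt5sxPTo3Rbir8p7i57e+SBD3y/8I9uKWzKbKH4VRe2eI
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCzFO2bfac0lkfa
+LUQSMeIklhl8EFVZgz68ZTpPRRz8aI/BT/Tyxwl7wjQBpsImySh5ST1P9I/ixC4r
+I97Q1uk6ZF8VHUkj8OS0wneApSWaFCkxtoivW5nDyCMzk3DCSTz7UUtgpx/kpE5D
+H33nwcWPKKUzMAUTc5OjduE9WFZSwmQP4YfB65cOXq06osyJ2HdhMEEjG1qeITfV
+mjj2/WHQk7z3gEsRyuyzEMS9wgxxBQ+DM0JI87w0gyJWseOLVZsuPUURtccptOGN
+ow+I7yy7BplbeM9hqTJ6G34v4tzIbvh51Lq9U0+4yn35Iq943gxfxxx437zHXNa8
+akanR9CTAgMBAAECggEAPlPe3NrPSqCxUlCl2/VLoXMyXHks03I38AcFU9iYnYrg
+2aWz+ZlnhhDR2+9HrIsfkJL6iWzzdTfVX8Nkxee+lcmgRC+EqMMrPnRedkJEQ4uX
+yMsgaHPnoPnzsnwy5xPpawjgxLt2ALRk3rzDq9lHoqtBT/77DUmRDXgPLbQkmzmh
+HmENWndOxgYV28BKMocT7mN54yDRtGflesx2tl06jJuCWn0z2+77X/PHKCE5qgUW
+kHKtwVspxWBSgTkDGW1ib+fBo8XDxf+CPskgB8We4bdQKd8lGL//OQF7NwrmeF4m
+3qeRuTiXVm5jpsSp6QB65h6h7WalITW+UYG12ZNF+QKBgQD5rwhU2hqW7dawFDIn
+Fk4qLt7H+qjgkb9hCKwEUOBWiRe3IUkeK9JCNb3chSYflwpw4OT4ZtaWCBjnoZJS
+G7CJhTxtoO8qpy4+711dhfcU7FZpCRseZOvS4gjhXZ6uTHU7M8MRKkEupMAwh4aa
+WqOnLaAVJS75K+E+hQ6kvC3jSQKBgQC3nKw9rgZ9DnreuyGpiHgCBFwICUcJ2edh
+xDGXPiKOQ4FPOJDEkGrN7wsNwNFIlUiK8TE8DM7+W6oWDpiUq0wdJ8Ckq9K7a/gm
+yYjGJzO/zQwktBWo89aqZ04FaXG0GfRk9BDiPPeOopvEmz1FV9g5stKcgJVPswrI
+RxIDpgI4+wKBgQDd30D7DdkE95KIY1nxy+tnpsDHWiHJdRpoYqlhKHFB1I8jZ8uu
+qOgtd84gcJ1hAvn/Nomhhtj293kSFEyO9BYbDi+Vh6Yf8/GvcUs5OTtH94AN1E6p
+4qqAeeXERkokvsKJ+kREM5U6mqJCPZxJ+3NjsrKHN8SXHPwKb3iEwMfSKQKBgHFb
+k+c8oprgrrEGHUE6lMTCBkOb3rTRSA3O/8LdRJ5KRPIw/QeuFZJwa4WhLlQ+fhvx
+zrDBQ6Y712Vou4DFxOcXHNNNlXvKq9jegce8ejGHGWEroVe+uyBXSQ8ES4OipoUR
+Pb8/XqM79ylJomlGU6NDqM2ggQ5EfnqpjhCclDCzAoGBAI/1ImAjw7UAAEPMjxSH
+Gn8LsK09m7yftZy9rBqCzvN8Y8lTnZ6JPT/UlahZaPQkkF53gHZze5EXKyTv5og2
+O5eeuK0ic59blGKsh/lx5MpycCSOA+lSMo+LwTI1qjLC5RX6+22TsaRxriaA7Jwu
+pHj9p7JeBRL7FDrpqXbvU5m3
+-----END PRIVATE KEY-----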
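--- /dev/null
+++ b/<PATH-NOT-SHOWN>.sha1
@@ -0,0 +1 @@
+46E58AA553BEB2FFBE780E3843EC03D52CDBFC37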
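--- /dev/null
+++ b/<PATH-NOT-SHOWN>.sha256
@@ -0,0 +1 @@
+91A33587DA130B10CA6D9C6EB7245DE0EC8464DD2B40E353ACA722B3C639585B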
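--- /dev/null
+++ b/<PATH-NOT-SHOWN>/client_without_eku.pem
@@ -0,0 +1,54 @@
+# Autogenerated file, do not edit.
+# Generate using jstests/ssl/x509/mkcert.py --config jstests/ssl/x509/certs.yml client_without_eku.pem
+#
+# Client certificate configured with no EKUs
+-----BEGIN CERTIFICATE-----
+MIIDmzCCAoOgAwIBAgIEVu0RgzANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
+BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs
+IFRlc3QgQ0EwHhcNMjUxMDA5MDAxMDIwWhcNMjgwMTExMDAxMDIwWjBwMQswCQYD
+VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp
+dHkxEDAOBgNVBAoMB01vbmdvREIxEzARBgNVBAsMCktlcm5lbFVzZXIxDzANBgNV
+BAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALmG7czL
+X055NjhHKNAyfttzWt+RzJmsLjNFekaPhQlmzlGmcBQc3uX18tc9bOaBVa8k/a7e
+b6ZCvziwSh9lE7RCNgms3+NoZqYj4tLQuf+ueiGxRoLGDidpOkWW+N1sNGpVoiYb
+OB+EjO5NFyGPmgoaUYct8yZ6j++WebsMrynrg1e7GvFB+EiAPLvzj9ExYLEs+NUY
+C4tycM/KOP4y45qjChH4X1AOHoIOv7L50XgVMbH78OM1tihJYR/1ScuRASGxaBsJ
+CPMe+92SDZnicNATZ7M7P2Y8A6Ho4vFiCQF1DNGXVbPi831W6Hdf1k9iF4Mlv7lp
+RVxrbZRi9KRuEVsCAwEAAaM5MDcwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYD
+VR0OBBYEFFtXNM0ZVW9+/VY9bw9343IJtNMlMA0GCSqGSIb3DQEBCwUAA4IBAQA8
+2AcuB+sUnRbT60NdGSGRWn06MT/OErAA1H3cfJYi3dZUwEzqPy8ngVqGnTJkGw18
+Evjg84fOYlC8C5NSHEZlR8dBJFygpvLdrwyzQ06/4DNPZZ3fG5owderdGrp12B4V
+RQwRve40kJ38wycuLh3+NroE8RLc8LxRWmEH//Zl6z8HSAiBkDI8S/wWRp+xWHXn
+yEWwrUj5qI6zJdCTIsnsHVJwyNUr97IYxd4pYCAyVGMrKBC5DC+wxAw3yjaEf3b4
+TafTjoL21Zx/2nQ8QIDypJ1FQkjmyLBz3Vuibpooi6skKSYJeH3Da/lGbzUcJs2o
+Vnx3CgvHCCHdt9RM00/d
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5hu3My19OeTY4
+RyjQMn7bc1rfkcyZrC4zRXpGj4UJZs5RpnAUHN7l9fLXPWzmgVWvJP2u3m+mQr84
+sEofZRO0QjYJrN/jaGamI+LS0Ln/rnohsUaCxg4naTpFlvjdbDRqVaImGzgfhIzu
+TRchj5oKGlGHLfMmeo/vlnm7DK8p64NXuxrxQfhIgDy784/RMWCxLPjVGAuLcnDP
+yjj+MuOaowoR+F9QDh6CDr+y+dF4FTGx+/DjNbYoSWEf9UnLkQEhsWgbCQjzHvvd
+kg2Z4nDQE2ezOz9mPAOh6OLxYgkBdQzRl1Wz4vN9Vuh3X9ZPYheDJb+5aUVca22U
+YvSkbhFbAgMBAAECggEANDlXFx7oZR6ZtJ3TT0fnjb6bBfP0tA1Ts/sKwHIF8O+P
+hExloEPAOttQ0GXqEbi2debjwiW7KAIB8eMt+khpk4RP0cln/IuW2Y2ge9dlhCOJ
+HZLZVlaKBW4JiS1GQI4E8ynHyxI+aiDVyv7IVBooMk/WQ0cb+ujlO3wQKCcZ56J4
+V0gF3uVvc3c5IKbJ0BJE/aT96xC+ARh/TfRESQ7hVP2XX137OnBYKnA/v8VurCFj
+ZWtY6OTIfv1DXqSlMeX/2rmy50STBbhSDi/0nzxb6NW23hjgKlPkXq9FrM2QYlTA
+/3ktJZLDmJumOyF5uzPGnvi3tVIhWoJdQrOnDkpgAQKBgQD3b5VyspIIULAVmIc9
+GtZ2IU+NtsPx7z1SxFgoj1M3SPtdkoknpl+qNJd2bUkR0iNz931XLW6K+SIhnGRg
+qcS9Z9OV5+s3kqr77CCKYdFeTij4PU31RWGzUGidYWQSKt3vs/HVkN7e8cqkUWci
+I7bX/XFeoOp893rkhb26+4wnAQKBgQC/8syps/vk9w3soqWu+z0YFEcqgdD6DnZj
+c05JT002JUOWx/a6/Mgsb/xcz3+zow6cjTfL1HM45c28y51Kgx0PGFGIB0Xcx4oY
+RqzBZgNfs6C5yaK2NlVWDizzPnZX3diQ9N+4GwYsXdH/5CTR9/h9NVbP6mYLfmvg
+PpdS8bA0WwKBgQCl7xC8IIDKTsInWWioU80q31/oW37ASn5HeSDd4nAeDTV1JQYR
+rwNMs4Q3iUaNSu03oetOgUs2q6h1/dla8b7cfjpot2UImbVMyKdx5fNwWN4ky4fy
+ShshE3V0xZFElbbMP1KYtFSiEmihFW4ieOzvoCldGnDmaVji08XPFU6CAQKBgGDB
+N88XLZMFwZwVhGTGuc4IcrMHitpxLdYFimHDuozfjclUdJde0lwr+s6hvaJEQBpD
+yOtS5N26YNGY5Wlo293/CSIDYIDgiEiiX3SBQpQcDJl5/S3SB4QAU0ItqyOxbPfs
+p1S7MopspG1TiAfa8gPTPjZB1jxW9nOruUWTFJnfAoGACoDxll5nSmcyVwv0Cbin
+flxufIOFTC3RFCnneYtgMSr8V4djG6YxymDOoiLeu47GYmOTktguEoC/xrJsoa/o
+yqoPXEfYnNIk1CtvPEJame5kW0alOJHGrdwfjmdlAi+WkqgPmimjy/N8MiQRbCeu
+Od082bTXuNRQa7JDjJ0b200=
+-----END PRIVATE KEY-----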
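--- /dev/null
+++ b/<PATH-NOT-SHOWN>.sha1
@@ -0,0 +1 @@
+05C8D9D227BDAA8745EC19BCC6C85CDF774E6737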
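--- /dev/null
+++ b/<PATH-NOT-SHOWN>.sha256
@@ -0,0 +1 @@
+9713AF48C3DC788C33D8DDFA3D38C4C9FC55F2167BFA5FB3A480AD3E8C2A6EF8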
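--- /dev/null
+++ b/<PATH-NOT-SHOWN>/server_with_clientAuth_eku.pem
@@ -0,0 +1,58 @@
+# Autogenerated file, do not edit.
+# Generate using jstests/ssl/x509/mkcert.py --config jstests/ssl/x509/certs.yml server_with_clientAuth_eku.pem
+#
+# General purpose server certificate file with clientAuth EKU (should be disallowed when received on egress connections)
+-----BEGIN CERTIFICATE-----
+MIIEWDCCA0CgAwIBAgIEWrZp7TANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
+BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs
+IFRlc3QgQ0EwHhcNMjUxMDA5MDM0ODQxWhcNMjgwMTExMDM0ODQxWjBsMQswCQYD
+VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp
+dHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEPMA0GA1UEAwwG
+c2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6v7UdJfLFwp0
+7Jt0i0aZzBW/WsYXEcXLkAV7xxf7BNFyLhpTTKZ/R9PVphjD7e8wSnb+w0CJK+2e
+TbQ/UkfDBIOFp3yz9Lijag51FAFDoTm5aAPNrxU5cqCDH0k5Dmm6WjlS+l7FsOez
+m8AXM7UjxBQ1IIMqDBK4egAAl8y6f5IpcWqlbBNtQFr2XB0lX/UCsQYGo2Awp7rA
+9EzMWJbw8TjloQi9hhYrE8XSoxZe5ucJZpijMuXSbdv6CKFqsT/w3/AjQ9QrtE5a
+UqpiF5LUHjc/4831kQcPgSbgOCDKFe/gI8sf4elC+QrMMz66Ha6RI1rDglDGZTHQ
+tfG1tbw33wIDAQABo4H5MIH2MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMBMGA1Ud
+JQQMMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBTgK2BSjHLxfwRnDFnG4wqoY2geCzCB
+iwYDVR0jBIGDMIGAoXikdjB0MQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlv
+cmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAOBgNVBAoMB01vbmdvREIxDzAN
+BgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVsIFRlc3QgQ0GCBCBp1p8wGgYD
+VR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQA8/HBX
+bHk1WvqcoEXMJ+tnXoj3DME/eqtCD0VXKBqzSnUKjsscXN8iY0tyyLDXSG6BI3RL
+QGaNLv2sax5IM3z86yGvJymTi6RknwT9esH0wHC7nN8E49aOCMyHAcCPN5pcRV6v
+HZWRm2E908owjQU/HrQ8RFgJPRWvNkV7AppsyRtDNurzOjjBadAjGySP2ib3o5Qe
+A02njuo1YMxS/e0uJwQuZlKUWSyet1ERlCzvLAe85diDZSi95nn+NclQWDtzk7KS
+xCQkdTGvhjj7prV8qf1g8QobSYQHmGgX9Z4+lRYy5qNVfD2XFdQ55f6/f8/bglYo
+RUczzWNx3911l+IF
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDq/tR0l8sXCnTs
+m3SLRpnMFb9axhcRxcuQBXvHF/sE0XIuGlNMpn9H09WmGMPt7zBKdv7DQIkr7Z5N
+tD9SR8MEg4WnfLP0uKNqDnUUAUOhObloA82vFTlyoIMfSTkOabpaOVL6XsWw57Ob
+wBcztSPEFDUggyoMErh6AACXzLp/kilxaqVsE21AWvZcHSVf9QKxBgajYDCnusD0
+TMxYlvDxOOWhCL2GFisTxdKjFl7m5wlmmKMy5dJt2/oIoWqxP/Df8CND1Cu0TlpS
+qmIXktQeNz/jzfWRBw+BJuA4IMoV7+Ajyx/h6UL5CswzProdrpEjWsOCUMZlMdC1
+8bW1vDffAgMBAAECggEAF6iMLyjRE4LD/sYv143GEhvmZfcnf2yQb/F9Yq/xX6zO
+eAHCfScODWcwTUaVAzFfhT+xqmqm5LtJgr0w2tHKunubSx9s5qhoG1dVRixSaLrt
+BaHMZWIXpIiwasfubJsMXeUDi51a/dJ17KpMK7KC5Uy7hIhwBUMlO3MgnCfKZulY
+wlbUGyTEFvFRuaMApTXac1452HXpV1OvGXqVwKA2sEbpd7k6S6YnPkJpsGfmpi3v
+pg7hYlOqGrA8Gfj5iuSZLpoXtTJRog/g/1u80/Vh+1xvAOOx/5RKPFPg7NdHtzJ/
+WZOMakN+a33PqU+EarNOtAoGi0Icg8/QwVpREa7AcQKBgQD+6LqcGRxBOZ7egIGq
+qPzlTKgG9cL8i0dxOb0HrzajfE53zN3kdwg4EP6Oa6squX7tDiBzmqRR1b381pFo
+z9fgEkqKbjiO+4VOxsojIrsYqZoiPy0DMR2xL4qLL+oRrKXA1MKI0RgNxW1UvX5n
+jsMbyjsex/QbrBj0sQ2U9liYwwKBgQDsAEi8CUo7opO3Nav/Pvs7YCaLt93Z+GeT
+0NhGl+rr5Temc5tduDQX7p2s3brbenCnP53/l3Bu40w1IvdtXFF7ORKIzIcYAyT1
+iay2eJkcqJbQ7HVhDzJ5YIFbSipIasFy4VnWPSFDhO4gCicm8GUoPWRzjs2pBNI4
+3DAA7pOStQKBgDY5YYDVIpqJXE8ufObFvc41KUUZwFmicxcV1i0tS20pgzOew9DW
+tUvf6ZZ4NtgGz4YzzBlrWusBkcGYDySBmgVTPsIFwkhAHtJsHRGuUKhlY6FHWRbl
+utA3Mbx7+8m4tSW43IzoFbrQNXqiOKJkzwI5WawpkrbUPBbJFv+KC7yrAoGARoXP
+NmGQTUHH4nenbh7j9FpHKnlHUltomENQXcgH63YTqyngw6DH8F7dv0qDDBMKlu/r
+xvT6JCjIHRjV11g/AROM9lQoCoTmBnmdoulm16mJZ+VBLj/cVWkBPsZq3DkKlcnB
+jsO1rPeMMQbXrEsp71xpKB8EVf2a1GL39U9VygECgYAU7PY/0OLnaykdN6+MHW5h
+1qustoZDIAM8vwsBFyIcc39aTyRG/Omcptn/AzkRneQ6jAsglvdCNNwbyaYL7a6F
+qVqnm5Om6zt+BToUSZHvuSC2QyGyzCNhhuwuIWFmO3IvpnYVSvEiecEpiwbPCpyP
+HU2aE0VZ3JoLmWmtdeTuGQ==
+-----END PRIVATE KEY-----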
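--- /dev/null
+++ b/<PATH-NOT-SHOWN>.sha1
@@ -0,0 +1 @@
+64BBE42B67A5B34F570EE010EFAFC8D5DB85AA3C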
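--- /dev/null
+++ b/<PATH-NOT-SHOWN>.sha256
@@ -0,0 +1 @@
+0405C3147FED62C7608AEFB037A60D8B858162AFDD2B1EAD1505DF9D9EA28B0C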
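--- /dev/null
+++ b/<PATH-NOT-SHOWN>/server_with_serverAuth_eku.pem
@@ -0,0 +1,58 @@
+# Autogenerated file, do not edit.
+# Generate using jstests/ssl/x509/mkcert.py --config jstests/ssl/x509/certs.yml server_with_serverAuth_eku.pem
+#
+# General purpose server certificate file with serverAuth EKU only
+-----BEGIN CERTIFICATE-----
+MIIEWDCCA0CgAwIBAgIED6TZCjANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
+BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs
+IFRlc3QgQ0EwHhcNMjUxMDA5MDQwNDE5WhcNMjgwMTExMDQwNDE5WjBsMQswCQYD
+VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp
+dHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEPMA0GA1UEAwwG
+c2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw9n51QGb+KGx
+C45ncv9ClimIM+fy33aWKXRxEWdBQhjkarAU1SNHFjh9BPWBR0wZ6ag9CCQjCcoq
+g1kN3kigtyYMx7cIgXgc4kjP4hxz1U9c7xZFxmP4MTaR0r68UFGEGIQHH5w8fUse
+A2roVXmMo+4sBx9pXNcjxWH0UwyxxfDiDIVev35C0WL4LxOBAWxb6HEm3g+PmNqk
+HWwBUNKCA4SuBp2D0Mc7gvnH16vPBuQhqd/NyW/H0eG2FVcJgGUGw5EbJ1PWfubA
+bzuDxJA0ctwC9aOvy1m+nL63xeyW2x8wftKUGmtDikmTKTtZllXRVVhEokGqXZcR
+KoDG6eyecwIDAQABo4H5MIH2MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMBMGA1Ud
+JQQMMAoGCCsGAQUFBwMBMB0GA1UdDgQWBBQY8AsDvmFFQL5yKJiFQE+idKI/9DCB
+iwYDVR0jBIGDMIGAoXikdjB0MQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlv
+cmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAOBgNVBAoMB01vbmdvREIxDzAN
+BgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVsIFRlc3QgQ0GCBCBp1p8wGgYD
+VR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQBJahE4
+kdGcrdVlZz9km5oDZKvfGRzg8CeOBkWHPksdHwX4anAebdkD0JI8MpwawybhxXSi
+TILdWc8t1PZzzVCw/g1j5gE61sz+fRgkx9qVIf0j/r3YM0C/I0Tbb1mJB52FMy4x
+sFu0xmZgzW8BR2c/BW0982DybxGxh4GIzmQ4J3Wkyz6hYb9m5Gc7gzqmTvnawWmu
+522n0/FR0WbxADnjdvCO5yb1naUzETihKZZaAtY60w/iaEXC/QaBiDzFuyHgjNrs
+x/6Q39IBljnS6pF512DJ7334eooVjtjanx19ep82fKM20/M7Qqszq2LDddF/CGej
+u3Kd03McYYDz2vUf
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDD2fnVAZv4obEL
+jmdy/0KWKYgz5/LfdpYpdHERZ0FCGORqsBTVI0cWOH0E9YFHTBnpqD0IJCMJyiqD
+WQ3eSKC3JgzHtwiBeBziSM/iHHPVT1zvFkXGY/gxNpHSvrxQUYQYhAcfnDx9Sx4D
+auhVeYyj7iwHH2lc1yPFYfRTDLHF8OIMhV6/fkLRYvgvE4EBbFvocSbeD4+Y2qQd
+bAFQ0oIDhK4GnYPQxzuC+cfXq88G5CGp383Jb8fR4bYVVwmAZQbDkRsnU9Z+5sBv
+O4PEkDRy3AL1o6/LWb6cvrfF7JbbHzB+0pQaa0OKSZMpO1mWVdFVWESiQapdlxEq
+gMbp7J5zAgMBAAECggEAVoLxpZKJaAFcaENmFNkGe7gqzurVULpcSEGENHDM1bqT
+I0FWYnOr0ffv2YHssia+h4TmOLNlusxPjSeIRbkFLQGkwY9rNW1uLNKG6VUyIXZm
+EcJf3euI1YxKS7IvErd/RykC0Ia9/YZx4oaVzDPd2Qe68QaCDx2FUoobV5gS6uDf
+nBguBweNZ9K8YZUKrh68QaQ5qe8vXVU5qvaZ5PwCfTjsx9EtgpaxR72Go9Q7TdNk
+NgINKRD+0AH0RrBOMZs8XG+DrjMZT7An8DgZjcsxL2O1UidIvmwGfmiB2VAU5tXq
+BNfFkIaqEh2Fmsar/s2bdbTnj+jNZ7RiHCWYFqYOOQKBgQDrCmbgXapCPNYbyrBz
+gPggV2WMjcHHbvLjJLbYrUznnTj+nNV/LPeBsbfmUuQ9tjvqseMqKT2dBNZJG46H
+s6IjdUf6oIvY2YOGrmTP+qSbOKh/4MGbVNbJmUBBS3y8KDVu5txAtKxCe4OWBYL2
+V5BrPKr5+5EOjniXWFHcYxgDlwKBgQDVUPLekS2SEHM/1tlIfi+/gv+HefTTfLdP
+ot1sPUdDfvtl+SWKTlT1LXUma9fR9TjDqxftdwVcLlbCA7V8ifle6wgIHPUT05a/
+wAHQiep5xGTVMPs0RjihmfE6DgDD0EYiB7lAX4uII3qRdDnKlPf6r1NNLE50s0GV
+suGUrydnhQKBgBk+mcQZa1MH87sybvdI792RZX/OLfT8rqvE4rqtCmiKE3gNYkTx
+kHfmnajoWElkjFTt3EdH/K0jutxJUGq02YJTc3Kw0bRt0Fmj24IXGpztXfO2MTU8
+zIEEq8kXkYMoEm0h8KAmh6XwXDa9ys4oo4NRFdAZu//DP6KJwukX35lrAoGALfWK
+3jkZQGca7Z40olHNp81pkJ7OCOLN+/JzEmcBe6FYONg9JldKJqjsnKKPlUToPgAW
+36rNFNdHCfYSnAp+F907lcPnaaYkzJtpyKxuQF33+5baCKE4gljQiFmMAKRW9+4C
+E8SCI4rBVaVc7jC6XOB5ah8pqCsW7lHkGEzEiKECgYEApK/sG4vRXijPuJ23C6XG
+D3ci9okqhSHdIXBRLsBnV5Ymh3h9uYs6ow2zSpKK0LlPAD53F3rf2+H3UTdwNkSx
+QKS7nWlxL1AwPM1VxPApL8yDopAMaMckcrelV7MYJIB/TneCZB1OMHVNgEQwsda+
+Q/1K4OpKFULqbFXZWxVpVho=
+-----END PRIVATE KEY-----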
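--- /dev/null
+++ b/<PATH-NOT-SHOWN>.sha1
@@ -0,0 +1 @@
+74E0F9984EF326186FB48CD3BBE72163375B9151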
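--- /dev/null
+++ b/<PATH-NOT-SHOWN>.sha256
@@ -0,0 +1 @@
+82B4428B137FD51730E2B7CAA2F41D6F96055C9696E2F59C41C03EC7BEBBF8EE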
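--- /dev/null
+++ b/<PATH-NOT-SHOWN>/server_without_eku.pem
@@ -0,0 +1,57 @@
+# Autogenerated file, do not edit.
+# Generate using jstests/ssl/x509/mkcert.py --config jstests/ssl/x509/certs.yml server_without_eku.pem
+#
+# General purpose server certificate file without any EKUs
+-----BEGIN CERTIFICATE-----
+MIIEQzCCAyugAwIBAgIEBbY+XjANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
+BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs
+IFRlc3QgQ0EwHhcNMjUxMDA5MDgwODM3WhcNMjgwMTExMDgwODM3WjBsMQswCQYD
+VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp
+dHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEPMA0GA1UEAwwG
+c2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwVasCwZMM5AK
+zXpDuzQFvzslfnndfMjCuwcDFZ0SpdLTk1v7Z3rrl55gNzTpzB8ydUgCHSVVtOuo
+rzV3zAc0NsihzwP4y842JCsrjM4vz9Mb+Q/I5NZwSYvjdzGZ3VoggrGyMtGjqcAz
+gsmOZcR4tB9A3XYGAMDo3LYfv4vCxwcshIuWjIBwnYZj2qYSn8LiFgZNuUzjJAhW
+ZrdF66+2tikOFGdo4pUcDTFoDU/PcAuflzpNiE8GVt0T+ApAB4mXJhi1pQkVdsMX
+7drYs3zpJAQa498eKhf2NIfMGr701MTzfOUiwx2Aa19rDflugMszQGQUFkciM3TP
+DZm/DtG8sQIDAQABo4HkMIHhMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMB0GA1Ud
+DgQWBBRxQ8UJdALXGLzMJkVgjjcJWFaoejCBiwYDVR0jBIGDMIGAoXikdjB0MQsw
+CQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3Jr
+IENpdHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UE
+AwwOS2VybmVsIFRlc3QgQ0GCBCBp1p8wGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/
+AAABMA0GCSqGSIb3DQEBCwUAA4IBAQDFehyIdRiknLXi6Jujk5moe0oqYVxZXoks
+grUnRt+M+ZF5NRWzLUN8vcyN4oX2NJuwsqJMN/PSCbjyJcJ2zgwIegZPirU65hpJ
++9dMs/c1yVe47gbEuVIfndy7pxHRZXNQ1DVnmMDhQxznBg7gStod6hxlAcoxGikV
+iiAQQX0aamHngKqcaQfjuMYE3d54/C0nWnGYXkrGa5SumJIaOPVs/FKHmWrAbzZj
+V3bE9fsULJ6KOJbsjBcjCYIK0+HnCqJwyFSd8wF6fjX5BxAx2WxvSStkp3k8SrKP
+CRL+r7h1ZqdMiq6oy9fK2Abx+P9pxIUO6fRlVqGNsp0eavAcnbYI
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDBVqwLBkwzkArN
+ekO7NAW/OyV+ed18yMK7BwMVnRKl0tOTW/tneuuXnmA3NOnMHzJ1SAIdJVW066iv
+NXfMBzQ2yKHPA/jLzjYkKyuMzi/P0xv5D8jk1nBJi+N3MZndWiCCsbIy0aOpwDOC
+yY5lxHi0H0DddgYAwOjcth+/i8LHByyEi5aMgHCdhmPaphKfwuIWBk25TOMkCFZm
+t0Xrr7a2KQ4UZ2jilRwNMWgNT89wC5+XOk2ITwZW3RP4CkAHiZcmGLWlCRV2wxft
+2tizfOkkBBrj3x4qF/Y0h8wavvTUxPN85SLDHYBrX2sN+W6AyzNAZBQWRyIzdM8N
+mb8O0byxAgMBAAECggEAAPyewy2kjOzSyUqy9s0krF2yastXcJAbwlWeU+lp03PY
+hZuGFHihpDP4PL/l45dTLBsSe7CZl+NOCJrmwiFVSGRMwyA7kFq8lwGrZrwUrWRf
+86z7cwOPLijrH8weg2021kPu62h7g93JxYSe1/EhRpYUQC0eiblyVtINJm6hr19d
+OR61/pLs4+1lahQbnL8Il0apSy66OC6SX3ZaiyLRj3k/iv9DOJQfv/QnK7UO/AhH
++GJuTH6juSUBpLpmYHpkUHY5Vz/0vfHeaqUNCfLn4RJAGE+IoFl/0tgM3HtyYOru
+MWVWCkPGn22iqAnu9oyR6EI721FTe4mZbufcTRh8GQKBgQDwq234YadS+ig37DPZ
+wepeweoL7snMlN7wg3Mlg/aY0nXIsRpnSfTT9cUa/ZtaD+RdnBBRipDg/bTvyvAR
+nNJXXpNjmntCI4cluBcDx7JEgoMGoLjdEFiZnCgnXpRWzhafVjgvq9ETQ2ww+ISx
+QrQMMhcESeoe+xsoORdVjowwHQKBgQDNp2uX06mxdTq0j4eBTRag8Gzx7zs5EW0W
+RKvSu6GfxTveQ7BUwU6GBeUgZaDLyZB8yLp9YzHs4TVQYqQ90RAvb9y32VikVXIB
+44SNXRn8RxjeQqsV8wCqAzuELxyQvJdIzeBGbxGVLeAHcHXiwbNPv79jj8NV+q3c
+BB3/J6iCpQKBgHhepU/XN6LOrxLZNk2xKRFflzmEorWJt78/X3Xh/JIOoQ5RVc1X
+NfZVM9H+CZcP373Z8md2EGQXQEm2jD+i2akNClaEyyUXM97vpcMkO8r8I6BK/mrC
+ZC3f5k1ahoKr7LCgpNVi79zcmd4cTfGCVR7MZqqkdU4tdTW26C7IbuEZAoGAS6gh
+7vMRZJWKCU8cPLdNcdvBWKf4E6CTjzOoOpiIdyyqP7SLNEMBTlDw4CBDLXVz0FRQ
+Nzy86zZW1MHVRmCZIbp3arNs5tgAXy2CYDc2Dhdh0LKaGjMRtXoG9TQXwC+BQGls
+7ryBrW35EwOOeuNjwhz6nfgPlpvoRh7Fok7GsXkCgYEA5FHEKNudaKZYgiuG0xy7
+vvkci//4sUyeejmmrZQThKVLlZG1hVfRe1Qwt984ec1JT7TmCl0PK43+sIOKW/WR
+qNGsj+fpXzS2nGvgjKHdqtElfOxhkmLDHcSNuY7yyMiu+P37b8y26Cq0PQzf/AUa
+Nr6W0Q9vZM7uzwAP4owhc1I=
+-----END PRIVATE KEY-----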
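--- /dev/null
+++ b/<PATH-NOT-SHOWN>.sha1
@@ -0,0 +1 @@
+92983FF22349BE923C82F4FC770DB516850D32AA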
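--- /dev/null
+++ b/<PATH-NOT-SHOWN>.sha256
@@ -0,0 +1 @@
+569B0E81E9B97795A5CEBF280C057DA1CD4C6686AB95004A503D340B014EDDA5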
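--- /dev/null
+++ b/<PATH-NOT-SHOWN>/trusted-cluster-server.pem
@@ -0,0 +1,55 @@
+# Autogenerated file, do not edit.
+# Generate using jstests/ssl/x509/mkcert.py --config jstests/ssl/x509/certs.yml trusted-cluster-server.pem
+#
+# Server cluster certificate for trusted chain.
+-----BEGIN CERTIFICATE-----
+MIIDwDCCAqigAwIBAgIEM3DEYjANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
+BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEfMB0GA1UEAwwWVHJ1c3Rl
+ZCBLZXJuZWwgVGVzdCBDQTAeFw0yNTEwMDgwNzEwMDdaFw0yODAxMTAwNzEwMDda
+MIGIMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5l
+dyBZb3JrIENpdHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEr
+MCkGA1UEAwwiVHJ1c3RlZCBLZXJuZWwgVGVzdCBDbHVzdGVyIFNlcnZlcjCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJXIXWF/E05pGH+AvEtLz9cVxNRD
+uO/7+kFehQ0TMbOV2N9lgsF7UB66ogmy+LGnHz46NxUmdD8Ry+c5Rx3BSvXJ7gTw
+kaUCT4W7q4rv1EXHusNS/lIqU5yaG3VNhPa0jiPfr+RZnlq+vlEhZStc8VXsKC9A
+5Ux6lV3oM78QvrPrllX0uCXDPfOqSsOKbCjdCY0LroNpKAqIva+hn78JO+JRw2W1
+dRV7B437CNONXCGzDnYt0AnLbste4gc0eiTRHHKW/WJ12RjuoO23/nFB+ZRS2k6u
+demZiMs0nXXTVXcVoecFEgwFpQgMejyR6W7fpTVqb/qTl+LmL6yeBtF+EUUCAwEA
+AaM9MDswHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBoGA1UdEQQTMBGC
+CWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEABuZSd6LMKMEwPTFX
+YFAR6bqV9uoGL7TwTw//LiG6UhGkpj6sPlzzusOHF+V6Ze3p+v1W3dTi9kLz2sIz
+eVMwmVmwpaROOap4bSLPAtAEYZ9Bd4t4deXyY1vyciy4YOKHxfzxNWpuDNbsQeVB
+devGZ7lxGrOgKHOuUtvj6Z0K5k+wlLXB9kNNPIIqcCtVBQ9jBbTM28z6NcoPfQwy
+S1TYFpHHa0g8kl6W3Qt9fPY+3n6wG+XMxy5kMigUxSbtrfLyrlLbw4pgzoGKQSiv
+C2YCefIJPHE6pC/MSrXQwMEQKcIYCeWhhynJkYafkdgkIAOa4oLd0WqRWYIVBy06
+4UwTFg==
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEuwIBADANBgkqhkiG9w0BAQEFAASCBKUwggShAgEAAoIBAQCVyF1hfxNOaRh/
+gLxLS8/XFcTUQ7jv+/pBXoUNEzGzldjfZYLBe1AeuqIJsvixpx8+OjcVJnQ/Ecvn
+OUcdwUr1ye4E8JGlAk+Fu6uK79RFx7rDUv5SKlOcmht1TYT2tI4j36/kWZ5avr5R
+IWUrXPFV7CgvQOVMepVd6DO/EL6z65ZV9Lglwz3zqkrDimwo3QmNC66DaSgKiL2v
+oZ+/CTviUcNltXUVeweN+wjTjVwhsw52LdAJy27LXuIHNHok0Rxylv1iddkY7qDt
+t/5xQfmUUtpOrnXpmYjLNJ1101V3FaHnBRIMBaUIDHo8kelu36U1am/6k5fi5i+s
+ngbRfhFFAgMBAAECggEAHBGn2kD/o7aTNjWwU6X55ZM5RxQH4MVGQSDO60PZEQ/4
+S+kQh2St/4w3GH03GMe6VaWANBD4QOd7YDH+L0fNXeFBHyDcEmGr+GJSg99s1sTW
+rYrsiQZQk+zXT3S/AaKVboiZREA9KkFLlhWdiXJJ8bGnWC+fqOTh/+6nX9tp+XpX
+nhrQ/otRKdUsHmvD14Teo2DD5+YbtMQKOya5zT1+1VVY/s//sJ3uQJ+WCXzC+bSJ
+C3GD7Mz97fUBiPv43KwLZWOOERfbHfTJAEjc+dL9+Qa966tdV2CI6KO2jqkBXpjk
+BM4Y3yuESVh3XuthOi8Lq18uMZmlu9SuPuNX/DzKUQKBgQDTgjJQaC6qiFtG801Y
+uCp7t4naxdDji0xdPiuVoDKKvh5KHK3QGaE6TpBTJ0TWaQarpYU2j6HX85JfPjSF
+L7Pr8qVLjpF7UgJk4EKyloc2+PcbhB9apMmgAn/AB3T2TMAnTOKcVMVqPd4k46yR
+GubQNYCKJ7UQlAiaQNXDsZfG3QKBgQC1SjV2ywdnMdrG/4Ft9ht931utD3tIAwzq
+CGgLJH3fY2BlnYMdsOmtbXx548vHsci6p1VZkn1TnvfTW/Z8frL8a+npApMZprMP
+NFielO7QEmq5GkMLlBCisPOqOBwGBbch373vKPA4L+Vs/LTbpWpn1DzIssMHIvVt
+k1p6RERpiQKBgQCLQJD3t1/iDtxpng4ydy4hPfmY+9xHs5KXYTM407vy9LDkgnU9
+KWKpDMigtp3vvD4UDGnkPjSEBW09H6tcdMe0dJC3aioGUzwYRj4jbk+ftdKbXyV1
+fEDzBDIvr7kl3+oy9b/MxVMkW49CIlOfRWLpehAi5XmkbJItXLpgmTAgUQKBgHUC
+3Nc73B9jMk5XA/cxbjUkQUvGPlAQh/lWS7FFcGkK/2EW9VXopirmC/2wZgsSWPkA
+oDocLwAWDudA6Csaq/P4wxU+MCvSSKh7pOdWQX3TJUcsCDIk80fO5rbrWEsazUTz
+4OfIiKP7Zh2eTi2m6rLxbfosR20Hx1leTnu0LGPhAn8/YcQs2mWlVlf+gtEZeugw
+rBitANiDj9RNpwV8/DcUv1hLAR+5UAznmdFAceiMAnUtvSNQE828FgnAx8T/mj/7
+gUz8RbQmivyrDgFpMiOGfaxcwdIsUoLpaDt7rAtIhjPc+RWPgWvAKUkqh5kCqJ0z
+EfYAkbt/bh/xvHqg/oaq
+-----END PRIVATE KEY-----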
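--- /dev/null
+++ b/<PATH-NOT-SHOWN>.sha1
@@ -0,0 +1 @@
+8BB1CDC8CE7C1122B33BE5C1079759F71ED6CD9E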
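--- /dev/null
+++ b/<PATH-NOT-SHOWN>.sha256
@@ -0,0 +1 @@
+20FED02617F3F23B3F4D30AD86459A4E92E4477CCB70E77F4787CF721FFF43B1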
Binary file not shown.
|
|
@ -142,6 +142,32 @@ certs:
|
||||||
keyUsage: [digitalSignature, keyEncipherment]
|
keyUsage: [digitalSignature, keyEncipherment]
|
||||||
extendedKeyUsage: [clientAuth]
|
extendedKeyUsage: [clientAuth]
|
||||||
|
|
||||||
|
- name: "client_with_serverAuth_eku.pem"
|
||||||
|
description: Client certificate configured with serverAuth EKU (should be disallowed when received on ingress connections)
|
||||||
|
Subject: {OU: "KernelUser", CN: "client"}
|
||||||
|
extensions:
|
||||||
|
basicConstraints: {CA: false}
|
||||||
|
subjectKeyIdentifier: hash
|
||||||
|
keyUsage: [digitalSignature, keyEncipherment]
|
||||||
|
extendedKeyUsage: [serverAuth]
|
||||||
|
|
||||||
|
- name: "client_without_eku.pem"
|
||||||
|
description: Client certificate configured with no EKUs
|
||||||
|
Subject: {OU: "KernelUser", CN: "client"}
|
||||||
|
extensions:
|
||||||
|
basicConstraints: {CA: false}
|
||||||
|
subjectKeyIdentifier: hash
|
||||||
|
keyUsage: [digitalSignature, keyEncipherment]
|
||||||
|
|
||||||
|
- name: "client_with_serverAuth_and_clientAuth_eku.pem"
|
||||||
|
description: Client certificate configured with both serverAuth and clientAuth EKUs
|
||||||
|
Subject: {OU: "KernelUser", CN: "client"}
|
||||||
|
extensions:
|
||||||
|
basicConstraints: {CA: false}
|
||||||
|
subjectKeyIdentifier: hash
|
||||||
|
keyUsage: [digitalSignature, keyEncipherment]
|
||||||
|
extendedKeyUsage: [clientAuth, serverAuth]
|
||||||
|
|
||||||
# Special case certificate, see mkcert.py
|
# Special case certificate, see mkcert.py
|
||||||
- name: "client-multivalue-rdn.pem"
|
- name: "client-multivalue-rdn.pem"
|
||||||
description: Client certificate containing multivalue RDNs
|
description: Client certificate containing multivalue RDNs
|
||||||
|
|
@ -289,6 +315,44 @@ certs:
|
||||||
DNS: localhost
|
DNS: localhost
|
||||||
IP: 127.0.0.1
|
IP: 127.0.0.1
|
||||||
|
|
||||||
|
- name: "server_with_clientAuth_eku.pem"
|
||||||
|
description: General purpose server certificate file with clientAuth EKU (should be disallowed when received on egress connections)
|
||||||
|
Subject: {CN: "server"}
|
||||||
|
extensions:
|
||||||
|
basicConstraints: {CA: false}
|
||||||
|
subjectKeyIdentifier: hash
|
||||||
|
keyUsage: [digitalSignature, keyEncipherment]
|
||||||
|
extendedKeyUsage: [clientAuth]
|
||||||
|
authorityKeyIdentifier: issuer
|
||||||
|
subjectAltName:
|
||||||
|
DNS: localhost
|
||||||
|
IP: 127.0.0.1
|
||||||
|
|
||||||
|
- name: "server_with_serverAuth_eku.pem"
|
||||||
|
description: General purpose server certificate file with serverAuth EKU only
|
||||||
|
Subject: {CN: "server"}
|
||||||
|
extensions:
|
||||||
|
basicConstraints: {CA: false}
|
||||||
|
subjectKeyIdentifier: hash
|
||||||
|
keyUsage: [digitalSignature, keyEncipherment]
|
||||||
|
extendedKeyUsage: [serverAuth]
|
||||||
|
authorityKeyIdentifier: issuer
|
||||||
|
subjectAltName:
|
||||||
|
DNS: localhost
|
||||||
|
IP: 127.0.0.1
|
||||||
|
|
||||||
|
- name: "server_without_eku.pem"
|
||||||
|
description: General purpose server certificate file without any EKUs
|
||||||
|
Subject: {CN: "server"}
|
||||||
|
extensions:
|
||||||
|
basicConstraints: {CA: false}
|
||||||
|
subjectKeyIdentifier: hash
|
||||||
|
keyUsage: [digitalSignature, keyEncipherment]
|
||||||
|
authorityKeyIdentifier: issuer
|
||||||
|
subjectAltName:
|
||||||
|
DNS: localhost
|
||||||
|
IP: 127.0.0.1
|
||||||
|
|
||||||
- name: "server_no_subject.pem"
|
- name: "server_no_subject.pem"
|
||||||
description: Server certificate with empty Subject, but critical SAN.
|
description: Server certificate with empty Subject, but critical SAN.
|
||||||
explicit_subject: true
|
explicit_subject: true
|
||||||
|
|
@ -881,6 +945,20 @@ certs:
|
||||||
DNS: localhost
|
DNS: localhost
|
||||||
IP: 127.0.0.1
|
IP: 127.0.0.1
|
||||||
|
|
||||||
|
# trusted-cluster-server.pfx created by mkspecial.sh
|
||||||
|
- name: "trusted-cluster-server.pem"
|
||||||
|
description: Server cluster certificate for trusted chain.
|
||||||
|
Subject: {CN: "Trusted Kernel Test Cluster Server"}
|
||||||
|
Issuer: "trusted-ca.pem"
|
||||||
|
pkcs12:
|
||||||
|
passphrase: "qwerty"
|
||||||
|
name: "trusted-cluster-server.pfx"
|
||||||
|
extensions:
|
||||||
|
extendedKeyUsage: [clientAuth, serverAuth]
|
||||||
|
subjectAltName:
|
||||||
|
DNS: localhost
|
||||||
|
IP: 127.0.0.1
|
||||||
|
|
||||||
- name: "trusted-client-testdb-roles.pem"
|
- name: "trusted-client-testdb-roles.pem"
|
||||||
description: Client certificate with X509 role grants via trusted chain.
|
description: Client certificate with X509 role grants via trusted chain.
|
||||||
Subject: {OU: "Kernel Users", CN: "Trusted Kernel Test Client With Roles"}
|
Subject: {OU: "Kernel Users", CN: "Trusted Kernel Test Client With Roles"}
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,120 @@
|
||||||
|
// Test server's adherence to serverAuth and clientAuth EKUs on X.509 certs.
|
||||||
|
|
||||||
|
import {ReplSetTest} from "jstests/libs/replsettest.js";
|
||||||
|
import {isMacOS} from "jstests/ssl/libs/ssl_helpers.js";
|
||||||
|
|
||||||
|
const kServerAuthClientCert = "jstests/libs/client_with_serverAuth_eku.pem";
|
||||||
|
const kBothEKUsClientCert = "jstests/libs/client_with_serverAuth_and_clientAuth_eku.pem";
|
||||||
|
const kNoEKUsClientCert = "jstests/libs/client_without_eku.pem";
|
||||||
|
const kClientAuthClientCert = "jstests/libs/client.pem";
|
||||||
|
|
||||||
|
const kClientAuthServerCert = "jstests/libs/server_with_clientAuth_eku.pem";
|
||||||
|
const kBothEKUsServerCert = "jstests/libs/server.pem";
|
||||||
|
const kNoEKUsServerCert = "jstests/libs/server_without_eku.pem";
|
||||||
|
const kServerAuthServerCert = "jstests/libs/server_with_serverAuth_eku.pem";
|
||||||
|
|
||||||
|
const kCACert = "jstests/libs/ca.pem";
|
||||||
|
|
||||||
|
function testClientAuthEKU(conn, clientCert, shouldFail) {
|
||||||
|
clearRawMongoProgramOutput();
|
||||||
|
const exitCode = runMongoProgram(
|
||||||
|
"mongo",
|
||||||
|
"--tls",
|
||||||
|
"--tlsAllowInvalidHostnames",
|
||||||
|
"--tlsCertificateKeyFile",
|
||||||
|
clientCert,
|
||||||
|
"--tlsCAFile",
|
||||||
|
"jstests/libs/ca.pem",
|
||||||
|
"--port",
|
||||||
|
conn.port,
|
||||||
|
"--eval",
|
||||||
|
";",
|
||||||
|
);
|
||||||
|
|
||||||
|
let expectedFailureRegex = /unsuitable|unsupported certificate purpose/;
|
||||||
|
|
||||||
|
if (isMacOS()) {
|
||||||
|
expectedFailureRegex = /Certificate trust failure: Invalid Extended Key Usage for policy/;
|
||||||
|
} else if (_isWindows()) {
|
||||||
|
expectedFailureRegex = /The certificate is not valid for the requested usage./;
|
||||||
|
}
|
||||||
|
|
||||||
|
assert.soon(function () {
|
||||||
|
const output = rawMongoProgramOutput(".*");
|
||||||
|
clearRawMongoProgramOutput();
|
||||||
|
|
||||||
|
const isRegexPresent = expectedFailureRegex.test(output);
|
||||||
|
return (shouldFail && isRegexPresent) || (!shouldFail && !isRegexPresent);
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
function testServerAuthEKU(serverCert, shouldFail) {
|
||||||
|
const origSkipCheck = TestData.skipCheckDBHashes;
|
||||||
|
const rst = new ReplSetTest({
|
||||||
|
nodes: 2,
|
||||||
|
});
|
||||||
|
rst.startSet({
|
||||||
|
tlsMode: "requireTLS",
|
||||||
|
tlsCertificateKeyFile: serverCert,
|
||||||
|
tlsCAFile: kCACert,
|
||||||
|
tlsClusterFile: kBothEKUsServerCert,
|
||||||
|
tlsAllowInvalidHostnames: "",
|
||||||
|
});
|
||||||
|
|
||||||
|
if (shouldFail) {
|
||||||
|
const oldTimeout = ReplSetTest.kDefaultTimeoutMS;
|
||||||
|
const shortTimeout = 5 * 1000;
|
||||||
|
ReplSetTest.kDefaultTimeoutMS = shortTimeout;
|
||||||
|
rst.timeoutMS = shortTimeout;
|
||||||
|
MongoRunner.runHangAnalyzer.disable();
|
||||||
|
try {
|
||||||
|
assert.throws(function () {
|
||||||
|
rst.initiate();
|
||||||
|
});
|
||||||
|
} finally {
|
||||||
|
ReplSetTest.kDefaultTimeoutMS = oldTimeout;
|
||||||
|
MongoRunner.runHangAnalyzer.enable();
|
||||||
|
}
|
||||||
|
TestData.skipCheckDBHashes = true;
|
||||||
|
} else {
|
||||||
|
rst.initiate();
|
||||||
|
assert.commandWorked(rst.getPrimary().getDB("admin").runCommand({hello: 1}));
|
||||||
|
}
|
||||||
|
|
||||||
|
rst.stopSet();
|
||||||
|
TestData.skipCheckDBHashes = origSkipCheck;
|
||||||
|
}
|
||||||
|
|
||||||
|
// clientAuth tests against standalone.
|
||||||
|
{
|
||||||
|
const mongod = MongoRunner.runMongod({
|
||||||
|
auth: "",
|
||||||
|
tlsMode: "requireTLS",
|
||||||
|
// Server PEM file is server.pem to match the shell's ca.pem.
|
||||||
|
tlsCertificateKeyFile: "jstests/libs/server.pem",
|
||||||
|
tlsCAFile: "jstests/libs/ca.pem",
|
||||||
|
tlsAllowInvalidCertificates: "",
|
||||||
|
});
|
||||||
|
testClientAuthEKU(mongod, kClientAuthClientCert, false /* shouldFail */);
|
||||||
|
testClientAuthEKU(mongod, kNoEKUsClientCert, false /* shouldFail */);
|
||||||
|
testClientAuthEKU(mongod, kBothEKUsClientCert, false /* shouldFail */);
|
||||||
|
testClientAuthEKU(mongod, kServerAuthClientCert, true /* shouldFail */);
|
||||||
|
MongoRunner.stopMongod(mongod);
|
||||||
|
}
|
||||||
|
|
||||||
|
// serverAuth tests via replica set setup.
|
||||||
|
{
|
||||||
|
testServerAuthEKU(kServerAuthServerCert, false /* shouldFail */);
|
||||||
|
testServerAuthEKU(kBothEKUsServerCert, false /* shouldFail */);
|
||||||
|
testServerAuthEKU(kClientAuthServerCert, true /* shouldFail */);
|
||||||
|
|
||||||
|
// MacOS/Secure Transport's standard SSL cert verification policy is stricter than
|
||||||
|
// Windows and OpenSSL in that it requires server certificates to include the serverAuth
|
||||||
|
// EKU extension. Windows and OpenSSL accept server certificates that omit the EKU extension
|
||||||
|
// entirely and only care that serverAuth is specified if any EKU exists.
|
||||||
|
let shouldFailNoEKUsServerCert = false;
|
||||||
|
if (isMacOS()) {
|
||||||
|
shouldFailNoEKUsServerCert = true;
|
||||||
|
}
|
||||||
|
testServerAuthEKU(kNoEKUsServerCert, shouldFailNoEKUsServerCert /* shouldFail */);
|
||||||
|
}
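Review bot: `exitCode` from `runMongoProgram` in `testClientAuthEKU` is assigned but never checked, so when `shouldFail` is false the `assert.soon` callback returns true on any output that lacks the failure regex (including empty output) and the test never confirms the connection actually succeeded; pin it after the call with `assert.eq(exitCode !== 0, shouldFail, "unexpected mongo shell exit code " + exitCode);`, which also makes the success cases meaningful. Similarly, the `shouldFail` branch of `testServerAuthEKU` only asserts that `rst.initiate()` throws within the shortened 5 s timeout, so any unrelated initiate failure would pass; consider also checking a node's log for the same platform-specific failure message before `rst.stopSet()`. As a style point, the hard-coded `"jstests/libs/ca.pem"` in the `--tlsCAFile` argument and in the standalone `MongoRunner.runMongod` options could use the `kCACert` constant the file already defines.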
|
||||||
|
|
@ -33,6 +33,7 @@ try {
|
||||||
tlsMode: "requireTLS",
|
tlsMode: "requireTLS",
|
||||||
tlsCertificateKeyFile: "jstests/libs/trusted-server.pem",
|
tlsCertificateKeyFile: "jstests/libs/trusted-server.pem",
|
||||||
tlsCAFile: "jstests/libs/trusted-ca.pem",
|
tlsCAFile: "jstests/libs/trusted-ca.pem",
|
||||||
|
tlsClusterFile: "jstests/libs/trusted-client.pem",
|
||||||
tlsAllowInvalidCertificates: "",
|
tlsAllowInvalidCertificates: "",
|
||||||
tlsWeakCertificateValidation: "",
|
tlsWeakCertificateValidation: "",
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
@ -14,14 +14,20 @@ import {
|
||||||
|
|
||||||
const clientThumbprint = cat("jstests/libs/trusted-client.pem.digest.sha1");
|
const clientThumbprint = cat("jstests/libs/trusted-client.pem.digest.sha1");
|
||||||
const serverThumbprint = cat("jstests/libs/trusted-server.pem.digest.sha1");
|
const serverThumbprint = cat("jstests/libs/trusted-server.pem.digest.sha1");
|
||||||
|
const clusterServerThumbprint = cat("jstests/libs/trusted-cluster-server.pem.digest.sha1");
|
||||||
const CLIENT = "CN=Trusted Kernel Test Client,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US";
|
const CLIENT = "CN=Trusted Kernel Test Client,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US";
|
||||||
const SERVER = "CN=Trusted Kernel Test Server,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US";
|
const SERVER = "CN=Trusted Kernel Test Server,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US";
|
||||||
|
const CLUSTER_SERVER = "CN=Trusted Kernel Test Cluster Server,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US";
|
||||||
|
|
||||||
const testCases = [
|
const testCases = [
|
||||||
|
// Configure server with only a certificateSelector - we expect this to be used instead of
|
||||||
|
// the --tlsCertificateKeyFile by the server for both ingress (server) and egress (client)
|
||||||
|
// traffic for both cluster and other communication
|
||||||
|
//
|
||||||
{
|
{
|
||||||
selector: `thumbprint=${serverThumbprint}`,
|
selector: `thumbprint=${clusterServerThumbprint}`,
|
||||||
expectIngressKeyUsed: SERVER,
|
expectIngressKeyUsed: CLUSTER_SERVER,
|
||||||
expectEgressKeyUsed: SERVER,
|
expectEgressKeyUsed: CLUSTER_SERVER,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
selector: `thumbprint=${serverThumbprint}`,
|
selector: `thumbprint=${serverThumbprint}`,
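Review bot: The first test case now selects `trusted-cluster-server.pem`, but the comment above it still only says the selector is expected to serve both ingress and egress traffic without saying why the certificate had to change; the reason is that this certificate carries both the clientAuth and serverAuth EKUs (per the certs.yml entry in this commit), which a single certificate used for both server-side and client-side validation now requires. Suggest extending the comment with `// trusted-cluster-server.pem carries both clientAuth and serverAuth EKUs, which a certificate used for both ingress and egress traffic now requires.` so the next reader does not revert it to `serverThumbprint`. The `testCases` array continues outside the hunk.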
|
||||||
|
|
@ -141,6 +147,7 @@ requireSSLProvider("windows", function () {
|
||||||
};
|
};
|
||||||
assert.eq(0, importPfx("jstests\\libs\\trusted-client.pfx"));
|
assert.eq(0, importPfx("jstests\\libs\\trusted-client.pfx"));
|
||||||
assert.eq(0, importPfx("jstests\\libs\\trusted-server.pfx"));
|
assert.eq(0, importPfx("jstests\\libs\\trusted-server.pfx"));
|
||||||
|
assert.eq(0, importPfx("jstests\\libs\\trusted-cluster-server.pfx"));
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
|
|
|
||||||
|
|
@ -1250,8 +1250,9 @@ CFUniquePtr<::CFArrayRef> CreateSecTrustPolicies(const std::string& remoteHost,
|
||||||
CFUniquePtr<::CFMutableArrayRef> policiesMutable(
|
CFUniquePtr<::CFMutableArrayRef> policiesMutable(
|
||||||
::CFArrayCreateMutable(nullptr, 2, &::kCFTypeArrayCallBacks));
|
::CFArrayCreateMutable(nullptr, 2, &::kCFTypeArrayCallBacks));
|
||||||
|
|
||||||
// Basic X509 policy.
|
// SSL certificate chain validation policy.
|
||||||
CFUniquePtr<::SecPolicyRef> cfX509Policy(::SecPolicyCreateBasicX509());
|
bool isValidatingServerCert = !remoteHost.empty();
|
||||||
|
CFUniquePtr<::SecPolicyRef> cfX509Policy(::SecPolicyCreateSSL(isValidatingServerCert, nullptr));
|
||||||
::CFArrayAppendValue(policiesMutable.get(), cfX509Policy.get());
|
::CFArrayAppendValue(policiesMutable.get(), cfX509Policy.get());
|
||||||
|
|
||||||
// Set Revocation policy.
|
// Set Revocation policy.
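Review bot: Replacing `SecPolicyCreateBasicX509()` with `SecPolicyCreateSSL(isValidatingServerCert, nullptr)` is a behaviour change that the new comment "SSL certificate chain validation policy." does not record: the new JS test in this commit notes that Secure Transport's SSL policy, unlike the basic X.509 policy, rejects server certificates that omit the EKU extension entirely, so macOS clients will now refuse such servers. Suggest stating that in the comment, e.g. `// SSL policy: requires the serverAuth EKU on server certificates (a certificate with no EKU extension is rejected, unlike the previous BasicX509 policy) and the clientAuth EKU on client certificates.` Passing `nullptr` as the hostname means this policy does no hostname matching itself, so presumably hostname verification remains wherever it was performed before this change; worth confirming. `isValidatingServerCert` is never reassigned and could be `const bool`. `CreateSecTrustPolicies` continues outside the hunk.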
|
||||||
|
|
|
||||||
|
|
@ -1768,16 +1768,27 @@ Status validatePeerCertificate(const std::string& remoteHost,
|
||||||
|
|
||||||
// szOID_PKIX_KP_SERVER_AUTH ("1.3.6.1.5.5.7.3.1") - means the certificate can be used for
|
// szOID_PKIX_KP_SERVER_AUTH ("1.3.6.1.5.5.7.3.1") - means the certificate can be used for
|
||||||
// server authentication
|
// server authentication
|
||||||
LPSTR usage[] = {
|
LPSTR serverUsage[] = {
|
||||||
const_cast<LPSTR>(szOID_PKIX_KP_SERVER_AUTH),
|
const_cast<LPSTR>(szOID_PKIX_KP_SERVER_AUTH),
|
||||||
};
|
};
|
||||||
|
|
||||||
|
// szOID_PKIX_KP_CLIENT_AUTH ("1.3.6.1.5.5.7.3.2") - means the certificate can be used for
|
||||||
|
// client authentication
|
||||||
|
LPSTR clientUsage[] = {
|
||||||
|
const_cast<LPSTR>(szOID_PKIX_KP_CLIENT_AUTH),
|
||||||
|
};
|
||||||
|
|
||||||
// If remoteHost is not empty, then this is running on the client side, and we want to verify
|
// If remoteHost is not empty, then this is running on the client side, and we want to verify
|
||||||
// the server cert.
|
// the server cert.
|
||||||
if (!remoteHost.empty()) {
|
if (!remoteHost.empty()) {
|
||||||
certChainPara.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
|
certChainPara.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
|
||||||
certChainPara.RequestedUsage.Usage.cUsageIdentifier = _countof(usage);
|
certChainPara.RequestedUsage.Usage.cUsageIdentifier = _countof(serverUsage);
|
||||||
certChainPara.RequestedUsage.Usage.rgpszUsageIdentifier = usage;
|
certChainPara.RequestedUsage.Usage.rgpszUsageIdentifier = serverUsage;
|
||||||
|
} // else, this is running on the server side, validate the client cert
|
||||||
|
else {
|
||||||
|
certChainPara.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
|
||||||
|
certChainPara.RequestedUsage.Usage.cUsageIdentifier = _countof(clientUsage);
|
||||||
|
certChainPara.RequestedUsage.Usage.rgpszUsageIdentifier = clientUsage;
|
||||||
}
|
}
|
||||||
|
|
||||||
certChainPara.dwUrlRetrievalTimeout = gTLSOCSPVerifyTimeoutSecs * 1000;
|
certChainPara.dwUrlRetrievalTimeout = gTLSOCSPVerifyTimeoutSecs * 1000;
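Review bot: The new `else` branch in `validatePeerCertificate` duplicates `certChainPara.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;` from the `if` branch, and the explanatory comment sits between the closing `}` and `else {` on separate lines, which reads as if the `if` statement had ended; hoisting the `dwType` assignment and moving the comments inside the branches is clearer. The server-side case now requires clientAuth where previously no usage was requested; the test's `client_without_eku.pem` case expects such certificates to still be accepted, which relies on the chain engine treating a missing EKU extension as unrestricted — worth a comment at the `clientUsage` declaration so that assumption is explicit. `validatePeerCertificate` starts and ends outside the hunk.
```cpp
    // A single usage is requested in either direction; a certificate with no EKU
    // extension at all is still accepted (the chain engine treats it as unrestricted).
    certChainPara.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
    if (!remoteHost.empty()) {
        // Client side: the peer is a server, so require serverAuth.
        certChainPara.RequestedUsage.Usage.cUsageIdentifier = _countof(serverUsage);
        certChainPara.RequestedUsage.Usage.rgpszUsageIdentifier = serverUsage;
    } else {
        // Server side: the peer is a client, so require clientAuth.
        certChainPara.RequestedUsage.Usage.cUsageIdentifier = _countof(clientUsage);
        certChainPara.RequestedUsage.Usage.rgpszUsageIdentifier = clientUsage;
    }
    // … unchanged: dwUrlRetrievalTimeout assignment …
```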
|
||||||
|
|
|
||||||