SERVER-94766 Expand testing of intermediate CA chain validation (#27785)

GitOrigin-RevId: 959256e0584425022b79b8d7d96cc9bc4d301197
2024-10-04 08:45:35 -04:00 · 2024-10-04 08:45:35 -04:00 · bf491202a6
parent d59d165c43
commit bf491202a6
8 changed files with 304 additions and 0 deletions
--- a/jstests/libs/intermediate-ca-B-leaf.pem
+++ b/jstests/libs/intermediate-ca-B-leaf.pem
@ -0,0 +1,55 @@
+# Autogenerated file, do not edit.
+# Generate using jstests/ssl/x509/mkcert.py --config jstests/ssl/x509/certs.yml intermediate-ca-B-leaf.pem
+#
+# First end-entity certificate signed by intermediate CA B
+-----BEGIN CERTIFICATE-----
+MIIDxTCCAq2gAwIBAgIEUIFx6jANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
+BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEaMBgGA1UEAwwRSW50ZXJt
+ZWRpYXRlIENBIEIwHhcNMjQwOTI0MDAxODUyWhcNMjYxMjI3MDAxODUyWjCBkjEL
+MAkGA1UEBhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMRYwFAYDVQQHDA1OZXcgWW9y
+ayBDaXR5MRAwDgYDVQQKDAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxNTAzBgNV
+BAMMLEVuZC1lbnRpdHkgY2VydGlmaWNhdGUgdmlhIEludGVybWVkaWF0ZSBDQSBC
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoSGzhf1k1g4iySsXa/ne
+UbFSK0YFeEmxyV/YNYAXGnuv+UNzrNES2Pl58eukPbZRVkyqUfn33aq6uuTVbmG8
+7hw4YhwujCpaRh37CznLaz8V4cg6VeNR44otA+O/nSIWoAaL3Jhv5g7cYrCuu9OD
+w6+UNpCaZOCi6FrghmoI9dKPmlAhy59aA7zac8I2qog/urf1MnfCC80UECcHaeh9
+Edltxqk2J2XzaN70g7Zh0HiH8Syju24NhTUzQP+l0i+3OVizcdoyAlkr5aSYTab8
+s9OIRCM9diRRcxAV4ny31PnW9iVPZMP5wJrR5SQUZMIj/sk6kGvPPBxAASVKVeKp
+CQIDAQABoz0wOzAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGgYDVR0R
+BBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQB1PXgnNJtG
+4E+c9YqomiUWuKnSAjCtPfaFeWMHUeRKltWOF4uTedpU5iLr9hAlCslLaZIbVIyb
+pGJzv4deCapAUdz45QF2k3ekABeMsU4CbLWlzKDQn7bcLCWgRIbqjGt1eQRTTYOA
+tZYkIZ3ntsk6uyn+VJu3sTOwQM/kAuHHbnBuUZsRxKCKUgpgq6qXHVmQJ3FJJFVa
+2VVpX2iycLD5/3RIICNsbzz0zHPhV3DCwTHlK/I0ZzrmO/2NLQD/jQBpm1QCtRyU
+akVGR6/OokY1CWZD+VrnWcK7Ua/LHbwbzlJFioXXoAcSGyXaY/Ep9MFx7psvLsOQ
+2UaDEdtbu/p5
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQChIbOF/WTWDiLJ
+Kxdr+d5RsVIrRgV4SbHJX9g1gBcae6/5Q3Os0RLY+Xnx66Q9tlFWTKpR+ffdqrq6
+5NVuYbzuHDhiHC6MKlpGHfsLOctrPxXhyDpV41Hjii0D47+dIhagBovcmG/mDtxi
+sK6704PDr5Q2kJpk4KLoWuCGagj10o+aUCHLn1oDvNpzwjaqiD+6t/Uyd8ILzRQQ
+Jwdp6H0R2W3GqTYnZfNo3vSDtmHQeIfxLKO7bg2FNTNA/6XSL7c5WLNx2jICWSvl
+pJhNpvyz04hEIz12JFFzEBXifLfU+db2JU9kw/nAmtHlJBRkwiP+yTqQa888HEAB
+JUpV4qkJAgMBAAECggEBAJUU9WDXXeCfG5g9AmKowQWcpoXbN1xf8tp6jzSQ2s9p
+RsLSY9vsZyG1kj62O8wLHlIXZ2TRb4WJMaeyspiK8ey3IgJwxd0aCnPu2JbitYj
+fD92XmLw++cnBRdANR1RWNWeuPDVKVMWFNpK1qB5xsPbQ6poiDEllhSdYHd8y+WD
+/2/djk+Iqc1QSV0ZkVa0ZQ8fO+GeZ+3X1oPcKmxTOYcgZQzl/kjW+s8yW3Aw/UgF
+941LpnvbhjOfLET02T+/8Fjh4fNVDx6IN9EVdjkOFTZmkHsZVbYeBo2UZnw56rid
+txXqomcS157gVw7Q1t6HgVn5g8q7Yws1jtfOhDs37cECgYEA1moqBA4LF+ElWFih
+CVxwHuZXmISnuIzKgiG59lZBhL2/NOUGZFOqtYwsWJJ5y+C+tEqKCKj/+PzH70AU
+oPO/KabI6LWUunatkR7HrWPuCN9I5zdOMZM/tSzPj/A9xBWEAv3r3Rar4OeENuZq
+BILRjM6XA/DBSqRGYRh3fdqT4V0CgYEAwGH/P5zSR/P5G4qXt9EEVj9OzZYTaY1U
+7fy8Ru3vZLQeFrZSveeRrr80+IJ8UEDxGhNYKneYcVE7bj0zx1PnupMcDIH6tjv6
+8yT49D3BENurRxUiHkd+b/IsPaoZooZCipx3bECHMIi8q6ZaqBOp94auwJyYk2SC
+5Jx1i7ohD50CgYBqW709x62PCdrZiRVQrG7dlQssl9kOvaASjyJM5JqZevonBdh2
+2d3bMo4o3XfXP0O58SOpihN3cgTHVDUnZeGUiqwsay48lHQigW8xPlmsQv5J23BJ
+PS6j83d+ggBRjQ6v4T8nq4BVDuLRzNgYJsBFpZDZnopzOSvELDvRzSP/7QKBgQCl
+RIpuL15GCcT6b/keJCVBomkkG8TZbFyFhhSIKmb5b/JZOI+kLIbuQ7xRsGby2pdE
+1FGSi9fSZVwgos0tVPg5/e0lwS2AJj4v85Oo65zuQJOskz5DhoEOVrgLnyPLh+D
+zB6blGOOwiiynNpMgXgF+GGvfddk53e6xN4GBwPX0QKBgHfEQV1Cu+g+3kUHqB3a
+dhYscphGea5fMlutWfRcPrbcEvyWHbgZMDu2ORSbvMC7oLeOzTQWh5LsTgLZSahZ
+bIj8DVH+JehZQ3LnjgPgaviCyPQ47uP0vrJsWAyDmB8z+htUkPbLUUrMB+5AMCTd
+BdJ9ZlwgWJzJZxnVbv3pUs09
+-----END PRIVATE KEY-----
--- a/jstests/libs/intermediate-ca-B-leaf.pem.digest.sha1
+++ b/jstests/libs/intermediate-ca-B-leaf.pem.digest.sha1
@ -0,0 +1 @@
+399431186FBE5673C78AB28EBF74B0F378D4F973
--- a/jstests/libs/intermediate-ca-B-leaf.pem.digest.sha256
+++ b/jstests/libs/intermediate-ca-B-leaf.pem.digest.sha256
@ -0,0 +1 @@
+2A780CFD54A44D38DE416E46C91B609B9DA7435A2347B2DF62723A90EFBE143C
--- a/jstests/libs/intermediate-ca-B.pem
+++ b/jstests/libs/intermediate-ca-B.pem
@ -0,0 +1,53 @@
+# Autogenerated file, do not edit.
+# Generate using jstests/ssl/x509/mkcert.py --config jstests/ssl/x509/certs.yml intermediate-ca-B.pem
+#
+# Secondary intermediate CA issued by the primary root CA.
+-----BEGIN CERTIFICATE-----
+MIIDeTCCAmGgAwIBAgIEED+pWDANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
+BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEXMBUGA1UEAwwOS2VybmVs
+IFRlc3QgQ0EwHhcNMjQwOTI0MDAxODUxWhcNMjYxMjI3MDAxODUxWjB3MQswCQYD
+VQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENp
+dHkxEDAOBgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEaMBgGA1UEAwwR
+SW50ZXJtZWRpYXRlIENBIEIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQDdic72SasL8/GPCBYEanD/UrhC4st38jq2lAfEInHJb4Bkam4U2vmQcha7lI6y
+HyhNQbw7Id5GzpR6oVeg7eRRHG4WrLlBq3VMOKcNoyTEinSwZ9O3Ei530o2Te6Ff
+wqmAS1pge8f4Sp1BZxO3pW+qschdA6KTRkWQV71Qcmg/V5g/0ozk3EmmyPitnFmC
+saJGRcUsJQE92f6cYYaZN7/d1MSZ47w9l0revtD5ICYKF3fCbTm3WDDVRmKP3m44
+M/X5TP29ChfZyFvn4PHd+hYtbW7JECHMwcXLI7EtazzkyoS+hkp24NomnDZDpBY+
+lNDEu/wjXxnIcNYnqUDAyHVbAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAHb32m5NNURKVqv5fgl73+ZgVw95LrzK3GW617lZf1BtJRzR
+V3ksCM07va9ylu0lS8HlglNJMYlC0vCw8kVNolutL/l6IunyzIK418VViYlOluvY
+SE8f6dhRsIhMggbD/qkHqDc4Awu++6Ix+6LwC+34ttc7BUuG91Y3Kp0H4uzv4VIJ
+Rhbq8r5AOWWKFbtNqE4kqjXqIN/7pFvTlW8CeK9wGMG2ax/fX5GDtMcAQdQ1z0/n
+4GPxy+f4SM9vtkJlUDOm/YmJlYUvRVUd4pB3F4TlN2fzdcOJyT3cMCQEBLXTIVnP
+pQ+YtXGx+9SK1j3hmIPG4lAl9hmRT7esVY2sYPU=
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDdic72SasL8/GP
+CBYEanD/UrhC4st38jq2lAfEInHJb4Bkam4U2vmQcha7lI6yHyhNQbw7Id5GzpR6
+oVeg7eRRHG4WrLlBq3VMOKcNoyTEinSwZ9O3Ei530o2Te6FfwqmAS1pge8f4Sp1B
+ZxO3pW+qschdA6KTRkWQV71Qcmg/V5g/0ozk3EmmyPitnFmCsaJGRcUsJQE92f6c
+YYaZN7/d1MSZ47w9l0revtD5ICYKF3fCbTm3WDDVRmKP3m44M/X5TP29ChfZyFvn
+4PHd+hYtbW7JECHMwcXLI7EtazzkyoS+hkp24NomnDZDpBY+lNDEu/wjXxnIcNYn
+qUDAyHVbAgMBAAECggEBALAXw0+XXQOiQwcbOU0HQoxgtyBLX8oW276WydmIO4QP
+QjIPOzMOn8LGPPWbbxV8mK9YKgOityj3OaSELMA5d/tVKtiRMKxXWmRcv8SiQi6L
+k5dI4Eurgw4xaeGqKqqQc+ULgGoi2d+th3QeN9kJAkrfB9GPeyGvgMnsRAn29pAp
+WGV8r6Ag/PQV7sEqpnXa5j0FGTlU/+og1OROSD+hp3bjKD6137TDZdx04WBrZ8x6
+QaK1v6SgS4SHMjytMr5TBKEuyTtSFxP9GEr8dEJ4VsqAdNFpujzM6SmvVqiV0vhS
+UpZ0zEModdMCJchBV+BkwH6Ef2L1RaVjmYhp98NDYGECgYEA+JM78lTCr3xVBhlz
+qE/GCuSn9/Z+1o2IE6n2p+s/2GJ7N5o1L3O70YD10pxGVSipua90nsuDIiP61PZ9
+orsmzWRx8Ax5XYvwupMf+6gJYSZyLU60MIO8+pqxC4I40NOPLf+LcggDzrvi+lYN
+4U4CsdowBr/ut/8l2EmX+OZF+EsCgYEA5CfVVEUTUkO3w/nfdhef4uKEOzqA2LA1
+TUBuUSN/vBOAwFvPNVDi/qrIkR8b2mKo0QsdvuCRqsQsHNdnc6DWon09kDFpVnhN
+B/mz/KEPGIcTegrEijmgXtOGqU5BbXoccDF7GtXLaYcydLNrrYrlX9AeIm97DYcP
+1rme5RSEbTECgYBM/+bI6UKpc30u94FhONzjEPOLFxsxQQRO+w5B89iCIfeDQMyK
+13HtsuHzDJ+oz4DL2TLp4abMU5LmlzhRyWF6rEuzDVonBStb0ClPHj1Rj8Q8jq24
+fYZzpqmDJCKPZYlruUYr25m6V283FqMUEMM67piD7r521p2Vgy6FVmeEQwKBgQDF
+/k9h7wPiawPJXUlv6PaGZT6NS6rO4LOQ064oWZ8a7u3XgJTj1sr2Z+zgC1gXf3Cy
+4Guy3p1qzQzfBosvS8+XeQn43Phl4sYueqKYRIieJ3JegYOn1HR4diYxPMkIoWSW
+dEo5snjwnjPKFH4IPzXonOnZxlbKGYBEPhdHAzQcsQKBgQCIHaqZ7VrSvgaeBlZT
+XBY6apYnFtBvWP9Iw/uYRn1WyXPl846huKDz6GfhNNQcsfLclYC0h5h94G6Fe+Hw
+UMtT6s5v+NxGP6PRj8SgfQTLQczcIZkh0qBJ6UrjxMHkj8kmVIaq+6VffIMm/hds
+BuBEtlHp6qkEDHWkVMXk4ZMI2Q==
+-----END PRIVATE KEY-----
--- a/jstests/libs/intermediate-ca-B.pem.digest.sha1
+++ b/jstests/libs/intermediate-ca-B.pem.digest.sha1
@ -0,0 +1 @@
+A829D6E7E82F9A3D22F55E117DD50AF5B27F6826
--- a/jstests/libs/intermediate-ca-B.pem.digest.sha256
+++ b/jstests/libs/intermediate-ca-B.pem.digest.sha256
@ -0,0 +1 @@
+EC0AC5E4827BB348A6799569FC39C83C1DC0A72D30C162BFA6A7E127D019B523
--- a/jstests/ssl/x509/certs.yml
+++ b/jstests/ssl/x509/certs.yml
@ -785,6 +785,23 @@ certs:
      - "ca.pem"
      - "intermediate-ca.pem"

+  - name: "intermediate-ca-B.pem"
+    description: Secondary intermediate CA issued by the primary root CA.
+    Subject: {CN: "Intermediate CA B"}
+    extensions:
+      basicConstraints: {CA: true}
+    Issuer: "ca.pem"
+
+  - name: "intermediate-ca-B-leaf.pem"
+    description: First end-entity certificate signed by intermediate CA B
+    Subject: {CN: "End-entity certificate via Intermediate CA B"}
+    Issuer: "intermediate-ca-B.pem"
+    extensions:
+      extendedKeyUsage: [serverAuth, clientAuth]
+      subjectAltName:
+        DNS: localhost
+        IP: 127.0.0.1
+
  ###
  # Split Horizon
  ###
--- a/src/mongo/util/net/ssl_manager_test.cpp
+++ b/src/mongo/util/net/ssl_manager_test.cpp
@ -29,6 +29,7 @@


 #include <asio.hpp>
+#include <boost/filesystem.hpp>
 #include <fstream>

 #include "mongo/config.h"
@ -55,6 +56,7 @@

 #define MONGO_LOGV2_DEFAULT_COMPONENT ::mongo::logv2::LogComponent::kTest

+namespace fs = boost::filesystem;

 namespace mongo {
 namespace {
@ -65,6 +67,11 @@ constexpr const char* caFile = TEST_CERTS_DIR "ca.pem";
 constexpr const char* serverKeyFile = TEST_CERTS_DIR "server.pem";
 constexpr const char* clientKeyFile = TEST_CERTS_DIR "client.pem";

+constexpr const char* intermediateACaFile = TEST_CERTS_DIR "intermediate-ca.pem";
+constexpr const char* intermediateALeafKeyFile = TEST_CERTS_DIR "server-intermediate-leaf.pem";
+constexpr const char* intermediateBCaFile = TEST_CERTS_DIR "intermediate-ca-B.pem";
+constexpr const char* intermediateBLeafKeyFile = TEST_CERTS_DIR "intermediate-ca-B-leaf.pem";
+
 // certs rooted in trusted-ca.pem
 constexpr const char* trustedCaFile = TEST_CERTS_DIR "trusted-ca.pem";
 constexpr const char* trustedServerKeyFile = TEST_CERTS_DIR "trusted-server.pem";
@ -123,6 +130,74 @@ std::string loadFile(const std::string& name) {
    return str;
 }

+// Reads the input stream until EOF or a valid PEM block is encountered.
+// Skips private key PEM blocks if includePrivateKeys is true.
+// Returns the parsed PEM block as a string (with newlines), or an empty
+// string if none is found or a read error occurs.
+std::string readOnePEMBlock(std::ifstream& inputStrm, bool includePrivateKeys) {
+    std::string line;
+    for (;;) {
+        std::stringstream output;
+        bool foundBegin = false;
+        bool foundEnd = false;
+        bool discard = false;
+
+        while (!foundBegin && std::getline(inputStrm, line)) {
+            foundBegin = (line.starts_with("-----BEGIN ") && line.ends_with("-----"));
+        }
+        if (!foundBegin) {
+            return "";
+        }
+
+        discard = (!includePrivateKeys && line.find("PRIVATE KEY") != std::string::npos);
+        output << line << std::endl;
+
+        while (!foundEnd && std::getline(inputStrm, line)) {
+            output << line << std::endl;
+            foundEnd = (line.starts_with("-----END ") && line.ends_with("-----"));
+        }
+        if (!foundEnd) {
+            return "";
+        }
+        if (!discard) {
+            return output.str();
+        }
+    }
+}
+
+struct PEMFileSpec {
+    std::string path;
+    bool includePrivateKeys{false};
+    void serialize(BSONObjBuilder* bob) const {
+        bob->append("path", path);
+        bob->append("includePrivateKeys", includePrivateKeys);
+    }
+};
+// Given a list of PEM files, this concatenates the PEM blocks in those files
+// (optionally filtering out private keys) and writes the result into a temporary
+// file. Returns the path to the temp file.
+std::string combinePEMFiles(const std::vector<PEMFileSpec>& pemSpecs) {
+    // make a temp file for the output
+    auto path = fs::temp_directory_path() / fs::unique_path("tmpfile_%%%%_%%%%_%%%%_%%%%.pem");
+    std::ofstream outStream(path.string());
+    invariant(outStream.is_open());
+
+    LOGV2(
+        9476600, "Combining PEM files", "output"_attr = path.string(), "pemFiles"_attr = pemSpecs);
+
+    // read & parse the PEM files; append PEM blocks to output
+    for (auto& pemSpec : pemSpecs) {
+        std::ifstream input(pemSpec.path);
+        std::string pemBlock;
+        do {
+            pemBlock = readOnePEMBlock(input, pemSpec.includePrivateKeys);
+            outStream << pemBlock;
+        } while (!pemBlock.empty());
+    }
+    outStream.close();
+    return path.string();
+}
+
 TEST(SSLManager, matchHostname) {
    enum Expected : bool { match = true, mismatch = false };
    const struct {
@ -1407,6 +1482,106 @@ TEST(SSLManager, transientSSLParamsOverrideGlobalParamsTests) {
    }
 }

+// Tests that SSL validation can build its chain of trust given different CAFile & peer certificate
+// configurations that include intermediate CA certificates.
+// Caveats:
+// - Apple: allows intermediate certs (without root CA cert) to be the root of trust
+//          when validating chains.
+TEST(SSLManager, intermediateCATests) {
+    struct TestCase {
+        std::string clientCAFile;
+        std::string serverKeyFile;
+        bool clientPass;
+        void serialize(BSONObjBuilder* bob) const {
+            bob->append("clientCAFile", clientCAFile);
+            bob->append("serverKeyFile", serverKeyFile);
+            bob->append("clientPass", clientPass);
+        }
+    };
+
+    // intermediate-ca.pem + server-intermediate-leaf.pem bundle
+    const std::string intermediateALeafWithIssuerCertKeyFile = combinePEMFiles(
+        {{intermediateALeafKeyFile, true /*includePrivKey*/}, {intermediateACaFile}});
+    // ca.pem + intermediate-ca.pem + server-intermediate-leaf.pem bundle
+    const std::string intermediateALeafWithAllIssuerCertsKeyFile = combinePEMFiles(
+        {{intermediateALeafWithIssuerCertKeyFile, true /*includePrivKey*/}, {caFile}});
+    // intermediate-ca.pem + ca.pem
+    const std::string intermediateAWithRootCaFile =
+        combinePEMFiles({{intermediateACaFile}, {caFile}});
+    // intermediate-ca-B.pem + intermediate-ca-B-leaf.pem bundle
+    const std::string intermediateBLeafWithIssuerCertKeyFile = combinePEMFiles(
+        {{intermediateBLeafKeyFile, true /*includePrivKey*/}, {intermediateBCaFile}});
+
+#if MONGO_CONFIG_SSL_PROVIDER == MONGO_CONFIG_SSL_PROVIDER_APPLE
+    // Apple allows intermediate CA certs to be the root of trust when validating a chain.
+    const bool allowsIntermediateTrustRoot = true;
+#else
+    const bool allowsIntermediateTrustRoot = false;
+#endif
+
+    std::vector<TestCase> testCases = {
+        // Client configured with CAFile = intermediate-ca.pem only (ie. no root trust anchor)
+        // None of these should pass validation in the client:
+        // 1. server key = server-intermediate-leaf.pem
+        // 2. server key = server.pem
+        // 3. server key = intermediate-ca.pem + server-intermediate-leaf.pem bundle
+        // 4. server key = ca.pem + intermediate-ca.pem + server-intermediate-leaf.pem bundle
+        {intermediateACaFile, intermediateALeafKeyFile, allowsIntermediateTrustRoot},
+        {intermediateACaFile, serverKeyFile, false},
+        {intermediateACaFile, intermediateALeafWithIssuerCertKeyFile, allowsIntermediateTrustRoot},
+        {intermediateACaFile,
+         intermediateALeafWithAllIssuerCertsKeyFile,
+         allowsIntermediateTrustRoot},
+
+        // Client configured with CAFile = intermediate-ca.pem + ca.pem bundle (ie. w/ trust anchor)
+        // The following should pass validation in the client:
+        // 1. server key = server-intermediate-leaf.pem
+        // 2. server key = server.pem
+        // 3. server key = intermediate-ca-B.pem + intermediate-ca-B-leaf.pem bundle
+        //                 (leaf not signed by intermediate-ca.pem, but chain rooted in ca.pem)
+        // These should fail validation in the client:
+        // 4. server key = intermediate-ca-B-leaf.pem (no path to trusted root)
+        {intermediateAWithRootCaFile, intermediateALeafKeyFile, true},
+        {intermediateAWithRootCaFile, serverKeyFile, true},
+        {intermediateAWithRootCaFile, intermediateBLeafWithIssuerCertKeyFile, true},
+        {intermediateAWithRootCaFile, intermediateBLeafKeyFile, false},
+
+        // Client configured with CAFile = ca.pem
+        // The following should fail validation in the client:
+        // 1. server key = server-intermediate-leaf.pem
+        // 2. server key = intermediate-ca-B-leaf.pem
+        // The following should pass validation in the client:
+        // 3. server key = intermediate-ca.pem + server-intermediate-leaf.pem bundle
+        // 4. server key = intermediate-ca-B.pem + intermediate-ca-B-leaf.pem bundle
+        {caFile, intermediateALeafKeyFile, false},
+        {caFile, intermediateBLeafKeyFile, false},
+        {caFile, intermediateALeafWithIssuerCertKeyFile, true},
+        {caFile, intermediateBLeafWithIssuerCertKeyFile, true},
+    };
+
+    SSLParams clientParams;
+    clientParams.sslMode.store(::mongo::sslGlobalParams.SSLMode_requireSSL);
+    clientParams.sslAllowInvalidHostnames = true;
+    clientParams.sslPEMKeyFile = trustedClientKeyFile;
+
+    SSLParams serverParams;
+    serverParams.sslMode.store(::mongo::sslGlobalParams.SSLMode_requireSSL);
+    serverParams.sslAllowInvalidHostnames = true;
+    serverParams.sslCAFile = trustedCaFile;
+
+    for (auto& test : testCases) {
+        clientParams.sslCAFile = test.clientCAFile;
+        serverParams.sslPEMKeyFile = test.serverKeyFile;
+
+        LOGV2(9476601, "Running test case", "test"_attr = test);
+
+        SSLTestFixture tf(serverParams, clientParams);
+        tf.doHandshake();
+        auto result = tf.runIngressEgressValidation();
+        checkValidationResults(result, true /*expectIngressPass*/, test.clientPass);
+    }
+}
+
 #endif  // MONGO_CONFIG_SSL
 }  // namespace
 }  // namespace mongo
				`@ -0,0 +1 @@`
				`2A780CFD54A44D38DE416E46C91B609B9DA7435A2347B2DF62723A90EFBE143C`
				`@ -0,0 +1 @@`
				`EC0AC5E4827BB348A6799569FC39C83C1DC0A72D30C162BFA6A7E127D019B523`