SERVER-94766 Expand testing of intermediate CA chain validation (#27785)

GitOrigin-RevId: 959256e0584425022b79b8d7d96cc9bc4d301197
Erwin Pe 2024-10-04 08:45:35 -04:00 committed by MongoDB Bot
parent d59d165c43
commit bf491202a6
8 changed files with 304 additions and 0 deletions


@ -0,0 +1,55 @@
# Autogenerated file, do not edit.
# Generate using jstests/ssl/x509/mkcert.py --config jstests/ssl/x509/certs.yml intermediate-ca-B-leaf.pem
#
# First end-entity certificate signed by intermediate CA B
-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIEUIFx6jANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJV
UzERMA8GA1UECAwITmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAO
BgNVBAoMB01vbmdvREIxDzANBgNVBAsMBktlcm5lbDEaMBgGA1UEAwwRSW50ZXJt
ZWRpYXRlIENBIEIwHhcNMjQwOTI0MDAxODUyWhcNMjYxMjI3MDAxODUyWjCBkjEL
MAkGA1UEBhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMRYwFAYDVQQHDA1OZXcgWW9y
ayBDaXR5MRAwDgYDVQQKDAdNb25nb0RCMQ8wDQYDVQQLDAZLZXJuZWwxNTAzBgNV
BAMMLEVuZC1lbnRpdHkgY2VydGlmaWNhdGUgdmlhIEludGVybWVkaWF0ZSBDQSBC
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoSGzhf1k1g4iySsXa/ne
UbFSK0YFeEmxyV/YNYAXGnuv+UNzrNES2Pl58eukPbZRVkyqUfn33aq6uuTVbmG8
7hw4YhwujCpaRh37CznLaz8V4cg6VeNR44otA+O/nSIWoAaL3Jhv5g7cYrCuu9OD
w6+UNpCaZOCi6FrghmoI9dKPmlAhy59aA7zac8I2qog/urf1MnfCC80UECcHaeh9
Edltxqk2J2XzaN70g7Zh0HiH8Syju24NhTUzQP+l0i+3OVizcdoyAlkr5aSYTab8
s9OIRCM9diRRcxAV4ny31PnW9iVPZMP5wJrR5SQUZMIj/sk6kGvPPBxAASVKVeKp
CQIDAQABoz0wOzAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGgYDVR0R
BBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQB1PXgnNJtG
4E+c9YqomiUWuKnSAjCtPfaFeWMHUeRKltWOF4uTedpU5iLr9hAlCslLaZIbVIyb
pGJzv4deCapAUdz45QF2k3ekABeMsU4CbLWlzKDQn7bcLCWgRIbqjGt1eQRTTYOA
tZYkIZ3ntsk6uyn+VJu3sTOwQM/kAuHHbnBuUZsRxKCKUgpgq6qXHVmQJ3FJJFVa
2VVpX2iycLD5/3RIICNsbzz0zHPhV3DCwTHlK/I0ZzrmO/2NLQD/jQBpm1QCtRyU
akVGR6/OokY1CWZD+VrnWcK7Ua/LHbwbzlJFioXXoAcSGyXaY/Ep9MFx7psvLsOQ
2UaDEdtbu/p5
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----


@ -0,0 +1 @@
399431186FBE5673C78AB28EBF74B0F378D4F973


@ -0,0 +1 @@
2A780CFD54A44D38DE416E46C91B609B9DA7435A2347B2DF62723A90EFBE143C


@ -0,0 +1,53 @@
# Autogenerated file, do not edit.
# Generate using jstests/ssl/x509/mkcert.py --config jstests/ssl/x509/certs.yml intermediate-ca-B.pem
#
# Secondary intermediate CA issued by the primary root CA.
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----


@ -0,0 +1 @@
A829D6E7E82F9A3D22F55E117DD50AF5B27F6826


@ -0,0 +1 @@
EC0AC5E4827BB348A6799569FC39C83C1DC0A72D30C162BFA6A7E127D019B523


@ -785,6 +785,23 @@ certs:
- "ca.pem" - "ca.pem"
- "intermediate-ca.pem" - "intermediate-ca.pem"
- name: "intermediate-ca-B.pem"
description: Secondary intermediate CA issued by the primary root CA.
Subject: {CN: "Intermediate CA B"}
extensions:
basicConstraints: {CA: true}
Issuer: "ca.pem"
- name: "intermediate-ca-B-leaf.pem"
description: First end-entity certificate signed by intermediate CA B
Subject: {CN: "End-entity certificate via Intermediate CA B"}
Issuer: "intermediate-ca-B.pem"
extensions:
extendedKeyUsage: [serverAuth, clientAuth]
subjectAltName:
DNS: localhost
IP: 127.0.0.1
### ###
# Split Horizon # Split Horizon
### ###


@ -29,6 +29,7 @@
#include <asio.hpp> #include <asio.hpp>
#include <boost/filesystem.hpp>
#include <fstream> #include <fstream>
#include "mongo/config.h" #include "mongo/config.h"
@ -55,6 +56,7 @@
#define MONGO_LOGV2_DEFAULT_COMPONENT ::mongo::logv2::LogComponent::kTest #define MONGO_LOGV2_DEFAULT_COMPONENT ::mongo::logv2::LogComponent::kTest
namespace fs = boost::filesystem;
namespace mongo { namespace mongo {
namespace { namespace {
@ -65,6 +67,11 @@ constexpr const char* caFile = TEST_CERTS_DIR "ca.pem";
constexpr const char* serverKeyFile = TEST_CERTS_DIR "server.pem"; constexpr const char* serverKeyFile = TEST_CERTS_DIR "server.pem";
constexpr const char* clientKeyFile = TEST_CERTS_DIR "client.pem"; constexpr const char* clientKeyFile = TEST_CERTS_DIR "client.pem";
constexpr const char* intermediateACaFile = TEST_CERTS_DIR "intermediate-ca.pem";
constexpr const char* intermediateALeafKeyFile = TEST_CERTS_DIR "server-intermediate-leaf.pem";
constexpr const char* intermediateBCaFile = TEST_CERTS_DIR "intermediate-ca-B.pem";
constexpr const char* intermediateBLeafKeyFile = TEST_CERTS_DIR "intermediate-ca-B-leaf.pem";
// certs rooted in trusted-ca.pem // certs rooted in trusted-ca.pem
constexpr const char* trustedCaFile = TEST_CERTS_DIR "trusted-ca.pem"; constexpr const char* trustedCaFile = TEST_CERTS_DIR "trusted-ca.pem";
constexpr const char* trustedServerKeyFile = TEST_CERTS_DIR "trusted-server.pem"; constexpr const char* trustedServerKeyFile = TEST_CERTS_DIR "trusted-server.pem";
@ -123,6 +130,74 @@ std::string loadFile(const std::string& name) {
return str; return str;
} }
// Reads the input stream until EOF or a valid PEM block is encountered.
// Skips private key PEM blocks if includePrivateKeys is true.
// Returns the parsed PEM block as a string (with newlines), or an empty
// string if none is found or a read error occurs.
std::string readOnePEMBlock(std::ifstream& inputStrm, bool includePrivateKeys) {
std::string line;
for (;;) {
std::stringstream output;
bool foundBegin = false;
bool foundEnd = false;
bool discard = false;
while (!foundBegin && std::getline(inputStrm, line)) {
foundBegin = (line.starts_with("-----BEGIN ") && line.ends_with("-----"));
}
if (!foundBegin) {
return "";
}
discard = (!includePrivateKeys && line.find("PRIVATE KEY") != std::string::npos);
output << line << std::endl;
while (!foundEnd && std::getline(inputStrm, line)) {
output << line << std::endl;
foundEnd = (line.starts_with("-----END ") && line.ends_with("-----"));
}
if (!foundEnd) {
return "";
}
if (!discard) {
return output.str();
}
}
}
struct PEMFileSpec {
std::string path;
bool includePrivateKeys{false};
void serialize(BSONObjBuilder* bob) const {
bob->append("path", path);
bob->append("includePrivateKeys", includePrivateKeys);
}
};
// Given a list of PEM files, this concatenates the PEM blocks in those files
// (optionally filtering out private keys) and writes the result into a temporary
// file. Returns the path to the temp file.
std::string combinePEMFiles(const std::vector<PEMFileSpec>& pemSpecs) {
// make a temp file for the output
auto path = fs::temp_directory_path() / fs::unique_path("tmpfile_%%%%_%%%%_%%%%_%%%%.pem");
std::ofstream outStream(path.string());
invariant(outStream.is_open());
LOGV2(
9476600, "Combining PEM files", "output"_attr = path.string(), "pemFiles"_attr = pemSpecs);
// read & parse the PEM files; append PEM blocks to output
for (auto& pemSpec : pemSpecs) {
std::ifstream input(pemSpec.path);
std::string pemBlock;
do {
pemBlock = readOnePEMBlock(input, pemSpec.includePrivateKeys);
outStream << pemBlock;
} while (!pemBlock.empty());
}
outStream.close();
return path.string();
}
TEST(SSLManager, matchHostname) { TEST(SSLManager, matchHostname) {
enum Expected : bool { match = true, mismatch = false }; enum Expected : bool { match = true, mismatch = false };
const struct { const struct {
@ -1407,6 +1482,106 @@ TEST(SSLManager, transientSSLParamsOverrideGlobalParamsTests) {
} }
} }
// Tests that SSL validation can build its chain of trust given different CAFile & peer certificate
// configurations that include intermediate CA certificates.
// Caveats:
// - Apple: allows intermediate certs (without root CA cert) to be the root of trust
// when validating chains.
TEST(SSLManager, intermediateCATests) {
struct TestCase {
std::string clientCAFile;
std::string serverKeyFile;
bool clientPass;
void serialize(BSONObjBuilder* bob) const {
bob->append("clientCAFile", clientCAFile);
bob->append("serverKeyFile", serverKeyFile);
bob->append("clientPass", clientPass);
}
};
// intermediate-ca.pem + server-intermediate-leaf.pem bundle
const std::string intermediateALeafWithIssuerCertKeyFile = combinePEMFiles(
{{intermediateALeafKeyFile, true /*includePrivKey*/}, {intermediateACaFile}});
// ca.pem + intermediate-ca.pem + server-intermediate-leaf.pem bundle
const std::string intermediateALeafWithAllIssuerCertsKeyFile = combinePEMFiles(
{{intermediateALeafWithIssuerCertKeyFile, true /*includePrivKey*/}, {caFile}});
// intermediate-ca.pem + ca.pem
const std::string intermediateAWithRootCaFile =
combinePEMFiles({{intermediateACaFile}, {caFile}});
// intermediate-ca-B.pem + intermediate-ca-B-leaf.pem bundle
const std::string intermediateBLeafWithIssuerCertKeyFile = combinePEMFiles(
{{intermediateBLeafKeyFile, true /*includePrivKey*/}, {intermediateBCaFile}});
#if MONGO_CONFIG_SSL_PROVIDER == MONGO_CONFIG_SSL_PROVIDER_APPLE
// Apple allows intermediate CA certs to be the root of trust when validating a chain.
const bool allowsIntermediateTrustRoot = true;
#else
const bool allowsIntermediateTrustRoot = false;
#endif
std::vector<TestCase> testCases = {
// Client configured with CAFile = intermediate-ca.pem only (ie. no root trust anchor)
// None of these should pass validation in the client:
// 1. server key = server-intermediate-leaf.pem
// 2. server key = server.pem
// 3. server key = intermediate-ca.pem + server-intermediate-leaf.pem bundle
// 4. server key = ca.pem + intermediate-ca.pem + server-intermediate-leaf.pem bundle
{intermediateACaFile, intermediateALeafKeyFile, allowsIntermediateTrustRoot},
{intermediateACaFile, serverKeyFile, false},
{intermediateACaFile, intermediateALeafWithIssuerCertKeyFile, allowsIntermediateTrustRoot},
{intermediateACaFile,
intermediateALeafWithAllIssuerCertsKeyFile,
allowsIntermediateTrustRoot},
// Client configured with CAFile = intermediate-ca.pem + ca.pem bundle (ie. w/ trust anchor)
// The following should pass validation in the client:
// 1. server key = server-intermediate-leaf.pem
// 2. server key = server.pem
// 3. server key = intermediate-ca-B.pem + intermediate-ca-B-leaf.pem bundle
// (leaf not signed by intermediate-ca.pem, but chain rooted in ca.pem)
// These should fail validation in the client:
// 4. server key = intermediate-ca-B-leaf.pem (no path to trusted root)
{intermediateAWithRootCaFile, intermediateALeafKeyFile, true},
{intermediateAWithRootCaFile, serverKeyFile, true},
{intermediateAWithRootCaFile, intermediateBLeafWithIssuerCertKeyFile, true},
{intermediateAWithRootCaFile, intermediateBLeafKeyFile, false},
// Client configured with CAFile = ca.pem
// The following should fail validation in the client:
// 1. server key = server-intermediate-leaf.pem
// 2. server key = intermediate-ca-B-leaf.pem
// The following should pass validation in the client:
// 3. server key = intermediate-ca.pem + server-intermediate-leaf.pem bundle
// 4. server key = intermediate-ca-B.pem + intermediate-ca-B-leaf.pem bundle
{caFile, intermediateALeafKeyFile, false},
{caFile, intermediateBLeafKeyFile, false},
{caFile, intermediateALeafWithIssuerCertKeyFile, true},
{caFile, intermediateBLeafWithIssuerCertKeyFile, true},
};
SSLParams clientParams;
clientParams.sslMode.store(::mongo::sslGlobalParams.SSLMode_requireSSL);
clientParams.sslAllowInvalidHostnames = true;
clientParams.sslPEMKeyFile = trustedClientKeyFile;
SSLParams serverParams;
serverParams.sslMode.store(::mongo::sslGlobalParams.SSLMode_requireSSL);
serverParams.sslAllowInvalidHostnames = true;
serverParams.sslCAFile = trustedCaFile;
for (auto& test : testCases) {
clientParams.sslCAFile = test.clientCAFile;
serverParams.sslPEMKeyFile = test.serverKeyFile;
LOGV2(9476601, "Running test case", "test"_attr = test);
SSLTestFixture tf(serverParams, clientParams);
tf.doHandshake();
auto result = tf.runIngressEgressValidation();
checkValidationResults(result, true /*expectIngressPass*/, test.clientPass);
}
}
#endif // MONGO_CONFIG_SSL #endif // MONGO_CONFIG_SSL
} // namespace } // namespace
} // namespace mongo } // namespace mongo
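Review bot: combinePEMFiles opens each input with `std::ifstream input(pemSpec.path);` and never checks the result, so a wrong or missing path (for example a cert that mkcert.py did not regenerate) silently produces an empty or partial bundle and the failure only shows up later as an unexpected handshake verdict in intermediateCATests; add `invariant(input.is_open());` right after the open, mirroring the check already done on outStream. The temporary bundle is also never removed: every run leaves `tmpfile_*.pem` files, some of which carry the leaf private keys (the `true /*includePrivKey*/` specs), in the shared temp directory with default permissions — the test keys are not secret, but a scope guard in intermediateCATests that calls `fs::remove` on each bundle path (or a small RAII holder returned by combinePEMFiles) would keep the fixture self-cleaning. readOnePEMBlock returns an empty string for a BEGIN line with no matching END, which combinePEMFiles treats the same as end-of-file, so a truncated input is dropped without any diagnostic; a `LOGV2_WARNING` there would make such a case visible. Whether `<sstream>` is already included for std::stringstream cannot be seen from the hunk, which adds only `<boost/filesystem.hpp>`.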