
import {requireSSLProvider} from "jstests/ssl/libs/ssl_helpers.js";
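/**
 * Exercises ECDSA certificate support end to end: starts a mongod with an
 * ECDSA server certificate, connects to it over TLS with a CA-only shell,
 * creates an X.509 user on $external, and finally authenticates a shell
 * that presents the ECDSA client certificate via MONGODB-X509.
 *
 * Throws (via the shell's assert helpers) on the first failed step. The
 * spawned mongod is always stopped, even when a step fails.
 */
const test = () => {
  const ECDSA_CA_CERT = "jstests/libs/ecdsa-ca.pem";
  const ECDSA_CLIENT_CERT = "jstests/libs/ecdsa-client.pem";
  const ECDSA_SERVER_CERT = "jstests/libs/ecdsa-server.pem";
  // Subject DN of the client certificate. For MONGODB-X509 the DN is the
  // user name on the $external database, so it is both the createUser name
  // below and the expected authenticatedUsers[0].user after auth.
  const CLIENT_USER = "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US";

  print("Testing if platform supports usage of ECDSA certificates");

  const tlsOptions = {
    // preferTLS plus tlsAllowConnectionsWithoutCertificates: the first shell
    // below connects with only a CA file (no client certificate), and the
    // harness's own mongod.getDB() connection presumably is not mutual-TLS
    // either. Only the final step proves certificate authentication.
    tlsMode: "preferTLS",
    tlsCertificateKeyFile: ECDSA_SERVER_CERT,
    tlsCAFile: ECDSA_CA_CERT,
    ipv6: "",
    bind_ip_all: "",
    waitForConnect: true,
    tlsAllowConnectionsWithoutCertificates: "",
  };
  const mongod = MongoRunner.runMongod(tlsOptions);

  // Stop the server even when an assertion throws, so a failing check does
  // not leak a running mongod (and its port) into the rest of the suite.
  try {
    // Verify a TLS connection that only trusts the ECDSA CA succeeds.
    assert.eq(
      0,
      runMongoProgram(
        "mongo",
        "--tls",
        "--tlsCAFile",
        ECDSA_CA_CERT,
        "--port",
        mongod.port,
        "--eval",
        "db.hello()",
      ),
      "mongo did not initialize properly",
    );

    // Add an X.509 user whose name is the client certificate's subject DN.
    const addUserCmd = {createUser: CLIENT_USER, roles: [{role: "root", db: "admin"}]};
    assert.commandWorked(
      mongod.getDB("$external").runCommand(addUserCmd),
      "Failed to create X509 user using ECDSA certificates",
    );

    // Runs inside a separate shell process via --eval. The literal string
    // "CLIENT_USER" is a placeholder that is textually replaced by the DN
    // before the source is handed to the child shell.
    const command = function () {
      assert(db.getSiblingDB("$external").auth({mechanism: "MONGODB-X509", user: "CLIENT_USER"}));
      const connStatus = db.getSiblingDB("admin").runCommand({connectionStatus: 1});
      assert(connStatus.authInfo.authenticatedUsers[0].user === "CLIENT_USER");
    };
    // The DN contains no quotes, backslashes or "$", so plain substitution
    // into the quoted placeholder yields valid JS source.
    const evalSource = `(${command.toString().replace(/CLIENT_USER/g, CLIENT_USER)})();`;

    // Verify we can authenticate via X.509 with the ECDSA client certificate.
    assert.eq(
      0,
      runMongoProgram(
        "mongo",
        "--tls",
        "--tlsCertificateKeyFile",
        ECDSA_CLIENT_CERT,
        "--tlsCAFile",
        ECDSA_CA_CERT,
        "--port",
        mongod.port,
        "--eval",
        evalSource,
      ),
      "ECDSA X509 authentication failed",
    );
  } finally {
    MongoRunner.stopMongod(mongod);
  }
};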
// Amazon Linux builds are skipped: their TLS stack does not support ECDSA
// certificates, so the test would fail for reasons unrelated to the server.
const EXCLUDED_BUILDS = new Set(["amazon", "amzn64"]);
const SKIP_BANNER = "*****************************************************";

const distmod = buildInfo().buildEnvironment.distmod;
if (!EXCLUDED_BUILDS.has(distmod)) {
  // Only the OpenSSL provider is exercised; other providers skip via the helper.
  requireSSLProvider("openssl", test);
} else {
  print(SKIP_BANNER);
  print("Skipping test because Amazon Linux does not support ECDSA certificates");
  print(SKIP_BANNER);
}