mongodb/jstests/ssl/ssl_with_system_ca.js

// On OSX this test assumes that jstests/libs/trusted-ca.pem has been added as a trusted
// certificate to the login keychain of the evergreen user. See,
// https://github.com/10gen/buildslave-cookbooks/commit/af7cabe5b6e0885902ebd4902f7f974b64cc8961
// for details.
// To install trusted-ca.pem for local testing on OSX, invoke the following at a console:
//   security add-trusted-cert -d jstests/libs/trusted-ca.pem
(function() {
'use strict';

const HOST_TYPE = getBuildInfo().buildEnvironment.target_os;
if (HOST_TYPE == "windows") {
    // OpenSSL backed imports Root CA and intermediate CA
    runProgram("certutil.exe", "-addstore", "-user", "-f", "CA", "jstests\\libs\\trusted-ca.pem");

    // SChannel backed follows Windows rules and only trusts the Root store in Local Machine and
    // Current User.
    runProgram("certutil.exe", "-addstore", "-f", "Root", "jstests\\libs\\trusted-ca.pem");
}

function testWithCerts(prefix) {
    jsTest.log(
        `Testing with SSL certs $ {
            clientPem connecting to serverPem
        }`);

    // allowSSL to get a non-SSL control connection.
    const conn = MongoRunner.runMongod(
        {sslMode: 'allowSSL', sslPEMKeyFile: 'jstests/libs/' + prefix + 'server.pem'});

    let argv = [
        './mongo',
        '--ssl',
        '--port',
        conn.port,
        '--sslPEMKeyFile',
        'jstests/libs/' + prefix + 'client.pem',
        '--eval',
        ';'
    ];

    if (HOST_TYPE == "linux") {
        // On Linux we override the default path to the system CA store to point to our
        // "trusted" CA. On Windows, this CA will have been added to the user's trusted CA list
        argv.unshift("env", "SSL_CERT_FILE=jstests/libs/trusted-ca.pem");
    }

    const exitCode = runMongoProgram.apply(null, argv);
    MongoRunner.stopMongod(conn);
    return exitCode;
}

assert.neq(0, testWithCerts(''), 'Certs signed with untrusted CA');
assert.eq(0, testWithCerts('trusted-'), 'Certs signed with trusted CA');
})();