mongodb

mirror of https://github.com/mongodb/mongo.git synced 2024-11-22 13:07:39 +01:00

History

Justin Seyster b3c26131f6 SERVER-41183 Add test suites for change streams with transactions		2019-06-14 18:31:40 -04:00
..
command_line
config_files
jstestfuzz
openssl_config
override_methods
txns
8k-prime.dhparam
analyze_plan.js
assert_schema_match.js
authTestsKey
backup_utils.js
badSAN.pem
ca.pem
change_stream_util.js
check_log.js
check_unique_indexes.js
check_uuids.js
chunk_manipulation_util.js
cleanup_orphaned_util.js
client_email.pem
client_escape.pem
client_privatekey.pem
client_revoked.pem
client_roles.pem
client_title.pem
client_utf8.cnf
client_utf8.pem
client-all-the-oids.csr.in
client-all-the-oids.pem
client-custom-oids.csr.in
client-custom-oids.pem
client-multivalue-rdn.pem
client-self-signed.pem
client.pem
cluster_cert.pem
collection_drop_recreate.js
command_sequence_with_retries.js
crl_client_revoked.pem
crl_expired.pem
crl.pem
csrs_upgrade_util.js
curop_helpers.js
cycle_detection.js
database_versioning.js
dateutil.js
discover_topology.js
ecdsa-ca.pem
ecdsa-client.pem
ecdsa-server.pem
error_code_utils.js
expired.pem
feature_compatibility_version.js
fixture_helpers.js
fsm_serial_client.js
ftdc.js
fts.js
geo_math.js
geo_near_random.js
get_index_helpers.js
global_snapshot_reads_util.js
host_ipaddr.js
index_bigkeys.js
json_schema_test_runner.js
key1
key1_644
key2
keyForRollover
kill_sessions.js
localhostnameCN.pem
localhostnameSAN.pem
mockkrb5.conf
mockservice.keytab
mockuser.keytab
mongodbauthorizationgrant.cnf
mongoebench.js
mql_model_mongod_test_runner.js
namespace_utils.js
not_yet_valid.pem
parallel_shell_helpers.js
parallelTester.js
password_protected.pem
pin_getmore_cursor.js
profiler.js
python.js
read_committed_lib.js
README.ssl
retryable_writes_util.js
rollover_ca_merged.pem
rollover_ca.pem
rollover_server.pem
server_SAN2.pem
server_SAN.pem
server-intermediate-ca.pem
server-intermediate-ca.pem.sh
server-with-ip-san-2.csr.in
server-with-ip-san.csr.in
server.pem
sessions_collection.js
smoke.pem
specific_secondary_reader_mongo.js
splithorizon-ca.pem
splithorizon-server.pem
ssl_test.js
stats.js
test_background_ops.js
testconfig
trace_missing_docs.js
transactions_util.js
trusted-ca.pem
trusted-client.pem
trusted-client.pfx
trusted-server.pem
trusted-server.pfx
uuid_util.js
write_concern_util.js

README.ssl

rollover_*.pem are certificates and a CA used to test rolling over X509 cluster authentication

# Generate the root CA certificate:
openssl genrsa -out rollover_ca.key 4096
openssl req -key rollover_ca.key -new -x509 -days 3650 -out rollover_ca.pem \
    -subj '/CN=Kernel Rollover Test CA/OU=Kernel/O=MongoDB\, Inc./L=New York/ST=New York/C=US' \
    -addext "keyUsage = critical, digitalSignature, cRLSign, keyCertSign"

cat rollover_ca.pem ca.pem > rollover_ca_merged.pem
cat rollover_ca.key >> rollover_ca.pem
rm rollover_ca.key

# Generate the server key and cert:
openssl genrsa -out rollover_server.key 2048
openssl req -new -key rollover_server.key -days 3650 -out rollover_server.csr \
    -subj '/CN=server/OU=Kernel (Rollover)/O=MongoDB\, Inc. (Rollover)/L=New York/ST=New York/C=US/'

# Sign the new server cert and clean up
openssl x509 -req -days 3650 -in rollover_server.csr -CA rollover_ca.pem -CAcreateserial \
    -out rollover_server.pem -sha256 -extfile <(printf "subjectAltName=DNS:localhost,DNS:127.0.0.1")
cat rollover_server.key >> rollover_server.pem
rm rollover_server.key
rm rollover_server.csr
rm rollover_ca.srl

---------------------------

client-self-signed.pem represents the same RDN as client.pem, but using itself as a CA:

openssl req -nodes -new -subj '/CN=client/OU=KernelUser/O=MongoDB/L=New York City/ST=New York/C=US' -out css.csr -keyout css.rsa
openssl rsa -in css.rsa -out css.key
openssl x509 -in css.csr -out jstests/libs/client-self-signed.pem -req -signkey client-self-signed.key -days 3650
cat css.key >> jstests/libs/client-self-signed.pem
rm css.{csr,rsa,key}

---------------------------
client-multivalue-rdn.pem represents the same RDN as client.pem, but grouping some elements together:

openssl req -new -nodes -subj '/CN=client+OU=KernelUser+O=MongoDB/L=New York City+ST=New York+C=US' -multivalue-rdn \
            -keyout client-multivalue-rdn.key -out client-multivalue-rdn.csr
openssl rsa -in client-multivalue-rdn.key -out client-multivalue-rdn.rsa
openssl x509 -in client-multivalue-rdn.csr -out client-multivalue-rdn.pem -req -CA ca.pem -days 3650 -CAcreateserial
cat client-multivalue-rdn.rsa >> client-multivalue-rdn.pem
rm ca.srl client-multivalue-rdn.key client-multivalue-rdn.rsa client-multivalue-rdn.csr

---------------------------
ecdsa-*.pem are ECDSA signed certificates:

generate an ec-key (from a well known curve)
openssl ecparam -name prime256v1 -genkey -out mykey.key

create certificate request
openssl req -new -key mykey.key -out mycsr.csr

sign key and generate certificate
openssl x509 -req -days 3650 -in mycsr.csr -CA ecdsa-ca.pem -CAcreateserial -out mycrt.crt -sha256

to include SANs in the certificate, instead run
openssl x509 -req -days 3650 -in mycsr.csr -CA ecdsa-ca.pem -CAcreateserial -out mycrt.crt -sha256 -extfile <(printf "subjectAltName=DNS:localhost,DNS:127.0.0.1")

combine key and certificate
cat mycrt.crt mykey.key > mycrt.pem

---------------------------
How to generate a certificate with a custom extension:

1. Generate a normal certificate signing request without an extension
2. Make a copy of the system openssl.cnf and append this text to the file
    On Redhat/Fedora, openssl.cnf is in /etc/pki/tls

See jstests\libs\mongodbauthorizationgrant.cnf for how to generate the text with the
'openssl asn1parse' command.

[MongoDBAuthorizationGrant]
1.3.6.1.4.1.34601.2.1.1 = DER:312B300F0C066261636B75700C0561646D696E30180C0F72656164416E7944617461626173650C0561646D696E

3. Sign the certificate and add the custom extension
4. Make a new pem with the certificate and key

Example Commands
----------------
openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout roles.key -out roles.csr

Example with subject name:
openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout roles.key -out roles.csr -subj "/C=US/ST=New York/L=New York City/O=MongoDB/OU=KernelUser/CN=client/emailAddress=example@mongodb.com"

openssl x509 -req -sha256 -in roles.csr -days 3650 -out roles.pem -extfile openssl.cnf -extensions MongoDBAuthorizationGrant -CA jstests/libs/ca.pem -CAcreateserial

openssl rsa -in roles.key -out roles2.key

cat roles.pem roles2.key > roles_final.pem


Example Commands for UTF-8
--------------------------
openssl req -new -utf8 -nameopt multiline,utf8  -config .\jstests\libs\client_utf8.cnf -newkey rsa:2048 -nodes -keyout roles.key -out roles.csr

Generating other certificates
-----------------------------

The openssl_configs directory contains the openssl config files to create/sign certificates from the
test CA. There is one config file per certificate. As an example, to generate server.pem:

Reset the CA state with fresh directories and a new serial
$ mkdir ca_state
$ echo '01' > ca_state/serial
$ touch ca_state/index.txt

Create the CSR for the server certificate from its config (this will also generate server.key)
$ openssl req -new -config openssl_config/server.cnf -out server.csr

Sign the certificate with the CA (this will update ca_state and output the certificate as server.pem)
$ openssl ca -config openssl_config/ca.cnf -out server.pem -in server.csr

Concatenate the server key into the certificate you just generated
$ cat server.key >> server.pem

Clean up - we don't keep the ca_state around
$ rm -rf ca_state server.key server.csr

Generating CRLs
---------------

Issue your certificate using the ca config above and then revoke it/create a CRL file:

Reset the CA state with fresh directories and a new serial
$ mkdir ca_state
$ echo '01' > ca_state/serial
$ touch ca_state/index.txt

Create the CSR for the server certificate from its config (this will also generate server.key)
$ openssl req -new -config openssl_config/client_revoked.cnf -out client_revoked.csr

Sign the certificate
$ openssl ca -config openssl_config/ca.cnf -out client_revoked.pem -in client_revoked.csr

Revoked the certificate
$ openssl ca -config openssl_config/ca.cnf -revoke client_revoked.pem

Generate the CRL
$ openssl ca -config openssl_config/ca.cnf -gencrl -out crl_client_revoked.pem

Concatenate the revoked certificate
$ cat client_revoked.key >> client_revoked.pem

Clean up
$ rm -rf ca_state client_revoked.key client_revoked.csr