NODE-951 Added support for sslCRL option and added a test case for it

Author: christkv

docs/reference/content/tutorials/connect/ssl.md

@@ -142,6 +142,7 @@ The following TLS/SSL options are available.
 | `ssl` | {Boolean, default: false} | Use ssl connection |
 | `sslValidate` | {Boolean, default: true} | Validate server certificate against certificate authority. |
 | `sslCA` | {Buffer[]\|string[], default: null} | Array of valid certificates for Certificate Authority either as Buffers or Strings. |
+| `sslCRL` | {Buffer[]\|string[], default: null} | Array of revocation certificates as Buffers or Strings. |
 | `sslCert` | {Buffer\|string, default: null} | String or buffer containing the client certificate. |
 | `sslPass` | {Buffer\|string, default: null} | String or buffer containing the client certificate password. |
 

lib/mongo_client.js

@@ -27,7 +27,7 @@ var parse = require('./url_parser')
  * });
  */
 var validOptionNames = ['poolSize', 'ssl', 'sslValidate', 'sslCA', 'sslCert',
-  'sslKey', 'sslPass', 'autoReconnect', 'noDelay', 'keepAlive', 'connectTimeoutMS',
+  'sslKey', 'sslPass', 'sslCRL', 'autoReconnect', 'noDelay', 'keepAlive', 'connectTimeoutMS',
   'socketTimeoutMS', 'reconnectTries', 'reconnectInterval', 'ha', 'haInterval',
   'replicaSet', 'secondaryAcceptableLatencyMS', 'acceptableLatencyMS',
   'connectWithNoPrimary', 'authSource', 'w', 'wtimeout', 'j', 'forceServerObjectId',
@@ -85,6 +85,7 @@ function MongoClient() {
    * @param {number} [options.poolSize=5] poolSize The maximum size of the individual server pool.
    * @param {boolean} [options.ssl=false] Enable SSL connection.
    * @param {Buffer} [options.sslCA=undefined] SSL Certificate store binary buffer
+   * @param {Buffer} [options.sslCRL=undefined] SSL Certificate revocation list binary buffer
    * @param {Buffer} [options.sslCert=undefined] SSL Certificate binary buffer
    * @param {Buffer} [options.sslKey=undefined] SSL Key file binary buffer
    * @param {string} [options.sslPass=undefined] SSL Certificate pass phrase
@@ -146,6 +147,7 @@ var define = MongoClient.define = new Define('MongoClient', MongoClient, false);
  * @param {number} [options.poolSize=5] poolSize The maximum size of the individual server pool.
  * @param {boolean} [options.ssl=false] Enable SSL connection.
  * @param {Buffer} [options.sslCA=undefined] SSL Certificate store binary buffer
+ * @param {Buffer} [options.sslCRL=undefined] SSL Certificate revocation list binary buffer
  * @param {Buffer} [options.sslCert=undefined] SSL Certificate binary buffer
  * @param {Buffer} [options.sslKey=undefined] SSL Key file binary buffer
  * @param {string} [options.sslPass=undefined] SSL Certificate pass phrase

lib/mongos.js

@@ -49,7 +49,7 @@ var release = os.release();
  // Allowed parameters
  var legalOptionNames = ['ha', 'haInterval', 'acceptableLatencyMS'
    , 'poolSize', 'ssl', 'checkServerIdentity', 'sslValidate'
-   , 'sslCA', 'sslCert', 'sslKey', 'sslPass', 'socketOptions', 'bufferMaxEntries'
+   , 'sslCA', 'sslCRL', 'sslCert', 'sslKey', 'sslPass', 'socketOptions', 'bufferMaxEntries'
    , 'store', 'auto_reconnect', 'autoReconnect', 'emitError'
    , 'keepAlive', 'noDelay', 'connectTimeoutMS', 'socketTimeoutMS'
    , 'loggerLevel', 'logger', 'reconnectTries', 'appname', 'domainsEnabled'
@@ -69,6 +69,7 @@ var release = os.release();
  * @param {boolean|function} [options.checkServerIdentity=true] Ensure we check server identify during SSL, set to false to disable checking. Only works for Node 0.12.x or higher. You can pass in a boolean or your own checkServerIdentity override function.
  * @param {object} [options.sslValidate=true] Validate mongod server certificate against ca (needs to have a mongod server with ssl support, 2.4 or higher)
  * @param {array} [options.sslCA=null] Array of valid certificates either as Buffers or Strings (needs to have a mongod server with ssl support, 2.4 or higher)
+ * @param {array} [options.sslCRL=null] Array of revocation certificates either as Buffers or Strings (needs to have a mongod server with ssl support, 2.4 or higher)
  * @param {(Buffer|string)} [options.sslCert=null] String or buffer containing the certificate we wish to present (needs to have a mongod server with ssl support, 2.4 or higher)
  * @param {(Buffer|string)} [options.sslKey=null] String or buffer containing the certificate private key we wish to present (needs to have a mongod server with ssl support, 2.4 or higher)
  * @param {(Buffer|string)} [options.sslPass=null] String or buffer containing the certificate password (needs to have a mongod server with ssl support, 2.4 or higher)

lib/replset.js

@@ -42,7 +42,7 @@ var EventEmitter = require('events').EventEmitter
 // Allowed parameters
 var legalOptionNames = ['ha', 'haInterval', 'replicaSet', 'rs_name', 'secondaryAcceptableLatencyMS'
   , 'connectWithNoPrimary', 'poolSize', 'ssl', 'checkServerIdentity', 'sslValidate'
-  , 'sslCA', 'sslCert', 'sslKey', 'sslPass', 'socketOptions', 'bufferMaxEntries'
+  , 'sslCA', 'sslCert', 'sslCRL', 'sslKey', 'sslPass', 'socketOptions', 'bufferMaxEntries'
   , 'store', 'auto_reconnect', 'autoReconnect', 'emitError'
   , 'keepAlive', 'noDelay', 'connectTimeoutMS', 'socketTimeoutMS', 'strategy', 'debug'
   , 'loggerLevel', 'logger', 'reconnectTries', 'appname', 'domainsEnabled'
@@ -72,6 +72,7 @@ var release = os.release();
  * @param {boolean|function} [options.checkServerIdentity=true] Ensure we check server identify during SSL, set to false to disable checking. Only works for Node 0.12.x or higher. You can pass in a boolean or your own checkServerIdentity override function.
  * @param {object} [options.sslValidate=true] Validate mongod server certificate against ca (needs to have a mongod server with ssl support, 2.4 or higher)
  * @param {array} [options.sslCA=null] Array of valid certificates either as Buffers or Strings (needs to have a mongod server with ssl support, 2.4 or higher)
+ * @param {array} [options.sslCRL=null] Array of revocation certificates either as Buffers or Strings (needs to have a mongod server with ssl support, 2.4 or higher)
  * @param {(Buffer|string)} [options.sslCert=null] String or buffer containing the certificate we wish to present (needs to have a mongod server with ssl support, 2.4 or higher)
  * @param {(Buffer|string)} [options.sslKey=null] String or buffer containing the certificate private key we wish to present (needs to have a mongod server with ssl support, 2.4 or higher)
  * @param {(Buffer|string)} [options.sslPass=null] String or buffer containing the certificate password (needs to have a mongod server with ssl support, 2.4 or higher)

lib/server.js

@@ -46,7 +46,7 @@ var release = os.release();
  // Allowed parameters
  var legalOptionNames = ['ha', 'haInterval', 'acceptableLatencyMS'
    , 'poolSize', 'ssl', 'checkServerIdentity', 'sslValidate'
-   , 'sslCA', 'sslCert', 'sslKey', 'sslPass', 'socketOptions', 'bufferMaxEntries'
+   , 'sslCA', 'sslCRL', 'sslCert', 'sslKey', 'sslPass', 'socketOptions', 'bufferMaxEntries'
    , 'store', 'auto_reconnect', 'autoReconnect', 'emitError'
    , 'keepAlive', 'noDelay', 'connectTimeoutMS', 'socketTimeoutMS'
    , 'loggerLevel', 'logger', 'reconnectTries', 'reconnectInterval', 'monitoring'
@@ -65,6 +65,7 @@ var release = os.release();
  * @param {object} [options.sslValidate=true] Validate mongod server certificate against ca (needs to have a mongod server with ssl support, 2.4 or higher)
  * @param {boolean|function} [options.checkServerIdentity=true] Ensure we check server identify during SSL, set to false to disable checking. Only works for Node 0.12.x or higher. You can pass in a boolean or your own checkServerIdentity override function.
  * @param {array} [options.sslCA=null] Array of valid certificates either as Buffers or Strings (needs to have a mongod server with ssl support, 2.4 or higher)
+ * @param {array} [options.sslCRL=null] Array of revocation certificates either as Buffers or Strings (needs to have a mongod server with ssl support, 2.4 or higher)
  * @param {(Buffer|string)} [options.sslCert=null] String or buffer containing the certificate we wish to present (needs to have a mongod server with ssl support, 2.4 or higher)
  * @param {(Buffer|string)} [options.sslKey=null] String or buffer containing the certificate private key we wish to present (needs to have a mongod server with ssl support, 2.4 or higher)
  * @param {(Buffer|string)} [options.sslPass=null] String or buffer containing the certificate password (needs to have a mongod server with ssl support, 2.4 or higher)

lib/utils.js

@@ -262,7 +262,8 @@ var mergeOptions = function(target, source) {
 var translateOptions = function(target, source) {
   var translations = {
     // SSL translation options
-    'sslCA': 'ca', 'sslValidate': 'rejectUnauthorized', 'sslKey': 'key', 'sslCert': 'cert', 'sslPass': 'passphrase',
+    'sslCA': 'ca', 'sslCRL': 'crl', 'sslValidate': 'rejectUnauthorized', 'sslKey': 'key', 
+    'sslCert': 'cert', 'sslPass': 'passphrase',
     // SocketTimeout translation options
     'socketTimeoutMS': 'socketTimeout', 'connectTimeoutMS': 'connectionTimeout',
     // Replicaset options

test/functional/ssl_mongoclient_tests.js

@@ -54,6 +54,60 @@ exports.shouldCorrectlyCommunicateUsingSSLSocket = {
   }
 }
 
+/**
+ * @ignore
+ */
+exports['should fail due to CRL list passed in'] = {
+  metadata: { requires: { topology: 'ssl' } },
+
+  // The actual test we wish to run
+  test: function(configuration, test) {
+    var ServerManager = require('mongodb-topology-manager').Server
+      , MongoClient = configuration.require.MongoClient;
+
+    // All inserted docs
+    var docs = [];
+    var errs = [];
+    var insertDocs = [];
+
+    // Start server
+    var serverManager = new ServerManager('mongod', {
+        journal: null
+      , port: 27019
+      , sslOnNormalPorts: null
+      , sslPEMKeyFile: __dirname + "/ssl/server.pem"
+      , dbpath: path.join(path.resolve('db'), f("data-%d", 27019))
+    }, {
+      ssl:true
+    });
+
+    // Read the ca
+    var crl = [fs.readFileSync(__dirname + "/ssl/crl_expired.pem")];
+    var ca = [fs.readFileSync(__dirname + "/ssl/ca.pem")];
+
+    serverManager.purge().then(function() {
+      // Start the server
+      serverManager.start().then(function() {
+        setTimeout(function() {
+          // Connect
+          MongoClient.connect("mongodb://server:27019/test?ssl=true", {
+            sslValidate: true,
+            sslCA: ca,
+            sslCRL: crl,
+          }, function(err, db) {
+            test.ok(err);
+            test.ok(err.message.indexOf('CRL has expired') != -1);
+
+            serverManager.stop().then(function() {
+              test.done();
+            });
+          });
+        }, 10000);
+      });
+    });
+  }
+}
+
 /**
  * @ignore
  */