CDRIVER-3408 schannel support + tests on Windows

Author: kevinAlbs

.evergreen/config.yml

@@ -12640,6 +12640,31 @@ tasks:
         set -o errexit
         set -o xtrace
         TEST_COLUMN=TEST_3 CERT_TYPE=rsa USE_DELEGATE=on sh .evergreen/run-ocsp-test.sh
+- name: ocsp-winssl-test_3-rsa-delegate
+  tags:
+  - ocsp-winssl
+  depends_on:
+    name: debug-compile-nosasl-winssl
+  commands:
+  - func: fetch build
+    vars:
+      BUILD_NAME: debug-compile-nosasl-winssl
+  - func: bootstrap mongo-orchestration
+    vars:
+      OCSP: 'on'
+      ORCHESTRATION_FILE: rsa-basic-tls-ocsp-disableStapling
+      SSL: ssl
+      TOPOLOGY: server
+      VERSION: latest
+  - command: shell.exec
+    type: test
+    params:
+      working_dir: mongoc
+      shell: bash
+      script: |-
+        set -o errexit
+        set -o xtrace
+        TEST_COLUMN=TEST_3 CERT_TYPE=rsa USE_DELEGATE=on sh .evergreen/run-ocsp-test.sh
 - name: ocsp-openssl-test_3-ecdsa-delegate
   tags:
   - ocsp-openssl
@@ -12690,6 +12715,31 @@ tasks:
         set -o errexit
         set -o xtrace
         TEST_COLUMN=TEST_3 CERT_TYPE=rsa USE_DELEGATE=off sh .evergreen/run-ocsp-test.sh
+- name: ocsp-winssl-test_3-rsa-nodelegate
+  tags:
+  - ocsp-winssl
+  depends_on:
+    name: debug-compile-nosasl-winssl
+  commands:
+  - func: fetch build
+    vars:
+      BUILD_NAME: debug-compile-nosasl-winssl
+  - func: bootstrap mongo-orchestration
+    vars:
+      OCSP: 'on'
+      ORCHESTRATION_FILE: rsa-basic-tls-ocsp-disableStapling
+      SSL: ssl
+      TOPOLOGY: server
+      VERSION: latest
+  - command: shell.exec
+    type: test
+    params:
+      working_dir: mongoc
+      shell: bash
+      script: |-
+        set -o errexit
+        set -o xtrace
+        TEST_COLUMN=TEST_3 CERT_TYPE=rsa USE_DELEGATE=off sh .evergreen/run-ocsp-test.sh
 - name: ocsp-openssl-test_3-ecdsa-nodelegate
   tags:
   - ocsp-openssl
@@ -12715,6 +12765,56 @@ tasks:
         set -o errexit
         set -o xtrace
         TEST_COLUMN=TEST_3 CERT_TYPE=ecdsa USE_DELEGATE=off sh .evergreen/run-ocsp-test.sh
+- name: ocsp-winssl-test_4-rsa-delegate
+  tags:
+  - ocsp-winssl
+  depends_on:
+    name: debug-compile-nosasl-winssl
+  commands:
+  - func: fetch build
+    vars:
+      BUILD_NAME: debug-compile-nosasl-winssl
+  - func: bootstrap mongo-orchestration
+    vars:
+      OCSP: 'on'
+      ORCHESTRATION_FILE: rsa-basic-tls-ocsp-disableStapling
+      SSL: ssl
+      TOPOLOGY: server
+      VERSION: latest
+  - command: shell.exec
+    type: test
+    params:
+      working_dir: mongoc
+      shell: bash
+      script: |-
+        set -o errexit
+        set -o xtrace
+        TEST_COLUMN=TEST_4 CERT_TYPE=rsa USE_DELEGATE=on sh .evergreen/run-ocsp-test.sh
+- name: ocsp-winssl-test_4-rsa-nodelegate
+  tags:
+  - ocsp-winssl
+  depends_on:
+    name: debug-compile-nosasl-winssl
+  commands:
+  - func: fetch build
+    vars:
+      BUILD_NAME: debug-compile-nosasl-winssl
+  - func: bootstrap mongo-orchestration
+    vars:
+      OCSP: 'on'
+      ORCHESTRATION_FILE: rsa-basic-tls-ocsp-disableStapling
+      SSL: ssl
+      TOPOLOGY: server
+      VERSION: latest
+  - command: shell.exec
+    type: test
+    params:
+      working_dir: mongoc
+      shell: bash
+      script: |-
+        set -o errexit
+        set -o xtrace
+        TEST_COLUMN=TEST_4 CERT_TYPE=rsa USE_DELEGATE=off sh .evergreen/run-ocsp-test.sh
 - name: ocsp-openssl-soft_fail_test-rsa-nodelegate
   tags:
   - ocsp-openssl
@@ -12740,6 +12840,31 @@ tasks:
         set -o errexit
         set -o xtrace
         TEST_COLUMN=SOFT_FAIL_TEST CERT_TYPE=rsa USE_DELEGATE=off sh .evergreen/run-ocsp-test.sh
+- name: ocsp-winssl-soft_fail_test-rsa-nodelegate
+  tags:
+  - ocsp-winssl
+  depends_on:
+    name: debug-compile-nosasl-winssl
+  commands:
+  - func: fetch build
+    vars:
+      BUILD_NAME: debug-compile-nosasl-winssl
+  - func: bootstrap mongo-orchestration
+    vars:
+      OCSP: 'on'
+      ORCHESTRATION_FILE: rsa-basic-tls-ocsp-disableStapling
+      SSL: ssl
+      TOPOLOGY: server
+      VERSION: latest
+  - command: shell.exec
+    type: test
+    params:
+      working_dir: mongoc
+      shell: bash
+      script: |-
+        set -o errexit
+        set -o xtrace
+        TEST_COLUMN=SOFT_FAIL_TEST CERT_TYPE=rsa USE_DELEGATE=off sh .evergreen/run-ocsp-test.sh
 - name: ocsp-openssl-soft_fail_test-ecdsa-nodelegate
   tags:
   - ocsp-openssl
@@ -12765,6 +12890,81 @@ tasks:
         set -o errexit
         set -o xtrace
         TEST_COLUMN=SOFT_FAIL_TEST CERT_TYPE=ecdsa USE_DELEGATE=off sh .evergreen/run-ocsp-test.sh
+- name: ocsp-winssl-malicious_server_test_1-rsa-delegate
+  tags:
+  - ocsp-winssl
+  depends_on:
+    name: debug-compile-nosasl-winssl
+  commands:
+  - func: fetch build
+    vars:
+      BUILD_NAME: debug-compile-nosasl-winssl
+  - func: bootstrap mongo-orchestration
+    vars:
+      OCSP: 'on'
+      ORCHESTRATION_FILE: rsa-basic-tls-ocsp-mustStaple-disableStapling
+      SSL: ssl
+      TOPOLOGY: server
+      VERSION: latest
+  - command: shell.exec
+    type: test
+    params:
+      working_dir: mongoc
+      shell: bash
+      script: |-
+        set -o errexit
+        set -o xtrace
+        TEST_COLUMN=MALICIOUS_SERVER_TEST_1 CERT_TYPE=rsa USE_DELEGATE=on sh .evergreen/run-ocsp-test.sh
+- name: ocsp-winssl-malicious_server_test_1-rsa-nodelegate
+  tags:
+  - ocsp-winssl
+  depends_on:
+    name: debug-compile-nosasl-winssl
+  commands:
+  - func: fetch build
+    vars:
+      BUILD_NAME: debug-compile-nosasl-winssl
+  - func: bootstrap mongo-orchestration
+    vars:
+      OCSP: 'on'
+      ORCHESTRATION_FILE: rsa-basic-tls-ocsp-mustStaple-disableStapling
+      SSL: ssl
+      TOPOLOGY: server
+      VERSION: latest
+  - command: shell.exec
+    type: test
+    params:
+      working_dir: mongoc
+      shell: bash
+      script: |-
+        set -o errexit
+        set -o xtrace
+        TEST_COLUMN=MALICIOUS_SERVER_TEST_1 CERT_TYPE=rsa USE_DELEGATE=off sh .evergreen/run-ocsp-test.sh
+- name: ocsp-winssl-malicious_server_test_2-rsa-nodelegate
+  tags:
+  - ocsp-winssl
+  depends_on:
+    name: debug-compile-nosasl-winssl
+  commands:
+  - func: fetch build
+    vars:
+      BUILD_NAME: debug-compile-nosasl-winssl
+  - func: bootstrap mongo-orchestration
+    vars:
+      OCSP: 'on'
+      ORCHESTRATION_FILE: rsa-basic-tls-ocsp-mustStaple-disableStapling
+      SSL: ssl
+      TOPOLOGY: server
+      VERSION: latest
+  - command: shell.exec
+    type: test
+    params:
+      working_dir: mongoc
+      shell: bash
+      script: |-
+        set -o errexit
+        set -o xtrace
+        TEST_COLUMN=MALICIOUS_SERVER_TEST_2 CERT_TYPE=rsa USE_DELEGATE=off sh .evergreen/run-ocsp-test.sh
 buildvariants:
 - name: releng
   display_name: '**Release Archive Creator'
@@ -13446,6 +13646,12 @@ buildvariants:
   - name: debug-compile-nosasl-openssl
     distros:
     - ubuntu1804-test
+  - name: debug-compile-nosasl-winssl
+    distros:
+    - windows-64-vs2017-test
   - name: .ocsp-openssl
     distros:
     - ubuntu1804-test
+  - name: .ocsp-winssl
+    distros:
+    - windows-64-vs2017-test

.evergreen/run-ocsp-test.sh

@@ -111,12 +111,6 @@ expect_failure () {
     fi
 }
 
-# Start a mock responder if necessary.
-if curl localhost:8100 > /dev/null 2>&1; then
-    echo "Detected process listening on port 8100. Attempting to kill running mock responders.";
-    pkill -f "ocsp_mock" || true
-fi
-
 # Same responder is used for both server and client. So even stapling tests require a responder.
 if [ "TEST_1" = "$TEST_COLUMN" ]; then
     RESPONDER_REQUIRED="valid"
@@ -132,33 +126,52 @@ else
     RESPONDER_REQUIRED=""
 fi
 
-if [ "ON" = "$USE_DELEGATE" ]; then
-    DELEGATE_TOKEN="delegate"
-fi
-
 if [ -n "$RESPONDER_REQUIRED" ]; then
     echo "Starting mock responder"
     if [ -z "$SKIP_PIP_INSTALL" ]; then
         echo "Installing python dependencies"
         # Installing dependencies.
-        /opt/mongodbtoolchain/v3/bin/python3 -m venv ./venv
-        . ./venv/bin/activate
-        pip install oscrypto bottle asn1crypto
+        if [ "$OS" = "WINDOWS" ]; then
+            /cygdrive/c/python/Python36/python --version
+            /cygdrive/c/python/Python36/python -m virtualenv venv_ocsp
+            PYTHON="$(pwd)/venv_ocsp/Scripts/python"
+        else
+            /opt/mongodbtoolchain/v3/bin/python3 -m venv ./venv_ocsp
+            PYTHON=./venv_ocsp/bin/python
+        fi
+        $PYTHON -m pip install oscrypto bottle asn1crypto
     fi
     cd "$CDRIVER_ROOT/.evergreen/ocsp/$CERT_TYPE"
-    ./mock-$DELEGATE_TOKEN$RESPONDER_REQUIRED.sh > $CDRIVER_BUILD/responder.log 2>&1 &
+    if [ "$RESPONDER_REQUIRED" = "invalid" ]; then
+        FAULT="--fault revoked"
+    fi
+    if [ "ON" = "$USE_DELEGATE" ]; then
+        RESPONDER_SIGNER="ocsp-responder"
+    else
+        RESPONDER_SIGNER="ca"
+    fi
+    $PYTHON ../ocsp_mock.py \
+        --ca_file ca.pem \
+        --ocsp_responder_cert $RESPONDER_SIGNER.crt \
+        --ocsp_responder_key $RESPONDER_SIGNER.key \
+        -p 8100 -v $FAULT \
+        > $CDRIVER_BUILD/responder.log 2>&1 &
     cd -
 fi
 
 echo "Clearing OCSP cache for macOS/Windows"
 if [ "$OS" = "MACOS" ]; then
-    find ~/profile/Library/Keychains -name 'ocspcache.sqlite3' -exec sqlite3 "{}" 'DELETE FROM responses' \;
+    find ~/profile/Library/Keychains -name 'ocspcache.sqlite3' -exec sqlite3 "{}" 'DELETE FROM responses' \; || true
 elif [ "$OS" = "WINDOWS" ]; then
-    certutil -urlcache "*" delete
+    certutil -urlcache "*" delete || true
 fi
 
 # Always add the tlsCAFile
-BASE_URI="mongodb://localhost:$MONGODB_PORT/?tls=true&tlsCAFile=$CDRIVER_ROOT/.evergreen/ocsp/$CERT_TYPE/ca.pem"
+CA_PATH=$CDRIVER_ROOT/.evergreen/ocsp/$CERT_TYPE/ca.pem
+if [ "$OS" = "WINDOWS" ]; then
+    CA_PATH=$(cygpath -m -a $CA_PATH)
+fi
+BASE_URI="mongodb://localhost:$MONGODB_PORT/?tls=true&tlsCAFile=$CA_PATH"
 MONGODB_URI="$BASE_URI"
 
 # Only a handful of cases are expected to fail.

build/evergreen_config_lib/tasks.py

@@ -938,8 +938,7 @@ def to_dict(self):
     def _check_allowed(self):
         # Current latest macOS does not support the disableStapling failpoint.
         # There are no tests that can run on macOS in current evergreen configuration.
-        # Removing windows for now too.
-        if self.ssl == 'darwinssl' or self.ssl == 'winssl':
+        if self.ssl == 'darwinssl':
             # TODO: remove this when macOS latest download is updated
             prohibit (True)
 
@@ -950,12 +949,9 @@ def _check_allowed(self):
         # OCSP stapling is not supported on macOS or Windows.
         if self.ssl == 'darwinssl' or self.ssl == 'winssl':
             prohibit (self.test in ['test_1', 'test_2'])
+
         if self.test == 'soft_fail_test' or self.test == 'malicious_server_test_2':
             prohibit(self.delegate == 'delegate')
-
-        # Until soft-fail is supported on Windows, skip test.
-        if self.ssl == 'winssl':
-            prohibit (self.test == 'soft_fail_test')
 
         # Until OCSP is supported in OpenSSL, skip tests that expect to be revoked.
         if self.ssl == 'openssl':

build/evergreen_config_lib/variants.py

@@ -616,9 +616,9 @@
     Variant ('ocsp', 'OCSP tests', 'ubuntu1804-test', [
         OD([('name', 'debug-compile-nosasl-openssl'), ('distros', ['ubuntu1804-test'])]),
         #OD([('name', 'debug-compile-nosasl-darwinssl'), ('distros', ['macos-1014'])]),
-        #OD([('name', 'debug-compile-nosasl-winssl'), ('distros', ['windows-64-vs2017-test'])]),
+        OD([('name', 'debug-compile-nosasl-winssl'), ('distros', ['windows-64-vs2017-test'])]),
         OD([('name', '.ocsp-openssl'), ('distros', ['ubuntu1804-test'])]),
         #OD([('name', '.ocsp-darwinssl'), ('distros', ['macos-1014'])]),
-        #OD([('name', '.ocsp-winssl'), ('distros', ['windows-64-vs2017-test'])])
+        OD([('name', '.ocsp-winssl'), ('distros', ['windows-64-vs2017-test'])])
     ])
 ]

src/libmongoc/doc/mongoc_ssl_opt_t.rst

@@ -96,7 +96,7 @@ When compiled against the Windows native libraries, the ``ca_dir`` option is not
 
 Encrypted PEM files (e.g., requiring ``pem_pwd``) are also not supported, and will result in error when attempting to load them.
 
-When ``ca_file`` is provided, the driver will only allow server certificates issued by the authority (or authorities) provided. When no ``ca_file`` is provided, the driver will look up the Certificate Authority using the ``System Local Machine Root`` certificate store to confirm the provided certificate.
+When ``ca_file`` is provided, the driver will only allow server certificates issued by the authority (or authorities) provided. When no ``ca_file`` is provided, the driver will look up the Certificate Authority using the ``System Local Machine Root`` certificate store to confirm the provided certificate or the ``Current user certificate store`` if the ``System Local Machine Root`` certificate store is unavailable.
 
 When ``crl_file`` is provided, the driver will import the revocation list to the ``System Local Machine Root`` certificate store.
 

src/libmongoc/src/mongoc/mongoc-secure-channel.c

@@ -383,8 +383,17 @@ mongoc_secure_channel_setup_ca (
       L"Root"); /* system store name. "My" or "Root" */
 
    if (cert_store == NULL) {
-      MONGOC_ERROR ("Error opening certificate store");
-      return false;
+      cert_store = CertOpenStore (
+         CERT_STORE_PROV_SYSTEM,                  /* provider */
+         X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, /* certificate encoding */
+         0,                                       /* unused */
+         CERT_SYSTEM_STORE_CURRENT_USER,         /* dwFlags */
+         L"My"); /* system store name. "My" or "Root" */
+
+      if (cert_store == NULL) {
+         MONGOC_ERROR ("Error opening certificate store");
+         return false;
+      }
    }
 
    if (CertAddCertificateContextToStore (