GODRIVER-2239 use source of PyKMIP (#1051)

* add script to generate elliptic curve certificates

* GODRIVER-2239 do not use fork of PyKMIP

Co-authored-by: Preston Vasquez <[email protected]>

Author: kevinAlbs

.evergreen/config.yml

@@ -481,8 +481,8 @@ functions:
           export AWS_DEFAULT_REGION="us-east-1"
 
           # Set client-side encryption credentials.
-          export CSFLE_TLS_CA_FILE="$DRIVERS_TOOLS/.evergreen/x509gen/ca.pem"
-          export CSFLE_TLS_CERTIFICATE_KEY_FILE="$DRIVERS_TOOLS/.evergreen/x509gen/client.pem"
+          export CSFLE_TLS_CA_FILE="$PROJECT_DIRECTORY/data/kmip-certs/ca-ec.pem"
+          export CSFLE_TLS_CERTIFICATE_KEY_FILE="$PROJECT_DIRECTORY/data/kmip-certs/client-ec.pem"
 
           ${PYTHON3_BINARY} -m venv ./venv
           ./venv/${VENV_BIN_DIR|bin}/pip3 install boto3
@@ -940,9 +940,6 @@ functions:
           # only run this if virtualenv is installed
           if ${PYTHON3_BINARY} -m venv ./venv; then
             . ./activate_venv.sh
-
-            # TODO (GODRIVER-2239): Stabilize this pip install with a non-forked version of PyKMIP in
-            pip install git+https://github.com/kevinAlbs/PyKMIP.git@expand_tls12_ciphers
           else
             echo "Python module venv not found, skipping virtual environment setup..."
           fi
@@ -952,9 +949,15 @@ functions:
         script: |
           cd ${DRIVERS_TOOLS}/.evergreen/csfle
           if [ "Windows_NT" = "$OS" ]; then
-            kmstlsvenv/Scripts/python.exe -u kms_kmip_server.py --port 5698
+            kmstlsvenv/Scripts/python.exe -u kms_kmip_server.py \
+              --port 5698 \
+              --ca_file "${PROJECT_DIRECTORY}/data/kmip-certs/ca-ec.pem" \
+              --cert_file "${PROJECT_DIRECTORY}/data/kmip-certs/server-ec.pem"
           else
-            ./kmstlsvenv/bin/python3 -u kms_kmip_server.py --port 5698
+            ./kmstlsvenv/bin/python3 -u kms_kmip_server.py \
+              --port 5698 \
+              --ca_file "${PROJECT_DIRECTORY}/data/kmip-certs/ca-ec.pem" \
+              --cert_file "${PROJECT_DIRECTORY}/data/kmip-certs/server-ec.pem"
           fi
 
   run-kms-tls-test:
@@ -1007,8 +1010,8 @@ functions:
           AZURE_CLIENT_SECRET="${cse_azure_client_secret}" \
           GCP_EMAIL="${cse_gcp_email}" \
           GCP_PRIVATE_KEY="${cse_gcp_private_key}" \
-          CSFLE_TLS_CA_FILE="$DRIVERS_TOOLS/.evergreen/x509gen/ca.pem"
-          CSFLE_TLS_CERTIFICATE_KEY_FILE="$DRIVERS_TOOLS/.evergreen/x509gen/client.pem"
+          CSFLE_TLS_CA_FILE="$PROJECT_DIRECTORY/data/kmip-certs/ca-ec.pem"
+          CSFLE_TLS_CERTIFICATE_KEY_FILE="$PROJECT_DIRECTORY/data/kmip-certs/client-ec.pem"
           make evg-test-kmip \
           PKG_CONFIG_PATH=$PKG_CONFIG_PATH \
           LD_LIBRARY_PATH=$LD_LIBRARY_PATH

.evergreen/run-tests.sh

@@ -96,6 +96,14 @@ else
   echo "crypt_shared library will be loaded from path: $CRYPT_SHARED_LIB_PATH"
 fi
 
+CSFLE_TLS_CA_FILE="$(pwd)/data/kmip-certs/ca-ec.pem"
+CSFLE_TLS_CERTIFICATE_KEY_FILE="$(pwd)/data/kmip-certs/client-ec.pem"
+
+if [ "Windows_NT" = "$OS" ]; then
+  CSFLE_TLS_CA_FILE=$(cygpath -m $CSFLE_TLS_CA_FILE)
+  CSFLE_TLS_CERTIFICATE_KEY_FILE=$(cygpath -m $CSFLE_TLS_CERTIFICATE_KEY_FILE)
+fi
+
 AUTH=${AUTH} \
 SSL=${SSL} \
 MONGO_GO_DRIVER_CA_FILE=${MONGO_GO_DRIVER_CA_FILE} \
@@ -117,8 +125,8 @@ AZURE_CLIENT_ID="${cse_azure_client_id}" \
 AZURE_CLIENT_SECRET="${cse_azure_client_secret}" \
 GCP_EMAIL="${cse_gcp_email}" \
 GCP_PRIVATE_KEY="${cse_gcp_private_key}" \
-CSFLE_TLS_CA_FILE="$DRIVERS_TOOLS/.evergreen/x509gen/ca.pem" \
-CSFLE_TLS_CERTIFICATE_KEY_FILE="$DRIVERS_TOOLS/.evergreen/x509gen/client.pem" \
+CSFLE_TLS_CA_FILE="$CSFLE_TLS_CA_FILE" \
+CSFLE_TLS_CERTIFICATE_KEY_FILE="$CSFLE_TLS_CERTIFICATE_KEY_FILE" \
 CRYPT_SHARED_LIB_PATH=$CRYPT_SHARED_LIB_PATH \
 make evg-test \
 PKG_CONFIG_PATH=$PKG_CONFIG_PATH \

data/kmip-certs/README.md

@@ -0,0 +1,4 @@
+These Elliptic Curve (EC) certificates were generated by running `etc/gen-ec-certs/gen-ec-certs.sh`.
+The EC certificates are used for testing the Go driver with PyKMIP.
+PyKMIP does not support Golang's default TLS cipher suites with RSA.
+

data/kmip-certs/ca-ec.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBtjCCAVsCAj+0MAoGCCqGSM49BAMCMGUxCzAJBgNVBAYTAlVTMREwDwYDVQQI
+DAhOZXcgWW9yazEWMBQGA1UEBwwNTmV3IFlvcmsgQ2l0eTEQMA4GA1UECgwHTW9u
+Z29EQjEMMAoGA1UECwwDREJYMQswCQYDVQQDDAJjYTAgFw0yMjA4MTgwMDM5NTZa
+GA8yMDYyMDgwODAwMzk1NlowZTELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE5ldyBZ
+b3JrMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5MRAwDgYDVQQKDAdNb25nb0RCMQww
+CgYDVQQLDANEQlgxCzAJBgNVBAMMAmNhMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
+QgAE0YOWpm6I2mES1h6CKMw5j29lWDfk36/S7i2+Rw5e9JvGmDGSepDH03MJlm4l
+J9pou6NJrtAfIhMsxvh4oECodTAKBggqhkjOPQQDAgNJADBGAiEAyr7ByfWjA1aG
+hJD1zFtU2C/+i59vGY3oYQ3gX6Y7HrICIQDkO5JF9tXeDOL5IPkpjBAp6OjACE6Y
+Ns42/ywMFmyWhA==
+-----END CERTIFICATE-----

data/kmip-certs/client-ec.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIB/jCCAaSgAwIBAgICYz4wCgYIKoZIzj0EAwIwZTELMAkGA1UEBhMCVVMxETAP
+BgNVBAgMCE5ldyBZb3JrMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5MRAwDgYDVQQK
+DAdNb25nb0RCMQwwCgYDVQQLDANEQlgxCzAJBgNVBAMMAmNhMCAXDTIyMDgxODAw
+Mzk1NloYDzIwNjIwODA4MDAzOTU2WjBpMQswCQYDVQQGEwJVUzERMA8GA1UECAwI
+TmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAOBgNVBAoMB01vbmdv
+REIxDDAKBgNVBAsMA0RCWDEPMA0GA1UEAwwGY2xpZW50MFkwEwYHKoZIzj0CAQYI
+KoZIzj0DAQcDQgAE3lcl3A0IqcmuNeNhk9u8KZKe/Du5/e2xd3B8MRqROb/MDTFY
+JkBatcCNhcSCIjgtFMjZ8Rv2WrrN0fvmEqYpm6M+MDwwCQYDVR0TBAIwADAaBgNV
+HREEEzARgglsb2NhbGhvc3SHBH8AAAEwEwYDVR0lBAwwCgYIKwYBBQUHAwIwCgYI
+KoZIzj0EAwIDSAAwRQIgbkV6V3MK2nZdjr7LV0PKqfxKCWRyxRACEOH61a6dctsC
+IQD6k65C8AXAPOL+cqaZjoEMBpRea4F8gL0jIwzHh+tkAA==
+-----END CERTIFICATE-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIOw4V3MEjv/5go8JQGr9Au1sa9yzLzPXVsiZ2OihwN7joAoGCCqGSM49
+AwEHoUQDQgAE3lcl3A0IqcmuNeNhk9u8KZKe/Du5/e2xd3B8MRqROb/MDTFYJkBa
+tcCNhcSCIjgtFMjZ8Rv2WrrN0fvmEqYpmw==
+-----END EC PRIVATE KEY-----

data/kmip-certs/server-ec.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIB/TCCAaSgAwIBAgICNNIwCgYIKoZIzj0EAwIwZTELMAkGA1UEBhMCVVMxETAP
+BgNVBAgMCE5ldyBZb3JrMRYwFAYDVQQHDA1OZXcgWW9yayBDaXR5MRAwDgYDVQQK
+DAdNb25nb0RCMQwwCgYDVQQLDANEQlgxCzAJBgNVBAMMAmNhMCAXDTIyMDgxODAw
+Mzk1NloYDzIwNjIwODA4MDAzOTU2WjBpMQswCQYDVQQGEwJVUzERMA8GA1UECAwI
+TmV3IFlvcmsxFjAUBgNVBAcMDU5ldyBZb3JrIENpdHkxEDAOBgNVBAoMB01vbmdv
+REIxDDAKBgNVBAsMA0RCWDEPMA0GA1UEAwwGc2VydmVyMFkwEwYHKoZIzj0CAQYI
+KoZIzj0DAQcDQgAEgWFZeI/XzPl42qAMa8UZBLoW2IdkIowhz+iu9F5LkAXI388L
+qbRE4327RvquPO7Ca5eB9GNs77DEtnfMnVuXQ6M+MDwwCQYDVR0TBAIwADAaBgNV
+HREEEzARgglsb2NhbGhvc3SHBH8AAAEwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYI
+KoZIzj0EAwIDRwAwRAIgHz7k59ubmnFHM+4GQpz0aeQ+FQGadRYe/h31iRye2wMC
+IAvirZCoxYBLlZ0NoXH8ncmEQzgkCx9hhv7mWpjNRk/h
+-----END CERTIFICATE-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIIRjzdANl/ghc/LgEdyGRc3xo07YHu1qku3GQNGY2OnboAoGCCqGSM49
+AwEHoUQDQgAEgWFZeI/XzPl42qAMa8UZBLoW2IdkIowhz+iu9F5LkAXI388LqbRE
+4327RvquPO7Ca5eB9GNs77DEtnfMnVuXQw==
+-----END EC PRIVATE KEY-----

etc/gen-ec-certs/client.ext

@@ -0,0 +1,3 @@
+basicConstraints = CA: FALSE
+subjectAltName = DNS: localhost, IP: 127.0.0.1
+extendedKeyUsage = clientAuth

etc/gen-ec-certs/empty.cnf

@@ -0,0 +1,6 @@
+# A nearly empty OpenSSL CA configuration file.
+# `openssl req` complains without a configuration file.
+[ req ]
+distinguished_name = distinguished_name
+
+[ distinguished_name ]

etc/gen-ec-certs/gen-ec-certs.sh

@@ -0,0 +1,45 @@
+# This script is used to generate Elliptic Curve (EC) certificates.
+# The EC certificates are used for testing the Go driver with PyKMIP.
+# PyKMIP does not support Go's default TLS cipher suites with RSA.
+# See: GODRIVER-2239. 
+set -euo pipefail
+CA_SERIAL=$RANDOM
+SERVER_SERIAL=$RANDOM
+CLIENT_SERIAL=$RANDOM
+DAYS=14600
+
+# Generate CA certificate ... begin
+# Generate an EC private key.
+openssl ecparam -name prime256v1 -genkey -out ca-ec.key -noout
+# Generate a certificate signing request.
+openssl req -new -key ca-ec.key -out ca-ec.csr -subj "/C=US/ST=New York/L=New York City/O=MongoDB/OU=DBX/CN=ca/" -config empty.cnf -sha256
+# Self-sign the request.
+openssl x509 -in ca-ec.csr -out ca-ec.pem -req -signkey ca-ec.key -days $DAYS -sha256 -set_serial $CA_SERIAL
+# Generate CA certificate ... end
+
+# Generate Server certificate ... begin
+# Generate an EC private key.
+openssl ecparam -name prime256v1 -genkey -out server-ec.key -noout
+# Generate a certificate signing request.
+openssl req -new -key server-ec.key -out server-ec.csr -subj "/C=US/ST=New York/L=New York City/O=MongoDB/OU=DBX/CN=server/" -config empty.cnf -sha256
+# Sign the request with the CA. Add server extensions.
+openssl x509 -in server-ec.csr -out server-ec.pem -req -CA ca-ec.pem -CAkey ca-ec.key -days $DAYS -sha256 -set_serial $SERVER_SERIAL -extfile server.ext
+# Append private key to .pem file.
+cat server-ec.key >> server-ec.pem
+# Generate Server certificate ... end
+
+# Generate Client certificate ... begin
+# Generate an EC private key.
+openssl ecparam -name prime256v1 -genkey -out client-ec.key -noout
+# Generate a certificate signing request.
+# Use the Common Name (CN) of "client". PyKMIP identifies the client by the CN. The test server expects the identity of "client".
+openssl req -new -key client-ec.key -out client-ec.csr -subj "/C=US/ST=New York/L=New York City/O=MongoDB/OU=DBX/CN=client/" -config empty.cnf -sha256
+# Sign the request with the CA. Add client extensions.
+openssl x509 -in client-ec.csr -out client-ec.pem -req -CA ca-ec.pem -CAkey ca-ec.key -days $DAYS -sha256 -set_serial $CLIENT_SERIAL -extfile client.ext
+# Append private key to .pem file.
+cat client-ec.key >> client-ec.pem
+# Generate Client certificate ... end
+
+# Clean-up.
+rm *.csr
+rm *.key

etc/gen-ec-certs/server.ext

@@ -0,0 +1,3 @@
+basicConstraints = CA: FALSE
+subjectAltName = DNS: localhost, IP: 127.0.0.1
+extendedKeyUsage = serverAuth