CDRIVER-5998 import persisted private keys for SChannel

.evergreen/scripts/run-auth-tests.sh

@@ -24,12 +24,20 @@ secrets_dir="$(to_absolute "${mongoc_dir}/../secrets")"
 mkdir -p "${secrets_dir}"
 chmod 700 "${secrets_dir}"
 
-# Create certificate to test X509 auth with Atlas:
+# Create certificate to test X509 auth with Atlas on cloud-prod:
 atlas_x509_path="${secrets_dir:?}/atlas_x509.pem"
 echo "${atlas_x509_cert_base64:?}" | base64 --decode > "${secrets_dir:?}/atlas_x509.pem"
 # Fix path on Windows:
 if $IS_WINDOWS; then
-    atlas_x509_path="$(cygpath -m "${secrets_dir:?}/atlas_x509.pem")"
+    atlas_x509_path="$(cygpath -m "${atlas_x509_path}")"
+fi
+
+# Create certificate to test X509 auth with Atlas on cloud-dev
+atlas_x509_dev_path="${secrets_dir:?}/atlas_x509_dev.pem"
+echo "${atlas_x509_dev_cert_base64:?}" | base64 --decode > "${atlas_x509_dev_path:?}"
+# Fix path on Windows:
+if $IS_WINDOWS; then
+    atlas_x509_dev_path="$(cygpath -m "${atlas_x509_dev_path}")"
 fi
 
 # Create Kerberos config and keytab files.
@@ -187,9 +195,12 @@ if [[ "${ssl}" != "OFF" ]]; then
     LD_LIBRARY_PATH="${openssl_lib_prefix}" "${ping}" "${atlas_serverless:?}&${c_timeout}"
   fi
 
-  echo "Connecting to Atlas with X509"
+  echo "Connecting to Atlas (cloud-prod) with X509"
   LD_LIBRARY_PATH="${openssl_lib_prefix}" "${ping}" "${atlas_x509:?}&tlsCertificateKeyFile=${atlas_x509_path}&${c_timeout}"
 
+  echo "Connecting to Atlas (cloud-dev) with X509"
+  LD_LIBRARY_PATH="${openssl_lib_prefix}" "${ping}" "${atlas_x509_dev:?}&tlsCertificateKeyFile=${atlas_x509_dev_path}&${c_timeout}"
+
 fi
 
 echo "Authenticating using PLAIN"

CONTRIBUTING.md

@@ -179,6 +179,13 @@ If you start `mongod` with SSL, set these variables to configure how
 * `MONGOC_TEST_SSL_CRL_FILE`: path to a certificate revocation list.
 * `MONGOC_TEST_SSL_WEAK_CERT_VALIDATION`: set to `on` to relax the client's
   validation of the server's certificate.
+* `MONGOC_TEST_SCHANNEL_CRL=on`: set to `on` to enable Windows Secure Channel tests loading CRL files.
+  * If CRL tests abort before deleting the CRL file, this may cause later test errors like `The certificate is revoked`. Manually remove the CRL file with:
+    ```powershell
+    $crl = ".\src\libmongoc\tests\x509gen\crl.pem"
+    $fingerprint = (openssl crl -in ".\src\libmongoc\tests\x509gen\crl.pem" -noout -fingerprint) -replace 'SHA1 Fingerprint=', '' -replace ':', ''
+    certutil -delstore Root $fingerprint
+    ```
 
 The SASL / GSSAPI / Kerberos tests are skipped by default. To run them, set up a
 separate `mongod` with Kerberos and set its host and Kerberos principal name

src/libmongoc/CMakeLists.txt

@@ -204,7 +204,7 @@ endfunction()
 # Per-backend link libs/options:
 set(SecureTransport/LINK_LIBRARIES "-framework CoreFoundation" "-framework Security")
 set(SecureTransport/pkg_config_LIBS -framework Corefoundation -framework Security)
-set(SecureChannel/LINK_LIBRARIES secur32.lib crypt32.lib Bcrypt.lib)
+set(SecureChannel/LINK_LIBRARIES secur32.lib crypt32.lib Bcrypt.lib ncrypt.lib)
 set(SecureChannel/pkg_config_LIBS ${SecureChannel/LINK_LIBRARIES})
 set(OpenSSL/LINK_LIBRARIES OpenSSL::SSL OpenSSL::Crypto $<$<PLATFORM_ID:Windows>:crypt32.lib>)
 set(OpenSSL/pkg_config_LIBS -lssl -lcrypto $<$<PLATFORM_ID:Windows>:crypt32.lib>)