From 959817a83f66e5ad3377176fe4ef447f64980afe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= Date: Mon, 17 Jan 2022 14:35:47 +0000 Subject: [PATCH] crypto: support RFC 2818 compatible checkHost The 'subject' option should not only accept the values 'always' and 'never' because neither is compatible with RFC 2818, i.e., HTTPS. This change adds a third value 'default', which implies the behavior that HTTPS mandates. The new 'default' case matches the default behavior of OpenSSL for both DNS names and email addresses. Future Node.js versions should change the default option value from 'always' to 'default'. Refs: https://github.com/nodejs/node/pull/36804 --- doc/api/crypto.md | 38 +++++++++++++++++++++++++++-- lib/internal/crypto/x509.js | 4 ++- test/parallel/test-x509-escaping.js | 18 ++++++++++++++ 3 files changed, 57 insertions(+), 3 deletions(-) diff --git a/doc/api/crypto.md b/doc/api/crypto.md index 4dbccff3122d36..a5f3d630afa902 100644 --- a/doc/api/crypto.md +++ b/doc/api/crypto.md @@ -2471,11 +2471,16 @@ added: v15.6.0 * `email` {string} * `options` {Object} - * `subject` {string} `'always'` or `'never'`. **Default:** `'always'`. + * `subject` {string} `'default'`, `'always'`, or `'never'`. + **Default:** `'always'`. * `wildcards` {boolean} **Default:** `true`. * `partialWildcards` {boolean} **Default:** `true`. * `multiLabelWildcards` {boolean} **Default:** `false`. @@ -2485,15 +2490,31 @@ added: v15.6.0 Checks whether the certificate matches the given email address. +If the `'subject'` option is set to `'always'` and if the subject alternative +name extension either does not exist or does not contain a matching email +address, the certificate subject is considered. + +If the `'subject'` option is set to `'default`', the certificate subject is only +considered if the subject alternative name extension either does not exist or +does not contain any email addresses. + +If the `'subject'` option is set to `'never'`, the certificate subject is never +considered, even if the certificate contains no subject alternative names. + ### `x509.checkHost(name[, options])` * `name` {string} * `options` {Object} - * `subject` {string} `'always'` or `'never'`. **Default:** `'always'`. + * `subject` {string} `'default'`, `'always'`, or `'never'`. + **Default:** `'always'`. * `wildcards` {boolean} **Default:** `true`. * `partialWildcards` {boolean} **Default:** `true`. * `multiLabelWildcards` {boolean} **Default:** `false`. @@ -2509,6 +2530,18 @@ or it might contain wildcards (e.g., `*.example.com`). Because host name comparisons are case-insensitive, the returned subject name might also differ from the given `name` in capitalization. +If the `'subject'` option is set to `'always'` and if the subject alternative +name extension either does not exist or does not contain a matching DNS name, +the certificate subject is considered. + +If the `'subject'` option is set to `'default'`, the certificate subject is only +considered if the subject alternative name extension either does not exist or +does not contain any DNS names. This behavior is consistent with [RFC 2818][] +("HTTP Over TLS"). + +If the `'subject'` option is set to `'never'`, the certificate subject is never +considered, even if the certificate contains no subject alternative names. + ### `x509.checkIP(ip[, options])`