mirror of
https://github.com/nodejs/node.git
synced 2025-05-07 15:35:41 +00:00
f585dca83d
Add some additional tests that check the interaction of an IP address as the Common Name and the presence (or lack of presence) of DNS, URI, and IP Address Subject Alternative Names. PR-URL: https://github.com/nodejs/node/pull/27999 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
338 lines
8.7 KiB
JavaScript
338 lines
8.7 KiB
JavaScript
// Copyright Joyent, Inc. and other Node contributors.
|
|
//
|
|
// Permission is hereby granted, free of charge, to any person obtaining a
|
|
// copy of this software and associated documentation files (the
|
|
// "Software"), to deal in the Software without restriction, including
|
|
// without limitation the rights to use, copy, modify, merge, publish,
|
|
// distribute, sublicense, and/or sell copies of the Software, and to permit
|
|
// persons to whom the Software is furnished to do so, subject to the
|
|
// following conditions:
|
|
//
|
|
// The above copyright notice and this permission notice shall be included
|
|
// in all copies or substantial portions of the Software.
|
|
//
|
|
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
|
|
// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
|
|
// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
|
|
// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
|
|
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
|
|
// USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
|
|
'use strict';
|
|
const common = require('../common');
|
|
|
|
if (!common.hasCrypto)
|
|
common.skip('missing crypto');
|
|
|
|
const assert = require('assert');
|
|
const util = require('util');
|
|
|
|
const tls = require('tls');
|
|
|
|
common.expectWarning('DeprecationWarning', [
|
|
['The URI http://[a.b.a.com]/ found in cert.subjectaltname ' +
|
|
'is not a valid URI, and is supported in the tls module ' +
|
|
'solely for compatibility.',
|
|
'DEP0109'],
|
|
]);
|
|
|
|
const tests = [
|
|
// False-y values.
|
|
{
|
|
host: false,
|
|
cert: { subject: { CN: 'a.com' } },
|
|
error: 'Host: false. is not cert\'s CN: a.com'
|
|
},
|
|
{
|
|
host: null,
|
|
cert: { subject: { CN: 'a.com' } },
|
|
error: 'Host: null. is not cert\'s CN: a.com'
|
|
},
|
|
{
|
|
host: undefined,
|
|
cert: { subject: { CN: 'a.com' } },
|
|
error: 'Host: undefined. is not cert\'s CN: a.com'
|
|
},
|
|
|
|
// Basic CN handling
|
|
{ host: 'a.com', cert: { subject: { CN: 'a.com' } } },
|
|
{ host: 'a.com', cert: { subject: { CN: 'A.COM' } } },
|
|
{
|
|
host: 'a.com',
|
|
cert: { subject: { CN: 'b.com' } },
|
|
error: 'Host: a.com. is not cert\'s CN: b.com'
|
|
},
|
|
{ host: 'a.com', cert: { subject: { CN: 'a.com.' } } },
|
|
{
|
|
host: 'a.com',
|
|
cert: { subject: { CN: '.a.com' } },
|
|
error: 'Host: a.com. is not cert\'s CN: .a.com'
|
|
},
|
|
|
|
// IP address in CN. Technically allowed but so rare that we reject
|
|
// it anyway. If we ever do start allowing them, we should take care
|
|
// to only allow public (non-internal, non-reserved) IP addresses,
|
|
// because that's what the spec mandates.
|
|
{
|
|
host: '8.8.8.8',
|
|
cert: { subject: { CN: '8.8.8.8' } },
|
|
error: 'IP: 8.8.8.8 is not in the cert\'s list: '
|
|
},
|
|
|
|
// The spec suggests that a "DNS:" Subject Alternative Name containing an
|
|
// IP address is valid but it seems so suspect that we currently reject it.
|
|
{
|
|
host: '8.8.8.8',
|
|
cert: { subject: { CN: '8.8.8.8' }, subjectaltname: 'DNS:8.8.8.8' },
|
|
error: 'IP: 8.8.8.8 is not in the cert\'s list: '
|
|
},
|
|
|
|
// Likewise for "URI:" Subject Alternative Names.
|
|
// See also https://github.com/nodejs/node/issues/8108.
|
|
{
|
|
host: '8.8.8.8',
|
|
cert: { subject: { CN: '8.8.8.8' }, subjectaltname: 'URI:http://8.8.8.8/' },
|
|
error: 'IP: 8.8.8.8 is not in the cert\'s list: '
|
|
},
|
|
|
|
// An "IP Address:" Subject Alternative Name however is acceptable.
|
|
{
|
|
host: '8.8.8.8',
|
|
cert: { subject: { CN: '8.8.8.8' }, subjectaltname: 'IP Address:8.8.8.8' }
|
|
},
|
|
|
|
// But not when it's a CIDR.
|
|
{
|
|
host: '8.8.8.8',
|
|
cert: {
|
|
subject: { CN: '8.8.8.8' },
|
|
subjectaltname: 'IP Address:8.8.8.0/24'
|
|
},
|
|
error: 'IP: 8.8.8.8 is not in the cert\'s list: '
|
|
},
|
|
|
|
// Wildcards in CN
|
|
{ host: 'b.a.com', cert: { subject: { CN: '*.a.com' } } },
|
|
{
|
|
host: 'ba.com',
|
|
cert: { subject: { CN: '*.a.com' } },
|
|
error: 'Host: ba.com. is not cert\'s CN: *.a.com'
|
|
},
|
|
{
|
|
host: '\n.b.com',
|
|
cert: { subject: { CN: '*n.b.com' } },
|
|
error: 'Host: \n.b.com. is not cert\'s CN: *n.b.com'
|
|
},
|
|
{ host: 'b.a.com', cert: {
|
|
subjectaltname: 'DNS:omg.com',
|
|
subject: { CN: '*.a.com' } },
|
|
error: 'Host: b.a.com. is not in the cert\'s altnames: ' +
|
|
'DNS:omg.com'
|
|
},
|
|
{
|
|
host: 'b.a.com',
|
|
cert: { subject: { CN: 'b*b.a.com' } },
|
|
error: 'Host: b.a.com. is not cert\'s CN: b*b.a.com'
|
|
},
|
|
|
|
// Empty Cert
|
|
{
|
|
host: 'a.com',
|
|
cert: { },
|
|
error: 'Cert is empty'
|
|
},
|
|
|
|
// Multiple CN fields
|
|
{
|
|
host: 'foo.com', cert: {
|
|
subject: { CN: ['foo.com', 'bar.com'] } // CN=foo.com; CN=bar.com;
|
|
}
|
|
},
|
|
|
|
// DNS names and CN
|
|
{
|
|
host: 'a.com', cert: {
|
|
subjectaltname: 'DNS:*',
|
|
subject: { CN: 'b.com' }
|
|
},
|
|
error: 'Host: a.com. is not in the cert\'s altnames: ' +
|
|
'DNS:*'
|
|
},
|
|
{
|
|
host: 'a.com', cert: {
|
|
subjectaltname: 'DNS:*.com',
|
|
subject: { CN: 'b.com' }
|
|
},
|
|
error: 'Host: a.com. is not in the cert\'s altnames: ' +
|
|
'DNS:*.com'
|
|
},
|
|
{
|
|
host: 'a.co.uk', cert: {
|
|
subjectaltname: 'DNS:*.co.uk',
|
|
subject: { CN: 'b.com' }
|
|
}
|
|
},
|
|
{
|
|
host: 'a.com', cert: {
|
|
subjectaltname: 'DNS:*.a.com',
|
|
subject: { CN: 'a.com' }
|
|
},
|
|
error: 'Host: a.com. is not in the cert\'s altnames: ' +
|
|
'DNS:*.a.com'
|
|
},
|
|
{
|
|
host: 'a.com', cert: {
|
|
subjectaltname: 'DNS:*.a.com',
|
|
subject: { CN: 'b.com' }
|
|
},
|
|
error: 'Host: a.com. is not in the cert\'s altnames: ' +
|
|
'DNS:*.a.com'
|
|
},
|
|
{
|
|
host: 'a.com', cert: {
|
|
subjectaltname: 'DNS:a.com',
|
|
subject: { CN: 'b.com' }
|
|
}
|
|
},
|
|
{
|
|
host: 'a.com', cert: {
|
|
subjectaltname: 'DNS:A.COM',
|
|
subject: { CN: 'b.com' }
|
|
}
|
|
},
|
|
|
|
// DNS names
|
|
{
|
|
host: 'a.com', cert: {
|
|
subjectaltname: 'DNS:*.a.com',
|
|
subject: {}
|
|
},
|
|
error: 'Host: a.com. is not in the cert\'s altnames: ' +
|
|
'DNS:*.a.com'
|
|
},
|
|
{
|
|
host: 'b.a.com', cert: {
|
|
subjectaltname: 'DNS:*.a.com',
|
|
subject: {}
|
|
}
|
|
},
|
|
{
|
|
host: 'c.b.a.com', cert: {
|
|
subjectaltname: 'DNS:*.a.com',
|
|
subject: {}
|
|
},
|
|
error: 'Host: c.b.a.com. is not in the cert\'s altnames: ' +
|
|
'DNS:*.a.com'
|
|
},
|
|
{
|
|
host: 'b.a.com', cert: {
|
|
subjectaltname: 'DNS:*b.a.com',
|
|
subject: {}
|
|
}
|
|
},
|
|
{
|
|
host: 'a-cb.a.com', cert: {
|
|
subjectaltname: 'DNS:*b.a.com',
|
|
subject: {}
|
|
}
|
|
},
|
|
{
|
|
host: 'a.b.a.com', cert: {
|
|
subjectaltname: 'DNS:*b.a.com',
|
|
subject: {}
|
|
},
|
|
error: 'Host: a.b.a.com. is not in the cert\'s altnames: ' +
|
|
'DNS:*b.a.com'
|
|
},
|
|
// Multiple DNS names
|
|
{
|
|
host: 'a.b.a.com', cert: {
|
|
subjectaltname: 'DNS:*b.a.com, DNS:a.b.a.com',
|
|
subject: {}
|
|
}
|
|
},
|
|
// URI names
|
|
{
|
|
host: 'a.b.a.com', cert: {
|
|
subjectaltname: 'URI:http://a.b.a.com/',
|
|
subject: {}
|
|
}
|
|
},
|
|
{
|
|
host: 'a.b.a.com', cert: {
|
|
subjectaltname: 'URI:http://*.b.a.com/',
|
|
subject: {}
|
|
},
|
|
error: 'Host: a.b.a.com. is not in the cert\'s altnames: ' +
|
|
'URI:http://*.b.a.com/'
|
|
},
|
|
// Invalid URI
|
|
{
|
|
host: 'a.b.a.com', cert: {
|
|
subjectaltname: 'URI:http://[a.b.a.com]/',
|
|
subject: {}
|
|
}
|
|
},
|
|
// IP addresses
|
|
{
|
|
host: 'a.b.a.com', cert: {
|
|
subjectaltname: 'IP Address:127.0.0.1',
|
|
subject: {}
|
|
},
|
|
error: 'Host: a.b.a.com. is not in the cert\'s altnames: ' +
|
|
'IP Address:127.0.0.1'
|
|
},
|
|
{
|
|
host: '127.0.0.1', cert: {
|
|
subjectaltname: 'IP Address:127.0.0.1',
|
|
subject: {}
|
|
}
|
|
},
|
|
{
|
|
host: '127.0.0.2', cert: {
|
|
subjectaltname: 'IP Address:127.0.0.1',
|
|
subject: {}
|
|
},
|
|
error: 'IP: 127.0.0.2 is not in the cert\'s list: ' +
|
|
'127.0.0.1'
|
|
},
|
|
{
|
|
host: '127.0.0.1', cert: {
|
|
subjectaltname: 'DNS:a.com',
|
|
subject: {}
|
|
},
|
|
error: 'IP: 127.0.0.1 is not in the cert\'s list: '
|
|
},
|
|
{
|
|
host: 'localhost', cert: {
|
|
subjectaltname: 'DNS:a.com',
|
|
subject: { CN: 'localhost' }
|
|
},
|
|
error: 'Host: localhost. is not in the cert\'s altnames: ' +
|
|
'DNS:a.com'
|
|
},
|
|
// IDNA
|
|
{
|
|
host: 'xn--bcher-kva.example.com',
|
|
cert: { subject: { CN: '*.example.com' } },
|
|
},
|
|
// RFC 6125, section 6.4.3: "[...] the client SHOULD NOT attempt to match
|
|
// a presented identifier where the wildcard character is embedded within
|
|
// an A-label [...]"
|
|
{
|
|
host: 'xn--bcher-kva.example.com',
|
|
cert: { subject: { CN: 'xn--*.example.com' } },
|
|
error: 'Host: xn--bcher-kva.example.com. is not cert\'s CN: ' +
|
|
'xn--*.example.com',
|
|
},
|
|
];
|
|
|
|
tests.forEach(function(test, i) {
|
|
const err = tls.checkServerIdentity(test.host, test.cert);
|
|
assert.strictEqual(err && err.reason,
|
|
test.error,
|
|
`Test# ${i} failed: ${util.inspect(test)} \n` +
|
|
`${test.error} != ${(err && err.reason)}`);
|
|
});
|