diff options
author | Ben Noordhuis <info@bnoordhuis.nl> | 2019-06-01 09:01:22 +0200 |
---|---|---|
committer | Daniel Bevenius <daniel.bevenius@gmail.com> | 2019-06-04 08:07:31 +0200 |
commit | f585dca83ddeef32213e011e6ff5645cf42527a3 (patch) | |
tree | ef53d078c2e5fac4d698d8d4712192bfb2e83a0c /test/parallel/test-tls-check-server-identity.js | |
parent | 714a32c41f7cedec76cd7a237ac12f4cee7fcf85 (diff) | |
download | android-node-v8-f585dca83ddeef32213e011e6ff5645cf42527a3.tar.gz android-node-v8-f585dca83ddeef32213e011e6ff5645cf42527a3.tar.bz2 android-node-v8-f585dca83ddeef32213e011e6ff5645cf42527a3.zip |
test: more tls hostname verification coverage
Add some additional tests that check the interaction of an IP address
as the Common Name and the presence (or lack of presence) of DNS, URI,
and IP Address Subject Alternative Names.
PR-URL: https://github.com/nodejs/node/pull/27999
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Diffstat (limited to 'test/parallel/test-tls-check-server-identity.js')
-rw-r--r-- | test/parallel/test-tls-check-server-identity.js | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/test/parallel/test-tls-check-server-identity.js b/test/parallel/test-tls-check-server-identity.js index fe27770c1e..afeb6c7499 100644 --- a/test/parallel/test-tls-check-server-identity.js +++ b/test/parallel/test-tls-check-server-identity.js @@ -70,6 +70,48 @@ const tests = [ error: 'Host: a.com. is not cert\'s CN: .a.com' }, + // IP address in CN. Technically allowed but so rare that we reject + // it anyway. If we ever do start allowing them, we should take care + // to only allow public (non-internal, non-reserved) IP addresses, + // because that's what the spec mandates. + { + host: '8.8.8.8', + cert: { subject: { CN: '8.8.8.8' } }, + error: 'IP: 8.8.8.8 is not in the cert\'s list: ' + }, + + // The spec suggests that a "DNS:" Subject Alternative Name containing an + // IP address is valid but it seems so suspect that we currently reject it. + { + host: '8.8.8.8', + cert: { subject: { CN: '8.8.8.8' }, subjectaltname: 'DNS:8.8.8.8' }, + error: 'IP: 8.8.8.8 is not in the cert\'s list: ' + }, + + // Likewise for "URI:" Subject Alternative Names. + // See also https://github.com/nodejs/node/issues/8108. + { + host: '8.8.8.8', + cert: { subject: { CN: '8.8.8.8' }, subjectaltname: 'URI:http://8.8.8.8/' }, + error: 'IP: 8.8.8.8 is not in the cert\'s list: ' + }, + + // An "IP Address:" Subject Alternative Name however is acceptable. + { + host: '8.8.8.8', + cert: { subject: { CN: '8.8.8.8' }, subjectaltname: 'IP Address:8.8.8.8' } + }, + + // But not when it's a CIDR. + { + host: '8.8.8.8', + cert: { + subject: { CN: '8.8.8.8' }, + subjectaltname: 'IP Address:8.8.8.0/24' + }, + error: 'IP: 8.8.8.8 is not in the cert\'s list: ' + }, + // Wildcards in CN { host: 'b.a.com', cert: { subject: { CN: '*.a.com' } } }, { |