lib: make tls.checkServerIdentity() more strict

PR-URL: https://github.com/nodejs/node-private/pull/75
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

lib/tls.js

@@ -66,134 +66,137 @@ exports.convertALPNProtocols = function(protocols, out) {
   }
 };
 
+function unfqdn(host) {
+  return host.replace(/[.]$/, '');
+}
+
+function splitHost(host) {
+  // String#toLowerCase() is locale-sensitive so we use
+  // a conservative version that only lowercases A-Z.
+  const replacer = (c) => String.fromCharCode(32 + c.charCodeAt(0));
+  return unfqdn(host).replace(/[A-Z]/g, replacer).split('.');
+}
+
+function check(hostParts, pattern, wildcards) {
+  // Empty strings, null, undefined, etc. never match.
+  if (!pattern)
+    return false;
+
+  const patternParts = splitHost(pattern);
+
+  if (hostParts.length !== patternParts.length)
+    return false;
+
+  // Pattern has empty components, e.g. "bad..example.com".
+  if (patternParts.includes(''))
+    return false;
+
+  // RFC 6125 allows IDNA U-labels (Unicode) in names but we have no
+  // good way to detect their encoding or normalize them so we simply
+  // reject them.  Control characters and blanks are rejected as well
+  // because nothing good can come from accepting them.
+  const isBad = (s) => /[^\u0021-\u007F]/u.test(s);
+  if (patternParts.some(isBad))
+    return false;
+
+  // Check host parts from right to left first.
+  for (let i = hostParts.length - 1; i > 0; i -= 1)
+    if (hostParts[i] !== patternParts[i])
+      return false;
+
+  const hostSubdomain = hostParts[0];
+  const patternSubdomain = patternParts[0];
+  const patternSubdomainParts = patternSubdomain.split('*');
+
+  // Short-circuit when the subdomain does not contain a wildcard.
+  // RFC 6125 does not allow wildcard substitution for components
+  // containing IDNA A-labels (Punycode) so match those verbatim.
+  if (patternSubdomainParts.length === 1 || patternSubdomain.includes('xn--'))
+    return hostSubdomain === patternSubdomain;
+
+  if (!wildcards)
+    return false;
+
+  // More than one wildcard is always wrong.
+  if (patternSubdomainParts.length > 2)
+    return false;
+
+  // *.tld wildcards are not allowed.
+  if (patternParts.length <= 2)
+    return false;
+
+  const [prefix, suffix] = patternSubdomainParts;
+
+  if (prefix.length + suffix.length > hostSubdomain.length)
+    return false;
+
+  if (!hostSubdomain.startsWith(prefix))
+    return false;
+
+  if (!hostSubdomain.endsWith(suffix))
+    return false;
+
+  return true;
+}
+
 exports.checkServerIdentity = function checkServerIdentity(host, cert) {
-  // Create regexp to much hostnames
+  const subject = cert.subject;
-  function regexpify(host, wildcards) {
+  const altNames = cert.subjectaltname;
-    // Add trailing dot (make hostnames uniform)
+  const dnsNames = [];
-    if (!host || !host.endsWith('.')) host += '.';
+  const uriNames = [];
-
-    // The same applies to hostname with more than one wildcard,
-    // if hostname has wildcard when wildcards are not allowed,
-    // or if there are less than two dots after wildcard (i.e. *.com or *d.com)
-    //
-    // also
-    //
-    // "The client SHOULD NOT attempt to match a presented identifier in
-    // which the wildcard character comprises a label other than the
-    // left-most label (e.g., do not match bar.*.example.net)."
-    // RFC6125
-    if (!wildcards && /\*/.test(host) || /[\.\*].*\*/.test(host) ||
-        /\*/.test(host) && !/\*.*\..+\..+/.test(host)) {
-      return /$./;
-    }
-
-    // Replace wildcard chars with regexp's wildcard and
-    // escape all characters that have special meaning in regexps
-    // (i.e. '.', '[', '{', '*', and others)
-    var re = host.replace(
-        /\*([a-z0-9\\-_\.])|[\.,\-\\\^\$+?*\[\]\(\):!\|{}]/g,
-        function(all, sub) {
-          if (sub) return '[a-z0-9\\-_]*' + (sub === '-' ? '\\-' : sub);
-          return '\\' + all;
-        });
-
-    return new RegExp('^' + re + '$', 'i');
-  }
-
-  var dnsNames = [];
-  var uriNames = [];
   const ips = [];
-  var matchCN = true;
-  var valid = false;
-  var reason = 'Unknown reason';
 
-  // There're several names to perform check against:
+  host = '' + host;
-  // CN and altnames in certificate extension
+
-  // (DNS names, IP addresses, and URIs)
+  if (altNames) {
-  //
+    for (const name of altNames.split(', ')) {
-  // Walk through altnames and generate lists of those names
+      if (name.startsWith('DNS:')) {
-  if (cert.subjectaltname) {
+        dnsNames.push(name.slice(4));
-    cert.subjectaltname.split(/, /g).forEach(function(altname) {
+      } else if (name.startsWith('URI:')) {
-      var option = altname.match(/^(DNS|IP Address|URI):(.*)$/);
+        const uri = url.parse(name.slice(4));
-      if (!option)
+        uriNames.push(uri.hostname);  // TODO(bnoordhuis) Also use scheme.
-        return;
+      } else if (name.startsWith('IP Address:')) {
-      if (option[1] === 'DNS') {
+        ips.push(name.slice(11));
-        dnsNames.push(option[2]);
+      }
-      } else if (option[1] === 'IP Address') {
-        ips.push(option[2]);
-      } else if (option[1] === 'URI') {
-        var uri = url.parse(option[2]);
-        if (uri) uriNames.push(uri.hostname);
     }
-    });
   }
 
-  // If hostname is an IP address, it should be present in the list of IP
+  let valid = false;
-  // addresses.
+  let reason = 'Unknown reason';
+
   if (net.isIP(host)) {
-    valid = ips.some(function(ip) {
+    valid = ips.includes(host);
-      return ip === host;
+    if (!valid)
-    });
-    if (!valid) {
       reason = `IP: ${host} is not in the cert's list: ${ips.join(', ')}`;
-    }
+    // TODO(bnoordhuis) Also check URI SANs that are IP addresses.
-  } else if (cert.subject) {
+  } else if (subject) {
-    // Transform hostname to canonical form
+    host = unfqdn(host);  // Remove trailing dot for error messages.
-    if (!host || !host.endsWith('.')) host += '.';
+    const hostParts = splitHost(host);
+    const wildcard = (pattern) => check(hostParts, pattern, true);
+    const noWildcard = (pattern) => check(hostParts, pattern, false);
 
-    // Otherwise check all DNS/URI records from certificate
+    // Match against Common Name only if no supported identifiers are present.
-    // (with allowed wildcards)
+    if (dnsNames.length === 0 && ips.length === 0 && uriNames.length === 0) {
-    dnsNames = dnsNames.map(function(name) {
+      const cn = subject.CN;
-      return regexpify(name, true);
-    });
 
-    // Wildcards ain't allowed in URI names
+      if (Array.isArray(cn))
-    uriNames = uriNames.map(function(name) {
+        valid = cn.some(wildcard);
-      return regexpify(name, false);
+      else if (cn)
-    });
+        valid = wildcard(cn);
 
-    dnsNames = dnsNames.concat(uriNames);
+      if (!valid)
-
+        reason = `Host: ${host}. is not cert's CN: ${cn}`;
-    if (dnsNames.length > 0) matchCN = false;
-
-    // Match against Common Name (CN) only if no supported identifiers are
-    // present.
-    //
-    // "As noted, a client MUST NOT seek a match for a reference identifier
-    //  of CN-ID if the presented identifiers include a DNS-ID, SRV-ID,
-    //  URI-ID, or any application-specific identifier types supported by the
-    //  client."
-    // RFC6125
-    if (matchCN) {
-      var commonNames = cert.subject.CN;
-      if (Array.isArray(commonNames)) {
-        for (var i = 0, k = commonNames.length; i < k; ++i) {
-          dnsNames.push(regexpify(commonNames[i], true));
-        }
     } else {
-        dnsNames.push(regexpify(commonNames, true));
+      valid = dnsNames.some(wildcard) || uriNames.some(noWildcard);
-      }
+      if (!valid)
-    }
+        reason = `Host: ${host}. is not in the cert's altnames: ${altNames}`;
-
-    valid = dnsNames.some(function(re) {
-      return re.test(host);
-    });
-
-    if (!valid) {
-      if (cert.subjectaltname) {
-        reason =
-            `Host: ${host} is not in the cert's altnames: ` +
-            `${cert.subjectaltname}`;
-      } else {
-        reason = `Host: ${host} is not cert's CN: ${cert.subject.CN}`;
-      }
     }
   } else {
     reason = 'Cert is empty';
   }
 
   if (!valid) {
-    var err = new Error(
+    const err = new Error(
         `Hostname/IP doesn't match certificate's altnames: "${reason}"`);
     err.reason = reason;
     err.host = host;

test/parallel/test-tls-check-server-identity.js

@@ -11,6 +11,23 @@ var tls = require('tls');
 
 
 var tests = [
+  // False-y values.
+  {
+    host: false,
+    cert: { subject: { CN: 'a.com' } },
+    error: 'Host: false. is not cert\'s CN: a.com'
+  },
+  {
+    host: null,
+    cert: { subject: { CN: 'a.com' } },
+    error: 'Host: null. is not cert\'s CN: a.com'
+  },
+  {
+    host: undefined,
+    cert: { subject: { CN: 'a.com' } },
+    error: 'Host: undefined. is not cert\'s CN: a.com'
+  },
+
   // Basic CN handling
   { host: 'a.com', cert: { subject: { CN: 'a.com' } } },
   { host: 'a.com', cert: { subject: { CN: 'A.COM' } } },
@@ -20,15 +37,35 @@ var tests = [
     error: 'Host: a.com. is not cert\'s CN: b.com'
   },
   { host: 'a.com', cert: { subject: { CN: 'a.com.' } } },
+  {
+    host: 'a.com',
+    cert: { subject: { CN: '.a.com' } },
+    error: 'Host: a.com. is not cert\'s CN: .a.com'
+  },
 
   // Wildcards in CN
   { host: 'b.a.com', cert: { subject: { CN: '*.a.com' } } },
+  {
+    host: 'ba.com',
+    cert: { subject: { CN: '*.a.com' } },
+    error: 'Host: ba.com. is not cert\'s CN: *.a.com'
+  },
+  {
+    host: '\n.b.com',
+    cert: { subject: { CN: '*n.b.com' } },
+    error: 'Host: \n.b.com. is not cert\'s CN: *n.b.com'
+  },
   { host: 'b.a.com', cert: {
     subjectaltname: 'DNS:omg.com',
     subject: { CN: '*.a.com' } },
     error: 'Host: b.a.com. is not in the cert\'s altnames: ' +
            'DNS:omg.com'
   },
+  {
+    host: 'b.a.com',
+    cert: { subject: { CN: 'b*b.a.com' } },
+    error: 'Host: b.a.com. is not cert\'s CN: b*b.a.com'
+  },
 
   // Empty Cert
   {
@@ -199,6 +236,20 @@ var tests = [
     error: 'Host: localhost. is not in the cert\'s altnames: ' +
            'DNS:a.com'
   },
+  // IDNA
+  {
+    host: 'xn--bcher-kva.example.com',
+    cert: { subject: { CN: '*.example.com' } },
+  },
+  // RFC 6125, section 6.4.3: "[...] the client SHOULD NOT attempt to match
+  // a presented identifier where the wildcard character is embedded within
+  // an A-label [...]"
+  {
+    host: 'xn--bcher-kva.example.com',
+    cert: { subject: { CN: 'xn--*.example.com' } },
+    error: 'Host: xn--bcher-kva.example.com. is not cert\'s CN: ' +
+            'xn--*.example.com',
+  },
 ];
 
 tests.forEach(function(test, i) {