test: more tls hostname verification coverage

Add some additional tests that check the interaction of an IP address as the Common Name and the presence (or lack of presence) of DNS, URI, and IP Address Subject Alternative Names. PR-URL: https://github.com/nodejs/node/pull/27999 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
2019-06-01 09:01:22 +02:00 · 2019-06-01 09:01:22 +02:00 · f585dca83d
commit f585dca83d
parent 714a32c41f
1 changed files with 42 additions and 0 deletions
--- a/test/parallel/test-tls-check-server-identity.js
+++ b/test/parallel/test-tls-check-server-identity.js
@ -70,6 +70,48 @@ const tests = [
    error: 'Host: a.com. is not cert\'s CN: .a.com'
  },

+  // IP address in CN. Technically allowed but so rare that we reject
+  // it anyway. If we ever do start allowing them, we should take care
+  // to only allow public (non-internal, non-reserved) IP addresses,
+  // because that's what the spec mandates.
+  {
+    host: '8.8.8.8',
+    cert: { subject: { CN: '8.8.8.8' } },
+    error: 'IP: 8.8.8.8 is not in the cert\'s list: '
+  },
+
+  // The spec suggests that a "DNS:" Subject Alternative Name containing an
+  // IP address is valid but it seems so suspect that we currently reject it.
+  {
+    host: '8.8.8.8',
+    cert: { subject: { CN: '8.8.8.8' }, subjectaltname: 'DNS:8.8.8.8' },
+    error: 'IP: 8.8.8.8 is not in the cert\'s list: '
+  },
+
+  // Likewise for "URI:" Subject Alternative Names.
+  // See also https://github.com/nodejs/node/issues/8108.
+  {
+    host: '8.8.8.8',
+    cert: { subject: { CN: '8.8.8.8' }, subjectaltname: 'URI:http://8.8.8.8/' },
+    error: 'IP: 8.8.8.8 is not in the cert\'s list: '
+  },
+
+  // An "IP Address:" Subject Alternative Name however is acceptable.
+  {
+    host: '8.8.8.8',
+    cert: { subject: { CN: '8.8.8.8' }, subjectaltname: 'IP Address:8.8.8.8' }
+  },
+
+  // But not when it's a CIDR.
+  {
+    host: '8.8.8.8',
+    cert: {
+      subject: { CN: '8.8.8.8' },
+      subjectaltname: 'IP Address:8.8.8.0/24'
+    },
+    error: 'IP: 8.8.8.8 is not in the cert\'s list: '
+  },
+
  // Wildcards in CN
  { host: 'b.a.com', cert: { subject: { CN: '*.a.com' } } },
  {