Skip to content

Commit

Permalink
crypto: remove checkIP options argument
Browse files Browse the repository at this point in the history
None of the supported options have any effect on X509_check_ip_asc.

Refs: openssl/openssl#17536

PR-URL: #41571
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
  • Loading branch information
tniessen committed Jan 19, 2022
1 parent eda54ba commit 6d66649
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 7 deletions.
17 changes: 10 additions & 7 deletions doc/api/crypto.md
Original file line number Diff line number Diff line change
Expand Up @@ -2542,24 +2542,26 @@ does not contain any DNS names. This behavior is consistent with [RFC 2818][]
If the `'subject'` option is set to `'never'`, the certificate subject is never
considered, even if the certificate contains no subject alternative names.

### `x509.checkIP(ip[, options])`
### `x509.checkIP(ip)`

<!-- YAML
added: v15.6.0
changes:
- version: REPLACEME
pr-url: https://github.com/nodejs/node/pull/41571
description: The `options` argument has been removed since it had no effect.
-->

* `ip` {string}
* `options` {Object}
* `subject` {string} `'always'` or `'never'`. **Default:** `'always'`.
* `wildcards` {boolean} **Default:** `true`.
* `partialWildcards` {boolean} **Default:** `true`.
* `multiLabelWildcards` {boolean} **Default:** `false`.
* `singleLabelSubdomains` {boolean} **Default:** `false`.
* Returns: {string|undefined} Returns `ip` if the certificate matches,
`undefined` if it does not.

Checks whether the certificate matches the given IP address (IPv4 or IPv6).

Only [RFC 5280][] `iPAddress` subject alternative names are considered, and they
must match the given `ip` address exactly. Other subject alternative names as
well as the subject field of the certificate are ignored.

### `x509.checkIssued(otherCert)`

<!-- YAML
Expand Down Expand Up @@ -5976,6 +5978,7 @@ See the [list of SSL OP Flags][] for details.
[RFC 4055]: https://www.rfc-editor.org/rfc/rfc4055.txt
[RFC 4122]: https://www.rfc-editor.org/rfc/rfc4122.txt
[RFC 5208]: https://www.rfc-editor.org/rfc/rfc5208.txt
[RFC 5280]: https://www.rfc-editor.org/rfc/rfc5280.txt
[Web Crypto API documentation]: webcrypto.md
[`BN_is_prime_ex`]: https://www.openssl.org/docs/man1.1.1/man3/BN_is_prime_ex.html
[`Buffer`]: buffer.md
Expand Down
5 changes: 5 additions & 0 deletions lib/internal/crypto/x509.js
Original file line number Diff line number Diff line change
Expand Up @@ -315,6 +315,11 @@ class X509Certificate extends JSTransferable {

checkIP(ip, options) {
validateString(ip, 'ip');
// The options argument is currently undocumented since none of the options
// have any effect on the behavior of this function. However, we still parse
// the options argument in case OpenSSL adds flags in the future that do
// affect the behavior of X509_check_ip. This ensures that no invalid values
// are passed as the second argument in the meantime.
return this[kHandle].checkIP(ip, getFlags(options));
}

Expand Down

0 comments on commit 6d66649

Please sign in to comment.