Skip to content

Commit

Permalink
crypto: remove checkIP options argument
Browse files Browse the repository at this point in the history
None of the supported options have any effect on X509_check_ip_asc.

Refs: openssl/openssl#17536

PR-URL: #41571
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
  • Loading branch information
tniessen authored and danielleadams committed Feb 27, 2022
1 parent 7e9ee6e commit e464990
Show file tree
Hide file tree
Showing 2 changed files with 27 additions and 7 deletions.
29 changes: 22 additions & 7 deletions doc/api/crypto.md
Original file line number Diff line number Diff line change
Expand Up @@ -2509,24 +2509,38 @@ or it might contain wildcards (e.g., `*.example.com`). Because host name
comparisons are case-insensitive, the returned subject name might also differ
from the given `name` in capitalization.

### `x509.checkIP(ip[, options])`
If the `'subject'` option is set to `'always'` and if the subject alternative
name extension either does not exist or does not contain a matching DNS name,
the certificate subject is considered.

If the `'subject'` option is set to `'default'`, the certificate subject is only
considered if the subject alternative name extension either does not exist or
does not contain any DNS names. This behavior is consistent with [RFC 2818][]
("HTTP Over TLS").

If the `'subject'` option is set to `'never'`, the certificate subject is never
considered, even if the certificate contains no subject alternative names.

### `x509.checkIP(ip)`

<!-- YAML
added: v15.6.0
changes:
- version: REPLACEME
pr-url: https://github.com/nodejs/node/pull/41571
description: The `options` argument has been removed since it had no effect.
-->

* `ip` {string}
* `options` {Object}
* `subject` {string} `'always'` or `'never'`. **Default:** `'always'`.
* `wildcards` {boolean} **Default:** `true`.
* `partialWildcards` {boolean} **Default:** `true`.
* `multiLabelWildcards` {boolean} **Default:** `false`.
* `singleLabelSubdomains` {boolean} **Default:** `false`.
* Returns: {string|undefined} Returns `ip` if the certificate matches,
`undefined` if it does not.

Checks whether the certificate matches the given IP address (IPv4 or IPv6).

Only [RFC 5280][] `iPAddress` subject alternative names are considered, and they
must match the given `ip` address exactly. Other subject alternative names as
well as the subject field of the certificate are ignored.

### `x509.checkIssued(otherCert)`

<!-- YAML
Expand Down Expand Up @@ -5911,6 +5925,7 @@ See the [list of SSL OP Flags][] for details.
[RFC 4055]: https://www.rfc-editor.org/rfc/rfc4055.txt
[RFC 4122]: https://www.rfc-editor.org/rfc/rfc4122.txt
[RFC 5208]: https://www.rfc-editor.org/rfc/rfc5208.txt
[RFC 5280]: https://www.rfc-editor.org/rfc/rfc5280.txt
[Web Crypto API documentation]: webcrypto.md
[`BN_is_prime_ex`]: https://www.openssl.org/docs/man1.1.1/man3/BN_is_prime_ex.html
[`Buffer`]: buffer.md
Expand Down
5 changes: 5 additions & 0 deletions lib/internal/crypto/x509.js
Original file line number Diff line number Diff line change
Expand Up @@ -313,6 +313,11 @@ class X509Certificate extends JSTransferable {

checkIP(ip, options) {
validateString(ip, 'ip');
// The options argument is currently undocumented since none of the options
// have any effect on the behavior of this function. However, we still parse
// the options argument in case OpenSSL adds flags in the future that do
// affect the behavior of X509_check_ip. This ensures that no invalid values
// are passed as the second argument in the meantime.
return this[kHandle].checkIP(ip, getFlags(options));
}

Expand Down

0 comments on commit e464990

Please sign in to comment.