From e4649906a0b9b7cae078b18b869d0ac18a382435 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= Date: Mon, 17 Jan 2022 15:48:51 +0000 Subject: [PATCH] crypto: remove checkIP options argument None of the supported options have any effect on X509_check_ip_asc. Refs: https://github.com/openssl/openssl/pull/17536 PR-URL: https://github.com/nodejs/node/pull/41571 Reviewed-By: James M Snell Reviewed-By: Colin Ihrig Reviewed-By: Luigi Pinca --- doc/api/crypto.md | 29 ++++++++++++++++++++++------- lib/internal/crypto/x509.js | 5 +++++ 2 files changed, 27 insertions(+), 7 deletions(-) diff --git a/doc/api/crypto.md b/doc/api/crypto.md index 04898130dd7f09..599f0b2ffd8b58 100644 --- a/doc/api/crypto.md +++ b/doc/api/crypto.md 
@@ -2509,24 +2509,38 @@ or it might contain wildcards (e.g., `*.example.com`). Because host name comparisons are case-insensitive, the returned subject name might also differ from the given `name` in capitalization. -### `x509.checkIP(ip[, options])` +If the `'subject'` option is set to `'always'` and if the subject alternative +name extension either does not exist or does not contain a matching DNS name, +the certificate subject is considered. + +If the `'subject'` option is set to `'default'`, the certificate subject is only +considered if the subject alternative name extension either does not exist or +does not contain any DNS names. This behavior is consistent with [RFC 2818][] +("HTTP Over TLS"). + +If the `'subject'` option is set to `'never'`, the certificate subject is never +considered, even if the certificate contains no subject alternative names. + +### `x509.checkIP(ip)` * `ip` {string} -* `options` {Object} - * `subject` {string} `'always'` or `'never'`. **Default:** `'always'`. - * `wildcards` {boolean} **Default:** `true`. - * `partialWildcards` {boolean} **Default:** `true`. - * `multiLabelWildcards` {boolean} **Default:** `false`. - * `singleLabelSubdomains` {boolean} **Default:** `false`. * Returns: {string|undefined} Returns `ip` if the certificate matches, `undefined` if it does not. Checks whether the certificate matches the given IP address (IPv4 or IPv6). +Only [RFC 5280][] `iPAddress` subject alternative names are considered, and they +must match the given `ip` address exactly. Other subject alternative names as +well as the subject field of the certificate are ignored. + ### `x509.checkIssued(otherCert)`
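Review bot: the diffstat in the header reports 5 insertions in lib/internal/crypto/x509.js, but that hunk is not part of the visible patch, so this review cannot confirm what now happens when a caller still passes the old second argument (silently ignored, deprecation warning, or throw); the rewritten `### x509.checkIP(ip)` section should say so explicitly, because dropping the `subject`, `wildcards`, `partialWildcards`, `multiLabelWildcards` and `singleLabelSubdomains` bullets changes the documented contract without telling existing callers how their code behaves. The added paragraph "Only [RFC 5280][] `iPAddress` subject alternative names are considered, and they must match the given `ip` address exactly" is the security-relevant clarification and is the right thing to state: it makes clear that the subject field (CN) is never consulted for IP matching, so the removed `subject` default of `'always'` was misleading rather than merely redundant. Two smaller points: `[RFC 2818][]` and `[RFC 5280][]` are Markdown reference-style links and need matching definitions at the bottom of crypto.md, which are outside this hunk; and the three new `'subject'` paragraphs in the checkHost section describe a `'default'` value, so the `subject` bullet in the checkHost options list above this hunk should list `'always'`, `'default'` and `'never'` rather than only two of them.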