-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tls: fix reference to certificate object subjectAltName in checkServerIdentity function #42470
base: main
Are you sure you want to change the base?
Conversation
…rIdentity function The checkServerIdentify() function always fails with ERR_TLS_CERT_ALTNAME_INVALID error due to a bad reference to the certificate object's subjectAltName property. Changed the property reference from all lowercase to camelcase.
Review requested:
|
Can you please add a unit test? |
Certificate property name is camel case, "subjectAltName" but tests and documentation was using all lowercase.
Sorry, I'm new to the node source code. Turns out there were tests in place for this case, as well as others, but the tests were also using the lowercase of the certificate field "subjectAltName". I updated the tests, documentation, and there was a property in env.h that I changed but I don't fully understand the purpose and need somebody who knows to verify. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this is the right fix. The code clearly is written for the field to be the lowercase subjectaltname
as verified by the tests. Where exactly is the issue? Is this just a documentation problem?
The issue was in real world use the checkServerIdentity() function fails on valid certificates because the crypto module uses camelcase for the certificate properties... https://github.com/nodejs/node/blob/master/src/crypto/crypto_x509.cc#L64 |
Doing this would be a semver-major change, I guess. |
I'd also argue for adding a subjectaltname -> subjectAltName, i.e.: diff --git a/lib/internal/crypto/x509.js b/lib/internal/crypto/x509.js
index 386b41f3e4a..555d31c52ac 100644
--- a/lib/internal/crypto/x509.js
+++ b/lib/internal/crypto/x509.js
@@ -163,6 +163,10 @@ class X509Certificate extends JSTransferable {
return value;
}
+ get subjectaltname() {
+ return this.subjectAltName;
+ }
+
get subjectAltName() {
let value = this[kInternalState].get('subjectAltName');
if (value === undefined) { |
There are many inconsistencies between the legacy certificate object and instances of Both certificate representations are flawed. The legacy certificate objects allow simpler access to some fields (e.g., I've been trying to make various small improvements to those representations, but it's difficult without breaking things. Eventually, we'll probably want to migrate to |
|
I don't think we should. It reinforces unusual naming conventions and, since other properties are already incompatible between legacy certificate objects and Instead of using |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your contribution @bnielsen1965. Unfortunately, I don't think this is the right way to fix the problem.
@tniessen going forward is a warning needed in the docs for the checkServerIdentity() function? The checkHost() method should take care of my needs but others may unknowingly fall into the same path where I was trapped. In looking for a certificate validation method my search led me to checkServerIdentity() where the cert object argument then landed me on the X509Certificate object and I failed to noticed that I didn't really need the checkServerIdentify(). My issue is handled but just want to help others to avoid the same situation. |
@bnielsen1965 That's a good idea! Please take a look at #42495. |
Refs: nodejs#42470 PR-URL: nodejs#42495 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
Refs: nodejs#42470 PR-URL: nodejs#42495 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
Refs: nodejs/node#42470 PR-URL: nodejs/node#42495 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
tls: fix reference to certificate object subjectAltName in checkServerIdentity function