This repository has been archived by the owner on Oct 30, 2023. It is now read-only.
forked from electron/electron
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
crypto: change default check(Host|Email) behavior
- Loading branch information
Showing
2 changed files
with
100 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
99 changes: 99 additions & 0 deletions
99
patches/node/crypto_change_default_check_host_email_behavior.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,99 @@ | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= <tniessen@tnie.de> | ||
Date: Wed, 19 Jan 2022 19:05:53 +0000 | ||
Subject: crypto: change default check(Host|Email) behavior | ||
|
||
This changes the default behavior of the X509Certificate functions | ||
checkHost and checkEmail to match the default behavior of OpenSSL's | ||
X509_check_host and X509_check_email functions, respectively, which | ||
is also what RFC 2818 mandates for HTTPS. | ||
|
||
Refs: https://github.com/nodejs/node/pull/36804 | ||
Refs: https://github.com/nodejs/node/pull/41569 | ||
|
||
PR-URL: https://github.com/nodejs/node/pull/41600 | ||
Reviewed-By: Matteo Collina <matteo.collina@gmail.com> | ||
Reviewed-By: Rich Trott <rtrott@gmail.com> | ||
Reviewed-By: Filip Skokan <panva.ip@gmail.com> | ||
(cherry picked from commit 18365d8ee6a5fdeb8b46d1a0ec9b954d61ebca7e) | ||
|
||
diff --git a/doc/api/crypto.md b/doc/api/crypto.md | ||
index dff4142fd4a5e29c744b2e849b66b65088d4002b..175d89f54acb991d8f36230aacbfd0b46168a5dd 100644 | ||
--- a/doc/api/crypto.md | ||
+++ b/doc/api/crypto.md | ||
@@ -2511,14 +2511,14 @@ changes: | ||
|
||
Checks whether the certificate matches the given email address. | ||
|
||
+If the `'subject'` option is undefined or set to `'default'`, the certificate | ||
+subject is only considered if the subject alternative name extension either does | ||
+not exist or does not contain any email addresses. | ||
+ | ||
If the `'subject'` option is set to `'always'` and if the subject alternative | ||
name extension either does not exist or does not contain a matching email | ||
address, the certificate subject is considered. | ||
|
||
-If the `'subject'` option is set to `'default'`, the certificate subject is only | ||
-considered if the subject alternative name extension either does not exist or | ||
-does not contain any email addresses. | ||
- | ||
If the `'subject'` option is set to `'never'`, the certificate subject is never | ||
considered, even if the certificate contains no subject alternative names. | ||
|
||
@@ -2535,7 +2535,7 @@ changes: | ||
* `name` {string} | ||
* `options` {Object} | ||
* `subject` {string} `'default'`, `'always'`, or `'never'`. | ||
- **Default:** `'always'`. | ||
+ **Default:** `'default'`. | ||
* `wildcards` {boolean} **Default:** `true`. | ||
* `partialWildcards` {boolean} **Default:** `true`. | ||
* `multiLabelWildcards` {boolean} **Default:** `false`. | ||
@@ -2551,15 +2551,15 @@ or it might contain wildcards (e.g., `*.example.com`). Because host name | ||
comparisons are case-insensitive, the returned subject name might also differ | ||
from the given `name` in capitalization. | ||
|
||
+If the `'subject'` option is undefined or set to `'default'`, the certificate | ||
+subject is only considered if the subject alternative name extension either does | ||
+not exist or does not contain any DNS names. This behavior is consistent with | ||
+[RFC 2818][] ("HTTP Over TLS"). | ||
+ | ||
If the `'subject'` option is set to `'always'` and if the subject alternative | ||
name extension either does not exist or does not contain a matching DNS name, | ||
the certificate subject is considered. | ||
|
||
-If the `'subject'` option is set to `'default'`, the certificate subject is only | ||
-considered if the subject alternative name extension either does not exist or | ||
-does not contain any DNS names. This behavior is consistent with [RFC 2818][] | ||
-("HTTP Over TLS"). | ||
- | ||
If the `'subject'` option is set to `'never'`, the certificate subject is never | ||
considered, even if the certificate contains no subject alternative names. | ||
|
||
diff --git a/lib/internal/crypto/x509.js b/lib/internal/crypto/x509.js | ||
index cd20f6868da72ccfa65fabdcb572b3e3f2e8a8a5..e7098d17da6aacf4912fcca001702e3f43689548 100644 | ||
--- a/lib/internal/crypto/x509.js | ||
+++ b/lib/internal/crypto/x509.js | ||
@@ -65,8 +65,7 @@ function isX509Certificate(value) { | ||
function getFlags(options = {}) { | ||
validateObject(options, 'options'); | ||
const { | ||
- // TODO(tniessen): change the default to 'default' | ||
- subject = 'always', // Can be 'default', 'always', or 'never' | ||
+ subject = 'default', // Can be 'default', 'always', or 'never' | ||
wildcards = true, | ||
partialWildcards = true, | ||
multiLabelWildcards = false, | ||
diff --git a/test/parallel/test-x509-escaping.js b/test/parallel/test-x509-escaping.js | ||
index 99418e4c0bf21c26d5ba0ad9d617419abc625593..4e88d324cd3d5abe6b056d32ea40969531d31639 100644 | ||
--- a/test/parallel/test-x509-escaping.js | ||
+++ b/test/parallel/test-x509-escaping.js | ||
@@ -425,7 +425,7 @@ const { hasOpenSSL3 } = common; | ||
assert.strictEqual(certX509.subjectAltName, 'DNS:evil.example.com'); | ||
|
||
// The newer X509Certificate API allows customizing this behavior: | ||
- assert.strictEqual(certX509.checkHost(servername), servername); | ||
+ assert.strictEqual(certX509.checkHost(servername), undefined); | ||
assert.strictEqual(certX509.checkHost(servername, { subject: 'default' }), | ||
undefined); | ||
assert.strictEqual(certX509.checkHost(servername, { subject: 'always' }), |