From 7165254f8b59b195c022275438ba113c32469635 Mon Sep 17 00:00:00 2001
From: Ben Noordhuis <info@bnoordhuis.nl>
Date: Sat, 1 Jun 2019 09:01:22 +0200
Subject: [PATCH] test: more tls hostname verification coverage

Add some additional tests that check the interaction of an IP address
as the Common Name and the presence (or lack of presence) of DNS, URI,
and IP Address Subject Alternative Names.

PR-URL: https://github.com/nodejs/node/pull/27999
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
---
 .../test-tls-check-server-identity.js         | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/test/parallel/test-tls-check-server-identity.js b/test/parallel/test-tls-check-server-identity.js
index fe27770c1ebc84..afeb6c749928c3 100644
--- a/test/parallel/test-tls-check-server-identity.js
+++ b/test/parallel/test-tls-check-server-identity.js
@@ -70,6 +70,48 @@ const tests = [
     error: 'Host: a.com. is not cert\'s CN: .a.com'
   },
 
+  // IP address in CN. Technically allowed but so rare that we reject
+  // it anyway. If we ever do start allowing them, we should take care
+  // to only allow public (non-internal, non-reserved) IP addresses,
+  // because that's what the spec mandates.
+  {
+    host: '8.8.8.8',
+    cert: { subject: { CN: '8.8.8.8' } },
+    error: 'IP: 8.8.8.8 is not in the cert\'s list: '
+  },
+
+  // The spec suggests that a "DNS:" Subject Alternative Name containing an
+  // IP address is valid but it seems so suspect that we currently reject it.
+  {
+    host: '8.8.8.8',
+    cert: { subject: { CN: '8.8.8.8' }, subjectaltname: 'DNS:8.8.8.8' },
+    error: 'IP: 8.8.8.8 is not in the cert\'s list: '
+  },
+
+  // Likewise for "URI:" Subject Alternative Names.
+  // See also https://github.com/nodejs/node/issues/8108.
+  {
+    host: '8.8.8.8',
+    cert: { subject: { CN: '8.8.8.8' }, subjectaltname: 'URI:http://8.8.8.8/' },
+    error: 'IP: 8.8.8.8 is not in the cert\'s list: '
+  },
+
+  // An "IP Address:" Subject Alternative Name however is acceptable.
+  {
+    host: '8.8.8.8',
+    cert: { subject: { CN: '8.8.8.8' }, subjectaltname: 'IP Address:8.8.8.8' }
+  },
+
+  // But not when it's a CIDR.
+  {
+    host: '8.8.8.8',
+    cert: {
+      subject: { CN: '8.8.8.8' },
+      subjectaltname: 'IP Address:8.8.8.0/24'
+    },
+    error: 'IP: 8.8.8.8 is not in the cert\'s list: '
+  },
+
   // Wildcards in CN
   { host: 'b.a.com', cert: { subject: { CN: '*.a.com' } } },
   {