|
|
@ -91,7 +91,14 @@ function checkServerIdentity(host, cert) { |
|
|
// The same applies to hostname with more than one wildcard,
|
|
|
// The same applies to hostname with more than one wildcard,
|
|
|
// if hostname has wildcard when wildcards are not allowed,
|
|
|
// if hostname has wildcard when wildcards are not allowed,
|
|
|
// or if there are less than two dots after wildcard (i.e. *.com or *d.com)
|
|
|
// or if there are less than two dots after wildcard (i.e. *.com or *d.com)
|
|
|
if (/\*.*\*/.test(host) || !wildcards && /\*/.test(host) || |
|
|
//
|
|
|
|
|
|
// also
|
|
|
|
|
|
//
|
|
|
|
|
|
// "The client SHOULD NOT attempt to match a presented identifier in
|
|
|
|
|
|
// which the wildcard character comprises a label other than the
|
|
|
|
|
|
// left-most label (e.g., do not match bar.*.example.net)."
|
|
|
|
|
|
// RFC6125
|
|
|
|
|
|
if (!wildcards && /\*/.test(host) || /[\.\*].*\*/.test(host) || |
|
|
/\*/.test(host) && !/\*.*\..+\..+/.test(host)) { |
|
|
/\*/.test(host) && !/\*.*\..+\..+/.test(host)) { |
|
|
return /$./; |
|
|
return /$./; |
|
|
} |
|
|
} |
|
|
@ -112,6 +119,7 @@ function checkServerIdentity(host, cert) { |
|
|
var dnsNames = [], |
|
|
var dnsNames = [], |
|
|
uriNames = [], |
|
|
uriNames = [], |
|
|
ips = [], |
|
|
ips = [], |
|
|
|
|
|
matchCN = true, |
|
|
valid = false; |
|
|
valid = false; |
|
|
|
|
|
|
|
|
// There're several names to perform check against:
|
|
|
// There're several names to perform check against:
|
|
|
@ -120,6 +128,7 @@ function checkServerIdentity(host, cert) { |
|
|
//
|
|
|
//
|
|
|
// Walk through altnames and generate lists of those names
|
|
|
// Walk through altnames and generate lists of those names
|
|
|
if (cert.subjectaltname) { |
|
|
if (cert.subjectaltname) { |
|
|
|
|
|
matchCN = false; |
|
|
cert.subjectaltname.split(/, /g).forEach(function(altname) { |
|
|
cert.subjectaltname.split(/, /g).forEach(function(altname) { |
|
|
if (/^DNS:/.test(altname)) { |
|
|
if (/^DNS:/.test(altname)) { |
|
|
dnsNames.push(altname.slice(4)); |
|
|
dnsNames.push(altname.slice(4)); |
|
|
@ -155,14 +164,24 @@ function checkServerIdentity(host, cert) { |
|
|
|
|
|
|
|
|
dnsNames = dnsNames.concat(uriNames); |
|
|
dnsNames = dnsNames.concat(uriNames); |
|
|
|
|
|
|
|
|
// And only after check if hostname matches CN
|
|
|
if (dnsNames.length > 0) matchCN = false; |
|
|
var commonNames = cert.subject.CN; |
|
|
|
|
|
if (Array.isArray(commonNames)) { |
|
|
// Match against Common Name (CN) only if altnames are not present.
|
|
|
for (var i = 0, k = commonNames.length; i < k; ++i) { |
|
|
//
|
|
|
dnsNames.push(regexpify(commonNames[i], true)); |
|
|
// "As noted, a client MUST NOT seek a match for a reference identifier
|
|
|
|
|
|
// of CN-ID if the presented identifiers include a DNS-ID, SRV-ID,
|
|
|
|
|
|
// URI-ID, or any application-specific identifier types supported by the
|
|
|
|
|
|
// client."
|
|
|
|
|
|
// RFC6125
|
|
|
|
|
|
if (matchCN) { |
|
|
|
|
|
var commonNames = cert.subject.CN; |
|
|
|
|
|
if (Array.isArray(commonNames)) { |
|
|
|
|
|
for (var i = 0, k = commonNames.length; i < k; ++i) { |
|
|
|
|
|
dnsNames.push(regexpify(commonNames[i], true)); |
|
|
|
|
|
} |
|
|
|
|
|
} else { |
|
|
|
|
|
dnsNames.push(regexpify(commonNames, true)); |
|
|
} |
|
|
} |
|
|
} else { |
|
|
|
|
|
dnsNames.push(regexpify(commonNames, true)); |
|
|
|
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
valid = dnsNames.some(function(re) { |
|
|
valid = dnsNames.some(function(re) { |
|
|
|
Fedor Indutny
12 years ago
isaacs