Commit 30b034c

tls: remove checkIP options argument
None of the supported options have any effect on X509_check_ip_asc. (iPAddress is not a typo, it is what RFC 5280 calls subject alternative names that are IP addresses.)

Refs: openssl/openssl#17536
1 parent 3f0bcfb commit 30b034c

2 files changed

+13
-7
lines changed

doc/api/crypto.md

+8-7
@@ -2509,24 +2509,25 @@ or it might contain wildcards (e.g., `*.example.com`). Because host name
25092509
comparisons are case-insensitive, the returned subject name might also differ
25102510
from the given `name` in capitalization.
25112511

2512-
### `x509.checkIP(ip[, options])`
2512+
### `x509.checkIP(ip)`
25132513

25142514
<!-- YAML
25152515
added: v15.6.0
2516+
changes:
2517+
- version: REPLACEME
2518+
pr-url: https://github.com/nodejs/node/pull/41571
2519+
description: The `options` argument has been removed since it had no effect.
25162520
-->
25172521

25182522
* `ip` {string}
2519-
* `options` {Object}
2520-
* `subject` {string} `'always'` or `'never'`. **Default:** `'always'`.
2521-
* `wildcards` {boolean} **Default:** `true`.
2522-
* `partialWildcards` {boolean} **Default:** `true`.
2523-
* `multiLabelWildcards` {boolean} **Default:** `false`.
2524-
* `singleLabelSubdomains` {boolean} **Default:** `false`.
25252523
* Returns: {string|undefined} Returns `ip` if the certificate matches,
25262524
`undefined` if it does not.
25272525

25282526
Checks whether the certificate matches the given IP address (IPv4 or IPv6).
25292527

2528+
Only `iPAddress` subject alternative names are considered, and they must match
2529+
the given `ip` address exactly. The certificate subject is ignored.
2530+
25302531
### `x509.checkIssued(otherCert)`
25312532

25322533
<!-- YAML
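Review bot: The `description:` line of the new `changes:` entry says the `options` argument "has been removed", but the lib/internal/crypto/x509.js hunk in this same commit keeps the `checkIP(ip, options)` signature and still calls `getFlags(options)`, so the argument is undocumented rather than removed. Suggest wording along the lines of "The `options` argument is no longer documented since it had no effect." Separately, in the added paragraph, "must match the given `ip` address exactly" can be read as a string comparison; it would help to state whether different textual forms of the same IPv6 address are treated as equal, since callers rely on this text to decide whether to normalize input before an identity check.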

lib/internal/crypto/x509.js

+5
@@ -313,6 +313,11 @@ class X509Certificate extends JSTransferable {
313313

314314
checkIP(ip, options) {
315315
validateString(ip, 'ip');
316+
// The options argument is currently undocumented since none of the options
317+
// have any effect on the behavior of this function. However, we still parse
318+
// the options argument in case OpenSSL adds flags in the future that do
319+
// affect the behavior of X509_check_ip. This ensures that no invalid values
320+
// are passed as the second argument in the meantime.
316321
return this[kHandle].checkIP(ip, getFlags(options));
317322
}
318323
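Review bot: The added comment above `return this[kHandle].checkIP(ip, getFlags(options));` names `X509_check_ip`, while the commit message refers to `X509_check_ip_asc`; use one name so the comment points readers at the right OpenSSL function. The comment also states that the second argument is still parsed so that no invalid values are passed, yet neither of the two changed files is a test, so nothing in this commit pins that behaviour. Consider adding a test that an invalid `options` value passed to `checkIP` is still rejected, and noting in the comment that the documentation now describes the signature as `x509.checkIP(ip)`.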
