test: expand tls-check-server-identity coverage

PR-URL: https://github.com/nodejs/node/pull/60002 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
2025-12-06 00:20:08 +01:00 · 2025-09-24 19:27:57 -04:00 · 2025-09-24 19:27:57 -04:00 · 93ee08cf27
commit 93ee08cf27
parent b51fd73e10
1 changed files with 68 additions and 0 deletions
--- a/test/parallel/test-tls-check-server-identity.js
+++ b/test/parallel/test-tls-check-server-identity.js
@ -62,6 +62,11 @@ const tests = [
    cert: { subject: { CN: '.a.com' } },
    error: 'Host: a.com. is not cert\'s CN: .a.com'
  },
+  {
+    host: 'bad.x.example.com',
+    cert: { subject: { CN: 'bad..example.com' } },
+    error: 'Host: bad.x.example.com. is not cert\'s CN: bad..example.com'
+  },

  // IP address in CN. Technically allowed but so rare that we reject
  // it anyway. If we ever do start allowing them, we should take care
@ -129,6 +134,16 @@ const tests = [
    cert: { subject: { CN: 'b*b.a.com' } },
    error: 'Host: b.a.com. is not cert\'s CN: b*b.a.com'
  },
+  {
+    host: 'bxa.a.com',
+    cert: { subject: { CN: 'b**.a.com' } },
+    error: 'Host: bxa.a.com. is not cert\'s CN: b**.a.com'
+  },
+  {
+    host: 'xbcd.a.com',
+    cert: { subject: { CN: 'ab*cd.a.com' } },
+    error: 'Host: xbcd.a.com. is not cert\'s CN: ab*cd.a.com'
+  },

  // Empty Cert
  {
@ -158,6 +173,11 @@ const tests = [
      subject: { CN: ['foo.com', 'bar.com'] } // CN=foo.com; CN=bar.com;
    }
  },
+  {
+    host: 'a.com',
+    cert: { subject: { CN: [''] } },
+    error: 'Host: a.com. is not cert\'s CN: '
+  },

  // DNS names and CN
  {
@ -212,6 +232,46 @@ const tests = [
  },

  // DNS names
+  {
+    host: 'a.com',
+    cert: {
+      subjectaltname: 'DNS:',
+      subject: {}
+    },
+    error: 'Host: a.com. is not in the cert\'s altnames: DNS:'
+  },
+  {
+    host: 'bad.x.example.com',
+    cert: {
+      subjectaltname: 'DNS:bad..example.com',
+      subject: {}
+    },
+    error: 'Host: bad.x.example.com. is not in the cert\'s altnames: DNS:bad..example.com'
+  },
+  {
+    host: 'x.example.com',
+    cert: {
+      subjectaltname: 'DNS:caf\u00E9.example.com', // "café.example.com"
+      subject: {}
+    },
+    error: 'Host: x.example.com. is not in the cert\'s altnames: DNS:caf\u00E9.example.com'
+  },
+  {
+    host: 'xbcd.a.com',
+    cert: {
+      subjectaltname: 'DNS:ab*cd.a.com',
+      subject: {}
+    },
+    error: 'Host: xbcd.a.com. is not in the cert\'s altnames: DNS:ab*cd.a.com'
+  },
+  {
+    host: 'x.example.com',
+    cert: {
+      subjectaltname: 'DNS:bad label.com',
+      subject: {}
+    },
+    error: 'Host: x.example.com. is not in the cert\'s altnames: DNS:bad label.com'
+  },
  {
    host: 'a.com', cert: {
      subjectaltname: 'DNS:*.a.com',
@ -261,6 +321,14 @@ const tests = [
      subject: {}
    }
  },
+  {
+    host: 'bxa.a.com',
+    cert: {
+      subjectaltname: 'DNS:b**.a.com',
+      subject: {}
+    },
+    error: 'Host: bxa.a.com. is not in the cert\'s altnames: DNS:b**.a.com'
+  },
  // URI names
  {
    host: 'a.b.a.com', cert: {