diff --git a/doc/api/crypto.md b/doc/api/crypto.md index 90c3eee2419d3f..32982621613d8d 100644 --- a/doc/api/crypto.md +++ b/doc/api/crypto.md @@ -2578,11 +2578,27 @@ The SHA-512 fingerprint of this certificate. * Type: {string} -The information access content of this certificate. +A textual representation of the certificate's authority information access +extension. + +This is a line feed separated list of access descriptions. Each line begins with +the access method and the kind of the access location, followed by a colon and +the value associated with the access location. + +After the prefix denoting the access method and the kind of the access location, +the remainder of each line might be enclosed in quotes to indicate that the +value is a JSON string literal. For backward compatibility, Node.js only uses +JSON string literals within this property when necessary to avoid ambiguity. +Third-party code should be prepared to handle both possible entry formats. ### `x509.issuer` @@ -2659,12 +2675,32 @@ The complete subject of this certificate. * Type: {string} The subject alternative name specified for this certificate. +This is a comma-separated list of subject alternative names. Each entry begins +with a string identifying the kind of the subject alternative name followed by +a colon and the value associated with the entry. + +Earlier versions of Node.js incorrectly assumed that it is safe to split this +property at the two-character sequence `', '` (see [CVE-2021-44532][]). However, +both malicious and legitimate certificates can contain subject alternative names +that include this sequence when represented as a string. + +After the prefix denoting the type of the entry, the remainder of each entry +might be enclosed in quotes to indicate that the value is a JSON string literal. +For backward compatibility, Node.js only uses JSON string literals within this +property when necessary to avoid ambiguity. Third-party code should be prepared +to handle both possible entry formats. + ### `x509.toJSON()`