From b43faf0fc5871fe07e8556e061c4e2ba08016a2b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= Date: Mon, 17 Jan 2022 15:48:51 +0000 Subject: [PATCH] crypto: remove checkIP options argument None of the supported options have any effect on X509_check_ip_asc. Refs: https://github.com/openssl/openssl/pull/17536 PR-URL: https://github.com/nodejs/node/pull/41571 Reviewed-By: James M Snell Reviewed-By: Colin Ihrig Reviewed-By: Luigi Pinca --- doc/api/crypto.md | 17 ++++++++++------- lib/internal/crypto/x509.js | 5 +++++ 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/doc/api/crypto.md b/doc/api/crypto.md index 6ae651a68a9e49..485ec482faa100 100644 --- a/doc/api/crypto.md +++ b/doc/api/crypto.md @@ -2542,24 +2542,26 @@ does not contain any DNS names. This behavior is consistent with [RFC 2818][] If the `'subject'` option is set to `'never'`, the certificate subject is never considered, even if the certificate contains no subject alternative names. -### `x509.checkIP(ip[, options])` +### `x509.checkIP(ip)` * `ip` {string} -* `options` {Object} - * `subject` {string} `'always'` or `'never'`. **Default:** `'always'`. - * `wildcards` {boolean} **Default:** `true`. - * `partialWildcards` {boolean} **Default:** `true`. - * `multiLabelWildcards` {boolean} **Default:** `false`. - * `singleLabelSubdomains` {boolean} **Default:** `false`. * Returns: {string|undefined} Returns `ip` if the certificate matches, `undefined` if it does not. Checks whether the certificate matches the given IP address (IPv4 or IPv6). +Only [RFC 5280][] `iPAddress` subject alternative names are considered, and they +must match the given `ip` address exactly. Other subject alternative names as +well as the subject field of the certificate are ignored. + ### `x509.checkIssued(otherCert)`