Fix handling of empty subject names in certs

2025-12-05 23:53:21 +00:00 · 2021-03-11 12:42:10 +10:00
parent 71b5f6a38a
commit b4301c7d41
1 changed files with 23 additions and 3 deletions
--- a/src/services/ldap-directory.service.ts
+++ b/src/services/ldap-directory.service.ts
@@ -1,6 +1,8 @@
 import * as fs from 'fs';
 import * as ldap from 'ldapjs';

+import { checkServerIdentity, PeerCertificate } from 'tls';
+
 import { DirectoryType } from '../enums/directoryType';

 import { GroupEntry } from '../models/groupEntry';
@@ -360,9 +362,8 @@ export class LdapDirectoryService implements IDirectoryService {
                }
            }

-            if (Object.keys(tlsOptions).length > 0) {
-                options.tlsOptions = tlsOptions;
-            }
+            tlsOptions.checkServerIdentity = this.checkServerIdentityAltNames;
+            options.tlsOptions = tlsOptions;

            this.client = ldap.createClient(options);

@@ -425,4 +426,23 @@ export class LdapDirectoryService implements IDirectoryService {
            '-' + Utils.fromBufferToHex(p4) + '-' + Utils.fromBufferToHex(p5);
        return guid.toLowerCase();
    }
+
+    private checkServerIdentityAltNames(host: string, cert: PeerCertificate) {
+        // Fixes the cert representation when subject is empty and altNames are present
+        // Required for node versions < 12.14.1 (which could be used for bwdc cli)
+        // Adapted from: https://github.com/auth0/ad-ldap-connector/commit/1f4dd2be6ed93dda591dd31ed5483a9b452a8d2a
+        // See https://github.com/nodejs/node/issues/11771 for details
+        if (cert && cert.subject == null && /(IP|DNS|URL)/.test(cert.subjectaltname)) {
+            cert.subject = {
+                C: null,
+                ST: null,
+                L: null,
+                O: null,
+                OU: null,
+                CN: null
+            }
+        }
+
+        return checkServerIdentity(host, cert);
+    }
 }