New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add securityDetails.subjectAlternativeNames() #5628
Conversation
test/ignorehttpserrors.spec.js
Outdated
@@ -63,6 +63,7 @@ describeFailsFirefox('ignoreHTTPSErrors', function() { | |||
expect(securityDetails.subjectName()).toBe('puppeteer-tests'); | |||
expect(securityDetails.validFrom()).toBe(1550084863); | |||
expect(securityDetails.validTo()).toBe(33086084863); | |||
expect(securityDetails.sanList()).toEqual([]); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you add a test with an actual SAN list?
You can use https://1000-sans.badssl.com/
for the test, and check the length of the resulting array, as well as one particular element (so that the tests show the expected format of a single SAN object).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this be included in the local test webserver certificate? Seems risky to me to have the whole test chain depend on network presence & internet presence.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, adding some SANs to the local cert would be ideal.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mtoma Do you want to give this a go?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mathiasbynens Yes, it's the plan. I'm just catastrophically busy these days. Any help or guidance with generating the local certificate wit a san list would be greatly appreciated.
Maybe someone knows how the certificate was generated in the first place? openssl command line probably?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have no idea how the existing cert was generated, but it seems we could use something like https://github.com/FiloSottile/mkcert.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done. For future the command line I used to generate the certificate is:
openssl req -x509 -nodes -subj "/CN=puppeteer-tests" -newkey rsa:2048 -keyout key.pem -out cert.pem -addext "subjectAltName=DNS:www.puppeteer-tests.tld,DNS:www.puppeteer-tests-1.tld" -days 3650
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, Firefox can expose this. |
test/ignorehttpserrors.spec.js
Outdated
expect(securityDetails.validTo()).toBe(33086084863); | ||
expect(securityDetails.validFrom()).toBe(1589283259); | ||
expect(securityDetails.validTo()).toBe(1904643259); | ||
expect(securityDetails.subjectAlternativeNames()).toEqual(['www.puppeteer-tests.tld', 'www.puppeteer-tests-1.tld']); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let’s use .test
as the TLD per https://tools.ietf.org/html/rfc2606#section-2.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking good! One last request w.r.t. the test domain names.
Would you mind rebasing? After the rebase this looks good to go. Thanks! |
Fixes issue #5625 - Get the sanList array of the SSL Certificate