home: imp ip addr detection

heyxkhoa · Nov 1, 2022 · 815e299 · 815e299
1 parent 9d4ecd9
commit 815e299
Showing 1 changed file with 19 additions and 1 deletion.
diff --git a/internal/home/tls.go b/internal/home/tls.go
@@ -13,6 +13,7 @@ import (
 	"encoding/pem"
 	"fmt"
 	"net/http"
+	"net/netip"
 	"os"
 	"strings"
 	"sync"
@@ -512,6 +513,22 @@ func validateCertChain(certs []*x509.Certificate, srvName string) (err error) {
 	return nil
 }
 
+// certHasIP returns true if cert has at least a single IP address either in its
+// DNS names or in the IP addresses section.
+func certHasIP(cert *x509.Certificate) (ok bool) {
+	if len(cert.IPAddresses) > 0 {
+		return true
+	}
+
+	for _, name := range cert.DNSNames {
+		if _, err := netip.ParseAddr(name); err == nil {
+			return true
+		}
+	}
+
+	return false
+}
+
 // parseCertChain parses the certificate chain from raw data, and returns it.
 // If ok is true, the returned error, if any, is not critical.
 func parseCertChain(chain []byte) (parsedCerts []*x509.Certificate, ok bool, err error) {
@@ -532,7 +549,8 @@ func parseCertChain(chain []byte) (parsedCerts []*x509.Certificate, ok bool, err
 	}
 
 	log.Info("tls: number of certs: %d", len(parsedCerts))
-	if mainCert := parsedCerts[0]; len(mainCert.IPAddresses) == 0 {
+
+	if !certHasIP(parsedCerts[0]) {
 		err = errors.Error(`certificate has no IP addresses` +
 			`, this may cause issues with DNS-over-TLS clients`)
 	}