tls: normalize hostname for server identity checks

Signed-off-by: Matteo Collina <hello@matteocollina.com>
PR-URL: nodejs-private/node-private#869
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
CVE-ID: CVE-2026-48618
Refs: https://hackerone.com/reports/3688064

Author: mcollina

lib/tls.js

@@ -68,6 +68,7 @@ const { Buffer } = require('buffer');
 const { canonicalizeIP } = internalBinding('cares_wrap');
 const tlsCommon = require('internal/tls/common');
 const tlsWrap = require('internal/tls/wrap');
+const { domainToASCII } = require('internal/url');
 const { validateString } = require('internal/validators');
 
 const {
@@ -403,6 +404,11 @@ exports.checkServerIdentity = function checkServerIdentity(hostname, cert) {
   const ips = [];
 
   hostname = '' + hostname;
+  const hostnameASCII = domainToASCII(hostname);
+
+  // Remove trailing dots for error messages and matching.
+  hostname = unfqdn(hostname);
+  const hostnameASCIIWithoutFQDN = unfqdn(hostnameASCII);
 
   if (altNames) {
     const splitAltNames = altNames.includes('"') ?
@@ -420,14 +426,14 @@ exports.checkServerIdentity = function checkServerIdentity(hostname, cert) {
   let valid = false;
   let reason = 'Unknown reason';
 
-  hostname = unfqdn(hostname);  // Remove trailing dot for error messages.
-
-  if (net.isIP(hostname)) {
-    valid = ips.includes(canonicalizeIP(hostname));
-    if (!valid)
-      reason = `IP: ${hostname} is not in the cert's list: ` + ips.join(', ');
+  if (net.isIP(hostnameASCIIWithoutFQDN)) {
+    valid = ips.includes(canonicalizeIP(hostnameASCIIWithoutFQDN));
+    if (!valid) {
+      reason =
+        `IP: ${hostname} is not in the cert's list: ` + ips.join(', ');
+    }
   } else if (dnsNames.length > 0 || subject?.CN) {
-    const hostParts = splitHost(hostname);
+    const hostParts = splitHost(hostnameASCIIWithoutFQDN);
     const wildcard = (pattern) => check(hostParts, pattern, true);
 
     if (dnsNames.length > 0) {

test/parallel/test-tls-check-server-identity.js

@@ -381,6 +381,15 @@ const tests = [
     error: 'Host: localhost. is not in the cert\'s altnames: ' +
            'DNS:a.com'
   },
+  {
+    host: 'foo。bar.example.com',
+    cert: {
+      subjectaltname: 'DNS:*.example.com',
+      subject: {}
+    },
+    error: 'Host: foo。bar.example.com. is not in the cert\'s altnames: ' +
+           'DNS:*.example.com'
+  },
   // IDNA
   {
     host: 'xn--bcher-kva.example.com',