[@types/node] tls.Certificate DN fields should be string | string[], not string

[tgies]

Problem

The tls.Certificate interface (used by PeerCertificate.subject and PeerCertificate.issuer) types all Distinguished Name fields as string:

interface Certificate {
    C: string;
    ST: string;
    L: string;
    O: string;
    OU: string;
    CN: string;
}

However, Node.js returns string[] when a DN attribute has multiple values. This is a well-known X.509 feature -- certificates can have multiple OUs, for example. Node.js's own documentation shows this in its example output for tlsSocket.getPeerCertificate():

subject:
  { OU: [ 'Domain Control Validated', 'PositiveSSL Wildcard' ],
    CN: '*.nodejs.org' },

(Source: https://nodejs.org/api/tls.html#certificate-object)

Runtime Proof

const { X509Certificate } = require('crypto');
const { execSync } = require('child_process');

const pem = execSync(
  'openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 ' +
  '-nodes -keyout /dev/null -days 1 ' +
  '-subj "/CN=test/OU=Engineering/OU=DevTeam/O=TestCorp" 2>/dev/null'
);

const cert = new X509Certificate(pem).toLegacyObject();
console.log(cert.subject.OU);
// -> [ 'Engineering', 'DevTeam' ]
console.log(Array.isArray(cert.subject.OU));
// -> true

Impact

Any code that assumes cert.subject.OU (or any other DN field) is always a string will silently produce wrong results on multi-valued certificates:

// These all fail silently when OU is an array:
cert.subject.OU.toLowerCase()    // TypeError at runtime
cert.subject.OU === 'Engineering' // false (comparing string to array)
new Set(allowed).has(cert.subject.OU) // false

OU is the most commonly multi-valued field in enterprise PKI, but any DN attribute can repeat per X.509/RFC 5280.

Suggested Fix

interface Certificate {
    C: string | string[];
    ST: string | string[];
    L: string | string[];
    O: string | string[];
    OU: string | string[];
    CN: string | string[];
}

This is a type-level breaking change -- downstream code doing cert.subject.CN.toLowerCase() would need a type guard -- but it reflects the actual runtime behavior and prevents silent bugs.

Workaround

Consumers can use declaration merging in the meantime:

declare module 'tls' {
    interface Certificate {
        C: string | string[];
        ST: string | string[];
        L: string | string[];
        O: string | string[];
        OU: string | string[];
        CN: string | string[];
    }
}

[tgies]

Source-level confirmation from Node.js internals

Traced the exact code path to confirm this is key-agnostic -- every DN field can be string | string[], not just OU.

1. Iterator produces raw key-value pairs

deps/ncrypto/ncrypto.cc:4642 -- X509Name::Iterator::operator*() iterates every X509_NAME_ENTRY, calls OBJ_nid2sn(OBJ_obj2nid(name)) to get the short name ("CN", "OU", "O", "C", etc.), and returns std::pair<std::string, std::string>:

std::pair<std::string, std::string> X509Name::Iterator::operator*() const {
  // ...
  int nid = OBJ_obj2nid(name);
  std::string name_str;
  if (nid != NID_undef) {
    name_str = std::string(OBJ_nid2sn(nid));
  } else {
    char buf[80];
    OBJ_obj2txt(buf, sizeof(buf), name, 0);
    name_str = std::string(buf);
  }
  // ...
  return {std::move(name_str), std::move(out)};
}

2. Duplicate keys are mechanically promoted to arrays

src/crypto/crypto_x509.cc:622 -- GetX509NameObject() checks if the key already exists; if so, it promotes the value to an array. The code itself acknowledges the awkwardness:

// For backward compatibility, we only create arrays if multiple values
// exist for the same key. That is not great but there is not much we can
// change here without breaking things. Note that this creates nested data
// structures, yet still does not allow representing Distinguished Names
// accurately.

The logic is purely mechanical: same key appears twice on the X509_NAME -> array. There is no allowlist of which fields can repeat.

3. Keys beyond the six typed fields are also possible

The OBJ_nid2sn() fallback to OBJ_obj2txt() means keys like emailAddress, serialNumber, DC (domain component), jurisdictionC, etc. can also appear on the object. The current Certificate interface only types six fields (C, ST, L, O, OU, CN), so these are invisible to TypeScript consumers as well.

Suggested fix (revised)

Given the above, the fix should probably use an index signature to cover arbitrary DN attributes:

interface Certificate {
    C: string | string[];
    ST: string | string[];
    L: string | string[];
    O: string | string[];
    OU: string | string[];
    CN: string | string[];
    [key: string]: string | string[] | undefined;
}

The index signature would cover emailAddress, serialNumber, DC, and any other OID that OpenSSL recognizes or renders as a dotted-decimal string.

[Renegade334]

PRs welcome.

[Bashamega]

This should be closed @tgies