From cc49207e2734ad8131d9b34fee99bfcfffe130d6 Mon Sep 17 00:00:00 2001
From: user
Date: Thu, 19 Feb 2026 23:51:55 -0800
Subject: [PATCH] fix: return error for no peer certs, include IP SANs

- extractCertInfo now returns an error (ErrNoPeerCertificates) instead of an empty struct when there are no peer certificates
- SubjectAlternativeNames now includes both DNS names and IP addresses from cert.IPAddresses

Addresses review feedback on PR #7.
---
 internal/tlscheck/tlscheck.go | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/internal/tlscheck/tlscheck.go b/internal/tlscheck/tlscheck.go
index 90f768b..60f349a 100644
--- a/internal/tlscheck/tlscheck.go
+++ b/internal/tlscheck/tlscheck.go
@@ -27,6 +27,12 @@ var ErrUnexpectedConnType = errors.New(
 	"unexpected connection type",
 )
 
+// ErrNoPeerCertificates indicates the TLS connection had no peer
+// certificates.
+var ErrNoPeerCertificates = errors.New(
+	"no peer certificates",
+)
+
 // CertificateInfo holds information about a TLS certificate.
 type CertificateInfo struct {
 	CommonName string
@@ -144,7 +150,7 @@ func (c *Checker) CheckCertificate(
 		)
 	}
 
-	return c.extractCertInfo(tlsConn), nil
+	return c.extractCertInfo(tlsConn)
 }
 
 func (c *Checker) buildTLSConfig(
@@ -165,16 +171,20 @@ func (c *Checker) buildTLSConfig(
 func (c *Checker) extractCertInfo(
 	conn *tls.Conn,
-) *CertificateInfo {
+) (*CertificateInfo, error) {
 	state := conn.ConnectionState()
 	if len(state.PeerCertificates) == 0 {
-		return &CertificateInfo{}
+		return nil, ErrNoPeerCertificates
 	}
 
 	cert := state.PeerCertificates[0]
-	sans := make([]string, len(cert.DNSNames))
-	copy(sans, cert.DNSNames)
+	sans := make([]string, 0, len(cert.DNSNames)+len(cert.IPAddresses))
+	sans = append(sans, cert.DNSNames...)
+
+	for _, ip := range cert.IPAddresses {
+		sans = append(sans, ip.String())
+	}
 
 	return &CertificateInfo{
 		CommonName: cert.Subject.CommonName,
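Review bot: In the extractCertInfo hunk, `SubjectAlternativeNames` now mixes DNS and IP entries in one `[]string` with nothing to tell them apart, while `cert.EmailAddresses` and `cert.URIs` are still left out, so the field name promises more than the slice holds and extractCertInfo has no doc comment saying so. Suggest adding above the function: `// extractCertInfo reports the leaf certificate the peer presented (PeerCertificates[0]); SubjectAlternativeNames holds the DNS SANs followed by the IP SANs rendered via net.IP.String(), and omits email and URI SANs. It returns ErrNoPeerCertificates when the handshake yielded no peer certificates.` Note that `net.IP.String()` renders an IPv4-mapped IPv6 SAN in dotted-decimal IPv4 form, so a caller comparing these strings against raw SAN values may need to normalise first. Whether the reported leaf was verified against a trust store is decided in buildTLSConfig, which is outside the hunk; if that config sets InsecureSkipVerify, every field here comes from an unverified certificate, which the doc comment should state. The return literal started here continues past the end of the hunk.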
@@ -182,5 +192,5 @@ func (c *Checker) extractCertInfo(
 		NotAfter: cert.NotAfter,
 		SubjectAlternativeNames: sans,
 		SerialNumber: cert.SerialNumber.String(),
-	}
+	}, nil
 }