This request changes domain name matching in x509-validation to get closer to other implementations and RFCs:
- domain name matching is now case-insensitive
- a wildcard in the certificate domain name matches only a single domain component (see RFC 2818: "Names may contain the wildcard character '*' which is considered to match any single domain name component or component fragment.")
Case conversion is performed directly in splitDot, and the function call is now moved into matchDomain so that the original name before conversion can be returned inside InvalidName.
A wildcard is supported only for the left-most component just like before. I didn’t consider extending this or supporting component fragments like f*o.example.com because this is more complex and probably never used in practice (discussed somehow in RFC 6125 §7.2).
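The matching rules described in this request, as a stand-alone sketch added here for illustration; it is not the x509-validation source and not code from the pull request. `splitLabels` and `matchName` are hypothetical names, the sample names are constructed, and ASCII host names are assumed.

```haskell
-- Added illustration; not the x509-validation source. All names are hypothetical.
module Main (main) where

import Data.Char (toLower)

-- Split a name on '.' and lower-case every label, so that the later
-- comparison is case-insensitive (ASCII names assumed).
splitLabels :: String -> [String]
splitLabels s = case break (== '.') s of
  (l, [])       -> [map toLower l]
  (l, _ : rest) -> map toLower l : splitLabels rest

-- True when the certificate name covers the host name.
matchName :: String -> String -> Bool
matchName certName host =
  case (splitLabels certName, splitLabels host) of
    -- A lone "*" as the left-most label stands for exactly one non-empty
    -- host label; the remaining labels must be equal one for one.
    -- Rejecting a bare "*" certificate name is a choice made in this sketch.
    ("*" : cs, h : hs) ->
      not (null h) && not (null cs) && plainLabels cs && cs == hs
    -- Otherwise every label must be literal and equal.
    (cs, hs) -> plainLabels cs && cs == hs
  where
    -- No empty labels and no '*' anywhere else: this rules out
    -- fragments such as "f*o" and wildcards in inner labels.
    plainLabels = all (\l -> not (null l) && '*' `notElem` l)

-- Constructed certificate-name / host-name pairs.
main :: IO ()
main = mapM_ check
  [ ("example.com",     "EXAMPLE.com")
  , ("*.example.com",   "www.example.com")
  , ("*.example.com",   "a.b.example.com")
  , ("*.example.com",   "example.com")
  , ("f*o.example.com", "foo.example.com")
  , ("www.*.com",       "www.example.com")
  ]
  where
    check (c, h) =
      putStrLn (c ++ " vs " ++ h ++ ": " ++ show (matchName c h))
```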