Certificate name validation

[ocheron]

This request changes domain name matching in x509-validation to get closer to other implementations and RFCs :

• domain name matching is now case-insensitive
• a wildcard in the certificate domain name matches only a single domain component (see RFC 2818: Names may contain the wildcard character '*' which is considered to match any single domain name component or component fragment.)

Case conversion is performed directly in splitDot, and the function call is now moved into matchDomain so that the original name before conversion can be returned inside InvalidName.

A wildcard is supported only for the left-most component just like before. I didn’t consider extending this or supporting component fragments like f*o.example.com because this is more complex and probably never used in practice (discussed somehow in RFC 6125 §7.2).

[ocheron]

Related to vincenthz/hs-tls#163.

[vincenthz]

Thanks. looking good, although the general validation sorely lack automated testing

[ocheron]

OK, I'll see if I can add a test suite to x509-validation to test expected validation results.