Created March 23, 2021 07:55
Gist: kidmose/76805ce6bf46621f2ca10e1bf30e25b3
Matching domain names to SubjectAltName (SAN), with approximate wildcard handling as per HTTPS (RFC2818)
```python
def sanMatch(san, domain):
    """If a `san` (Subject Alternative Name) matches (includes) `domain`

    Note: This does some rough, inaccurate wildcard matching; `*`
    matches *one or more* prefixed domain name components (or
    sub-domain labels in DNS terms). RFC2818 specifies that `*`
    matches any *single* domain name component, or a fragment
    thereof. This has been OK for my usage.

    * On SANs in X.509 certificates:
      https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#Subject-Alternative-Name
    * On DNS SANs in HTTPS with wildcards: https://tools.ietf.org/html/rfc2818
    """
    # Canonical form without trailing (or leading) dots
    san = san.strip(".")
    domain = domain.strip(".")
    if san.startswith("*."):  # a wildcard SAN
        # "*.example.com" covers any name ending in ".example.com",
        # however many labels deep (looser than RFC2818, see note above)
        return domain.endswith(san[1:])
    else:
        # Exact name, or any subdomain of it
        return (san == domain) or (domain.endswith("." + san))
```
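For comparison, an added example (not part of the gist) of the stricter matching RFC 2818 section 3.1 actually calls for: a wildcard covers exactly one label, may only sit in the leftmost label, and a plain name does not cover its subdomains. The `san_match_strict` and `matching_san` names, the case folding, and the refusal of two-label wildcards such as `*.com` are choices of this example, and the SAN lists used are constructed, not taken from any real certificate.

```python
import re
from typing import Iterable, Optional

def san_match_strict(san: str, domain: str) -> bool:
    """Match a dNSName SAN against a host name per RFC 2818 section 3.1.

    Unlike the looser gist function, a wildcard covers exactly one label
    ("*.example.com" matches "www.example.com", not "a.b.example.com"),
    may only appear in the leftmost label ("f*.example.com" is allowed,
    "www.*.com" is not), and a plain name matches only itself, never its
    subdomains. Comparison is case-insensitive, as DNS names are.
    """
    san_labels = san.strip(".").lower().split(".")
    host_labels = domain.strip(".").lower().split(".")
    # Empty labels ("a..b") are never valid on either side.
    if "" in san_labels or "" in host_labels:
        return False
    # A wildcard anywhere but the leftmost label is refused outright.
    if any("*" in label for label in san_labels[1:]):
        return False
    if "*" not in san_labels[0]:
        return san_labels == host_labels
    # Wildcard SAN: label counts must agree and every label after the
    # first must be identical; only the leftmost label is pattern-matched.
    if len(san_labels) != len(host_labels) or san_labels[1:] != host_labels[1:]:
        return False
    # Policy choice of this example (stricter than RFC 2818): refuse a
    # wildcard that would cover a whole TLD or registrable domain, e.g. "*.com".
    if len(san_labels) < 3:
        return False
    # "*" stands for any run of characters within the single leftmost label.
    pattern = "[^.]*".join(re.escape(part) for part in san_labels[0].split("*"))
    return re.fullmatch(pattern, host_labels[0]) is not None

def matching_san(hostname: str, sans: Iterable[str]) -> Optional[str]:
    """Return the first SAN entry that covers hostname, or None.

    This is the name check a TLS client performs after chain validation:
    the host it connected to must be named by one of the certificate's SANs.
    """
    for san in sans:
        if san_match_strict(san, hostname):
            return san
    return None

if __name__ == "__main__":
    # Constructed SAN list for illustration, not from any real certificate.
    cert_sans = ["example.com", "*.example.com"]
    for host in ["example.com", "www.example.com", "a.b.example.com"]:
        print(host, "->", matching_san(host, cert_sans))
```

Run against the gist's `sanMatch`, the same inputs show the difference: `a.b.example.com` is covered by `*.example.com` there, but not here.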