@kidmose
Created March 23, 2021 07:55
Matching domain names to SubjectAltName (SAN), with approximate wildcard handling as per HTTPS (RFC2818)
```python
def sanMatch(san, domain):
    """Whether a `san` (Subject Alternative Name) matches (includes) `domain`.

    Note: This does some rough, inaccurate wildcard matching; `*`
    matches *one or more* prefixed domain name components (or
    sub-domain labels in DNS terms). RFC2818 specifies that `*`
    matches any *single* domain name component, or a fragment
    thereof. This has been OK for my usage.

    * On SANs in X.509 certificates:
      https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#Subject-Alternative-Name
    * On DNS SANs in HTTPS with wildcards: https://tools.ietf.org/html/rfc2818
    """
    # Canonical form without trailing (or leading) dots
    san = san.strip(".")
    domain = domain.strip(".")
    if san.startswith("*."):  # a wildcard SAN
        # "*.example.com" -> ".example.com"; any domain ending in that
        # suffix matches, however many labels precede it.
        return domain.endswith(san[1:])
    else:
        # A plain SAN matches itself and (by design here) any subdomain of it.
        return (san == domain) or (domain.endswith("." + san))
```
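The gist deliberately accepts more than RFC 2818 does: `*.example.com` swallows any number of leading labels, and a plain SAN also covers every subdomain of itself. The following is an added example (not part of the gist) of a matcher that follows the RFC 2818 rule instead, with the gist's approximate logic reproduced only so the two can be compared on the same inputs. All function names and the sample domains are constructed for this example.

```python
import re
from typing import Iterable, List, Optional


def san_match_approx(san: str, domain: str) -> bool:
    """The gist's approximate rule, reproduced here only for comparison."""
    san = san.strip(".")
    domain = domain.strip(".")
    if san.startswith("*."):
        return domain.endswith(san[1:])
    return (san == domain) or domain.endswith("." + san)


def san_match_rfc2818(san: str, domain: str) -> bool:
    """dNSName matching as RFC 2818 section 3.1 describes it.

    - Comparison is case-insensitive, as DNS names are.
    - '*' is accepted only in the leftmost label and stands for exactly one
      label or a fragment of one: '*.example.com' matches 'a.example.com'
      but not 'a.b.example.com'; 'f*.example.com' matches 'foo.example.com'.
    - The wildcard never matches an empty label, so '*.example.com' does
      not cover the bare 'example.com'.
    - A SAN without a wildcard must match the whole name exactly.
    """
    san = san.strip(".").lower()
    domain = domain.strip(".").lower()
    if not san or not domain:
        return False
    san_labels = san.split(".")
    dom_labels = domain.split(".")
    if "*" not in san:
        return san_labels == dom_labels
    # A wildcard anywhere but the leftmost label is rejected outright.
    if any("*" in label for label in san_labels[1:]):
        return False
    # The wildcard replaces one label, so label counts must agree ...
    if len(san_labels) != len(dom_labels):
        return False
    # ... and every label to the right of it must match exactly.
    if san_labels[1:] != dom_labels[1:]:
        return False
    # Turn the leftmost label ('*', 'f*', 'a*b') into an anchored regex that
    # matches a single, non-empty DNS label.
    pattern = "^" + ".*".join(re.escape(p) for p in san_labels[0].split("*")) + "$"
    first = dom_labels[0]
    return bool(first) and re.match(pattern, first) is not None


def first_matching_san(sans: Iterable[str], domain: str) -> Optional[str]:
    """Return the first dNSName in a certificate's SAN list that covers
    `domain` under the RFC 2818 rule, or None if none does."""
    for san in sans:
        if san_match_rfc2818(san, domain):
            return san
    return None


def disagreements(san: str, domains: Iterable[str]) -> List[str]:
    """Domains on which the approximate rule and the RFC 2818 rule differ."""
    return [d for d in domains
            if san_match_approx(san, d) != san_match_rfc2818(san, d)]


if __name__ == "__main__":
    # Constructed sample inputs; not taken from any real certificate.
    print(disagreements("*.example.com",
                        ["a.example.com", "a.b.example.com", "example.com"]))
    # -> ['a.b.example.com']
    print(disagreements("example.com", ["example.com", "www.example.com"]))
    # -> ['www.example.com']
    print(first_matching_san(["mail.example.com", "*.example.com"],
                             "www.example.com"))
    # -> *.example.com
```

The two rules only diverge on names with extra leading labels; for the common one-level case (`www.example.com` against `*.example.com`) they agree, which is why the gist's shortcut is usually good enough and why the stricter version matters mainly when a certificate for `*.example.com` is being checked against a deeper name such as `a.b.example.com`.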