Match a hostname against a pattern, supporting wildcard certificates (*.example.com). Implements RFC 6125 wildcard matching rules: - Wildcard must be in the leftmost label - Wildcard must be the only character in that label - Wildcard must match at least one character
(expected: &str, pattern: &str)
| 1703 | /// - Wildcard must be the only character in that label |
| 1704 | /// - Wildcard must match at least one character |
| 1705 | fn hostname_matches(expected: &str, pattern: &str) -> bool { |
| 1706 | // Wildcard matching for *.example.com |
| 1707 | if let Some(pattern_base) = pattern.strip_prefix("*.") { |
| 1708 | // Find the first dot in expected hostname |
| 1709 | if let Some(dot_pos) = expected.find('.') { |
| 1710 | let expected_base = &expected[dot_pos + 1..]; |
| 1711 | |
| 1712 | // The base domains must match (case insensitive) |
| 1713 | // and the leftmost label must not be empty |
| 1714 | return dot_pos > 0 && expected_base.eq_ignore_ascii_case(pattern_base); |
| 1715 | } |
| 1716 | |
| 1717 | // No dot in expected, can't match wildcard |
| 1718 | return false; |
| 1719 | } |
| 1720 | |
| 1721 | // Exact match (case insensitive per RFC 4343) |
| 1722 | expected.eq_ignore_ascii_case(pattern) |
| 1723 | } |
| 1724 | |
| 1725 | /// Verify that a certificate is valid for the given IP address. |
| 1726 | /// Checks Subject Alternative Names for IP Address entries. |
no test coverage detected