Handle wildcard certificates in redbean

2025-01-31 03:27:39 +00:00 · 2022-06-10 21:51:46 -07:00 · 2022-06-10 21:51:46 -07:00 · 5deda43766
commit 5deda43766
parent c6d8e516b2
2 changed files with 26 additions and 6 deletions
--- a/net/https/certhashost.c
+++ b/net/https/certhashost.c
@ -23,9 +23,25 @@ bool CertHasHost(const mbedtls_x509_crt *cert, const void *s, size_t n) {
  const mbedtls_x509_sequence *cur;
  for (cur = &cert->subject_alt_names; cur; cur = cur->next) {
    if ((cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK) ==
-            MBEDTLS_X509_SAN_DNS_NAME &&
-        SlicesEqualCase(s, n, cur->buf.p, cur->buf.len)) {
-      return true;
+        MBEDTLS_X509_SAN_DNS_NAME) {
+      if (cur->buf.len > 2 && cur->buf.p[0] == '*' && cur->buf.p[1] == '.') {
+        // handle subject alt name like *.foo.com (matching foo.com)
+        if (SlicesEqualCase(s, n, cur->buf.p + 2, cur->buf.len - 2)) {
+          return true;
+        }
+        // handle subject alt name like *.foo.com (matching bar.foo.com)
+        if (n > cur->buf.len - 1 &&
+            SlicesEqualCase((char *)s + n - (cur->buf.len - 1),
+                            cur->buf.len - 1, cur->buf.p + 1,
+                            cur->buf.len - 1)) {
+          return true;
+        }
+      } else {
+        // handle subject alt name like foo.com
+        if (SlicesEqualCase(s, n, cur->buf.p, cur->buf.len)) {
+          return true;
+        }
+      }
    }
  }
  return false;
--- a/tool/net/redbean.c
+++ b/tool/net/redbean.c
@ -1732,9 +1732,11 @@ static void ConfigureCertificate(mbedtls_x509write_cert *cw, struct Cert *ca,
          }
        }
        if (!isduplicate) {
-          san = realloc(san, ++nsan * sizeof(*san));
+          san = realloc(san, (nsan += 2) * sizeof(*san));
+          san[nsan - 2].tag = MBEDTLS_X509_SAN_DNS_NAME;
+          san[nsan - 2].val = s;
          san[nsan - 1].tag = MBEDTLS_X509_SAN_DNS_NAME;
-          san[nsan - 1].val = s;
+          san[nsan - 1].val = gc(xasprintf("*.%s", s));
        }
      }
    }
@ -7270,7 +7272,9 @@ void RedBean(int argc, char *argv[]) {
      free(monitortls);
    }
  }
-  INFOF("(srvr) shutdown complete");
+  if (!isexitingworker) {
+    INFOF("(srvr) shutdown complete");
+  }
 }

 int main(int argc, char *argv[]) {