From 5deda4376655de83b369f4fcea404ad89b44dd9b Mon Sep 17 00:00:00 2001
From: Justine Tunney
Date: Fri, 10 Jun 2022 21:51:46 -0700
Subject: [PATCH] Handle wildcard certificates in redbean

---
 net/https/certhashost.c | 22 +++++++++++++++++++---
 tool/net/redbean.c | 10 +++++++---
 2 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/net/https/certhashost.c b/net/https/certhashost.c
index efabb542d..9a1112f50 100644
--- a/net/https/certhashost.c
+++ b/net/https/certhashost.c
@@ -23,9 +23,25 @@ bool CertHasHost(const mbedtls_x509_crt *cert, const void *s, size_t n) {
 const mbedtls_x509_sequence *cur;
 for (cur = &cert->subject_alt_names; cur; cur = cur->next) {
 if ((cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK) ==
- MBEDTLS_X509_SAN_DNS_NAME &&
- SlicesEqualCase(s, n, cur->buf.p, cur->buf.len)) {
- return true;
+ MBEDTLS_X509_SAN_DNS_NAME) {
+ if (cur->buf.len > 2 && cur->buf.p[0] == '*' && cur->buf.p[1] == '.') {
+ // handle subject alt name like *.foo.com (matching foo.com)
+ if (SlicesEqualCase(s, n, cur->buf.p + 2, cur->buf.len - 2)) {
+ return true;
+ }
+ // handle subject alt name like *.foo.com (matching bar.foo.com)
+ if (n > cur->buf.len - 1 &&
+ SlicesEqualCase((char *)s + n - (cur->buf.len - 1),
+ cur->buf.len - 1, cur->buf.p + 1,
+ cur->buf.len - 1)) {
+ return true;
+ }
+ } else {
+ // handle subject alt name like foo.com
+ if (SlicesEqualCase(s, n, cur->buf.p, cur->buf.len)) {
+ return true;
+ }
+ }
 }
 }
 return false;
diff --git a/tool/net/redbean.c b/tool/net/redbean.c
index 0758d84c4..662086a61 100644
--- a/tool/net/redbean.c
+++ b/tool/net/redbean.c
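Review bot: The `bar.foo.com` branch of the new wildcard handling is a bare suffix match on `.foo.com`, so a SAN of `*.foo.com` also accepts `a.b.foo.com` and any deeper name, whereas RFC 6125 §6.4.3 (and mainstream TLS clients) let `*` stand for exactly one label. The bytes that the `*` replaces — the first `n - (cur->buf.len - 1)` bytes of `s` — should be rejected when they contain a `.`; the `cur->buf.len > 2` test also admits `*.x`, which the same rule would not, but a minimum label count is a policy question for the caller. The first branch, matching `*.foo.com` against the bare `foo.com`, is likewise non-standard, and since the redbean hunk in this same commit now emits both the literal name and its wildcard, that branch appears unnecessary (inferred from the companion hunk, not from this one). `memchr` needs `<string.h>` or the project's equivalent if the file does not already pull it in. CertHasHost's closing brace is outside the hunk.
```c
// … unchanged: SAN tag check and "*." prefix test …
// handle subject alt name like *.foo.com (matching bar.foo.com)
// RFC 6125 §6.4.3: the wildcard covers exactly one label, so the part of
// the host that stands in for '*' must not itself contain a dot
size_t suffixlen = cur->buf.len - 1;  // ".foo.com"
if (n > suffixlen && !memchr(s, '.', n - suffixlen) &&
    SlicesEqualCase((char *)s + n - suffixlen, suffixlen,
                    cur->buf.p + 1, suffixlen)) {
  return true;
}
// … unchanged: non-wildcard comparison …
```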
@@ -1732,9 +1732,11 @@ static void ConfigureCertificate(mbedtls_x509write_cert *cw, struct Cert *ca,
 }
 }
 if (!isduplicate) {
- san = realloc(san, ++nsan * sizeof(*san));
+ san = realloc(san, (nsan += 2) * sizeof(*san));
+ san[nsan - 2].tag = MBEDTLS_X509_SAN_DNS_NAME;
+ san[nsan - 2].val = s;
 san[nsan - 1].tag = MBEDTLS_X509_SAN_DNS_NAME;
- san[nsan - 1].val = s;
+ san[nsan - 1].val = gc(xasprintf("*.%s", s));
 }
 }
 }
@@ -7270,7 +7272,9 @@ void RedBean(int argc, char *argv[]) {
 free(monitortls);
 }
 }
- INFOF("(srvr) shutdown complete");
+ if (!isexitingworker) {
+ INFOF("(srvr) shutdown complete");
+ }
 }

 int main(int argc, char *argv[]) {
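Review bot: The new `san[nsan - 1].val = gc(xasprintf("*.%s", s))` line synthesizes a wildcard SAN for every non-duplicate host with no comment explaining why a self-generated certificate should cover all subdomains of each configured name, and nothing visible in the hunk stops a name that is already a wildcard from producing a SAN like `*.*.example.com`; the `isduplicate` computation is outside the hunk, so I cannot tell whether it also covers the synthesized name. A short comment above the realloc would help: `// each host also gets a "*.<host>" DNS SAN so the certificate matches its subdomains`. If wildcard (or IP-literal) inputs can reach this point, guard the second entry with `if (s[0] != '*')` and grow `nsan` by one or two accordingly. The `realloc` result remains unchecked, as it was before the change; ConfigureCertificate begins and ends outside the hunk.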