Merge pull request #2315 from coreos-inc/ssl-wildcard-branches

DNS name check got reversed; breaks wildcards

test/test_ssl_util.py

@@ -64,6 +64,19 @@ class TestSSLCertificate(unittest.TestCase):
     for name in cert.names:
       self.assertTrue(cert.matches_name(name))
 
+  def test_wildcard_hostnames(self):
+    (public_key_data, _) = generate_test_cert(hostname='foo', san_list=['DNS:*.bar'])
+    cert = load_certificate(public_key_data)
+    self.assertEquals(set(['foo', '*.bar']), cert.names)
+
+    for name in cert.names:
+      self.assertTrue(cert.matches_name(name))
+
+    self.assertTrue(cert.matches_name('something.bar'))
+    self.assertTrue(cert.matches_name('somethingelse.bar'))
+    self.assertTrue(cert.matches_name('cool.bar'))
+    self.assertFalse(cert.matches_name('*'))
+
   def test_nondns_hostnames(self):
     (public_key_data, _) = generate_test_cert(hostname='foo', san_list=['URI:yarg'])
     cert = load_certificate(public_key_data)

util/security/ssl.py

@@ -45,7 +45,7 @@ class SSLCertificate(object):
   def matches_name(self, check_name):
     """ Returns true if this SSL certificate matches the given DNS hostname. """
     for dns_name in self.names:
-      if fnmatch(dns_name, check_name):
+      if fnmatch(check_name, dns_name):
         return True
 
     return False