DNS name check got reversed; breaks wildcards

2017-01-29 11:51:37 -05:00 · 2017-01-29 11:51:37 -05:00 · d63cca025a
commit d63cca025a
parent 2dfae9e892
2 changed files with 14 additions and 1 deletions
--- a/test/test_ssl_util.py
+++ b/test/test_ssl_util.py
@ -64,6 +64,19 @@ class TestSSLCertificate(unittest.TestCase):
    for name in cert.names:
      self.assertTrue(cert.matches_name(name))

+  def test_wildcard_hostnames(self):
+    (public_key_data, _) = generate_test_cert(hostname='foo', san_list=['DNS:*.bar'])
+    cert = load_certificate(public_key_data)
+    self.assertEquals(set(['foo', '*.bar']), cert.names)
+
+    for name in cert.names:
+      self.assertTrue(cert.matches_name(name))
+
+    self.assertTrue(cert.matches_name('something.bar'))
+    self.assertTrue(cert.matches_name('somethingelse.bar'))
+    self.assertTrue(cert.matches_name('cool.bar'))
+    self.assertFalse(cert.matches_name('*'))
+
  def test_nondns_hostnames(self):
    (public_key_data, _) = generate_test_cert(hostname='foo', san_list=['URI:yarg'])
    cert = load_certificate(public_key_data)
--- a/util/security/ssl.py
+++ b/util/security/ssl.py
@ -45,7 +45,7 @@ class SSLCertificate(object):
  def matches_name(self, check_name):
    """ Returns true if this SSL certificate matches the given DNS hostname. """
    for dns_name in self.names:
-      if fnmatch(dns_name, check_name):
+      if fnmatch(check_name, dns_name):
        return True

    return False