From acda7b70429ebc09265ebea4bfe5b6daef263452 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff
Date: Thu, 21 Nov 2019 12:48:57 +0200
Subject: Correctly handle wildcard certificates.

* certmon.go (CNMatch): New function.
(CertMatch): Use CNMatch instead of simple string equality test.
Convert all strings to lower case prior to comparing.
---
 certmon.go | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/certmon.go b/certmon.go
index 2b030d4..d76e44b 100644
--- a/certmon.go
+++ b/certmon.go
@@ -52,12 +52,23 @@ type CertResultList struct {
 	Result []CertResult
 }
 
+func CNMatch(pat, name string) bool {
+	pat = strings.ToLower(pat)
+	if (pat[0] == '*') {
+		return len(name) >= len(pat) &&
+			strings.HasSuffix(name, pat[1:]) &&
+			strings.Index(name[0:(len(name) - len(pat) + 1)], `.`) == -1
+	} else {
+		return pat == name
+	}
+}
+
 func CertMatch(cert *x509.Certificate, cn string) bool {
-	if cn == `` || cert.Subject.CommonName == cn {
+	if cn == `` || CNMatch(cert.Subject.CommonName, cn) {
 		return true
 	}
 	for _, name := range cert.DNSNames {
-		if cn == name {
+		if CNMatch(name, cn) {
 			return true
 		}
 	}
@@ -201,7 +212,7 @@ func (rl *CertResultList) Append(res CertResult) {
 }
 
 func (rl *CertResultList) Check(args *ArgList) {
-	cn := args.Next()
+	cn := strings.ToLower(args.Next())
 	addr := rl.Address;
 	a := strings.Split(addr, `:`)
 	switch (len(a)) {
-- 
cgit v1.2.1
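Review bot: `pat[0]` in CNMatch indexes an empty string when the certificate carries no CommonName, and CertMatch passes `cert.Subject.CommonName` unconditionally, so a SAN-only certificate makes the match panic with an index-out-of-range instead of falling through to the DNSNames loop. The same test also treats any pattern starting with `*` as a wildcard (a bare `*` or `*example.com`), which is broader than the leftmost-label wildcard that TLS name matching permits; replacing the condition with `if !strings.HasPrefix(pat, "*.") { return pat == name }` and keeping the existing suffix/no-dot check for the wildcard branch fixes both and drops the `else` after `return`. If the project can rely on the standard library's rules, `cert.VerifyHostname(cn)` already performs case-insensitive wildcard matching and would let CNMatch go away, though its CommonName fallback depends on the Go version in use. The parenthesised `if (pat[0] == '*')` is not gofmt style.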
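Review bot: Lower-casing only the argument in Check means CertMatch's case-insensitivity depends on every caller, while CNMatch lower-cases only `pat`; a direct call such as `CertMatch(cert, "WWW.Example.Com")` would still miss a matching DNSNames entry. Moving the normalisation into CNMatch with `name = strings.ToLower(name)` next to the existing `pat = strings.ToLower(pat)` keeps the contract in one place, and this line can then stay or go. Note that `strings.ToLower` applies Unicode case mapping, so if non-ASCII (IDN) hostnames are ever accepted here they would need converting to the ASCII form present in certificates before comparison. Check's body continues outside the hunk.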