Wildcards. Also fixed a bug with multiple GNs
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 6f64613..ec69292 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -152,7 +152,12 @@
gn.type = backend._lib.GEN_DNS
ia5 = backend._lib.ASN1_IA5STRING_new()
assert ia5 != backend._ffi.NULL
- value = idna.encode(alt_name.value)
+
+ if alt_name.value.startswith(u"*."):
+ value = b"*." + idna.encode(alt_name.value[2:])
+ else:
+ value = idna.encode(alt_name.value)
+
res = backend._lib.ASN1_STRING_set(ia5, value, len(value))
assert res == 1
gn.d.dNSName = ia5
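Review bot: The wildcard branch on L12–L13 only special-cases a leading `*.`; a value of exactly `*.` hands an empty string to `idna.encode`, and a `*` anywhere else (`foo.*.example.com`, `*foo.example.com`) falls through to `idna.encode`, which, if I recall its codepoint checks correctly, rejects `*` with a generic IDNA error rather than one naming the real problem. Since this is the encoding side of a certificate builder, an explicit check that the wildcard is the whole leftmost label and that nothing else contains `*` would fail earlier and more clearly, e.g. `if u"*" in alt_name.value[2:]: raise ValueError("Wildcard must be the leftmost label only")` before the encode (the `*.` prefix itself is already stripped on L13). A short comment above the branch would also help: `# RFC 6125 wildcard: only a leading "*." label is allowed; idna.encode rejects "*", so strip it before encoding.` The enclosing function starts above the hunk.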
@@ -160,7 +165,7 @@
raise NotImplementedError("Only DNSNames are supported right now")
res = backend._lib.sk_GENERAL_NAME_push(general_names, gn)
- assert res == 1
+ assert res >= 0
pp = backend._ffi.new("unsigned char **")
r = backend._lib.i2d_GENERAL_NAMES(general_names, pp)
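Review bot: The relaxed check `assert res >= 0` on L24 accepts a return value of 0, which, going by OpenSSL's `sk_*_push` documentation (new element count on success, 0 on failure), is precisely the error case; `assert res > 0` keeps the multi-GN fix while still catching a failed push. Separately, because `assert` is stripped under `-O`, a failed push would then be silently ignored and that name dropped from the extension; the surrounding code uses `assert` for the same pattern so this is at least consistent, but a real exception would be safer for a certificate-building path. The enclosing function continues outside the hunk on both sides.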
diff --git a/tests/test_x509.py b/tests/test_x509.py
index b8c3b03..7855297 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -920,7 +920,8 @@
])
).add_extension(
x509.SubjectAlternativeName([
- x509.DNSName(u"google.com"),
+ x509.DNSName(u"example.com"),
+ x509.DNSName(u"*.example.com"),
]),
critical=False,
).sign(private_key, hashes.SHA256(), backend)
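Review bot: The added `*.example.com` case on L37 exercises only an ASCII wildcard, so the new slice-then-`idna.encode` path is never tested on the input where the split actually matters, a wildcard over an internationalized name; adding something like `x509.DNSName(u"*.\u00fcnicode.com")` and asserting it round-trips (and ideally that the encoded DER carries `*.xn--...`) would pin that down. Whether the parsing side decodes a `*.xn--` label back to the original string is not visible in this diff, so that half may need a corresponding fix. The test method starts above the hunk.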
@@ -932,7 +933,8 @@
assert not ext.critical
assert ext.oid == x509.OID_SUBJECT_ALTERNATIVE_NAME
assert list(ext.value) == [
- x509.DNSName(u"google.com"),
+ x509.DNSName(u"example.com"),
+ x509.DNSName(u"*.example.com"),
]
def test_subject_alt_name_unsupported_general_name(self, backend):