[440547] Add support for wildcard certificates.
authorRoger A. Light <roger@atchoo.org>
Tue, 13 Jan 2015 00:25:34 +0000 (00:25 +0000)
committerRoger A. Light <roger@atchoo.org>
Tue, 13 Jan 2015 00:30:17 +0000 (00:30 +0000)
Bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=440547
Change-Id: I681f8f67fcd476b70825146416886562369fee0e

ChangeLog.txt
src/paho/mqtt/client.py

index 6e1886ae41a6881c309a09b50467d44af69bf9a9..462abf83c543d3e2f1b1ffc642b0d393793af281 100644 (file)
@@ -1,3 +1,9 @@
+v1.1 - 2015-01-30
+=================
+
+- Add support for wildcard certificates. Closes #440547.
+
+
 v1.0.2 - 2014-09-13
 ===================
 
index 72c5505afefdeeaa2a6e81a615426ae0ab488895..096aec8076866ddc11af802a92ef8bf20c278fcf 100755 (executable)
@@ -2277,6 +2277,23 @@ class Client(object):
 
         self.loop_forever()
 
+    def _host_matches_cert(self, host, cert_host):
+        if cert_host[0:2] == "*.":
+            if cert_host.count("*") != 1:
+                return False
+
+            host_match = host.split(".", 1)[1]
+            cert_match = cert_host.split(".", 1)[1]
+            if host_match == cert_match:
+                return True
+            else:
+                return False
+        else:
+            if host == cert_host:
+                return True
+            else:
+                return False
+
     def _tls_match_hostname(self):
         cert = self._ssl.getpeercert()
         san = cert.get('subjectAltName')
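Review bot: `host.split(".", 1)[1]` in the wildcard branch of `_host_matches_cert` raises IndexError when the host contains no dot and the certificate offers a wildcard name, so the caller gets an unrelated exception instead of the `ssl.SSLError` that `_tls_match_hostname` raises on a mismatch. The same split also accepts a host whose leftmost label is empty. I would return False unless the host splits into a non-empty first label plus a remainder, return the comparisons directly instead of the nested `if/else: return True/False`, and add a short docstring stating that only a single leading `*.` label is honoured. `_host_matches_cert` lies fully inside this hunk; `_tls_match_hostname` continues outside it.

```python
    def _host_matches_cert(self, host, cert_host):
        if cert_host[0:2] == "*.":
            if cert_host.count("*") != 1:
                return False

            host_labels = host.split(".", 1)
            # The wildcard stands for exactly one non-empty leftmost label;
            # a dot-less host is a mismatch, not an IndexError.
            if len(host_labels) != 2 or not host_labels[0]:
                return False
            return host_labels[1] == cert_host[2:]

        return host == cert_host
```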
@@ -2285,7 +2302,7 @@ class Client(object):
             for (key, value) in san:
                 if key == 'DNS':
                     have_san_dns = True
-                    if value.lower() == self._host.lower():
+                    if self._host_matches_cert(self._host.lower(), value.lower()) == True:
                         return
                 if key == 'IP Address':
                     have_san_dns = True
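Review bot: The `== True` comparison on the new line is redundant because `_host_matches_cert` already returns a bool; write `if self._host_matches_cert(self._host.lower(), value.lower()):`. The commonName hunk below has the same construct. `self._host.lower()` is also recomputed for every SAN entry and could be bound once before the loop, which starts outside this hunk.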
@@ -2299,7 +2316,7 @@ class Client(object):
         if subject:
             for ((key, value),) in subject:
                 if key == 'commonName':
-                    if value.lower() == self._host.lower():
+                    if self._host_matches_cert(self._host.lower(), value.lower()) == True:
                         return
 
         raise ssl.SSLError('Certificate subject does not match remote hostname.')
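Review bot: The commonName comparison now goes through the wildcard matcher without checking what kind of value `self._host` holds, so a wildcard CN is compared label-wise even when the host is an IP literal. RFC 6125 limits wildcard matching to DNS names. A guard in `_host_matches_cert`, or before this call, that skips the wildcard branch for IP-literal hosts would keep the new behaviour scoped to hostnames. Whether this fallback is still reached when the certificate carries dNSName SAN entries depends on lines between the hunks that are not shown here, so it is worth confirming that the CN is consulted only when no SAN DNS entry exists.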