
    Add support for matching certificate hostnames.

    Review Request #15017 — Created April 16, 2026 and updated

    Information

    Review Board
    release-7.1.x

    Reviewers

    This introduces Certificate.matches_hostname(), which takes a hostname
    and matches it against the hostnames and/or wildcard hostnames stored in
    the certificate (as both the primary hostname and in the SAN fields).

    It wraps a utility function, get_cert_hostname_matches(), which can be
    used without a Certificate instance.

    Wildcard matching takes care to only match the first label in a hostname
    (such as *.example.com) and to avoid matching bare hostnames. It does
    not support partial wildcards, such as foo*, *bar, or foo*bar, as
    these are largely unsupported by browsers, servers, and Certificate
    Authorities these days (Chrome treats them as a security issue).

    Unit tests pass.

    Summary ID
    Add support for matching certificate hostnames.
    8db5a6fef00d888a815fe6768ea804686cdff372
    chipx86
    Review request changed
    Change Summary:

    Hostname matching now uses the Subject instead of the caller-provided hostname.

    Commits:
    Summary ID
    Add support for matching certificate hostnames.
    2cde0d4733368274e342a5aa748efe875ff6d72b
    Add support for matching certificate hostnames.
    8db5a6fef00d888a815fe6768ea804686cdff372

    Checks run (2 succeeded)

    flake8 passed.
    JSHint passed.
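
The wildcard rules in the description above (wildcard only as the whole first label, no bare-hostname match, no partial wildcards), sketched as an added example that is not part of the review request or Review Board's code. The function names and sample certificate names are hypothetical, and reading "bare hostnames" as "`*.example.com` does not match `example.com`" is an assumption.

```python
from __future__ import annotations

# Constructed sample: names as they might appear in a certificate's
# subject and SAN fields (not taken from the review request).
SAMPLE_CERT_NAMES = ["example.com", "*.example.com", "foo*.example.org"]


def _labels(name: str) -> list[str]:
    """Lowercase a DNS name, drop one trailing dot, split into labels."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def hostname_matches_pattern(hostname: str, pattern: str) -> bool:
    """Return True if hostname matches one certificate name (hypothetical helper)."""
    host, pat = _labels(hostname), _labels(pattern)

    # Empty labels ("a..b", "") or a "*" in the hostname itself never match.
    if "" in host or "" in pat or any("*" in label for label in host):
        return False

    # No wildcard: exact, case-insensitive comparison.
    if not any("*" in label for label in pat):
        return host == pat

    # The wildcard must be the entire leftmost label, so partial forms
    # (foo*, *bar, foo*bar) and wildcards in later labels are rejected.
    if pat[0] != "*" or any("*" in label for label in pat[1:]):
        return False

    # "*" covers exactly one label: same label count, same suffix. This
    # keeps *.example.com from matching example.com or a.b.example.com.
    return len(pat) > 1 and len(host) == len(pat) and host[1:] == pat[1:]


def matching_cert_names(hostname: str, cert_names: list[str]) -> list[str]:
    """Return the certificate names that match hostname, in order."""
    return [n for n in cert_names if hostname_matches_pattern(hostname, n)]


if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "a.b.example.com",
                 "foobar.example.org"):
        print(host, "->", matching_cert_names(host, SAMPLE_CERT_NAMES))
```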