
    Add support for matching certificate hostnames.

    Review Request #15017 — Created April 16, 2026 and updated — Latest diff uploaded

    Information

    Review Board
    release-7.1.x


    This introduces Certificate.matches_hostname(), which takes a hostname
    and matches it against the hostnames and/or wildcard hostnames stored in
    the certificate (as both the primary hostname and in the SAN fields).

    It wraps a utility function, get_cert_hostname_matches(), which can be
    used without a Certificate instance.

    Wildcard matching takes care to only match the first label in a hostname
    (such as *.example.com) and to avoid matching bare hostnames. It does
    not support partial wildcards, such as foo*, *bar, or foo*bar, as
    these are largely unsupported by browsers, servers, and Certificate
    Authorities these days (Chrome treats them as a security issue).

    Unit tests pass.
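
The wildcard rules described above, as an added example that is not Review Board's code or the implementation under review. `pattern_matches()` and `matching_names()` are hypothetical names, the certificate names are constructed, and rejecting a lone `*` pattern is this example's own assumption.

```python
def _labels(name: str) -> list[str]:
    """Lowercase a DNS name, drop one trailing dot, and split into labels."""
    return name.strip().lower().removesuffix('.').split('.')


def pattern_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (exact or wildcard) covers hostname."""
    p_labels = _labels(pattern)
    h_labels = _labels(hostname)

    # Empty labels ("", "a..b") and wildcards in the queried name never match.
    if '' in p_labels or '' in h_labels or '*' in hostname:
        return False

    if '*' not in pattern:
        return p_labels == h_labels

    # The wildcard must be the entire first label: this rejects partial
    # wildcards (foo*, *bar, foo*bar) and wildcards in any later label.
    if p_labels[0] != '*' or any('*' in label for label in p_labels[1:]):
        return False

    # Assumption of this example: a lone "*" with no parent domain is invalid.
    if len(p_labels) < 2:
        return False

    # "*" stands for exactly one label, so *.example.com covers neither the
    # bare example.com nor a.b.example.com.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def matching_names(hostname: str, cert_names: list[str]) -> list[str]:
    """Return the certificate names (primary hostname or SAN) that match."""
    return [name for name in cert_names if pattern_matches(name, hostname)]


# Constructed sample: names as they might appear in one certificate.
CERT_NAMES = ['example.com', '*.example.com', 'foo*.example.org',
              '*.*.example.net']

if __name__ == '__main__':
    for host in ('www.example.com', 'example.com', 'a.b.example.com',
                 'foobar.example.org', 'x.y.example.net'):
        print(f'{host!r:24} -> {matching_names(host, CERT_NAMES)}')
```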
