Domain name and identity matching for TLS certificates (RFC 6125).
Implements the rules for verifying that a TLS certificate is valid for a given reference identifier (hostname, IP address, or email address).
RFC 6125 compliance
- Section 6.4.1: case-insensitive comparison for DNS names.
- Section 6.4.3: wildcard matching — only the leftmost label may be a wildcard (`*`), no partial wildcards, and a wildcard does not match dots.
- Section 6.4.4: if SANs are present, the subject CN MUST be ignored.
- Section 6.5.2: IP address matching via iPAddress SAN entries.
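The DNS-name rules above (sections 6.4.1 and 6.4.3), worked through as an added, stand-alone example; this is not Kipuka's own `matches_domain`, and the function name `rfc6125_dns_match` is an assumption for illustration:

```rust
// Added illustration of the RFC 6125 DNS-name rules, not Kipuka's `matches_domain`.
// Rules applied: case-insensitive comparison (6.4.1); a wildcard is only allowed
// as the entire leftmost label, never as part of a label, and it matches exactly
// one label, so it never spans a dot (6.4.3).

/// Returns true if `pattern` (a dNSName SAN value) matches `hostname`.
pub fn rfc6125_dns_match(pattern: &str, hostname: &str) -> bool {
    // Drop a trailing dot (FQDN form) and compare case-insensitively.
    let pattern = pattern.trim_end_matches('.').to_ascii_lowercase();
    let hostname = hostname.trim_end_matches('.').to_ascii_lowercase();
    if pattern.is_empty() || hostname.is_empty() {
        return false;
    }
    let mut pat_labels = pattern.split('.');
    let mut host_labels = hostname.split('.');
    // A non-empty string always yields at least one split piece.
    let first_pat = pat_labels.next().unwrap();
    let first_host = host_labels.next().unwrap();
    let rest_pat: Vec<&str> = pat_labels.collect();
    let rest_host: Vec<&str> = host_labels.collect();

    // A '*' anywhere other than the leftmost label is not permitted.
    if rest_pat.iter().any(|l| l.contains('*')) {
        return false;
    }
    // Every label to the right of the leftmost one must match exactly.
    // Comparing label-by-label is what stops a wildcard from matching a dot:
    // "*.example.com" vs "a.b.example.com" fails here because the label
    // counts differ.
    if rest_pat != rest_host {
        return false;
    }

    if first_pat == "*" {
        // Extra precaution, not one of the listed rules: a bare "*" pattern
        // with nothing to its right is rejected outright.
        if rest_pat.is_empty() {
            return false;
        }
        // The wildcard must consume exactly one non-empty, literal label.
        !first_host.is_empty() && !first_host.contains('*')
    } else if first_pat.contains('*') {
        // Partial wildcard such as "www*" or "w*w": rejected.
        false
    } else {
        first_pat == first_host
    }
}
```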
Usage in Kipuka
- POP linking in `/simpleenroll` and `/simplereenroll` (mTLS client cert identity vs. CSR subject); see `super::mtls`.
- EST server certificate validation by clients (informational; the actual TLS validation is done by rustls, but this module provides the matching logic for EST-specific identity checks).
Functions
- `matches_domain`: Check whether a certificate DNS name pattern matches a hostname.
- `matches_email`: Check whether a certificate rfc822Name SAN matches an email address.
- `matches_ip`: Check whether a certificate iPAddress SAN matches a client IP address.
- `validate_identity`: Validate that a DER-encoded certificate is authorized for a given identity.