anaisbetts · anaisbetts · Sep 19, 2014 · Sep 19, 2014 · Sep 19, 2014 · Sep 19, 2014
diff --git a/src/ModernHttpClient/Android/OkHttpNetworkHandler.cs b/src/ModernHttpClient/Android/OkHttpNetworkHandler.cs
@@ -9,6 +9,7 @@
 using Javax.Net.Ssl;
 using System.Text.RegularExpressions;
 using Java.IO;
+using System.Globalization;
 
 namespace ModernHttpClient
 {
@@ -153,7 +154,7 @@ public void OnResponse(Response p0)
 
     class HostnameVerifier : Java.Lang.Object, IHostnameVerifier
     {
-        static readonly Regex cnRegex = new Regex("CN=(.*?),.*", RegexOptions.Compiled | RegexOptions.CultureInvariant | RegexOptions.Singleline);
+        static readonly Regex cnRegex = new Regex(@"CN\s*=\s*([^,]*)", RegexOptions.Compiled | RegexOptions.CultureInvariant | RegexOptions.Singleline);
 
         public bool Verify(string hostname, ISSLSession session)
         {
@@ -212,7 +213,7 @@ bool verifyServerCertificate(string hostname, ISSLSession session)
             var subject = root.Subject;
             var subjectCn = cnRegex.Match(subject).Groups[1].Value;
 
-            if (String.IsNullOrWhiteSpace(subjectCn) || subjectCn != hostname) {
+            if (String.IsNullOrWhiteSpace(subjectCn) || !match(hostname, subjectCn)) {
                 errors = System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch;
                 goto bail;
             }
@@ -238,5 +239,54 @@ bool verifyClientCiphers(string hostname, ISSLSession session)
 
             return acceptedCiphers.Contains(session.CipherSuite);
         }
+
+        static bool match(string hostname, string pattern)
+        {
+            // check if this is a pattern
+            int index = pattern.IndexOf('*');
+            if (index == -1)
+            {
+                // not a pattern, do a direct case-insensitive comparison
+                return (String.Compare(hostname, pattern, true, CultureInfo.InvariantCulture) == 0);
+            }
+
+            // check pattern validity
+            // A "*" wildcard character MAY be used as the left-most name component in the certificate.
+
+            // unless this is the last char (valid)
+            if (index != pattern.Length - 1)
+            {
+                // then the next char must be a dot .'.
+                if (pattern[index + 1] != '.')
+                    return false;
+            }
+
+            // only one (A) wildcard is supported
+            int i2 = pattern.IndexOf('*', index + 1);
+            if (i2 != -1)
+                return false;
+
+            // match the end of the pattern
+            string end = pattern.Substring(index + 1);
+            int length = hostname.Length - end.Length;
+            // no point to check a pattern that is longer than the hostname
+            if (length <= 0)
+                return false;
+
+            if (String.Compare(hostname, length, end, 0, end.Length, true, CultureInfo.InvariantCulture) != 0)
+                return false;
+
+            // special case, we start with the wildcard
+            if (index == 0)
+            {
+                // ensure we hostname non-matched part (start) doesn't contain a dot
+                int i3 = hostname.IndexOf('.');
+                return ((i3 == -1) || (i3 >= (hostname.Length - end.Length)));
+            }
+
+            // match the start of the pattern
+            string start = pattern.Substring(0, index);
+            return (String.Compare(hostname, 0, start, 0, start.Length, true, CultureInfo.InvariantCulture) == 0);
+        }
     }
 }
diff --git a/src/ModernHttpClient/iOS/NSUrlSessionHandler.cs b/src/ModernHttpClient/iOS/NSUrlSessionHandler.cs
@@ -14,6 +14,7 @@
 using Foundation;
 #else
 using MonoTouch.Foundation;
+using System.Globalization;
 #endif
 
 namespace ModernHttpClient
@@ -218,7 +219,7 @@ InflightOperation getResponseForTask(NSUrlSessionTask task)
                 }
             }
 
-            static readonly Regex cnRegex = new Regex("CN=(.*?),.*", RegexOptions.Compiled | RegexOptions.CultureInvariant | RegexOptions.Singleline);
+            static readonly Regex cnRegex = new Regex(@"CN\s*=\s*([^,]*)", RegexOptions.Compiled | RegexOptions.CultureInvariant | RegexOptions.Singleline);
 
             public override void DidReceiveChallenge(NSUrlSession session, NSUrlSessionTask task, NSUrlAuthenticationChallenge challenge, Action<NSUrlSessionAuthChallengeDisposition, NSUrlCredential> completionHandler)
             {
@@ -274,7 +275,7 @@ public override void DidReceiveChallenge(NSUrlSession session, NSUrlSessionTask
                 var subject = root.Subject;
                 var subjectCn = cnRegex.Match(subject).Groups[1].Value;
 
-                if (String.IsNullOrWhiteSpace(subjectCn) || subjectCn != task.CurrentRequest.Url.Host) {
+                if (String.IsNullOrWhiteSpace(subjectCn) || !match(task.CurrentRequest.Url.Host, subjectCn)) {
                     errors = SslPolicyErrors.RemoteCertificateNameMismatch;
                     goto sslErrorVerify;
                 }
@@ -293,6 +294,55 @@ public override void DidReceiveChallenge(NSUrlSession session, NSUrlSessionTask
                 return;
             }
 
+            static bool match(string hostname, string pattern)
+            {
+                // check if this is a pattern
+                int index = pattern.IndexOf('*');
+                if (index == -1)
+                {
+                    // not a pattern, do a direct case-insensitive comparison
+                    return (String.Compare(hostname, pattern, true, CultureInfo.InvariantCulture) == 0);
+                }
+
+                // check pattern validity
+                // A "*" wildcard character MAY be used as the left-most name component in the certificate.
+
+                // unless this is the last char (valid)
+                if (index != pattern.Length - 1)
+                {
+                    // then the next char must be a dot .'.
+                    if (pattern[index + 1] != '.')
+                        return false;
+                }
+
+                // only one (A) wildcard is supported
+                int i2 = pattern.IndexOf('*', index + 1);
+                if (i2 != -1)
+                    return false;
+
+                // match the end of the pattern
+                string end = pattern.Substring(index + 1);
+                int length = hostname.Length - end.Length;
+                // no point to check a pattern that is longer than the hostname
+                if (length <= 0)
+                    return false;
+
+                if (String.Compare(hostname, length, end, 0, end.Length, true, CultureInfo.InvariantCulture) != 0)
+                    return false;
+
+                // special case, we start with the wildcard
+                if (index == 0)
+                {
+                    // ensure we hostname non-matched part (start) doesn't contain a dot
+                    int i3 = hostname.IndexOf('.');
+                    return ((i3 == -1) || (i3 >= (hostname.Length - end.Length)));
+                }
+
+                // match the start of the pattern
+                string start = pattern.Substring(0, index);
+                return (String.Compare(hostname, 0, start, 0, start.Length, true, CultureInfo.InvariantCulture) == 0);
+            }
+
             Exception createExceptionForNSError(NSError error)
             {
                 var ret = default(Exception);