Comment 22 for bug 376484

In , Mozbugzilla (mozbugzilla) wrote:

Created an attachment (id=288681)
Alternative patch for (more restrictive) wildcard matching

(In reply to [my own] comment #16)
> In a further step, cert_TestHostName() could be actually modified to not rely
> on PORT_RegExpCaseSearch() any longer, in my opinion (or is there any need for
> supporting shell-style matching besides the '*' character?).

Here's an alternative patch (for cert_TestHostName) which implements a more "radical" solution, by further limiting the cases where '*' is interpreted as a wildcard character. From the explanation in the source:

   /* for a cn pattern to be considered valid, the wildcard character...
      - may occur in the first component only, and must be its last character
      - may occur only once
      - may be preceded by additional characters
    */

Of course this is (still) in line with RFCs 2595, 2818 and 4513, and has the advantage of no longer depending on PORT_RegExpCaseSearch (so portreg.{h,c} could actually be dropped from NSS, since cert_TestHostName is its only caller).

Can somebody (Nelson?) advise on how I should proceed? Is this patch acceptable for review, or would it also need to cover the changes to lib/util? Thanks for any guidance.
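To illustrate the three wildcard constraints quoted above, here is an added example written for this page (it is not the attached patch and not NSS's cert_TestHostName); the function and helper names are invented, and it assumes hostnames are plain ASCII DNS names.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison of exactly n bytes (DNS names are case-insensitive). */
static bool ci_equal_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    }
    return true;
}

/* Case-insensitive comparison of two whole strings. */
static bool ci_equal(const char *a, const char *b)
{
    size_t n = strlen(a);
    return n == strlen(b) && ci_equal_n(a, b, n);
}

/* Constructed example, not the patch attached to the comment: match a
 * hostname against a certificate CN pattern where '*' is a wildcard only if
 *  - it occurs in the first label only and is that label's last character,
 *  - it occurs only once,
 *  - it may be preceded by other characters (e.g. "www*.example.org").
 * Any other placement of '*' makes the pattern invalid, so it never matches.
 * The wildcard never spans a '.', so "*.example.org" does not match
 * "a.b.example.org". */
bool wildcard_host_match(const char *pattern, const char *hostname)
{
    const char *star = strchr(pattern, '*');
    if (star == NULL)
        return ci_equal(pattern, hostname);      /* no wildcard: exact match */
    if (strchr(star + 1, '*') != NULL)
        return false;                            /* more than one '*' */
    if (strchr(pattern, '.') != star + 1)
        return false;                            /* '*' not last char of first label */
    const char *host_dot = strchr(hostname, '.');
    if (host_dot == NULL || host_dot == hostname)
        return false;                            /* host needs a non-empty first label */
    if (!ci_equal(star + 1, host_dot))
        return false;                            /* remaining labels must match exactly */
    size_t prefix_len = (size_t)(star - pattern);
    if (prefix_len > (size_t)(host_dot - hostname))
        return false;                            /* literal prefix longer than host label */
    return ci_equal_n(pattern, hostname, prefix_len);
}
```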