authorMartin Polden <mpolden@mpolden.no>2023-10-04 13:42:55 +0200
committerMartin Polden <mpolden@mpolden.no>2023-10-09 09:43:20 +0200
commiteceedab23b7c943126d76f1c2822d5d0b7f4cbd1 (patch)
tree151a1776267914fe80d2d056f84b7196ffc3c7d1 /controller-api/src/main/java
parent1857991cf335f31fca0a499f72fbaa83cb47dd14 (diff)
Require that endpoint DNS name is matched by SAN
Diffstat (limited to 'controller-api/src/main/java')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificate.java23
1 files changed, 23 insertions, 0 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificate.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificate.java
index 6f056edd226..6988da6a0ad 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificate.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificate.java
@@ -135,4 +135,27 @@ public record EndpointCertificate(String keyName, String certName, int version,
this.generatedId);
}
+ /** Returns whether given DNS name matches any of the requested SANs in this */
+ public boolean sanMatches(String dnsName) {
+ return sanMatches(dnsName, requestedDnsSans);
+ }
+
+ static boolean sanMatches(String dnsName, List<String> sanDnsNames) {
+ return sanDnsNames.stream().anyMatch(sanDnsName -> sanMatches(dnsName, sanDnsName));
+ }
+
+ private static boolean sanMatches(String dnsName, String sanDnsName) {
+ String[] sanNameParts = sanDnsName.split("\\.");
+ String[] dnsNameParts = dnsName.split("\\.");
+ if (sanNameParts.length != dnsNameParts.length || sanNameParts.length == 0) {
+ return false;
+ }
+ for (int i = 0; i < sanNameParts.length; i++) {
+ if (!sanNameParts[i].equals("*") && !sanNameParts[i].equals(dnsNameParts[i])) {
+ return false;
+ }
+ }
+ return true;
+ }
+
}
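Review bot: The per-label loop in the private `sanMatches(String, String)` accepts `*` in any label position, so a SAN entry such as `foo.*.example.com` would be treated as matching, whereas hostname verification per RFC 6125 conventionally honours a wildcard only as the complete left-most label. Restricting the wildcard to the first label keeps this check aligned with what TLS clients will accept: `boolean wildcard = i == 0 && sanNameParts[i].equals("*");` followed by `if (!wildcard && !sanNameParts[i].equals(dnsNameParts[i])) {`. The label comparison is also case-sensitive, while DNS names are not, so `equalsIgnoreCase` may be the safer choice unless callers already normalise case. Because `"".split("\\.")` yields one empty part, an empty `dnsName` matches an empty SAN entry, and the `length == 0` guard only triggers for inputs consisting solely of dots. How `requestedDnsSans` is populated lies outside this hunk, so whether such entries can occur in practice needs confirming.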