2 files changed, 15 insertions, 0 deletions

diff --git a/src/lib/ffi/ffi.h b/src/lib/ffi/ffi.h
index 296d64ef2..20611fde9 100644
--- a/src/lib/ffi/ffi.h
+++ b/src/lib/ffi/ffi.h
@@ -1202,6 +1202,12 @@ enum botan_x509_cert_key_constraints {
 BOTAN_PUBLIC_API(2,0) int botan_x509_cert_allowed_usage(botan_x509_cert_t cert, unsigned int key_usage);
 
 /**
+* Check if the certificate matches the specified hostname via alternative name or CN match.
+* RFC 5280 wildcards also supported.
+*/
+BOTAN_PUBLIC_API(2,5) int botan_x509_cert_hostname_match(botan_x509_cert_t cert, const char* hostname);
+
+/**
  * Key wrapping as per RFC 3394
  */
 BOTAN_PUBLIC_API(2,2)
diff --git a/src/lib/ffi/ffi_cert.cpp b/src/lib/ffi/ffi_cert.cpp
index 6031d02aa..3c5f17277 100644
--- a/src/lib/ffi/ffi_cert.cpp
+++ b/src/lib/ffi/ffi_cert.cpp
@@ -133,4 +133,13 @@ int botan_x509_cert_get_public_key_bits(botan_x509_cert_t cert, uint8_t out[], s
    return BOTAN_FFI_DO(Botan::X509_Certificate, cert, c, { return write_vec_output(out, out_len, c.subject_public_key_bits()); });
    }
 
+int botan_x509_cert_hostname_match(botan_x509_cert_t cert, const char* hostname)
+   {
+   if(hostname == nullptr)
+      return BOTAN_FFI_ERROR_NULL_POINTER;
+
+   return BOTAN_FFI_DO(Botan::X509_Certificate, cert, c,
+                       { return c.matches_dns_name(hostname) ? 0 : -1; });
+   }
+
 }