public static bool SslCheckHostnameMatch(SafeSslHandle handle, string hostName, DateTime notBefore) { int result; // The IdnMapping converts Unicode input into the IDNA punycode sequence. // It also does host case normalization. The bypass logic would be something // like "all characters being within [a-z0-9.-]+" // // The SSL Policy (SecPolicyCreateSSL) has been verified as not inherently supporting // IDNA as of macOS 10.12.1 (Sierra). If it supports low-level IDNA at a later date, // this code could be removed. // // It was verified as supporting case invariant match as of 10.12.1 (Sierra). string matchName = s_idnMapping.GetAscii(hostName); using (SafeCFDateHandle cfNotBefore = CoreFoundation.CFDateCreate(notBefore)) using (SafeCreateHandle cfHostname = CoreFoundation.CFStringCreateWithCString(matchName)) { result = AppleCryptoNative_SslIsHostnameMatch(handle, cfHostname, cfNotBefore); } switch (result) { case 0: return(false); case 1: return(true); default: Debug.Fail($"AppleCryptoNative_SslIsHostnameMatch returned {result}"); throw new SslException(); } }