From 0ed671153e9fea4dcf00adc610b0f941cdbc58b7 Mon Sep 17 00:00:00 2001
From: Oleg Kalnichevski
Date: Fri, 3 May 2013 19:15:51 +0000
Subject: [PATCH] HTTPCLIENT-1348: Use plus character in addition to comma as a multi-value delimiter when extracting certificate CN in AbstractVerifier Contributed by Vasil Badev
git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@1478931 13f79535-47bb-0310-9956-ffa450edef68
---
 .../http/conn/ssl/AbstractVerifier.java | 2 +-
 .../http/conn/ssl/CertificatesToPlayWith.java | 37 +++++++++++++++++++
 .../http/conn/ssl/TestHostnameVerifier.java | 6 +++
 3 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
index eeed1dbb0..133107689 100644
--- a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
+++ b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
@@ -267,7 +267,7 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
 */
 final String subjectPrincipal = cert.getSubjectX500Principal().toString();
- final StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
+ final StringTokenizer st = new StringTokenizer(subjectPrincipal, ",+");
 while(st.hasMoreTokens()) {
 final String tok = st.nextToken().trim();
 if (tok.length() > 3) {
diff --git a/httpclient/src/test/java/org/apache/http/conn/ssl/CertificatesToPlayWith.java b/httpclient/src/test/java/org/apache/http/conn/ssl/CertificatesToPlayWith.java
index 85269e048..4b3156d63 100644
--- a/httpclient/src/test/java/org/apache/http/conn/ssl/CertificatesToPlayWith.java
+++ b/httpclient/src/test/java/org/apache/http/conn/ssl/CertificatesToPlayWith.java
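Review bot: Splitting the string form of the subject DN with `new StringTokenizer(subjectPrincipal, ",+")` ignores quoting and escaping, so a comma or plus inside an attribute value is treated as a boundary between attributes. A fragment of another attribute's value that happens to begin with `CN=` could then presumably be collected as a host name, and adding `+` as a delimiter gives one more character at which that can happen. Because the extracted CNs feed hostname verification, the DN should be parsed structurally, for example with `javax.naming.ldap.LdapName` over the RFC 2253 form, keeping only attributes whose type is CN and yielding no candidates when the DN cannot be parsed. The enclosing method and the rest of the token loop lie outside the hunk, so how `tok` is matched is inferred from the `tok.length() > 3` guard.

```java
final String subjectPrincipal = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
try {
    final LdapName subjectDn = new LdapName(subjectPrincipal);
    for (final Rdn rdn : subjectDn.getRdns()) {
        // A multi-valued RDN (the "+" case) yields several attributes here.
        final NamingEnumeration<? extends Attribute> avas = rdn.toAttributes().getAll();
        while (avas.hasMore()) {
            final Attribute ava = avas.next();
            if ("cn".equalsIgnoreCase(ava.getID())) {
                // … unchanged: collect ava.get().toString() the way the existing loop collects a CN token …
            }
        }
    }
} catch (final NamingException e) {
    // Fail closed: an unparseable subject yields no CN candidates.
}
```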
@@ -471,4 +471,41 @@ public class CertificatesToPlayWith {
 "BSW775NHlkjsscFVgXkNf0PobqJ9\n" +
 "-----END CERTIFICATE-----").getBytes();
+ /**
+ * subject CN=repository.infonotary.com (Multiple AVA in RDN).
+ */
+ public final static byte[] X509_MULTIPLE_VALUE_AVA = (
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIIFxzCCBK+gAwIBAgIIRO/2+/XA7z4wDQYJKoZIhvcNAQEFBQAwgZwxgZkwCQYD\n" +
+ "VQQGDAJCRzAVBgNVBAoMDkluZm9Ob3RhcnkgUExDMBcGCgmSJomT8ixkARkWCWRv\n" +
+ "bWFpbi1jYTAtBgNVBAMMJmktTm90YXJ5IFRydXN0UGF0aCBWYWxpZGF0ZWQgRG9t\n" +
+ "YWluIENBMC0GA1UECwwmaS1Ob3RhcnkgVHJ1c3RQYXRoIFZhbGlkYXRlZCBEb21h\n" +
+ "aW4gQ0EwHhcNMTIwNjE4MDg1MzIyWhcNMTMwNjE4MDg1MzIyWjCBxjGBwzAJBgNV\n" +
+ "BAYTAkJHMBUGA1UEChMOSW5mb05vdGFyeSBQTEMwFwYDVQQLExBGaWxlcyBSZXBv\n" +
+ "c2l0b3J5MBcGCgmSJomT8ixkARkWCWRvbWFpbi1jYTAgBgNVBAMTGXJlcG9zaXRv\n" +
+ "cnkuaW5mb25vdGFyeS5jb20wIwYJKoZIhvcNAQkBFhZzdXBwb3J0QGluZm9ub3Rh\n" +
+ "cnkuY29tMCYGCSqGSIb3DQEJAhMZcmVwb3NpdG9yeS5pbmZvbm90YXJ5LmNvbTCC\n" +
+ "ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALKWjGpgsuz103xVEW/GSg5I\n" +
+ "tBoLbXPxockabOTHnOh0VO2sImycyhBH78nMj+VMexn4y+kdCOuJqAA5LApxyhTA\n" +
+ "KgKlRN7TfoC90IYHjB1dqLMIseg4YM7Oe0e4Z2nL50bHoqXg7OUHaILUQn7ufpYp\n" +
+ "+VCWxyI43KvaR4+HnST3x47wqeArg/rULGV1a16X+46cxq2eoMAcDfostXHaemvz\n" +
+ "vg/Wd5xcWfPbF/oY1/sBXH+AK+peVBMen82+3GtAWtNWbyPE3bT4RG+WgKUyfLZ1\n" +
+ "7A67rX9DkUEVMPQpa50MpLnrRveiM9w6R3mrMHMHbNnwID0Tqfds5zzOi/7cLD0C\n" +
+ "AwEAAaOCAd8wggHbMA4GA1UdDwEB/wQEAwIDuDATBgNVHSUEDDAKBggrBgEFBQcD\n" +
+ "ATBEBggrBgEFBQcBAQQ4MDYwNAYIKwYBBQUHMAGGKGh0dHA6Ly9vY3NwLmluZm9u\n" +
+ "b3RhcnkuY29tL3Jlc3BvbmRlci5jZ2kwgZAGA1UdIASBiDCBhTCBggYMKwYBBAGB\n" +
+ "rQABAgMBMHIwOAYIKwYBBQUHAgEWLGh0dHA6Ly9yZXBvc2l0b3J5LmluZm9ub3Rh\n" +
+ "cnkuY29tL2RvbWFpbi5odG1sMDYGCCsGAQUFBwICMCoaKGktTm90YXJ5IFZhbGlk\n" +
+ "YXRlZCBEb21haW4gQ2VydGlmaWNhdGUgQ1AwgYkGA1UdHwSBgTB/MDWgL6Athito\n" +
+ "dHRwOi8vY3JsLmluZm9ub3RhcnkuY29tL2NybC9kb21haW4tY2EuY3JsgQIBVjBG\n" +
+ "oECgPoY8bGRhcDovL2xkYXAuaW5mb25vdGFyeS5jb20vZGM9ZG9tYWluLWNhLGRj\n" +
+ "PWluZm9ub3RhcnksZGM9Y29tgQIBVjAPBgNVHRMBAf8EBTADAQEAMB0GA1UdDgQW\n" +
+ "BBTImKJZrgV/8n7mHrA0U5EeGsBvbzAfBgNVHSMEGDAWgBTbkorEK+bPdVPpvyVI\n" +
+ "PTxGFnuOoDANBgkqhkiG9w0BAQUFAAOCAQEAhsMbqsqvkbfVaKZ+wDY9rX3EtuDS\n" +
+ "isdAo4AjmWgTtj/aBGiEiXcIGP312x+0JF+mEEQ75ZOKN+WsM8eLB0F4aqylklk7\n" +
+ "6yRYauRXp8dfbXrT3ozxekt0cpSMqbzze456krI12nL+C00V2Iwq96k5J/yZboNW\n" +
+ "Q+ibCaEAHNiL4tGVHSHm6znkWvIuUTbDgDEsm5RdafO27suz5H6zMnV+VE6onN1J\n" +
+ "I1mQmUs44cg2HZAqnFBpDyJQhNYy8M7yGVaRkbfuVaMqiPa+xDPR5v7NFB3kxRq2\n" +
+ "Za2Snopi52eUxDEhJ0MNqFi3Jfj/ZSmJ+XHra5lU4R8lijCAq8SVLZCmIQ==\n" +
+ "-----END CERTIFICATE-----").getBytes();
 }
diff --git a/httpclient/src/test/java/org/apache/http/conn/ssl/TestHostnameVerifier.java b/httpclient/src/test/java/org/apache/http/conn/ssl/TestHostnameVerifier.java
index 0986d4bba..a71ec2334 100644
--- a/httpclient/src/test/java/org/apache/http/conn/ssl/TestHostnameVerifier.java
+++ b/httpclient/src/test/java/org/apache/http/conn/ssl/TestHostnameVerifier.java
@@ -188,6 +188,12 @@ public class TestHostnameVerifier {
 //STRICT.verify("\u82b1\u5b50.\u82b1\u5b50.co.jp", x509 );
 //DEFAULT.verify("a.b.\u82b1\u5b50.co.jp", x509 );
 //exceptionPlease(STRICT,"a.b.\u82b1\u5b50.co.jp", x509 );
+
+ in = new ByteArrayInputStream(CertificatesToPlayWith.X509_MULTIPLE_VALUE_AVA);
+ x509 = (X509Certificate) cf.generateCertificate(in);
+ ALLOW_ALL.verify("repository.infonotary.com", x509);
+ DEFAULT.verify("repository.infonotary.com", x509);
+ STRICT.verify("repository.infonotary.com", x509);
 }
 @Test
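Review bot: The new assertions in the TestHostnameVerifier hunk only check that the matching name is accepted, so they would still pass if CN extraction from a multi-valued RDN returned extra candidates. `ALLOW_ALL`, judging by its name, accepts any host and therefore says nothing about the parsing change. Add a negative case with the `exceptionPlease` helper that appears in the commented lines above, e.g. `exceptionPlease(DEFAULT, "mismatch.example.org", x509);` and the same for `STRICT` (host name constructed for illustration). An assertion that the CN values extracted from `X509_MULTIPLE_VALUE_AVA` are exactly the one expected name would pin the behaviour more tightly. The test method starts outside the hunk.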