Domain name normalization

httpclient5/src/main/java/org/apache/hc/client5/http/psl/PublicSuffixMatcher.java

@@ -29,10 +29,10 @@ package org.apache.hc.client5.http.psl;
 import java.net.IDN;
 import java.util.Collection;
 import java.util.List;
-import java.util.Locale;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 
+import org.apache.hc.client5.http.utils.DnsUtils;
 import org.apache.hc.core5.annotation.Contract;
 import org.apache.hc.core5.annotation.ThreadingBehavior;
 import org.apache.hc.core5.util.Args;
@@ -146,7 +146,7 @@ public final class PublicSuffixMatcher {
         if (domain.startsWith(".")) {
             return null;
         }
-        final String normalized = domain.toLowerCase(Locale.ROOT);
+        final String normalized = DnsUtils.normalize(domain);
         String segment = normalized;
         String result = null;
         while (segment != null) {

httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java

@@ -36,7 +36,6 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
-import java.util.Locale;
 
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLPeerUnverifiedException;
@@ -45,6 +44,7 @@ import javax.security.auth.x500.X500Principal;
 
 import org.apache.hc.client5.http.psl.DomainType;
 import org.apache.hc.client5.http.psl.PublicSuffixMatcher;
+import org.apache.hc.client5.http.utils.DnsUtils;
 import org.apache.hc.core5.annotation.Contract;
 import org.apache.hc.core5.annotation.ThreadingBehavior;
 import org.apache.hc.core5.http.NameValuePair;
@@ -159,11 +159,11 @@ public final class DefaultHostnameVerifier implements HttpClientHostnameVerifier
 
     static void matchDNSName(final String host, final List<SubjectName> subjectAlts,
                              final PublicSuffixMatcher publicSuffixMatcher) throws SSLException {
-        final String normalizedHost = host.toLowerCase(Locale.ROOT);
+        final String normalizedHost = DnsUtils.normalize(host);
         for (int i = 0; i < subjectAlts.size(); i++) {
             final SubjectName subjectAlt = subjectAlts.get(i);
             if (subjectAlt.getType() == SubjectName.DNS) {
-                final String normalizedSubjectAlt = subjectAlt.getValue().toLowerCase(Locale.ROOT);
+                final String normalizedSubjectAlt = DnsUtils.normalize(subjectAlt.getValue());
                 if (matchIdentityStrict(normalizedHost, normalizedSubjectAlt, publicSuffixMatcher, DomainType.ICANN)) {
                     return;
                 }
@@ -175,8 +175,8 @@ public final class DefaultHostnameVerifier implements HttpClientHostnameVerifier
 
     static void matchCN(final String host, final String cn,
                  final PublicSuffixMatcher publicSuffixMatcher) throws SSLException {
-        final String normalizedHost = host.toLowerCase(Locale.ROOT);
-        final String normalizedCn = cn.toLowerCase(Locale.ROOT);
+        final String normalizedHost = DnsUtils.normalize(host);
+        final String normalizedCn = DnsUtils.normalize(cn);
         if (!matchIdentityStrict(normalizedHost, normalizedCn, publicSuffixMatcher, DomainType.ICANN)) {
             throw new SSLPeerUnverifiedException("Certificate for <" + host + "> doesn't match " +
                     "common name of the certificate subject: " + cn);

httpclient5/src/main/java/org/apache/hc/client5/http/utils/DnsUtils.java

@@ -0,0 +1,76 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.client5.http.utils;
+
+/**
+ * A collection of utilities relating to Domain Name System.
+ *
+ * @since 4.5
+ */
+public class DnsUtils {
+
+    private DnsUtils() {
+    }
+
+    private static boolean isUpper(final char c) {
+        return c >= 'A' && c <= 'Z';
+    }
+
+    public static String normalize(final String s) {
+        if (s == null) {
+            return null;
+        }
+        int pos = 0;
+        int remaining = s.length();
+        while (remaining > 0) {
+            if (isUpper(s.charAt(pos))) {
+                break;
+            }
+            pos++;
+            remaining--;
+        }
+        if (remaining > 0) {
+            final StringBuilder buf = new StringBuilder(s.length());
+            buf.append(s, 0, pos);
+            while (remaining > 0) {
+                final char c = s.charAt(pos);
+                if (isUpper(c)) {
+                    buf.append((char) (c + ('a' - 'A')));
+                } else {
+                    buf.append(c);
+                }
+                pos++;
+                remaining--;
+            }
+            return buf.toString();
+        } else {
+            return s;
+        }
+    }
+
+}

httpclient5/src/test/java/org/apache/hc/client5/http/utils/TesDnsUtils.java

@@ -0,0 +1,51 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.client5.http.utils;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.Assert;
+import org.junit.Test;
+
+/**
+ * Unit tests for DnsUtils.
+ */
+public class TesDnsUtils {
+
+    @Test
+    public void testNormalize() {
+        Assert.assertThat(DnsUtils.normalize(null), CoreMatchers.equalTo(null));
+        Assert.assertThat(DnsUtils.normalize(""), CoreMatchers.equalTo(""));
+        Assert.assertThat(DnsUtils.normalize("blah"), CoreMatchers.equalTo("blah"));
+        Assert.assertThat(DnsUtils.normalize("BLAH"), CoreMatchers.equalTo("blah"));
+        Assert.assertThat(DnsUtils.normalize("blAh"), CoreMatchers.equalTo("blah"));
+        Assert.assertThat(DnsUtils.normalize("blaH"), CoreMatchers.equalTo("blah"));
+        Assert.assertThat(DnsUtils.normalize("blaH"), CoreMatchers.equalTo("blah"));
+        Assert.assertThat(DnsUtils.normalize("hac\u212A!!!"), CoreMatchers.equalTo("hac\u212A!!!"));
+    }
+
+}