Improved FQDN matching

httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java

@@ -35,6 +35,7 @@ import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.LinkedList;
 import java.util.List;
 
 import javax.net.ssl.SSLException;
@@ -182,12 +183,41 @@ public final class DefaultHostnameVerifier implements HttpClientHostnameVerifier
         }
     }
 
+    static List<CharSequence> parseFQDN(final CharSequence s) {
+        if (s == null) {
+            return null;
+        }
+        final LinkedList<CharSequence> elements = new LinkedList<>();
+        int pos = 0;
+        for (int i = 0; i < s.length(); i++) {
+            final char ch = s.charAt(i);
+            if (ch == '.') {
+                elements.addFirst(s.subSequence(pos, i));
+                pos = i + 1;
+            }
+        }
+        elements.addFirst(s.subSequence(pos, s.length()));
+        return elements;
+    }
+
     static boolean matchDomainRoot(final String host, final String domainRoot) {
         if (domainRoot == null) {
             return false;
         }
-        return host.endsWith(domainRoot) && (host.length() == domainRoot.length()
+        final List<CharSequence> hostElements = parseFQDN(host);
-                || host.charAt(host.length() - domainRoot.length() - 1) == '.');
+        final List<CharSequence> rootElements = parseFQDN(domainRoot);
+        if (hostElements.size() >= rootElements.size()) {
+            for (int i = 0; i < rootElements.size(); i++) {
+                final CharSequence s1 = rootElements.get(i);
+                final CharSequence s2 = hostElements.get(i);
+                if (!s1.equals(s2)) {
+                    return false;
+                }
+            }
+            return true;
+        } else {
+            return false;
+        }
     }
 
     private static boolean matchIdentity(final String host, final String identity,

httpclient5/src/test/java/org/apache/hc/client5/http/ssl/TestDefaultHostnameVerifier.java

@@ -34,6 +34,7 @@ import java.io.InputStreamReader;
 import java.nio.charset.StandardCharsets;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 
@@ -210,8 +211,25 @@ class TestDefaultHostnameVerifier {
     }
 
     @Test
-    void testDomainRootMatching() {
+    void testParseFQDN() {
+        Assertions.assertEquals(Arrays.asList("blah"),
+                DefaultHostnameVerifier.parseFQDN("blah"));
+        Assertions.assertEquals(Arrays.asList("blah", "blah"),
+                DefaultHostnameVerifier.parseFQDN("blah.blah"));
+        Assertions.assertEquals(Arrays.asList("blah", "blah", "blah"),
+                DefaultHostnameVerifier.parseFQDN("blah.blah.blah"));
+        Assertions.assertEquals(Arrays.asList("", "", "blah", ""),
+                DefaultHostnameVerifier.parseFQDN(".blah.."));
+        Assertions.assertEquals(Arrays.asList(""),
+                DefaultHostnameVerifier.parseFQDN(""));
+        Assertions.assertEquals(Arrays.asList("", ""),
+                DefaultHostnameVerifier.parseFQDN("."));
+        Assertions.assertEquals(Arrays.asList("com", "domain", "host"),
+                DefaultHostnameVerifier.parseFQDN("host.domain.com"));
+    }
 
+    @Test
+    void testDomainRootMatching() {
         Assertions.assertFalse(DefaultHostnameVerifier.matchDomainRoot("a.b.c", null));
         Assertions.assertTrue(DefaultHostnameVerifier.matchDomainRoot("a.b.c", "a.b.c"));
         Assertions.assertFalse(DefaultHostnameVerifier.matchDomainRoot("aa.b.c", "a.b.c"));