From df4e36c3fb35c8cf7b055b2a0d7b4b13a7b5621c Mon Sep 17 00:00:00 2001
From: Oleg Kalnichevski
Date: Sat, 28 Nov 2015 13:25:27 +0000
Subject: [PATCH] HTTPCLIENT-1698: Fixed matching of IPv6 addresses by DefaultHostnameVerifier

git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@1716971 13f79535-47bb-0310-9956-ffa450edef68
---
 .../conn/ssl/DefaultHostnameVerifier.java | 33 ++++++++++++++-----
 1 file changed, 24 insertions(+), 9 deletions(-)

diff --git a/httpclient/src/main/java/org/apache/http/conn/ssl/DefaultHostnameVerifier.java b/httpclient/src/main/java/org/apache/http/conn/ssl/DefaultHostnameVerifier.java
index 7a916e4a8..2a472e41a 100644
--- a/httpclient/src/main/java/org/apache/http/conn/ssl/DefaultHostnameVerifier.java
+++ b/httpclient/src/main/java/org/apache/http/conn/ssl/DefaultHostnameVerifier.java
@@ -64,6 +64,8 @@ import org.apache.http.conn.util.PublicSuffixMatcher;
 @Immutable
 public final class DefaultHostnameVerifier implements HostnameVerifier {
+ enum TYPE { IPv4, IPv6, DNS };
+
 final static int DNS_NAME_TYPE = 2;
 final static int IP_ADDRESS_TYPE = 7;
@@ -96,17 +98,30 @@ public final class DefaultHostnameVerifier implements HostnameVerifier {
 public void verify(
 final String host, final X509Certificate cert) throws SSLException {
- final boolean ipv4 = InetAddressUtils.isIPv4Address(host);
- final boolean ipv6 = InetAddressUtils.isIPv6Address(host);
- final int subjectType = ipv4 || ipv6 ? IP_ADDRESS_TYPE : DNS_NAME_TYPE;
+ TYPE hostFormat = TYPE.DNS;
+ if (InetAddressUtils.isIPv4Address(host)) {
+ hostFormat = TYPE.IPv4;
+ } else {
+ String s = host;
+ if (s.startsWith("[") && s.endsWith("]")) {
+ s = host.substring(1, host.length() - 1);
+ }
+ if (InetAddressUtils.isIPv6Address(s)) {
+ hostFormat = TYPE.IPv6;
+ }
+ }
+ final int subjectType = hostFormat == TYPE.IPv4 || hostFormat == TYPE.IPv6 ? IP_ADDRESS_TYPE : DNS_NAME_TYPE;
 final List subjectAlts = extractSubjectAlts(cert, subjectType);
 if (subjectAlts != null && !subjectAlts.isEmpty()) {
- if (ipv4) {
- matchIPAddress(host, subjectAlts);
- } else if (ipv6) {
- matchIPv6Address(host, subjectAlts);
- } else {
- matchDNSName(host, subjectAlts, this.publicSuffixMatcher);
+ switch (hostFormat) {
+ case IPv4:
+ matchIPAddress(host, subjectAlts);
+ break;
+ case IPv6:
+ matchIPv6Address(host, subjectAlts);
+ break;
+ default:
+ matchDNSName(host, subjectAlts, this.publicSuffixMatcher);
 }
 } else {
 // CN matching has been deprecated by rfc2818 and can be used
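Review bot: The bracket-stripped value `s` is used only to classify the host, so the `case IPv6` branch still calls `matchIPv6Address(host, subjectAlts)` with the original, possibly bracketed `host`. Whether a literal such as `[::1]` then matches an IP subjectAltName depends on normalisation inside `matchIPv6Address`, which is not visible in this hunk; if that helper does not tolerate brackets the result is a spurious rejection (fail-closed, but the fix would be incomplete). I would hoist the stripped string out of the `else` block into a local declared next to `hostFormat` and pass that to the matcher, or at least add a comment above the call such as `// matchIPv6Address normalises bracketed literals`. The same bracketed `host` also reaches the CN fallback in the trailing `else`, whose body continues past the end of the hunk, so a test with a bracketed IPv6 host and a certificate without IP SANs would be worth adding.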