HTTPCLIENT-1698: Fixed matching of IPv6 addresses by DefaultHostnameVerifier

git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@1716971 13f79535-47bb-0310-9956-ffa450edef68
2015-11-28 13:25:27 +00:00 · 2015-11-28 13:25:27 +00:00 · df4e36c3fb
parent 3297b7a9f3
commit df4e36c3fb
1 changed files with 24 additions and 9 deletions
--- a/httpclient/src/main/java/org/apache/http/conn/ssl/DefaultHostnameVerifier.java
+++ b/httpclient/src/main/java/org/apache/http/conn/ssl/DefaultHostnameVerifier.java
@ -64,6 +64,8 @@ import org.apache.http.conn.util.PublicSuffixMatcher;
@Immutable
 public final class DefaultHostnameVerifier implements HostnameVerifier {

+    enum TYPE { IPv4, IPv6, DNS };
+
    final static int DNS_NAME_TYPE        = 2;
    final static int IP_ADDRESS_TYPE      = 7;

@ -96,17 +98,30 @@ public final class DefaultHostnameVerifier implements HostnameVerifier {

    public void verify(
            final String host, final X509Certificate cert) throws SSLException {
-        final boolean ipv4 = InetAddressUtils.isIPv4Address(host);
-        final boolean ipv6 = InetAddressUtils.isIPv6Address(host);
-        final int subjectType = ipv4 || ipv6 ? IP_ADDRESS_TYPE : DNS_NAME_TYPE;
+        TYPE hostFormat = TYPE.DNS;
+        if (InetAddressUtils.isIPv4Address(host)) {
+            hostFormat = TYPE.IPv4;
+        } else {
+            String s = host;
+            if (s.startsWith("[") && s.endsWith("]")) {
+                s = host.substring(1, host.length() - 1);
+            }
+            if (InetAddressUtils.isIPv6Address(s)) {
+                hostFormat = TYPE.IPv6;
+            }
+        }
+        final int subjectType = hostFormat == TYPE.IPv4 || hostFormat == TYPE.IPv6 ? IP_ADDRESS_TYPE : DNS_NAME_TYPE;
        final List<String> subjectAlts = extractSubjectAlts(cert, subjectType);
        if (subjectAlts != null && !subjectAlts.isEmpty()) {
-            if (ipv4) {
-                matchIPAddress(host, subjectAlts);
-            } else if (ipv6) {
-                matchIPv6Address(host, subjectAlts);
-            } else {
-                matchDNSName(host, subjectAlts, this.publicSuffixMatcher);
+            switch (hostFormat) {
+                case IPv4:
+                    matchIPAddress(host, subjectAlts);
+                    break;
+                case IPv6:
+                    matchIPv6Address(host, subjectAlts);
+                    break;
+                default:
+                    matchDNSName(host, subjectAlts, this.publicSuffixMatcher);
            }
        } else {
            // CN matching has been deprecated by rfc2818 and can be used