ok2c commented on code in PR #610:
URL:
https://github.com/apache/httpcomponents-client/pull/610#discussion_r1922112547
##########
httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java:
##########
@@ -355,7 +355,26 @@ static List<SubjectName> getSubjectAltNames(final
X509Certificate cert, final in
if (o instanceof String) {
result.add(new SubjectName((String) o, type));
} else if (o instanceof byte[]) {
- // TODO ASN.1 DER encoded form
+ final byte[] bytes = (byte[]) o;
+ final String decodedValue;
+ if (type == SubjectName.IP) {
+ if (bytes.length == 4) {
+ decodedValue = byteArrayToIp(bytes); //
IPv4
+ } else if (bytes.length == 16) {
+ decodedValue = byteArrayToIPv6(bytes); //
IPv6
+ } else {
+ throw new
IllegalArgumentException("Invalid byte length for IP address: " + bytes.length);
+ }
+ } else if (type == SubjectName.DNS) {
+ throw new IllegalArgumentException("Unexpected
byte[] for DNS SAN type");
Review Comment:
@arturobernalg `IllegalArgumentException` looks really wrong here. Can we
just ignore those bits that we are not able to properly recognize and handle?
##########
httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java:
##########
@@ -355,7 +355,26 @@ static List<SubjectName> getSubjectAltNames(final
X509Certificate cert, final in
if (o instanceof String) {
result.add(new SubjectName((String) o, type));
} else if (o instanceof byte[]) {
- // TODO ASN.1 DER encoded form
+ final byte[] bytes = (byte[]) o;
+ final String decodedValue;
+ if (type == SubjectName.IP) {
+ if (bytes.length == 4) {
+ decodedValue = byteArrayToIp(bytes); //
IPv4
+ } else if (bytes.length == 16) {
+ decodedValue = byteArrayToIPv6(bytes); //
IPv6
+ } else {
+ throw new
IllegalArgumentException("Invalid byte length for IP address: " + bytes.length);
+ }
+ } else if (type == SubjectName.DNS) {
+ throw new IllegalArgumentException("Unexpected
byte[] for DNS SAN type");
+ } else {
+ if (LOG.isWarnEnabled()) {
+ LOG.warn("Unrecognized SAN type: {}, data:
{}", type, TextUtils.toHexString(bytes));
+ }
+ decodedValue = TextUtils.toHexString(bytes);
// Fallback to hex string
Review Comment:
@arturobernalg I would not do that. Before you know there will be so called
security professionals with all sorts of hand-crafted certificates, claiming
vulnerabilities in our code and demanding we issue CVE with them as a finder.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache.org
