Fixed CN extraction from DN of X500 principal

git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@1411702 13f79535-47bb-0310-9956-ffa450edef68

Author: ok2c

httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java

@@ -178,12 +178,12 @@ public final void verify(final String host, final String[] cns,
 
         // We're can be case-insensitive when comparing the host we used to
         // establish the socket to the hostname in the certificate.
-        String hostName = host.trim().toLowerCase(Locale.ENGLISH);
+        String hostName = host.trim().toLowerCase(Locale.US);
         boolean match = false;
         for(Iterator<String> it = names.iterator(); it.hasNext();) {
             // Don't trim the CN, though!
             String cn = it.next();
-            cn = cn.toLowerCase(Locale.ENGLISH);
+            cn = cn.toLowerCase(Locale.US);
             // Store CN in StringBuilder in case we need to report an error.
             buf.append(" <");
             buf.append(cn);
@@ -260,13 +260,15 @@ whereas toString() gives me this:
            Looks like toString() even works with non-ascii domain names!
            I tested it with "&#x82b1;&#x5b50;.co.jp" and it worked fine.
         */
+
         String subjectPrincipal = cert.getSubjectX500Principal().toString();
         StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
         while(st.hasMoreTokens()) {
-            String tok = st.nextToken();
-            int x = tok.indexOf("CN=");
-            if(x >= 0) {
-                cnList.add(tok.substring(x + 3));
+            String tok = st.nextToken().trim();
+            if (tok.length() > 3) {
+                if (tok.substring(0, 3).equalsIgnoreCase("CN=")) {
+                    cnList.add(tok.substring(3));
+                }
             }
         }
         if(!cnList.isEmpty()) {

httpclient/src/test/java/org/apache/http/conn/ssl/TestHostnameVerifier.java

@@ -29,6 +29,7 @@
 
 import java.io.ByteArrayInputStream;
 import java.io.InputStream;
+import java.security.Principal;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
@@ -37,6 +38,7 @@
 
 import org.junit.Assert;
 import org.junit.Test;
+import org.mockito.Mockito;
 
 /**
  * Unit tests for {@link X509HostnameVerifier}.
@@ -336,7 +338,7 @@ private void checkWildcard(String host, boolean isOK) {
 
     @Test
     // Various checks of 2TLDs
-    public void testacceptableCountryWildcards() {
+    public void testAcceptableCountryWildcards() {
         checkWildcard("*.co.org", true); // Not a 2 character TLD
         checkWildcard("s*.co.org", true); // Not a 2 character TLD
         checkWildcard("*.co.uk", false); // 2 character TLD, invalid 2TLD
@@ -345,4 +347,17 @@ public void testacceptableCountryWildcards() {
         checkWildcard("*.a.co.uk", true); // 2 character TLD, invalid 2TLD, but using subdomain
         checkWildcard("s*.a.co.uk", true); // 2 character TLD, invalid 2TLD, but using subdomain
     }
+
+    public void testGetCNs() {
+        Principal principal = Mockito.mock(Principal.class);
+        X509Certificate cert = Mockito.mock(X509Certificate.class);
+        Mockito.when(cert.getSubjectDN()).thenReturn(principal);
+        Mockito.when(principal.toString()).thenReturn("bla,  bla, blah");
+        Assert.assertArrayEquals(new String[] {}, AbstractVerifier.getCNs(cert));
+        Mockito.when(principal.toString()).thenReturn("Cn=,  Cn=  , CN, OU=CN=");
+        Assert.assertArrayEquals(new String[] {}, AbstractVerifier.getCNs(cert));
+        Mockito.when(principal.toString()).thenReturn("  Cn=blah,  CN= blah , OU=CN=yada");
+        Assert.assertArrayEquals(new String[] {"blah", " blah"}, AbstractVerifier.getCNs(cert));
+    }
+
 }