Improve alt-name checks in HostnameUtil

peterdettman · peterdettman · commit 19c27c671216 · 2025-08-29T14:35:09.000+07:00
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/HostnameUtil.java b/tls/src/main/java/org/bouncycastle/jsse/provider/HostnameUtil.java
@@ -37,13 +37,17 @@ static void checkHostname(String hostname, X509Certificate certificate, boolean
             {
                 for (List<?> subjectAltName : subjectAltNames)
                 {
-                    int type = ((Integer)subjectAltName.get(0)).intValue();
-                    if (GeneralName.iPAddress != type)
+                    if (!isAltNameType(subjectAltName, GeneralName.iPAddress))
+                    {
+                        continue;
+                    }
+
+                    String ipAddress = getAltNameValue(subjectAltName);
+                    if (ipAddress == null)
                     {
                         continue;
                     }
 
-                    String ipAddress = (String)subjectAltName.get(1);
                     if (hostname.equalsIgnoreCase(ipAddress))
                     {
                         return;
@@ -76,15 +80,19 @@ else if (isValidDomainName(hostname))
                 boolean foundAnyDNSNames = false;
                 for (List<?> subjectAltName : subjectAltNames)
                 {
-                    int type = ((Integer)subjectAltName.get(0)).intValue();
-                    if (GeneralName.dNSName != type)
+                    if (!isAltNameType(subjectAltName, GeneralName.dNSName))
                     {
                         continue;
                     }
 
                     foundAnyDNSNames = true;
 
-                    String dnsName = (String)subjectAltName.get(1);
+                    String dnsName = getAltNameValue(subjectAltName);
+                    if (dnsName == null)
+                    {
+                        continue;
+                    }
+
                     if (matchesDNSName(hostname, dnsName, allWildcards))
                     {
                         return;
@@ -134,6 +142,19 @@ private static ASN1Primitive findMostSpecificCN(X500Principal principal)
         return null;
     }
 
+    private static String getAltNameValue(List<?> subjectAltName)
+    {
+        if (subjectAltName != null && subjectAltName.size() >= 2)
+        {
+            Object objValue = subjectAltName.get(1);
+            if (objValue instanceof String)
+            {
+                return (String)objValue;
+            }
+        }
+        return null;
+    }
+
     private static String getLabel(String s, int begin)
     {
         int end = s.indexOf('.', begin);
@@ -144,6 +165,19 @@ private static String getLabel(String s, int begin)
         return s.substring(begin, end);
     }
 
+    private static boolean isAltNameType(List<?> subjectAltName, int type)
+    {
+        if (subjectAltName != null && subjectAltName.size() >= 1)
+        {
+            Object objValue = subjectAltName.get(0);
+            if (objValue instanceof Integer)
+            {
+                return ((Integer)objValue).intValue() == type;
+            }
+        }
+        return false;
+    }
+
     private static boolean isValidDomainName(String name)
     {
         try
