From fcc6f3248c6e3a370d2598c54ed7abb4b786bb12 Mon Sep 17 00:00:00 2001
From: yan
Date: Sat, 18 Apr 2020 12:16:42 +0800
Subject: [PATCH] 8237592: Enhance certificate verification
Reviewed-by: mbalao, andrew
---
 .../classes/sun/security/util/HostnameChecker.java | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/share/classes/sun/security/util/HostnameChecker.java b/src/share/classes/sun/security/util/HostnameChecker.java
index 89712ddd9..230b67d3b 100644
--- a/src/share/classes/sun/security/util/HostnameChecker.java
+++ b/src/share/classes/sun/security/util/HostnameChecker.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -32,6 +32,7 @@ import java.util.*;
 import java.security.Principal;
 import java.security.cert.*;
+import java.text.Normalizer;
 import javax.security.auth.x500.X500Principal;
 import javax.net.ssl.SNIHostName;
@@ -220,7 +221,12 @@ public class HostnameChecker {
 (X500Name.commonName_oid);
 if (derValue != null) {
 try {
- if (isMatched(expectedName, derValue.getAsString())) {
+ String cname = derValue.getAsString();
+ if (!Normalizer.isNormalized(cname, Normalizer.Form.NFKC)) {
+ throw new CertificateException("Not a formal name "
+ + cname);
+ }
+ if (isMatched(expectedName, cname)) {
 return;
 }
 } catch (IOException e) {
-- 
GitLab
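Review bot: The NFKC check added before `isMatched(expectedName, cname)` carries no comment explaining why a common name that is not already normalized is rejected outright, and the message `"Not a formal name "` will not tell whoever reads the handshake failure which rule the certificate broke. A line such as `// The CN must already be in NFKC form; a name that would change under normalization is rejected, not matched.` above the `if` would record the intent, and a message like `"Common name is not in Unicode NFKC form: "` would be easier to act on. The exception text also appends the certificate-supplied `cname` verbatim on exactly the path where it contains non-normalized characters, so anything that logs or displays it should treat it as untrusted. Only `cname` is checked here; whether `expectedName` or the subjectAltName comparison needs the same treatment cannot be judged from this hunk, because the enclosing method starts and ends outside it.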