grpc · ericgribkoff · Apr 3, 2018 · Apr 2, 2018 · Apr 2, 2018 · Apr 2, 2018
diff --git a/okhttp/src/main/java/io/grpc/okhttp/OkHttpTlsUpgrader.java b/okhttp/src/main/java/io/grpc/okhttp/OkHttpTlsUpgrader.java
@@ -70,9 +70,24 @@ public static SSLSocket upgrade(SSLSocketFactory sslSocketFactory,
     if (hostnameVerifier == null) {
       hostnameVerifier = OkHostnameVerifier.INSTANCE;
     }
-    if (!hostnameVerifier.verify(host, sslSocket.getSession())) {
+    if (!hostnameVerifier.verify(canonicalizeHost(host), sslSocket.getSession())) {
       throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
     }
     return sslSocket;
   }
+
+  /**
+   * Converts a host from URI to X509 format.
+   *
+   * <p>IPv6 host addresses derived from URIs are enclosed in square brackets per RFC2732, but
+   * omit these brackets in X509 certificate subjectAltName extensions per RFC5280.
+   *
+   * @see <a href="https://www.ietf.org/rfc/rfc2732.txt">RFC2732</a>
+   * @see <a href="https://tools.ietf.org/html/rfc5280#section-4.2.1.6">RFC5280</a>
+   *
+   * @return {@param host} in a form consistent with X509 certificates
+   */
+  static String canonicalizeHost(String host) {
+    return host.replaceAll("[\\[\\]]", "");
+  }
 }
diff --git a/okhttp/src/test/java/io/grpc/okhttp/OkHttpTlsUpgraderTest.java b/okhttp/src/test/java/io/grpc/okhttp/OkHttpTlsUpgraderTest.java
@@ -16,6 +16,8 @@
 
 package io.grpc.okhttp;
 
+import static io.grpc.okhttp.OkHttpTlsUpgrader.canonicalizeHost;
+import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 
 import io.grpc.okhttp.internal.Protocol;
@@ -32,4 +34,44 @@ public class OkHttpTlsUpgraderTest {
             || OkHttpTlsUpgrader.TLS_PROTOCOLS.indexOf(Protocol.GRPC_EXP)
                 < OkHttpTlsUpgrader.TLS_PROTOCOLS.indexOf(Protocol.HTTP_2));
   }
+
+  @Test public void upgrade_canonicalizeHost() {
+    // IPv4
+    assertEquals(canonicalizeHost("127.0.0.1"), "127.0.0.1");
+    assertEquals(canonicalizeHost("1.2.3.4"), "1.2.3.4");
+
+    // IPv6
+    assertEquals(canonicalizeHost("::1"), "::1");
+    assertEquals(canonicalizeHost("[::1]"), "::1");
+    assertEquals(canonicalizeHost("2001:db8::1"), "2001:db8::1");
+    assertEquals(canonicalizeHost("[2001:db8::1]"), "2001:db8::1");
+    assertEquals(canonicalizeHost("::192.168.0.1"), "::192.168.0.1");
+    assertEquals(canonicalizeHost("[::192.168.0.1]"), "::192.168.0.1");
+    assertEquals(canonicalizeHost("::ffff:192.168.0.1"), "::ffff:192.168.0.1");
+    assertEquals(canonicalizeHost("[::ffff:192.168.0.1]"), "::ffff:192.168.0.1");
+    assertEquals(canonicalizeHost("FEDC:BA98:7654:3210:FEDC:BA98:7654:3210"),
+            "FEDC:BA98:7654:3210:FEDC:BA98:7654:3210");
+    assertEquals(canonicalizeHost("[FEDC:BA98:7654:3210:FEDC:BA98:7654:3210]"),
+            "FEDC:BA98:7654:3210:FEDC:BA98:7654:3210");
+    assertEquals(canonicalizeHost("1080:0:0:0:8:800:200C:417A"), "1080:0:0:0:8:800:200C:417A");
+    assertEquals(canonicalizeHost("[1080:0:0:0:8:800:200C:417A]"), "1080:0:0:0:8:800:200C:417A");
+    assertEquals(canonicalizeHost("1080::8:800:200C:417A"), "1080::8:800:200C:417A");
+    assertEquals(canonicalizeHost("[1080::8:800:200C:417A]"), "1080::8:800:200C:417A");
+    assertEquals(canonicalizeHost("FF01::101"), "FF01::101");
+    assertEquals(canonicalizeHost("[FF01::101]"), "FF01::101");
+    assertEquals(canonicalizeHost("0:0:0:0:0:0:13.1.68.3"), "0:0:0:0:0:0:13.1.68.3");
+    assertEquals(canonicalizeHost("[0:0:0:0:0:0:13.1.68.3]"), "0:0:0:0:0:0:13.1.68.3");
+    assertEquals(canonicalizeHost("0:0:0:0:0:FFFF:129.144.52.38"), "0:0:0:0:0:FFFF:129.144.52.38");
+    assertEquals(canonicalizeHost("[0:0:0:0:0:FFFF:129.144.52.38]"), "0:0:0:0:0:FFFF:129.144.52.38");
+    assertEquals(canonicalizeHost("::13.1.68.3"), "::13.1.68.3");
+    assertEquals(canonicalizeHost("[::13.1.68.3]"), "::13.1.68.3");
+    assertEquals(canonicalizeHost("::FFFF:129.144.52.38"), "::FFFF:129.144.52.38");
+    assertEquals(canonicalizeHost("[::FFFF:129.144.52.38]"), "::FFFF:129.144.52.38");
+
+    // Hostnames
+    assertEquals(canonicalizeHost("go"), "go");
+    assertEquals(canonicalizeHost("localhost"), "localhost");
+    assertEquals(canonicalizeHost("squareup.com"), "squareup.com");
+    assertEquals(canonicalizeHost("www.nintendo.co.jp"), "www.nintendo.co.jp");
+  }
 }