src/share/classes/sun/security/ssl/ClientHandshaker.java


        

@@ -57,10 +57,14 @@
  *
  * @author David Brownell
  */
 final class ClientHandshaker extends Handshaker {
 
+    // constants for subject alt names of type DNS and IP
+    private final static int ALTNAME_DNS = 2;
+    private final static int ALTNAME_IP  = 7;
+
     // the server's public key from its certificate.
     private PublicKey serverKey;
 
     // the server's ephemeral public key from the server key exchange message
     // for ECDHE/ECDH_anon and RSA_EXPORT.

@@ -1495,25 +1499,54 @@
             X509Certificate prevCert) {
         if (thisCert.equals(prevCert)) {
             return true;
         }
 
+        // check subject alternative names
+        Collection<List<?>> thisSubjectAltNames = null;
+        try {
+            thisSubjectAltNames = thisCert.getSubjectAlternativeNames();
+        } catch (CertificateParsingException cpe) {
+            if (debug != null && Debug.isOn("handshake")) {
+                System.out.println(
+                        "Attempt to obtain subjectAltNames extension failed!");
+            }
+        }
+
+        Collection<List<?>> prevSubjectAltNames = null;
+        try {
+            prevSubjectAltNames = prevCert.getSubjectAlternativeNames();
+        } catch (CertificateParsingException cpe) {
+            if (debug != null && Debug.isOn("handshake")) {
+                System.out.println(
+                        "Attempt to obtain subjectAltNames extension failed!");
+            }
+        }
+
+        if ((thisSubjectAltNames != null) && (prevSubjectAltNames != null)) {
         // check the iPAddress field in subjectAltName extension
-        Object thisIPAddress = getSubjectAltName(thisCert, 7);  // 7: iPAddress
-        Object prevIPAddress = getSubjectAltName(prevCert, 7);
-        if (thisIPAddress != null && prevIPAddress!= null) {
-            // only allow the exactly match
-            return Objects.equals(thisIPAddress, prevIPAddress);
+            Collection<String> thisSubAltIPAddrs =
+                        getSubjectAltNames(thisSubjectAltNames, ALTNAME_IP);
+            Collection<String> prevSubAltIPAddrs =
+                        getSubjectAltNames(prevSubjectAltNames, ALTNAME_IP);
+            if ((thisSubAltIPAddrs != null) && (prevSubAltIPAddrs != null) &&
+                (isEquivalent(thisSubAltIPAddrs, prevSubAltIPAddrs))) {
+
+                return true;
         }
 
         // check the dNSName field in subjectAltName extension
-        Object thisDNSName = getSubjectAltName(thisCert, 2);    // 2: dNSName
-        Object prevDNSName = getSubjectAltName(prevCert, 2);
-        if (thisDNSName != null && prevDNSName!= null) {
-            // only allow the exactly match
-            return Objects.equals(thisDNSName, prevDNSName);
+            Collection<String> thisSubAltDnsNames =
+                        getSubjectAltNames(thisSubjectAltNames, ALTNAME_DNS);
+            Collection<String> prevSubAltDnsNames =
+                        getSubjectAltNames(prevSubjectAltNames, ALTNAME_DNS);
+            if ((thisSubAltDnsNames != null) && (prevSubAltDnsNames != null) &&
+                (isEquivalent(thisSubAltDnsNames, prevSubAltDnsNames))) {
+
+                return true;
         }
+        }
 
         // check the certificate subject and issuer
         X500Principal thisSubject = thisCert.getSubjectX500Principal();
         X500Principal prevSubject = prevCert.getSubjectX500Principal();
         X500Principal thisIssuer = thisCert.getIssuerX500Principal();
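Review bot: The two try/catch blocks that open the new code, one for `thisCert.getSubjectAlternativeNames()` and one for `prevCert.getSubjectAlternativeNames()`, are identical except for the certificate, and they leave the consequence of a parse failure undocumented: when either extension cannot be parsed the collection stays null, the whole `if ((thisSubjectAltNames != null) && (prevSubjectAltNames != null))` block is skipped with only a debug-level trace, and equivalence is presumably decided by the subject/issuer comparison that continues below the hunk. Pulling the fetch into a small private helper removes the duplication and gives that fallback a single place to be stated; the enclosing method's signature begins before this hunk and its body continues after it. Separately, the retained context lines `// check the iPAddress field in subjectAltName extension`, `// check the dNSName field in subjectAltName extension` and their closing braces are still at the old indentation although they now sit inside the new `if`; re-indenting them by four spaces would make the nesting visible.
```java
        // check subject alternative names
        Collection<List<?>> thisSubjectAltNames = getSubjectAltNameEntries(thisCert);
        Collection<List<?>> prevSubjectAltNames = getSubjectAltNameEntries(prevCert);

        // A certificate whose subjectAltName extension is absent or cannot be
        // parsed yields null here; the SAN comparison is then skipped entirely
        // and equivalence falls through to the subject/issuer check below.
        if ((thisSubjectAltNames != null) && (prevSubjectAltNames != null)) {
            // … unchanged: iPAddress and dNSName comparison …
        }

    /*
     * Returns the subjectAltName entries of a certificate, or null if the
     * extension is absent or cannot be parsed (the failure is only traced
     * when handshake debugging is enabled).
     */
    private static Collection<List<?>> getSubjectAltNameEntries(
            X509Certificate cert) {
        try {
            return cert.getSubjectAlternativeNames();
        } catch (CertificateParsingException cpe) {
            if (debug != null && Debug.isOn("handshake")) {
                System.out.println(
                        "Attempt to obtain subjectAltNames extension failed!");
            }
            return null;
        }
    }
```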

@@ -1529,31 +1562,45 @@
     }
 
     /*
      * Returns the subject alternative name of the specified type in the
      * subjectAltNames extension of a certificate.
+     *
+     * Note that only those subjectAltName types that use String data
+     * should be passed into this function.
      */
-    private static Object getSubjectAltName(X509Certificate cert, int type) {
-        Collection<List<?>> subjectAltNames;
+    private static Collection<String> getSubjectAltNames(
+            Collection<List<?>> subjectAltNames, int type) {
 
-        try {
-            subjectAltNames = cert.getSubjectAlternativeNames();
-        } catch (CertificateParsingException cpe) {
-            if (debug != null && Debug.isOn("handshake")) {
-                System.out.println(
-                        "Attempt to obtain subjectAltNames extension failed!");
-            }
-            return null;
-        }
-
-        if (subjectAltNames != null) {
+        HashSet<String> subAltDnsNames = null;
             for (List<?> subjectAltName : subjectAltNames) {
                 int subjectAltNameType = (Integer)subjectAltName.get(0);
                 if (subjectAltNameType == type) {
-                    return subjectAltName.get(1);
+                String subAltDnsName = (String)subjectAltName.get(1);
+                if ((subAltDnsName != null) && !subAltDnsName.isEmpty()) {
+                    if (subAltDnsNames == null) {
+                        subAltDnsNames =
+                                new HashSet<>(subjectAltNames.size());
                 }
+                    subAltDnsNames.add(subAltDnsName);
             }
         }
+        }
 
-        return null;
+        return subAltDnsNames;
     }
+
+    private static boolean isEquivalent(Collection<String> thisSubAltNames,
+            Collection<String> prevSubAltNames) {
+
+        for (String thisSubAltName : thisSubAltNames) {
+            for (String prevSubAltName : prevSubAltNames) {
+                // Only allow the exactly match.  Check no wildcard character.
+                if (thisSubAltName.equalsIgnoreCase(prevSubAltName)) {
+                    return true;
+                }
+            }
+        }
+
+        return false;
+    }
 }
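Review bot: The comment in `isEquivalent`, `// Only allow the exactly match.  Check no wildcard character.`, promises a wildcard check that the code does not perform: the loop only calls `equalsIgnoreCase`, so a `*.example.com` entry present on both certificates compares equal like any other name, and nothing rejects or expands a wildcard. Replace it with what the code actually does, `// Only allow an exact, case-insensitive match; wildcards are not expanded or rejected here.`, or add the check the comment describes. In `getSubjectAltNames` the locals `subAltDnsNames` and `subAltDnsName` are misleading now that the method is also called with `ALTNAME_IP`; `subAltNames` and `subAltName` would read correctly for both types. The header note that only String-valued types may be passed is right for the two visible callers (dNSName and iPAddress are returned as String by `getSubjectAlternativeNames`), but the unchecked `(String)subjectAltName.get(1)` would throw ClassCastException for a byte[]-valued type such as otherName, so a defensive `if (!(subjectAltName.get(1) instanceof String)) continue;` would turn a future misuse into a skipped entry rather than an aborted handshake.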