Strictly validations

Author: arturobernalg

httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java

@@ -357,12 +357,21 @@ static List<SubjectName> getSubjectAltNames(final X509Certificate cert, final in
                         } else if (o instanceof byte[]) {
                             final byte[] bytes = (byte[]) o;
                             final String decodedValue;
-                            if (type == SubjectName.IP && bytes.length == 4) {
-                                decodedValue = byteArrayToIp(bytes);
-                            } else if (type == SubjectName.IP && bytes.length == 16) {
-                                decodedValue = byteArrayToIPv6(bytes);
+                            if (type == SubjectName.IP) {
+                                if (bytes.length == 4) {
+                                    decodedValue = byteArrayToIp(bytes); // IPv4
+                                } else if (bytes.length == 16) {
+                                    decodedValue = byteArrayToIPv6(bytes); // IPv6
+                                } else {
+                                    throw new IllegalArgumentException("Invalid byte length for IP address: " + bytes.length);
+                                }
+                            } else if (type == SubjectName.DNS) {
+                                throw new IllegalArgumentException("Unexpected byte[] for DNS SAN type");
                             } else {
-                                decodedValue = TextUtils.toHexString(bytes);
+                                if (LOG.isWarnEnabled()) {
+                                    LOG.warn("Unrecognized SAN type: {}, data: {}", type, TextUtils.toHexString(bytes));
+                                }
+                                decodedValue = TextUtils.toHexString(bytes); // Fallback to hex string
                             }
 
                             result.add(new SubjectName(decodedValue, type));

httpclient5/src/test/java/org/apache/hc/client5/http/ssl/TestDefaultHostnameVerifier.java

@@ -624,14 +624,8 @@ void testSimulatedBytePropertiesRawHex() throws Exception {
 
         // Mocking the certificate behavior
         final X509Certificate mockCert = generateX509Certificate(entries);
+        Assertions.assertThrows(IllegalArgumentException.class, () -> DefaultHostnameVerifier.getSubjectAltNames(mockCert, -1));
 
-        final List<SubjectName> result = DefaultHostnameVerifier.getSubjectAltNames(mockCert, -1);
-        Assertions.assertEquals(1, result.size(), "Should have one SubjectAltName");
-
-        final SubjectName sn = result.get(0);
-        Assertions.assertEquals(SubjectName.IP, sn.getType(), "Should be an IP type");
-        // Here, you'll need logic to convert byte array to string for assertion
-        Assertions.assertEquals("0a1b2c3d4e5f", sn.getValue(), "IP address should match after conversion");
     }