ZOOKEEPER-3832: ZKHostnameVerifier rejects valid certificates with su…

…bjectAltNames

This issue has been reported by a user who wanted to use a cert that contains SAN entries that are not of type DNS or IP.
I've come across the following ticket in http client project which seems to be related:
https://issues.apache.org/jira/browse/HTTPCLIENT-1906

This is the backport of the fix.

Original patch: apache/httpcomponents-client@56cc245

Target versions: 3.5, 3.6, 3.7

Author: Andor Molnar <andor@apache.org>

Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org>

Closes apache#1353 from anmolnar/ZOOKEEPER-3832

checkstyleSuppressions.xml

@@ -32,4 +32,6 @@
 
     <!-- TODO ZOOKEEPER-3469 -->
     <suppress checks="Javadoc.+" files=".+[\\/]zookeeper-server[\\/].+\.java"/>
+
+    <suppress checks="OperatorWrap|ModifierOrder" files="zookeeper-server/src/test/java/org/apache/zookeeper/common/CertificatesToPlayWith\.java" />
 </suppressions>

zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKHostnameVerifier.java

@@ -324,8 +324,14 @@ private static List<SubjectName> getSubjectAltNames(final X509Certificate cert)
             for (List<?> entry : entries) {
                 final Integer type = entry.size() >= 2 ? (Integer) entry.get(0) : null;
                 if (type != null) {
-                    final String s = (String) entry.get(1);
-                    result.add(new SubjectName(s, type));
+                    if (type == SubjectName.DNS || type == SubjectName.IP) {
+                        final Object o = entry.get(1);
+                        if (o instanceof String) {
+                            result.add(new SubjectName((String) o, type));
+                        } else if (o instanceof byte[]) {
+                            // TODO ASN.1 DER encoded form
+                        }
+                    }
                 }
             }
             return result;