Diffstat (limited to 'lib/public_key')
-rw-r--r--lib/public_key/doc/src/Makefile8
-rw-r--r--lib/public_key/doc/src/fascicules.xml19
-rw-r--r--lib/public_key/doc/src/note.gifbin1539 -> 0 bytes
-rw-r--r--lib/public_key/doc/src/part_notes.xml39
-rw-r--r--lib/public_key/doc/src/public_key.xml19
-rw-r--r--lib/public_key/src/pubkey_pbe.erl3
-rw-r--r--lib/public_key/src/pubkey_ssh.erl138
-rw-r--r--lib/public_key/src/public_key.erl40
-rw-r--r--lib/public_key/test/public_key_SUITE.erl38
-rw-r--r--lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem13
-rw-r--r--lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf17
11 files changed, 168 insertions, 166 deletions
diff --git a/lib/public_key/doc/src/Makefile b/lib/public_key/doc/src/Makefile
index 5bdc5d4159..f5157fe87a 100644
--- a/lib/public_key/doc/src/Makefile
+++ b/lib/public_key/doc/src/Makefile
@@ -1,7 +1,7 @@
#
# %CopyrightBegin%
#
-# Copyright Ericsson AB 2008-2016. All Rights Reserved.
+# Copyright Ericsson AB 2008-2017. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -40,7 +40,7 @@ XML_APPLICATION_FILES = ref_man.xml
XML_REF3_FILES = public_key.xml
XML_REF6_FILES = public_key_app.xml
-XML_PART_FILES = part.xml part_notes.xml
+XML_PART_FILES = part.xml
XML_CHAPTER_FILES = \
introduction.xml \
public_key_records.xml \
@@ -50,9 +50,9 @@ XML_CHAPTER_FILES = \
BOOK_FILES = book.xml
XML_FILES = $(BOOK_FILES) $(XML_APPLICATION_FILES) $(XML_REF3_FILES) \
- $(XML_REF6_FILES) $(XML_PART_FILES) $(XML_CHAPTER_FILES)
+ $(XML_REF6_FILES) $(XML_PART_FILES) $(XML_CHAPTER_FILES)
-GIF_FILES = note.gif
+GIF_FILES =
# ----------------------------------------------------
diff --git a/lib/public_key/doc/src/fascicules.xml b/lib/public_key/doc/src/fascicules.xml
deleted file mode 100644
index 25e7008537..0000000000
--- a/lib/public_key/doc/src/fascicules.xml
+++ /dev/null
@@ -1,19 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE fascicules SYSTEM "fascicules.dtd">
-
-<fascicules>
- <fascicule file="usersguide" href="part_frame.html" entry="no">
- User's Guide
- </fascicule>
- <fascicule file="ref_man" href="ref_man_frame.html" entry="yes">
- Reference Manual
- </fascicule>
- <fascicule file="release_notes" href="part_notes_frame.html" entry="no">
- Release Notes
- </fascicule>
- <fascicule file="" href="../../../../doc/print.html" entry="no">
- Off-Print
- </fascicule>
-</fascicules>
-
-
diff --git a/lib/public_key/doc/src/note.gif b/lib/public_key/doc/src/note.gif
deleted file mode 100644
index 6fffe30419..0000000000
--- a/lib/public_key/doc/src/note.gif
+++ /dev/null
Binary files differ
diff --git a/lib/public_key/doc/src/part_notes.xml b/lib/public_key/doc/src/part_notes.xml
deleted file mode 100644
index 17f06d14f5..0000000000
--- a/lib/public_key/doc/src/part_notes.xml
+++ /dev/null
@@ -1,39 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE part SYSTEM "part.dtd">
-
-<part xmlns:xi="http://www.w3.org/2001/XInclude">
- <header>
- <copyright>
- <year>2008</year>
- <year>2016</year>
- <holder>Ericsson AB, All Rights Reserved</holder>
- </copyright>
- <legalnotice>
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- The Initial Developer of the Original Code is Ericsson AB.
- </legalnotice>
-
- <title>public_key Release Notes</title>
- <prepared>Ingela Anderton Andin</prepared>
- <docno></docno>
- <date>2008-01-22</date>
- <rev></rev>
- </header>
- <description>
- <p></p>
- </description>
- <xi:include href="notes.xml"/>
-</part>
-
-
diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml
index fcf37a7a4d..5230cef496 100644
--- a/lib/public_key/doc/src/public_key.xml
+++ b/lib/public_key/doc/src/public_key.xml
@@ -871,19 +871,20 @@ fun(#'DistributionPoint'{}, #'CertificateList'{},
<type>
<v>Cert = der_encoded() | #'OTPCertificate'{} </v>
<v>ReferenceIDs = [ RefID ]</v>
- <v>RefID = {IdType,string()}</v>
- <v>IdType = dns_id | srv_id | uri_id</v>
+ <v>RefID = {dns_id,string()} | {srv_id,string()} | {uri_id,string()} | {ip,inet:ip_address()|string()} | {OtherRefID,term()}}</v>
+ <v>OtherRefID = atom()</v>
<v>Opts = [ PvhOpt() ]</v>
<v>PvhOpt = [MatchOpt | FailCallBackOpt | FqdnExtractOpt]</v>
- <v>MatchOpt = {fun(RefId | FQDN::string(), PresentedID) -> boolean() | default}</v>
- <v>PresentedID = {dNSName,string()} | {uniformResourceIdentifier,string()}</v>
+ <v>MatchOpt = {match_fun, fun(RefId | FQDN::string(), PresentedID) -> boolean() | default}</v>
+ <v>PresentedID = {dNSName,string()} | {uniformResourceIdentifier,string() | {iPAddress,list(byte())} | {OtherPresId,term()}}</v>
+ <v>OtherPresID = atom()</v>
<v>FailCallBackOpt = {fail_callback, fun(#'OTPCertificate'{}) -> boolean()}</v>
<v>FqdnExtractOpt = {fqdn_fun, fun(RefID) -> FQDN::string() | default | undefined}</v>
</type>
<desc>
<p>This function checks that the <i>Presented Identifier</i> (e.g hostname) in a peer certificate
- conforms with the Expected Identifier that the client wants to connect to.
- This functions is intended to be added as an extra client check to the peer certificate when performing
+ is in agreement with the <i>Reference Identifier</i> that the client expects to be connected to.
+ The function is intended to be added as an extra client check of the peer certificate when performing
<seealso marker="public_key:public_key#pkix_path_validation-3">public_key:pkix_path_validation/3</seealso>
</p>
<p>See <url href="https://tools.ietf.org/html/rfc6125">RFC 6125</url>
@@ -893,6 +894,12 @@ fun(#'DistributionPoint'{}, #'CertificateList'{},
<seealso marker="using_public_key#verify_hostname_examples">code examples</seealso>
describes this function more detailed.
</p>
+ <p>The <c>{OtherRefId,term()}</c> is defined by the user and is passed to the <c>match_fun</c>, if defined.
+ If that term is a binary, it will be converted to a string.
+ </p>
+ <p>The <c>ip</c> Reference ID takes an <seealso marker="inet:inet#type-ip_address">inet:ip_address()</seealso>
+ or an ip address in string format (E.g "10.0.1.1" or "1234::5678:9012") as second element.
+ </p>
</desc>
</func>
diff --git a/lib/public_key/src/pubkey_pbe.erl b/lib/public_key/src/pubkey_pbe.erl
index 0243bcaa82..e89e16f120 100644
--- a/lib/public_key/src/pubkey_pbe.erl
+++ b/lib/public_key/src/pubkey_pbe.erl
@@ -222,7 +222,8 @@ pbe_pad(Data, {#'PBEParameter'{}, _}) ->
pbe_pad(Data, #'PBES2-params'{}) ->
pbe_pad(Data);
pbe_pad(Data, _) ->
- Data.
+pbe_pad(Data).%% Data.
+
pbe_pad(Data) ->
N = 8 - (erlang:byte_size(Data) rem 8),
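Review bot: The new catch-all clause body `pbe_pad(Data).%% Data.` sits at column 0 and carries the old body as a trailing commented-out remnant; indent it like the sibling clauses and drop the remnant, `    pbe_pad(Data).`. Behaviourally this clause now pads every parameter set that matches neither `#'PBEParameter'{}` nor `#'PBES2-params'{}` to an 8-byte boundary (pbe_pad/1 below uses `rem 8`), whereas before the data passed through unpadded; if any caller can reach this clause with a 16-byte block cipher the padding would be wrong, but the callers are not in view, so a one-line comment stating which schemes are expected here would help, e.g. `%% any other scheme: assume an 8-byte block cipher (DES/3DES/RC2)`. pbe_pad/2 starts before this hunk and pbe_pad/1 continues after it.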
diff --git a/lib/public_key/src/pubkey_ssh.erl b/lib/public_key/src/pubkey_ssh.erl
index 75c1880655..a7d018e440 100644
--- a/lib/public_key/src/pubkey_ssh.erl
+++ b/lib/public_key/src/pubkey_ssh.erl
@@ -29,7 +29,15 @@
]).
-define(UINT32(X), X:32/unsigned-big-integer).
--define(STRING(X), ?UINT32((size(X))), (X)/binary).
+-define(STRING(X), ?UINT32((byte_size(X))), (X)/binary).
+
+-define(DEC_BIN(X,Len), ?UINT32(Len), X:Len/binary ).
+-define(DEC_MPINT(I,Len), ?DEC_INT(I,Len) ).
+-define(DEC_INT(I,Len), ?UINT32(Len), I:Len/big-signed-integer-unit:8 ).
+
+-define(Empint(X), (mpint(X))/binary ).
+-define(Estring(X), (string(X))/binary ).
+
%% Max encoded line length is 72, but conformance examples use 68
%% Comment from rfc 4716: "The following are some examples of public
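Review bot: `?DEC_INT` decodes the length-prefixed field as `big-signed-integer-unit:8`, i.e. two's complement, which is what RFC 4251 §5 specifies for mpint, but it is a behaviour change from the removed `erlint/2`, which read the same bytes unsigned; a blob whose modulus or exponent lacks the 0x00 pad byte now yields a negative integer instead of a large positive one. That is the more correct reading, so I would only ask for a comment on the macro recording it, `%% mpint per RFC 4251: two's complement, MSB first (a leading 0x00 keeps positives positive)`. `?DEC_MPINT` is defined here but the decode clauses later in this file use `?DEC_INT` directly; either use the alias in the mpint positions or drop it so the two names do not drift apart.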
@@ -47,12 +55,12 @@
%% Description: Decodes a ssh file-binary.
%%--------------------------------------------------------------------
decode(Bin, public_key)->
- case binary:match(Bin, begin_marker()) of
- nomatch ->
- openssh_decode(Bin, openssh_public_key);
- _ ->
- rfc4716_decode(Bin)
- end;
+ PKtype =
+ case binary:match(Bin, begin_marker()) of
+ nomatch -> openssh_public_key;
+ _ -> rfc4716_public_key
+ end,
+ decode(Bin, PKtype);
decode(Bin, rfc4716_public_key) ->
rfc4716_decode(Bin);
decode(Bin, ssh2_pubkey) ->
@@ -164,26 +172,8 @@ join_entry([Line | Lines], Entry) ->
join_entry(Lines, [Line | Entry]).
-rfc4716_pubkey_decode(<<?UINT32(Len), Type:Len/binary,
- ?UINT32(SizeE), E:SizeE/binary,
- ?UINT32(SizeN), N:SizeN/binary>>) when Type == <<"ssh-rsa">> ->
- #'RSAPublicKey'{modulus = erlint(SizeN, N),
- publicExponent = erlint(SizeE, E)};
-
-rfc4716_pubkey_decode(<<?UINT32(Len), Type:Len/binary,
- ?UINT32(SizeP), P:SizeP/binary,
- ?UINT32(SizeQ), Q:SizeQ/binary,
- ?UINT32(SizeG), G:SizeG/binary,
- ?UINT32(SizeY), Y:SizeY/binary>>) when Type == <<"ssh-dss">> ->
- {erlint(SizeY, Y),
- #'Dss-Parms'{p = erlint(SizeP, P),
- q = erlint(SizeQ, Q),
- g = erlint(SizeG, G)}};
-rfc4716_pubkey_decode(<<?UINT32(Len), ECDSA_SHA2_etc:Len/binary,
- ?UINT32(SizeId), Id:SizeId/binary,
- ?UINT32(SizeQ), Q:SizeQ/binary>>) ->
- <<"ecdsa-sha2-", Id/binary>> = ECDSA_SHA2_etc,
- {#'ECPoint'{point = Q}, {namedCurve,public_key:ssh_curvename2oid(Id)}}.
+rfc4716_pubkey_decode(BinKey) -> ssh2_pubkey_decode(BinKey).
+
openssh_decode(Bin, FileType) ->
Lines = binary:split(Bin, <<"\n">>, [global]),
@@ -267,18 +257,14 @@ decode_comment(Comment) ->
openssh_pubkey_decode(Type, Base64Enc) ->
try
- ssh2_pubkey_decode(Type, base64:mime_decode(Base64Enc))
+ <<?DEC_BIN(Type,_TL), Bin/binary>> = base64:mime_decode(Base64Enc),
+ ssh2_pubkey_decode(Type, Bin)
catch
_:_ ->
{Type, base64:mime_decode(Base64Enc)}
end.
-erlint(MPIntSize, MPIntValue) ->
- Bits= MPIntSize * 8,
- <<Integer:Bits/integer>> = MPIntValue,
- Integer.
-
ssh1_rsa_pubkey_decode(MBin, EBin) ->
#'RSAPublicKey'{modulus = integer_decode(MBin),
publicExponent = integer_decode(EBin)}.
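Review bot: The new match `<<?DEC_BIN(Type,_TL), Bin/binary>> = base64:mime_decode(Base64Enc)` is a useful check that the type string embedded in the blob equals the one declared on the line, but because it lives inside the `try` its `badmatch` is swallowed by `catch _:_` and the function returns the raw blob as `{Type, ...}`, exactly as it does for a key type it does not know how to parse, so a mismatched or malformed entry is indistinguishable from an intentionally unparsed one. Consider decoding once and matching before the `try`, `Decoded = base64:mime_decode(Base64Enc), <<?DEC_BIN(Type,_TL), Bin/binary>> = Decoded,` and using `Decoded` in the fallback, so a mismatch surfaces as an error while unknown-but-consistent types still fall through; this assumes ssh_decode/2's callers, which are not in view, are prepared for an exception on a corrupt key file. Decoding the base64 twice in the fallback path is also avoidable.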
@@ -411,71 +397,37 @@ comma_list_encode([Option | Rest], Acc) ->
ssh2_pubkey_encode(#'RSAPublicKey'{modulus = N, publicExponent = E}) ->
- ssh2_pubkey_encode({#'RSAPublicKey'{modulus = N, publicExponent = E}, 'ssh-rsa'});
-
-ssh2_pubkey_encode({Key, 'rsa-sha2-256'}) -> ssh2_pubkey_encode({Key, 'ssh-rsa'});
-ssh2_pubkey_encode({Key, 'rsa-sha2-512'}) -> ssh2_pubkey_encode({Key, 'ssh-rsa'});
-ssh2_pubkey_encode({#'RSAPublicKey'{modulus = N, publicExponent = E}, SignAlg}) ->
- SignAlgName = list_to_binary(atom_to_list(SignAlg)),
- StrLen = size(SignAlgName),
- EBin = mpint(E),
- NBin = mpint(N),
- <<?UINT32(StrLen), SignAlgName:StrLen/binary,
- EBin/binary,
- NBin/binary>>;
-ssh2_pubkey_encode({{_,#'Dss-Parms'{}}=Key, _}) ->
- ssh2_pubkey_encode(Key);
+ <<?STRING(<<"ssh-rsa">>), ?Empint(E), ?Empint(N)>>;
ssh2_pubkey_encode({Y, #'Dss-Parms'{p = P, q = Q, g = G}}) ->
- TypeStr = <<"ssh-dss">>,
- StrLen = size(TypeStr),
- PBin = mpint(P),
- QBin = mpint(Q),
- GBin = mpint(G),
- YBin = mpint(Y),
- <<?UINT32(StrLen), TypeStr:StrLen/binary,
- PBin/binary,
- QBin/binary,
- GBin/binary,
- YBin/binary>>;
-ssh2_pubkey_encode({{#'ECPoint'{},_}=Key, _}) ->
- ssh2_pubkey_encode(Key);
+ <<?STRING(<<"ssh-dss">>), ?Empint(P), ?Empint(Q), ?Empint(G), ?Empint(Y)>>;
ssh2_pubkey_encode(Key={#'ECPoint'{point = Q}, {namedCurve,OID}}) ->
- TypeStr = key_type(Key),
- StrLen = size(TypeStr),
- IdB = public_key:oid2ssh_curvename(OID),
- <<?UINT32(StrLen), TypeStr:StrLen/binary,
- (string(IdB))/binary,
- (string(Q))/binary>>.
+ Curve = public_key:oid2ssh_curvename(OID),
+ <<?STRING(key_type(Key)), ?Estring(Curve), ?Estring(Q)>>.
-ssh2_pubkey_decode(Bin = <<?UINT32(Len), Type:Len/binary, _/binary>>) ->
+ssh2_pubkey_decode(<<?DEC_BIN(Type,_TL), Bin/binary>>) ->
ssh2_pubkey_decode(Type, Bin).
-ssh2_pubkey_decode(<<"rsa-sha2-256">>, Bin) -> ssh2_pubkey_decode(<<"ssh-rsa">>, Bin);
-ssh2_pubkey_decode(<<"rsa-sha2-512">>, Bin) -> ssh2_pubkey_decode(<<"ssh-rsa">>, Bin);
+%% ssh2_pubkey_decode(<<"rsa-sha2-256">>, Bin) -> ssh2_pubkey_decode(<<"ssh-rsa">>, Bin);
+%% ssh2_pubkey_decode(<<"rsa-sha2-512">>, Bin) -> ssh2_pubkey_decode(<<"ssh-rsa">>, Bin);
ssh2_pubkey_decode(<<"ssh-rsa">>,
- <<?UINT32(Len), _:Len/binary,
- ?UINT32(SizeE), E:SizeE/binary,
- ?UINT32(SizeN), N:SizeN/binary>>) ->
- #'RSAPublicKey'{modulus = erlint(SizeN, N),
- publicExponent = erlint(SizeE, E)};
+ <<?DEC_INT(E, _EL),
+ ?DEC_INT(N, _NL)>>) ->
+ #'RSAPublicKey'{modulus = N,
+ publicExponent = E};
ssh2_pubkey_decode(<<"ssh-dss">>,
- <<?UINT32(Len), _:Len/binary,
- ?UINT32(SizeP), P:SizeP/binary,
- ?UINT32(SizeQ), Q:SizeQ/binary,
- ?UINT32(SizeG), G:SizeG/binary,
- ?UINT32(SizeY), Y:SizeY/binary>>) ->
- {erlint(SizeY, Y),
- #'Dss-Parms'{p = erlint(SizeP, P),
- q = erlint(SizeQ, Q),
- g = erlint(SizeG, G)}};
+ <<?DEC_INT(P, _PL),
+ ?DEC_INT(Q, _QL),
+ ?DEC_INT(G, _GL),
+ ?DEC_INT(Y, _YL)>>) ->
+ {Y, #'Dss-Parms'{p = P,
+ q = Q,
+ g = G}};
ssh2_pubkey_decode(<<"ecdsa-sha2-",Id/binary>>,
- <<?UINT32(Len), ECDSA_SHA2_etc:Len/binary,
- ?UINT32(SizeId), Id:SizeId/binary,
- ?UINT32(SizeQ), Q:SizeQ/binary>>) ->
- <<"ecdsa-sha2-", Id/binary>> = ECDSA_SHA2_etc,
+ <<?DEC_BIN(Id, _IL),
+ ?DEC_BIN(Q, _QL)>>) ->
{#'ECPoint'{point = Q}, {namedCurve,public_key:ssh_curvename2oid(Id)}}.
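Review bot: The two `rsa-sha2-256`/`rsa-sha2-512` decode clauses are left in as commented-out code rather than deleted; since the `{public_key(),atom()}` encode clauses and the matching `ssh_encode/2` spec clause are removed outright in this commit, delete these lines too, or add a one-line `%%` note saying why a blob tagged with a signature-algorithm name is deliberately not accepted as a key type. With the switch to signed mpint decoding, the `ssh-rsa` and `ssh-dss` clauses will now build records containing negative integers for a blob whose field lacks the leading pad byte; a guard such as `when E > 0, N > 0` on the `ssh-rsa` clause (and the analogous one for P, Q, G, Y) would reject such blobs at the parser instead of handing a negative modulus to whatever later consumes the key. The ECDSA clause binding `Id` in both the type string and the inner curve-name string is a good consistency check and worth a comment, `%% curve name in the type string must equal the embedded curve name`.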
@@ -575,17 +527,16 @@ mpint(X) -> mpint_pos(X).
mpint_neg(X) ->
Bin = int_to_bin_neg(X, []),
- Sz = byte_size(Bin),
- <<?UINT32(Sz), Bin/binary>>.
+ <<?STRING(Bin)>>.
mpint_pos(X) ->
Bin = int_to_bin_pos(X, []),
<<MSB,_/binary>> = Bin,
- Sz = byte_size(Bin),
if MSB band 16#80 == 16#80 ->
- <<?UINT32((Sz+1)), 0, Bin/binary>>;
+ B = << 0, Bin/binary>>,
+ <<?STRING(B)>>;
true ->
- <<?UINT32(Sz), Bin/binary>>
+ <<?STRING(Bin)>>
end.
int_to_bin_pos(0,Ds=[_|_]) ->
@@ -602,7 +553,8 @@ int_to_bin_neg(X,Ds) ->
string(X) when is_binary(X) ->
<< ?STRING(X) >>;
string(X) ->
- << ?STRING(list_to_binary(X)) >>.
+ B = list_to_binary(X),
+ << ?STRING(B) >>.
is_ssh_curvename(Id) -> try public_key:ssh_curvename2oid(Id) of _ -> true
catch _:_ -> false
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index cc01b61433..c6ab4d06ae 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -942,7 +942,6 @@ ssh_decode(SshBin, Type) when is_binary(SshBin),
%%--------------------------------------------------------------------
-spec ssh_encode([{public_key(), Attributes::list()}], ssh_file()) -> binary()
; (public_key(), ssh2_pubkey) -> binary()
- ; ({public_key(),atom()}, ssh2_pubkey) -> binary()
.
%%
%% Description: Encodes a list of ssh file entries (public keys and
@@ -1454,13 +1453,43 @@ verify_hostname_match_default0({dns_id,R}, {dNSName,P}) ->
R==P;
verify_hostname_match_default0({uri_id,R}, {uniformResourceIdentifier,P}) ->
R==P;
-verify_hostname_match_default0({srv_id,R}, {T,P}) when T == srvName ;
- T == ?srvName_OID ->
+verify_hostname_match_default0({ip,R}, {iPAddress,P}) when length(P) == 4 ->
+ %% IPv4
+ try
+ list_to_tuple(P)
+ == if is_tuple(R), size(R)==4 -> R;
+ is_list(R) -> ok(inet:parse_ipv4strict_address(R))
+ end
+ catch
+ _:_ ->
+ false
+ end;
+
+verify_hostname_match_default0({ip,R}, {iPAddress,P}) when length(P) == 16 ->
+ %% IPv6. The length 16 is due to the certificate specification.
+ try
+ l16_to_tup(P)
+ == if is_tuple(R), size(R)==8 -> R;
+ is_list(R) -> ok(inet:parse_ipv6strict_address(R))
+ end
+ catch
+ _:_ ->
+ false
+ end;
+verify_hostname_match_default0({srv_id,R}, {srvName,P}) ->
+ R==P;
+verify_hostname_match_default0({srv_id,R}, {?srvName_OID,P}) ->
R==P;
verify_hostname_match_default0(_, _) ->
false.
+ok({ok,X}) -> X.
+l16_to_tup(L) -> list_to_tuple(l16_to_tup(L, [])).
+%%
+l16_to_tup([A,B|T], Acc) -> l16_to_tup(T, [(A bsl 8) bor B | Acc]);
+l16_to_tup([], Acc) -> lists:reverse(Acc).
+
match_wild(A, [$*|B]) -> match_wild_suffixes(A, B);
match_wild([C|A], [ C|B]) -> match_wild(A, B);
match_wild([], []) -> true;
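Review bot: In both new `{ip,R}` clauses the `if` has no `true` branch, so any reference that is neither a list nor a tuple of the expected size (a 5-tuple, an atom, a binary that was not converted upstream) raises `if_clause`, which the enclosing `catch _:_` then reports as `false`; failing closed is the right outcome for a certificate check, but it makes a caller's programming error look like a hostname mismatch and the blanket catch also hides any unexpected crash in `inet` or `l16_to_tup/1`. I would make the accepted reference shapes explicit and keep the exception handling, if any, around the one call that can raise; `size(R)` should also be `tuple_size(R)`. The function starts before this hunk; the IPv6 clause would get the same treatment with a `ref_to_ipv6/1` helper built on `inet:parse_ipv6strict_address/1` and `l16_to_tup/1`.
```erlang
verify_hostname_match_default0({ip,R}, {iPAddress,P}) when length(P) == 4 ->
    %% IPv4: a reference that is not a 4-tuple or a strict dotted quad fails closed
    case ref_to_ipv4(R) of
        {ok, Ref} -> Ref == list_to_tuple(P);
        error     -> false
    end;
%% … unchanged: IPv6 clause, same shape with ref_to_ipv6/1 and l16_to_tup/1 …

ref_to_ipv4(R) when is_tuple(R), tuple_size(R) == 4 -> {ok, R};
ref_to_ipv4(R) when is_list(R) ->
    case inet:parse_ipv4strict_address(R) of
        {ok, _} = Ok -> Ok;
        {error, _}   -> error
    end;
ref_to_ipv4(_) -> error.
```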
@@ -1499,13 +1528,16 @@ verify_hostname_match_loop(Refs, Pres, MatchFun, FailCB, Cert) ->
Refs).
+to_lower_ascii({ip,_}=X) -> X;
+to_lower_ascii({iPAddress,_}=X) -> X;
to_lower_ascii(S) when is_list(S) -> lists:map(fun to_lower_ascii/1, S);
to_lower_ascii({T,S}) -> {T, to_lower_ascii(S)};
to_lower_ascii(C) when $A =< C,C =< $Z -> C + ($a-$A);
to_lower_ascii(C) -> C.
to_string(S) when is_list(S) -> S;
-to_string(B) when is_binary(B) -> binary_to_list(B).
+to_string(B) when is_binary(B) -> binary_to_list(B);
+to_string(X) -> X.
format_details([]) ->
no_relevant_crls;
diff --git a/lib/public_key/test/public_key_SUITE.erl b/lib/public_key/test/public_key_SUITE.erl
index 374fb20375..0100f0a912 100644
--- a/lib/public_key/test/public_key_SUITE.erl
+++ b/lib/public_key/test/public_key_SUITE.erl
@@ -47,6 +47,7 @@ all() ->
pkix_iso_rsa_oid, pkix_iso_dsa_oid, pkix_crl, general_name,
pkix_verify_hostname_cn,
pkix_verify_hostname_subjAltName,
+ pkix_verify_hostname_subjAltName_IP,
pkix_verify_hostname_options,
pkix_test_data_all_default,
pkix_test_data,
@@ -985,6 +986,43 @@ pkix_verify_hostname_options(Config) ->
false = public_key:pkix_verify_hostname(Cert, [{uri_id,"some://very.wrong.domain"}]).
%%--------------------------------------------------------------------
+%% To generate the PEM file contents:
+%%
+%% openssl req -x509 -nodes -newkey rsa:1024 -keyout /dev/null -extensions SAN -config public_key_SUITE_data/verify_hostname_ip.conf 2>/dev/null > public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem
+%%
+%% Subject: C=SE, CN=example.com
+%% Subject Alternative Name: DNS:1.2.3.4, DNS: abcd:ef::1, IP:10.67.16.75, URI:https://10.11.12.13
+
+pkix_verify_hostname_subjAltName_IP(Config) ->
+ DataDir = proplists:get_value(data_dir, Config),
+ {ok,Bin} = file:read_file(filename:join(DataDir,"pkix_verify_hostname_subjAltName_IP.pem")),
+ Cert = public_key:pkix_decode_cert(element(2,hd(public_key:pem_decode(Bin))), otp),
+
+ %% Print the tests that a matchfun has to handle
+ catch public_key:pkix_verify_hostname(Cert, [{some_tag,"some.domain"},
+ {ip, {10,67,16,75}}
+ ],
+ [{match_fun,
+ fun(Ref,Pres) ->
+ ct:pal("~p:~p:~nRef : ~p~nPres: ~p",[?MODULE,?LINE,Ref,Pres]),
+ false
+ end}]),
+
+ false = public_key:pkix_verify_hostname(Cert, [{uri_id,"https://1.2.3.4"}]),
+ true = public_key:pkix_verify_hostname(Cert, [{uri_id,"https://10.11.12.13"}]),
+ true = public_key:pkix_verify_hostname(Cert, [{dns_id,"1.2.3.4"}]),
+ true = public_key:pkix_verify_hostname(Cert, [{dns_id,<<"1.2.3.4">>}]),
+ false = public_key:pkix_verify_hostname(Cert, [{dns_id,"10.67.16.75"}]),
+ true = public_key:pkix_verify_hostname(Cert, [{ip, "aBcD:ef:0::0:1"}]),
+ true = public_key:pkix_verify_hostname(Cert, [{ip, {16#abcd,16#ef,0,0,0,0,0,1}}]),
+ true = public_key:pkix_verify_hostname(Cert, [{ip, "10.67.16.75"}]),
+ true = public_key:pkix_verify_hostname(Cert, [{ip, <<"10.67.16.75">>}]),
+ true = public_key:pkix_verify_hostname(Cert, [{ip, {10,67,16,75}}]),
+ false = public_key:pkix_verify_hostname(Cert, [{ip, {1,2,3,4}}]),
+ false = public_key:pkix_verify_hostname(Cert, [{ip, {10,11,12,13}}]).
+
+
+%%--------------------------------------------------------------------
pkix_iso_rsa_oid() ->
[{doc, "Test workaround for supporting certs that use ISO oids"
" 1.3.14.3.2.29 instead of PKIX/PKCS oid"}].
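Review bot: The comment describing the fixture's SAN lists `DNS: abcd:ef::1`, but `verify_hostname_ip.conf` declares that entry as `IP.2 = abcd:ef::1`, and the assertions treat it as an IP reference; change the comment to `IP:abcd:ef::1` so the next reader does not go looking for a DNS match. The `catch public_key:pkix_verify_hostname(... ct:pal ...)` block is old-style `catch` used purely to print what a match_fun receives; it asserts nothing, so either turn it into a real assertion (collect the `{Ref,Pres}` pairs and check the expected set) or remove it. Reading the UTCTime fields in the PEM, the certificate appears to be valid only from 2017-10-11 to 2017-11-10; that does not affect `pkix_verify_hostname/2,3`, which does not check validity as far as I can see, but a one-line note such as `%% NOTE: fixture has expired; only usable with pkix_verify_hostname, not pkix_path_validation` would prevent it being reused in a path-validation test.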
diff --git a/lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem b/lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem
new file mode 100644
index 0000000000..97d12cdadf
--- /dev/null
+++ b/lib/public_key/test/public_key_SUITE_data/pkix_verify_hostname_subjAltName_IP.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICBzCCAXCgAwIBAgIJAJgbo5FL73LuMA0GCSqGSIb3DQEBCwUAMCMxCzAJBgNV
+BAYTAlNFMRQwEgYDVQQDEwtleGFtcGxlLmNvbTAeFw0xNzEwMTExMDM0NDJaFw0x
+NzExMTAxMDM0NDJaMCMxCzAJBgNVBAYTAlNFMRQwEgYDVQQDEwtleGFtcGxlLmNv
+bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA5muN8NIRHuqXgtAFpaJ4EPnd
+SD+hnzMiiWQ9qAsS8P4xFsl5aNH74BTgst6Rcq33qAw+4BtKFXMt7JbWMuZklFV3
+fzRSx099MVJSH3f2LDMNLfyDiSJnhBEv1rLPaosi91ZLvI5LiGTxzRLi3qftZBft
+Ryw1OempB4chLcBy2rsCAwEAAaNDMEEwPwYDVR0RBDgwNoIHMS4yLjMuNIcECkMQ
+S4cQq80A7wAAAAAAAAAAAAAAAYYTaHR0cHM6Ly8xMC4xMS4xMi4xMzANBgkqhkiG
+9w0BAQsFAAOBgQDMn8aqs/5FkkWhspvN2n+D2l87M+33a5My54ZVZhayZ/KRmhCN
+Gix/BiVYJ3UlmWmGcnQXb3MLt/LQHaD3S2whDaLN3xJ8BbnX7A4ZTybitdyeFhDw
+K3iDVUM3bSsBJ4EcBPWIMnow3ALP5HlGRMlH/87Qt+uVPXuwNh9pmyIhRQ==
+-----END CERTIFICATE-----
diff --git a/lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf b/lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf
new file mode 100644
index 0000000000..798592e4f6
--- /dev/null
+++ b/lib/public_key/test/public_key_SUITE_data/verify_hostname_ip.conf
@@ -0,0 +1,17 @@
+[req]
+prompt = no
+distinguished_name = DN
+
+[DN]
+C=SE
+CN=example.com
+
+[SAN]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS = 1.2.3.4
+IP.1 = 10.67.16.75
+IP.2 = abcd:ef::1
+URI = https://10.11.12.13
+