Get rid of too trusting SSLCertTruster

org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/SimpleHTTPClient.java

@@ -1,6 +1,5 @@
 package org.hl7.fhir.utilities;
 
-import java.io.DataOutputStream;
 import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.URL;
@@ -13,9 +12,6 @@ import java.util.List;
 import java.util.Map;
 
 import org.hl7.fhir.exceptions.FHIRException;
-import org.hl7.fhir.utilities.SimpleHTTPClient.HTTPResult;
-import org.hl7.fhir.utilities.SimpleHTTPClient.Header;
-import org.hl7.fhir.utilities.npm.SSLCertTruster;
 import org.hl7.fhir.utilities.settings.FhirSettings;
 
 public class SimpleHTTPClient {
@@ -113,12 +109,9 @@ public class SimpleHTTPClient {
   }
 
 
-  private boolean trustAll = false;
+
   
-  public void trustAllhosts() {
-    trustAll  = true;
-    SSLCertTruster.trustAllHosts();    
-  }
+
  
   public HTTPResult get(String url) throws IOException {
     return get(url, null);    
@@ -150,10 +143,7 @@ public class SimpleHTTPClient {
         c.setRequestProperty("Accept", accept);
       }
       setHeaders(c);
-      c.setInstanceFollowRedirects(false); 
-      if (trustAll && url.startsWith("https://")) {
-        ((javax.net.ssl.HttpsURLConnection) c).setHostnameVerifier(SSLCertTruster.DO_NOT_VERIFY);
-      }
+      c.setInstanceFollowRedirects(false);
 
       switch (c.getResponseCode()) {
       case HttpURLConnection.HTTP_MOVED_PERM:

org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/npm/FilesystemPackageCacheManager.java

@@ -740,7 +740,7 @@ public class FilesystemPackageCacheManager extends BasePackageCacheManager imple
 
   private void loadFromBuildServer() throws IOException {
     SimpleHTTPClient http = new SimpleHTTPClient();
-    http.trustAllhosts();
+
     HTTPResult res = http.get("https://build.fhir.org/ig/qas.json?nocache=" + System.currentTimeMillis());
     res.checkThrowException();
 

org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/npm/SSLCertTruster.java

@@ -1,54 +0,0 @@
-package org.hl7.fhir.utilities.npm;
-
-import java.security.cert.X509Certificate;
-
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.X509TrustManager;
-
-/**
- * This is a _temporary_ fix to get around the fact that the build server's SSL certs have expired and people cannot
- * publish IGs or run tests that rely on that box. The intention is to overhaul much of the current networking code
- * to a more central, unified, HttpClient module.
- * <p>
- * If this is still in the code in 2021, contact markiantorno on github and yell at him.
- */
-public class SSLCertTruster {
-
-  // always verify the host - dont check for certificate
-  public final static HostnameVerifier DO_NOT_VERIFY = new HostnameVerifier() {
-    public boolean verify(String hostname, SSLSession session) {
-      return true;
-    }
-  };
-
-  /**
-   * Trust every server - don't check for any certificate
-   */
-  public static void trustAllHosts() {
-    // Create a trust manager that does not validate certificate chains
-    TrustManager[] trustAllCerts = new TrustManager[]{ new X509TrustManager() {
-      @Override
-      public void checkClientTrusted(X509Certificate[] x509Certificates, String s) {}
-
-      @Override
-      public void checkServerTrusted(X509Certificate[] x509Certificates, String s) {}
-
-      public X509Certificate[] getAcceptedIssuers() {
-        return new X509Certificate[]{};
-      }
-    }};
-
-    // Install the all-trusting trust manager
-    try {
-      SSLContext sc = SSLContext.getInstance("TLS");
-      sc.init(null, trustAllCerts, new java.security.SecureRandom());
-      HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
-    } catch (Exception e) {
-      e.printStackTrace();
-    }
-  }
-}