From 7fa80ac80ba49d0936c615d115209087c53e968a Mon Sep 17 00:00:00 2001 From: dotasek Date: Mon, 12 Jun 2023 15:53:41 -0400 Subject: [PATCH] Get rid of too trusting SSLCertTruster --- .../hl7/fhir/utilities/SimpleHTTPClient.java | 16 ++---- .../npm/FilesystemPackageCacheManager.java | 2 +- .../fhir/utilities/npm/SSLCertTruster.java | 54 ------------------- 3 files changed, 4 insertions(+), 68 deletions(-) delete mode 100644 org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/npm/SSLCertTruster.java diff --git a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/SimpleHTTPClient.java b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/SimpleHTTPClient.java index 39c6ef877..f97cef2f9 100644 --- a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/SimpleHTTPClient.java +++ b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/SimpleHTTPClient.java @@ -1,6 +1,5 @@ package org.hl7.fhir.utilities; -import java.io.DataOutputStream; import java.io.IOException; import java.net.HttpURLConnection; import java.net.URL; @@ -13,9 +12,6 @@ import java.util.List; import java.util.Map; import org.hl7.fhir.exceptions.FHIRException; -import org.hl7.fhir.utilities.SimpleHTTPClient.HTTPResult; -import org.hl7.fhir.utilities.SimpleHTTPClient.Header; -import org.hl7.fhir.utilities.npm.SSLCertTruster; import org.hl7.fhir.utilities.settings.FhirSettings; public class SimpleHTTPClient { @@ -113,12 +109,9 @@ public class SimpleHTTPClient { } - private boolean trustAll = false; + - public void trustAllhosts() { - trustAll = true; - SSLCertTruster.trustAllHosts(); - } + public HTTPResult get(String url) throws IOException { return get(url, null); @@ -150,10 +143,7 @@ public class SimpleHTTPClient { c.setRequestProperty("Accept", accept); } setHeaders(c); - c.setInstanceFollowRedirects(false); - if (trustAll && url.startsWith("https://")) { - ((javax.net.ssl.HttpsURLConnection) c).setHostnameVerifier(SSLCertTruster.DO_NOT_VERIFY); - } + c.setInstanceFollowRedirects(false); switch (c.getResponseCode()) { case HttpURLConnection.HTTP_MOVED_PERM: diff --git a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/npm/FilesystemPackageCacheManager.java b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/npm/FilesystemPackageCacheManager.java index 7c5325133..e451e8868 100644 --- a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/npm/FilesystemPackageCacheManager.java +++ b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/npm/FilesystemPackageCacheManager.java @@ -740,7 +740,7 @@ public class FilesystemPackageCacheManager extends BasePackageCacheManager imple private void loadFromBuildServer() throws IOException { SimpleHTTPClient http = new SimpleHTTPClient(); - http.trustAllhosts(); + HTTPResult res = http.get("https://build.fhir.org/ig/qas.json?nocache=" + System.currentTimeMillis()); res.checkThrowException(); diff --git a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/npm/SSLCertTruster.java b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/npm/SSLCertTruster.java deleted file mode 100644 index 709d1fbdc..000000000 --- a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/npm/SSLCertTruster.java +++ /dev/null @@ -1,54 +0,0 @@ -package org.hl7.fhir.utilities.npm; - -import java.security.cert.X509Certificate; - -import javax.net.ssl.HostnameVerifier; -import javax.net.ssl.HttpsURLConnection; -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLSession; -import javax.net.ssl.TrustManager; -import javax.net.ssl.X509TrustManager; - -/** - * This is a _temporary_ fix to get around the fact that the build server's SSL certs have expired and people cannot - * publish IGs or run tests that rely on that box. The intention is to overhaul much of the current networking code - * to a more central, unified, HttpClient module. - *

- * If this is still in the code in 2021, contact markiantorno on github and yell at him. - */ -public class SSLCertTruster { - - // always verify the host - dont check for certificate - public final static HostnameVerifier DO_NOT_VERIFY = new HostnameVerifier() { - public boolean verify(String hostname, SSLSession session) { - return true; - } - }; - - /** - * Trust every server - don't check for any certificate - */ - public static void trustAllHosts() { - // Create a trust manager that does not validate certificate chains - TrustManager[] trustAllCerts = new TrustManager[]{ new X509TrustManager() { - @Override - public void checkClientTrusted(X509Certificate[] x509Certificates, String s) {} - - @Override - public void checkServerTrusted(X509Certificate[] x509Certificates, String s) {} - - public X509Certificate[] getAcceptedIssuers() { - return new X509Certificate[]{}; - } - }}; - - // Install the all-trusting trust manager - try { - SSLContext sc = SSLContext.getInstance("TLS"); - sc.init(null, trustAllCerts, new java.security.SecureRandom()); - HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); - } catch (Exception e) { - e.printStackTrace(); - } - } -}