Merge pull request from GHSA-9657-33wf-rmvx
Remove insecure TrustManager & HostnameVerifier.
vorburger committed Mar 14, 2021
2 parents 7ed4f22 + 5840b39 commit e505f62
Showing 1 changed file with 0 additions and 45 deletions.
45 changes: 0 additions & 45 deletions app/src/main/java/org/mifos/mobile/api/SelfServiceOkHttpClient.kt
Expand Up @@ -20,51 +20,6 @@ class SelfServiceOkHttpClient(private val tenant: String?, private val authToken
val mifosOkHttpClient: OkHttpClient
get() {
val builder = OkHttpClient.Builder()
try {
// Create a trust manager that does not validate certificate chains
val trustAllCerts = arrayOf<TrustManager>(
object : X509TrustManager {
@Throws(CertificateException::class)
override fun checkClientTrusted(
chain: Array<X509Certificate>,
authType: String
) {
}

@Throws(CertificateException::class)
override fun checkServerTrusted(
chain: Array<X509Certificate>,
authType: String
) {
}

override fun getAcceptedIssuers(): Array<X509Certificate?> {
return arrayOfNulls(0)
}
}
)

// Install the all-trusting trust manager
val sslContext = SSLContext.getInstance("SSL")
sslContext.init(null, trustAllCerts, SecureRandom())
// Create an ssl socket factory with our all-trusting manager
val sslSocketFactory = sslContext.socketFactory

//Enable Full Body Logging
val logger = HttpLoggingInterceptor()
logger.level = HttpLoggingInterceptor.Level.BODY
val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
trustManagerFactory.init(null as KeyStore?)
val trustManagers = trustManagerFactory.trustManagers
check(!(trustManagers.size != 1 || trustManagers[0] !is X509TrustManager)) { "Unexpected default trust managers:" + Arrays.toString(trustManagers) }
val trustManager = trustManagers[0] as X509TrustManager

//Set SSL certificate to OkHttpClient Builder
builder.sslSocketFactory(sslSocketFactory, trustManager)
builder.hostnameVerifier { _, _ -> true }
} catch (e: Exception) {
throw RuntimeException(e)
}

//Enable Full Body Logging
val logger = HttpLoggingInterceptor()
