Add an option to disable SSL verification

artemlos · artemlos · commit 83c2b5858fb0 · 2021-11-08T13:59:21.000+01:00
diff --git a/src/main/java/io/cryptolens/internal/HelperMethods.java b/src/main/java/io/cryptolens/internal/HelperMethods.java
@@ -7,8 +7,12 @@
 import io.cryptolens.models.ErrorType;
 import io.cryptolens.models.RequestModel;
 
+import javax.net.ssl.*;
 import java.lang.reflect.Field;
 import java.lang.reflect.Type;
+import java.security.SecureRandom;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
 import java.time.Instant;
 import java.time.LocalDateTime;
 import java.time.ZoneId;
@@ -17,6 +21,13 @@
 
 public class HelperMethods {
 
+    /**
+     * This field can be used to bypass SSL verification when calling app.cryptolens.io. Set this to 'false'
+     * before calling any of the API methods. Once an API method is called, it will no longer be possible
+     * to re-enable SSL verification by setting this variable to false.
+     */
+    public static boolean SSLEnabled = true;
+
     public static <T extends BasicResult> T SendRequestToWebAPI(String method, RequestModel model, Map<String,String> extraParams, Class<T> clazz) {
         return SendRequestToWebAPI(method, model, extraParams, clazz, null);
     }
@@ -55,6 +66,29 @@ public static <T extends BasicResult> T SendRequestToWebAPI(String method, Reque
         RequestHandler requestHandler = new HttpsURLConnectionRequestHandler();
 
         try {
+            if(!HelperMethods.SSLEnabled) {
+                HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
+                    public boolean verify(String hostname, SSLSession session) {
+                        return true;
+                    }
+                });
+                SSLContext context = SSLContext.getInstance("TLS");
+                context.init(null, new X509TrustManager[]{new X509TrustManager() {
+                    public void checkClientTrusted(X509Certificate[] chain,
+                                                   String authType) throws CertificateException {
+                    }
+
+                    public void checkServerTrusted(X509Certificate[] chain,
+                                                   String authType) throws CertificateException {
+                    }
+
+                    public X509Certificate[] getAcceptedIssuers() {
+                        return new X509Certificate[0];
+                    }
+                }}, new SecureRandom());
+                HttpsURLConnection.setDefaultSSLSocketFactory(
+                        context.getSocketFactory());
+            }
 
             String response = requestHandler.makePostRequest(licenseServerUrl + "/api/" + method, params);
 
