/*
 * Copyright (C) The Arvados Authors. All rights reserved.
 *
 * SPDX-License-Identifier: AGPL-3.0 OR Apache-2.0
 */
8 package org.arvados.client.api.client.factory;
10 import okhttp3.OkHttpClient;
11 import org.arvados.client.exception.ArvadosClientException;
12 import org.slf4j.Logger;
14 import javax.net.ssl.SSLContext;
15 import javax.net.ssl.SSLSocketFactory;
16 import javax.net.ssl.TrustManager;
17 import javax.net.ssl.X509TrustManager;
18 import java.security.KeyManagementException;
19 import java.security.NoSuchAlgorithmException;
20 import java.security.SecureRandom;
21 import java.security.cert.X509Certificate;
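/**
 * Builds the {@link OkHttpClient} instances used by the client library.
 *
 * <p>Security-relevant behaviour: {@link #create(boolean)} called with {@code true} returns a
 * client that accepts any certificate chain and any hostname. Such a connection is encrypted but
 * the peer is not authenticated, so an on-path party can read or modify everything sent through
 * the client. Where a host uses a private or self-signed CA, adding that CA to the trust store
 * keeps validation in place and is preferable to the insecure flag.
 */
public class OkHttpClientFactory {

    // Shared, immutable logger; one per class rather than one per factory instance.
    private static final Logger log =
            org.slf4j.LoggerFactory.getLogger(OkHttpClientFactory.class);

    OkHttpClientFactory() {
    }

    /**
     * Returns a builder for this factory.
     *
     * @return a new {@link OkHttpClientFactoryBuilder}
     */
    public static OkHttpClientFactoryBuilder builder() {
        return new OkHttpClientFactoryBuilder();
    }

    /**
     * Creates an HTTP client.
     *
     * @param apiHostInsecure when {@code false}, the client keeps OkHttp's default certificate and
     *     hostname validation; when {@code true}, both checks are disabled (see the class
     *     documentation) and a warning is logged
     * @return a newly built client
     * @throws ArvadosClientException if the permissive TLS context cannot be set up
     */
    public OkHttpClient create(boolean apiHostInsecure) {
        OkHttpClient.Builder builder = new OkHttpClient.Builder();
        if (apiHostInsecure) {
            trustAllCertificates(builder);
        }
        return builder.build();
    }

    /**
     * Configures {@code builder} so that the resulting client skips certificate-chain validation
     * and hostname verification.
     *
     * @param builder the client builder to modify in place
     * @throws ArvadosClientException if the TLS context cannot be obtained or initialised
     */
    private void trustAllCertificates(OkHttpClient.Builder builder) {
        // Logged on every insecure client so that deployments can audit for (and alert on) its use.
        log.warn("Creating unsafe OkHttpClient. All SSL certificates will be accepted.");
        try {
            // Trust manager whose checks are no-ops: no chain is ever rejected.
            final X509TrustManager trustAllManager = createX509TrustManager();

            // Request the standard "TLS" context rather than the legacy "SSL" name, whose
            // protocol set is provider-dependent. Trust decisions are unaffected by this choice.
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, new TrustManager[] {trustAllManager}, new SecureRandom());

            // The same manager instance is handed to OkHttp alongside the socket factory.
            builder.sslSocketFactory(sslContext.getSocketFactory(), trustAllManager);
            // Accept every hostname: the certificate's subject is not matched against the host.
            builder.hostnameVerifier((hostname, session) -> true);
        } catch (NoSuchAlgorithmException | KeyManagementException e) {
            throw new ArvadosClientException("Error establishing SSL context", e);
        }
    }

    /**
     * Creates a trust manager that never rejects a certificate chain.
     *
     * @return a manager whose check methods are empty and which reports no accepted issuers
     */
    private static X509TrustManager createX509TrustManager() {
        return new X509TrustManager() {

            // Empty body: returning normally means "trusted", so every client chain passes.
            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}

            // Empty body: every server chain passes, including expired or self-signed ones.
            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}

            @Override
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[] {};
            }
        };
    }

    /** Builder for {@link OkHttpClientFactory}; it currently carries no options. */
    public static class OkHttpClientFactoryBuilder {
        OkHttpClientFactoryBuilder() {
        }

        /**
         * Builds the factory.
         *
         * @return a new {@link OkHttpClientFactory}
         */
        public OkHttpClientFactory build() {
            return new OkHttpClientFactory();
        }

        @Override
        public String toString() {
            return "OkHttpClientFactory.OkHttpClientFactoryBuilder()";
        }
    }
}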