org.eclipse.egit.core/src/org/eclipse/egit/core/NetUtil.java - egit/egit - Git at Google

 /*******************************************************************************
  * Copyright (C) 2015, Christian Halstrick <christian.halstrick@sap.com>
  *
  * All rights reserved. This program and the accompanying materials are made
  * available under the terms of the Eclipse Public License 2.0 which
  * accompanies this distribution, and is available at
  * https://www.eclipse.org/legal/epl-2.0/
  *
  * SPDX-License-Identifier: EPL-2.0
  *******************************************************************************/
 package org.eclipse.egit.core;

 import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.URISyntaxException;
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.X509Certificate;

 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;

 import org.eclipse.jgit.lib.Repository;
 import org.eclipse.jgit.transport.HttpConfig;
 import org.eclipse.jgit.transport.URIish;

 /**
  * Networking utilities
  */
 public class NetUtil {

 	private static final TrustManager[] TRUST_ALL_CERTS = new TrustManager[] {
 			new X509TrustManager() {
 				@Override
 				public X509Certificate[] getAcceptedIssuers() {
 					return null;
 				}

 				@Override
 				public void checkClientTrusted(X509Certificate[] certs,
 						String authType) {
 					// no check
 				}

 				@Override
 				public void checkServerTrusted(X509Certificate[] certs,
 						String authType) {
 					// no check
 				}
 			} };

 	private static final HostnameVerifier TRUST_ALL_HOST_NAMES = (hostname,
 			session) -> true; // always accept

 	/**
 	 * Configures a {@link HttpURLConnection} according to the value of the
 	 * repositories configuration parameter "http.sslVerify". When this value is
 	 * false and when the URL is for the "https" protocol then all hostnames are
 	 * accepted and certificates are also accepted when they can't be validated
 	 *
 	 * @param repo
 	 *            the repository to be asked for the configuration parameter
 	 *            http.sslVerify
 	 * @param conn
 	 *            the connection to be configured
 	 * @throws IOException
 	 */
 	public static void setSslVerification(Repository repo,
 			HttpURLConnection conn) throws IOException {
 		if ("https".equals(conn.getURL().getProtocol())) { //$NON-NLS-1$
 			HttpsURLConnection httpsConn = (HttpsURLConnection) conn;
 			try {
 				HttpConfig http = new HttpConfig(repo.getConfig(),
 						new URIish(conn.getURL().toString()));
 				if (!http.isSslVerify()) {
 					SSLContext ctx = SSLContext.getInstance("TLS"); //$NON-NLS-1$
 					ctx.init(null, TRUST_ALL_CERTS, null);
 					httpsConn.setSSLSocketFactory(ctx.getSocketFactory());
 					httpsConn.setHostnameVerifier(TRUST_ALL_HOST_NAMES);
 				}
 			} catch (KeyManagementException | NoSuchAlgorithmException
 					| URISyntaxException e) {
 				throw new IOException(e.getMessage(), e);
 			}
 		}
 	}
 }
	/*******************************************************************************
	* Copyright (C) 2015, Christian Halstrick <christian.halstrick@sap.com>
	*
	* All rights reserved. This program and the accompanying materials are made
	* available under the terms of the Eclipse Public License 2.0 which
	* accompanies this distribution, and is available at
	* https://www.eclipse.org/legal/epl-2.0/
	*
	* SPDX-License-Identifier: EPL-2.0
	*******************************************************************************/
	package org.eclipse.egit.core;

	import java.io.IOException;
	import java.net.HttpURLConnection;
	import java.net.URISyntaxException;
	import java.security.KeyManagementException;
	import java.security.NoSuchAlgorithmException;
	import java.security.cert.X509Certificate;

	import javax.net.ssl.HostnameVerifier;
	import javax.net.ssl.HttpsURLConnection;
	import javax.net.ssl.SSLContext;
	import javax.net.ssl.TrustManager;
	import javax.net.ssl.X509TrustManager;

	import org.eclipse.jgit.lib.Repository;
	import org.eclipse.jgit.transport.HttpConfig;
	import org.eclipse.jgit.transport.URIish;

	/**
	* Networking utilities
	*/
	public class NetUtil {

	private static final TrustManager[] TRUST_ALL_CERTS = new TrustManager[] {
	new X509TrustManager() {
	@Override
	public X509Certificate[] getAcceptedIssuers() {
	return null;
	}

	@Override
	public void checkClientTrusted(X509Certificate[] certs,
	String authType) {
	// no check
	}

	@Override
	public void checkServerTrusted(X509Certificate[] certs,
	String authType) {
	// no check
	}
	} };

	private static final HostnameVerifier TRUST_ALL_HOST_NAMES = (hostname,
	session) -> true; // always accept

	/**
	* Configures a {@link HttpURLConnection} according to the value of the
	* repositories configuration parameter "http.sslVerify". When this value is
	* false and when the URL is for the "https" protocol then all hostnames are
	* accepted and certificates are also accepted when they can't be validated
	*
	* @param repo
	* the repository to be asked for the configuration parameter
	* http.sslVerify
	* @param conn
	* the connection to be configured
	* @throws IOException
	*/
	public static void setSslVerification(Repository repo,
	HttpURLConnection conn) throws IOException {
	if ("https".equals(conn.getURL().getProtocol())) { //$NON-NLS-1$
	HttpsURLConnection httpsConn = (HttpsURLConnection) conn;
	try {
	HttpConfig http = new HttpConfig(repo.getConfig(),
	new URIish(conn.getURL().toString()));
	if (!http.isSslVerify()) {
	SSLContext ctx = SSLContext.getInstance("TLS"); //$NON-NLS-1$
	ctx.init(null, TRUST_ALL_CERTS, null);
	httpsConn.setSSLSocketFactory(ctx.getSocketFactory());
	httpsConn.setHostnameVerifier(TRUST_ALL_HOST_NAMES);
	}
	} catch (KeyManagementException \| NoSuchAlgorithmException
	\| URISyntaxException e) {
	throw new IOException(e.getMessage(), e);
	}
	}
	}
	}