Eclipse Community Forums
How to configure the JGit client to trust only the stash Certificate signed by root CA [message #1772496] Mon, 11 September 2017 14:09
Posted by milani Athapattu
In my project I am using JGit to clone the git repository, make some modifications to the files and commit the code changes.
I am currently using SSH with the public key authentication method for git authentication.
But as a requirement I need to accept only a Stash certificate that is signed by the company's CA.
So far I have implemented a trust manager using X509TrustManager.
Something similar to the Stack Overflow answer below:
import java.io.FileInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;

// Load the company CA certificate that server certificates must be signed by.
CertificateFactory cf = CertificateFactory.getInstance("X.509");
FileInputStream inputStream = new FileInputStream("CACertificate.cer");
X509Certificate caCertificate = (X509Certificate) cf.generateCertificate(inputStream);

X509TrustManager customTm = new X509TrustManager() {
    @Override
    public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException {
        if (certs == null || certs.length == 0) {
            throw new IllegalArgumentException("null or zero-length certificate chain");
        }
        if (authType == null || authType.length() == 0) {
            throw new IllegalArgumentException("null or zero-length authentication type");
        }
        // Accept the server certificate only if it is the CA itself or is signed by the CA's key.
        if (!certs[0].equals(caCertificate)) {
            try {
                certs[0].verify(caCertificate.getPublicKey());
            } catch (Exception e) {
                throw new CertificateException("Certificate not trusted", e);
            }
        }
        // Reject a certificate that is outside its validity period.
        try {
            certs[0].checkValidity();
        } catch (Exception e) {
            throw new CertificateException("Certificate not trusted. It has expired", e);
        }
    }

    // Required by the interface; this code acts only as a client, so no peer is ever trusted as a client.
    @Override
    public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException {
        throw new CertificateException("Client certificates are not accepted");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[] { caCertificate };
    }
};

Now I need to configure this trust manager in the JGit client.
I am using org.eclipse.jgit.http.apache HttpClientConnection to configure the custom trust manager as below. I have debugged it and made sure that when the SSL connection to Stash is established, the checkServerTrusted method of the X509TrustManager is not called.
HttpClientConnection clientConnection = new HttpClientConnection("https://git@stash.mycompany.com:7999/PROJECT/repo.git");
clientConnection.configure(null, new TrustManager[] { customTm }, null);

I am using the dependencies below.
<dependency>
    <groupId>org.eclipse.jgit</groupId>
    <artifactId>org.eclipse.jgit.http.apache</artifactId>
    <version>3.6.2.201501210735-r</version>
</dependency>

<dependency>
    <groupId>org.eclipse.jgit</groupId>
    <artifactId>org.eclipse.jgit</artifactId>
    <version>4.5.0.201609210915-r</version>
</dependency>

Please correct me if I am doing something wrong, and help me configure my custom trust manager in the JGit client...
Re: How to configure the JGit client to trust only the stash Certificate signed by root CA [message #1774528 is a reply to message #1772496] Mon, 16 October 2017 19:56
Posted by Matthias Sohn
First of all you need to configure JGit to use the Apache HttpClient.
For that you need to call
HttpTransport.setConnectionFactory(new org.eclipse.jgit.transport.http.apache.HttpClientConnectionFactory())
Otherwise you will use the default JDKHttpConnectionFactory, which uses HttpURLConnection under the hood.

Though HttpConnectionFactory does not yet allow configuring a custom trust manager. You may consider
subclassing HttpClientFactory and overriding connect() to first call configure(KeyManager[], TrustManager[], SecureRandom)
using your custom KeyManager/TrustManager and then call super.connect().
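The following is an added example, written for this page rather than taken from either post or from the JGit project, that puts the reply's advice and the question's trust manager together: it subclasses HttpClientConnectionFactory, calls configure(KeyManager[], TrustManager[], SecureRandom) on every connection before JGit calls connect(), and registers the factory with HttpTransport.setConnectionFactory(). Instead of the hand-written X509TrustManager from the question it builds the trust managers with the JDK's PKIX TrustManagerFactory over a key store that holds only the company CA, so intermediates, validity periods and certificate extensions are checked by the standard validator while the platform CA bundle is never consulted. It assumes the JGit 4.x org.eclipse.jgit.http.apache API (HttpClientConnectionFactory, HttpClientConnection) and the Apache HttpClient 4.x StrictHostnameVerifier that this version bundles; the class name PinnedCaConnectionFactory, the helper trustOnly(), the alias "company-root-ca", the file "CACertificate.cer" and the clone directory "/tmp/repo" are placeholders chosen for this example.

```java
// Added example; not code from the forum posts or from JGit. Assumes JGit 4.x
// org.eclipse.jgit.http.apache and Apache HttpClient 4.x. Names, paths and the
// alias below are placeholders for the example.

import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.Proxy;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

import org.apache.http.conn.ssl.StrictHostnameVerifier;
import org.eclipse.jgit.api.Git;
import org.eclipse.jgit.transport.HttpTransport;
import org.eclipse.jgit.transport.http.HttpConnection;
import org.eclipse.jgit.transport.http.apache.HttpClientConnection;
import org.eclipse.jgit.transport.http.apache.HttpClientConnectionFactory;

public class PinnedCaConnectionFactory extends HttpClientConnectionFactory {

    private final TrustManager[] trustManagers;

    public PinnedCaConnectionFactory(TrustManager[] trustManagers) {
        this.trustManagers = trustManagers;
    }

    // Trust managers whose only trust anchor is the CA certificate in caFile.
    public static TrustManager[] trustOnly(Path caFile)
            throws IOException, GeneralSecurityException {
        X509Certificate ca;
        try (InputStream in = Files.newInputStream(caFile)) {
            ca = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
        // Empty in-memory key store holding exactly one trusted certificate, so the
        // JDK's default cacerts bundle plays no part in the decision.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("company-root-ca", ca);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    @Override
    public HttpConnection create(URL url) throws IOException {
        return create(url, null);
    }

    @Override
    public HttpConnection create(URL url, Proxy proxy) throws IOException {
        HttpClientConnection conn = new HttpClientConnection(url.toString(), proxy);
        try {
            // Install the pinned trust managers into the connection's SSLContext
            // before JGit calls connect(); null keeps the default key managers
            // and SecureRandom.
            conn.configure(null, trustManagers, null);
            // The trust managers validate the chain, not the host name. A strict
            // host-name verifier keeps a certificate for some other host, issued
            // by the same CA, from being accepted.
            conn.setHostnameVerifier(new StrictHostnameVerifier());
        } catch (GeneralSecurityException e) {
            throw new IOException("could not install custom trust manager", e);
        }
        return conn;
    }

    public static void main(String[] args) throws Exception {
        TrustManager[] tms = trustOnly(Paths.get("CACertificate.cer"));
        // Must run before JGit creates its first HTTP transport.
        HttpTransport.setConnectionFactory(new PinnedCaConnectionFactory(tms));

        Git.cloneRepository()
                .setURI("https://stash.mycompany.com:7999/PROJECT/repo.git")
                .setDirectory(new File("/tmp/repo"))
                .call()
                .close();
    }
}
```

Two things are worth confirming against the JGit version actually on the classpath, since both depend on HttpClientConnection internals rather than on its public contract: that the SSLContext initialised by configure() is the one handed to the Apache HttpClient (as far as the 4.x sources are remembered here, the context is only registered once a host-name verifier has been set, which is a further reason to set one), and that the verifier is enforced. The check is the same for both: a clone from a server presenting a certificate that is not issued by the pinned CA must fail, a clone from a server whose certificate is issued by the CA but carries another host's name must fail, and a breakpoint in the trust manager must be hit on the successful case. Note also that the dependency versions in the question mix org.eclipse.jgit.http.apache 3.6.2 with org.eclipse.jgit 4.5.0; the two artifacts are expected to share one version.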