Hard-coded password was moved to resource file

alex268 · alex268 · commit d7545103ae22 · 2025-07-07T14:40:25.000+01:00
diff --git a/core/pom.xml b/core/pom.xml
@@ -87,6 +87,7 @@
                 <directory>src/main/resources</directory>
                 <includes>
                     <include>**/*.pkcs</include>
+                    <include>**/*.password</include>
                 </includes>
                 <filtering>false</filtering>
             </resource>
diff --git a/core/src/main/java/tech/ydb/core/ssl/YandexTrustManagersProvider.java b/core/src/main/java/tech/ydb/core/ssl/YandexTrustManagersProvider.java
@@ -2,6 +2,7 @@
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
@@ -16,14 +17,15 @@
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;
 
+import com.google.common.io.ByteStreams;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 final class YandexTrustManagersProvider {
     private static final Logger logger = LoggerFactory.getLogger(YandexTrustManagerFactory.class);
 
-    private static final String YANDEX_CA_STORE = "certificates/YandexAllCAs.pkcs";
-    private static final String STORE_PASSWORD = "yandex";
+    private static final String CA_STORE = "certificates/YandexAllCAs.pkcs";
+    private static final String CA_KEYPHRASE = "certificates/YandexAllCAs.password";
 
     private final TrustManager[] trustManagers;
 
@@ -45,8 +47,8 @@ private YandexTrustManagersProvider() {
             allTrustManagers.add(composite);
             trustManagers = allTrustManagers.toArray(new TrustManager[0]);
         } catch (NoSuchAlgorithmException | KeyStoreException | CertificateException | IOException e) {
-            logger.debug("Can't init yandex root CA settings", e);
             String msg = "Can't init yandex root CA setting";
+            logger.debug(msg, e);
             throw new RuntimeException(msg, e);
         }
     }
@@ -55,11 +57,14 @@ private List<TrustManager> getDefaultTrustManagers() throws NoSuchAlgorithmExcep
         return getTrustManagersFromKeyStore(null);
     }
 
-    private List<TrustManager> getCustomTrustManagers()
-            throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
+    private List<TrustManager> getCustomTrustManagers() throws KeyStoreException, IOException, NoSuchAlgorithmException,
+            CertificateException {
         KeyStore keyStore = KeyStore.getInstance("PKCS12");
-        try (InputStream is = YandexTrustManagersProvider.class.getClassLoader().getResourceAsStream(YANDEX_CA_STORE)) {
-            keyStore.load(is, STORE_PASSWORD.toCharArray());
+        try (InputStream pis = YandexTrustManagersProvider.class.getClassLoader().getResourceAsStream(CA_KEYPHRASE)) {
+            String passPhrase = new String(ByteStreams.toByteArray(pis), StandardCharsets.UTF_8);
+            try (InputStream is = YandexTrustManagersProvider.class.getClassLoader().getResourceAsStream(CA_STORE)) {
+                keyStore.load(is, passPhrase.toCharArray());
+            }
         }
         return getTrustManagersFromKeyStore(keyStore);
     }
diff --git a/core/src/main/resources/certificates/YandexAllCAs.password b/core/src/main/resources/certificates/YandexAllCAs.password
@@ -0,0 +1 @@
+yandex
