Merge pull request #514 from alex268/master

Fixed low security warnings

Author: alex268

core/pom.xml

@@ -87,6 +87,7 @@
                 <directory>src/main/resources</directory>
                 <includes>
                     <include>**/*.pkcs</include>
+                    <include>**/*.password</include>
                 </includes>
                 <filtering>false</filtering>
             </resource>

core/src/main/java/tech/ydb/core/ssl/MultiX509TrustManager.java

@@ -8,7 +8,12 @@
 
 import javax.net.ssl.X509TrustManager;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 final class MultiX509TrustManager implements X509TrustManager {
+    private static final Logger logger = LoggerFactory.getLogger(MultiX509TrustManager.class);
+
     final List<X509TrustManager> trustManagers;
 
     MultiX509TrustManager(final List<X509TrustManager> trustManagers) {
@@ -23,6 +28,7 @@ public void checkClientTrusted(final X509Certificate[] x509Certificates, final S
                 trustManager.checkClientTrusted(x509Certificates, authType);
                 return;
             } catch (CertificateException ignored) {
+                logger.trace("cannot use trust manager {}",  trustManager, ignored);
             }
         }
         throw new CertificateException("No trust manager trusts this certificates");
@@ -36,6 +42,7 @@ public void checkServerTrusted(final X509Certificate[] x509Certificates, final S
                 trustManager.checkServerTrusted(x509Certificates, authType);
                 return;
             } catch (CertificateException ignored) {
+                logger.trace("cannot use trust manager {}",  trustManager, ignored);
             }
         }
         throw new CertificateException("No trust manager trusts this certificates");

core/src/main/java/tech/ydb/core/ssl/YandexTrustManagersProvider.java

@@ -2,6 +2,7 @@
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
@@ -16,9 +17,15 @@
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;
 
+import com.google.common.io.ByteStreams;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 final class YandexTrustManagersProvider {
-    private static final String YANDEX_CA_STORE = "certificates/YandexAllCAs.pkcs";
-    private static final String STORE_PASSWORD = "yandex";
+    private static final Logger logger = LoggerFactory.getLogger(YandexTrustManagerFactory.class);
+
+    private static final String CA_STORE = "certificates/YandexAllCAs.pkcs";
+    private static final String CA_KEYPHRASE = "certificates/YandexAllCAs.password";
 
     private final TrustManager[] trustManagers;
 
@@ -41,6 +48,7 @@ private YandexTrustManagersProvider() {
             trustManagers = allTrustManagers.toArray(new TrustManager[0]);
         } catch (NoSuchAlgorithmException | KeyStoreException | CertificateException | IOException e) {
             String msg = "Can't init yandex root CA setting";
+            logger.debug(msg, e);
             throw new RuntimeException(msg, e);
         }
     }
@@ -49,11 +57,14 @@ private List<TrustManager> getDefaultTrustManagers() throws NoSuchAlgorithmExcep
         return getTrustManagersFromKeyStore(null);
     }
 
-    private List<TrustManager> getCustomTrustManagers()
-            throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
+    private List<TrustManager> getCustomTrustManagers() throws KeyStoreException, IOException, NoSuchAlgorithmException,
+            CertificateException {
         KeyStore keyStore = KeyStore.getInstance("PKCS12");
-        try (InputStream is = YandexTrustManagersProvider.class.getClassLoader().getResourceAsStream(YANDEX_CA_STORE)) {
-            keyStore.load(is, STORE_PASSWORD.toCharArray());
+        try (InputStream pis = YandexTrustManagersProvider.class.getClassLoader().getResourceAsStream(CA_KEYPHRASE)) {
+            String passPhrase = new String(ByteStreams.toByteArray(pis), StandardCharsets.UTF_8);
+            try (InputStream is = YandexTrustManagersProvider.class.getClassLoader().getResourceAsStream(CA_STORE)) {
+                keyStore.load(is, passPhrase.toCharArray());
+            }
         }
         return getTrustManagersFromKeyStore(keyStore);
     }

core/src/main/resources/certificates/YandexAllCAs.password

@@ -0,0 +1 @@
+yandex