To meet our internal security requirements, I've written a Java client that uses certificates to mutually authenticate with the server. However, to get the certificate into an SSLContext, I have to provide a password to the keystore and truststore. The password is in plain text in the code, which is also against our requirements.
Is there any way to avoid having the keystore/truststore passwords in plain text in the code? I've tried answers on Stack Overflow that suggest creating a store without a password and/or just loading a certificate directly into the SSLContext, but authentication fails when I try these methods.
Typically, certificates and truststores do not contain information that must be kept secret. The one thing that has to be kept secret is the private key, which is contained in the keystore. Protecting the keystore with a password is somewhat like putting a key in a safe and locking that safe with a second key - so it doesn't really help.
Anyway, you could read the password from a (resource) file that you don't check in to your VCS and leave it to the deployment to provide that file (which could be protected by restricting read access to the appropriate user at operating system level).
But of course, you could do that directly with the keystore, too - without using a password.
If requirements are high, have a look at Trusted Platform Module.
Key- and truststores can be configured by system properties, so it may be possible not to deal with them at all from source code.
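As an added illustration of the file-based approach in this answer (this is example code, not from the question or the answer): the keystore password is read from a file that the deployment provides and restricts to the service user, the truststore is assumed to have been created without a password, and no secret appears in the source. The class name, the password-file layout and the PKCS12 store type are assumptions.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class MutualTlsContext {

    // Reads the keystore password from a file deployed outside the repository,
    // e.g. owned by the service account with mode 0400. Assumption: one line, the password only.
    static char[] readSecret(Path file) throws Exception {
        String s = new String(Files.readAllBytes(file), StandardCharsets.UTF_8).trim();
        return s.toCharArray();
    }

    // Loads a keystore of the given type; password may be null for a store that has none
    // (a truststore only holds public certificates, so there is nothing to decrypt).
    static KeyStore load(Path path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Builds an SSLContext for mutual TLS: client key from the keystore, server CA from the truststore.
    public static SSLContext build(Path keyStorePath, Path keyStorePwFile, Path trustStorePath) throws Exception {
        char[] pw = readSecret(keyStorePwFile);
        try {
            KeyStore ks = load(keyStorePath, "PKCS12", pw);
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, pw); // the private-key entry is protected by the same password here

            KeyStore ts = load(trustStorePath, "PKCS12", null); // truststore created without a password
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);

            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            return ctx;
        } finally {
            Arrays.fill(pw, '\0'); // clear the secret from memory once the context is initialised
        }
    }
}
```

The three paths would come from the deployment as well (for instance via system properties or environment variables), so the code base contains neither the password nor an environment-specific location.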