From 73725e94fe5187ca4da53bfb6caa19da2b17aaee Mon Sep 17 00:00:00 2001
From: gbrodman <gbrodman@google.com>
Date: Wed, 20 May 2026 16:02:35 -0400
Subject: [PATCH] Avoid injection of a possibly-null string value if thee
 Valkey cert key doesn't exist (#3055)

---
 .../java/google/registry/cache/CacheModule.java     | 13 ++++++-------
 .../java/google/registry/keyring/KeyringModule.java |  5 +++--
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/core/src/main/java/google/registry/cache/CacheModule.java b/core/src/main/java/google/registry/cache/CacheModule.java
index d43c64e74..0b6188676 100644
--- a/core/src/main/java/google/registry/cache/CacheModule.java
+++ b/core/src/main/java/google/registry/cache/CacheModule.java
@@ -60,12 +60,15 @@ public final class CacheModule {
   public static Optional<UnifiedJedis> provideJedis(
       @ApplicationDefaultCredential GoogleCredentialsBundle credentialsBundle,
       @Config("valkeyHostsAndPorts") Optional<ImmutableList<String>> valkeyHostsAndPorts,
-      @Config("valkeySslSocketFactory") SSLSocketFactory valkeySslSocketFactory) {
-    if (valkeyHostsAndPorts.map(ImmutableList::isEmpty).orElse(true)) {
+      @Config("valkeyCertificateAuthority") Optional<String> valkeyCertificateAuthority) {
+    if (valkeyHostsAndPorts.map(ImmutableList::isEmpty).orElse(true)
+        || valkeyCertificateAuthority.isEmpty()) {
       return Optional.empty();
     }
     ImmutableSet<HostAndPort> hostsAndPorts =
         valkeyHostsAndPorts.get().stream().map(HostAndPort::from).collect(toImmutableSet());
+    SSLSocketFactory valkeySslSocketFactory =
+        createValkeySslSocketFactory(valkeyCertificateAuthority.get());
     JedisClientConfig clientConfig =
         DefaultJedisClientConfig.builder()
             .ssl(true)
@@ -111,11 +114,7 @@ public final class CacheModule {
     return new MultilayerHostCache(jedisClient.get(), cacheMetrics);
   }
 
-  @Provides
-  @Singleton
-  @Config("valkeySslSocketFactory")
-  static SSLSocketFactory provideValkeySslSocketFactory(
-      @Config("valkeyCertificateAuthority") String valkeyCertificateAuthority) {
+  private static SSLSocketFactory createValkeySslSocketFactory(String valkeyCertificateAuthority) {
     try {
       ImmutableList<X509Certificate> trustedCerts =
           CertificateFactory.getInstance("X.509")
diff --git a/core/src/main/java/google/registry/keyring/KeyringModule.java b/core/src/main/java/google/registry/keyring/KeyringModule.java
index bd400f922..ca7d28994 100644
--- a/core/src/main/java/google/registry/keyring/KeyringModule.java
+++ b/core/src/main/java/google/registry/keyring/KeyringModule.java
@@ -22,6 +22,7 @@ import google.registry.config.RegistryConfig.Config;
 import google.registry.keyring.api.Keyring;
 import google.registry.keyring.secretmanager.SecretManagerKeyring;
 import jakarta.inject.Singleton;
+import java.util.Optional;
 
 /** Dagger module for {@link Keyring} */
 @Module
@@ -55,7 +56,7 @@ public abstract class KeyringModule {
 
   @Provides
   @Config("valkeyCertificateAuthority")
-  public static String provideValkeyCertificateAuthority(Keyring keyring) {
-    return keyring.getValkeyCertificateAuthority();
+  public static Optional<String> provideValkeyCertificateAuthority(Keyring keyring) {
+    return Optional.ofNullable(keyring.getValkeyCertificateAuthority());
   }
 }