diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/signature/service/impl/SignatureServiceImpl.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/signature/service/impl/SignatureServiceImpl.java
index 5d2dda02..50bdfd62 100644
--- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/signature/service/impl/SignatureServiceImpl.java
+++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/signature/service/impl/SignatureServiceImpl.java
@@ -27,6 +27,7 @@
 import io.mosip.kernel.partnercertservice.service.spi.PartnerCertificateManagerService;
 import io.mosip.kernel.signature.dto.*;
 import io.mosip.kernel.signature.service.SignatureServicev2;
+import jakarta.annotation.PreDestroy;
 import org.apache.commons.codec.binary.Base64;
 import org.jose4j.jca.ProviderContext;
 import org.jose4j.jwa.AlgorithmFactory;
@@ -147,7 +148,7 @@ public class SignatureServiceImpl implements SignatureService, SignatureServicev
 private static Map SIGNATURE_PROVIDER = new HashMap<>();
- AlgorithmFactory jwsAlgorithmFactory;
+// AlgorithmFactory jwsAlgorithmFactory;
 static {
 SIGNATURE_PROVIDER.put(SignatureConstant.JWS_PS256_SIGN_ALGO_CONST, new PS256SIgnatureProviderImpl());
@@ -171,9 +172,6 @@ public class SignatureServiceImpl implements SignatureService, SignatureServicev
 private final ConcurrentMap certCache = new ConcurrentHashMap<>();
 private final ConcurrentMap jwsHeaderCache = new ConcurrentHashMap<>();
 private final ConcurrentMap providerCache = new ConcurrentHashMap<>();
- private static final long TRUST_TTL_MS = 5 * 60 * 1000; // 5 minutes
- private static final class BoolWithTs { final boolean v; final long ts; BoolWithTs(boolean v,long ts){this.v=v;this.ts=ts;} }
- private final ConcurrentMap trustCache = new ConcurrentHashMap<>();
 // Keep lightweight decoders & factories thread-local
 private static final ThreadLocal KF_RSA = 
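Review bot: The field is commented out rather than deleted (`+// AlgorithmFactory jwsAlgorithmFactory;`); version control already preserves the old declaration, so the line should simply be dropped. If it is being kept as a reminder that the jose4j factory is no longer held as a field, a one-line comment stating why is clearer than dead code. The enclosing class body continues outside the hunk.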
@@ -202,6 +200,20 @@ public void init() {
 }
 }
+ @PreDestroy
+ public void destroy() {
+ KF_RSA.remove();
+ KF_EC.remove();
+ KF_ED.remove();
+ MD_SHA256.remove();
+ B64_DEC.remove();
+ B64_ENC.remove();
+ jwsHeaderCache.clear();
+ pubKeyCache.clear();
+ certCache.clear();
+ providerCache.clear();
+ }
+
 @Override
 public SignatureResponse sign(SignRequestDto signRequestDto) {
 SignatureRequestDto signatureRequestDto = new SignatureRequestDto();
@@ -1047,8 +1059,9 @@ private String signV2(String dataToSign, SignatureCertificate certificateRespons
 try {
 jwSign.setHeader(entry.getKey(), entry.getValue());
 } catch (Exception e) {
- // Log the error but skip and continue processing
- e.printStackTrace();
+ // Log the error but skip and continue processing
+ LOGGER.warn(SignatureConstant.SESSIONID, SignatureConstant.JWS_SIGN, SignatureConstant.BLANK,
+ "error occur while adding additional header: " + entry.getKey() + " value: " + entry.getValue());
 }
 }
 }
diff --git a/kernel/keys-generator/src/main/java/io/mosip/kernel/keygenerator/generator/RandomKeysGenerator.java b/kernel/keys-generator/src/main/java/io/mosip/kernel/keygenerator/generator/RandomKeysGenerator.java
index 12060c75..35a2783b 100644
--- a/kernel/keys-generator/src/main/java/io/mosip/kernel/keygenerator/generator/RandomKeysGenerator.java
+++ b/kernel/keys-generator/src/main/java/io/mosip/kernel/keygenerator/generator/RandomKeysGenerator.java
@@ -63,6 +63,7 @@ public class RandomKeysGenerator {
 private ThreadLocal CIPHER_AES_ECB_NO_PADDING;
+ @SuppressWarnings("java:S5542")
 @PostConstruct
 public void init() {
 secureRandomThreadLocal = ThreadLocal.withInitial(SecureRandom::new);
diff --git a/kernel/keys-migrator/Dockerfile b/kernel/keys-migrator/Dockerfile
index 9cf68598..3912fa49 100755
--- a/kernel/keys-migrator/Dockerfile
+++ b/kernel/keys-migrator/Dockerfile 
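Review bot: The `KF_RSA.remove()` through `B64_ENC.remove()` calls in the new destroy() only unbind the ThreadLocal value on the thread that invokes the @PreDestroy callback; the values created by get() on the request-handling threads stay bound to those threads, so this does not release the per-thread factory, digest and codec instances it appears to. If the goal is to avoid retaining them across a context restart, the ThreadLocals have to be removed on the threads that used them (or the thread pool itself must be shut down with the context); as written the method only helps the shutdown thread. A Javadoc making the limited effect explicit, e.g. `/** Best-effort shutdown hook: clears the caches and the ThreadLocals of the calling thread only. */`, would keep a later maintainer from relying on it. The enclosing class continues outside the hunk.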
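Review bot: The exception caught at `} catch (Exception e) {` is no longer recorded anywhere — the new `LOGGER.warn(...)` call logs the header key and value but drops `e`, so the stack trace that `e.printStackTrace()` used to print is replaced by a message that cannot say why `jwSign.setHeader` failed. Appending the cause keeps the diagnostic, e.g. `"error occur while adding additional header: " + entry.getKey() + " value: " + entry.getValue() + " reason: " + e.getMessage()`, or use a logger overload that accepts the Throwable if the project's Logger offers one. Note also that `entry.getValue()` is written to the log verbatim; if these additional headers are caller-supplied, confirm that nothing sensitive can arrive in them before they land in logs. signV2 starts and ends outside the hunk.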
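Review bot: `@SuppressWarnings("java:S5542")` silences the Sonar finding on init() without recording why it is acceptable; the neighbouring field `CIPHER_AES_ECB_NO_PADDING` suggests the suppressed finding concerns an AES/ECB/NoPadding cipher, and a reviewer cannot tell from the hunk whether that mode is appropriate for its use here (a single-block operation such as wrapping a one-block key can be, general data encryption is not). The justification belongs next to the annotation, e.g. `// S5542 suppressed: AES/ECB/NoPadding is used only for <single-block use — TODO fill in>, see CIPHER_AES_ECB_NO_PADDING`. init() continues outside the hunk.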
@@ -89,7 +89,9 @@ RUN apt-get -y update \
 && adduser ${container_user} sudo \
 && echo "%sudo ALL=(ALL) NOPASSWD:/home/${container_user}/${hsm_local_dir}/install.sh" >> /etc/sudoers \
 && mkdir -p ${loader_path} \
-&& chmod +x configure_start.sh
+&& chmod +x /home/${container_user}/configure_start.sh \
+&& chmod a-w /home/${container_user}/configure_start.sh \
+&& chown -R ${container_user}:${container_user} /home/${container_user}
 ENTRYPOINT [ "./configure_start.sh" ]
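Review bot: The write-protection on the entrypoint is undone by the line that follows it: after `chmod a-w`, the new `chown -R ${container_user}:${container_user} /home/${container_user}` makes the unprivileged user the owner of configure_start.sh, and a file's owner can always restore the write bit, so the script is not actually immutable for the user that runs it. The same recursive chown also hands that user ownership of everything under the home directory, including `${hsm_local_dir}/install.sh` if it already exists at this layer — the path the sudoers line above allows to run as root without a password — so the NOPASSWD grant then covers a file the user controls. Keep the home directory owned by the user but give the privileged scripts back to root, e.g. end the chown line with ` \` and add `&& chown root:root /home/${container_user}/configure_start.sh`, and treat install.sh the same way once it is in place (the earlier `chmod +x`/`a-w` bits survive the chown). Whether install.sh exists at this point in the build is not visible in the hunk.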