MOSIP-30573: fixing the security hotspot

kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/signature/service/impl/SignatureServiceImpl.java

@@ -27,6 +27,7 @@
 import io.mosip.kernel.partnercertservice.service.spi.PartnerCertificateManagerService;
 import io.mosip.kernel.signature.dto.*;
 import io.mosip.kernel.signature.service.SignatureServicev2;
+import jakarta.annotation.PreDestroy;
 import org.apache.commons.codec.binary.Base64;
 import org.jose4j.jca.ProviderContext;
 import org.jose4j.jwa.AlgorithmFactory;
@@ -147,7 +148,7 @@ public class SignatureServiceImpl implements SignatureService, SignatureServicev
 
 	private static Map<String, SignatureProvider> SIGNATURE_PROVIDER = new HashMap<>();
 
-	AlgorithmFactory<JsonWebSignatureAlgorithm> jwsAlgorithmFactory;
+//	AlgorithmFactory<JsonWebSignatureAlgorithm> jwsAlgorithmFactory;
 
 	static {
 		SIGNATURE_PROVIDER.put(SignatureConstant.JWS_PS256_SIGN_ALGO_CONST, new PS256SIgnatureProviderImpl());
@@ -171,9 +172,6 @@ public class SignatureServiceImpl implements SignatureService, SignatureServicev
     private final ConcurrentMap<String, X509Certificate> certCache = new ConcurrentHashMap<>();
     private final ConcurrentMap<String, String> jwsHeaderCache = new ConcurrentHashMap<>();
     private final ConcurrentMap<String, Provider> providerCache = new ConcurrentHashMap<>();
-    private static final long TRUST_TTL_MS = 5 * 60 * 1000; // 5 minutes
-    private static final class BoolWithTs { final boolean v; final long ts; BoolWithTs(boolean v,long ts){this.v=v;this.ts=ts;} }
-    private final ConcurrentMap<String, BoolWithTs> trustCache = new ConcurrentHashMap<>();
 
     // Keep lightweight decoders & factories thread-local
     private static final ThreadLocal<java.security.KeyFactory> KF_RSA =
@@ -202,6 +200,20 @@ public void init() {
 		}
 	}
 
+    @PreDestroy
+    public void destroy() {
+        KF_RSA.remove();
+        KF_EC.remove();
+        KF_ED.remove();
+        MD_SHA256.remove();
+        B64_DEC.remove();
+        B64_ENC.remove();
+        jwsHeaderCache.clear();
+        pubKeyCache.clear();
+        certCache.clear();
+        providerCache.clear();
+    }
+
 	@Override
 	public SignatureResponse sign(SignRequestDto signRequestDto) {
 		SignatureRequestDto signatureRequestDto = new SignatureRequestDto();
@@ -1047,8 +1059,9 @@ private String signV2(String dataToSign, SignatureCertificate certificateRespons
 					try {
 						jwSign.setHeader(entry.getKey(), entry.getValue());
 					} catch (Exception e) {
-						// Log the error but skip and continue processing
-						e.printStackTrace();
+                        // Log the error but skip and continue processing
+                        LOGGER.warn(SignatureConstant.SESSIONID, SignatureConstant.JWS_SIGN, SignatureConstant.BLANK,
+                                "error occur while adding additional header: " + entry.getKey() + " value: " + entry.getValue());
 					}
 				}
 			}

kernel/keys-generator/src/main/java/io/mosip/kernel/keygenerator/generator/RandomKeysGenerator.java

@@ -63,6 +63,7 @@ public class RandomKeysGenerator {
 
     private ThreadLocal<Cipher> CIPHER_AES_ECB_NO_PADDING;
 
+    @SuppressWarnings("java:S5542")
     @PostConstruct
     public void init() {
         secureRandomThreadLocal = ThreadLocal.withInitial(SecureRandom::new);

kernel/keys-migrator/Dockerfile

@@ -89,7 +89,9 @@ RUN apt-get -y update \
 && adduser ${container_user} sudo \
 && echo "%sudo ALL=(ALL) NOPASSWD:/home/${container_user}/${hsm_local_dir}/install.sh" >> /etc/sudoers \
 && mkdir -p ${loader_path} \
-&& chmod +x configure_start.sh
+&& chmod +x /home/${container_user}/configure_start.sh \
+&& chmod a-w /home/${container_user}/configure_start.sh \
+&& chown -R ${container_user}:${container_user} /home/${container_user}
 
 ENTRYPOINT [ "./configure_start.sh" ]