@nagendra0721 nagendra0721 commented Dec 8, 2025

Summary by CodeRabbit

  • New Features
    • Certificate signature algorithms are now configurable (default: SHA256withRSA).
    • CWT signing requests now accept an optional CWT identifier; you can provide one, request an auto-generated UUID, or omit it.

coderabbitai bot commented Dec 8, 2025

Walkthrough

Replaces a hard-coded signature-algorithm check with a configurable allowed algorithms list; removes an unused HASH_SHA2 constant; adds a CWTId field to the sign request DTO and logic to use/auto-generate CWT IDs (supporting "UUID" to request a random UUID); adds a RANDOM_UUID constant.

Changes

| Cohort / File(s) | Change Summary |
|---|---|
| Partner cert algorithm config: kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/constant/PartnerCertManagerConstants.java, kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/impl/PartnerCertificateManagerServiceImpl.java, kernel/kernel-keymanager-service/src/main/resources/application-local.properties | Removed HASH_SHA2 constant; added allowedSignAlgorithms field injected from mosip.kernel.partner.certificate.allowed.sign.algorithms (default SHA256withRSA); replaced static startsWith check with validation against configured allowed algorithms; added property values in local properties. |
| CWT request DTO: kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/signature/dto/CWTSignRequestDto.java | Added optional CWTId field with @ApiModelProperty. |
| Signature constants & util: kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/signature/constant/SignatureConstant.java, kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/signature/util/SignatureUtil.java | Added RANDOM_UUID = "UUID" constant; updated SignatureUtil to: accept provided CWTId, treat RANDOM_UUID (case-insensitive) as a request to generate a random UUID, and only set the CWT claim cti when the computed ID is non-blank. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Areas needing attention:
    • Property injection and default value parsing in PartnerCertificateManagerServiceImpl
    • Matching logic between configured algorithm strings and incoming signature algorithm (case/format sensitivity)
    • CWTId handling in SignatureUtil: blank/null checks and UUID generation branch
    • Any usages or references to removed HASH_SHA2 constant elsewhere

Suggested reviewers

  • mahammedtaheer

Poem

🐰 I found a key within a leaf,

Configured winds replace old belief.
CWT whispers an ID new—
Say "UUID" and I’ll hop one through.
Hop, clang, spring—code fresh as dew!

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title accurately reflects the primary change: making allowed sign algorithms configurable instead of hard-coded. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 329c144 and d52ff71.

📒 Files selected for processing (1)
  • kernel/kernel-keymanager-service/src/main/resources/application-local.properties (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: keys-generator / build-dockers
  • GitHub Check: kernel-keymanager-service / build-dockers
  • GitHub Check: keys-migrator / build-dockers
🔇 Additional comments (2)
kernel/kernel-keymanager-service/src/main/resources/application-local.properties (2)

143-190: Scope clarification: Role-permission properties appear orthogonal to algorithm configurability.

These 40+ role-permission properties seem to be audit/compliance completeness additions unrelated to the main PR objective of making sign algorithms configurable. Many operations duplicate identical role lists. Verify whether these are intended scope for this PR or should be separated into a follow-up.


140-141: Verify Java implementation correctly injects and parses the allowed signature algorithms configuration.

The comma-separated algorithm list in the configuration property (lines 140-141) is syntactically correct and includes industry-standard RSA, ECDSA, and EdDSA variants. However, the claim that PartnerCertificateManagerServiceImpl uses @Value injection with a default fallback to SHA256withRSA, and how the comma-separated value is parsed, requires verification in the actual Java implementation files.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (5)
kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/signature/constant/SignatureConstant.java (1)

137-138: Clarify sentinel value used for random CWT UUID generation

Using RANDOM_UUID = "UUID" as a magic trigger works but is quite generic; a legitimate CWT ID of "UUID" would now be impossible to use literally. Consider either:

  • Using a less collision‑prone sentinel (e.g. "__RANDOM_UUID__"), or
  • Clearly documenting in the API contract that "UUID" is reserved to mean “generate a random UUID”.

This is non‑blocking but will reduce surprises for integrators.

kernel/kernel-keymanager-service/src/main/resources/application-local.properties (1)

135-137: Make ops expectations for allowed sign algorithms explicit

The new property is good, and the values look correct for common JCA names. Since validation does a plain equalsIgnoreCase check against X509Certificate.getSigAlgName(), it would help operators if the comment clarified that:

  • Each entry must match X509Certificate.getSigAlgName() exactly (case‑insensitive).
  • Values are comma‑separated (no extra commas / empty entries).

You might tweak the comment along the lines of:

-# Partner certificate allowed sign algorithms
-mosip.kernel.partner.certificate.allowed.sign.algorithms=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withECDSA,SHA384withECDSA,SHA512withECDSA,Ed25519
+# Partner certificate allowed sign algorithms (must match X509Certificate.getSigAlgName(), comma-separated)
+mosip.kernel.partner.certificate.allowed.sign.algorithms=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withECDSA,SHA384withECDSA,SHA512withECDSA,Ed25519
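
Review bot: the `-`/`+` pair for the `mosip.kernel.partner.certificate.allowed.sign.algorithms=` line is identical, so only the comment line actually changes; drop the property line from the suggestion to keep the diff minimal. The new comment could also say that matching is case-insensitive and that empty entries are not accepted, because "must match X509Certificate.getSigAlgName()" on its own reads as an exact, case-sensitive match.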

Also double‑check non‑local profiles define this consistently if they need algorithms beyond the default.

kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/signature/util/SignatureUtil.java (1)

470-474: CWT ID handling looks correct; consider trimming before sentinel check

The new logic:

  • Defaults cwtId to BLANK when null,
  • Generates a random UUID when cwtId.equalsIgnoreCase(RANDOM_UUID),
  • Only sets cti when cwtUniqueId is non‑blank,

is consistent and avoids emitting empty cti claims.

Two small optional improvements:

  1. Make the sentinel comparison tolerant to surrounding whitespace, in line with isDataValid:
-String cwtId = requestDto.getCWTId() != null ? requestDto.getCWTId() : SignatureConstant.BLANK;
-String cwtUniqueId = (cwtId.equalsIgnoreCase(SignatureConstant.RANDOM_UUID))
+String cwtId = requestDto.getCWTId() != null ? requestDto.getCWTId().trim() : SignatureConstant.BLANK;
+String cwtUniqueId = (cwtId.equalsIgnoreCase(SignatureConstant.RANDOM_UUID))
         ? UUID.randomUUID().toString()
         : cwtId;
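
Review bot: on the first `+` line, `.trim()` is applied when `cwtId` is assigned, so it also changes the value returned by the `: cwtId` branch: a caller-supplied ID with leading or trailing whitespace is altered before it is used, not only the sentinel comparison. If only the sentinel check should be whitespace-tolerant, trim inside the `equalsIgnoreCase` comparison instead; if trimming the ID itself is intended, state that in the field's documentation. The second `-`/`+` pair (the `cwtUniqueId` line) is unchanged and can be left out of the suggestion.
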
  2. Ensure the API docs for CWTId mention that the special value "UUID" triggers random UUID generation, so callers understand this behavior.

Also applies to: 491-492

kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/impl/PartnerCertificateManagerServiceImpl.java (1)

128-129: Config‑driven algorithm check is good; add minimal safety around the list

Moving to allowedSignAlgorithms is a nice improvement over the previous hard‑coded check.

A couple of non‑blocking suggestions:

  1. Guard against empty/misconfigured config

If the property is accidentally set to an empty value, all partner cert uploads will start failing at runtime. You could fail fast or at least log clearly on startup, e.g.:

@PostConstruct
private void validateAllowedSignAlgorithms() {
    if (allowedSignAlgorithms == null || allowedSignAlgorithms.isEmpty()) {
        LOGGER.error(PartnerCertManagerConstants.SESSIONID,
                     PartnerCertManagerConstants.UPLOAD_PARTNER_CERT,
                     PartnerCertManagerConstants.EMPTY,
                     "No allowed certificate signature algorithms configured");
        // optionally: throw a PartnerCertManagerException or fall back to a default list
    }
}
  2. Normalize values once for cheaper lookups (optional)

If this check runs frequently, you might normalize allowedSignAlgorithms into a lower‑case Set<String> once and compare on lower‑case signatureAlgorithm, instead of streaming each time. Not required for correctness, just a micro‑optimization.

Overall, the comparison allowedSignAlgorithms.stream().noneMatch(signatureAlgorithm::equalsIgnoreCase) is fine as‑is.

Also applies to: 642-649

kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/signature/dto/CWTSignRequestDto.java (1)

96-100: Consider naming and document the special “UUID” behavior for CWTId

Functionally this field works and matches the getCWTId() usage in SignatureUtil.

Two small improvements to consider while the API is still new:

  1. Field name style

CWTId will serialize as JSON property "CWTId". If you prefer conventional camelCase JSON ("cwtId"), you could rename the field to cwtId and, if needed, use @JsonProperty("cwtId") to pin the wire name. Not mandatory, but more idiomatic.

  2. Surface the “UUID” sentinel in the contract

Since SignatureUtil treats the value "UUID" as “generate a random UUID”, it would be helpful to mention this explicitly in the Swagger annotation, e.g.:

@ApiModelProperty(
    notes = "CWT Id (use value 'UUID' to auto-generate a random UUID)",
    example = "123",
    required = false
)
private String CWTId;

This makes the feature discoverable for clients.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d5b7764 and 329c144.

📒 Files selected for processing (6)
  • kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/constant/PartnerCertManagerConstants.java (0 hunks)
  • kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/impl/PartnerCertificateManagerServiceImpl.java (2 hunks)
  • kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/signature/constant/SignatureConstant.java (1 hunks)
  • kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/signature/dto/CWTSignRequestDto.java (1 hunks)
  • kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/signature/util/SignatureUtil.java (2 hunks)
  • kernel/kernel-keymanager-service/src/main/resources/application-local.properties (1 hunks)
💤 Files with no reviewable changes (1)
  • kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/constant/PartnerCertManagerConstants.java
🧰 Additional context used
🧬 Code graph analysis (1)
kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/signature/util/SignatureUtil.java (1)
kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/signature/constant/SignatureConstant.java (1)
  • SignatureConstant (10-139)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build-kernel / maven-build
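
An added example, not part of the review or of the MOSIP code base: one way to combine the two suggestions for PartnerCertificateManagerServiceImpl (fail fast on an empty list, normalize once into a set) with exact-name matching in place of the old prefix check. The class and method names are hypothetical, and the sample property value and algorithm names in `main` are constructed.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

// Added example, not MOSIP code. Class and method names are hypothetical.
public class AllowedSignAlgorithms {

    private final Set<String> allowed;

    // rawProperty: the comma-separated value of
    // mosip.kernel.partner.certificate.allowed.sign.algorithms
    public AllowedSignAlgorithms(String rawProperty) {
        Set<String> parsed = Arrays.stream((rawProperty == null ? "" : rawProperty).split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())             // tolerate "a,,b" and trailing commas
                .map(s -> s.toLowerCase(Locale.ROOT))  // locale-independent case folding
                .collect(Collectors.toSet());
        if (parsed.isEmpty()) {
            // Fail fast: an empty allow-list would reject every upload at runtime.
            throw new IllegalStateException("No allowed certificate signature algorithms configured");
        }
        this.allowed = Collections.unmodifiableSet(parsed);
    }

    // sigAlgName: the value of X509Certificate.getSigAlgName() for the uploaded certificate.
    public boolean isAllowed(String sigAlgName) {
        return sigAlgName != null && allowed.contains(sigAlgName.trim().toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample configuration with stray whitespace and an empty entry.
        AllowedSignAlgorithms cfg = new AllowedSignAlgorithms(" SHA256withRSA, SHA384withECDSA,,Ed25519 ");
        System.out.println(cfg.isAllowed("SHA256WITHRSA"));    // differs only in case
        System.out.println(cfg.isAllowed("SHA1withRSA"));      // not on the list
        System.out.println(cfg.isAllowed("SHA256withRSA-X"));  // constructed name sharing a prefix
        try {
            new AllowedSignAlgorithms(" , ");                  // misconfigured: no usable entries
        } catch (IllegalStateException e) {
            System.out.println("startup rejected: " + e.getMessage());
        }
    }
}
```

Only the first lookup is accepted; the prefix-sharing name is rejected because the set lookup compares whole names, and the whitespace-only property is rejected at construction time.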

@mahammedtaheer mahammedtaheer merged commit b60f7c4 into mosip:develop Dec 12, 2025
12 checks passed