From 62975e4a3baae6a7421e5ed1496b386687699701 Mon Sep 17 00:00:00 2001 From: Samin Rahman Date: Thu, 12 Feb 2026 14:55:08 +1100 Subject: [PATCH 01/13] Changed to jdk for profiling --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 5fb795c79..7346b0715 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # sha from https://hub.docker.com/layers/library/eclipse-temurin/21-jre-alpine-3.23/images/sha256-693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6 -FROM eclipse-temurin@sha256:693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6 +FROM eclipse-temurin:21-jdk-alpine # For Amazon Corretto Crypto Provider RUN apk add --no-cache gcompat From 03b33f2822aad64ddab24b7560f3d03c51f706ec Mon Sep 17 00:00:00 2001 From: Release Workflow Date: Thu, 12 Feb 2026 04:02:14 +0000 Subject: [PATCH 02/13] [CI Pipeline] Released Snapshot version: 5.65.1-alpha-304-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 8f21067db..820dd2639 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.65.0 + 5.65.1-alpha-304-SNAPSHOT UTF-8 From eec1c63aaceec01573a60d5e2a133487ad06481b Mon Sep 17 00:00:00 2001 From: Samin Rahman Date: Fri, 13 Feb 2026 11:44:48 +1100 Subject: [PATCH 03/13] Switched to ubi 10 base image and set ACCP default for all crypto --- Dockerfile | 5 +-- .../service/CryptoProviderService.java | 35 ++++++++----------- 2 files changed, 15 insertions(+), 25 deletions(-) diff --git a/Dockerfile b/Dockerfile index 7346b0715..56a39ee97 100644 --- a/Dockerfile +++ b/Dockerfile 
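Review bot: The new `FROM eclipse-temurin:21-jdk-alpine` line drops the sha256 digest pin, so the base image can change between builds without any change in this repository, and the `# sha from ...` comment above it now describes an image that is no longer used. If a JDK is needed for profiling, pin it the same way, `FROM eclipse-temurin@sha256:<digest of the 21-jdk-alpine image>`, and update the comment to point at that digest's source. A full JDK also ships more tooling than the JRE image, so this variant is better kept out of the production build if the profiling is temporary. The same unpinned-tag pattern recurs in the later Dockerfile hunks of this series (`21-jdk-ubi10-minimal` in patch 03 and the return to `21-jdk-alpine` in patch 07).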
@@ -1,8 +1,5 @@ # sha from https://hub.docker.com/layers/library/eclipse-temurin/21-jre-alpine-3.23/images/sha256-693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6 -FROM eclipse-temurin:21-jdk-alpine - -# For Amazon Corretto Crypto Provider -RUN apk add --no-cache gcompat +FROM eclipse-temurin:21-jdk-ubi10-minimal WORKDIR /app EXPOSE 8080 diff --git a/src/main/java/com/uid2/operator/service/CryptoProviderService.java b/src/main/java/com/uid2/operator/service/CryptoProviderService.java index c9fee2df3..38dd0b614 100644 --- a/src/main/java/com/uid2/operator/service/CryptoProviderService.java +++ b/src/main/java/com/uid2/operator/service/CryptoProviderService.java 
@@ -7,45 +7,38 @@ import javax.crypto.KeyAgreement; import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; -import java.security.Security; public class CryptoProviderService { private static final Logger LOGGER = LoggerFactory.getLogger(CryptoProviderService.class); - // ECDH provider selection: tries ACCP first, falls back to default (SunEC) - private static final String ECDH_PROVIDER_NAME = initEcdhProvider(); + // ACCP provider name when available (after install()); null otherwise + private static final String ACCP_PROVIDER_NAME = initAccpAsDefault(); - private static String initEcdhProvider() { - // Try ACCP (Amazon Corretto Crypto Provider) first + private static String initAccpAsDefault() { try { - // Add ACCP at lowest priority so it doesn't become default for other algorithms - Security.addProvider(AmazonCorrettoCryptoProvider.INSTANCE); - - // Verify it works for ECDH - KeyAgreement ka = KeyAgreement.getInstance("ECDH", AmazonCorrettoCryptoProvider.PROVIDER_NAME); - LOGGER.info("ECDH using AmazonCorrettoCryptoProvider (added at lowest priority)"); - return AmazonCorrettoCryptoProvider.PROVIDER_NAME; + AmazonCorrettoCryptoProvider.install(); + if (AmazonCorrettoCryptoProvider.INSTANCE.getLoadingError() == null) { + LOGGER.info("AmazonCorrettoCryptoProvider installed as default for all crypto"); + return AmazonCorrettoCryptoProvider.PROVIDER_NAME; + } } catch (Throwable e) { - // ACCP not available LOGGER.info("AmazonCorrettoCryptoProvider is not available: {}", e.getMessage()); } - - // Fall back to default provider - LOGGER.info("ECDH using default provider (SunEC)"); + LOGGER.info("Using platform default crypto provider"); return null; } /** - * Create ECDH Key Agreement using ACCP if available, fall back to SunEC if not + * Create ECDH Key Agreement. Uses ACCP when installed as default; otherwise platform default (e.g. SunEC). 
* @return ECDH KeyAgreement * @throws NoSuchAlgorithmException */ - public static KeyAgreement createKeyAgreement() throws NoSuchAlgorithmException { - if (ECDH_PROVIDER_NAME != null) { + public static KeyAgreement createKeyAgreement() throws NoSuchAlgorithmException { + if (ACCP_PROVIDER_NAME != null) { try { - return KeyAgreement.getInstance("ECDH", ECDH_PROVIDER_NAME); + return KeyAgreement.getInstance("ECDH", ACCP_PROVIDER_NAME); } catch (NoSuchProviderException e) { - LOGGER.info("{} is not available: {}", ECDH_PROVIDER_NAME, e.getMessage()); + LOGGER.info("{} is not available: {}", ACCP_PROVIDER_NAME, e.getMessage()); } } return KeyAgreement.getInstance("ECDH"); From 0ba17fc9b4b61e048953826333f18291b098755e Mon Sep 17 00:00:00 2001 From: Release Workflow Date: Fri, 13 Feb 2026 00:48:36 +0000 Subject: [PATCH 04/13] [CI Pipeline] Released Snapshot version: 5.65.2-alpha-305-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 820dd2639..524c8851d 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.65.1-alpha-304-SNAPSHOT + 5.65.2-alpha-305-SNAPSHOT UTF-8 From b25f313647022129188e3958074962567d52f6dc Mon Sep 17 00:00:00 2001 From: Samin Rahman Date: Fri, 13 Feb 2026 11:55:15 +1100 Subject: [PATCH 05/13] Adapted Dockerfile commands for ubi --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 56a39ee97..1ed6c2e68 100644 --- a/Dockerfile +++ b/Dockerfile 
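Review bot: In `initAccpAsDefault()`, when `getLoadingError()` returns non-null the method falls through to "Using platform default crypto provider" without recording why ACCP failed, so a broken native load looks the same in the logs as a deliberate fallback. Logging the cause on that branch would fix it, e.g. `LOGGER.warn("AmazonCorrettoCryptoProvider failed to load", AmazonCorrettoCryptoProvider.INSTANCE.getLoadingError());`. Separately, `install()` makes ACCP the preferred provider for every JCA lookup in the JVM, whereas the removed comment deliberately kept it at lowest priority. A comment on `ACCP_PROVIDER_NAME` saying that this now affects all algorithms, not only ECDH, would help the next reader.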
@@ -20,7 +20,7 @@ COPY ./conf/*.xml /app/conf/ RUN tar xzvf /app/static.tar.gz --no-same-owner --no-same-permissions && rm -f /app/static.tar.gz -RUN adduser -D uid2-operator && mkdir -p /opt/uid2 && chmod 777 -R /opt/uid2 && mkdir -p /app && chmod 705 -R /app && mkdir -p /app/file-uploads && chmod 777 -R /app/file-uploads && mkdir -p /app/pod_terminating && chmod 777 -R /app/pod_terminating +RUN useradd -r uid2-operator && mkdir -p /opt/uid2 && chmod -R 777 /opt/uid2 && mkdir -p /app && chmod -R 705 /app && mkdir -p /app/file-uploads && chmod -R 777 /app/file-uploads && mkdir -p /app/pod_terminating && chmod -R 777 /app/pod_terminating USER uid2-operator CMD java \ From 30138341e776e8b2cc68465f429d5f3bf5bf6228 Mon Sep 17 00:00:00 2001 From: Release Workflow Date: Fri, 13 Feb 2026 00:58:49 +0000 Subject: [PATCH 06/13] [CI Pipeline] Released Snapshot version: 5.65.3-alpha-306-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 524c8851d..8fa6ed28f 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.65.2-alpha-305-SNAPSHOT + 5.65.3-alpha-306-SNAPSHOT UTF-8 From 85b2e4c5cd441a24575b505786c8e605c33cde86 Mon Sep 17 00:00:00 2001 From: Samin Rahman Date: Tue, 17 Feb 2026 15:24:27 +1100 Subject: [PATCH 07/13] Added early exit instead of exception handling on hot path --- Dockerfile | 5 ++++- .../java/com/uid2/operator/util/RoutingContextUtil.java | 6 ++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 1ed6c2e68..510175b67 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,8 @@ # sha from https://hub.docker.com/layers/library/eclipse-temurin/21-jre-alpine-3.23/images/sha256-693c22ea458d62395bac47a2da405d0d18c77b205211ceec4846a550a37684b6 -FROM eclipse-temurin:21-jdk-ubi10-minimal +FROM eclipse-temurin:21-jdk-alpine + +# For Amazon Corretto Crypto Provider +RUN apk add --no-cache gcompat WORKDIR /app EXPOSE 8080 
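Review bot: The rewritten `RUN` line still makes `/opt/uid2`, `/app/file-uploads` and `/app/pod_terminating` world-writable with `chmod -R 777`, so any user or process in the container can modify files the service reads or writes. Since the account is created on the same line, giving it ownership is tighter: `chown -R uid2-operator /opt/uid2 /app/file-uploads /app/pod_terminating && chmod -R 700 /opt/uid2 /app/file-uploads /app/pod_terminating`. If the orchestrator runs the container under an arbitrary UID, group ownership would be needed instead, which cannot be told from this hunk. The same modes come back unchanged in the `adduser -D` version restored in patch 10.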
diff --git a/src/main/java/com/uid2/operator/util/RoutingContextUtil.java b/src/main/java/com/uid2/operator/util/RoutingContextUtil.java index e6f69e51a..1cd8307d2 100644 --- a/src/main/java/com/uid2/operator/util/RoutingContextUtil.java +++ b/src/main/java/com/uid2/operator/util/RoutingContextUtil.java @@ -20,7 +20,13 @@ public static String getApiContact(RoutingContext rc, IAuthorizableProvider auth try { final String authHeaderValue = rc.request().getHeader("Authorization"); final String authKey = extractBearerToken(authHeaderValue); + if (authKey == null) { + return UNKNOWN; + } final IAuthorizable profile = authKeyStore.get(authKey); + if (profile == null) { + return UNKNOWN; + } String apiContact = profile.getContact(); return apiContact == null ? UNKNOWN : apiContact; } catch (Exception ex) { From fd252cdd39c68afa27c2642bf35528304099dcea Mon Sep 17 00:00:00 2001 From: Samin Rahman Date: Tue, 17 Feb 2026 15:27:14 +1100 Subject: [PATCH 08/13] Reverted changes to Crypto --- .../service/CryptoProviderService.java | 35 +++++++++++-------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/src/main/java/com/uid2/operator/service/CryptoProviderService.java b/src/main/java/com/uid2/operator/service/CryptoProviderService.java index 38dd0b614..c9fee2df3 100644 --- a/src/main/java/com/uid2/operator/service/CryptoProviderService.java +++ b/src/main/java/com/uid2/operator/service/CryptoProviderService.java 
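Review bot: The new guard in `getApiContact` only tests `authKey == null`, so if `extractBearerToken` can return an empty string for a malformed `Authorization` header (its body is not in this hunk), that value still reaches `authKeyStore.get(authKey)`. If so, `if (authKey == null || authKey.isEmpty()) { return UNKNOWN; }` closes the gap. A one-line comment above the guards, such as `// Missing or unknown keys are expected here; return early instead of relying on the catch below`, would record why the checks exist now that `catch (Exception ex)` only covers unexpected failures. The method begins before and continues past this hunk.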
@@ -7,38 +7,45 @@ import javax.crypto.KeyAgreement; import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; +import java.security.Security; public class CryptoProviderService { private static final Logger LOGGER = LoggerFactory.getLogger(CryptoProviderService.class); - // ACCP provider name when available (after install()); null otherwise - private static final String ACCP_PROVIDER_NAME = initAccpAsDefault(); + // ECDH provider selection: tries ACCP first, falls back to default (SunEC) + private static final String ECDH_PROVIDER_NAME = initEcdhProvider(); - private static String initAccpAsDefault() { + private static String initEcdhProvider() { + // Try ACCP (Amazon Corretto Crypto Provider) first try { - AmazonCorrettoCryptoProvider.install(); - if (AmazonCorrettoCryptoProvider.INSTANCE.getLoadingError() == null) { - LOGGER.info("AmazonCorrettoCryptoProvider installed as default for all crypto"); - return AmazonCorrettoCryptoProvider.PROVIDER_NAME; - } + // Add ACCP at lowest priority so it doesn't become default for other algorithms + Security.addProvider(AmazonCorrettoCryptoProvider.INSTANCE); + + // Verify it works for ECDH + KeyAgreement ka = KeyAgreement.getInstance("ECDH", AmazonCorrettoCryptoProvider.PROVIDER_NAME); + LOGGER.info("ECDH using AmazonCorrettoCryptoProvider (added at lowest priority)"); + return AmazonCorrettoCryptoProvider.PROVIDER_NAME; } catch (Throwable e) { + // ACCP not available LOGGER.info("AmazonCorrettoCryptoProvider is not available: {}", e.getMessage()); } - LOGGER.info("Using platform default crypto provider"); + + // Fall back to default provider + LOGGER.info("ECDH using default provider (SunEC)"); return null; } /** - * Create ECDH Key Agreement. Uses ACCP when installed as default; otherwise platform default (e.g. SunEC). 
+ * Create ECDH Key Agreement using ACCP if available, fall back to SunEC if not * @return ECDH KeyAgreement * @throws NoSuchAlgorithmException */ - public static KeyAgreement createKeyAgreement() throws NoSuchAlgorithmException { - if (ACCP_PROVIDER_NAME != null) { + public static KeyAgreement createKeyAgreement() throws NoSuchAlgorithmException { + if (ECDH_PROVIDER_NAME != null) { try { - return KeyAgreement.getInstance("ECDH", ACCP_PROVIDER_NAME); + return KeyAgreement.getInstance("ECDH", ECDH_PROVIDER_NAME); } catch (NoSuchProviderException e) { - LOGGER.info("{} is not available: {}", ACCP_PROVIDER_NAME, e.getMessage()); + LOGGER.info("{} is not available: {}", ECDH_PROVIDER_NAME, e.getMessage()); } } return KeyAgreement.getInstance("ECDH"); From bd88d986d6d5b48da3bb300d63208f8faf2a4091 Mon Sep 17 00:00:00 2001 From: Release Workflow Date: Tue, 17 Feb 2026 04:31:18 +0000 Subject: [PATCH 09/13] [CI Pipeline] Released Snapshot version: 5.66.3-alpha-308-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index afed05e39..c4d3d8bb6 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.66.2 + 5.66.3-alpha-308-SNAPSHOT UTF-8 From 6ea2bf09239c101c78d8869256da8350d2f5510e Mon Sep 17 00:00:00 2001 From: Samin Rahman Date: Tue, 17 Feb 2026 15:34:36 +1100 Subject: [PATCH 10/13] Fixed dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 510175b67..7346b0715 100644 --- a/Dockerfile +++ b/Dockerfile 
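Review bot: In the restored `initEcdhProvider()`, `catch (Throwable e)` also swallows errors unrelated to ACCP availability, and only `e.getMessage()` is logged at INFO, which can be null for linkage failures. Presumably `Throwable` is there to cover native-load errors. Narrowing to `catch (Exception | LinkageError e)` and passing the throwable to the logger, `LOGGER.warn("AmazonCorrettoCryptoProvider is not available", e);`, keeps the fallback while preserving the cause. The local `KeyAgreement ka` is never read, so calling `KeyAgreement.getInstance("ECDH", AmazonCorrettoCryptoProvider.PROVIDER_NAME);` without the assignment makes it clear the call is only a probe.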
@@ -23,7 +23,7 @@ COPY ./conf/*.xml /app/conf/ RUN tar xzvf /app/static.tar.gz --no-same-owner --no-same-permissions && rm -f /app/static.tar.gz -RUN useradd -r uid2-operator && mkdir -p /opt/uid2 && chmod -R 777 /opt/uid2 && mkdir -p /app && chmod -R 705 /app && mkdir -p /app/file-uploads && chmod -R 777 /app/file-uploads && mkdir -p /app/pod_terminating && chmod -R 777 /app/pod_terminating +RUN adduser -D uid2-operator && mkdir -p /opt/uid2 && chmod 777 -R /opt/uid2 && mkdir -p /app && chmod 705 -R /app && mkdir -p /app/file-uploads && chmod 777 -R /app/file-uploads && mkdir -p /app/pod_terminating && chmod 777 -R /app/pod_terminating USER uid2-operator CMD java \ From 32a4d923b53d2b05b47842ca72cc2d96b7f7724d Mon Sep 17 00:00:00 2001 From: Release Workflow Date: Tue, 17 Feb 2026 04:39:36 +0000 Subject: [PATCH 11/13] [CI Pipeline] Released Snapshot version: 5.66.4-alpha-309-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index c4d3d8bb6..0d0181156 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.66.3-alpha-308-SNAPSHOT + 5.66.4-alpha-309-SNAPSHOT UTF-8 From f6812acfbf5f73fdb50e134b8a91936ca69aac51 Mon Sep 17 00:00:00 2001 From: Samin Rahman Date: Wed, 18 Feb 2026 13:34:02 +1100 Subject: [PATCH 12/13] Bumped shared version --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 0d0181156..d7b20daa1 100644 --- a/pom.xml +++ b/pom.xml @@ -23,7 +23,7 @@ 2.1.0 2.1.19 2.1.9 - 11.4.4 + 11.4.5-alpha-341-SNAPSHOT ${project.version} 21 21 From 62aebf939b9af2bdc94c2bd3321b80ac8cf7941f Mon Sep 17 00:00:00 2001 From: Release Workflow Date: Wed, 18 Feb 2026 02:37:47 +0000 Subject: [PATCH 13/13] [CI Pipeline] Released Snapshot version: 5.66.5-alpha-310-SNAPSHOT --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index d7b20daa1..362bad889 100644 --- a/pom.xml +++ b/pom.xml 
@@ -6,7 +6,7 @@ com.uid2 uid2-operator - 5.66.4-alpha-309-SNAPSHOT + 5.66.5-alpha-310-SNAPSHOT UTF-8