Added ACCP Provider and ecdh caching

Author: RSam25

Dockerfile

@@ -1,6 +1,8 @@
 # sha from https://hub.docker.com/layers/library/eclipse-temurin/21.0.9_10-jre-alpine-3.23/images/sha256-f599f6fa11f007b6dcf6e85ec2c372c1eba2b6940a7828eb6e665665ea5edd1c
 FROM eclipse-temurin@sha256:243e711289b0f17e05a4df60454bbb1b8ed7b126db4de2d5535da994b7417111
 
+RUN apk add --no-cache gcompat
+
 WORKDIR /app
 EXPOSE 8080
 

pom.xml

@@ -18,6 +18,7 @@
         <vertx.verticle>com.uid2.operator.vertx.UIDOperatorVerticle</vertx.verticle>
         <!-- check micrometer.version vertx-micrometer-metrics consumes before bumping up -->
         <micrometer.version>1.12.2</micrometer.version>
+        <accp.version>2.3.3</accp.version>
         <enclave-api.version>2.1.6</enclave-api.version>
         <enclave-aws.version>2.1.0</enclave-aws.version>
         <enclave-azure.version>2.1.19</enclave-azure.version> 
@@ -203,6 +204,13 @@
             <version>5.12.0</version>
             <scope>test</scope>
         </dependency>
+        <!-- ACCP - Amazon Corretto Crypto Provider -->
+        <dependency>
+            <groupId>software.amazon.cryptools</groupId>
+            <artifactId>AmazonCorrettoCryptoProvider</artifactId>
+            <version>${accp.version}</version>
+            <classifier>linux-x86_64</classifier>
+        </dependency>
     </dependencies>
 
     <profiles>

src/main/java/com/uid2/operator/vertx/UIDOperatorVerticle.java

@@ -91,6 +91,42 @@ public class UIDOperatorVerticle extends AbstractVerticle {
     private static final ObjectMapper OBJECT_MAPPER = Mapper.getApiInstance();
     private static final long SECOND_IN_MILLIS = 1000;
 
+    // ECDH provider selection: tries ACCP first, falls back to default (SunEC)
+    private static final String ECDH_PROVIDER_NAME = initEcdhProvider();
+    private static final ThreadLocal<KeyAgreement> THREAD_LOCAL_KEY_AGREEMENT = ThreadLocal.withInitial(() -> {
+        try {
+            return createKeyAgreement();
+        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
+            throw new RuntimeException("Failed to create KeyAgreement", e);
+        }
+    });
+
+    private static String initEcdhProvider() {
+        // Try ACCP (Amazon Corretto Crypto Provider) first
+        try {
+            KeyAgreement ka = KeyAgreement.getInstance("ECDH", "AmazonCorrettoCryptoProvider");
+            LOGGER.info("ECDH using AmazonCorrettoCryptoProvider");
+            return "AmazonCorrettoCryptoProvider";
+        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
+            // ACCP not available, fall through
+        }
+
+        // Fall back to default provider (SunEC on most JDKs)
+        LOGGER.info("ECDH using default provider (SunEC)");
+        return null;
+    }
+
+    private static KeyAgreement createKeyAgreement() throws NoSuchAlgorithmException, NoSuchProviderException {
+        if (ECDH_PROVIDER_NAME != null) {
+            return KeyAgreement.getInstance("ECDH", ECDH_PROVIDER_NAME);
+        }
+        return KeyAgreement.getInstance("ECDH");
+    }
+
+    private static KeyAgreement getKeyAgreement() {
+        return THREAD_LOCAL_KEY_AGREEMENT.get();
+    }
+
     private static final String REQUEST = "request";
     private final HealthComponent healthComponent = HealthManager.instance.registerComponent("http-server");
     private final Cipher aesGcm;
@@ -408,8 +444,8 @@ private void handleClientSideTokenGenerateImpl(RoutingContext rc) throws NoSuchA
             return;
         }
 
-        // Perform key agreement
-        final KeyAgreement ka = KeyAgreement.getInstance("ECDH");
+        // Perform key agreement (uses cached provider: ACCP > Conscrypt > SunEC)
+        final KeyAgreement ka = getKeyAgreement();
         ka.init(clientSideKeypair.getPrivateKey());
         ka.doPhase(clientPublicKey, true);