Merge remote-tracking branch 'origin/main' into srm-UID2-6479-change-ecdh-crypto-to-accp

RSam25 · RSam25 · commit 3b284b84d4bd · 2026-01-13T09:41:38.000+11:00
diff --git a/.trivyignore b/.trivyignore
@@ -18,4 +18,7 @@ CVE-2025-64720 exp:2026-06-05
 CVE-2025-65018 exp:2026-06-05
 
 # UID2-6385
-CVE-2025-66293 exp:2026-06-15
+CVE-2025-66293 exp:2026-06-15
+
+# UID2-6481
+CVE-2025-68973 exp:2026-06-15
diff --git a/pom.xml b/pom.xml
@@ -6,7 +6,7 @@
 
     <groupId>com.uid2</groupId>
     <artifactId>uid2-operator</artifactId>
-    <version>5.63.7-alpha-281-SNAPSHOT</version>
+    <version>5.63.11</version>
   
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
diff --git a/scripts/gcp-oidc/terraform/main.tf b/scripts/gcp-oidc/terraform/main.tf
@@ -108,7 +108,7 @@ resource "google_compute_instance_template" "uid_operator" {
       tee-container-log-redirect     = true
       tee-restart-policy             = "Never"
       tee-env-DEPLOYMENT_ENVIRONMENT = var.uid_deployment_env
-      tee-env-API_TOKEN_SECRET_NAME  = var.uid_operator_key_secret_name
+      tee-env-API_TOKEN_SECRET_NAME  = module.secret-manager.secret_versions[0]
       tee-env-CORE_BASE_URL          = var.uid_deployment_env == "integ" ? "https://core-integ.uidapi.com" : "https://core-prod.uidapi.com"
       tee-env-OPTOUT_BASE_URL        = var.uid_deployment_env == "integ" ? "https://optout-integ.uidapi.com" : "https://optout-prod.uidapi.com"
     },
diff --git a/src/main/java/com/uid2/operator/service/CryptoProviderService.java b/src/main/java/com/uid2/operator/service/CryptoProviderService.java
@@ -35,6 +35,11 @@ private static String initEcdhProvider() {
         return null;
     }
 
+    /**
+     * Create ECDH Key Agreement using ACCP if available, fall back to SunEC if not
+     * @return ECDH KeyAgreement
+     * @throws NoSuchAlgorithmException
+     */
     public static KeyAgreement createKeyAgreement() throws  NoSuchAlgorithmException {
         if (ECDH_PROVIDER_NAME != null) {
             try {
diff --git a/src/main/java/com/uid2/operator/vertx/UIDOperatorVerticle.java b/src/main/java/com/uid2/operator/vertx/UIDOperatorVerticle.java
@@ -408,7 +408,7 @@ private void handleClientSideTokenGenerateImpl(RoutingContext rc) throws NoSuchA
             return;
         }
 
-        // Perform key agreement (uses cached provider: ACCP > SunEC)
+        // Perform key agreement
         final KeyAgreement ka = CryptoProviderService.createKeyAgreement();
         ka.init(clientSideKeypair.getPrivateKey());
         ka.doPhase(clientPublicKey, true);

Original file line number	Diff line number	Diff line change
`@@ -408,7 +408,7 @@ private void handleClientSideTokenGenerateImpl(RoutingContext rc) throws NoSuchA`
`408`	`408`	`return;`
`409`	`409`	`}`
`410`	`410`
`411`		`- // Perform key agreement (uses cached provider: ACCP > SunEC)`
	`411`	`+ // Perform key agreement`
`412`	`412`	`final KeyAgreement ka = CryptoProviderService.createKeyAgreement();`
`413`	`413`	`ka.init(clientSideKeypair.getPrivateKey());`
`414`	`414`	`ka.doPhase(clientPublicKey, true);`