Moved crypto code to a service and updated ACCP

Author: RSam25

Dockerfile

@@ -1,5 +1,5 @@
 # sha from https://hub.docker.com/layers/library/eclipse-temurin/21.0.9_10-jre-alpine-3.23/images/sha256-f599f6fa11f007b6dcf6e85ec2c372c1eba2b6940a7828eb6e665665ea5edd1c
-FROM eclipse-temurin@sha256:243e711289b0f17e05a4df60454bbb1b8ed7b126db4de2d5535da994b7417111
+FROM eclipse-temurin@sha256:89517925fa675c6c4b770bee7c44d38a7763212741b0d6fca5a5103caab21a97
 
 RUN apk add --no-cache gcompat
 
@@ -20,12 +20,16 @@ COPY ./target/${JAR_NAME}-${JAR_VERSION}-static.tar.gz /app/static.tar.gz
 COPY ./conf/default-config.json /app/conf/
 COPY ./conf/*.xml /app/conf/
 
+# Fix CVE-2025-68973: Update gnupg to patched version
+RUN apk update && apk upgrade gnupg && rm -rf /var/cache/apk/*
+
 RUN tar xzvf /app/static.tar.gz --no-same-owner --no-same-permissions && rm -f /app/static.tar.gz
 
 RUN adduser -D uid2-operator && mkdir -p /opt/uid2 && chmod 777 -R /opt/uid2 && mkdir -p /app && chmod 705 -R /app && mkdir -p /app/file-uploads && chmod 777 -R /app/file-uploads && mkdir -p /app/pod_terminating && chmod 777 -R /app/pod_terminating
 USER uid2-operator
 
 CMD java \
+    -XX:+UnlockDiagnosticVMOptions -XX:+DebugNonSafepoints \
     -XX:MaxRAMPercentage=95 -XX:-UseCompressedOops -XX:+PrintFlagsFinal -XX:-OmitStackTraceInFastThrow \
     -Djava.security.egd=file:/dev/./urandom \
     -Dvertx.logger-delegate-factory-class-name=io.vertx.core.logging.SLF4JLogDelegateFactory \

pom.xml

@@ -18,7 +18,7 @@
         <vertx.verticle>com.uid2.operator.vertx.UIDOperatorVerticle</vertx.verticle>
         <!-- check micrometer.version vertx-micrometer-metrics consumes before bumping up -->
         <micrometer.version>1.12.2</micrometer.version>
-        <accp.version>2.3.3</accp.version>
+        <accp.version>2.5.0</accp.version>
         <enclave-api.version>2.1.6</enclave-api.version>
         <enclave-aws.version>2.1.0</enclave-aws.version>
         <enclave-azure.version>2.1.19</enclave-azure.version> 

src/main/java/com/uid2/operator/service/CryptoProviderService.java

@@ -0,0 +1,50 @@
+package com.uid2.operator.service;
+
+import com.uid2.operator.vertx.UIDOperatorVerticle;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.crypto.KeyAgreement;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+
+public class CryptoProviderService {
+    private static final Logger LOGGER = LoggerFactory.getLogger(CryptoProviderService.class);
+
+    // ECDH provider selection: tries ACCP first, falls back to default (SunEC)
+    private static final String ECDH_PROVIDER_NAME = initEcdhProvider();
+    private static final ThreadLocal<KeyAgreement> THREAD_LOCAL_KEY_AGREEMENT = ThreadLocal.withInitial(() -> {
+        try {
+            return createKeyAgreement();
+        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
+            throw new RuntimeException("Failed to create KeyAgreement", e);
+        }
+    });
+
+    private static String initEcdhProvider() {
+        // Try ACCP (Amazon Corretto Crypto Provider) first
+        try {
+            KeyAgreement ka = KeyAgreement.getInstance("ECDH", "AmazonCorrettoCryptoProvider");
+            LOGGER.info("ECDH using AmazonCorrettoCryptoProvider");
+            return "AmazonCorrettoCryptoProvider";
+        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
+            // ACCP not available, fall through
+            LOGGER.info("AmazonCorrettoCryptoProvider is not available");
+        }
+
+        // Fall back to default provider (SunEC on most JDKs)
+        LOGGER.info("ECDH using default provider (SunEC)");
+        return null;
+    }
+
+    private static KeyAgreement createKeyAgreement() throws NoSuchAlgorithmException, NoSuchProviderException {
+        if (ECDH_PROVIDER_NAME != null) {
+            return KeyAgreement.getInstance("ECDH", ECDH_PROVIDER_NAME);
+        }
+        return KeyAgreement.getInstance("ECDH");
+    }
+
+    public static KeyAgreement getKeyAgreement() {
+        return THREAD_LOCAL_KEY_AGREEMENT.get();
+    }
+}

src/main/java/com/uid2/operator/vertx/UIDOperatorVerticle.java

@@ -91,42 +91,6 @@ public class UIDOperatorVerticle extends AbstractVerticle {
     private static final ObjectMapper OBJECT_MAPPER = Mapper.getApiInstance();
     private static final long SECOND_IN_MILLIS = 1000;
 
-    // ECDH provider selection: tries ACCP first, falls back to default (SunEC)
-    private static final String ECDH_PROVIDER_NAME = initEcdhProvider();
-    private static final ThreadLocal<KeyAgreement> THREAD_LOCAL_KEY_AGREEMENT = ThreadLocal.withInitial(() -> {
-        try {
-            return createKeyAgreement();
-        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
-            throw new RuntimeException("Failed to create KeyAgreement", e);
-        }
-    });
-
-    private static String initEcdhProvider() {
-        // Try ACCP (Amazon Corretto Crypto Provider) first
-        try {
-            KeyAgreement ka = KeyAgreement.getInstance("ECDH", "AmazonCorrettoCryptoProvider");
-            LOGGER.info("ECDH using AmazonCorrettoCryptoProvider");
-            return "AmazonCorrettoCryptoProvider";
-        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
-            // ACCP not available, fall through
-        }
-
-        // Fall back to default provider (SunEC on most JDKs)
-        LOGGER.info("ECDH using default provider (SunEC)");
-        return null;
-    }
-
-    private static KeyAgreement createKeyAgreement() throws NoSuchAlgorithmException, NoSuchProviderException {
-        if (ECDH_PROVIDER_NAME != null) {
-            return KeyAgreement.getInstance("ECDH", ECDH_PROVIDER_NAME);
-        }
-        return KeyAgreement.getInstance("ECDH");
-    }
-
-    private static KeyAgreement getKeyAgreement() {
-        return THREAD_LOCAL_KEY_AGREEMENT.get();
-    }
-
     private static final String REQUEST = "request";
     private final HealthComponent healthComponent = HealthManager.instance.registerComponent("http-server");
     private final Cipher aesGcm;
@@ -444,8 +408,8 @@ private void handleClientSideTokenGenerateImpl(RoutingContext rc) throws NoSuchA
             return;
         }
 
-        // Perform key agreement (uses cached provider: ACCP > Conscrypt > SunEC)
-        final KeyAgreement ka = getKeyAgreement();
+        // Perform key agreement (uses cached provider: ACCP > SunEC)
+        final KeyAgreement ka = CryptoProviderService.getKeyAgreement();
         ka.init(clientSideKeypair.getPrivateKey());
         ka.doPhase(clientPublicKey, true);