MOSIP-44825 (#537)

* Fixed the keymanager memory spike GC pressure issue

Signed-off-by: Dhanendra Sahu <dhanendra.tech@gmail.com>

* Fixed the keymanager memory spike GC pressure issue

Signed-off-by: Dhanendra Sahu <dhanendra.tech@gmail.com>

---------

Signed-off-by: Dhanendra Sahu <dhanendra.tech@gmail.com>

Author: dhanendra06

kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/cryptomanager/util/CryptomanagerUtils.java

@@ -64,6 +64,12 @@ public class CryptomanagerUtils {
 
 	private static ObjectMapper mapper = JsonMapper.builder().addModule(new AfterburnerModule()).build();
 
+	// Single shared instance seeded once at JVM startup. SecureRandom.nextBytes()
+	// is thread-safe (synchronized internally). Static so it survives @RefreshScope
+	// bean recreation and avoids re-seeding overhead (and potential entropy
+	// starvation) at 150 new instances/sec under load.
+	private static final SecureRandom SECURE_RANDOM = new SecureRandom();
+
 	/** The Constant UTC_DATETIME_PATTERN. */
 	private static final String UTC_DATETIME_PATTERN = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'";
 
@@ -235,8 +241,7 @@ public byte[] concatCertThumbprint(byte[] certThumbprint, byte[] encryptedKey){
 
 	public byte[] generateRandomBytes(int size) {
 		byte[] randomBytes = new byte[size];
-		SecureRandom secureRandom = new SecureRandom();
-		secureRandom.nextBytes(randomBytes);
+		SECURE_RANDOM.nextBytes(randomBytes);
 		return randomBytes;
 	}
 

kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanagerservice/config/ReqResFilter.java

@@ -12,7 +12,6 @@
 import jakarta.servlet.http.HttpServletResponse;
 
 import org.springframework.web.util.ContentCachingRequestWrapper;
-import org.springframework.web.util.ContentCachingResponseWrapper;
 
 /**
  * This class is for input logging of all parameters in HTTP requests
@@ -32,18 +31,17 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 			throws IOException, ServletException {
 		HttpServletRequest httpServletRequest = (HttpServletRequest) request;
 		HttpServletResponse httpServletResponse = (HttpServletResponse) response;
-		ContentCachingRequestWrapper requestWrapper = null;
-		ContentCachingResponseWrapper responseWrapper = null;
-
 		// Default processing for url ends with .stream
 		if (httpServletRequest.getRequestURI().endsWith(".stream")) {
 			chain.doFilter(request, response);
 			return;
 		}
-		requestWrapper = new ContentCachingRequestWrapper(httpServletRequest);
-		responseWrapper = new ContentCachingResponseWrapper(httpServletResponse);
-		chain.doFilter(requestWrapper, responseWrapper);
-		responseWrapper.copyBodyToResponse();
+		// Cache only the first 4096 bytes — sufficient for JSON metadata (id, version)
+		// without buffering the full encrypted payload in memory at high RPS.
+		ContentCachingRequestWrapper requestWrapper = new ContentCachingRequestWrapper(httpServletRequest, 4096);
+		// Pass the actual response directly; response body buffering is not required
+		// since ResponseBodyAdviceConfig only reads request metadata, not the response.
+		chain.doFilter(requestWrapper, httpServletResponse);
 
 	}
 

kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanagerservice/config/ResponseBodyAdviceConfig.java

@@ -1,5 +1,6 @@
 package io.mosip.kernel.keymanagerservice.config;
 
+import jakarta.annotation.PostConstruct;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletRequestWrapper;
 
@@ -36,9 +37,17 @@ public class ResponseBodyAdviceConfig implements ResponseBodyAdvice<ResponseWrap
 	@Autowired
 	private ObjectMapper objectMapper;
 
+	@PostConstruct
+	public void init() {
+		// Register JavaTimeModule once at startup on the shared singleton ObjectMapper.
+		// Registering per-request (150 RPS) creates object churn and mutates shared
+		// state concurrently — both corrected here.
+		objectMapper.registerModule(new JavaTimeModule());
+	}
+
 	/*
 	 * (non-Javadoc)
-	 * 
+	 *
 	 * @see
 	 * org.springframework.web.servlet.mvc.method.annotation.ResponseBodyAdvice#
 	 * supports(org.springframework.core.MethodParameter, java.lang.Class)
@@ -79,7 +88,6 @@ public ResponseWrapper<?> beforeBodyWrite(ResponseWrapper<?> body, MethodParamet
 								.getContentAsByteArray());
 			}
 
-			objectMapper.registerModule(new JavaTimeModule());
 			if (!EmptyCheckUtils.isNullEmpty(requestBody)) {
 				requestWrapper = objectMapper.readValue(requestBody, RequestWrapper.class);
 				body.setId(requestWrapper.getId());

kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanagerservice/helper/PrivateKeyDecryptorHelper.java

@@ -8,11 +8,15 @@
 import java.security.cert.Certificate;
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.PKCS8EncodedKeySpec;
-import java.util.Map;
 import java.util.Objects;
-import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.TimeUnit;
 
+import jakarta.annotation.PostConstruct;
+
+import org.cache2k.Cache;
+import org.cache2k.Cache2kBuilder;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 
 import io.mosip.kernel.core.crypto.exception.InvalidDataException;
@@ -33,7 +37,7 @@
 
 /**
  * Private key decryption Helper class for Keymanager
- * 
+ *
  * @author Mahammed Taheer
  * @since 1.2.1
  *
@@ -43,9 +47,29 @@ public class PrivateKeyDecryptorHelper {
 
     private static final Logger LOGGER = KeymanagerLogger.getLogger(PrivateKeyDecryptorHelper.class);
 
-    private Map<String, io.mosip.kernel.keymanagerservice.entity.KeyStore> cacheKeyStore = new ConcurrentHashMap<>();
+    /**
+     * Holds the DB KeyStore entry and its resolved referenceId together so that
+     * both are always evicted atomically. Using two separate maps would allow
+     * LRU eviction to evict one without the other, causing spurious
+     * APP_ID_REFERENCE_ID_NOT_MATCHING exceptions.
+     */
+    private static final class CacheEntry {
+        final KeyStore keyStore;
+        final String refId;
+        CacheEntry(KeyStore keyStore, String refId) {
+            this.keyStore = keyStore;
+            this.refId = refId;
+        }
+    }
+
+    // Replaces the previous unbounded ConcurrentHashMaps (cacheKeyStore +
+    // cacheReferenceIds). Bounded by entryCapacity so memory does not grow
+    // indefinitely as new partner certificates are registered over time.
+    private Cache<String, CacheEntry> cacheDecryptData = null;
 
-	private Map<String, String> cacheReferenceIds = new ConcurrentHashMap<>();
+    // Reuses the same property as keyAliasCache for consistent cache lifecycle.
+    @Value("${mosip.kernel.keymanager.key.cache.expire.inMins:1440}")
+    private long cacheExpireInMins;
 
     /**
 	 * Utility to generate Metadata
@@ -59,35 +83,45 @@ public class PrivateKeyDecryptorHelper {
     @Autowired
 	private ECKeyStore keyStore;
 
+    @PostConstruct
+    public void init() {
+        cacheDecryptData = new Cache2kBuilder<String, CacheEntry>() {}
+            // hashCode suffix prevents name collision in test contexts where the Spring
+            // context is reloaded multiple times within the same JVM.
+            .name("privateKeyDecryptorData-" + this.hashCode())
+            .expireAfterWrite(cacheExpireInMins, TimeUnit.MINUTES)
+            // 1000 entries covers large MOSIP deployments with many partner certificates
+            // while bounding the heap footprint (~3-5 KB per entry × 1000 = ~3-5 MB max).
+            .entryCapacity(1000)
+            .build();
+    }
+
     public KeyStore getDBKeyStoreData (String certThumbprintHex, String applicationId, String referenceId) {
 
-        KeyStore dbKeyStore = cacheKeyStore.getOrDefault(certThumbprintHex, null);
-
-		String appIdRefIdKey = applicationId + KeymanagerConstant.HYPHEN + referenceId;
-		String compMasterKeyRefId = applicationId + KeymanagerConstant.HYPHEN + KeymanagerConstant.COMPONENT_MASTER_KEY_DUMMY_REF; 
-		if(Objects.isNull(dbKeyStore)) {
-			dbKeyStore = dbHelper.getKeyAlias(certThumbprintHex, appIdRefIdKey, applicationId, referenceId);
-			cacheKeyStore.put(certThumbprintHex, dbKeyStore);
-			// Added condition to handle issue related to decryption error with Master key.
-			if (Objects.isNull(dbKeyStore.getPrivateKey())) {
-				cacheReferenceIds.put(certThumbprintHex, compMasterKeyRefId);
-			} else {
-				cacheReferenceIds.put(certThumbprintHex, appIdRefIdKey);
-			}
-		}
+        String appIdRefIdKey = applicationId + KeymanagerConstant.HYPHEN + referenceId;
+        String compMasterKeyRefId = applicationId + KeymanagerConstant.HYPHEN + KeymanagerConstant.COMPONENT_MASTER_KEY_DUMMY_REF;
+
+        CacheEntry cacheEntry = cacheDecryptData.get(certThumbprintHex);
+        if (Objects.isNull(cacheEntry)) {
+            KeyStore dbKeyStore = dbHelper.getKeyAlias(certThumbprintHex, appIdRefIdKey, applicationId, referenceId);
+            // Added condition to handle issue related to decryption error with Master key.
+            String refIdToCache = Objects.isNull(dbKeyStore.getPrivateKey()) ? compMasterKeyRefId : appIdRefIdKey;
+            cacheEntry = new CacheEntry(dbKeyStore, refIdToCache);
+            cacheDecryptData.put(certThumbprintHex, cacheEntry);
+        }
 
-		String cachedRefId = cacheReferenceIds.getOrDefault(certThumbprintHex, null);
-		if (!appIdRefIdKey.equals(cachedRefId) && !compMasterKeyRefId.equals(cachedRefId)){
+        String cachedRefId = cacheEntry.refId;
+        if (!appIdRefIdKey.equals(cachedRefId) && !compMasterKeyRefId.equals(cachedRefId)){
             LOGGER.error(KeymanagerConstant.SESSIONID, this.getClass().getSimpleName(), KeymanagerConstant.EMPTY,
                 "Application Id & Reference ID not matching with the input thumbprint value(decrypt).");
             throw new KeymanagerServiceException(KeymanagerErrorConstant.APP_ID_REFERENCE_ID_NOT_MATCHING.getErrorCode(),
                 KeymanagerErrorConstant.APP_ID_REFERENCE_ID_NOT_MATCHING.getErrorMessage());
         }
-        return dbKeyStore;
+        return cacheEntry.keyStore;
     }
 
     public Object[] getKeyObjects(KeyStore dbKeyStore, boolean fetchMasterKey) {
-		
+
 		String ksAlias = dbKeyStore.getAlias();
 
 		String privateKeyObj = dbKeyStore.getPrivateKey();
@@ -105,21 +139,21 @@ public Object[] getKeyObjects(KeyStore dbKeyStore, boolean fetchMasterKey) {
 			Certificate masterCert = masterKeyEntry.getCertificate();
 			return new Object[] {masterPrivateKey, masterCert};
 		}
-			
+
 		String masterKeyAlias = dbKeyStore.getMasterAlias();
-		
+
 		if (ksAlias.equals(masterKeyAlias) || privateKeyObj.equals(KeymanagerConstant.KS_PK_NA)) {
 			LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, null,
 					"Not Allowed to perform decryption with other domain key.");
 			throw new KeymanagerServiceException(KeymanagerErrorConstant.DECRYPTION_NOT_ALLOWED.getErrorCode(),
 					KeymanagerErrorConstant.DECRYPTION_NOT_ALLOWED.getErrorMessage());
 		}
-		
+
 		PrivateKeyEntry masterKeyEntry = keyStore.getAsymmetricKey(dbKeyStore.getMasterAlias());
 		PrivateKey masterPrivateKey = masterKeyEntry.getPrivateKey();
 		PublicKey masterPublicKey = masterKeyEntry.getCertificate().getPublicKey();
 		try {
-			byte[] decryptedPrivateKey = keymanagerUtil.decryptKey(CryptoUtil.decodeURLSafeBase64(dbKeyStore.getPrivateKey()), 
+			byte[] decryptedPrivateKey = keymanagerUtil.decryptKey(CryptoUtil.decodeURLSafeBase64(dbKeyStore.getPrivateKey()),
 												masterPrivateKey, masterPublicKey);
 			KeyFactory keyFactory = KeyFactory.getInstance(KeymanagerConstant.RSA);
 			PrivateKey privateKey = keyFactory.generatePrivate(new PKCS8EncodedKeySpec(decryptedPrivateKey));
@@ -131,5 +165,5 @@ public Object[] getKeyObjects(KeyStore dbKeyStore, boolean fetchMasterKey) {
 					KeymanagerErrorConstant.CRYPTO_EXCEPTION.getErrorMessage() + e.getMessage(), e);
 		}
 	}
-    
+
 }

kernel/kernel-keymanager-service/src/test/java/io/mosip/kernel/keymanagerservice/test/controller/KeymanagerControllerTest.java

@@ -462,7 +462,7 @@ public void testGenerateMasterKeyWithCertificate() throws Exception {
         KeyPairGenerateRequestDto keyPairDto = new KeyPairGenerateRequestDto();
         keyPairDto.setApplicationId("TEST");
         keyPairDto.setReferenceId("");
-        keyPairDto.setForce(true);
+        keyPairDto.setForce(false);
         request.setRequest(keyPairDto);
 
         mockMvc.perform(post("/generateMasterKey/CERTIFICATE")