MOSIP-43972: make allowed sign algorithm as configurable (#506)

nagendra0721 · web-flow · commit b60f7c404d7a · 2025-12-12T18:23:37.000+05:30
Signed-off-by: nagendra0721 &lt;nagendra0718@gmail.com&gt;
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/constant/PartnerCertManagerConstants.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/constant/PartnerCertManagerConstants.java
@@ -80,11 +80,6 @@ public interface PartnerCertManagerConstants {
 	 */
 	int RSA_MIN_KEY_SIZE = 2048;
 
-	/**
-	 * The constant HASH_SHA2
-	 */
-	String HASH_SHA2 = "SHA2";
-
 	int YEAR_DAYS = 365;
 
     String GET_PARTNER_CERT = "GetPartnerCertificate";
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/impl/PartnerCertificateManagerServiceImpl.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/impl/PartnerCertificateManagerServiceImpl.java
@@ -125,6 +125,8 @@ public class PartnerCertificateManagerServiceImpl implements PartnerCertificateM
     @Value("${mosip.kernel.partner.cacertificate.upload.minimumvalidity.month:12}")
     private int minValidity;
 
+    @Value("${mosip.kernel.partner.certificate.allowed.sign.algorithms:SHA256withRSA}")
+    private List<String> allowedSignAlgorithms;
 
     /**
      * Utility to generate Metadata
@@ -638,7 +640,7 @@ private void validateOtherPartnerCertParams(X509Certificate reqX509Cert, String
         }
 
         String signatureAlgorithm = reqX509Cert.getSigAlgName();
-        if (!signatureAlgorithm.toUpperCase().startsWith(PartnerCertManagerConstants.HASH_SHA2)) {
+        if (allowedSignAlgorithms.stream().noneMatch(signatureAlgorithm::equalsIgnoreCase)) {
             LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT,
                     PartnerCertManagerConstants.EMPTY, "Signature Algorithm not supported.");
             throw new PartnerCertManagerException(
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/signature/constant/SignatureConstant.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/signature/constant/SignatureConstant.java
@@ -134,4 +134,6 @@ private SignatureConstant() {
     public static final int CERTIFICATE_URL_TAG = 35;
 
     public static final int CLAIM169_TAG = 169;
+
+    public static final String RANDOM_UUID = "UUID";
 }
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/signature/dto/CWTSignRequestDto.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/signature/dto/CWTSignRequestDto.java
@@ -92,4 +92,10 @@ public class CWTSignRequestDto {
      */
     @ApiModelProperty(notes = "Not Before date in number of days", example = "1", required = false)
     private Integer notBeforeDays;
+
+    /**
+     * CWT Id
+     */
+    @ApiModelProperty(notes = "CWT Id", example = "123", required = false)
+    private String CWTId;
 }
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/signature/util/SignatureUtil.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/signature/util/SignatureUtil.java
@@ -467,7 +467,10 @@ private CWTClaimsSetBuilder buildRegisteredCWTClaims(CWTSignRequestDto requestDt
         Date issuedAt = new Date();
         Date notBefore = DateUtils.addDays(issuedAt, notBeforeIndays);
         Date expire = DateUtils.addDays(notBefore, expireIndays);
-        String cwtUniqueId = UUID.randomUUID().toString();
+        String cwtId = requestDto.getCWTId() != null ? requestDto.getCWTId() : SignatureConstant.BLANK;
+        String cwtUniqueId = (cwtId.equalsIgnoreCase(SignatureConstant.RANDOM_UUID))
+                ? UUID.randomUUID().toString()
+                : cwtId;
 
         if (issuer != null && !issuer.isBlank()) {
             claimsSetBuilder.iss(issuer);
@@ -484,7 +487,9 @@ private CWTClaimsSetBuilder buildRegisteredCWTClaims(CWTSignRequestDto requestDt
         claimsSetBuilder.exp(expire);
         claimsSetBuilder.nbf(notBefore);
         claimsSetBuilder.iat(issuedAt);
-        claimsSetBuilder.cti(cwtUniqueId);
+
+        if (isDataValid(cwtUniqueId))
+            claimsSetBuilder.cti(cwtUniqueId);
 
         return claimsSetBuilder;
     }
diff --git a/kernel/kernel-keymanager-service/src/main/resources/application-local.properties b/kernel/kernel-keymanager-service/src/main/resources/application-local.properties
@@ -137,6 +137,9 @@ mosip.kernel.keymanager.signature.cwt.verify.iss.enable=true
 mosip.kernel.keymanager.signature.cwt.verify.sub.enable=true
 mosip.kernel.partner.trust.validate.domain.name=TRUST_CA
 
+# Partner certificate allowed sign algorithms
+mosip.kernel.partner.certificate.allowed.sign.algorithms=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withECDSA,SHA384withECDSA,SHA512withECDSA,Ed25519
+
 ##Adding controller props to local prop file
 mosip.role.keymanager.postcssign=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postcsverifysign=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT

Original file line number	Diff line number	Diff line change
`@@ -134,4 +134,6 @@ private SignatureConstant() {`
`134`	`134`	`public static final int CERTIFICATE_URL_TAG = 35;`
`135`	`135`
`136`	`136`	`public static final int CLAIM169_TAG = 169;`
	`137`	`+`
	`138`	`+ public static final String RANDOM_UUID = "UUID";`
`137`	`139`	`}`