Fixed the keymanager performance issue (#540)

dhanendra06 · web-flow · commit eb03caef3999 · 2026-04-07T22:08:22.000+07:00
Signed-off-by: Dhanendra Sahu &lt;dhanendra.tech@gmail.com&gt;
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/cryptomanager/util/CryptomanagerUtils.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/cryptomanager/util/CryptomanagerUtils.java
@@ -64,6 +64,12 @@ public class CryptomanagerUtils {
 
 	private static ObjectMapper mapper = JsonMapper.builder().addModule(new AfterburnerModule()).build();
 
+	// Single shared instance seeded once at JVM startup. SecureRandom.nextBytes()
+	// is thread-safe (synchronized internally). Static so it survives @RefreshScope
+	// bean recreation and avoids re-seeding overhead (and potential entropy
+	// starvation) at 150 new instances/sec under load.
+	private static final SecureRandom SECURE_RANDOM = new SecureRandom();
+
 	/** The Constant UTC_DATETIME_PATTERN. */
 	private static final String UTC_DATETIME_PATTERN = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'";
 
@@ -235,8 +241,7 @@ public byte[] concatCertThumbprint(byte[] certThumbprint, byte[] encryptedKey){
 
 	public byte[] generateRandomBytes(int size) {
 		byte[] randomBytes = new byte[size];
-		SecureRandom secureRandom = new SecureRandom();
-		secureRandom.nextBytes(randomBytes);
+		SECURE_RANDOM.nextBytes(randomBytes);
 		return randomBytes;
 	}
 
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanagerservice/config/ReqResFilter.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanagerservice/config/ReqResFilter.java
@@ -12,7 +12,6 @@
 import jakarta.servlet.http.HttpServletResponse;
 
 import org.springframework.web.util.ContentCachingRequestWrapper;
-import org.springframework.web.util.ContentCachingResponseWrapper;
 
 /**
  * This class is for input logging of all parameters in HTTP requests
@@ -32,18 +31,17 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 			throws IOException, ServletException {
 		HttpServletRequest httpServletRequest = (HttpServletRequest) request;
 		HttpServletResponse httpServletResponse = (HttpServletResponse) response;
-		ContentCachingRequestWrapper requestWrapper = null;
-		ContentCachingResponseWrapper responseWrapper = null;
-
 		// Default processing for url ends with .stream
 		if (httpServletRequest.getRequestURI().endsWith(".stream")) {
 			chain.doFilter(request, response);
 			return;
 		}
-		requestWrapper = new ContentCachingRequestWrapper(httpServletRequest);
-		responseWrapper = new ContentCachingResponseWrapper(httpServletResponse);
-		chain.doFilter(requestWrapper, responseWrapper);
-		responseWrapper.copyBodyToResponse();
+		// Cache only the first 4096 bytes — sufficient for JSON metadata (id, version)
+		// without buffering the full encrypted payload in memory at high RPS.
+		ContentCachingRequestWrapper requestWrapper = new ContentCachingRequestWrapper(httpServletRequest, 4096);
+		// Pass the actual response directly; response body buffering is not required
+		// since ResponseBodyAdviceConfig only reads request metadata, not the response.
+		chain.doFilter(requestWrapper, httpServletResponse);
 
 	}
 
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanagerservice/config/ResponseBodyAdviceConfig.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanagerservice/config/ResponseBodyAdviceConfig.java
@@ -1,5 +1,6 @@
 package io.mosip.kernel.keymanagerservice.config;
 
+import jakarta.annotation.PostConstruct;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletRequestWrapper;
 
@@ -14,14 +15,14 @@
 import org.springframework.web.servlet.mvc.method.annotation.ResponseBodyAdvice;
 import org.springframework.web.util.ContentCachingRequestWrapper;
 
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.core.JsonToken;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 
-import io.mosip.kernel.core.http.RequestWrapper;
 import io.mosip.kernel.core.http.ResponseFilter;
 import io.mosip.kernel.core.http.ResponseWrapper;
 import io.mosip.kernel.core.logger.spi.Logger;
-import io.mosip.kernel.core.util.EmptyCheckUtils;
 
 /**
  * @author Bal Vikash Sharma
@@ -36,6 +37,14 @@ public class ResponseBodyAdviceConfig implements ResponseBodyAdvice<ResponseWrap
 	@Autowired
 	private ObjectMapper objectMapper;
 
+	@PostConstruct
+	public void init() {
+		// Register JavaTimeModule once at startup on the shared singleton ObjectMapper.
+		// Registering per-request (150 RPS) creates object churn and mutates shared
+		// state concurrently — both corrected here.
+		objectMapper.registerModule(new JavaTimeModule());
+	}
+
 	/*
 	 * (non-Javadoc)
 	 * 
@@ -63,27 +72,21 @@ public ResponseWrapper<?> beforeBodyWrite(ResponseWrapper<?> body, MethodParamet
 			MediaType selectedContentType, Class<? extends HttpMessageConverter<?>> selectedConverterType,
 			ServerHttpRequest request, ServerHttpResponse response) {
 
-		RequestWrapper<?> requestWrapper = null;
-		String requestBody = null;
-
 		try {
 			HttpServletRequest httpServletRequest = ((ServletServerHttpRequest) request).getServletRequest();
 
+			byte[] cachedBody = null;
 			if (httpServletRequest instanceof ContentCachingRequestWrapper) {
-				requestBody = new String(((ContentCachingRequestWrapper) httpServletRequest).getContentAsByteArray());
+				cachedBody = ((ContentCachingRequestWrapper) httpServletRequest).getContentAsByteArray();
 			} else if (httpServletRequest instanceof HttpServletRequestWrapper
 					&& ((HttpServletRequestWrapper) httpServletRequest)
-							.getRequest() instanceof ContentCachingRequestWrapper) {
-				requestBody = new String(
-						((ContentCachingRequestWrapper) ((HttpServletRequestWrapper) httpServletRequest).getRequest())
-								.getContentAsByteArray());
+					.getRequest() instanceof ContentCachingRequestWrapper) {
+				cachedBody = ((ContentCachingRequestWrapper) ((HttpServletRequestWrapper) httpServletRequest).getRequest())
+						.getContentAsByteArray();
 			}
 
-			objectMapper.registerModule(new JavaTimeModule());
-			if (!EmptyCheckUtils.isNullEmpty(requestBody)) {
-				requestWrapper = objectMapper.readValue(requestBody, RequestWrapper.class);
-				body.setId(requestWrapper.getId());
-				body.setVersion(requestWrapper.getVersion());
+			if (cachedBody != null && cachedBody.length > 0) {
+				extractAndSetIdVersion(body, cachedBody);
 			}
 			body.setErrors(null);
 			return body;
@@ -93,4 +96,42 @@ public ResponseWrapper<?> beforeBodyWrite(ResponseWrapper<?> body, MethodParamet
 		return body;
 	}
 
-}
+	/**
+	 * Extracts only the top-level "id" and "version" fields from the cached
+	 * (possibly truncated) request body using a streaming JSON parser.
+	 *
+	 * ReqResFilter caps the cached body at 4096 bytes. A full ObjectMapper.readValue()
+	 * fails with JsonEOFException when the encrypted "data" field spans the truncation
+	 * boundary (column 4097). The streaming parser reads token-by-token and stops as
+	 * soon as both fields are found — which happens within the first ~100 bytes since
+	 * "id" and "version" are always the first two fields in the MOSIP RequestWrapper
+	 * JSON envelope — long before any truncation can occur.
+	 */
+	private void extractAndSetIdVersion(ResponseWrapper<?> body, byte[] cachedBody) {
+		try (JsonParser parser = objectMapper.getFactory().createParser(cachedBody)) {
+			String id = null;
+			String version = null;
+			JsonToken token;
+			while ((token = parser.nextToken()) != null) {
+				if (id != null && version != null) break;
+				if (token == JsonToken.FIELD_NAME) {
+					String fieldName = parser.getCurrentName();
+					token = parser.nextToken();
+					if ("id".equals(fieldName) && token == JsonToken.VALUE_STRING) {
+						id = parser.getText();
+					} else if ("version".equals(fieldName) && token == JsonToken.VALUE_STRING) {
+						version = parser.getText();
+					} else if (token == JsonToken.START_OBJECT || token == JsonToken.START_ARRAY) {
+						if (id != null && version != null) break;
+						parser.skipChildren();
+					}
+				}
+			}
+			if (id != null) body.setId(id);
+			if (version != null) body.setVersion(version);
+		} catch (Exception e) {
+			mosipLogger.debug("", "", "", "Could not extract id/version from cached request body: " + e.getMessage());
+		}
+	}
+
+}
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanagerservice/exception/KeymanagerExceptionHandler.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanagerservice/exception/KeymanagerExceptionHandler.java
@@ -1,8 +1,8 @@
 /*
- * 
- * 
- * 
- * 
+ *
+ *
+ *
+ *
  */
 package io.mosip.kernel.keymanagerservice.exception;
 
@@ -12,9 +12,11 @@
 import java.time.format.DateTimeParseException;
 import java.util.List;
 
+import jakarta.annotation.PostConstruct;
 import jakarta.servlet.http.HttpServletRequest;
 
-import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.core.JsonToken;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.exc.InvalidFormatException;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
@@ -44,7 +46,6 @@
 import io.mosip.kernel.core.signatureutil.exception.ParseResponseException;
 import io.mosip.kernel.core.signatureutil.exception.SignatureUtilClientException;
 import io.mosip.kernel.core.signatureutil.exception.SignatureUtilException;
-import io.mosip.kernel.core.util.EmptyCheckUtils;
 import io.mosip.kernel.cryptomanager.constant.CryptomanagerErrorCode;
 import io.mosip.kernel.cryptomanager.exception.CryptoManagerSerivceException;
 import io.mosip.kernel.keymanagerservice.constant.KeymanagerConstant;
@@ -72,9 +73,17 @@ public class KeymanagerExceptionHandler {
 	@Autowired
 	private ObjectMapper objectMapper;
 
+	@PostConstruct
+	public void init() {
+		// Register JavaTimeModule once at startup. The original code called
+		// registerModule() inside setErrors() which runs on every exception path,
+		// mutating the shared ObjectMapper bean concurrently and creating garbage.
+		objectMapper.registerModule(new JavaTimeModule());
+	}
+
 	@ExceptionHandler(NullDataException.class)
 	public ResponseEntity<ResponseWrapper<ServiceError>> nullDataException(HttpServletRequest httpServletRequest,
-			final NullDataException e) throws IOException {
+																		   final NullDataException e) throws IOException {
 		ExceptionUtils.logRootCause(e);
 		return new ResponseEntity<>(
 				getErrorResponse(httpServletRequest, e.getErrorCode(), e.getErrorText(), HttpStatus.OK), HttpStatus.OK);
@@ -367,17 +376,44 @@ private ResponseWrapper<ServiceError> getErrorResponse(HttpServletRequest httpSe
 	private ResponseWrapper<ServiceError> setErrors(HttpServletRequest httpServletRequest) throws IOException {
 		ResponseWrapper<ServiceError> responseWrapper = new ResponseWrapper<>();
 		responseWrapper.setResponsetime(LocalDateTime.now(ZoneId.of("UTC")));
-		String requestBody = null;
+
+		byte[] cachedBody = null;
 		if (httpServletRequest instanceof ContentCachingRequestWrapper) {
-			requestBody = new String(((ContentCachingRequestWrapper) httpServletRequest).getContentAsByteArray());
+			cachedBody = ((ContentCachingRequestWrapper) httpServletRequest).getContentAsByteArray();
 		}
-		if (EmptyCheckUtils.isNullEmpty(requestBody)) {
+		if (cachedBody == null || cachedBody.length == 0) {
 			return responseWrapper;
 		}
-		objectMapper.registerModule(new JavaTimeModule());
-		JsonNode reqNode = objectMapper.readTree(requestBody);
-		responseWrapper.setId(reqNode.path("id").asText());
-		responseWrapper.setVersion(reqNode.path("version").asText());
+
+		// Use a streaming JSON parser to extract only the top-level "id" and "version"
+		// fields. The cached body is capped at 4096 bytes (ReqResFilter) so a full
+		// readTree() fails with JsonEOFException when the encrypted "data" field
+		// crosses the truncation boundary. The streaming parser stops as soon as both
+		// fields are found — within the first ~100 bytes — before any truncation.
+		try (JsonParser parser = objectMapper.getFactory().createParser(cachedBody)) {
+			String id = null;
+			String version = null;
+			JsonToken token;
+			while ((token = parser.nextToken()) != null) {
+				if (id != null && version != null) break;
+				if (token == JsonToken.FIELD_NAME) {
+					String fieldName = parser.getCurrentName();
+					token = parser.nextToken();
+					if ("id".equals(fieldName) && token == JsonToken.VALUE_STRING) {
+						id = parser.getText();
+					} else if ("version".equals(fieldName) && token == JsonToken.VALUE_STRING) {
+						version = parser.getText();
+					} else if (token == JsonToken.START_OBJECT || token == JsonToken.START_ARRAY) {
+						if (id != null && version != null) break;
+						parser.skipChildren();
+					}
+				}
+			}
+			if (id != null) responseWrapper.setId(id);
+			if (version != null) responseWrapper.setVersion(version);
+		} catch (Exception e) {
+			// Best-effort: truncated or malformed body won't affect error response structure
+		}
 		return responseWrapper;
 	}
 	
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanagerservice/helper/PrivateKeyDecryptorHelper.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanagerservice/helper/PrivateKeyDecryptorHelper.java
