Description:
This task focuses on enhancing the performance of the Key Manager component in MOSIP to reliably support a target throughput of 500,000 packets per day. The objective is to optimize key management operations and system efficiency to handle sustained high-volume workloads without compromising security or stability.
The implementation involves identifying bottlenecks and applying optimizations across cryptographic operations, memory handling, caching, and concurrency management. These improvements will be validated through comprehensive performance testing to ensure the system meets the desired throughput benchmarks.
All validated changes should be merged into the release/1.4.x branch following standard review and release practices.
Key Areas of Enhancement:
- ThreadLocal JCA Object Reuse
JCA objects such as Cipher, KeyFactory, MessageDigest, SecureRandom, KeyGenerator, CertPathValidator, and CertificateFactory are expensive to instantiate due to provider lookups and SPI loading.
- Introduced ThreadLocal caching to reuse these objects per thread and eliminate repeated allocations under concurrent load
- Applied across:
- CryptoCore — Cipher, SecretKeyFactory, SecureRandom
- ZKCryptoManagerServiceImpl — Cipher, MessageDigest
- SignatureServiceImpl — KeyFactory, MessageDigest
- RandomKeysGenerator — KeyGenerator, Cipher, SecureRandom
- PartnerCertificateManagerServiceImpl — CertPathValidator, CertificateFactory
- Ensured proper cleanup using @PreDestroy to prevent memory leaks in thread-pooled environments
- Multi-Layer Caching
- Implemented certificate path caching (Cache2k with TTL and ~2000 entries) to avoid repeated PKIX chain validations
- Introduced domain index caching using DN and SKI for constant-time issuer lookup
- Added ConcurrentHashMap-based caches in SignatureServiceImpl for:
- Decoded PublicKey objects
- Parsed X509Certificate objects
- JWS headers
- Certificate trust validation results
- Byte Array Copy Optimization
- Replaced Arrays.copyOfRange() with System.arraycopy() in performance-critical paths
- Applied across components such as CryptomanagerServiceImpl, ClientCryptoFacade, SessionKeyDecryptorHelper, KeymanagerUtil, and CryptomanagerUtils
- Reduced unnecessary array allocations and minimized bounds-check overhead
Acceptance Criteria:
- System successfully processes 500,000 packets per day under performance test conditions
- ThreadLocal reuse implemented and validated without memory leaks
- Multi-layer caching reduces redundant cryptographic and certificate validation overhead
- Byte array optimizations reduce memory footprint and improve execution speed
- Performance benchmarks demonstrate measurable improvement over baseline
- No functional or security regressions observed
- Code reviewed and merged into release/1.4.x branch
- Documentation updated to reflect performance enhancements and configurations
Description:
This task focuses on enhancing the performance of the Key Manager component in MOSIP to reliably support a target throughput of 500,000 packets per day. The objective is to optimize key management operations and system efficiency to handle sustained high-volume workloads without compromising security or stability.
The implementation involves identifying bottlenecks and applying optimizations across cryptographic operations, memory handling, caching, and concurrency management. These improvements will be validated through comprehensive performance testing to ensure the system meets the desired throughput benchmarks.
All validated changes should be merged into the release/1.4.x branch following standard review and release practices.
Key Areas of Enhancement:
JCA objects such as Cipher, KeyFactory, MessageDigest, SecureRandom, KeyGenerator, CertPathValidator, and CertificateFactory are expensive to instantiate due to provider lookups and SPI loading.
Acceptance Criteria: