From 46ac07de27cd37ad80084ee30a5fee9160024cee Mon Sep 17 00:00:00 2001
From: Dhanendra Sahu
Date: Tue, 12 May 2026 15:44:46 +0530
Subject: [PATCH 1/5] Added HSM interaction DEBUG logger
Signed-off-by: Dhanendra Sahu
---
 .../hsm/impl/pkcs/PKCS11KeyStoreImpl.java | 41 ++++++++++++++++---
 1 file changed, 35 insertions(+), 6 deletions(-)
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanager/hsm/impl/pkcs/PKCS11KeyStoreImpl.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanager/hsm/impl/pkcs/PKCS11KeyStoreImpl.java
index e50e4944..b62ea002 100644
--- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanager/hsm/impl/pkcs/PKCS11KeyStoreImpl.java
+++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanager/hsm/impl/pkcs/PKCS11KeyStoreImpl.java
@@ -250,7 +250,9 @@ private KeyStore getKeystoreInstance(String keystoreType, Provider provider) {
 public List getAllAlias() {
 Enumeration enumeration = null;
 try {
+ long startTime = System.currentTimeMillis();
 enumeration = keyStore.aliases();
+ LOGGER.debug("sessionId", "KeyStoreImpl","getAllAlias", "HSM interaction time(ms): " + (System.currentTimeMillis() - startTime));
 } catch (KeyStoreException e) {
 throw new KeystoreProcessingException(KeymanagerErrorCode.KEYSTORE_PROCESSING_ERROR.getErrorCode(),
 KeymanagerErrorCode.KEYSTORE_PROCESSING_ERROR.getErrorMessage() + e.getMessage(), e);
@@ -268,7 +270,9 @@ public List getAllAlias() {
 public Key getKey(String alias) {
 Key key = null;
 try {
+ long startTime = System.currentTimeMillis();
 key = keyStore.getKey(alias, keystorePwdCharArr);
+ LOGGER.debug("sessionId", "KeyStoreImpl","getKey", "HSM interaction time(ms): " + (System.currentTimeMillis() - startTime));
 } catch (UnrecoverableKeyException | KeyStoreException | NoSuchAlgorithmException e) {
 throw new KeystoreProcessingException(KeymanagerErrorCode.KEYSTORE_PROCESSING_ERROR.getErrorCode(),
 KeymanagerErrorCode.KEYSTORE_PROCESSING_ERROR.getErrorMessage() + e.getMessage(), e);
@@ -296,15 +300,19 @@ public PrivateKeyEntry getAsymmetricKey(String alias) {
 Exception exp = null;
 do {
 try {
- if (keyStore.entryInstanceOf(alias, PrivateKeyEntry.class)) {
+ long startTime = System.currentTimeMillis();
+ boolean isPrivateKeyEntry = keyStore.entryInstanceOf(alias, PrivateKeyEntry.class);
+ if (isPrivateKeyEntry) {
 LOGGER.debug("sessionId", "KeyStoreImpl", "getAsymmetricKey", "alias is instanceof keystore");
 ProtectionParameter password = getPasswordProtection();
 privateKeyEntry = (PrivateKeyEntry) keyStore.getEntry(alias, password);
+ LOGGER.debug("sessionId", "KeyStoreImpl","getAsymmetricKey", "HSM interaction time(ms): " + (System.currentTimeMillis() - startTime));
 if (privateKeyEntry != null) {
 LOGGER.debug("sessionId", "KeyStoreImpl", "getAsymmetricKey", "privateKeyEntry is not null");
 break;
 }
 } else {
+ LOGGER.debug("sessionId", "KeyStoreImpl","getAsymmetricKey", "HSM interaction time(ms): " + (System.currentTimeMillis() - startTime));
 throw new NoSuchSecurityProviderException(KeymanagerErrorCode.NO_SUCH_ALIAS.getErrorCode(),
 KeymanagerErrorCode.NO_SUCH_ALIAS.getErrorMessage() + alias);
 }
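Review bot: The elapsed time added around `keyStore.getKey(alias, keystorePwdCharArr)` is taken from `System.currentTimeMillis()`, a wall clock that NTP steps and manual clock changes can move, so a debug line can report a negative or wildly inflated HSM latency; `System.nanoTime()` is the monotonic clock meant for intervals, e.g. `long startTime = System.nanoTime();` and `"HSM interaction time(ms): " + (System.nanoTime() - startTime) / 1_000_000`. The same pattern is repeated in every hunk of this patch, so it is worth fixing once. The timing is also only emitted on the success path: a slow call that ends in `KeyStoreException` never appears in the log, which is exactly the case an HSM latency log is most useful for, so consider logging from a `finally`. The rest of `getKey` is outside this hunk.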
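Review bot: The two new timing lines in `getAsymmetricKey` duplicate the same `LOGGER.debug(...)` call in the `if` and `else` branches and still miss the path where `entryInstanceOf` or `getEntry` throws, which leaves this `try` without any latency record for the failure that the surrounding `do` loop (its `catch` and `while` are outside the hunk) presumably retries. One call after the `if`/`else`, or a `finally` around the two HSM calls, covers all three paths with a single line. Note also that the `if` branch measures two HSM round trips (`entryInstanceOf` plus `getEntry`) while the `else` branch measures one, so the two numbers are not comparable; if the per-call figure matters, start the timer immediately before `keyStore.getEntry(alias, password)`.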
@@ -413,15 +421,19 @@ public SecretKey getSymmetricKey(String alias) {
 Exception exp = null;
 do {
 try {
- if (keyStore.entryInstanceOf(alias, SecretKeyEntry.class)) {
+ long startTime = System.currentTimeMillis();
+ boolean isSecretKeyEntry = keyStore.entryInstanceOf(alias, SecretKeyEntry.class);
+ if (isSecretKeyEntry) {
 ProtectionParameter password = getPasswordProtection();
 SecretKeyEntry retrivedSecret = (SecretKeyEntry) keyStore.getEntry(alias, password);
 secretKey = retrivedSecret.getSecretKey();
+ LOGGER.debug("sessionId", "KeyStoreImpl","getSymmetricKey", "HSM interaction time(ms): " + (System.currentTimeMillis() - startTime));
 if (secretKey != null) {
 LOGGER.debug("sessionId", "KeyStoreImpl", "getSymmetricKey", "secretKey is not null");
 break;
 }
 } else {
+ LOGGER.debug("sessionId", "KeyStoreImpl","getSymmetricKey", "HSM interaction time(ms): " + (System.currentTimeMillis() - startTime));
 throw new NoSuchSecurityProviderException(KeymanagerErrorCode.NO_SUCH_ALIAS.getErrorCode(),
 KeymanagerErrorCode.NO_SUCH_ALIAS.getErrorMessage() + alias);
 }
@@ -457,7 +469,9 @@ public SecretKey getSymmetricKey(String alias) {
 @Override
 public void deleteKey(String alias) {
 try {
+ long startTime = System.currentTimeMillis();
 keyStore.deleteEntry(alias);
+ LOGGER.debug("sessionId", "KeyStoreImpl","deleteKey", "HSM interaction time(ms): " + (System.currentTimeMillis() - startTime));
 } catch (KeyStoreException e) {
 throw new KeystoreProcessingException(KeymanagerErrorCode.KEYSTORE_PROCESSING_ERROR.getErrorCode(),
 KeymanagerErrorCode.KEYSTORE_PROCESSING_ERROR.getErrorMessage() + e.getMessage(), e);
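Review bot: The timing line added in the `if (isSecretKeyEntry)` branch of `getSymmetricKey` is placed right after `retrivedSecret.getSecretKey()`, which dereferences the result of `keyStore.getEntry(alias, password)` with no null check; `KeyStore.getEntry` returns null when the alias has no entry, so if the entry can disappear between `entryInstanceOf` and `getEntry` (for example a concurrent `deleteKey`), this path ends in a `NullPointerException` instead of the `NoSuchSecurityProviderException` the `else` branch raises, and the new timing line is never reached. A guard before the dereference keeps the error path uniform: `if (retrivedSecret == null) { throw new NoSuchSecurityProviderException(KeymanagerErrorCode.NO_SUCH_ALIAS.getErrorCode(), KeymanagerErrorCode.NO_SUCH_ALIAS.getErrorMessage() + alias); }`. The `do`/`while` and `catch` that enclose this `try` continue outside the hunk.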
@@ -468,8 +482,10 @@ private void storeCertificate(String alias, Certificate[] chain, PrivateKey priv
 PrivateKeyEntry privateKeyEntry = new PrivateKeyEntry(privateKey, chain);
 ProtectionParameter password = getPasswordProtection();
 try {
+ long startTime = System.currentTimeMillis();
 keyStore.setEntry(alias, privateKeyEntry, password);
 keyStore.store(null, keystorePwdCharArr);
+ LOGGER.debug("sessionId", "KeyStoreImpl","storeCertificate", "HSM interaction time(ms): " + (System.currentTimeMillis() - startTime));
 } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException e) {
 throw new KeystoreProcessingException(KeymanagerErrorCode.KEYSTORE_PROCESSING_ERROR.getErrorCode(),
 KeymanagerErrorCode.KEYSTORE_PROCESSING_ERROR.getErrorMessage() + e.getMessage());
@@ -530,8 +546,10 @@ public void generateAndStoreSymmetricKey(String alias) {
 SecretKeyEntry secret = new SecretKeyEntry(secretKey);
 ProtectionParameter password = getPasswordProtection();
 try {
+ long startTime = System.currentTimeMillis();
 keyStore.setEntry(alias, secret, password);
 keyStore.store(null, keystorePwdCharArr);
+ LOGGER.debug("sessionId", "KeyStoreImpl","generateAndStoreSymmetricKey", "HSM interaction time(ms): " + (System.currentTimeMillis() - startTime));
 } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException e) {
 throw new KeystoreProcessingException(KeymanagerErrorCode.KEYSTORE_PROCESSING_ERROR.getErrorCode(),
 KeymanagerErrorCode.KEYSTORE_PROCESSING_ERROR.getErrorMessage() + e.getMessage(), e);
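Review bot: The timing line added after `keyStore.store(null, keystorePwdCharArr)` in the chain-taking `storeCertificate` is skipped whenever `setEntry` or `store` throws, and the `catch` directly beneath it then builds the `KeystoreProcessingException` from `e.getMessage()` alone, dropping the cause, while the sibling `generateAndStoreSymmetricKey` hunk on this same line passes `e`. Passing the cause here too, `KeymanagerErrorCode.KEYSTORE_PROCESSING_ERROR.getErrorMessage() + e.getMessage(), e);`, makes the two consistent and preserves the PKCS#11 provider's stack for a failed key write, which is the failure you most need to diagnose against an HSM. If the latency of failed stores matters, move the log into a `finally`. The method's signature is outside this hunk.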
@@ -542,7 +560,10 @@ private KeyPair generateRSAKeyPair() {
 try {
 KeyPairGenerator generator = KeyPairGenerator.getInstance(asymmetricKeyAlgorithm, provider);
 generator.initialize(asymmetricKeyLength, secureRandom);
- return generator.generateKeyPair();
+ long startTime = System.currentTimeMillis();
+ KeyPair keyPair = generator.generateKeyPair();
+ LOGGER.debug("sessionId", "KeyStoreImpl","generateRSAKeyPair", "HSM interaction time(ms): " + (System.currentTimeMillis() - startTime));
+ return keyPair;
 } catch (java.security.NoSuchAlgorithmException e) {
 throw new io.mosip.kernel.core.exception.NoSuchAlgorithmException(
 KeyGeneratorExceptionConstant.MOSIP_NO_SUCH_ALGORITHM_EXCEPTION.getErrorCode(),
@@ -558,7 +579,10 @@ private KeyPair generateECKeyPair(String ecCurve) {
 }
 KeyPairGenerator generator = KeyPairGenerator.getInstance(asymmetricECKeyAlgorithm, provider);
 generator.initialize(new ECGenParameterSpec(ecCurve), secureRandom);
- return generator.generateKeyPair();
+ long startTime = System.currentTimeMillis();
+ KeyPair keyPair = generator.generateKeyPair();
+ LOGGER.debug("sessionId", "KeyStoreImpl","generateECKeyPair", "HSM interaction time(ms): " + (System.currentTimeMillis() - startTime));
+ return keyPair;
 } catch (java.security.NoSuchAlgorithmException | InvalidAlgorithmParameterException e) {
 throw new io.mosip.kernel.core.exception.NoSuchAlgorithmException(
 KeyGeneratorExceptionConstant.MOSIP_NO_SUCH_ALGORITHM_EXCEPTION.getErrorCode(),
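Review bot: The start/generate/log/return sequence added to `generateRSAKeyPair` is repeated verbatim in `generateECKeyPair` and, across this patch, in every other HSM-touching method, each re-spelling the method name as a string literal inside the log call. A private helper keeps the message format and the clock choice in one place, e.g. `private static void logHsmTime(String method, long startNanos) { LOGGER.debug("sessionId", "KeyStoreImpl", method, "HSM interaction time(ms): " + (System.nanoTime() - startNanos) / 1_000_000); }`, with call sites reduced to `long start = System.nanoTime();` and `logHsmTime("generateRSAKeyPair", start);`. Using `System.nanoTime()` in that helper also avoids the wall-clock jumps that `System.currentTimeMillis()` is exposed to. Both methods' `catch` blocks continue past the end of their hunks.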
@@ -570,13 +594,16 @@ private SecretKey generateSymmetricKey() {
 try {
 KeyGenerator generator = KeyGenerator.getInstance(symmetricKeyAlgorithm, provider);
 generator.init(symmetricKeyLength, secureRandom);
- return generator.generateKey();
+ long startTime = System.currentTimeMillis();
+ SecretKey secretKey = generator.generateKey();
+ LOGGER.debug("sessionId", "KeyStoreImpl","generateSymmetricKey", "HSM interaction time(ms): " + (System.currentTimeMillis() - startTime));
+ return secretKey;
 } catch (java.security.NoSuchAlgorithmException e) {
 throw new io.mosip.kernel.core.exception.NoSuchAlgorithmException(
 KeyGeneratorExceptionConstant.MOSIP_NO_SUCH_ALGORITHM_EXCEPTION.getErrorCode(),
 KeyGeneratorExceptionConstant.MOSIP_NO_SUCH_ALGORITHM_EXCEPTION.getErrorMessage(), e);
 }
-
+
 }
 @Override
@@ -584,8 +611,10 @@ public void storeCertificate(String alias, PrivateKey privateKey, Certificate ce
 try {
 PrivateKeyEntry privateKeyEntry = new PrivateKeyEntry(privateKey, new Certificate[] {certificate});
 ProtectionParameter password = getPasswordProtection();
+ long startTime = System.currentTimeMillis();
 keyStore.setEntry(alias, privateKeyEntry, password);
 keyStore.store(null, keystorePwdCharArr);
+ LOGGER.debug("sessionId", "KeyStoreImpl","storeCertificate", "HSM interaction time(ms): " + (System.currentTimeMillis() - startTime));
 } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException e) {
 throw new KeystoreProcessingException(KeymanagerErrorCode.KEYSTORE_PROCESSING_ERROR.getErrorCode(),
 KeymanagerErrorCode.KEYSTORE_PROCESSING_ERROR.getErrorMessage() + e.getMessage(), e);
From e4697e904998c185e48c378ca4fcdb16586dae24 Mon Sep 17 00:00:00 2001
From: Dhanendra Sahu
Date: Wed, 13 May 2026 17:17:04 +0530
Subject: [PATCH 2/5] Update the code based on review comments
Signed-off-by: Dhanendra Sahu
---
 .../kernel/keymanager/hsm/impl/pkcs/PKCS11KeyStoreImpl.java | 4 ----
 1 file changed, 4 deletions(-)
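Review bot: The single-certificate `storeCertificate(String, PrivateKey, Certificate)` in this hunk now logs under exactly the same label, `"storeCertificate"`, as the chain-taking overload, so the debug output cannot tell the two store paths apart, and the two overloads already differ in whether their `catch` attaches the cause `e` (this one does). Use a distinguishing label here, e.g. `"storeCertificate(single)"`, or better, have this overload delegate to the chain overload with `new Certificate[] {certificate}` so there is one measured and one exception-wrapping store path. The method's signature and the end of its `catch` are outside the hunk.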
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanager/hsm/impl/pkcs/PKCS11KeyStoreImpl.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanager/hsm/impl/pkcs/PKCS11KeyStoreImpl.java
index b62ea002..6999db9b 100644
--- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanager/hsm/impl/pkcs/PKCS11KeyStoreImpl.java
+++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanager/hsm/impl/pkcs/PKCS11KeyStoreImpl.java
@@ -250,9 +250,7 @@ private KeyStore getKeystoreInstance(String keystoreType, Provider provider) {
 public List getAllAlias() {
 Enumeration enumeration = null;
 try {
- long startTime = System.currentTimeMillis();
 enumeration = keyStore.aliases();
- LOGGER.debug("sessionId", "KeyStoreImpl","getAllAlias", "HSM interaction time(ms): " + (System.currentTimeMillis() - startTime));
 } catch (KeyStoreException e) {
 throw new KeystoreProcessingException(KeymanagerErrorCode.KEYSTORE_PROCESSING_ERROR.getErrorCode(),
 KeymanagerErrorCode.KEYSTORE_PROCESSING_ERROR.getErrorMessage() + e.getMessage(), e);
@@ -469,9 +467,7 @@ public SecretKey getSymmetricKey(String alias) {
 @Override
 public void deleteKey(String alias) {
 try {
- long startTime = System.currentTimeMillis();
 keyStore.deleteEntry(alias);
- LOGGER.debug("sessionId", "KeyStoreImpl","deleteKey", "HSM interaction time(ms): " + (System.currentTimeMillis() - startTime));
 } catch (KeyStoreException e) {
 throw new KeystoreProcessingException(KeymanagerErrorCode.KEYSTORE_PROCESSING_ERROR.getErrorCode(),
 KeymanagerErrorCode.KEYSTORE_PROCESSING_ERROR.getErrorMessage() + e.getMessage(), e);
From 863b5cf33b525723e90f505281c15efc25110631 Mon Sep 17 00:00:00 2001
From: Dhanendra Sahu
Date: Wed, 13 May 2026 18:29:15 +0530
Subject: [PATCH 3/5] Update the code based on review comments
Signed-off-by: Dhanendra Sahu
---
 .../kernel/keymanager/hsm/impl/pkcs/PKCS11KeyStoreImpl.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanager/hsm/impl/pkcs/PKCS11KeyStoreImpl.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanager/hsm/impl/pkcs/PKCS11KeyStoreImpl.java
index 6999db9b..111a8d24 100644
--- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanager/hsm/impl/pkcs/PKCS11KeyStoreImpl.java
+++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanager/hsm/impl/pkcs/PKCS11KeyStoreImpl.java
@@ -424,8 +424,8 @@ public SecretKey getSymmetricKey(String alias) {
 if (isSecretKeyEntry) {
 ProtectionParameter password = getPasswordProtection();
 SecretKeyEntry retrivedSecret = (SecretKeyEntry) keyStore.getEntry(alias, password);
- secretKey = retrivedSecret.getSecretKey();
 LOGGER.debug("sessionId", "KeyStoreImpl","getSymmetricKey", "HSM interaction time(ms): " + (System.currentTimeMillis() - startTime));
+ secretKey = retrivedSecret.getSecretKey();
 if (secretKey != null) {
 LOGGER.debug("sessionId", "KeyStoreImpl", "getSymmetricKey", "secretKey is not null");
 break;
From 72c750a70eeafadd9cda799810b863425b34ea82 Mon Sep 17 00:00:00 2001
From: Dhanendra Sahu
Date: Mon, 18 May 2026 12:25:35 +0530
Subject: [PATCH 4/5] Updated the code based on review comments
Signed-off-by: Dhanendra Sahu
---
 .../kernel/keymanager/hsm/util/CertificateUtility.java | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanager/hsm/util/CertificateUtility.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanager/hsm/util/CertificateUtility.java
index 93c6ae93..3e712c5a 100644
--- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanager/hsm/util/CertificateUtility.java
+++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanager/hsm/util/CertificateUtility.java
@@ -14,9 +14,12 @@
 import javax.security.auth.x500.X500Principal;
+import io.mosip.kernel.core.logger.spi.Logger;
+import io.mosip.kernel.keymanager.hsm.impl.pkcs.PKCS11KeyStoreImpl;
 import io.mosip.kernel.keymanagerservice.constant.KeymanagerConstant;
 import io.mosip.kernel.keymanagerservice.dto.ExtendedCertificateParameters;
 import io.mosip.kernel.keymanagerservice.dto.SubjectAlternativeNamesDto;
+import io.mosip.kernel.keymanagerservice.logger.KeymanagerLogger;
 import org.bouncycastle.asn1.*;
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.asn1.x500.X500NameBuilder;
@@ -45,7 +48,8 @@
 */
 public class CertificateUtility {
-
+ private static final Logger LOGGER = KeymanagerLogger.getLogger(CertificateUtility.class);
+
 /**
 * Private constructor for CertificateUtility
 */
@@ -123,7 +127,9 @@ private static X509Certificate generateX509Certificate(PrivateKey signPrivateKey
 certBuilder.addExtension(Extension.basicConstraints, true, basicConstraints);
 certBuilder.addExtension(Extension.subjectKeyIdentifier, false, certExtUtils.createSubjectKeyIdentifier(publicKey));
 certBuilder.addExtension(Extension.keyUsage, true, keyUsage);
+ long startTime = System.currentTimeMillis();
 X509CertificateHolder certHolder = certBuilder.build(certContentSigner);
+ LOGGER.debug("sessionId", "CertificateUtility","generateX509Certificate", "HSM interaction time(ms): " + (System.currentTimeMillis() - startTime));
 return new JcaX509CertificateConverter().getCertificate(certHolder);
 } catch (OperatorCreationException | NoSuchAlgorithmException | CertificateException | IOException e) {
 throw new KeystoreProcessingException(KeymanagerErrorCode.CERTIFICATE_PROCESSING_ERROR.getErrorCode(),
From 94c08c17c534b31e34912c86e9c346d357d89edf Mon Sep 17 00:00:00 2001
From: Dhanendra Sahu
Date: Mon, 18 May 2026 15:16:42 +0530
Subject: [PATCH 5/5] Updated the code based on review comments
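Review bot: The added `import io.mosip.kernel.keymanager.hsm.impl.pkcs.PKCS11KeyStoreImpl;` is not referenced in any visible hunk of `CertificateUtility` (the logger is obtained with `CertificateUtility.class`), so it appears unused and should be dropped unless a part of the file outside this diff uses it. Beyond the compiler warning, it ties the `hsm.util` package to one concrete `hsm.impl.pkcs` class, an inverted dependency that becomes a problem as soon as a second keystore implementation wants to reuse this utility. The remainder of the import block is outside the hunk.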
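Review bot: The new log line labels the time spent in `certBuilder.build(certContentSigner)` as "HSM interaction time", but whether that signature is computed on the HSM depends entirely on how `certContentSigner` was built from `signPrivateKey`, which is outside this hunk; with a software-backed signer the number is local CPU time and the label misleads anyone correlating it with HSM latency. Name it for what is actually measured, e.g. `"certificate signing time(ms): "`, or add a comment at the call site stating that the signer is expected to be HSM-backed and where that is enforced. As elsewhere in this series the timing is also lost when `build` throws `OperatorCreationException`, since the `catch` below skips the log; `generateX509Certificate` continues beyond the hunk.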
Signed-off-by: Dhanendra Sahu
---
 .../io/mosip/kernel/keymanager/hsm/util/CertificateUtility.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanager/hsm/util/CertificateUtility.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanager/hsm/util/CertificateUtility.java
index 3e712c5a..82024c1d 100644
--- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanager/hsm/util/CertificateUtility.java
+++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanager/hsm/util/CertificateUtility.java
@@ -153,7 +153,9 @@ private static X509Certificate generateX509Certificate(PrivateKey signPrivateKey
 if (altNames != null && altNames.length > 0) {
 certBuilder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(altNames));
 }
+ long startTime = System.currentTimeMillis();
 X509CertificateHolder certHolder = certBuilder.build(certContentSigner);
+ LOGGER.debug("sessionId", "CertificateUtility","generateX509Certificate", "HSM interaction time(ms): " + (System.currentTimeMillis() - startTime));
 return new JcaX509CertificateConverter().getCertificate(certHolder);
 } catch (OperatorCreationException | NoSuchAlgorithmException | CertificateException | IOException e) {
 throw new KeystoreProcessingException(KeymanagerErrorCode.CERTIFICATE_PROCESSING_ERROR.getErrorCode(),
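Review bot: This second `generateX509Certificate` overload, the one that adds `subjectAlternativeName`, now logs under exactly the same class and method label as the other overload in this file, so the two signing paths cannot be told apart in the debug output. Either add a distinguishing token to the label, e.g. `"generateX509Certificate(SAN)"`, or factor the `certBuilder.build(certContentSigner)` call together with its timing into one private helper both overloads call, which also removes the duplicated start/build/log boilerplate and gives one place to switch to `System.nanoTime()`. The `catch` block and the rest of the method are outside the hunk.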