Initial #9
Initial #9
Conversation
encmod/src/main/java/io/strimzi/kafka/topicenc/EncryptionModule.java
Outdated
Show resolved
Hide resolved
encmod/src/main/java/io/strimzi/kafka/topicenc/EncryptionModule.java
Outdated
Show resolved
Hide resolved
encmod/src/main/java/io/strimzi/kafka/topicenc/EncryptionModule.java
Outdated
Show resolved
Hide resolved
encmod/src/main/java/io/strimzi/kafka/topicenc/policy/JsonPolicyRepo.java
Outdated
Show resolved
Hide resolved
vertx-proxy/src/main/java/io/strimzi/kafka/proxy/vertx/MessageHandler.java
Outdated
Show resolved
Hide resolved
|
Thanks @tombentley for the first pass and resulting suggestions, all of which I have committed. |
| public static final String AES_GCM_PADDING = AES + "/GCM/PKCS5Padding"; | ||
| public static final String AES256_GCM_NOPADDING = "AES_256/GCM/NoPadding"; |
There was a problem hiding this comment.
Do both of these have the property that size(plaintext) == size (ciphertext)?
There was a problem hiding this comment.
size (ciphertext) = size(plaintext) + len(GCM authtag) where len(GCM authtag) = 16
There was a problem hiding this comment.
AES GCM is essentially a streaming cipher without padding. The cipher "AES/GCM/PKCS5Padding" is from a different crypto provider I was testing and can be removed. Most Java crypto providers do not support this cipher. When it is supported by a crypto provider, my understanding is that "AES/GCM/PKCS5Padding" is effectively AES GCM NoPadding.
For our purposes, we can assume no padding for AES GCM encryption (although there is always a 16 byte authentication tag, as mentioned above).
| // encrypt record value: | ||
| byte[] plaintext = new byte[record.valueSize()]; | ||
| record.value().get(plaintext); | ||
| EncData ciphertext = encrypter.encrypt(plaintext); |
There was a problem hiding this comment.
I was thinking about topic encryption and the fact that it can increase the size of messages, both due to padding in the cipher (possibly, see https://github.com/strimzi/topic-encryption/pull/9/files#r850136676) and also for including things like the IV. If the proxy and the broker had the same max.message.size then it would mean the proxy might accept a message, but the broker reject it because of size inflation caused by the proxy. You could get away with just configuring the proxy with a smaller max.message.size than the broker if you could assume the inflation is a constant for a whole batch. But right now encryption is per-message. Which means for small messages the extra IV data could result in a large proportional increase in batch size, even in the absence of padding from the encryption algorithm.
There was a problem hiding this comment.
Valid points.
In the existing scheme, the encryption metadata stored with each message, in bytes:
- 2 (version)
- 2 (IV length)
- 16 (IV)
- 2 (ciphertext length)
- 16 (GCM authentication tag)
Total: 38 bytes "overhead" per encrypted message.
There was a problem hiding this comment.
I have created issue #15
| @@ -38,3 +38,7 @@ classes/ | |||
| # MacOS | |||
| .DS_Store | |||
|
|
|||
| # config files | |||
| vertx-proxy/src/main/resources/config.json | |||
There was a problem hiding this comment.
Should this really be excluded?
There was a problem hiding this comment.
The config file could contain credentials as we integrate with key management systems. Excluding the config file, at least for the time being, is a defensive action to prevent credentials being accidentally pushed into github in the future.
encmod/src/main/java/io/strimzi/kafka/topicenc/EncryptionModule.java
Outdated
Show resolved
Hide resolved
encmod/src/main/java/io/strimzi/kafka/topicenc/EncryptionModule.java
Outdated
Show resolved
Hide resolved
| Buffer rawMsg; | ||
| ByteBuffer payload; |
There was a problem hiding this comment.
these members are accessed directly by subclasses. Either protected or default visibility
| public static final String LISTENING_PORT = "listening_port"; | ||
| public static final String KAFKA_BROKERS = "kafka_broker"; | ||
| public static final String POLICY_REPO = "policy_repo"; |
There was a problem hiding this comment.
If they're just constants why not declare them on the outer class?
There was a problem hiding this comment.
I anticipate many config params and use static classes as a way to group related constants as opposed to maintaining a long list of constants. But I am perfectly willing to forego the inner class for now and address large number of constants when we cross that bridge.
vertx-proxy/src/main/java/io/strimzi/kafka/proxy/vertx/Config.java
Outdated
Show resolved
Hide resolved
vertx-proxy/src/main/java/io/strimzi/kafka/proxy/vertx/KafkaProxyVerticle.java
Outdated
Show resolved
Hide resolved
vertx-proxy/src/main/java/io/strimzi/kafka/proxy/vertx/KafkaReqMsg.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
…comment corrections Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
….java Co-authored-by: Tom Bentley <[email protected]> Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
…comment corrections Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
Signed-off-by: Chris Giblin <[email protected]>
|
Closing this PR because numerous ongoing commits and a rebase error have made this PR too unwieldy. |
Initial commit for review