

Use Google Tink format for DEKs (#3) (#2277)
* Use Google Tink format for DEKs

* Fix test
rayokota authored Aug 6, 2024
1 parent 2cbbaaa commit e7ffcd8
Showing 7 changed files with 1,162 additions and 6 deletions.
Expand Up @@ -28,6 +28,7 @@
</ItemGroup>

<ItemGroup>
<PackageReference Include="Google.Protobuf" Version="3.26.1" />
<PackageReference Include="HKDF.Standard" Version="2.0.0" />
<PackageReference Include="Miscreant" Version="0.3.3" />
</ItemGroup>
38 changes: 33 additions & 5 deletions src/Confluent.SchemaRegistry.Encryption/Cryptor.cs
@@ -1,6 +1,8 @@
using System;
using System.IO;
using System.Security.Cryptography;
using Google.Crypto.Tink;
using Google.Protobuf;
using Miscreant;

namespace Confluent.SchemaRegistry.Encryption
Expand Down Expand Up @@ -40,32 +42,58 @@ public int KeySize()

public byte[] GenerateKey()
{
return Aead.GenerateNonce(KeySize());
byte[] rawKey = Aead.GenerateNonce(KeySize());
switch (DekFormat)
{
case DekFormat.AES256_SIV:
AesSivKey aesSiv = new AesSivKey();
aesSiv.Version = 0;
aesSiv.KeyValue = ByteString.CopyFrom(rawKey);
return aesSiv.ToByteArray();
case DekFormat.AES128_GCM:
case DekFormat.AES256_GCM:
AesGcmKey aesGcm = new AesGcmKey();
aesGcm.Version = 0;
aesGcm.KeyValue = ByteString.CopyFrom(rawKey);
return aesGcm.ToByteArray();
default:
throw new ArgumentException();
}
}

public byte[] Encrypt(byte[] key, byte[] plaintext)
{
byte[] rawKey;
switch (DekFormat)
{
case DekFormat.AES256_SIV:
return EncryptWithAesSiv(key, plaintext);
AesSivKey aesSiv = AesSivKey.Parser.ParseFrom(key);
rawKey = aesSiv.KeyValue.ToByteArray();
return EncryptWithAesSiv(rawKey, plaintext);
case DekFormat.AES128_GCM:
case DekFormat.AES256_GCM:
return EncryptWithAesGcm(key, plaintext);
AesGcmKey aesGcm = AesGcmKey.Parser.ParseFrom(key);
rawKey = aesGcm.KeyValue.ToByteArray();
return EncryptWithAesGcm(rawKey, plaintext);
default:
throw new ArgumentException();
}
}

public byte[] Decrypt(byte[] key, byte[] ciphertext)
{
byte[] rawKey;
switch (DekFormat)
{
case DekFormat.AES256_SIV:
return DecryptWithAesSiv(key, ciphertext);
AesSivKey aesSiv = AesSivKey.Parser.ParseFrom(key);
rawKey = aesSiv.KeyValue.ToByteArray();
return DecryptWithAesSiv(rawKey, ciphertext);
case DekFormat.AES128_GCM:
case DekFormat.AES256_GCM:
return DecryptWithAesGcm(key, ciphertext);
AesGcmKey aesGcm = AesGcmKey.Parser.ParseFrom(key);
rawKey = aesGcm.KeyValue.ToByteArray();
return DecryptWithAesGcm(rawKey, ciphertext);
default:
throw new ArgumentException();
}
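Review bot: The new `AesSivKey.Parser.ParseFrom(key)` / `AesGcmKey.Parser.ParseFrom(key)` branches in Encrypt and Decrypt take `KeyValue` at face value: neither the proto `Version` nor the length of `rawKey` is compared with `KeySize()`, so an `AesGcmKey` carrying 32 bytes would be accepted under `DekFormat.AES128_GCM` if the underlying cipher tolerates that length, and a key with a future version number is silently treated as version 0, whereas Tink's key managers reject both. Malformed input (and presumably any DEK persisted in the pre-commit raw-byte form) now fails inside the protobuf parser with `InvalidProtocolBufferException` rather than the `ArgumentException` the default branch throws, so callers catching the latter should be told. I would pull the parsing into one validated helper that both methods call, replacing each duplicated parse-then-copy pair with `rawKey = ExtractRawKey(key);`. `GenerateKey`, `Encrypt` and `Decrypt` lie within the hunk, but the class body continues past it.
```csharp
// Parse a Tink-serialized DEK for this cryptor's DekFormat and return the raw
// key bytes, rejecting unsupported key versions and length mismatches.
private byte[] ExtractRawKey(byte[] key)
{
    uint version;
    byte[] rawKey;
    switch (DekFormat)
    {
        case DekFormat.AES256_SIV:
            AesSivKey aesSiv = AesSivKey.Parser.ParseFrom(key);
            version = aesSiv.Version;
            rawKey = aesSiv.KeyValue.ToByteArray();
            break;
        case DekFormat.AES128_GCM:
        case DekFormat.AES256_GCM:
            AesGcmKey aesGcm = AesGcmKey.Parser.ParseFrom(key);
            version = aesGcm.Version;
            rawKey = aesGcm.KeyValue.ToByteArray();
            break;
        default:
            throw new ArgumentException("unsupported DEK format");
    }
    if (version != 0)
    {
        throw new ArgumentException("unsupported Tink key version: " + version);
    }
    if (rawKey.Length != KeySize())
    {
        throw new ArgumentException("DEK length does not match DEK format");
    }
    return rawKey;
}
// … unchanged: Encrypt/Decrypt bodies, now calling ExtractRawKey(key) …
```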
9 changes: 8 additions & 1 deletion src/Confluent.SchemaRegistry.Encryption/LocalKmsClient.cs
Expand Up @@ -3,6 +3,8 @@
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Google.Crypto.Tink;
using Google.Protobuf;

namespace Confluent.SchemaRegistry.Encryption
{
Expand All @@ -20,7 +22,12 @@ public LocalKmsClient(string secret)
}
Secret = secret;
cryptor = new Cryptor(DekFormat.AES256_GCM);
key = Hkdf.DeriveKey(HashAlgorithmName.SHA256, Encoding.UTF8.GetBytes(secret), cryptor.KeySize());
byte[] rawKey = Hkdf.DeriveKey(
HashAlgorithmName.SHA256, Encoding.UTF8.GetBytes(secret), cryptor.KeySize());
AesGcmKey aesGcm = new AesGcmKey();
aesGcm.Version = 0;
aesGcm.KeyValue = ByteString.CopyFrom(rawKey);
key = aesGcm.ToByteArray();
}

public bool DoesSupport(string uri)
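Review bot: The Tink wrapping added after the HKDF call (`AesGcmKey aesGcm = new AesGcmKey();` through `key = aesGcm.ToByteArray();`) re-implements the AES-GCM branch of `Cryptor.GenerateKey` and is only correct because `cryptor` was constructed with `DekFormat.AES256_GCM` two lines earlier; if that format ever changes, the two copies drift silently. A small `Cryptor` method such as `public byte[] WrapRawKey(byte[] rawKey)` applying the same `DekFormat` switch would let this line become `key = cryptor.WrapRawKey(rawKey);` and keep the serialization in one place. Separately, the `Hkdf.DeriveKey` call appears to pass no salt or info, so the wrapping key is bound to the secret alone and not to its purpose or format; adding an info string would be the usual hardening, but it changes the derived key and so breaks data already written by this client, which makes it a migration item rather than a drive-by fix. The constructor starts before this hunk.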
