Re: [PR] HBASE-29368 [Precursor] Add API surface and refactoring for key management feature [hbase]

Thu, 08 Jan 2026 17:39:49 -0800 


virajjasani commented on code in PR #7584:
URL: https://github.com/apache/hbase/pull/7584#discussion_r2674517002


##########
hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/Encryption.java:
##########
@@ -490,36 +499,37 @@ public static void decryptWithSubjectKey(OutputStream 
out, InputStream in, int o
     if (key == null) {
       throw new IOException("No key found for subject '" + subject + "'");
     }
-    Decryptor d = cipher.getDecryptor();
-    d.setKey(key);
-    d.setIv(iv); // can be null
     try {
-      decrypt(out, in, outLen, d);
+      decryptWithGivenKey(key, out, in, outLen, cipher, iv);
     } catch (IOException e) {
       // If the current cipher algorithm fails to unwrap, try the alternate 
cipher algorithm, if one
       // is configured
       String alternateAlgorithm = 
conf.get(HConstants.CRYPTO_ALTERNATE_KEY_ALGORITHM_CONF_KEY);
       if (alternateAlgorithm != null) {
-        if (LOG.isDebugEnabled()) {
-          LOG.debug("Unable to decrypt data with current cipher algorithm '"
-            + conf.get(HConstants.CRYPTO_KEY_ALGORITHM_CONF_KEY, 
HConstants.CIPHER_AES)
-            + "'. Trying with the alternate cipher algorithm '" + 
alternateAlgorithm
-            + "' configured.");
-        }
+        LOG.debug(
+          "Unable to decrypt data with current cipher algorithm '{}'. "
+            + "Trying with the alternate cipher algorithm '{}' configured.",
+          conf.get(HConstants.CRYPTO_KEY_ALGORITHM_CONF_KEY, 
HConstants.CIPHER_AES),
+          alternateAlgorithm);
         Cipher alterCipher = Encryption.getCipher(conf, alternateAlgorithm);
         if (alterCipher == null) {
           throw new RuntimeException("Cipher '" + alternateAlgorithm + "' not 
available");
         }
-        d = alterCipher.getDecryptor();
-        d.setKey(key);
-        d.setIv(iv); // can be null
-        decrypt(out, in, outLen, d);
+        decryptWithGivenKey(key, out, in, outLen, alterCipher, iv);
       } else {
-        throw new IOException(e);
+        throw e;

Review Comment:
   I also thought that it should not be a problem, i was just curious if it 
breaks any exception catching and validation of the error message based on the 
current logic. If everything is fine, we are good.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to