rdblue commented on code in PR #7770: URL: https://github.com/apache/iceberg/pull/7770#discussion_r1676561882
########## core/src/main/java/org/apache/iceberg/encryption/EncryptionUtil.java: ########## 
@@ -71,30 +70,35 @@ public static KeyManagementClient createKmsClient(Map<String, String> catalogPro } public static EncryptionManager createEncryptionManager( - Map<String, String> tableProperties, KeyManagementClient kmsClient) { + String tableKeyId, int dekLength, KeyManagementClient kmsClient) { Preconditions.checkArgument(kmsClient != null, "Invalid KMS client: null"); - String tableKeyId = tableProperties.get(TableProperties.ENCRYPTION_TABLE_KEY); if (null == tableKeyId) { // Unencrypted table return PlaintextEncryptionManager.instance(); } - int dataKeyLength = - PropertyUtil.propertyAsInt( - tableProperties, - TableProperties.ENCRYPTION_DEK_LENGTH, - TableProperties.ENCRYPTION_DEK_LENGTH_DEFAULT); - Preconditions.checkState( - dataKeyLength == 16 || dataKeyLength == 24 || dataKeyLength == 32, + dekLength == 16 || dekLength == 24 || dekLength == 32, "Invalid data key length: %s (must be 16, 24, or 32)", - dataKeyLength); + dekLength); - return new StandardEncryptionManager(tableKeyId, dataKeyLength, kmsClient); + return new StandardEncryptionManager(tableKeyId, dekLength, kmsClient); } public static EncryptedOutputFile plainAsEncryptedOutput(OutputFile encryptingOutputFile) { return new BaseEncryptedOutputFile(encryptingOutputFile, EncryptionKeyMetadata.empty()); } + + public static EncryptionKeyMetadata createKeyMetadata(ByteBuffer key, ByteBuffer aadPrefix) { + Preconditions.checkState( + key.arrayOffset() == 0, "Invalid key array offset {}", key.arrayOffset()); + Preconditions.checkState( + aadPrefix.arrayOffset() == 0, "Invalid aad array offset {}", aadPrefix.arrayOffset()); + return new StandardKeyMetadata(key.array(), aadPrefix.array()); + } + + public static NativeEncryptionKeyMetadata parseKeyMetadata(ByteBuffer keyMetadataBytes) { Review Comment: I don't think this method is necessary. `EncryptingFileIO` should decrypt the key and call `wrap`, passing in the decrypted key metadata buffer instead. 
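Review bot: In `createKeyMetadata`, `key.array()` and `aadPrefix.array()` pass the whole backing array to `StandardKeyMetadata`, and the `arrayOffset() == 0` checks do not establish that the buffer's position is 0 or that its limit equals the array length. A sliced or partially consumed buffer would therefore produce key or AAD bytes that differ from the buffer's contents, and a direct or read-only buffer throws from `arrayOffset()` itself before the precondition message is built. Copying the remaining bytes avoids both and keeps the metadata from aliasing caller-owned key material: `byte[] keyBytes = new byte[key.remaining()]; key.duplicate().get(keyBytes);`, and the same for `aadPrefix`. The two new messages use `{}`, whereas the `Preconditions.checkState` call earlier in this hunk uses `%s`, so the offset will not be substituted into the text as written; use `"Invalid key array offset %s"`. The hunk stops at the signature of `parseKeyMetadata`, so its body is not covered here.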