smaheshwar-pltr commented on code in PR #7770: URL: https://github.com/apache/iceberg/pull/7770#discussion_r1844220351
########## core/src/main/java/org/apache/iceberg/encryption/EncryptionUtil.java: ########## 
@@ -70,31 +75,93 @@ public static KeyManagementClient createKmsClient(Map<String, String> catalogPro return kmsClient; } + /** + * @deprecated will be removed in 2.0.0. use {@link #createEncryptionManager(String, int, + * KeyManagementClient)} instead. + */ + @Deprecated public static EncryptionManager createEncryptionManager( Map<String, String> tableProperties, KeyManagementClient kmsClient) { - Preconditions.checkArgument(kmsClient != null, "Invalid KMS client: null"); String tableKeyId = tableProperties.get(TableProperties.ENCRYPTION_TABLE_KEY); - - if (null == tableKeyId) { - // Unencrypted table - return PlaintextEncryptionManager.instance(); - } - int dataKeyLength = PropertyUtil.propertyAsInt( tableProperties, TableProperties.ENCRYPTION_DEK_LENGTH, TableProperties.ENCRYPTION_DEK_LENGTH_DEFAULT); + return createEncryptionManager(tableKeyId, dataKeyLength, kmsClient); + } + + public static EncryptionManager createEncryptionManager( + String tableKeyId, int dataKeyLength, KeyManagementClient kmsClient) { + Preconditions.checkArgument(kmsClient != null, "Invalid KMS client: null"); + + if (null == tableKeyId) { + // Unencrypted table + return PlaintextEncryptionManager.instance(); + } + Preconditions.checkState( dataKeyLength == 16 || dataKeyLength == 24 || dataKeyLength == 32, "Invalid data key length: %s (must be 16, 24, or 32)", dataKeyLength); - return new StandardEncryptionManager(tableKeyId, dataKeyLength, kmsClient); + return new StandardEncryptionManager(tableKeyId, dataKeyLength, ImmutableList.of(), kmsClient); } public static EncryptedOutputFile plainAsEncryptedOutput(OutputFile encryptingOutputFile) { return new BaseEncryptedOutputFile(encryptingOutputFile, EncryptionKeyMetadata.empty()); } + + /** + * Decrypt the key metadata for a snapshot. + * + * <p>Encryption for snapshot key metadata is only available for tables using standard encryption. 
+ * + * @param manifestList a ManifestListFile + * @param em the table's EncryptionManager + * @return a decrypted key metadata buffer + */ + public static ByteBuffer decryptSnapshotKeyMetadata( + ManifestListFile manifestList, EncryptionManager em) { + Preconditions.checkState( + em instanceof StandardEncryptionManager, + "Snapshot key metadata encryption requires a StandardEncryptionManager"); + ByteBuffer unwrappedKey = + ((StandardEncryptionManager) em).unwrapKey(manifestList.keyMetadataKeyId()); + return decryptSnapshotKeyMetadata( + unwrappedKey, manifestList.snapshotId(), manifestList.encryptedKeyMetadata()); + } + + private static ByteBuffer decryptSnapshotKeyMetadata( + ByteBuffer key, long snapshotId, ByteBuffer encryptedKeyMetadata) { + Ciphers.AesGcmDecryptor decryptor = new Ciphers.AesGcmDecryptor(ByteBuffers.toByteArray(key)); + byte[] keyMetadataBytes = ByteBuffers.toByteArray(encryptedKeyMetadata); + byte[] decryptedKeyMetadata = decryptor.decrypt(keyMetadataBytes, snapshotIdAsAAD(snapshotId)); + return ByteBuffer.wrap(decryptedKeyMetadata); + } + + /** + * Encrypts the key metadata for a snapshot. + * + * <p>Encryption for snapshot key metadata is only available for tables using standard encryption. + * + * @param key unwrapped snapshot key bytes + * @param snapshotId ID of the table snapshot + * @param keyMetadata unencrypted EncryptionKeyMetadata + * @return a Pair of the key ID used to encrypt and the encrypted key metadata Review Comment: ```suggestion * @return the encrypted key metadata ``` (nit) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. 
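Review bot: The public `decryptSnapshotKeyMetadata(ManifestListFile, EncryptionManager)` checks the manager type but passes `manifestList.keyMetadataKeyId()` and `manifestList.encryptedKeyMetadata()` straight to `unwrapKey` and the AES-GCM decryptor without validating them. Whether either accessor can return null is not visible in this hunk, but if it can (for example a manifest list written without snapshot key metadata), the failure would probably surface inside the KMS or cipher code rather than as a clear error; guards such as `Preconditions.checkArgument(manifestList.encryptedKeyMetadata() != null, "Invalid encrypted key metadata: null");` and the same for the key ID would make that case explicit. The type test on `em` validates an argument, so `checkArgument` would fit better than `checkState` there. Separately, the private overload turns the unwrapped key into a `byte[]` via `ByteBuffers.toByteArray(key)` and nothing visible clears it after decryption; it is worth confirming how the project treats key material lifetime. The quoted hunk stops inside the Javadoc of the following encrypt method, so that method is not reviewed here.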