/**
 * Tries every encryption-key entry of the message against the data-key cache and returns the
 * first payload that decrypts successfully.
 *
 * <p>The cache is looked up by a digest of the key bytes carried in the message metadata. A
 * cache hit is never trusted on its own: the cached key is accepted only when
 * {@code decryptData} returns a non-null buffer, so a digest collision that yields a different
 * key shows up as a failed decryption rather than as wrong plaintext.
 *
 * @param msgMetadata metadata of the message, including its list of encryption keys
 * @param payload     encrypted message payload
 * @return the decrypted payload, or {@code null} when no cached key decrypts it (the caller is
 *         expected to refresh the data key and call this method again)
 */
private ByteBuf getKeyAndDecryptData(MessageMetadata msgMetadata, ByteBuf payload) {
    // NOTE(review): `digest` is a shared field; if it is a java.security.MessageDigest it is
    // not thread-safe - confirm that callers serialize access to this method.
    for (EncryptionKeys keyEntry : msgMetadata.getEncryptionKeysList()) {
        byte[] messageKeyBytes = keyEntry.getValue().toByteArray();
        ByteBuffer cacheLookupKey = ByteBuffer.wrap(digest.digest(messageKeyBytes));
        SecretKey cachedKey = dataKeyCache.getIfPresent(cacheLookupKey);

        if (cachedKey == null) {
            // First time this key is seen: nothing cached yet for its digest.
            log.debug("{} Failed to decrypt data or data key is not in cache. Will attempt to refresh", logCtx);
            continue;
        }

        // If the digest collided and the cache returned a different key, decryption fails
        // here and the next entry is tried; the cost is only one wasted decryption attempt.
        ByteBuf plaintext = decryptData(cachedKey, msgMetadata, payload);
        if (plaintext != null) {
            return plaintext;
        }
    }
    return null;
}
/**
 * Decrypts {@code payload} with the data key referenced by the message metadata.
 *
 * <p>The cached data key is tried first. If there is none, or it does not decrypt the payload,
 * each encryption-key entry is handed to {@code decryptDataKey} until one succeeds, and the
 * payload is then decrypted again through the cache.
 *
 * @param msgMetadata metadata of the message, including its list of encryption keys
 * @param payload     encrypted message payload
 * @param keyReader   source of the key material passed to {@code decryptDataKey}
 * @return the decrypted payload, or {@code null} when the data key could not be recovered or
 *         the payload could not be decrypted. Callers must treat {@code null} as a decryption
 *         failure and must not hand the still-encrypted payload on as plaintext.
 */
public ByteBuf decrypt(MessageMetadata msgMetadata, ByteBuf payload, CryptoKeyReader keyReader) {
    // Fast path: a data key is already loaded, so try the cache before touching the key reader.
    if (dataKey != null) {
        ByteBuf fromCachedKey = getKeyAndDecryptData(msgMetadata, payload);
        if (fromCachedKey != null) {
            return fromCachedKey;
        }
    }

    // No data key yet, or the cached one did not fit this message: recover the data key.
    // Stop at the first entry that decryptDataKey accepts.
    // NOTE(review): decryptDataKey is not visible here; it presumably sets `dataKey` and fills
    // the cache as a side effect - confirm.
    boolean dataKeyRecovered = false;
    for (EncryptionKeys keyEntry : msgMetadata.getEncryptionKeysList()) {
        byte[] encDataKey = keyEntry.getValue().toByteArray();
        List<KeyValue> encKeyMeta = keyEntry.getMetadataList();
        if (decryptDataKey(keyEntry.getKey(), encDataKey, encKeyMeta, keyReader)) {
            dataKeyRecovered = true;
            break;
        }
    }

    if (!dataKeyRecovered || dataKey == null) {
        // Unable to decrypt the data key with any of the entries.
        return null;
    }

    return getKeyAndDecryptData(msgMetadata, payload);
}
/**
 * Merges the fields set on {@code other} into this builder.
 *
 * <p>{@code key} and {@code value} are overwritten when present on {@code other}; the
 * {@code metadata} entries of {@code other} are appended to the entries already held.
 *
 * @param other message whose fields are merged in
 * @return this builder
 */
public Builder mergeFrom(org.apache.pulsar.common.api.proto.PulsarApi.EncryptionKeys other) {
    // Merging the default instance changes nothing.
    if (other == org.apache.pulsar.common.api.proto.PulsarApi.EncryptionKeys.getDefaultInstance()) {
        return this;
    }

    if (other.hasKey()) {
        setKey(other.getKey());
    }
    if (other.hasValue()) {
        setValue(other.getValue());
    }

    if (other.metadata_.isEmpty()) {
        return this;
    }

    if (metadata_.isEmpty()) {
        // Adopt the other message's list instead of copying it. Bit 0x4 is cleared alongside;
        // presumably it marks metadata_ as a builder-owned mutable list, so that a later write
        // goes through ensureMetadataIsMutable() first - confirm against the generator output.
        metadata_ = other.metadata_;
        bitField0_ &= ~0x00000004;
    } else {
        ensureMetadataIsMutable();
        metadata_.addAll(other.metadata_);
    }
    return this;
}
.collect( Collectors.toMap(EncryptionKeys::getKey, e -> new EncryptionKey(e.getValue().toByteArray(), e.getMetadataList() != null ? e.getMetadataList().stream().collect(
/**
 * Tries every encryption-key entry of the message against the data-key cache and returns the
 * first payload that decrypts successfully.
 *
 * <p>The cache is looked up by a digest of the key bytes carried in the message metadata. A
 * cache hit is never trusted on its own: the cached key is accepted only when
 * {@code decryptData} returns a non-null buffer, so a digest collision that yields a different
 * key shows up as a failed decryption rather than as wrong plaintext.
 *
 * @param msgMetadata metadata of the message, including its list of encryption keys
 * @param payload     encrypted message payload
 * @return the decrypted payload, or {@code null} when no cached key decrypts it (the caller is
 *         expected to refresh the data key and call this method again)
 */
private ByteBuf getKeyAndDecryptData(MessageMetadata msgMetadata, ByteBuf payload) {
    // NOTE(review): `digest` is a shared field; if it is a java.security.MessageDigest it is
    // not thread-safe - confirm that callers serialize access to this method.
    for (EncryptionKeys keyEntry : msgMetadata.getEncryptionKeysList()) {
        byte[] messageKeyBytes = keyEntry.getValue().toByteArray();
        ByteBuffer cacheLookupKey = ByteBuffer.wrap(digest.digest(messageKeyBytes));
        SecretKey cachedKey = dataKeyCache.getIfPresent(cacheLookupKey);

        if (cachedKey == null) {
            // First time this key is seen: nothing cached yet for its digest.
            log.debug("{} Failed to decrypt data or data key is not in cache. Will attempt to refresh", logCtx);
            continue;
        }

        // If the digest collided and the cache returned a different key, decryption fails
        // here and the next entry is tried; the cost is only one wasted decryption attempt.
        ByteBuf plaintext = decryptData(cachedKey, msgMetadata, payload);
        if (plaintext != null) {
            return plaintext;
        }
    }
    return null;
}
/**
 * Decrypts {@code payload} with the data key referenced by the message metadata.
 *
 * <p>The cached data key is tried first. If there is none, or it does not decrypt the payload,
 * each encryption-key entry is handed to {@code decryptDataKey} until one succeeds, and the
 * payload is then decrypted again through the cache.
 *
 * @param msgMetadata metadata of the message, including its list of encryption keys
 * @param payload     encrypted message payload
 * @param keyReader   source of the key material passed to {@code decryptDataKey}
 * @return the decrypted payload, or {@code null} when the data key could not be recovered or
 *         the payload could not be decrypted. Callers must treat {@code null} as a decryption
 *         failure and must not hand the still-encrypted payload on as plaintext.
 */
public ByteBuf decrypt(MessageMetadata msgMetadata, ByteBuf payload, CryptoKeyReader keyReader) {
    // Fast path: a data key is already loaded, so try the cache before touching the key reader.
    if (dataKey != null) {
        ByteBuf fromCachedKey = getKeyAndDecryptData(msgMetadata, payload);
        if (fromCachedKey != null) {
            return fromCachedKey;
        }
    }

    // No data key yet, or the cached one did not fit this message: recover the data key.
    // Stop at the first entry that decryptDataKey accepts.
    // NOTE(review): decryptDataKey is not visible here; it presumably sets `dataKey` and fills
    // the cache as a side effect - confirm.
    boolean dataKeyRecovered = false;
    for (EncryptionKeys keyEntry : msgMetadata.getEncryptionKeysList()) {
        byte[] encDataKey = keyEntry.getValue().toByteArray();
        List<KeyValue> encKeyMeta = keyEntry.getMetadataList();
        if (decryptDataKey(keyEntry.getKey(), encDataKey, encKeyMeta, keyReader)) {
            dataKeyRecovered = true;
            break;
        }
    }

    if (!dataKeyRecovered || dataKey == null) {
        // Unable to decrypt the data key with any of the entries.
        return null;
    }

    return getKeyAndDecryptData(msgMetadata, payload);
}
/**
 * Merges the fields set on {@code other} into this builder.
 *
 * <p>{@code key} and {@code value} are overwritten when present on {@code other}; the
 * {@code metadata} entries of {@code other} are appended to the entries already held.
 *
 * @param other message whose fields are merged in
 * @return this builder
 */
public Builder mergeFrom(org.apache.pulsar.common.api.proto.PulsarApi.EncryptionKeys other) {
    // Merging the default instance changes nothing.
    if (other == org.apache.pulsar.common.api.proto.PulsarApi.EncryptionKeys.getDefaultInstance()) {
        return this;
    }

    if (other.hasKey()) {
        setKey(other.getKey());
    }
    if (other.hasValue()) {
        setValue(other.getValue());
    }

    if (other.metadata_.isEmpty()) {
        return this;
    }

    if (metadata_.isEmpty()) {
        // Adopt the other message's list instead of copying it. Bit 0x4 is cleared alongside;
        // presumably it marks metadata_ as a builder-owned mutable list, so that a later write
        // goes through ensureMetadataIsMutable() first - confirm against the generator output.
        metadata_ = other.metadata_;
        bitField0_ &= ~0x00000004;
    } else {
        ensureMetadataIsMutable();
        metadata_.addAll(other.metadata_);
    }
    return this;
}
/**
 * Resets the {@code value} field to the default instance's value and clears bit 0x2 of
 * {@code bitField0_} (presumably the has-value flag - confirm against the generator output).
 *
 * <p>Only the builder's reference is replaced; the bytes previously held are not overwritten.
 *
 * @return this builder
 */
public Builder clearValue() {
    bitField0_ &= ~0x00000002;
    value_ = getDefaultInstance().getValue();
    return this;
}
.collect( Collectors.toMap(EncryptionKeys::getKey, e -> new EncryptionKey(e.getValue().toByteArray(), e.getMetadataList() != null ? e.getMetadataList().stream().collect(
/**
 * Resets the {@code value} field to the default instance's value and clears bit 0x2 of
 * {@code bitField0_} (presumably the has-value flag - confirm against the generator output).
 *
 * <p>Only the builder's reference is replaced; the bytes previously held are not overwritten.
 *
 * @return this builder
 */
public Builder clearValue() {
    bitField0_ &= ~0x00000002;
    value_ = getDefaultInstance().getValue();
    return this;
}