move kms changes to another pr

apache · Dec 22, 2022 · c87ef1b · c87ef1b
1 parent 69f5569
commit c87ef1b
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 67 deletions.
diff --git a/api/src/main/java/org/apache/iceberg/encryption/KmsClient.java b/api/src/main/java/org/apache/iceberg/encryption/KmsClient.java
@@ -34,7 +34,7 @@ public interface KmsClient extends Serializable {
    * @param wrappingKeyId a key ID that represents a wrapping key stored in KMS
    * @return wrapped key material
    */
-  ByteBuffer wrapKey(ByteBuffer key, String wrappingKeyId);
+  String wrapKey(ByteBuffer key, String wrappingKeyId);
 
   /**
    * Some KMS systems support generation of secret keys inside the KMS server.
@@ -69,10 +69,10 @@ default KeyGenerationResult generateKey(String wrappingKeyId) {
    * @param wrappingKeyId a key ID that represents a wrapping key stored in KMS
    * @return raw key bytes
    */
-  ByteBuffer unwrapKey(ByteBuffer wrappedKey, String wrappingKeyId);
+  ByteBuffer unwrapKey(String wrappedKey, String wrappingKeyId);
 
   /**
-   * Initialize the KMS client with given properties.
+   * Initialize the KMS client with given properties
    *
    * @param properties kms client properties
    */
@@ -84,9 +84,9 @@ default KeyGenerationResult generateKey(String wrappingKeyId) {
    */
   class KeyGenerationResult {
     private final ByteBuffer key;
-    private final ByteBuffer wrappedKey;
+    private final String wrappedKey;
 
-    public KeyGenerationResult(ByteBuffer key, ByteBuffer wrappedKey) {
+    public KeyGenerationResult(ByteBuffer key, String wrappedKey) {
       this.key = key;
       this.wrappedKey = wrappedKey;
     }
@@ -95,7 +95,7 @@ public ByteBuffer key() {
       return key;
     }
 
-    public ByteBuffer wrappedKey() {
+    public String wrappedKey() {
       return wrappedKey;
     }
   }

diff --git a/core/src/main/java/org/apache/iceberg/encryption/KmsUtil.java b/core/src/main/java/org/apache/iceberg/encryption/KmsUtil.java
diff --git a/core/src/test/java/org/apache/iceberg/encryption/kms/KeyStoreKmsClient.java b/core/src/test/java/org/apache/iceberg/encryption/kms/KeyStoreKmsClient.java
@@ -41,20 +41,20 @@ public class KeyStoreKmsClient extends MemoryMockKMS {
 
   // Path to keystore file. Preferably kept in volatile storage, such as ramdisk. Don't store with
   // data.
-  public static final String KEYSTORE_FILE_PATH_PROP = "kms.client.keystore.path";
+  public static final String KEYSTORE_FILE_PATH_PROP = "keystore.kms.client.file.path";
 
   // Credentials (such as keystore password) must never be kept in a persistent storage.
   // In this class, the password is passed as a system environment variable.
   public static final String KEYSTORE_PASSWORD_ENV_VAR = "KEYSTORE_PASSWORD";
 
   @Override
-  public ByteBuffer wrapKey(ByteBuffer key, String wrappingKeyId) {
+  public String wrapKey(ByteBuffer key, String wrappingKeyId) {
     // keytool keeps key names in lower case
     return super.wrapKey(key, wrappingKeyId.toLowerCase());
   }
 
   @Override
-  public ByteBuffer unwrapKey(ByteBuffer wrappedKey, String wrappingKeyId) {
+  public ByteBuffer unwrapKey(String wrappedKey, String wrappingKeyId) {
     // keytool keeps key names in lower case
     return super.unwrapKey(wrappedKey, wrappingKeyId.toLowerCase());
   }

diff --git a/core/src/test/java/org/apache/iceberg/encryption/kms/MemoryMockKMS.java b/core/src/test/java/org/apache/iceberg/encryption/kms/MemoryMockKMS.java
@@ -19,6 +19,7 @@
 package org.apache.iceberg.encryption.kms;
 
 import java.nio.ByteBuffer;
+import java.util.Base64;
 import java.util.Map;
 import org.apache.iceberg.encryption.Ciphers;
 import org.apache.iceberg.encryption.KmsClient;
@@ -29,26 +30,27 @@ public abstract class MemoryMockKMS implements KmsClient {
   protected Map<String, byte[]> masterKeys;
 
   @Override
-  public ByteBuffer wrapKey(ByteBuffer key, String wrappingKeyId) {
+  public String wrapKey(ByteBuffer key, String wrappingKeyId) {
     byte[] wrappingKey = masterKeys.get(wrappingKeyId);
     if (null == wrappingKey) {
       throw new RuntimeException(
           "Cannot wrap, because wrapping key " + wrappingKeyId + " is not found");
     }
     Ciphers.AesGcmEncryptor keyEncryptor = new Ciphers.AesGcmEncryptor(wrappingKey);
     byte[] encryptedKey = keyEncryptor.encrypt(key.array(), null);
-    return ByteBuffer.wrap(encryptedKey);
+    return Base64.getEncoder().encodeToString(encryptedKey);
   }
 
   @Override
-  public ByteBuffer unwrapKey(ByteBuffer wrappedKey, String wrappingKeyId) {
+  public ByteBuffer unwrapKey(String wrappedKey, String wrappingKeyId) {
+    byte[] encryptedKey = Base64.getDecoder().decode(wrappedKey);
     byte[] wrappingKey = masterKeys.get(wrappingKeyId);
     if (null == wrappingKey) {
       throw new RuntimeException(
           "Cannot unwrap, because wrapping key " + wrappingKeyId + " is not found");
     }
     Ciphers.AesGcmDecryptor keyDecryptor = new Ciphers.AesGcmDecryptor(wrappingKey);
-    byte[] key = keyDecryptor.decrypt(wrappedKey.array(), null);
+    byte[] key = keyDecryptor.decrypt(encryptedKey, null);
     return ByteBuffer.wrap(key);
   }
 }