search

hpgrahsl / kryptonite-for-kafka

Kryptonite for Kafka is a client-side 🔒 field level 🔓 cryptography library for Apache Kafka® offering a Kafka Connect SMT, ksqlDB UDFs, and a standalone HTTP API service. It's an ! UNOFFICIAL ! community project
83 stars 6 forks source link

keyId and primaryKeyId generated from Tinkey fails with Kryptonite v0.4.1 if the number is greater than 2147483647 #16

Closed joshuagrisham-karolinska closed 11 months ago

joshuagrisham-karolinska commented 11 months ago

We are working on an implementation of some Connectors using v0.4.1 of this Kryptonite SMT (really cool project!) but ran into a problem.

When using Google's Tinkey CLI's create-keyset function to generate our key material, it seems that it creates some kind of random number for the keyId and primaryKeyId fields (not 100% sure if there is any logic behind it or not).

(for example like this:)

tinkey create-keyset --key-template AES128_GCM --out-format json --out some_example_keyset.json

Then we ran into an issue just using the value from Tinkey straight away if ID number was higher than 2147483647. Some errors popped up in the Connect server like this:

org.apache.kafka.connect.errors.ConnectException: org.apache.kafka.common.config.ConfigException: Invalid value com.fasterxml.jackson.databind.JsonMappingException: Numeric value (3015563227) out of range of int (-2147483648 - 2147483647)
at [Source: (String)"[{"identifier":"test.20231204","material":{"key":[{"keyData":{"keyMaterialType":"SYMMETRIC","typeUrl":"type.googleapis.com/google.crypto.tink.AesGcmKey","value":"***"},"keyId":3015563227,"outputPrefixType":"TINK","status":"ENABLED"}],"primaryKeyId":3015563227}}]"; line: 1, column: 216] (through reference chain: java.util.HashSet[0]->com.github.hpgrahsl.kryptonite.config.DataKeyConfig["material"]->com.github.hpgrahsl.kryptonite.config.TinkKeyConfig["key"]->java.util.HashSet[0]->com.github.hpgrahsl.kryptonite.config.TinkKeyConfig$KeyConfig["keyId"]) for configuration Numeric value (3015563227) out of range of int (-2147483648 - 2147483647)
at [Source: (String)"[{"identifier":"test.20231204","material":{"key":[{"keyData":{"keyMaterialType":"SYMMETRIC","typeUrl":"type.googleapis.com/google.crypto.tink.AesGcmKey","value":"***"},"keyId":3015563227,"outputPrefixType":"TINK","status":"ENABLED"}],"primaryKeyId":3015563227}}]"; line: 1, column: 216] (through reference chain: java.util.HashSet[0]->com.github.hpgrahsl.kryptonite.config.DataKeyConfig["material"]->com.github.hpgrahsl.kryptonite.config.TinkKeyConfig["key"]->java.util.HashSet[0]->com.github.hpgrahsl.kryptonite.config.TinkKeyConfig$KeyConfig["keyId"])

But then if we re-generate a new keyset which happens to have less than 2147483647 for its ID, then it seems to work ok.

My assumption/hope is if the data type for these TinkKeyConfig properties can be swapped from int to something else, that this would be an easy fix? 👼

hpgrahsl commented 11 months ago

THX for reporting this. I'll take a closer look but you are probably right. The data type needs to be adapted in order to allow for numeric key IDs beyond the int range. Most likely this will be fixed in the next patch release.

hpgrahsl commented 11 months ago

As usual I'm always curious to learn what you are actually doing with the library. That said @joshuagrisham-karolinska I'd be happy to learn more about your use case. Feel free to reach out anytime!

hpgrahsl commented 11 months ago

@joshuagrisham-karolinska Find the patch release here https://github.com/hpgrahsl/kryptonite-for-kafka/releases/tag/v0.4.2 Give it a try and let me know if this solves the reported issue.