tink-crypto / tink

Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
https://developers.google.com/tink
Apache License 2.0

Hashicorp Vault Integration - Java #712

Closed JordanStopford closed 7 months ago

JordanStopford commented 1 year ago

Hi all,

This is my first pull request for this project so please bear with me...

This pull request includes Hashicorp Vault integration, similar to the implementation already available for Go.

If there's any other information needed or if I've missed anything please let me know.

Regards,

Jordan

juergw commented 1 year ago

I added some comments to the Python integration pull request.

JordanStopford commented 9 months ago

Hi @juergw I'm just coming back round to this now - what else needs to be done on the Java side to get this merged?

juergw commented 9 months ago

Sorry, but there will be some delay with this. While adding some integration tests using a real vault instance, I came across an issue that was not documented: the current implementation only works for keys that are derivable. Normal keys will simply ignore the parameter "associatedData", without an error. I have now added a warning to the code, see https://github.com/tink-crypto/tink-go-hcvault/commit/2102894269b5b0c7e952c9173143689adaed375c. The problem is that we are using the "context" parameter for associated data, and not the "associatedData" parameter that was later added, after our implementation was done. We are currently discussing how we should fix this. I think we will probably add a new API in Go that uses the "associatedData" parameter.

juergw commented 9 months ago

Another related issue is https://github.com/tink-crypto/tink-go/issues/7. It seems that our vault AEAD implementation may in some situations return an empty ciphertext without an error. I'd like to find the cause of that, and fix that first, too.
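
A contract check for the two failure modes raised in the comments above (associated data silently ignored, empty ciphertext returned without an error), written in Go as an added example that is not part of the thread or of Tink's code. The `AEAD` interface copies the method set of Tink's Go AEAD interface; `local`, `dropAD` and `CheckAEAD` are hypothetical names, and the stand-in is a local AES-GCM key with a constructed all-zero demo key, not a Vault client.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type AEAD interface { // same method set as Tink's Go AEAD interface
	Encrypt(plaintext, associatedData []byte) ([]byte, error)
	Decrypt(ciphertext, associatedData []byte) ([]byte, error)
}

// local is a constructed AES-GCM stand-in for a KMS-backed key; dropAD wraps an
// AEAD and ignores associated data, the behaviour described in the thread.
type local struct{}
type dropAD struct{ AEAD }

var block, _ = aes.NewCipher(make([]byte, 32)) // constructed all-zero demo key
var gcm, _ = cipher.NewGCM(block)

func (local) Encrypt(pt, ad []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	_, err := rand.Read(nonce)
	return gcm.Seal(nonce, nonce, pt, ad), err // output is nonce || ciphertext || tag
}

func (local) Decrypt(ct, ad []byte) ([]byte, error) {
	if n := gcm.NonceSize(); len(ct) >= n {
		return gcm.Open(nil, ct[:n], ct[n:], ad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

func (d dropAD) Encrypt(pt, _ []byte) ([]byte, error) { return d.AEAD.Encrypt(pt, nil) }
func (d dropAD) Decrypt(ct, _ []byte) ([]byte, error) { return d.AEAD.Decrypt(ct, nil) }

// CheckAEAD probes for an empty ciphertext and for unenforced associated data.
func CheckAEAD(a AEAD) error {
	ct, err := a.Encrypt([]byte("constructed plaintext"), []byte("tenant-A"))
	if err != nil || len(ct) == 0 {
		return fmt.Errorf("encrypt: err=%v, ciphertext length=%d", err, len(ct))
	}
	_, okErr := a.Decrypt(ct, []byte("tenant-A"))
	if _, badErr := a.Decrypt(ct, []byte("tenant-B")); okErr != nil || badErr == nil {
		return fmt.Errorf("associated data not enforced: match=%v mismatch=%v", okErr, badErr)
	}
	return nil
}

func main() { fmt.Println(CheckAEAD(local{}), CheckAEAD(dropAD{local{}})) }
```

Run against a real KMS-backed AEAD in an integration test, the same function fails the build when associated data is accepted but not authenticated.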

JordanStopford commented 6 months ago

Hi @juergw @morambro I think we needed to make the change to use the "associatedData" field instead of "context" here - does that still need to be done prior to the next release of tink? Thank you for accepting my changes for both Java and Python integrations of Hashicorp Vault :)

morambro commented 6 months ago

Hi @JordanStopford, regarding the releases:

NOTE: In the near future we are going to archive https://github.com/tink-crypto/tink (see https://github.com/tink-crypto/tink/issues/730).