Skip to content

Initial add of cached key decryptor #157

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
coltfred wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Initial add of cached key decryptor #157

coltfred wants to merge 3 commits into from

Conversation

@coltfred
Copy link
Member

@coltfred coltfred commented Jan 22, 2026

This is a strawman implementation of the idea of caching a DEK for reuse for a short period of time.

TODO:

  • Add the encryptor counterpart.
  • Decide if we should zero the DEK the caller sends in to the decryptor to ensure proper disposal
  • Add reporting of DEK usage on close

@coltfred coltfred mentioned this pull request Jan 22, 2026
Open
giarc3
giarc3 reviewed Jan 22, 2026
View reviewed changes
src/main/java/com/ironcorelabs/tenantsecurity/kms/v1/CachedKeyDecryptor.java
Comment on lines +190 to +200
private CompletableFuture<PlaintextDocument> decryptFields(Map<String, byte[]> document,
String documentEdek) {
// Check closed/expired state again before starting decryption
if (closed.get()) {
return CompletableFuture.failedFuture(new TscException(
TenantSecurityErrorCodes.DOCUMENT_DECRYPT_FAILED, "CachedKeyDecryptor has been closed"));
}
if (isExpired()) {
return CompletableFuture.failedFuture(new TscException(
TenantSecurityErrorCodes.DOCUMENT_DECRYPT_FAILED, "CachedKeyDecryptor has expired"));
}
Copy link
Member

@giarc3 giarc3 Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-checking these feels really unnecessary to me. If you're following the calls from decrypt, there's not really any code between the check and the re-check, right? Or we could remove the checks from decrypt and only have them here

src/main/java/com/ironcorelabs/tenantsecurity/kms/v1/CachedKeyDecryptor.java
Comment on lines +202 to +215
// Parallel decrypt each field
Map<String, CompletableFuture<byte[]>> decryptOps = document.entrySet().stream()
.collect(Collectors.toMap(Map.Entry::getKey,
entry -> CompletableFuture.supplyAsync(
() -> CryptoUtils.decryptDocument(entry.getValue(), dek).join(),
encryptionExecutor)));

// Join all futures and build result
return CompletableFutures.tryCatchNonFatal(() -> {
Map<String, byte[]> decryptedBytes = decryptOps.entrySet().stream()
.collect(Collectors.toMap(Map.Entry::getKey, entry -> entry.getValue().join()));
return new PlaintextDocument(decryptedBytes, documentEdek);
});
}
Copy link
Member

@giarc3 giarc3 Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a bummer that this has to just be duplicated code

src/main/java/com/ironcorelabs/tenantsecurity/kms/v1/CachedKeyDecryptor.java
Comment on lines +165 to +180
if (closed.get()) {
return CompletableFuture.failedFuture(new TscException(
TenantSecurityErrorCodes.DOCUMENT_DECRYPT_FAILED, "CachedKeyDecryptor has been closed"));
}
if (isExpired()) {
return CompletableFuture.failedFuture(new TscException(
TenantSecurityErrorCodes.DOCUMENT_DECRYPT_FAILED, "CachedKeyDecryptor has expired"));
}

// Validate EDEK matches
if (!this.edek.equals(edek)) {
return CompletableFuture
.failedFuture(new TscException(TenantSecurityErrorCodes.DOCUMENT_DECRYPT_FAILED,
"Provided EDEK does not match the cached EDEK. "
+ "This decryptor can only decrypt documents with matching EDEKs."));
}
Copy link
Member

@giarc3 giarc3 Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These checks should probably move to a function

src/main/java/com/ironcorelabs/tenantsecurity/kms/v1/TenantSecurityClient.java
* This is the recommended pattern for using cached decryptors with CompletableFuture composition:
*
* <pre>
* client.withCachedDecryptor(edek, metadata, decryptor -&gt;
Copy link
Member

@giarc3 giarc3 Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is the > escaped here and below?

Copy link
Member Author

@coltfred coltfred Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When you put a > inside a javadoc comment you have use the html escape for it. We've been really bad at putting examples on our other functions so you haven't seen it much.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@giarc3 giarc3 giarc3 left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@coltfred coltfred

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@coltfred @giarc3