Regarding Derby42 : Do not store the encryption key length and the encryption block size in service.properties:

[Sunitha Kambhampati]

Do not store the encryption key length and the encryption block size in 
service.properties for encrypted database when external key is used.

Regarding  fix for derby 42 
(http://nagoya.apache.org/jira/browse/DERBY-42 ):
1)The encryption key length is used only for error checking and the fix 
to not store this information is OK and simple. Also attached is patch 
to fix this first part .

2)However removing the encryption block size property is little more 
involved:
Currently,  the encryption block size is obtained during creation of the 
encrypted database and stored in service.properties.  On subsequent 
connections, this stored value is used for padding of logs.

One of the reason for storing this block size is because Cipher class 
description suggests that the getBlockSize() returns the default block 
size. Thus it is likely that the blocksize returned from this api might 
change and hence for subsequent connections, the logging system uses the 
stored encryption block size to do padding.

But in case of *external key*, if it is decided to remove storing the 
encryption block size, then
a) database created with previous versions ( ie before this fix) will 
work OK with this fix.  No issue with upgrade.
b) database *created* with version that has this fix will not work with 
previous versions since the previous version will try to get the 
encryption block size from the service.properties and will not find it.

So, because of  (b), the fix to remove encryption block size from 
service.properties will require the versioning numbers to change, is 
that right (?).

Any thoughts/comments
Thanks.
Sunitha.
ps: attached patch fixes the first part of derby42 -  do not store the 
encryption key length in service properties when external key is used


Index: java/engine/org/apache/derby/impl/services/jce/JCECipherFactory.java
===================================================================
--- java/engine/org/apache/derby/impl/services/jce/JCECipherFactory.java        
(revision 54990)
+++ java/engine/org/apache/derby/impl/services/jce/JCECipherFactory.java        
(working copy)
@@ -545,12 +545,6 @@
                                        throw 
StandardException.newException(SQLState.SERVICE_WRONG_BOOT_PASSWORD);
 
                                generatedKey = 
org.apache.derby.iapi.util.StringUtil.fromHexString(externalKey, 0, 
externalKey.length());
-                               if(create)
-                                  
properties.put(Attribute.CRYPTO_KEY_LENGTH,String.valueOf(generatedKey.length));
     
-                               else
-                                 // mismatch in encryptedKey used at creation 
versus at connecting again
-                                 if(generatedKey.length != encodedKeyLength && 
encodedKeyLength > 0)
-                                       throw 
StandardException.newException(SQLState.ENCRYPTION_BAD_EXTERNAL_KEY);
 
                        } else {