xanderbailey commented on PR #2383: URL: https://github.com/apache/iceberg-rust/pull/2383#issuecomment-4382775664
> 1. Missing KEY_TIMESTAMP on a KEK should fail-fast, not silently pass None AAD
>
> encryption_manager.rs:500-503 (in decrypt_dek) and the symmetric wrap site (:350-352):
>
> ```rust
> let aad = kek.properties().get(KEK_CREATED_AT_PROPERTY).map(|ts| ts.as_bytes());
> ```
>
> Java asserts `Preconditions.checkState(keyEncryptionKeyTimestamp != null, "Key encryption key must be timestamped")` (EncryptionUtil.java:161-162). Here a KEK missing the timestamp silently passes None on both wrap and unwrap — the pair roundtrips, but the tampering defense is gone. And if one side has the property and the other doesn't, you get a generic AES-GCM auth failure instead of a clear "corrupted KEK" error.
>
> Suggest: require the property in both paths and return ErrorKind::DataInvalid with a clear message if it's missing. create_kek always sets it, so the only way to hit this is a malformed table — which is exactly the case we want to surface loudly.

[7f0ffcc](https://github.com/apache/iceberg-rust/pull/2383/commits/7f0ffcc9cc83e5d23084b582754d47f7a2db25ac)
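As an added illustration (not code from the PR or from the iceberg-rust project), the following self-contained Rust models the three outcomes the review describes: both sides untimestamped silently round-trip, one side untimestamped yields only a generic AEAD failure, and a fail-fast lookup surfaces a clear DataInvalid error instead. The property name, the error enum and the std hash standing in for the AES-GCM tag are assumptions; no real AEAD is involved.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashMap;
use std::hash::{Hash, Hasher};

/// Stand-in for the KEK_CREATED_AT_PROPERTY constant (the property name is assumed).
pub const KEK_CREATED_AT_PROPERTY: &str = "created-at";

#[derive(Debug, PartialEq)]
pub enum Error {
    DataInvalid(String), // clear, fail-fast error for a malformed KEK (the ErrorKind::DataInvalid case)
    AuthFailed,          // the generic tag mismatch an AEAD such as AES-GCM reports
}

/// Current behaviour: a missing timestamp silently yields no AAD.
pub fn aad_lenient(props: &HashMap<String, String>) -> Option<Vec<u8>> {
    props.get(KEK_CREATED_AT_PROPERTY).map(|ts| ts.as_bytes().to_vec())
}

/// Suggested behaviour: refuse to wrap or unwrap with an untimestamped KEK.
pub fn aad_strict(props: &HashMap<String, String>) -> Result<Vec<u8>, Error> {
    aad_lenient(props).ok_or_else(|| Error::DataInvalid("key encryption key must be timestamped".into()))
}

/// Constructed stand-in for an AEAD tag over (key, AAD, DEK). Not a real MAC; it only models
/// that a tag computed under one AAD does not verify under another.
fn toy_tag(key: &[u8], aad: Option<&[u8]>, dek: &[u8]) -> u64 {
    let mut h = DefaultHasher::new();
    (key, aad, dek).hash(&mut h);
    h.finish()
}

/// Compare the tag the wrapping side produced with the one the unwrapping side recomputes.
fn check(key: &[u8], wrap_aad: Option<&[u8]>, unwrap_aad: Option<&[u8]>, dek: &[u8]) -> Result<(), Error> {
    if toy_tag(key, wrap_aad, dek) == toy_tag(key, unwrap_aad, dek) { Ok(()) } else { Err(Error::AuthFailed) }
}

const KEK: &[u8] = b"constructed-kek"; // constructed sample key material, not real
const DEK: &[u8] = b"constructed-dek";

/// Writer wraps with its KEK's AAD, reader unwraps with its own; lenient lookup on both sides.
pub fn roundtrip_lenient(writer: &HashMap<String, String>, reader: &HashMap<String, String>) -> Result<(), Error> {
    check(KEK, aad_lenient(writer).as_deref(), aad_lenient(reader).as_deref(), DEK)
}

/// Same exchange with the fail-fast lookup: a missing timestamp surfaces before any AEAD call.
pub fn roundtrip_strict(writer: &HashMap<String, String>, reader: &HashMap<String, String>) -> Result<(), Error> {
    let (w, r) = (aad_strict(writer)?, aad_strict(reader)?);
    check(KEK, Some(&w[..]), Some(&r[..]), DEK)
}
```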
