This is an automated email from the ASF dual-hosted git repository.

jiangtian pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/tsfile.git


The following commit(s) were added to refs/heads/develop by this push:
     new 38a847dd generate main key (#519)
38a847dd is described below

commit 38a847ddae3e26030208fbee9bcbc61e98e342f9
Author: jintao zhu <[email protected]>
AuthorDate: Thu Aug 14 15:16:31 2025 +0800

    generate main key (#519)
    
    * add save_encrypt_key option
    
    * review codes
---
 .../apache/tsfile/common/conf/TSFileConfig.java    | 15 ++++++-
 .../org/apache/tsfile/encrypt/EncryptUtils.java    | 48 ++--------------------
 .../tsfile/file/metadata/TsFileMetadata.java       |  8 ++++
 .../apache/tsfile/read/UnClosedTsFileReader.java   |  2 +-
 4 files changed, 25 insertions(+), 48 deletions(-)

diff --git 
a/java/tsfile/src/main/java/org/apache/tsfile/common/conf/TSFileConfig.java 
b/java/tsfile/src/main/java/org/apache/tsfile/common/conf/TSFileConfig.java
index 709af3c0..eb49b718 100644
--- a/java/tsfile/src/main/java/org/apache/tsfile/common/conf/TSFileConfig.java
+++ b/java/tsfile/src/main/java/org/apache/tsfile/common/conf/TSFileConfig.java
@@ -174,11 +174,14 @@ public class TSFileConfig implements Serializable {
   private CompressionType compressor = CompressionType.LZ4;
 
   /** encryptKey, this should be 16 bytes String. */
-  private byte[] encryptKey = 
"abcdefghijklmnop".getBytes(TSFileConfig.STRING_CHARSET);
+  private byte[] encryptKey;
 
   /** Data encryption method, default encryptType is "UNENCRYPTED". */
   private String encryptType = "UNENCRYPTED";
 
+  /** Salt for encrypt, this should be 16 bytes String. */
+  private byte[] encryptSalt = EncryptUtils.generateSalt();
+
   /** Line count threshold for checking page memory occupied size. */
   private int pageCheckSizeThreshold = 100;
 
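Review bot: `encryptSalt` is initialised with a fresh random value for every `TSFileConfig` instance, so the same token yields a different key in each process unless the salt used at write time is stored and handed back through `setEncryptSalt` before `setEncryptKeyFromToken` runs; nothing in this hunk documents that requirement. The Javadoc should state it, for example `/** Random per-instance salt for key derivation; persist it and restore it to re-derive the same key. */`, and should describe the field as a byte array rather than a 16-byte String. `encryptKey` now starts as null, so its Javadoc should also say that it is unset until a key or token has been supplied.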
@@ -277,7 +280,15 @@ public class TSFileConfig implements Serializable {
   }
 
   public void setEncryptKeyFromToken(String token) {
-    this.encryptKey = EncryptUtils.getEncryptKeyFromToken(token);
+    this.encryptKey = EncryptUtils.getEncryptKeyFromToken(token, encryptSalt);
+  }
+
+  public void setEncryptSalt(byte[] encryptSalt) {
+    this.encryptSalt = encryptSalt;
+  }
+
+  public byte[] getEncryptSalt() {
+    return this.encryptSalt;
   }
 
   public int getGroupSizeInByte() {
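Review bot: `setEncryptSalt` stores the caller's array as-is and `getEncryptSalt` hands out the internal one, so the salt can be mutated or set to null after the key was derived, and a null salt would only surface later inside key derivation. Copying at the boundary and rejecting null is safer: `this.encryptSalt = Objects.requireNonNull(encryptSalt, "encryptSalt").clone();` and `return encryptSalt.clone();` (this needs `java.util.Objects` if the file does not already import it). The ordering dependency also deserves a comment on `setEncryptKeyFromToken`: a salt set after that call does not re-derive `encryptKey`.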
diff --git 
a/java/tsfile/src/main/java/org/apache/tsfile/encrypt/EncryptUtils.java 
b/java/tsfile/src/main/java/org/apache/tsfile/encrypt/EncryptUtils.java
index a6216754..97b7ad57 100644
--- a/java/tsfile/src/main/java/org/apache/tsfile/encrypt/EncryptUtils.java
+++ b/java/tsfile/src/main/java/org/apache/tsfile/encrypt/EncryptUtils.java
@@ -28,9 +28,6 @@ import org.slf4j.LoggerFactory;
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
 
-import java.io.BufferedReader;
-import java.io.FileReader;
-import java.io.IOException;
 import java.lang.reflect.InvocationTargetException;
 import java.security.InvalidKeyException;
 import java.security.MessageDigest;
@@ -43,8 +40,6 @@ public class EncryptUtils {
 
   private static final Logger logger = 
LoggerFactory.getLogger(EncryptUtils.class);
 
-  private static final String defaultKey = "abcdefghijklmnop";
-
   private static final String encryptClassPrefix = 
"org.apache.tsfile.encrypt.";
 
   private static volatile String normalKeyStr;
@@ -81,47 +76,10 @@ public class EncryptUtils {
     }
   }
 
-  public static String getEncryptKeyFromPath(String path) {
-    if (path == null) {
-      return defaultKey;
-    }
-    if (path.isEmpty()) {
-      return defaultKey;
-    }
-    try (BufferedReader br = new BufferedReader(new FileReader(path))) {
-      StringBuilder sb = new StringBuilder();
-      String line;
-      boolean first = true;
-      while ((line = br.readLine()) != null) {
-        if (first) {
-          sb.append(line);
-          first = false;
-        } else {
-          sb.append("\n").append(line);
-        }
-      }
-      String str = sb.toString();
-      if (str.isEmpty()) {
-        return defaultKey;
-      }
-      if (str.length() != 16) {
-        throw new EncryptException(
-            "The length of the key("
-                + str
-                + ") in the file is not 16 bytes, please check the key file:"
-                + path);
-      }
-      return str;
-    } catch (IOException e) {
-      throw new EncryptException("Read main encrypt key error", e);
-    }
-  }
-
-  public static byte[] getEncryptKeyFromToken(String token) {
+  public static byte[] getEncryptKeyFromToken(String token, byte[] salt) {
     if (token == null || token.trim().isEmpty()) {
-      return defaultKey.getBytes();
+      return generateSalt();
     }
-    byte[] salt = generateSalt();
     try {
       return deriveKeyInternal(token.getBytes(), salt, ITERATION_COUNT, dkLen);
     } catch (NoSuchAlgorithmException | InvalidKeyException e) {
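Review bot: For a null or blank token, `getEncryptKeyFromToken` now returns `generateSalt()`, that is, a random array of `SALT_LENGTH` bytes used as the key. This ignores the `salt` argument, may not match `dkLen`, and cannot be reproduced later unless the caller stores the result. If a random main key is intended here, it should be sized and named as a key and the behaviour documented; otherwise throwing `EncryptException` for a missing token is the safer default. Separately, `token.getBytes()` uses the platform default charset, so the derived key can differ between JVMs; `token.getBytes(TSFileConfig.STRING_CHARSET)`, the constant the removed config line used, would pin it. The method body continues past the end of the hunk.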
@@ -184,7 +142,7 @@ public class EncryptUtils {
     return Mac.getInstance(HMAC_ALGORITHM).getMacLength();
   }
 
-  private static byte[] generateSalt() {
+  public static byte[] generateSalt() {
     byte[] salt = new byte[SALT_LENGTH];
     new SecureRandom().nextBytes(salt);
     return salt;
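Review bot: `generateSalt` becomes public here but has no Javadoc, although it is now part of the class's external API and is called from `TSFileConfig`. A short comment such as `/** Returns SALT_LENGTH cryptographically random bytes from a new SecureRandom. */` would make the contract visible to callers. The method's closing brace is outside the hunk.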
diff --git 
a/java/tsfile/src/main/java/org/apache/tsfile/file/metadata/TsFileMetadata.java 
b/java/tsfile/src/main/java/org/apache/tsfile/file/metadata/TsFileMetadata.java
index c0e6b464..5c77055c 100644
--- 
a/java/tsfile/src/main/java/org/apache/tsfile/file/metadata/TsFileMetadata.java
+++ 
b/java/tsfile/src/main/java/org/apache/tsfile/file/metadata/TsFileMetadata.java
@@ -35,6 +35,7 @@ import java.nio.ByteBuffer;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Map.Entry;
+import java.util.Objects;
 import java.util.TreeMap;
 
 /** TSFileMetaData collects all metadata info and saves in its data structure. 
*/
@@ -154,6 +155,13 @@ public class TsFileMetadata {
         if (propertiesMap.get("encryptKey") == null || 
propertiesMap.get("encryptKey").isEmpty()) {
           throw new EncryptException("TsfileMetadata null encryptKey while 
encryptLevel is 2");
         }
+        if (Objects.equals(
+                TSFileDescriptor.getInstance().getConfig().getEncryptType(),
+                "org.apache.tsfile.encrypt.UNENCRYPTED")
+            || Objects.equals(
+                TSFileDescriptor.getInstance().getConfig().getEncryptType(), 
"UNENCRYPTED")) {
+          throw new EncryptException("fail to decrypt encrypted tsfile in 
unencrypted system");
+        }
         IDecryptor decryptor =
             IDecryptor.getDecryptor(
                 propertiesMap.get("encryptType"),
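Review bot: The new guard looks up `TSFileDescriptor.getInstance().getConfig().getEncryptType()` twice and compares it with two string literals, one of which repeats the package prefix that `EncryptUtils` already holds as `encryptClassPrefix`. Reading the value once, `String systemType = TSFileDescriptor.getInstance().getConfig().getEncryptType();`, and testing `"UNENCRYPTED".equals(systemType) || "org.apache.tsfile.encrypt.UNENCRYPTED".equals(systemType)` is easier to read and keeps both comparisons on the same value. A null encrypt type passes this check and reaches `IDecryptor.getDecryptor`; whether that can occur is not visible here. The statement that follows is cut off by the end of the hunk.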
diff --git 
a/java/tsfile/src/main/java/org/apache/tsfile/read/UnClosedTsFileReader.java 
b/java/tsfile/src/main/java/org/apache/tsfile/read/UnClosedTsFileReader.java
index f21b9713..ce76fbc8 100644
--- a/java/tsfile/src/main/java/org/apache/tsfile/read/UnClosedTsFileReader.java
+++ b/java/tsfile/src/main/java/org/apache/tsfile/read/UnClosedTsFileReader.java
@@ -40,7 +40,7 @@ public class UnClosedTsFileReader extends 
TsFileSequenceReader {
 
   // ioSizeRecorder can be null
   public UnClosedTsFileReader(
-      String file, EncryptParameter decryptParam, LongConsumer ioSizeRecorder) 
throws IOException {
+      String file, EncryptParameter encryptParam, LongConsumer ioSizeRecorder) 
throws IOException {
     super(file, false, ioSizeRecorder);
     this.encryptParam = encryptParam;
   }
