Introduce shouldEncrypt in PutRequestOptions for clients to not encrypt self key/shared key data #1401

Closed
murali-shris opened this issue Sep 19, 2024 · 2 comments · Fixed by #1398
murali-shris commented Sep 19, 2024

Is your feature request related to a problem? Please describe.

  • Currently isEncrypted in metadata is set to false even though data is encrypted.
  • Clients don't have control if they choose not to encrypt data for self key/shared key

Describe the solution you'd like

  • Introduce a flag shouldEncrypt in PutRequestOptions which will be true by default
  • A new client can still see old data, which can be encrypted with isEncrypted=false. Handle this scenario while decrypting

Describe alternatives you've considered

No response

Additional context

No response

@murali-shris murali-shris added the enhancement New feature or request label Sep 19, 2024
@murali-shris murali-shris self-assigned this Sep 19, 2024
murali-shris commented Sep 19, 2024

@gkc
For self key/shared key, data will be encrypted but metadata.isEncrypted = false.
Once we merge the changes for this feature, there are two scenarios while decrypting:
i) new data - data will be encrypted. metadata.isEncrypted = true
ii) old data - data will be encrypted. metadata.isEncrypted = false

I have implemented the below approach for backward compatibility in GetResponseTransformer:
i) if key is public, do not call decryption service
ii) if metadata.isEncrypted=true, call decryption service
iii) if metadata is not set or metadata.isEncrypted=false, try decrypting the data (may be old data). If decryption passes, then return the decrypted value. If decryption fails, then return the actual value.

https://github.com/atsign-foundation/at_client_sdk/pull/1398/files#diff-4565ef50d8f9949de083fc75b9212acc31ae9463627cac423497f138664565d3
Another implementation which I had in mind (but yet to implement). If decryption passes for scenario iii), update metadata.isEncrypted = true in metadata. So old keys with isEncrypted=false will eventually be migrated.

Please let me know your thoughts
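
The three-step decision described in the comment above, including the proposed flag migration, as an added example that is not part of the thread or of the at_client_sdk code. Meta, Decryptor, resolveValue and toyDecrypt are hypothetical names, and the "enc:" base64 decryptor is a constructed stand-in for the real decryption service.

```dart
import 'dart:convert';

// Hypothetical stand-ins; none of these names come from at_client_sdk.
class Meta {
  bool? isEncrypted;
  final bool isPublic;
  Meta({this.isEncrypted, this.isPublic = false});
}

typedef Decryptor = String Function(String stored);

/// Returns the value to hand to the caller, following steps i) to iii).
String resolveValue(String stored, Meta? meta, Decryptor decrypt) {
  // i) public key: never call the decryption service
  if (meta != null && meta.isPublic) return stored;
  // ii) flag set: decrypt; a failure here propagates to the caller
  //     (assumption: the comment does not say how this case is handled)
  if (meta?.isEncrypted == true) return decrypt(stored);
  // iii) flag missing or false: may be legacy ciphertext, so try it
  try {
    final plain = decrypt(stored);
    meta?.isEncrypted = true; // proposed migration of the legacy flag
    return plain;
  } on Exception {
    return stored; // not ciphertext: return the actual value
  }
}

// Constructed toy "decryption service": only "enc:" + base64 decrypts.
String toyDecrypt(String stored) {
  if (!stored.startsWith('enc:')) throw FormatException('not ciphertext');
  return utf8.decode(base64.decode(stored.substring(4)));
}

void main() {
  final cipher = 'enc:${base64.encode(utf8.encode('hello'))}';
  final legacy = Meta(isEncrypted: false); // old data, wrong flag
  print(resolveValue(cipher, legacy, toyDecrypt)); // legacy ciphertext
  print(legacy.isEncrypted); // flag after the migration step
  // new data written unencrypted, flag correctly false
  print(resolveValue('plain text', Meta(isEncrypted: false), toyDecrypt));
  print(resolveValue(cipher, null, toyDecrypt)); // metadata not set
  print(resolveValue(cipher, Meta(isPublic: true), toyDecrypt)); // public
}
```

Step iii) treats any value the decryptor accepts as ciphertext, so how strictly the decryptor rejects non-ciphertext decides whether plaintext stored with isEncrypted=false comes back unchanged.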

gkc commented Sep 19, 2024

Discussed on call

@murali-shris murali-shris changed the title from "Introduce isEncrypted in PutRequestOptions for clients to not encrypt self key/shared key data" to "Introduce shouldEncrypt in PutRequestOptions for clients to not encrypt self key/shared key data" Sep 25, 2024
@gkc gkc closed this as completed in #1398 Sep 27, 2024