| Commit message | Author | Age | Files | Lines |

This resolves two issues:
* `javax.crypto.CipherOutputStream` swallows MAC tag mismatch exceptions
when the stream is closed, which means that corruptions (intentional
or not) are not caught. This is documented behavior, but still very
surprising and a rather questionable default. BC's interchangeable
`CipherOutputStream` throws as expected. To avoid regressions, add an
explicit test that both ciphertext and MAC tag corruptions are propagated.
* The default-provided `AES/GCM/NoPadding` `Cipher` instance will not emit
decrypted plaintext per `update()` chunk, but buffer everything until
`doFinal()` is invoked when the stream is closed. This means that decrypting
very large ciphertexts can blow up memory usage since internal output
buffers are reallocated and increased per iteration...! Instead use an
explicit BC `GCMBlockCipher` which has the expected behavior (and actually
lets cipher streams, well, _stream_). Add an `AeadCipher` abstraction to
avoid leaking BC APIs outside the security module.

Adds underlying support--and tooling--for resealing a token for
another recipient. This allows for delegating decryption to another
party without having to reveal the private key of the original
recipient (or having to send the raw underlying secret key over a
potentially insecure channel). Key ID can/should change as part of
this operation.

* Base62 minimizes extra size overhead relative to Base64.
* Base58 removes ambiguous characters from key encodings.
Common for both bases is that they do not emit any characters that
interfere with easily selecting them on web pages or in the CLI.

Currently supports converting from and to any combination of
base {16, 58, 62, 64}. Input is read from STDIN and is intentionally
limited in length due to the algorithmic complexity of base
conversions that are not a power of two. Converted value is
written to STDOUT.

Enforces invariants and avoids having to pass raw byte arrays around.

Dumps key version, ID and HPKE components

This makes key IDs vastly more expressive. Max size is 255 bytes,
and UTF-8 form is enforced by checking that the byte sequence can be
identity-transformed to and from a string with UTF-8 encoding.
In addition, we now protect the integrity of the key ID by supplying
it as the AAD parameter to the key sealing and opening operations.
Reduce v1 token max length of `enc` part to 255, since this is always
an X25519 public key, which is never bigger than 32 bytes (but may
be _less_ if the random `BigInteger` is small enough, so we still have
to encode the length).

Useful for avoiding the need for intermediate files, such as when
piping the output of decryption to a Zstd decompressor.
Adds stdio support to:
* Encryption input
* Decryption input
* Decryption output
Specified by substituting the file name with a single `-` character.

Adds support for:
* X25519 key pair generation
* HPKE stream encryption with public key and token generation
* HPKE stream decryption with private key

* remove now-duplicated code
* prefer using ${VESPA_HOME} environment variable

magic conversions.

Streaming search still uses this to ensure low latencies, and
we don't have a replacement for priorities for this use case yet.

Add dependency on 'jetty-http' with scope test instead of adding false dependencies with 'container-test'.

Also remove deprecated and unsupported header-only visitor parameter

Load types have not been properly supported for some time, so remove
the remaining API surfaces exposing them. Since load type config was
the last remaining use of <clients> in services.xml, remove that one
as well.

- From maven-shade-plugin 3.3.0 (needed for JDK 17), the DRP
is installed and used instead of the ordinary pom.xml, causing
transitive dependencies to disappear for dependent modules.

Load types have not been used in practice for years, and supporting
them in backend metrics etc. has long since been lacking. Prepare for
removing these on Vespa 8.
Most callsites are unchanged, aside from presumed safe changes such
as constructors used by dependency injection. Have added new overloads
without load types where these did not already exist to allow for
an orderly transition.

This is functionality that made more sense when we had spinning drives
and no async write scheduling in the backend. Going away on Vespa 8.

* should have same behavior in Java and C++
* extend unit tests to verify
* note various places where we want to change the default on Vespa 8 branch

- Removes 223 build warnings (out of 562 for building non-test code)

- Generate countless warnings for duplicates and breaking encapsulation.

* these were stricter than in parent, but to simplify
we can just use compiler args from parent

* these tools are also in the category where users
will consider any INFO level message noise.
Since they don't use the vespa LogSetup, just
increase the threshold programmatically.

-direct route

This reverts commit 75b2e4c11ea6463c335f1c77dab3fdb5493e5600.