Skip to content

fix: have export call encrypt instead of encapsulate #2709

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 11, 2025
Merged

fix: have export call encrypt instead of encapsulate #2709

merged 1 commit into from
Sep 11, 2025

Conversation

strantalis
Copy link
Member

Proposed Changes

Checklist

  • I have added or updated unit tests
  • I have added or updated integration tests (if appropriate)
  • I have added or updated documentation

Testing Instructions

@strantalis strantalis requested a review from a team as a code owner September 10, 2025 18:22
gemini-code-assist[bot]
gemini-code-assist bot reviewed Sep 10, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Summary of Changes

Hello @strantalis, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a functional correction in the key export mechanism, ensuring that the appropriate encryption method is utilized. It also introduces a safeguard to protect the integrity of sensitive key data during export operations, thereby enhancing the overall security and reliability of the key management process.

Highlights

  • Corrected Encryption Method Call: The Export method within AESProtectedKey now correctly invokes the Encrypt method on the Encapsulator interface instead of Encapsulate, aligning with the intended encryption process for key data.
  • Enhanced Key Data Safety: A defensive copy of the raw key data (k.rawKey) is now created before being passed to the Encrypt method. This prevents potential unintended modifications to the original key material during the export process.
  • Test Suite Alignment: The mockEncapsulator in the test suite has been updated to reflect the change in method invocation, switching from encapsulateFunc to encryptFunc, ensuring the tests accurately validate the new behavior.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in issue comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Key bytes now secured,Encrypt's call, a safer path,Data flows with grace.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Sep 10, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request refactors AESProtectedKey.Export to use encapsulator.Encrypt instead of encapsulator.Encapsulate. This change improves decoupling by passing the raw key data directly, rather than the ProtectedKey object. The implementation correctly creates a defensive copy of the key before encryption. The corresponding unit test is also updated appropriately. The changes are sound and I have no further recommendations.

@strantalis strantalis mentioned this pull request Sep 11, 2025
Merged
3 tasks
dmihalcik-virtru
dmihalcik-virtru approved these changes Sep 11, 2025
View reviewed changes
Copy link
Member

@dmihalcik-virtru dmihalcik-virtru left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm guessing this is to enable other Encapsulators (than OCEncapsulator) to work with AESProtectedKey type keys? At first it seemed to me that you should first try down-casting to OCEncapsulator and using its Encapsulate method, then using Encrypt only if that doesn't work, if only to make it clear when the rawKey escapes 'our' code, but that just seems like this with extra steps, so this is fine.

@strantalis strantalis added this pull request to the merge queue Sep 11, 2025
Merged via the queue into opentdf:main with commit cdff893 Sep 11, 2025
35 checks passed
@strantalis strantalis deleted the dspx-1474/ocrypto-export-encrypt branch September 11, 2025 16:08
@opentdf-automation opentdf-automation bot mentioned this pull request Sep 11, 2025
Merged
github-merge-queue bot pushed a commit that referenced this pull request Sep 11, 2025
@opentdf-automation
chore(main): release lib/ocrypto 0.6.0 (#2711)
cbcba29 
🤖 I have created a release *beep* *boop*
---


##
[0.6.0](lib/ocrypto/v0.5.0...lib/ocrypto/v0.6.0)
(2025-09-11)


### Bug Fixes

* have export call encrypt instead of encapsulate
([#2709](#2709))
([cdff893](cdff893))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@biscoe916 biscoe916 biscoe916 approved these changes

@dmihalcik-virtru dmihalcik-virtru dmihalcik-virtru approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

comp:lib:ocrypto size/xs

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@strantalis @biscoe916 @dmihalcik-virtru