I have two Spring Boot V3 apps in Java 21 that communicate over Kafka using envelop-encryption.
The producer uses Google Tink AeadGcm to encrypt the data. Then, the DEK is encrypted with a KEK, encoded in Base64, and sent as a Kafka header.
The consumer receives the encryptedDek, decodes it from Base64 to bytes and decrypts it. Then, the consumer should create an Aead object by using the DEK to decrypt the data.
I am facing the issue that the consumer keeps throwing javax.crypto.AEADBadTagException: Tag mismatch and I believe the issue may be related to how I extract the raw key (DEK) from the Aead object. Hence the question: how to properly extract in bytes format the raw key from an Aead object so that I can send it over the network?
Thank you for your time and experience
Solution found: the DEK itself is not extractable from the Aead object but if you need (like in my case) to send it over the network, you can serialize the whole KeysetHandle object containing the DEK, as shown below:
@SneakyThrows
private synchronized void setPlainTextDek(final KeysetHandle keysetHandle) {
final ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
CleartextKeysetHandle.write(keysetHandle, BinaryKeysetWriter.withOutputStream(outputStream));
this.plainTextDek = outputStream.toByteArray();
}
Then in the consumer, you can create an Aead object from the KeysetHandle as follows:
final ByteArrayInputStream inputStream = new ByteArrayInputStream(decryptedDek);
final KeysetHandle keysetHandle = CleartextKeysetHandle.read(BinaryKeysetReader.withInputStream(inputStream));
return keysetHandle.getPrimitive(Aead.class);