Re: Transparent column encryption - Mailing list pgsql-hackers

On 28.10.22 12:16, Jehan-Guillaume de Rorthais wrote:
> I did a review of the documentation and usability.

I have incorporated some of your feedback into the v11 patch I just posted.

> # Applying patch
> 
>    The patch applied on top of f13b2088fa2 without trouble. Notice a small
>    warning during compilation:
>    
>      colenccmds.c:134:27: warning: ‘encval’ may be used uninitialized
>    
>    A simple fix could be:
>    
>      +++ b/src/backend/commands/colenccmds.c
>      @@ -119,2 +119,3
>                      encval = defGetString(encvalEl);
>      +               *encval_p = encval;
>              }
>      @@ -132,4 +133,2
>                      *alg_p = alg;
>      -       if (encval_p)
>      -               *encval_p = encval;
>       }

fixed

> # Documentation
> 
>    * In page "create_column_encryption_key.sgml", both encryption algorithms for
>      a CMK are declared as the default one:
> 
>      +     <para>
>      +      The encryption algorithm that was used to encrypt the key material of
>      +      this column encryption key.  Supported algorithms are:
>      +      <itemizedlist>
>      +       <listitem>
>      +        <para><literal>RSAES_OAEP_SHA_1</literal> (default)</para>
>      +       </listitem>
>      +       <listitem>
>      +        <para><literal>RSAES_OAEP_SHA_256</literal> (default)</para>
>      +       </listitem>
>      +      </itemizedlist>
>      +     </para>
>    
>      As far as I understand the code, I suppose RSAES_OAEP_SHA_1 should be the
>      default.

fixed

>    I believe two information should be clearly shown to user somewhere in
>    chapter 5.5 instead of being buried deep in documentation:
>   
>    * «COPY does not support column decryption», currently buried in pg_dump page
>    * «When transparent column encryption is enabled, the client encoding must
>      match the server encoding», currently buried in the protocol description
>      page.
> 
>    * In the libpq doc of PQexecPrepared2, "paramForceColumnEncryptions" might
>      deserve a little more detail about the array format, like «0 means "don't
>      enforce" and anything else enforce the encryption is enabled on this
>      column». By the way, maybe this array could be an array of boolean?
> 
>    * In chapter 55.2.5 (protocol-flow) is stated: «when column encryption is
>      used, the plaintext is always in text format (not binary format).». Does it
>      means parameter "resultFormat" in "PQexecPrepared2" should always be 0? If
>      yes, is it worth keeping this argument? Moreover, this format constraint
>      should probably be explained in the libpq page as well.

I will keep these suggestions around.  Some of these things will 
probably change again, so I'll make sure to update the documentation 
when I touch it again.

> # Protocol
> 
>    * In the ColumnEncryptionKey message, it seems the field holding the length
>      key material is redundant with the message length itself, as all other
>      fields have a known size. The key material length is the message length -
>      (4+4+4+2). For comparison, the AuthenticationSASLContinue message has a
>      variable data size but rely only on the message length without additional
>      field.

I find that weird, though.  An explicit length seems better.  Things 
like AuthenticationSASLContinue only work if they have exactly one 
variable-length data item.

>    * I wonder if encryption related fields in ParameterDescription and
>      RowDescription could be optional somehow? The former might be quite large
>      when using a lot of parameters (like, imagine a large and ugly
>      "IN($1...$N)"). On the other hand, these messages are not sent in high
>      frequency anyway...

They are only used if you turn on the column_encryption protocol option. 
  Or did you mean make them optional even then?

> # libpq
> 
>    Would it be possible to have an encryption-ready PQexecParams() equivalent
>    of what PQprepare/describe/exec do?

I plan to do that.

> # psql
> 
>    * You already mark \d in the TODO. But having some psql command to list the
>      known CEK/CMK might be useful as well.

right

>    * about write queries using psql, would it be possible to use psql
>      parameters? Eg.:
> 
>        => \set c1 myval
>        => INSERT INTO mytable VALUES (:'c1') \gencr

No, because those are resolved by psql before libpq sees them.

> # Manual tests
> 
>    * The lookup error message is shown twice for some reason:
> 
>        => select * from test_tce;
>        no CMK lookup found for realm ""
>        
>        no CMK lookup found for realm ""
> 
>      It might worth adding the column name and the CMK/CEK names related to each
>      error message? Last, notice the useless empty line between messages.

I'll look into that.

>    * When "DROP IF EXISTS" a missing CEK or CMK, the command raise an
>      "unrecognized object type":
> 
>        => DROP COLUMN MASTER KEY IF EXISTS noexists;
>        ERROR:  unrecognized object type: 10
>        => DROP COLUMN ENCRYPTION KEY IF EXISTS noexists;
>        ERROR:  unrecognized object type: 8

fixed

>    * I was wondering what "pg_typeof" should return. It currently returns
>      "pg_encrypted_*". If this is supposed to be transparent from the client
>      perspective, shouldn't it return "attrealtypid" when the field is encrypted?

Interesting question.  Need to think about it.  I'm not sure what the 
purpose of pg_typeof really is.  The only use I can recall is for pgTAP.

>    * any reason to not support altering the CMK realm?

This could be added.  I have that in my notes.