@svats0001 svats0001 commented Oct 3, 2025

#326 @jchrys

Motivation:
To use RSA encryption when using the caching_sha2_password authentication type when SSLMode is disabled instead of throwing R2dbcPermissionDeniedException.

Modification:
MySqlAuthProvider - added RSA encryption method that returns encrypted bytes.
InitFlow - added serverRSAPublicKeyFile field to HandshakeExchangeable and invoked RSA encryption method after AuthUtils.authentication if SSL not completed and SSL necessary and serverRSAPublicKeyFile not null.
MySqlConnectionConfiguration - Added nullable serverRSAPublicKeyFile field.
MySqlConnectionFactory - Added serverRSAPublicKeyFile field to relevant constructor invocations inside getMySqlConnection.
MySqlConnectionFactoryProvider - Added option for serverRSAPublicKeyFile.
MySqlConnectionFactoryProviderTest - Added unit test to check if MySqlConnectionFactory is returned from ConnectionFactoryOptions containing serverRSAPublicKeyFile.
SslTunnelIntegrationTest - Added unit test to check if correct exceptions are thrown or if MySqlConnectionFactory is returned depending on various combinations of SSL and serverRSAPublicKeyFile in MySqlConnectionConfiguration and getting MySqlConnectionFactory from it.

Result:
When a serverRSAPublicKeyFile is provided and SSL is disabled and the caching_sha2_password authentication type is used by the MySQL server and you're in the full authentication phase, an R2dbcPermissionDeniedException will not be thrown and instead the password will be encrypted with RSA. Drawbacks are that the RSA encryption method introduces many additional possible exceptions if the specified file path is invalid or the public key can't be read properly, etc.

EDIT: Will fix checks/test on Monday
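
The RSA step described above, as an added example that is not code from this PR or from r2dbc-mysql: the client NUL-terminates the password, XORs it with the handshake nonce, and encrypts the result with the server's RSA public key read from a PEM file. The class and method names are hypothetical, the key pair and nonce are constructed in memory, and the OAEP transformation is an assumption about what MySQL 8.0 servers expect for caching_sha2_password.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;

public class CachingSha2RsaExample { // hypothetical name, not a class from the PR
    // Assumption: OAEP with SHA-1/MGF1 is the padding MySQL 8.0 uses for this exchange.
    static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";

    // Parse an X.509 "BEGIN PUBLIC KEY" PEM, the format of the server's public key file.
    static PublicKey parsePem(String pem) throws GeneralSecurityException {
        String b64 = pem.replaceAll("-----(BEGIN|END) PUBLIC KEY-----", "").replaceAll("\\s", "");
        return KeyFactory.getInstance("RSA")
            .generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(b64)));
    }

    // XOR in place with the handshake nonce, repeating the nonce as needed.
    static byte[] xorWithNonce(byte[] data, byte[] nonce) {
        for (int i = 0; i < data.length; i++) data[i] ^= nonce[i % nonce.length];
        return data;
    }

    // Client side: NUL-terminate the password, mask it with the nonce, then RSA-encrypt.
    static byte[] encryptPassword(String password, byte[] nonce, PublicKey key) throws GeneralSecurityException {
        byte[] pw = password.getBytes(StandardCharsets.UTF_8);
        Cipher cipher = Cipher.getInstance(RSA_OAEP);
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return cipher.doFinal(xorWithNonce(Arrays.copyOf(pw, pw.length + 1), nonce));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for the server key pair, its PEM file and the nonce.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair server = gen.generateKeyPair();
        String pem = "-----BEGIN PUBLIC KEY-----\n"
            + Base64.getMimeEncoder().encodeToString(server.getPublic().getEncoded()) + "\n-----END PUBLIC KEY-----\n";
        byte[] nonce = new byte[20];
        new SecureRandom().nextBytes(nonce);
        byte[] wire = encryptPassword("s3cret", nonce, parsePem(pem));
        // Server side: decrypt with the private key, undo the XOR, drop the trailing NUL.
        Cipher cipher = Cipher.getInstance(RSA_OAEP);
        cipher.init(Cipher.DECRYPT_MODE, server.getPrivate());
        byte[] plain = xorWithNonce(cipher.doFinal(wire), nonce);
        System.out.println(wire.length + " bytes sent, recovered: " + new String(plain, 0, plain.length - 1, StandardCharsets.UTF_8));
    }
}
```

The XOR with the nonce only ties the ciphertext to one handshake; confidentiality of the password without TLS rests on the public key in the file being the server's real key.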

@svats0001 svats0001 force-pushed the rsa_caching_sha2_password branch 2 times, most recently from 8be6b8e to a2dcff0 Compare October 8, 2025 06:13
@svats0001
Contributor Author

@jchrys I tried my hand at adding an option for RSA encryption for #326. Let me know if it's appropriate.

@jchrys jchrys self-requested a review October 8, 2025 09:17
@jchrys jchrys self-assigned this Oct 8, 2025
@jchrys jchrys added the enhancement New feature or request label Oct 8, 2025
Collaborator

@jchrys jchrys left a comment

Thanks for the PR. This is a major feature 👍 Overall LGTM. I’ve left a few comments. If feasible, please add a minimal integration test.

Signed-off-by: S V <vats02581@gmail.com>
@svats0001 svats0001 force-pushed the rsa_caching_sha2_password branch from 8d39e66 to 0ded89c Compare October 17, 2025 04:20
@svats0001
Contributor Author

@jchrys I've made those changes you suggested. I was unable to figure out how to configure the integration tests and get them working with the test container so I've removed them. It's not ideal but if it's completely necessary then I can try to work on the tests in the future when I have time but otherwise I think it's ready.

Collaborator

@jchrys jchrys left a comment

I did some testing and debugging—please take a look at my comments and let me know once you’ve fixed them so I can review again.

@svats0001
Contributor Author

@jchrys Ready for review again with changes.

Collaborator

@jchrys jchrys left a comment

LGTM overall. I’ll run comprehensive tests next week and post a comment then; feel free to keep refining meanwhile.
