SNOW-1850888 Fix secure random initialization #1990

Merged
merged 1 commit into from
Dec 10, 2024
Expand Up @@ -41,7 +41,8 @@ public class EncryptionProvider {
private static final String FILE_CIPHER = "AES/CBC/PKCS5Padding";
private static final String KEY_CIPHER = "AES/ECB/PKCS5Padding";
private static final int BUFFER_SIZE = 2 * 1024 * 1024; // 2 MB
private static SecureRandom secRnd;
private static ThreadLocal<SecureRandom> secRnd =
new ThreadLocal<>().withInitial(SecureRandom::new);

/**
* Decrypt a InputStream
Expand Down Expand Up @@ -165,11 +166,11 @@ public static CipherInputStream encrypt(

// Create IV
ivData = new byte[blockSize];
getSecRnd().nextBytes(ivData);
secRnd.get().nextBytes(ivData);
final IvParameterSpec iv = new IvParameterSpec(ivData);

// Create file key
getSecRnd().nextBytes(fileKeyBytes);
secRnd.get().nextBytes(fileKeyBytes);
SecretKey fileKey = new SecretKeySpec(fileKeyBytes, 0, keySize, AES);

// Init cipher
Expand Down Expand Up @@ -199,18 +200,4 @@ public static CipherInputStream encrypt(

return cis;
}

/*
* getSecRnd
* Gets a random number for encryption purposes.
*/
private static synchronized SecureRandom getSecRnd()
throws NoSuchAlgorithmException, NoSuchProviderException {
if (secRnd == null) {
secRnd = SecureRandom.getInstance("SHA1PRNG");
byte[] bytes = new byte[10];
secRnd.nextBytes(bytes);
}
return secRnd;
}
}
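Review bot: The new `secRnd` declaration in the first hunk calls the static factory through a throwaway instance, `new ThreadLocal<>().withInitial(SecureRandom::new)`, which allocates an unused `ThreadLocal` and reads as if that instance mattered; the same form is used for `random` in `GcmEncryptionProvider`. The field here is also left non-`final`, unlike the `GcmEncryptionProvider` one, so the holder of the generator used for IVs and file keys can still be reassigned inside the class. I would write `private static final ThreadLocal<SecureRandom> secRnd = ThreadLocal.withInitial(SecureRandom::new);` in both classes. With `getSecRnd()` removed, it is also worth checking whether `encrypt` still needs `NoSuchProviderException` in its throws clause; its signature is outside the visible hunks.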
Expand Up @@ -36,21 +36,10 @@ class GcmEncryptionProvider {
private static final String FILE_CIPHER = "AES/GCM/NoPadding";
private static final String KEY_CIPHER = "AES/GCM/NoPadding";
private static final int BUFFER_SIZE = 8 * 1024 * 1024; // 2 MB
private static final int blockSize;
private static final SecureRandom random;
private static final ThreadLocal<SecureRandom> random =
new ThreadLocal<>().withInitial(SecureRandom::new);
private static final Base64.Decoder base64Decoder = Base64.getDecoder();

static {
try {
Cipher fileCipher = Cipher.getInstance(FILE_CIPHER);
blockSize = fileCipher.getBlockSize();

random = SecureRandom.getInstance("SHA1PRNG");
} catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
throw new ExceptionInInitializerError(e);
}
}

static InputStream encrypt(
StorageObjectMetadata meta,
long originalContentLength,
Expand Down Expand Up @@ -86,9 +75,9 @@ static InputStream encrypt(

private static void initRandomIvsAndFileKey(
byte[] dataIvData, byte[] fileKeyIvData, byte[] fileKeyBytes) {
random.nextBytes(dataIvData);
random.nextBytes(fileKeyIvData);
random.nextBytes(fileKeyBytes);
random.get().nextBytes(dataIvData);
random.get().nextBytes(fileKeyIvData);
random.get().nextBytes(fileKeyBytes);
}

private static byte[] encryptKey(byte[] kekBytes, byte[] keyBytes, byte[] keyIvData, byte[] aad)
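Review bot: `initRandomIvsAndFileKey` now performs three separate `random.get()` lookups for what is one generator; taking it once, `final SecureRandom rnd = random.get();`, and calling `rnd.nextBytes(...)` on that local for the two IVs and the file key is clearer. The `random` field also has no comment recording that a per-thread default `SecureRandom` is used in place of the previous `SecureRandom.getInstance("SHA1PRNG")`; a one-line comment such as `// Per-thread SecureRandom from the default provider; do not pin an algorithm here.` would keep a later edit from reverting it. The unchanged `BUFFER_SIZE` line above it still carries `// 2 MB` beside `8 * 1024 * 1024`.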