SNOW-1786192 Use 12 bytes as IV length for GCM

snowflakedb · Nov 5, 2024 · ca65ef0 · ca65ef0
1 parent fd0ddd5
commit ca65ef0
Showing 1 changed file with 22 additions and 20 deletions.
diff --git a/src/main/java/net/snowflake/client/jdbc/cloud/storage/GcmEncryptionProvider.java b/src/main/java/net/snowflake/client/jdbc/cloud/storage/GcmEncryptionProvider.java
@@ -3,9 +3,17 @@
  */
 package net.snowflake.client.jdbc.cloud.storage;
 
-import static java.nio.file.StandardOpenOption.CREATE;
-import static java.nio.file.StandardOpenOption.READ;
+import net.snowflake.client.jdbc.MatDesc;
+import net.snowflake.common.core.RemoteStoreFileEncryptionMaterial;
 
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.CipherInputStream;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.GCMParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
@@ -18,19 +26,13 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.util.Base64;
-import javax.crypto.BadPaddingException;
-import javax.crypto.Cipher;
-import javax.crypto.CipherInputStream;
-import javax.crypto.IllegalBlockSizeException;
-import javax.crypto.NoSuchPaddingException;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.GCMParameterSpec;
-import javax.crypto.spec.SecretKeySpec;
-import net.snowflake.client.jdbc.MatDesc;
-import net.snowflake.common.core.RemoteStoreFileEncryptionMaterial;
+
+import static java.nio.file.StandardOpenOption.CREATE;
+import static java.nio.file.StandardOpenOption.READ;
 
 class GcmEncryptionProvider {
-  private static final int TAG_LENGTH = 128;
+  private static final int TAG_LENGTH_IN_BITS = 128;
+  private static final int IV_LENGTH_IN_BYTES = 12;
   private static final String AES = "AES";
   private static final String FILE_CIPHER = "AES/GCM/NoPadding";
   private static final String KEY_CIPHER = "AES/GCM/NoPadding";
@@ -64,8 +66,8 @@ static InputStream encrypt(
     byte[] kek = base64Decoder.decode(encMat.getQueryStageMasterKey());
     int keySize = kek.length;
     byte[] keyBytes = new byte[keySize];
-    byte[] dataIvBytes = new byte[blockSize];
-    byte[] keyIvBytes = new byte[blockSize];
+    byte[] dataIvBytes = new byte[IV_LENGTH_IN_BYTES];
+    byte[] keyIvBytes = new byte[IV_LENGTH_IN_BYTES];
     initRandomIvsAndFileKey(dataIvBytes, keyIvBytes, keyBytes);
     byte[] encryptedKey = encryptKey(kek, keyBytes, keyIvBytes, keyAad);
     CipherInputStream cis = encryptContent(src, keyBytes, dataIvBytes, dataAad);
@@ -94,7 +96,7 @@ private static byte[] encryptKey(byte[] kekBytes, byte[] keyBytes, byte[] keyIvD
       throws InvalidKeyException, InvalidAlgorithmParameterException, IllegalBlockSizeException,
           BadPaddingException, NoSuchPaddingException, NoSuchAlgorithmException {
     SecretKey kek = new SecretKeySpec(kekBytes, 0, kekBytes.length, AES);
-    GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(TAG_LENGTH, keyIvData);
+    GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(TAG_LENGTH_IN_BITS, keyIvData);
     Cipher keyCipher = Cipher.getInstance(KEY_CIPHER);
     keyCipher.init(Cipher.ENCRYPT_MODE, kek, gcmParameterSpec);
     if (aad != null) {
@@ -108,7 +110,7 @@ private static CipherInputStream encryptContent(
       throws InvalidKeyException, InvalidAlgorithmParameterException, NoSuchPaddingException,
           NoSuchAlgorithmException {
     SecretKey fileKey = new SecretKeySpec(keyBytes, 0, keyBytes.length, AES);
-    GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(TAG_LENGTH, dataIvBytes);
+    GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(TAG_LENGTH_IN_BITS, dataIvBytes);
     Cipher fileCipher = Cipher.getInstance(FILE_CIPHER);
     fileCipher.init(Cipher.ENCRYPT_MODE, fileKey, gcmParameterSpec);
     if (aad != null) {
@@ -180,7 +182,7 @@ private static CipherInputStream decryptContentFromStream(
       InputStream inputStream, byte[] ivBytes, byte[] fileKeyBytes, byte[] aad)
       throws InvalidKeyException, InvalidAlgorithmParameterException, NoSuchPaddingException,
           NoSuchAlgorithmException {
-    GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(TAG_LENGTH, ivBytes);
+    GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(TAG_LENGTH_IN_BITS, ivBytes);
     SecretKey fileKey = new SecretKeySpec(fileKeyBytes, AES);
     Cipher fileCipher = Cipher.getInstance(FILE_CIPHER);
     fileCipher.init(Cipher.DECRYPT_MODE, fileKey, gcmParameterSpec);
@@ -195,7 +197,7 @@ private static void decryptContentFromFile(
       throws InvalidKeyException, InvalidAlgorithmParameterException, IOException,
           NoSuchPaddingException, NoSuchAlgorithmException {
     SecretKey fileKey = new SecretKeySpec(fileKeyBytes, AES);
-    GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(TAG_LENGTH, cekIvBytes);
+    GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(TAG_LENGTH_IN_BITS, cekIvBytes);
     byte[] buffer = new byte[BUFFER_SIZE];
     Cipher fileCipher = Cipher.getInstance(FILE_CIPHER);
     fileCipher.init(Cipher.DECRYPT_MODE, fileKey, gcmParameterSpec);
@@ -224,7 +226,7 @@ private static byte[] decryptKey(byte[] kekBytes, byte[] ivBytes, byte[] keyByte
       throws InvalidKeyException, InvalidAlgorithmParameterException, IllegalBlockSizeException,
           BadPaddingException, NoSuchPaddingException, NoSuchAlgorithmException {
     SecretKey kek = new SecretKeySpec(kekBytes, 0, kekBytes.length, AES);
-    GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(TAG_LENGTH, ivBytes);
+    GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(TAG_LENGTH_IN_BITS, ivBytes);
     Cipher keyCipher = Cipher.getInstance(KEY_CIPHER);
     keyCipher.init(Cipher.DECRYPT_MODE, kek, gcmParameterSpec);
     if (aad != null) {