All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.amazonaws.athena.connector.lambda.security.AesGcmBlockCrypto Maven / Gradle / Ivy

package com.amazonaws.athena.connector.lambda.security;

/*-
 * #%L
 * Amazon Athena Query Federation SDK
 * %%
 * Copyright (C) 2019 Amazon Web Services
 * %%
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 * #L%
 */

import com.amazonaws.athena.connector.lambda.data.Block;
import com.amazonaws.athena.connector.lambda.data.BlockAllocator;
import com.amazonaws.athena.connector.lambda.data.RecordBatchSerDe;
import org.apache.arrow.vector.types.pojo.Schema;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Security;

/**
 * Implementation of BlockCrypto which uses AES-GCM for encrypting and decrypting blocks.
 *
 * @see BlockCrypto
 */
public class AesGcmBlockCrypto
        implements BlockCrypto
{
    private static final Logger logger = LoggerFactory.getLogger(AesGcmBlockCrypto.class);
    protected static final int GCM_TAG_LENGTH_BITS = 16 * 8;
    protected static final int NONCE_BYTES = 12;
    protected static final int KEY_BYTES = 32;
    protected static final String KEYSPEC = "AES";
    protected static final String ALGO = "AES/GCM/NoPadding";
    protected static final String ALGO_BC = "BC";

    private final RecordBatchSerDe serDe;
    private final BlockAllocator allocator;

    static {
        Security.addProvider(new BouncyCastleProvider());
    }

    public AesGcmBlockCrypto(BlockAllocator allocator)
    {
        this.serDe = new RecordBatchSerDe(allocator);
        this.allocator = allocator;
    }

    public byte[] encrypt(EncryptionKey key, Block block)
    {
        try {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            serDe.serialize(block.getRecordBatch(), out);

            Cipher cipher = makeCipher(Cipher.ENCRYPT_MODE, key);
            return cipher.doFinal(out.toByteArray());
        }
        catch (BadPaddingException | IllegalBlockSizeException | IOException ex) {
            throw new RuntimeException(ex);
        }
    }

    public Block decrypt(EncryptionKey key, byte[] bytes, Schema schema)
    {
        try {
            Cipher cipher = makeCipher(Cipher.DECRYPT_MODE, key);
            byte[] clear = cipher.doFinal(bytes);

            Block resultBlock = allocator.createBlock(schema);
            resultBlock.loadRecordBatch(serDe.deserialize(clear));

            return resultBlock;
        }
        catch (BadPaddingException | IllegalBlockSizeException | IOException ex) {
            throw new RuntimeException(ex);
        }
    }

    public byte[] decrypt(EncryptionKey key, byte[] bytes)
    {
        try {
            Cipher cipher = makeCipher(Cipher.DECRYPT_MODE, key);
            return cipher.doFinal(bytes);
        }
        catch (BadPaddingException | IllegalBlockSizeException ex) {
            throw new RuntimeException(ex);
        }
    }

    private Cipher makeCipher(int mode, EncryptionKey key)
    {
        if (key.getNonce().length != NONCE_BYTES) {
            throw new RuntimeException("Expected " + NONCE_BYTES + " nonce bytes but found " + key.getNonce().length);
        }

        logger.debug("Cipher key bytes length: " + key.getKey().length);
        if (key.getKey() == null || key.getKey().length == 0) {
            throw new RuntimeException("Invalid key");
        }

        GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_LENGTH_BITS, key.getNonce());
        SecretKeySpec secretKeySpec = new SecretKeySpec(key.getKey(), KEYSPEC);

        try {
            Cipher cipher = Cipher.getInstance(ALGO, ALGO_BC);
            cipher.init(mode, secretKeySpec, spec);
            return cipher;
        }
        catch (NoSuchAlgorithmException | InvalidKeyException | InvalidAlgorithmParameterException
                | NoSuchProviderException | NoSuchPaddingException ex) {
            throw new RuntimeException(ex);
        }
    }
}




© 2015 - 2025 Weber Informatics LLC | Privacy Policy