java source code of EncryptionProvider

snowflake-jdbc-master
- .github
  - actions
    - gajira-issue-update
      - dist
      - action.js
      - action.yml
    - gajira-create
      - dist
      - common
        net
        client.js
        Jira.js
      - action.js
      - README.md
      - action.yml
      - index.js
  - workflows
    - jira_issue.yml
    - parameters_aws.json.gpg
    - jira_comment.yml
    - build-test.yml
    - parameters_gcp.json.gpg
- src
  - main
    - resources
      - net
        snowflake
        client
        jdbc
        jdbc_error_messages.properties
        jdbc_error_messages_fr.properties
        version.properties
      - META-INF
        services
        java.nio.file.spi.FileTypeDetector
        java.sql.Driver
        com.boomi.Dependencies
    - javadoc
      - overview.html
      - licenses.html
    - java
      - net
        snowflake
        client
        jdbc
        DBMetadataResultSetMetadata.java
        SnowflakeResultSetSerializableV1.java
        OCSPErrorCode.java
        SnowflakeDatabaseMetaDataQueryResultSet.java
        MatDesc.java
        SnowflakeConnectionV1.java
        SnowflakeDriver.java
        SnowflakeStatementV1.java
        SnowflakeResultSetMetaData.java
        SnowflakeStatement.java
        JsonResultChunk.java
        SnowflakeResultSetMetaDataV1.java
        SnowflakeClob.java
        SnowflakeColumnMetadata.java
        FileBackedOutputStream.java
        ResultJsonParserV2.java
        SnowflakeFileTransferConfig.java
        SnowflakeFileTransferAgent.java
        SnowflakeConnectString.java
        SnowflakePreparedStatement.java
        SnowflakeReauthenticationRequest.java
        SnowflakeBasicDataSource.java
        SnowflakeFileTransferMetadata.java
        SnowflakeType.java
        cloud
        storage
        SnowflakeGCSClient.java
        SnowflakeS3Client.java
        CommonObjectMetadata.java
        S3ObjectMetadata.java
        StorageProviderException.java
        StorageObjectMetadata.java
        StorageObjectSummaryCollection.java
        EncryptionProvider.java
        StorageObjectSummary.java
        AzureObjectSummariesIterator.java
        S3StorageObjectMetadata.java
        S3ObjectSummariesIterator.java
        GcsObjectSummariesIterator.java
        SnowflakeStorageClient.java
        StageInfo.java
        SnowflakeAzureClient.java
        StorageClientFactory.java
        telemetryOOB
        TelemetryThreadPool.java
        TelemetryService.java
        TelemetryEvent.java
        ArrowResultChunk.java
        SnowflakeResultChunk.java
        SnowflakeFixedView.java
        RestRequest.java
        SnowflakeResultSetSerializable.java
        SnowflakeConnection.java
        SnowflakeResultSetV1.java
        SnowflakeDatabaseMetaData.java
        SnowflakeDatabaseMetaDataResultSet.java
        SnowflakeBaseResultSet.java
        SnowflakeCallableStatementV1.java
        SnowflakePreparedStatementV1.java
        SnowflakeUtil.java
        SFAsyncResultSet.java
        ErrorCode.java
        SnowflakeCallableStatement.java
        SnowflakeSQLException.java
        SnowflakeChunkDownloader.java
        telemetry
        TelemetryField.java
        TelemetryClient.java
        TelemetryData.java
        TelemetryUtil.java
        NoOpTelemetryClient.java
        Telemetry.java
        SnowflakeParameterMetadata.java
        SnowflakeFileTransferMetadataV1.java
        SnowflakeResultSet.java
        SnowflakeSimulatedUploadFailure.java
        log
        JDK14JCLWrapper.java
        SFLogger.java
        ArgSupplier.java
        SLF4JJCLWrapper.java
        SFLoggerFactory.java
        SFLoggerUtil.java
        SLF4JLogger.java
        JDK14Logger.java
        SFFormatter.java
        util
        DecorrelatedJitterBackoff.java
        SFPair.java
        SFTimestamp.java
        VariableTypeArray.java
        SecretDetector.java
        pooling
        LogicalConnection.java
        SnowflakePooledConnection.java
        SnowflakeConnectionPoolDataSource.java
        loader
        BufferStage.java
        LoaderFactory.java
        Operation.java
        FileUploader.java
        OnError.java
        Utils.java
        PutQueue.java
        LoadingError.java
        StreamLoader.java
        LoadResultListener.java
        ProcessQueue.java
        Loader.java
        LoaderProperty.java
        core
        SFStatementType.java
        IncidentUtil.java
        HostSpecSSD.java
        SFLoginOutput.java
        Incident.java
        SFSessionProperty.java
        SFTrustManager.java
        SFFixedViewResultSet.java
        SFOCSPException.java
        SecureStorageLinuxManager.java
        SFBaseResultSet.java
        arrow
        BitToBooleanConverter.java
        ArrowResultChunkIndexSorter.java
        DecimalToScaledFixedConverter.java
        VarBinaryToBinaryConverter.java
        TwoFieldStructToTimestampLTZConverter.java
        BigIntToScaledFixedConverter.java
        VarCharConverter.java
        IntToScaledFixedConverter.java
        ArrowVectorConverter.java
        BigIntToFixedConverter.java
        SmallIntToFixedConverter.java
        AbstractArrowVectorConverter.java
        TwoFieldStructToTimestampTZConverter.java
        TwoFieldStructToTimestampNTZConverter.java
        IntToFixedConverter.java
        ArrowResultUtil.java
        DateConverter.java
        DoubleToRealConverter.java
        BigIntToTimestampNTZConverter.java
        BigIntToTimestampLTZConverter.java
        TinyIntToFixedConverter.java
        BigIntToTimeConverter.java
        TinyIntToScaledFixedConverter.java
        ThreeFieldStructToTimestampTZConverter.java
        SmallIntToScaledFixedConverter.java
        IntToTimeConverter.java
        ResultUtil.java
        Event.java
        SFResultSet.java
        SecureStorageWindowsManager.java
        OCSPTelemetryData.java
        SessionUtil.java
        SessionUtilExternalBrowser.java
        SSDKeyManager.java
        SFStatementMetaData.java
        OCSPMode.java
        SFSession.java
        HeartbeatBackground.java
        QueryResultFormat.java
        Constants.java
        CredentialManager.java
        SFChildResult.java
        SSDPubKey.java
        DownloaderMetrics.java
        SFJsonResultSet.java
        SFLoginInput.java
        QueryExecDTO.java
        bind
        BindException.java
        BindUploader.java
        StmtUtil.java
        MetaDataOfBinds.java
        ParameterBindingDTO.java
        SSDManager.java
        SFResultSetMetaData.java
        SFArrowResultSet.java
        SFException.java
        HttpUtil.java
        ChunkDownloader.java
        EventUtil.java
        SFResultSetFactory.java
        SecureStorageAppleManager.java
        IncidentV2DTO.java
        DataConversionContext.java
        SFPubKeysInternal.java
        SecureStorageManager.java
        QueryStatus.java
        SFSSLConnectionSocketFactory.java
        SessionUtilKeyPair.java
        SFStatement.java
        BasicEvent.java
        AssertUtil.java
        KeyUpdSSD.java
        EventHandler.java
        FileCacheManager.java
        FileTypeDetector.java
        ObjectMapperFactory.java
      - com
        snowflake
        client
        jdbc
        SnowflakeDriver.java
  - test
    - resources
      - logback-test.xml
      - rsa_key.pub
      - net
        snowflake
        client
        jdbc
        test_copy.csv
        boomi.policy
        jenkins_it_logging.properties
        .gitignore
        travis_it_logging.properties
      - parameters.json
      - rsa_key.p8
      - rsa_key.pem
      - invalid_private_key.pem
      - encrypted_rsa_key.p8
      - revoked_certs.pem
      - encrypted_rsa_key.pub
      - .gitignore
      - orders_100.csv
      - orders_101.csv
    - java
      - net
        snowflake
        client
        RunningNotOnTestaccount.java
        jdbc
        StatementFeatureNotSupportedIT.java
        ResultSetArrowForce0MultiTimeZone.java
        ServiceNameTest.java
        ConnectionWithOCSPModeIT.java
        SnowflakeConnectionV1Test.java
        PreparedStatement0IT.java
        PreparedMultiStmtIT.java
        PutUnescapeBackslashIT.java
        DellBoomiCloudIT.java
        DatabaseMetaDataIT.java
        BaseJDBCTest.java
        ResultSetAsyncIT.java
        ConnectionIT.java
        ResultSetFeatureNotSupportedIT.java
        BindingDataIT.java
        ArrowResultChunkTest.java
        CallableStatementIT.java
        CustomProxyIT.java
        StatementIT.java
        ResultSetArrowForceTZMultiTimeZoneIT.java
        ResultSetJsonVsArrowMultiTZIT.java
        ResultSetArrowForceLTZMultiTimeZoneIT.java
        ConnectionPoolingIT.java
        ResultSetArrowIT.java
        ConnectionManual.java
        HeartbeatIT.java
        FileUploaderExpandFileNamesTest.java
        ConnectionAlreadyClosedIT.java
        BindUploaderIT.java
        PreparedStatementArrow2IT.java
        OpenGroupCLIFuncIT.java
        telemetryOOB
        TelemetryServiceIT.java
        ResultSetIT.java
        MultiStatementIT.java
        PreparedStatement1IT.java
        PreparedStatementLargeUpdateIt.java
        PreparedMultiStmtArrowIT.java
        GCPLargeResult.java
        SessionVariablesIT.java
        RestRequestIT.java
        MultiStatementArrowIT.java
        StatementAlreadyClosedIT.java
        SnowflakeDriverIT.java
        PutFileWithSpaceIncluded.java
        ConnectionFeatureNotSupportedIT.java
        PreparedStatement2IT.java
        DatabaseMetaDataInternalIT.java
        StreamIT.java
        ResultSetJsonVsArrowIT.java
        SnowflakeDriverConnectionStressTest.java
        FileUploaderMimeTypeToCompressionTypeTest.java
        ClientMemoryLimitParallelIT.java
        ResultSetAlreadyClosedIT.java
        SSOConnectionTest.java
        StatementArrowIT.java
        ResultSetMultiTimeZoneIT.java
        telemetry
        TelemetryTest.java
        TelemetryIT.java
        PreparedStatementFeatureNotSupportedIT.java
        StatementLargeUpdateIT.java
        SnowflakeResultSetSerializableIT.java
        SnowflakeDriverTest.java
        ResultJsonParserV2IT.java
        SnowflakeResultSetSerializableArrowIT.java
        PreparedStatementArrow1IT.java
        SnowflakeBasicDataSourceTest.java
        TestUtil.java
        category
        TestCategoryConnection.java
        TestCategoryResultSet.java
        TestCategoryStatement.java
        TestCategoryCore.java
        TestCategoryOthers.java
        TestCategoryArrow.java
        TestCategoryLoader.java
        AbstractDriverIT.java
        log
        SLF4JLoggerIT.java
        SFFormatterTest.java
        AbstractLoggerIT.java
        JDK14LoggerIT.java
        util
        SecretDetectorTest.java
        RunningOnTestaccount.java
        RunningOnGithubAction.java
        pooling
        ConnectionPoolingDataSourceIT.java
        loader
        FlatfileReadMultithreadIT.java
        LoaderBase.java
        LoaderIT.java
        OnErrorTest.java
        TestDataConfigBuilder.java
        LoaderMultipleBatchIT.java
        LoaderTimestampIT.java
        ConditionalIgnoreRule.java
        core
        arrow
        IntToTimeConverterTest.java
        TwoFieldStructToTimestampTZConverterTest.java
        VarBinaryToBinaryConverterTest.java
        BaseConverterTest.java
        TwoFieldStructToTimestampLTZConverterTest.java
        BitToBooleanConverterTest.java
        ThreeFieldStructToTimestampTZConverterTest.java
        IntToFixedConverterTest.java
        TwoFieldStructToTimestampNTZConverterTest.java
        BigIntToFixedConverterTest.java
        TinyIntToFixedConverterTest.java
        BigIntToTimeConverterTest.java
        BigIntToTimestampLTZConverterTest.java
        VarCharConverterTest.java
        SmallIntToFixedConverterTest.java
        DoubleToRealConverterTest.java
        ArrowResultUtilTest.java
        BigIntToTimestampNTZConverterTest.java
        DateConverterTest.java
        SFSessionPropertyTest.java
        SFTrustManagerIT.java
        SecureStorageManagerTest.java
        BaseIncidentTest.java
        SessionUtilTest.java
        SessionUtilExternalBrowserTest.java
        SFTrustManagerPowerMockIT.java
        SFArrowResultSetIT.java
        IncidentTests.java
        SFTrustManagerTest.java
        .gitignore
      - com
        snowflake
        client
        jdbc
        SnowflakeDriverIT.java
- pom.xml
- dependencies
  - arrow-memory-0.15.1.jar
  - arrow-format-0.15.1.jar
- README.rst
- CHANGELOG.rst
- intellij-codestyle.xml
- public_pom.xml
- scripts
  - _init.sh
  - format_code.sh
- ci
  - _init.sh
  - test.sh
  - container
    - __pycache__
      - sf_test_utils.cpython-36.pyc
    - sf_test_utils.py
    - download_artifact.sh
    - build_component.sh
    - create_schema.py
    - upload_artifact.sh
    - test_component.sh
    - wss.sh
    - hang_webserver.py
    - drop_schema.py
  - scripts
    - login_internal_docker.sh
    - login_docker.sh
    - check_content.sh
    - set_git_info.sh
  - image
    - update.sh
    - Dockerfile.jdbc-centos6-default-test
    - scripts
      - python3.6.sh
      - entrypoint.sh
      - git.sh
      - aws.sh
      - pip.sh
      - npmrc
    - .gitignore
    - build.sh
  - build.sh
- FIPS
  - src
    - test
      - java
        net
        snowflake
        client
        jdbc
        ConnectionFipsIT.java
        category
        TestCategoryFips.java
        AbstractDriverIT.java
        RunningOnGithubActions.java
        ConditionalIgnoreRule.java
  - pom.xml
  - public_pom.xml
  - scripts
    - check_content.sh
  - .gitignore
- .gitignore
- LICENSE.txt

/*
 * Copyright (c) 2012-2019 Snowflake Computing Inc. All rights reserved.
 */
package net.snowflake.client.jdbc.cloud.storage;

import com.amazonaws.util.Base64;

import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.channels.FileChannel;
import java.nio.file.Files;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

import net.snowflake.client.jdbc.MatDesc;
import net.snowflake.common.core.RemoteStoreFileEncryptionMaterial;

import static java.nio.file.StandardOpenOption.CREATE;
import static java.nio.file.StandardOpenOption.READ;

/**
 * Handles encryption and decryption using AES.
 *
 * @author ppaulus
 */
public class EncryptionProvider
{
  private final static String AES = "AES";
  private final static String FILE_CIPHER = "AES/CBC/PKCS5Padding";
  private final static String KEY_CIPHER = "AES/ECB/PKCS5Padding";
  private final static int BUFFER_SIZE = 2 * 1024 * 1024; // 2 MB
  private static SecureRandom secRnd;

  /**
   * Decrypt a InputStream
   */
  public static InputStream decryptStream(InputStream inputStream,
                                          String keyBase64,
                                          String ivBase64,
                                          RemoteStoreFileEncryptionMaterial encMat)
  throws NoSuchPaddingException, NoSuchAlgorithmException,
         InvalidKeyException, BadPaddingException, IllegalBlockSizeException,
         InvalidAlgorithmParameterException
  {
    byte[] decodedKey = Base64.decode(encMat.getQueryStageMasterKey());

    byte[] keyBytes = Base64.decode(keyBase64);

    byte[] ivBytes = Base64.decode(ivBase64);

    SecretKey queryStageMasterKey =
        new SecretKeySpec(decodedKey, 0, decodedKey.length, AES);

    Cipher keyCipher = Cipher.getInstance(KEY_CIPHER);

    keyCipher.init(Cipher.DECRYPT_MODE, queryStageMasterKey);

    byte[] fileKeyBytes = keyCipher.doFinal(keyBytes);

    SecretKey fileKey =
        new SecretKeySpec(fileKeyBytes, 0, decodedKey.length, AES);

    Cipher dataCipher = Cipher.getInstance(FILE_CIPHER);

    IvParameterSpec ivy = new IvParameterSpec(ivBytes);

    dataCipher.init(Cipher.DECRYPT_MODE, fileKey, ivy);

    return new CipherInputStream(inputStream, dataCipher);

  }

  /*
   * decrypt
   * Decrypts a file given the key and iv. Uses AES decryption.
   */
  public static void decrypt(File file,
                             String keyBase64,
                             String ivBase64,
                             RemoteStoreFileEncryptionMaterial encMat)
  throws NoSuchAlgorithmException,
         NoSuchPaddingException,
         InvalidKeyException,
         IllegalBlockSizeException,
         BadPaddingException,
         InvalidAlgorithmParameterException,
         IOException
  {
    byte[] keyBytes = Base64.decode(keyBase64);
    byte[] ivBytes = Base64.decode(ivBase64);
    byte[] qsmkBytes = Base64.decode(encMat.getQueryStageMasterKey());
    final SecretKey fileKey;

    // Decrypt file key
    {
      final Cipher keyCipher = Cipher.getInstance(KEY_CIPHER);
      SecretKey queryStageMasterKey =
          new SecretKeySpec(qsmkBytes, 0, qsmkBytes.length, AES);
      keyCipher.init(Cipher.DECRYPT_MODE, queryStageMasterKey);
      byte[] fileKeyBytes = keyCipher.doFinal(keyBytes);

      // NB: we assume qsmk.length == fileKey.length
      //     (fileKeyBytes.length may be bigger due to padding)
      fileKey = new SecretKeySpec(fileKeyBytes, 0, qsmkBytes.length, AES);
    }

    // Decrypt file
    {
      final Cipher fileCipher = Cipher.getInstance(FILE_CIPHER);
      final IvParameterSpec iv = new IvParameterSpec(ivBytes);
      final byte[] buffer = new byte[BUFFER_SIZE];
      fileCipher.init(Cipher.DECRYPT_MODE, fileKey, iv);

      long totalBytesRead = 0;
      // Overwrite file contents buffer-wise with decrypted data
      try (InputStream is = Files.newInputStream(file.toPath(), READ);
           InputStream cis = new CipherInputStream(is, fileCipher);
           OutputStream os = Files.newOutputStream(file.toPath(), CREATE);)
      {
        int bytesRead;
        while ((bytesRead = cis.read(buffer)) > -1)
        {
          os.write(buffer, 0, bytesRead);
          totalBytesRead += bytesRead;
        }
      }

      // Discard any padding that the encrypted file had
      try (FileChannel fc = new FileOutputStream(file, true).getChannel())
      {
        fc.truncate(totalBytesRead);
      }
    }
  }

  /*
   * encrypt
   * Encrypts a file using AES encryption. The key and iv are generated.
   * The matdesc field is added to the metadata object.
   * The key and iv are added to the JSON block in the encryptionData
   * metadata object.
   */
  public static CipherInputStream encrypt(StorageObjectMetadata meta,
                                          long originalContentLength,
                                          InputStream src,
                                          RemoteStoreFileEncryptionMaterial encMat,
                                          SnowflakeStorageClient client)
  throws InvalidKeyException,
         InvalidAlgorithmParameterException,
         NoSuchAlgorithmException,
         NoSuchProviderException,
         NoSuchPaddingException,
         FileNotFoundException,
         IllegalBlockSizeException,
         BadPaddingException
  {
    final byte[] decodedKey = Base64.decode(encMat.getQueryStageMasterKey());
    final int keySize = decodedKey.length;
    final byte[] fileKeyBytes = new byte[keySize];
    final byte[] ivData;
    final CipherInputStream cis;
    final int blockSz;
    {
      final Cipher fileCipher = Cipher.getInstance(FILE_CIPHER);
      blockSz = fileCipher.getBlockSize();

      // Create IV
      ivData = new byte[blockSz];
      getSecRnd().nextBytes(ivData);
      final IvParameterSpec iv = new IvParameterSpec(ivData);

      // Create file key
      getSecRnd().nextBytes(fileKeyBytes);
      SecretKey fileKey = new SecretKeySpec(fileKeyBytes, 0, keySize, AES);

      // Init cipher
      fileCipher.init(Cipher.ENCRYPT_MODE, fileKey, iv);

      // Create encrypting input stream
      cis = new CipherInputStream(src, fileCipher);
    }

    // Encrypt the file key with the QRMK
    {
      final Cipher keyCipher = Cipher.getInstance(KEY_CIPHER);
      SecretKey queryStageMasterKey =
          new SecretKeySpec(decodedKey, 0, keySize, AES);

      // Init cipher
      keyCipher.init(Cipher.ENCRYPT_MODE, queryStageMasterKey);
      byte[] encKeK = keyCipher.doFinal(fileKeyBytes);

      // Store metadata
      MatDesc matDesc =
          new MatDesc(encMat.getSmkId(), encMat.getQueryId(), keySize * 8);
      // Round up length to next multiple of the block size
      // Sizes that are multiples of the block size need to be padded to next
      // multiple
      long contentLength = ((originalContentLength + blockSz) / blockSz) * blockSz;
      client.addEncryptionMetadata(meta, matDesc, ivData, encKeK, contentLength);
    }

    return cis;
  }

  /*
   * getSecRnd
   * Gets a random number for encryption purposes.
   */
  private static synchronized SecureRandom getSecRnd()
  throws NoSuchAlgorithmException,
         NoSuchProviderException
  {
    if (secRnd == null)
    {
      secRnd = SecureRandom.getInstance("SHA1PRNG");
      byte[] bytes = new byte[10];
      secRnd.nextBytes(bytes);
    }
    return secRnd;
  }

}