[ceph.git] / ceph / src / arrow / go / parquet / internal / encryption / aes.go

// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements.  See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership.  The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License.  You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package encryption contains the internal helpers for the parquet AES encryption/decryption handling.
//
// Testing for this is done via integration testing at the top level parquet package via attempting to
// read and write encrypted files with different configurations to match test files in parquet-testing
package encryption

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"io"

	"github.com/apache/arrow/go/v6/parquet"
	"golang.org/x/xerrors"
)

// important constants for handling the aes encryption
const (
	GcmTagLength = 16
	NonceLength  = 12

	gcmMode          = 0
	ctrMode          = 1
	ctrIVLen         = 16
	bufferSizeLength = 4
)

// Module constants for constructing the AAD bytes, the order here is
// important as the constants are set via iota.
const (
	FooterModule int8 = iota
	ColumnMetaModule
	DataPageModule
	DictPageModule
	DataPageHeaderModule
	DictPageHeaderModule
	ColumnIndexModule
	OffsetIndexModule
)

type aesEncryptor struct {
	mode                int
	ciphertextSizeDelta int
}

// NewAesEncryptor constructs an encryptor for the passed in cipher and whether
// or not it's being used to encrypt metadata.
func NewAesEncryptor(alg parquet.Cipher, metadata bool) *aesEncryptor {
	ret := &aesEncryptor{}
	ret.ciphertextSizeDelta = bufferSizeLength + NonceLength
	if metadata || alg == parquet.AesGcm {
		ret.mode = gcmMode
		ret.ciphertextSizeDelta += GcmTagLength
	} else {
		ret.mode = ctrMode
	}

	return ret
}

// CiphertextSizeDelta is the number of extra bytes that are part of the encrypted data
// above and beyond the plaintext value.
func (a *aesEncryptor) CiphertextSizeDelta() int { return a.ciphertextSizeDelta }

// SignedFooterEncrypt writes the signature for the provided footer bytes using the given key, AAD and nonce.
// It returns the number of bytes that were written to w.
func (a *aesEncryptor) SignedFooterEncrypt(w io.Writer, footer, key, aad, nonce []byte) int {
	if a.mode != gcmMode {
		panic("must use AES GCM (metadata) encryptor")
	}

	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}

	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	if aead.NonceSize() != NonceLength {
		panic(xerrors.Errorf("nonce size mismatch %d, %d", aead.NonceSize(), NonceLength))
	}
	if aead.Overhead() != GcmTagLength {
		panic(xerrors.Errorf("tagsize mismatch %d %d", aead.Overhead(), GcmTagLength))
	}

	ciphertext := aead.Seal(nil, nonce, footer, aad)
	bufferSize := uint32(len(ciphertext) + len(nonce))
	// data is written with a prefix of the size written as a little endian 32bit int.
	if err := binary.Write(w, binary.LittleEndian, bufferSize); err != nil {
		panic(err)
	}
	w.Write(nonce)
	w.Write(ciphertext)
	return bufferSizeLength + int(bufferSize)
}

// Encrypt calculates the ciphertext for src with the given key and aad, then writes it to w.
// Returns the total number of bytes written.
func (a *aesEncryptor) Encrypt(w io.Writer, src, key, aad []byte) int {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}

	nonce := make([]byte, NonceLength)
	rand.Read(nonce)

	if a.mode == gcmMode {
		aead, err := cipher.NewGCM(block)
		if err != nil {
			panic(err)
		}
		if aead.NonceSize() != NonceLength {
			panic(xerrors.Errorf("nonce size mismatch %d, %d", aead.NonceSize(), NonceLength))
		}
		if aead.Overhead() != GcmTagLength {
			panic(xerrors.Errorf("tagsize mismatch %d %d", aead.Overhead(), GcmTagLength))
		}

		ciphertext := aead.Seal(nil, nonce, src, aad)
		bufferSize := len(ciphertext) + len(nonce)
		// data is written with a prefix of the size written as a little endian 32bit int.
		if err := binary.Write(w, binary.LittleEndian, uint32(bufferSize)); err != nil {
			panic(err)
		}
		w.Write(nonce)
		w.Write(ciphertext)
		return bufferSizeLength + bufferSize
	}

	// Parquet CTR IVs are comprised of a 12-byte nonce and a 4-byte initial
	// counter field.
	// The first 31 bits of the initial counter field are set to 0, the last bit
	// is set to 1.
	iv := make([]byte, ctrIVLen)
	copy(iv, nonce)
	iv[ctrIVLen-1] = 1

	bufferSize := NonceLength + len(src)
	// data is written with a prefix of the size written as a little endian 32bit int.
	if err := binary.Write(w, binary.LittleEndian, uint32(bufferSize)); err != nil {
		panic(err)
	}
	w.Write(nonce)
	cipher.StreamWriter{S: cipher.NewCTR(block, iv), W: w}.Write(src)
	return bufferSizeLength + bufferSize
}

type aesDecryptor struct {
	mode                int
	ciphertextSizeDelta int
}

// newAesDecryptor constructs and returns a decryptor for the given cipher type and whether or
// not it is intended to be used for decrypting metadata.
func newAesDecryptor(alg parquet.Cipher, metadata bool) *aesDecryptor {
	ret := &aesDecryptor{}
	ret.ciphertextSizeDelta = bufferSizeLength + NonceLength
	if metadata || alg == parquet.AesGcm {
		ret.mode = gcmMode
		ret.ciphertextSizeDelta += GcmTagLength
	} else {
		ret.mode = ctrMode
	}

	return ret
}

// CiphertextSizeDelta is the number of bytes in the ciphertext that will not exist in the
// plaintext due to be used for the decryption. The total size - the CiphertextSizeDelta is
// the length of the plaintext after decryption.
func (a *aesDecryptor) CiphertextSizeDelta() int { return a.ciphertextSizeDelta }

// Decrypt returns the plaintext version of the given ciphertext when decrypted
// with the provided key and AAD security bytes.
func (a *aesDecryptor) Decrypt(cipherText, key, aad []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}

	writtenCiphertextLen := binary.LittleEndian.Uint32(cipherText)
	cipherLen := writtenCiphertextLen + bufferSizeLength
	nonce := cipherText[bufferSizeLength : bufferSizeLength+NonceLength]

	if a.mode == gcmMode {
		aead, err := cipher.NewGCM(block)
		if err != nil {
			panic(err)
		}

		plain, err := aead.Open(nil, nonce, cipherText[bufferSizeLength+NonceLength:cipherLen], aad)
		if err != nil {
			panic(err)
		}
		return plain
	}

	// Parquet CTR IVs are comprised of a 12-byte nonce and a 4-byte initial
	// counter field.
	// The first 31 bits of the initial counter field are set to 0, the last bit
	// is set to 1.
	iv := make([]byte, ctrIVLen)
	copy(iv, nonce)
	iv[ctrIVLen-1] = 1

	stream := cipher.NewCTR(block, iv)
	dst := make([]byte, len(cipherText)-bufferSizeLength-NonceLength)
	stream.XORKeyStream(dst, cipherText[bufferSizeLength+NonceLength:])
	return dst
}

// CreateModuleAad creates the section AAD security bytes for the file, module, row group, column and page.
//
// This should be used for being passed to the encryptor and decryptor whenever requesting AAD bytes.
func CreateModuleAad(fileAad string, moduleType int8, rowGroupOrdinal, columnOrdinal, pageOrdinal int16) string {
	buf := bytes.NewBuffer([]byte(fileAad))
	buf.WriteByte(byte(moduleType))

	if moduleType == FooterModule {
		return buf.String()
	}

	binary.Write(buf, binary.LittleEndian, rowGroupOrdinal)
	binary.Write(buf, binary.LittleEndian, columnOrdinal)
	if DataPageModule != moduleType && DataPageHeaderModule != moduleType {
		return buf.String()
	}

	binary.Write(buf, binary.LittleEndian, pageOrdinal)
	return buf.String()
}

// CreateFooterAad takes an aadPrefix and constructs the security AAD bytes for encrypting
// and decrypting the parquet footer bytes.
func CreateFooterAad(aadPrefix string) string {
	return CreateModuleAad(aadPrefix, FooterModule, -1, -1, -1)
}

// QuickUpdatePageAad updates aad with the new page ordinal, modifying the
// last two bytes of aad.
func QuickUpdatePageAad(aad []byte, newPageOrdinal int16) {
	binary.LittleEndian.PutUint16(aad[len(aad)-2:], uint16(newPageOrdinal))
}
Commit	Line	Data
1d09f67e TL	1	// Licensed to the Apache Software Foundation (ASF) under one
	2	// or more contributor license agreements. See the NOTICE file
	3	// distributed with this work for additional information
	4	// regarding copyright ownership. The ASF licenses this file
	5	// to you under the Apache License, Version 2.0 (the
	6	// "License"); you may not use this file except in compliance
	7	// with the License. You may obtain a copy of the License at
	8	//
	9	// http://www.apache.org/licenses/LICENSE-2.0
	10	//
	11	// Unless required by applicable law or agreed to in writing, software
	12	// distributed under the License is distributed on an "AS IS" BASIS,
	13	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	14	// See the License for the specific language governing permissions and
	15	// limitations under the License.
	16
	17	// Package encryption contains the internal helpers for the parquet AES encryption/decryption handling.
	18	//
	19	// Testing for this is done via integration testing at the top level parquet package via attempting to
	20	// read and write encrypted files with different configurations to match test files in parquet-testing
	21	package encryption
	22
	23	import (
	24	"bytes"
	25	"crypto/aes"
	26	"crypto/cipher"
	27	"crypto/rand"
	28	"encoding/binary"
	29	"io"
	30
	31	"github.com/apache/arrow/go/v6/parquet"
	32	"golang.org/x/xerrors"
	33	)
	34
	35	// important constants for handling the aes encryption
	36	const (
	37	GcmTagLength = 16
	38	NonceLength = 12
	39
	40	gcmMode = 0
	41	ctrMode = 1
	42	ctrIVLen = 16
	43	bufferSizeLength = 4
	44	)
	45
	46	// Module constants for constructing the AAD bytes, the order here is
	47	// important as the constants are set via iota.
	48	const (
	49	FooterModule int8 = iota
	50	ColumnMetaModule
	51	DataPageModule
	52	DictPageModule
	53	DataPageHeaderModule
	54	DictPageHeaderModule
	55	ColumnIndexModule
	56	OffsetIndexModule
	57	)
	58
	59	type aesEncryptor struct {
	60	mode int
	61	ciphertextSizeDelta int
	62	}
	63
	64	// NewAesEncryptor constructs an encryptor for the passed in cipher and whether
65	// or not it's being used to encrypt metadata.
66	func NewAesEncryptor(alg parquet.Cipher, metadata bool) *aesEncryptor {
67	ret := &aesEncryptor{}
68	ret.ciphertextSizeDelta = bufferSizeLength + NonceLength
69	if metadata \|\| alg == parquet.AesGcm {
70	ret.mode = gcmMode
71	ret.ciphertextSizeDelta += GcmTagLength
72	} else {
73	ret.mode = ctrMode
74	}
75
76	return ret
77	}
78
79	// CiphertextSizeDelta is the number of extra bytes that are part of the encrypted data
80	// above and beyond the plaintext value.
81	func (a *aesEncryptor) CiphertextSizeDelta() int { return a.ciphertextSizeDelta }
82
83	// SignedFooterEncrypt writes the signature for the provided footer bytes using the given key, AAD and nonce.
84	// It returns the number of bytes that were written to w.
85	func (a *aesEncryptor) SignedFooterEncrypt(w io.Writer, footer, key, aad, nonce []byte) int {
86	if a.mode != gcmMode {
87	panic("must use AES GCM (metadata) encryptor")
88	}
89
90	block, err := aes.NewCipher(key)
91	if err != nil {
92	panic(err)
93	}
94
95	aead, err := cipher.NewGCM(block)
96	if err != nil {
97	panic(err)
98	}
99	if aead.NonceSize() != NonceLength {
100	panic(xerrors.Errorf("nonce size mismatch %d, %d", aead.NonceSize(), NonceLength))
101	}
102	if aead.Overhead() != GcmTagLength {
103	panic(xerrors.Errorf("tagsize mismatch %d %d", aead.Overhead(), GcmTagLength))
104	}
105
106	ciphertext := aead.Seal(nil, nonce, footer, aad)
107	bufferSize := uint32(len(ciphertext) + len(nonce))
108	// data is written with a prefix of the size written as a little endian 32bit int.
109	if err := binary.Write(w, binary.LittleEndian, bufferSize); err != nil {
110	panic(err)
111	}
112	w.Write(nonce)
113	w.Write(ciphertext)
114	return bufferSizeLength + int(bufferSize)
115	}
116
117	// Encrypt calculates the ciphertext for src with the given key and aad, then writes it to w.
118	// Returns the total number of bytes written.
119	func (a *aesEncryptor) Encrypt(w io.Writer, src, key, aad []byte) int {
120	block, err := aes.NewCipher(key)
121	if err != nil {
122	panic(err)
123	}
124
125	nonce := make([]byte, NonceLength)
126	rand.Read(nonce)
127
128	if a.mode == gcmMode {
129	aead, err := cipher.NewGCM(block)
130	if err != nil {
131	panic(err)
132	}
133	if aead.NonceSize() != NonceLength {
134	panic(xerrors.Errorf("nonce size mismatch %d, %d", aead.NonceSize(), NonceLength))
135	}
136	if aead.Overhead() != GcmTagLength {
137	panic(xerrors.Errorf("tagsize mismatch %d %d", aead.Overhead(), GcmTagLength))
138	}
139
140	ciphertext := aead.Seal(nil, nonce, src, aad)
141	bufferSize := len(ciphertext) + len(nonce)
142	// data is written with a prefix of the size written as a little endian 32bit int.
143	if err := binary.Write(w, binary.LittleEndian, uint32(bufferSize)); err != nil {
144	panic(err)
145	}
146	w.Write(nonce)
147	w.Write(ciphertext)
148	return bufferSizeLength + bufferSize
149	}
150
151	// Parquet CTR IVs are comprised of a 12-byte nonce and a 4-byte initial
152	// counter field.
153	// The first 31 bits of the initial counter field are set to 0, the last bit
154	// is set to 1.
155	iv := make([]byte, ctrIVLen)
156	copy(iv, nonce)
157	iv[ctrIVLen-1] = 1
158
159	bufferSize := NonceLength + len(src)
160	// data is written with a prefix of the size written as a little endian 32bit int.
161	if err := binary.Write(w, binary.LittleEndian, uint32(bufferSize)); err != nil {
162	panic(err)
163	}
164	w.Write(nonce)
165	cipher.StreamWriter{S: cipher.NewCTR(block, iv), W: w}.Write(src)
166	return bufferSizeLength + bufferSize
167	}
168
169	type aesDecryptor struct {
170	mode int
171	ciphertextSizeDelta int
172	}
173
174	// newAesDecryptor constructs and returns a decryptor for the given cipher type and whether or
175	// not it is intended to be used for decrypting metadata.
176	func newAesDecryptor(alg parquet.Cipher, metadata bool) *aesDecryptor {
177	ret := &aesDecryptor{}
178	ret.ciphertextSizeDelta = bufferSizeLength + NonceLength
179	if metadata \|\| alg == parquet.AesGcm {
180	ret.mode = gcmMode
181	ret.ciphertextSizeDelta += GcmTagLength
182	} else {
183	ret.mode = ctrMode
184	}
185
186	return ret
187	}
188
189	// CiphertextSizeDelta is the number of bytes in the ciphertext that will not exist in the
190	// plaintext due to be used for the decryption. The total size - the CiphertextSizeDelta is
191	// the length of the plaintext after decryption.
192	func (a *aesDecryptor) CiphertextSizeDelta() int { return a.ciphertextSizeDelta }
193
194	// Decrypt returns the plaintext version of the given ciphertext when decrypted
195	// with the provided key and AAD security bytes.
196	func (a *aesDecryptor) Decrypt(cipherText, key, aad []byte) []byte {
197	block, err := aes.NewCipher(key)
198	if err != nil {
199	panic(err)
200	}
201
202	writtenCiphertextLen := binary.LittleEndian.Uint32(cipherText)
203	cipherLen := writtenCiphertextLen + bufferSizeLength
204	nonce := cipherText[bufferSizeLength : bufferSizeLength+NonceLength]
205
206	if a.mode == gcmMode {
207	aead, err := cipher.NewGCM(block)
208	if err != nil {
209	panic(err)
210	}
211
212	plain, err := aead.Open(nil, nonce, cipherText[bufferSizeLength+NonceLength:cipherLen], aad)
213	if err != nil {
214	panic(err)
215	}
216	return plain
217	}
218
219	// Parquet CTR IVs are comprised of a 12-byte nonce and a 4-byte initial
220	// counter field.
221	// The first 31 bits of the initial counter field are set to 0, the last bit
222	// is set to 1.
223	iv := make([]byte, ctrIVLen)
224	copy(iv, nonce)
225	iv[ctrIVLen-1] = 1
226
227	stream := cipher.NewCTR(block, iv)
228	dst := make([]byte, len(cipherText)-bufferSizeLength-NonceLength)
229	stream.XORKeyStream(dst, cipherText[bufferSizeLength+NonceLength:])
230	return dst
231	}
232
233	// CreateModuleAad creates the section AAD security bytes for the file, module, row group, column and page.
234	//
235	// This should be used for being passed to the encryptor and decryptor whenever requesting AAD bytes.
236	func CreateModuleAad(fileAad string, moduleType int8, rowGroupOrdinal, columnOrdinal, pageOrdinal int16) string {
237	buf := bytes.NewBuffer([]byte(fileAad))
238	buf.WriteByte(byte(moduleType))
239
240	if moduleType == FooterModule {
241	return buf.String()
242	}
243
244	binary.Write(buf, binary.LittleEndian, rowGroupOrdinal)
245	binary.Write(buf, binary.LittleEndian, columnOrdinal)
246	if DataPageModule != moduleType && DataPageHeaderModule != moduleType {
247	return buf.String()
248	}
249
250	binary.Write(buf, binary.LittleEndian, pageOrdinal)
251	return buf.String()
252	}
253
254	// CreateFooterAad takes an aadPrefix and constructs the security AAD bytes for encrypting
255	// and decrypting the parquet footer bytes.
256	func CreateFooterAad(aadPrefix string) string {
257	return CreateModuleAad(aadPrefix, FooterModule, -1, -1, -1)
258	}
259
260	// QuickUpdatePageAad updates aad with the new page ordinal, modifying the
261	// last two bytes of aad.
262	func QuickUpdatePageAad(aad []byte, newPageOrdinal int16) {
263	binary.LittleEndian.PutUint16(aad[len(aad)-2:], uint16(newPageOrdinal))
264	}