Using ByteByffer instead of ByteArrayInput/OutputStreams

Author: WesleyRosenblum

src/main/java/com/amazonaws/encryptionsdk/internal/AesGcmJceKeyCipher.java

@@ -16,15 +16,10 @@
 import javax.crypto.Cipher;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.GCMParameterSpec;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.DataInputStream;
-import java.io.DataOutputStream;
-import java.io.IOException;
+import java.nio.ByteBuffer;
 import java.security.GeneralSecurityException;
 import java.security.InvalidKeyException;
 import java.security.Key;
-import java.security.SecureRandom;
 import java.util.Map;
 
 /**
@@ -34,54 +29,46 @@ class AesGcmJceKeyCipher extends JceKeyCipher {
     private static final int NONCE_LENGTH = 12;
     private static final int TAG_LENGTH = 128;
     private static final String TRANSFORMATION = "AES/GCM/NoPadding";
-    private final SecureRandom rnd = new SecureRandom();
 
     AesGcmJceKeyCipher(SecretKey key) {
         super(key, key);
     }
 
     private static byte[] specToBytes(final GCMParameterSpec spec) {
         final byte[] nonce = spec.getIV();
-        final ByteArrayOutputStream baos = new ByteArrayOutputStream();
-        try (final DataOutputStream dos = new DataOutputStream(baos)) {
-            dos.writeInt(spec.getTLen());
-            dos.writeInt(nonce.length);
-            dos.write(nonce);
-            dos.close();
-            baos.close();
-        } catch (final IOException ex) {
-            throw new AssertionError("Impossible exception", ex);
-        }
-        return baos.toByteArray();
+        final byte[] result = new byte[Integer.BYTES + Integer.BYTES + nonce.length];
+        final ByteBuffer buffer = ByteBuffer.wrap(result);
+        buffer.putInt(spec.getTLen());
+        buffer.putInt(nonce.length);
+        buffer.put(nonce);
+        return result;
     }
 
     private static GCMParameterSpec bytesToSpec(final byte[] data, final int offset) throws InvalidKeyException {
-        final ByteArrayInputStream bais = new ByteArrayInputStream(data, offset, data.length - offset);
-        try (final DataInputStream dis = new DataInputStream(bais)) {
-            final int tagLen = dis.readInt();
-            final int nonceLen = dis.readInt();
+        final ByteBuffer buffer = ByteBuffer.wrap(data, offset, data.length - offset);
 
-            if (tagLen != TAG_LENGTH) {
-                throw new InvalidKeyException(String.format("Authentication tag length must be %s", TAG_LENGTH));
-            }
+        final int tagLen = buffer.getInt();
+        final int nonceLen = buffer.getInt();
 
-            if (nonceLen != NONCE_LENGTH) {
-                throw new InvalidKeyException(String.format("Initialization vector (IV) length must be %s", NONCE_LENGTH));
-            }
+        if (tagLen != TAG_LENGTH) {
+            throw new InvalidKeyException(String.format("Authentication tag length must be %s", TAG_LENGTH));
+        }
 
-            final byte[] nonce = new byte[nonceLen];
-            dis.readFully(nonce);
-            return new GCMParameterSpec(tagLen, nonce);
-        } catch (final IOException ex) {
-            throw new AssertionError("Impossible exception", ex);
+        if (nonceLen != NONCE_LENGTH || buffer.remaining() != NONCE_LENGTH) {
+            throw new InvalidKeyException(String.format("Initialization vector (IV) length must be %s", NONCE_LENGTH));
         }
+
+        final byte[] nonce = new byte[nonceLen];
+        buffer.get(nonce);
+
+        return new GCMParameterSpec(tagLen, nonce);
     }
 
     @Override
     WrappingData buildWrappingCipher(final Key key, final Map<String, String> encryptionContext)
             throws GeneralSecurityException {
         final byte[] nonce = new byte[NONCE_LENGTH];
-        rnd.nextBytes(nonce);
+        Utils.getSecureRandom().nextBytes(nonce);
         final GCMParameterSpec spec = new GCMParameterSpec(TAG_LENGTH, nonce);
         final Cipher cipher = Cipher.getInstance(TRANSFORMATION);
         cipher.init(Cipher.ENCRYPT_MODE, key, spec);

src/main/java/com/amazonaws/encryptionsdk/internal/JceKeyCipher.java

@@ -90,9 +90,14 @@ public EncryptedDataKey encryptKey(final byte[] key, final String keyName, final
             final Cipher cipher = wData.cipher;
             final byte[] encryptedKey = cipher.doFinal(key);
 
-            final byte[] provInfo = new byte[keyNameBytes.length + wData.extraInfo.length];
-            System.arraycopy(keyNameBytes, 0, provInfo, 0, keyNameBytes.length);
-            System.arraycopy(wData.extraInfo, 0, provInfo, keyNameBytes.length, wData.extraInfo.length);
+            final byte[] provInfo;
+            if (wData.extraInfo.length == 0) {
+                provInfo = keyNameBytes;
+            } else {
+                provInfo = new byte[keyNameBytes.length + wData.extraInfo.length];
+                System.arraycopy(keyNameBytes, 0, provInfo, 0, keyNameBytes.length);
+                System.arraycopy(wData.extraInfo, 0, provInfo, keyNameBytes.length, wData.extraInfo.length);
+            }
 
             return new KeyBlob(keyNamespace, provInfo, encryptedKey);
         } catch (final GeneralSecurityException gsex) {

src/main/java/com/amazonaws/encryptionsdk/internal/RsaJceKeyCipher.java

@@ -101,8 +101,7 @@ Cipher buildUnwrappingCipher(Key key, byte[] extraInfo, int offset, Map<String,
         if (extraInfo.length != offset) {
             throw new IllegalArgumentException("Extra info must be empty for RSA keys");
         }
-        // We require BouncyCastle to avoid some bugs in the default Java implementation
-        // of OAEP.
+
         final Cipher cipher = Cipher.getInstance(transformation_);
         cipher.init(Cipher.DECRYPT_MODE, key, parameterSpec_);
         return cipher;

src/main/java/com/amazonaws/encryptionsdk/internal/Utils.java

@@ -314,6 +314,7 @@ public static byte[] bigIntegerToByteArray(final BigInteger bigInteger, final in
 
     /**
      * Returns true if the prefix of the given length for the input arrays are equal.
+     * This method will return as soon as the first difference is found, and is thus not constant-time.
      *
      * @param a      The first array.
      * @param b      The second array.

src/main/java/com/amazonaws/encryptionsdk/jce/JceMasterKey.java

@@ -28,7 +28,6 @@
 import java.security.Key;
 import java.security.PrivateKey;
 import java.security.PublicKey;
-import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
@@ -40,7 +39,6 @@
  * {@link #getInstance(PublicKey, PrivateKey, String, String, String)}.
  */
 public class JceMasterKey extends MasterKey<JceMasterKey> {
-    private final SecureRandom rnd = new SecureRandom();
     private final String providerName_;
     private final String keyId_;
     private final byte[] keyIdBytes_;
@@ -110,7 +108,7 @@ public String getKeyId() {
     public DataKey<JceMasterKey> generateDataKey(final CryptoAlgorithm algorithm,
             final Map<String, String> encryptionContext) {
         final byte[] rawKey = new byte[algorithm.getDataKeyLength()];
-        rnd.nextBytes(rawKey);
+        Utils.getSecureRandom().nextBytes(rawKey);
         EncryptedDataKey encryptedDataKey = jceKeyCipher_.encryptKey(rawKey, keyId_, providerName_, encryptionContext);
         return new DataKey<>(new SecretKeySpec(rawKey, algorithm.getDataKeyAlgo()),
                 encryptedDataKey.getEncryptedDataKey(), encryptedDataKey.getProviderInformation(), this);