GCM encryption stream

[ggershinsky]

Implements #2060

Besides encrypting and signing metadata (avro, json, puffin), this stream can also encrypt Avro data.

[jackye1995]

looks like we should make these variables in a shared util class, instead of importing this from the output stream to the input stream

[jackye1995]

nit: newline after control statement

[jackye1995]

Did a comparison against my internal impl, mostly look correct to me. Will take another look after all the remaining methods are implemented.

[flyrain]

Can we make it final?

[ggershinsky]

sure, will change in the next commit

[flyrain]

It is not used anywhere. Do we need it?

[flyrain]

Oh, there is a TODO item referring it in the method read, never mind.

[flyrain]

Both plainStreamSize and fileAadPrefix could be final.

[flyrain]

Do we need it to be public since the class itself is public? Or we can have a builder.

[ggershinsky]

Always created by an AesGcmInputFile in the same package.

[flyrain]

Nit: make it final.

[flyrain]

These fields can be final.

[flyrain]

Thanks @ggershinsky for the patch. Can we add a unit test for these two classes?

[liujinhui1994]

@ggershinsky Is this PR still going on?

[ggershinsky]

same as in #2639 (comment)

[ggershinsky]

Thanks @ggershinsky for the patch. Can we add a unit test for these two classes?

done

[flyrain]

Should we set the length if field plaintextLength is -1? Looks like this method is valid only after newStream() is called.

if(plaintextLength == -1) {
this.newStream();
}

[RussellSpitzer]

When do we close the stream in this case? Or do we just make and close it in that case?

[ggershinsky]

Both suggestions sound good to me.

[flyrain]

Minor suggestion: Would it be a bit easier to understand if message is "Should read toLoad data, but only get loaded data"?

[flyrain]

The massage could be

"The seeking position " + newPos + " has reached or exceeded the max stream size "  + plainStreamSize.

[flyrain]

Looks like we don't have to implement it, the abstract class InputStream has the same logic.

[flyrain]

Can we add message like, "Failed to create file: %s", targetFile.location()?

[flyrain]

Can we add message like, "Failed to create or overwrite file: %s", targetFile.location()?

[flyrain]

Make it a final static field?

[flyrain]

It can be a final field.

[flyrain]

How about a message like this?

"Wrong length of encrypted output:  expected " + (positionInBuffer + GCM_TAG_LENGTH)) + " but " + encrypted;

[flyrain]

This can go to a common place as well since both classes need it. We may have a util class, e.g. GcmUtil

[flyrain]

Add message for easier debugging?

new IOException("Failed to get an instance of GCM cipher",  e)

[flyrain]

They can be in the same line.
IIUC, this means the stream length is not long enough. Can we say something like "The stream length should be at least " + AesGcmOutputStream.PREFIX_LENGTH?

[RussellSpitzer]

Aren't we also in danger of the read being less than prefix bytes?

[flyrain]

Can we rename it to lastCipherBlockSize to make it more readable?

[flyrain]

final as well.

[RussellSpitzer]

I like this, could I ask for just 4 more test cases

Empty File (no bits)
File that aligns perfectly with encryption Chunk Size
File that is exactly one byte to larger than the aligned and one that is one byte smaller than the aligned file. (we probably hit this unaligned version with the testFileSize below but just to make sure)

[ggershinsky]

Sure, will add

[RussellSpitzer]

Instead of "file with wrong magic string" -> "Cannot read unencrypted file, missing header containing: ..."?

[RussellSpitzer]

Constant for this?

[ggershinsky]

Yep. We actually already have a Ciphers class; let's re-use it (with some additions) for all GCM-related things

[ggershinsky]

I had a lot of comments, so I went ahead and implemented most of them on top of this. I think it simplified how the input stream works quite a bit and I fixed a lot of the comments that I made. Please see ggershinsky#6.

Thanks! Merged the PR.

[rdblue]

When I was refactoring, there was a bug that I fixed when the block for plainStreamPosition didn't match currentPlainBlockIndex. I ended up fixing the problem by setting currentPlainBlockIndex = -1 in a place that I had missed. Now that I'm thinking about it more, I think the right solution is actually to update the check here instead. That way the bytes available will only be non-zero if the current block matches the position.

Here's a diff that does what I'm talking about and still passes tests:

diff --git a/core/src/main/java/org/apache/iceberg/encryption/AesGcmInputStream.java b/core/src/main/java/org/apache/iceberg/encryption/AesGcmInputStream.java
index a63134f31d..88e9b36c25 100644
--- a/core/src/main/java/org/apache/iceberg/encryption/AesGcmInputStream.java
+++ b/core/src/main/java/org/apache/iceberg/encryption/AesGcmInputStream.java
@@ -97,7 +97,7 @@ public class AesGcmInputStream extends SeekableInputStream {
   }
 
   private int availableInCurrentBlock() {
-    if (currentPlainBlockIndex < 0) {
+    if (blockIndex(plainStreamPosition) != currentPlainBlockIndex) {
       return 0;
     }
 
@@ -130,10 +130,6 @@ public class AesGcmInputStream extends SeekableInputStream {
         remainingBytesToRead -= bytesToCopy;
         resultBufferOffset += bytesToCopy;
         this.plainStreamPosition += bytesToCopy;
-        if (blockIndex(plainStreamPosition) != currentPlainBlockIndex) {
-          // invalidate the current block
-          this.currentPlainBlockIndex = -1;
-        }
 
       } else if (available() > 0) {
         decryptBlock(blockIndex(plainStreamPosition));
@@ -157,10 +153,6 @@ public class AesGcmInputStream extends SeekableInputStream {
     }
 
     this.plainStreamPosition = newPos;
-    if (blockIndex(plainStreamPosition) != currentPlainBlockIndex) {
-      // invalidate the current block
-      this.currentPlainBlockIndex = -1;
-    }
   }
 
   @Override
@@ -177,10 +169,6 @@ public class AesGcmInputStream extends SeekableInputStream {
     }
 
     this.plainStreamPosition += n;
-    if (blockIndex(plainStreamPosition) != currentPlainBlockIndex) {
-      // invalidate the current block
-      this.currentPlainBlockIndex = -1;
-    }
 
     return n;
   }

[ggershinsky]

SGTM. Applied this change.

[rdblue]

Shouldn't this always be targetStream.pos() + positionInBuffer?

[ggershinsky]

this value is returned by

@Override
  public long getPos() throws IOException {
    return streamPosition;
  }

so is not related directly to targetStream.pos() and positionInBuffer.
I'll rename positionInBuffer to positionInPlainBlock, and plainBlockBuffer to plainBlock, to make the naming more consistent.

[rdblue]

I don't see why what I said wouldn't always be true. If so, we could eliminate this extra state.

[rdblue]

I think this can be more clear because it doesn't tell the reader that the encryption didn't work right.

Instead, how about Failed to encrypt block: expected %s encrypted bytes but produced %s bytes?

[rdblue]

@ggershinsky, I opened ggershinsky#8 with the remaining changes for this PR.

The main change is to write an empty block for empty files. Otherwise an attacker could replace a valid file with an empty file without detection.

[ggershinsky]

Cool! LGTM. This could have been detected via external check of details (such as the file length, stored in parent metadata), but I agree doing this in the stream is cleaner and more reliable. Thanks for the PR, merged.