fix: NanoTDF secure key from debug logging and iv conflict risk (#208)

jentfoo · web-flow · commit 6301d32c17b3 · 2024-11-05T09:45:47.000-07:00
This change is motivated from the CodeQL result: https://github.com/opentdf/java-sdk/security/code-scanning/1 Although that use of a static IV is deliberate, it helped highlight that we should ensure that there is no reuse of the IV when encrypting the data. In addition it was found that there were two places the key was logged, due to the sensitivity of the key this has been removed.
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/NanoTDF.java b/sdk/src/main/java/io/opentdf/platform/sdk/NanoTDF.java
@@ -88,7 +88,6 @@ public int createNanoTDF(ByteBuffer data, OutputStream outputStream,
         MessageDigest digest = MessageDigest.getInstance("SHA-256");
         byte[] hashOfSalt = digest.digest(MAGIC_NUMBER_AND_VERSION);
         byte[] key = ECKeyPair.calculateHKDF(hashOfSalt, symmetricKey);
-        logger.debug("createNanoTDF key is - {}", Base64.getEncoder().encodeToString(key));
 
         // Encrypt policy
         PolicyObject policyObject = createPolicyObject(nanoTDFConfig.attributes);
@@ -135,9 +134,11 @@ public int createNanoTDF(ByteBuffer data, OutputStream outputStream,
 
         // Encrypt the data
         byte[] actualIV = new byte[kIvPadding + kNanoTDFIvSize];
-        byte[] iv = new byte[kNanoTDFIvSize];
-        SecureRandom.getInstanceStrong().nextBytes(iv);
-        System.arraycopy(iv, 0, actualIV, kIvPadding, iv.length);
+        do {
+            byte[] iv = new byte[kNanoTDFIvSize];
+            SecureRandom.getInstanceStrong().nextBytes(iv);
+            System.arraycopy(iv, 0, actualIV, kIvPadding, iv.length);
+        } while (Arrays.equals(actualIV, kEmptyIV));	// if match, we need to retry to prevent key + iv reuse with the policy
 
         byte[] cipherData = gcm.encrypt(actualIV, authTagSize, data.array(), 0, dataSize);
 
@@ -173,7 +174,6 @@ public void readNanoTDF(ByteBuffer nanoTDF, OutputStream outputStream,
         byte[] key = kas.unwrapNanoTDF(header.getECCMode().getEllipticCurveType(),
                 base64HeaderData,
                 kasUrl);
-        logger.debug("readNanoTDF key is {}", Base64.getEncoder().encodeToString(key));
 
         byte[] payloadLengthBuf = new byte[4];
         nanoTDF.get(payloadLengthBuf, 1, 3);
