[GitHub] [james-project] chibenwa commented on a change in pull request #342: JAMES-3524 Write an AESBlobStoreDAO based on (feu) AESPayloadCodec

[GitBox]

chibenwa commented on a change in pull request #342:
URL: https://github.com/apache/james-project/pull/342#discussion_r602883271



##########
File path: 
server/blob/blob-aes/src/main/java/org/apache/james/blob/aes/AESBlobStoreDAO.java
##########
@@ -41,71 +36,54 @@
 import com.github.fge.lambdas.Throwing;
 import com.google.common.base.Preconditions;
 import com.google.common.io.ByteSource;
-import com.google.crypto.tink.Aead;
-import com.google.crypto.tink.aead.AeadConfig;
-import com.google.crypto.tink.subtle.AesGcmJce;
+import com.google.common.io.FileBackedOutputStream;
+import com.google.crypto.tink.subtle.AesGcmHkdfStreaming;
 
 import reactor.core.publisher.Mono;
-import reactor.core.scheduler.Schedulers;
 
 public class AESBlobStoreDAO implements BlobStoreDAO {
-    private static final byte[] EMPTY_ASSOCIATED_DATA = new byte[0];
-    private static final int PBKDF2_ITERATIONS = 65536;
-    private static final int KEY_SIZE = 256;
-    private static final String SECRET_KEY_FACTORY_ALGORITHM = 
"PBKDF2WithHmacSHA256";
-
     private final BlobStoreDAO underlying;
-    private final Aead aead;
+    private final AesGcmHkdfStreaming streamingAead;
 
     public AESBlobStoreDAO(BlobStoreDAO underlying, CryptoConfig cryptoConfig) 
{
         this.underlying = underlying;
-
-        try {
-            AeadConfig.register();
-
-            SecretKey secretKey = deriveKey(cryptoConfig);
-            aead = new AesGcmJce(secretKey.getEncoded());
-        } catch (GeneralSecurityException e) {
-            throw new RuntimeException("Error while starting AESPayloadCodec", 
e);
-        }
+        this.streamingAead = 
PBKDF2StreamingAeadFactory.newAesGcmHkdfStreaming(cryptoConfig);
     }
 
-    private static SecretKey deriveKey(CryptoConfig cryptoConfig) throws 
NoSuchAlgorithmException, InvalidKeySpecException {
-        byte[] saltBytes = cryptoConfig.salt();
-        SecretKeyFactory skf = 
SecretKeyFactory.getInstance(SECRET_KEY_FACTORY_ALGORITHM);
-        PBEKeySpec spec = new PBEKeySpec(cryptoConfig.password(), saltBytes, 
PBKDF2_ITERATIONS, KEY_SIZE);
-        return skf.generateSecret(spec);
-    }
-
-    public byte[] encrypt(byte[] input) {
-        try {
-            return aead.encrypt(input, EMPTY_ASSOCIATED_DATA);
-        } catch (GeneralSecurityException e) {
+    public FileBackedOutputStream encrypt(InputStream input) {
+        try (FileBackedOutputStream encryptedContent = new 
FileBackedOutputStream(100 * 1024)) {

Review comment:
       Very true




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscr...@james.apache.org
For additional commands, e-mail: notifications-h...@james.apache.org