[GitHub] [spark] MaxGekk commented on a diff in pull request #40704: [SPARK-43038][SQL] Support the CBC mode by `aes_encrypt()`/`aes_decrypt()`

Wed, 12 Apr 2023 02:54:23 -0700 


MaxGekk commented on code in PR #40704:
URL: https://github.com/apache/spark/pull/40704#discussion_r1163901646


##########
sql/catalyst/src/main/java/org/apache/spark/sql/catalyst/expressions/ExpressionImplUtils.java:
##########
@@ -115,11 +128,70 @@ private static byte[] aesInternal(
           cipher.init(Cipher.DECRYPT_MODE, secretKey, parameterSpec);
           return cipher.doFinal(input, GCM_IV_LEN, input.length - GCM_IV_LEN);
         }
+      } else if (mode.equalsIgnoreCase("CBC") &&
+          (padding.equalsIgnoreCase("PKCS") || 
padding.equalsIgnoreCase("DEFAULT"))) {
+        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+        if (opmode == Cipher.ENCRYPT_MODE) {
+          byte[] salt = new byte[CBC_SALT_LEN];
+          secureRandom.nextBytes(salt);
+          final byte[] keyAndIv = getKeyAndIv(key, salt);
+          final byte[] keyValue = Arrays.copyOfRange(keyAndIv, 0, key.length);
+          final byte[] iv = Arrays.copyOfRange(keyAndIv, key.length, 
key.length + CBC_IV_LEN);
+          cipher.init(
+            Cipher.ENCRYPT_MODE,
+            new SecretKeySpec(keyValue, "AES"),
+            new IvParameterSpec(iv));
+          byte[] encrypted = cipher.doFinal(input, 0, input.length);
+          ByteBuffer byteBuffer = ByteBuffer.allocate(
+            SALTED_MAGIC.length + CBC_SALT_LEN + encrypted.length);
+          byteBuffer.put(SALTED_MAGIC);
+          byteBuffer.put(salt);
+          byteBuffer.put(encrypted);
+          return byteBuffer.array();
+        } else {
+          assert(opmode == Cipher.DECRYPT_MODE);
+          final byte[] shouldBeMagic = Arrays.copyOfRange(input, 0, 
SALTED_MAGIC.length);
+          if (!Arrays.equals(shouldBeMagic, SALTED_MAGIC)) {
+            throw QueryExecutionErrors.aesInvalidSalt(shouldBeMagic);
+          }
+          final byte[] salt = Arrays.copyOfRange(
+            input, SALTED_MAGIC.length, SALTED_MAGIC.length + CBC_SALT_LEN);
+          final byte[] keyAndIv = getKeyAndIv(key, salt);
+          final byte[] keyValue = Arrays.copyOfRange(keyAndIv, 0, key.length);
+          final byte[] iv = Arrays.copyOfRange(keyAndIv, key.length, 
key.length + CBC_IV_LEN);
+          cipher.init(
+            Cipher.DECRYPT_MODE,
+            new SecretKeySpec(keyValue, "AES"),
+            new IvParameterSpec(iv, 0, CBC_IV_LEN));
+          return cipher.doFinal(input, CBC_IV_LEN, input.length - CBC_IV_LEN);
+        }
       } else {
         throw QueryExecutionErrors.aesModeUnsupportedError(mode, padding);
       }
     } catch (GeneralSecurityException e) {

Review Comment:
   Yep, this is from `java.security`:
   ```java
   public class NoSuchAlgorithmException extends GeneralSecurityException {
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to