impl aes-siv

Signed-off-by: tabVersion <[email protected]>
risingwavelabs · May 28, 2024 · af892fa · af892fa
1 parent f475dbc
commit af892fa
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 14 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/src/meta/Cargo.toml b/src/meta/Cargo.toml
@@ -14,13 +14,15 @@ ignored = ["workspace-hack"]
 normal = ["workspace-hack"]
 
 [dependencies]
+aes-siv = "0.7"
 anyhow = "1"
 arc-swap = "1"
 assert_matches = "1"
 async-trait = "0.1"
 aws-config = { workspace = true }
 aws-sdk-ec2 = { workspace = true }
 base64-url = { version = "3.0.0" }
+bincode = "1.3"
 bytes = { version = "1", features = ["serde"] }
 chrono = "0.4"
 clap = { workspace = true }

diff --git a/src/meta/src/rpc/ddl_controller.rs b/src/meta/src/rpc/ddl_controller.rs
@@ -18,9 +18,12 @@ use std::num::NonZeroUsize;
 use std::sync::Arc;
 use std::time::Duration;
 
+use aes_siv::aead::generic_array::GenericArray;
+use aes_siv::aead::Aead;
+use aes_siv::{Aes128SivAead, KeyInit};
 use anyhow::Context;
 use itertools::Itertools;
-use rand::Rng;
+use rand::{Rng, RngCore};
 use risingwave_common::config::DefaultParallelism;
 use risingwave_common::hash::{ParallelUnitMapping, VirtualNode};
 use risingwave_common::system_param::reader::SystemParamsRead;
@@ -58,6 +61,7 @@ use risingwave_pb::stream_plan::{
     Dispatcher, DispatcherType, FragmentTypeFlag, MergeNode, PbStreamFragmentGraph,
     StreamFragmentGraph as StreamFragmentGraphProto,
 };
+use serde::{Deserialize, Serialize};
 use thiserror_ext::AsReport;
 use tokio::sync::Semaphore;
 use tokio::time::sleep;
@@ -156,6 +160,12 @@ pub enum DdlCommand {
     DropSubscription(SubscriptionId, DropMode),
 }
 
+#[derive(Deserialize, Serialize)]
+struct SecretEncryption {
+    nonce: [u8; 16],
+    ciphertext: Vec<u8>,
+}
+
 impl DdlCommand {
     fn allow_in_recovery(&self) -> bool {
         match self {
@@ -620,16 +630,34 @@ impl DdlController {
         // The 'secret' part of the request we receive from the frontend is in plaintext;
         // here, we need to encrypt it before storing it in the catalog.
 
-        let encrypted_payload = simplestcrypt::encrypt_and_serialize(
-            self.env.opts.secret_store_private_key.as_slice(),
-            secret.get_value().as_slice(),
-        )
-        .map_err(|e| {
-            MetaError::from(MetaErrorInner::InvalidParameter(format!(
-                "failed to encrypt secret {}: {:?}",
-                secret.name, e
-            )))
-        })?;
+        let encrypted_payload = {
+            let data = secret.get_value().as_slice();
+            let key = self.env.opts.secret_store_private_key.as_slice();
+            let encrypt_key = {
+                let mut k = key[..(std::cmp::min(key.len(), 32))].to_vec();
+                k.resize_with(32, || 0);
+                k
+            };
+
+            let mut rng = rand::thread_rng();
+            let mut nonce: [u8; 16] = [0; 16];
+            rng.fill_bytes(&mut nonce);
+            let nonce_array = GenericArray::from_slice(&nonce);
+            let cipher = Aes128SivAead::new(encrypt_key.as_slice().into());
+
+            let ciphertext = cipher.encrypt(nonce_array, data).map_err(|e| {
+                MetaError::from(MetaErrorInner::InvalidParameter(format!(
+                    "failed to encrypt secret {}: {:?}",
+                    secret.name, e
+                )))
+            })?;
+            bincode::serialize(&SecretEncryption { nonce, ciphertext }).map_err(|e| {
+                MetaError::from(MetaErrorInner::InvalidParameter(format!(
+                    "failed to serialize secret {}: {:?}",
+                    secret.name, e
+                )))
+            })?
+        };
         secret.value = encrypted_payload;
 
         match &self.metadata_manager {