Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor(secret): use aws-lc-rs to replace aes-gcm crate #20091

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
+18 −88
Open

refactor(secret): use aws-lc-rs to replace aes-gcm crate #20091

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
36c5c94
init
yuhao-su Jan 9, 2025
217426a
Merge branch 'main' of github.com:singularity-data/risingwave into yu…
yuhao-su Jan 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
75 changes: 2 additions & 73 deletions Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion src/common/secret/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ repository = { workspace = true }


[dependencies]
aes-gcm = "0.10"
aws-lc-rs = "1.6"
anyhow = "1"
bincode = "1"
parking_lot = { workspace = true }
Expand Down
29 changes: 15 additions & 14 deletions src/common/secret/src/encryption.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.

use aes_gcm::aead::generic_array::GenericArray;
use aes_gcm::aead::{Aead, AeadCore, KeyInit, OsRng};
use aes_gcm::Aes128Gcm;
use aws_lc_rs::aead::{Aad, Nonce, RandomizedNonceKey, AES_128_GCM};
use serde::{Deserialize, Serialize};

use super::{SecretError, SecretResult};
Expand All @@ -28,25 +26,28 @@ pub struct SecretEncryption {
impl SecretEncryption {
pub fn encrypt(key: &[u8], plaintext: &[u8]) -> SecretResult<Self> {
let encrypt_key = Self::fill_key(key);
let nonce_array = Aes128Gcm::generate_nonce(&mut OsRng);
let cipher = Aes128Gcm::new(encrypt_key.as_slice().into());
let ciphertext = cipher
.encrypt(&nonce_array, plaintext)
let nonce_key = RandomizedNonceKey::new(&AES_128_GCM, &encrypt_key)
.map_err(|_| SecretError::AesError)?;
let mut in_out = plaintext.to_vec();
let nonce = nonce_key
.seal_in_place_append_tag(Aad::empty(), &mut in_out)
.map_err(|_| SecretError::AesError)?;
Ok(Self {
nonce: nonce_array.into(),
ciphertext,
nonce: *nonce.as_ref(),
ciphertext: in_out,
})
}

pub fn decrypt(&self, key: &[u8]) -> SecretResult<Vec<u8>> {
let decrypt_key = Self::fill_key(key);
let nonce_array = GenericArray::from_slice(&self.nonce);
let cipher = Aes128Gcm::new(decrypt_key.as_slice().into());
let plaintext = cipher
.decrypt(nonce_array, self.ciphertext.as_slice())
let nonce_key = RandomizedNonceKey::new(&AES_128_GCM, &decrypt_key)
.map_err(|_| SecretError::AesError)?;
let mut in_out = self.ciphertext.clone();
let nonce = Nonce::assume_unique_for_key(self.nonce);
let plaintext = nonce_key
.open_in_place(nonce, Aad::empty(), &mut in_out)
.map_err(|_| SecretError::AesError)?;
Ok(plaintext)
Ok(plaintext.to_vec())
}

fn fill_key(key: &[u8]) -> Vec<u8> {
Expand Down
Loading