Use readFully() to read bytes from CipherInputStream (#30640)

Changes how data is read from CipherInputStream in
 KeyStoreWrapper. Instead of using `read()` and checking that the 
bytes read are what we expect, use `readFully()` which will read 
exactly the number of bytes while keep reading until the end of 
the stream or throw an `EOFException` if not all bytes can be read.

This approach keeps the simplicity of using CipherInputStream while
working as expected with both JCE and BCFIPS Security Providers.

See also: #28515

Author: jkakavas

server/src/main/java/org/elasticsearch/common/settings/KeyStoreWrapper.java

@@ -31,6 +31,7 @@
 import java.io.ByteArrayOutputStream;
 import java.io.DataInputStream;
 import java.io.DataOutputStream;
+import java.io.EOFException;
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.ByteBuffer;
@@ -318,38 +319,39 @@ public void decrypt(char[] password) throws GeneralSecurityException, IOExceptio
              DataInputStream input = new DataInputStream(bytesStream)) {
             int saltLen = input.readInt();
             salt = new byte[saltLen];
-            if (input.read(salt) != saltLen) {
-                throw new SecurityException("Keystore has been corrupted or tampered with");
-            }
+            input.readFully(salt);
             int ivLen = input.readInt();
             iv = new byte[ivLen];
-            if (input.read(iv) != ivLen) {
-                throw new SecurityException("Keystore has been corrupted or tampered with");
-            }
+            input.readFully(iv);
             int encryptedLen = input.readInt();
             encryptedBytes = new byte[encryptedLen];
-            if (input.read(encryptedBytes) != encryptedLen) {
+            input.readFully(encryptedBytes);
+            if (input.read() != -1) {
                 throw new SecurityException("Keystore has been corrupted or tampered with");
             }
+        } catch (EOFException e) {
+            throw new SecurityException("Keystore has been corrupted or tampered with", e);
         }
 
         Cipher cipher = createCipher(Cipher.DECRYPT_MODE, password, salt, iv);
         try (ByteArrayInputStream bytesStream = new ByteArrayInputStream(encryptedBytes);
              CipherInputStream cipherStream = new CipherInputStream(bytesStream, cipher);
              DataInputStream input = new DataInputStream(cipherStream)) {
-
             entries.set(new HashMap<>());
             int numEntries = input.readInt();
             while (numEntries-- > 0) {
                 String setting = input.readUTF();
                 EntryType entryType = EntryType.valueOf(input.readUTF());
                 int entrySize = input.readInt();
                 byte[] entryBytes = new byte[entrySize];
-                if (input.read(entryBytes) != entrySize) {
-                    throw new SecurityException("Keystore has been corrupted or tampered with");
-                }
+                input.readFully(entryBytes);
                 entries.get().put(setting, new Entry(entryType, entryBytes));
             }
+            if (input.read() != -1) {
+                throw new SecurityException("Keystore has been corrupted or tampered with");
+            }
+        } catch (EOFException e) {
+            throw new SecurityException("Keystore has been corrupted or tampered with", e);
         }
     }
 
@@ -361,7 +363,6 @@ private byte[] encrypt(char[] password, byte[] salt, byte[] iv) throws GeneralSe
         Cipher cipher = createCipher(Cipher.ENCRYPT_MODE, password, salt, iv);
         try (CipherOutputStream cipherStream = new CipherOutputStream(bytes, cipher);
              DataOutputStream output = new DataOutputStream(cipherStream)) {
-
             output.writeInt(entries.get().size());
             for (Map.Entry<String, Entry> mapEntry : entries.get().entrySet()) {
                 output.writeUTF(mapEntry.getKey());
@@ -371,7 +372,6 @@ private byte[] encrypt(char[] password, byte[] salt, byte[] iv) throws GeneralSe
                 output.write(entry.bytes);
             }
         }
-
         return bytes.toByteArray();
     }
 

server/src/test/java/org/elasticsearch/common/settings/KeyStoreWrapperTests.java

@@ -19,30 +19,33 @@
 
 package org.elasticsearch.common.settings;
 
+import javax.crypto.Cipher;
+import javax.crypto.CipherOutputStream;
 import javax.crypto.SecretKey;
 import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.GCMParameterSpec;
 import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.SecretKeySpec;
 import java.io.ByteArrayOutputStream;
+import java.io.DataOutputStream;
+import java.io.EOFException;
 import java.io.IOException;
 import java.io.InputStream;
-import java.nio.CharBuffer;
-import java.nio.charset.CharsetEncoder;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.FileSystem;
 import java.nio.file.Path;
 import java.security.KeyStore;
+import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.Base64;
 import java.util.List;
-import java.util.Map;
-import java.util.stream.Collectors;
 
 import org.apache.lucene.codecs.CodecUtil;
 import org.apache.lucene.store.IOContext;
 import org.apache.lucene.store.IndexOutput;
 import org.apache.lucene.store.SimpleFSDirectory;
+import org.elasticsearch.common.Randomness;
 import org.elasticsearch.core.internal.io.IOUtils;
-import org.elasticsearch.bootstrap.BootstrapSettings;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.test.ESTestCase;
 import org.hamcrest.Matchers;
@@ -121,6 +124,149 @@ public void testUpgradeNoop() throws Exception {
         assertEquals(seed.toString(), keystore.getString(KeyStoreWrapper.SEED_SETTING.getKey()).toString());
     }
 
+    public void testFailWhenCannotConsumeSecretStream() throws Exception {
+        Path configDir = env.configFile();
+        SimpleFSDirectory directory = new SimpleFSDirectory(configDir);
+        try (IndexOutput indexOutput = directory.createOutput("elasticsearch.keystore", IOContext.DEFAULT)) {
+            CodecUtil.writeHeader(indexOutput, "elasticsearch.keystore", 3);
+            indexOutput.writeByte((byte) 0); // No password
+            SecureRandom random = Randomness.createSecure();
+            byte[] salt = new byte[64];
+            random.nextBytes(salt);
+            byte[] iv = new byte[12];
+            random.nextBytes(iv);
+            ByteArrayOutputStream bytes = new ByteArrayOutputStream();
+            CipherOutputStream cipherStream = getCipherStream(bytes, salt, iv);
+            DataOutputStream output = new DataOutputStream(cipherStream);
+            // Indicate that the secret string is longer than it is so readFully() fails
+            possiblyAlterSecretString(output, -4);
+            cipherStream.close();
+            final byte[] encryptedBytes = bytes.toByteArray();
+            possiblyAlterEncryptedBytes(indexOutput, salt, iv, encryptedBytes, 0);
+            CodecUtil.writeFooter(indexOutput);
+        }
+
+        KeyStoreWrapper keystore = KeyStoreWrapper.load(configDir);
+        SecurityException e = expectThrows(SecurityException.class, () -> keystore.decrypt(new char[0]));
+        assertThat(e.getMessage(), containsString("Keystore has been corrupted or tampered with"));
+        assertThat(e.getCause(), instanceOf(EOFException.class));
+    }
+
+    public void testFailWhenCannotConsumeEncryptedBytesStream() throws Exception {
+        Path configDir = env.configFile();
+        SimpleFSDirectory directory = new SimpleFSDirectory(configDir);
+        try (IndexOutput indexOutput = directory.createOutput("elasticsearch.keystore", IOContext.DEFAULT)) {
+            CodecUtil.writeHeader(indexOutput, "elasticsearch.keystore", 3);
+            indexOutput.writeByte((byte) 0); // No password
+            SecureRandom random = Randomness.createSecure();
+            byte[] salt = new byte[64];
+            random.nextBytes(salt);
+            byte[] iv = new byte[12];
+            random.nextBytes(iv);
+            ByteArrayOutputStream bytes = new ByteArrayOutputStream();
+            CipherOutputStream cipherStream = getCipherStream(bytes, salt, iv);
+            DataOutputStream output = new DataOutputStream(cipherStream);
+
+            possiblyAlterSecretString(output, 0);
+            cipherStream.close();
+            final byte[] encryptedBytes = bytes.toByteArray();
+            // Indicate that the encryptedBytes is larger than it is so readFully() fails
+            possiblyAlterEncryptedBytes(indexOutput, salt, iv, encryptedBytes, -12);
+            CodecUtil.writeFooter(indexOutput);
+        }
+
+        KeyStoreWrapper keystore = KeyStoreWrapper.load(configDir);
+        SecurityException e = expectThrows(SecurityException.class, () -> keystore.decrypt(new char[0]));
+        assertThat(e.getMessage(), containsString("Keystore has been corrupted or tampered with"));
+        assertThat(e.getCause(), instanceOf(EOFException.class));
+    }
+
+    public void testFailWhenSecretStreamNotConsumed() throws Exception {
+        Path configDir = env.configFile();
+        SimpleFSDirectory directory = new SimpleFSDirectory(configDir);
+        try (IndexOutput indexOutput = directory.createOutput("elasticsearch.keystore", IOContext.DEFAULT)) {
+            CodecUtil.writeHeader(indexOutput, "elasticsearch.keystore", 3);
+            indexOutput.writeByte((byte) 0); // No password
+            SecureRandom random = Randomness.createSecure();
+            byte[] salt = new byte[64];
+            random.nextBytes(salt);
+            byte[] iv = new byte[12];
+            random.nextBytes(iv);
+            ByteArrayOutputStream bytes = new ByteArrayOutputStream();
+            CipherOutputStream cipherStream = getCipherStream(bytes, salt, iv);
+            DataOutputStream output = new DataOutputStream(cipherStream);
+            // So that readFully during decryption will not consume the entire stream
+            possiblyAlterSecretString(output, 4);
+            cipherStream.close();
+            final byte[] encryptedBytes = bytes.toByteArray();
+            possiblyAlterEncryptedBytes(indexOutput, salt, iv, encryptedBytes, 0);
+            CodecUtil.writeFooter(indexOutput);
+        }
+
+        KeyStoreWrapper keystore = KeyStoreWrapper.load(configDir);
+        SecurityException e = expectThrows(SecurityException.class, () -> keystore.decrypt(new char[0]));
+        assertThat(e.getMessage(), containsString("Keystore has been corrupted or tampered with"));
+    }
+
+    public void testFailWhenEncryptedBytesStreamIsNotConsumed() throws Exception {
+        Path configDir = env.configFile();
+        SimpleFSDirectory directory = new SimpleFSDirectory(configDir);
+        try (IndexOutput indexOutput = directory.createOutput("elasticsearch.keystore", IOContext.DEFAULT)) {
+            CodecUtil.writeHeader(indexOutput, "elasticsearch.keystore", 3);
+            indexOutput.writeByte((byte) 0); // No password
+            SecureRandom random = Randomness.createSecure();
+            byte[] salt = new byte[64];
+            random.nextBytes(salt);
+            byte[] iv = new byte[12];
+            random.nextBytes(iv);
+            ByteArrayOutputStream bytes = new ByteArrayOutputStream();
+            CipherOutputStream cipherStream = getCipherStream(bytes, salt, iv);
+            DataOutputStream output = new DataOutputStream(cipherStream);
+            possiblyAlterSecretString(output, 0);
+            cipherStream.close();
+            final byte[] encryptedBytes = bytes.toByteArray();
+            possiblyAlterEncryptedBytes(indexOutput, salt, iv, encryptedBytes, randomIntBetween(2, encryptedBytes.length));
+            CodecUtil.writeFooter(indexOutput);
+        }
+
+        KeyStoreWrapper keystore = KeyStoreWrapper.load(configDir);
+        SecurityException e = expectThrows(SecurityException.class, () -> keystore.decrypt(new char[0]));
+        assertThat(e.getMessage(), containsString("Keystore has been corrupted or tampered with"));
+    }
+
+    private CipherOutputStream getCipherStream(ByteArrayOutputStream bytes, byte[] salt, byte[] iv) throws Exception {
+        PBEKeySpec keySpec = new PBEKeySpec(new char[0], salt, 10000, 128);
+        SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512");
+        SecretKey secretKey = keyFactory.generateSecret(keySpec);
+        SecretKeySpec secret = new SecretKeySpec(secretKey.getEncoded(), "AES");
+        GCMParameterSpec spec = new GCMParameterSpec(128, iv);
+        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
+        cipher.init(Cipher.ENCRYPT_MODE, secret, spec);
+        cipher.updateAAD(salt);
+        return new CipherOutputStream(bytes, cipher);
+    }
+
+    private void possiblyAlterSecretString(DataOutputStream output, int truncLength) throws Exception {
+        byte[] secret_value = "super_secret_value".getBytes(StandardCharsets.UTF_8);
+        output.writeInt(1); // One entry
+        output.writeUTF("string_setting");
+        output.writeUTF("STRING");
+        output.writeInt(secret_value.length - truncLength);
+        output.write(secret_value);
+    }
+
+    private void possiblyAlterEncryptedBytes(IndexOutput indexOutput, byte[] salt, byte[] iv, byte[] encryptedBytes, int
+        truncEncryptedDataLength)
+        throws Exception {
+        indexOutput.writeInt(4 + salt.length + 4 + iv.length + 4 + encryptedBytes.length);
+        indexOutput.writeInt(salt.length);
+        indexOutput.writeBytes(salt, salt.length);
+        indexOutput.writeInt(iv.length);
+        indexOutput.writeBytes(iv, iv.length);
+        indexOutput.writeInt(encryptedBytes.length - truncEncryptedDataLength);
+        indexOutput.writeBytes(encryptedBytes, encryptedBytes.length);
+    }
+
     public void testUpgradeAddsSeed() throws Exception {
         KeyStoreWrapper keystore = KeyStoreWrapper.create();
         keystore.remove(KeyStoreWrapper.SEED_SETTING.getKey());