bugfix: Fix slow AES encryption (#746)

* bugfix: Fix slow AES encryption

* Fix copyright headers

Author: florianrusch-zf

edc-controlplane/edc-controlplane-memory-hashicorp-vault/src/main/docker/Dockerfile

@@ -1,4 +1,5 @@
 #
+#  Copyright (c) 2023 ZF Friedrichshafen AG
 #  Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH
 #  Copyright (c) 2021,2022 Contributors to the Eclipse Foundation
 #
@@ -64,6 +65,6 @@ CMD ["java", \
      "-Dotel.javaagent.configuration-file=/app/opentelemetry.properties", \
      "-Dotel.metrics.exporter=prometheus", \
      "-Dotel.exporter.prometheus.port=9090", \
-     "-Djava.security.edg=file:/dev/.urandom", \
+     "-Djava.security.egd=file:/dev/urandom", \
      "-jar", \
      "edc-controlplane.jar"]

edc-controlplane/edc-controlplane-memory/src/main/docker/Dockerfile

@@ -1,4 +1,5 @@
 #
+#  Copyright (c) 2023 ZF Friedrichshafen AG
 #  Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH
 #  Copyright (c) 2021,2022 Contributors to the Eclipse Foundation
 #
@@ -64,6 +65,6 @@ CMD ["java", \
      "-Dotel.javaagent.configuration-file=/app/opentelemetry.properties", \
      "-Dotel.metrics.exporter=prometheus", \
      "-Dotel.exporter.prometheus.port=9090", \
-     "-Djava.security.edg=file:/dev/.urandom", \
+     "-Djava.security.egd=file:/dev/urandom", \
      "-jar", \
      "edc-controlplane.jar"]

edc-controlplane/edc-controlplane-postgresql-hashicorp-vault/src/main/docker/Dockerfile

@@ -1,4 +1,5 @@
 #
+#  Copyright (c) 2023 ZF Friedrichshafen AG
 #  Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH
 #  Copyright (c) 2021,2022 Contributors to the Eclipse Foundation
 #
@@ -64,6 +65,6 @@ CMD ["java", \
      "-Dotel.javaagent.configuration-file=/app/opentelemetry.properties", \
      "-Dotel.metrics.exporter=prometheus", \
      "-Dotel.exporter.prometheus.port=9090", \
-     "-Djava.security.edg=file:/dev/.urandom", \
+     "-Djava.security.egd=file:/dev/urandom", \
      "-jar", \
      "edc-controlplane.jar"]

edc-controlplane/edc-controlplane-postgresql/src/main/docker/Dockerfile

@@ -1,4 +1,5 @@
 #
+#  Copyright (c) 2023 ZF Friedrichshafen AG
 #  Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH
 #  Copyright (c) 2021,2022 Contributors to the Eclipse Foundation
 #
@@ -64,6 +65,6 @@ CMD ["java", \
      "-Dotel.javaagent.configuration-file=/app/opentelemetry.properties", \
      "-Dotel.metrics.exporter=prometheus", \
      "-Dotel.exporter.prometheus.port=9090", \
-     "-Djava.security.edg=file:/dev/.urandom", \
+     "-Djava.security.egd=file:/dev/urandom", \
      "-jar", \
      "edc-controlplane.jar"]

edc-dataplane/edc-dataplane-azure-vault/src/main/docker/Dockerfile

@@ -1,4 +1,5 @@
 #
+#  Copyright (c) 2023 ZF Friedrichshafen AG
 #  Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH
 #  Copyright (c) 2021,2022 Contributors to the Eclipse Foundation
 #
@@ -64,6 +65,6 @@ CMD ["java", \
      "-Dotel.javaagent.configuration-file=/app/opentelemetry.properties", \
      "-Dotel.metrics.exporter=prometheus", \
      "-Dotel.exporter.prometheus.port=9090", \
-     "-Djava.security.edg=file:/dev/.urandom", \
+     "-Djava.security.egd=file:/dev/urandom", \
      "-jar", \
      "edc-dataplane.jar"]

edc-dataplane/edc-dataplane-hashicorp-vault/src/main/docker/Dockerfile

@@ -1,4 +1,5 @@
 #
+#  Copyright (c) 2023 ZF Friedrichshafen AG
 #  Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH
 #  Copyright (c) 2021,2022 Contributors to the Eclipse Foundation
 #
@@ -64,6 +65,6 @@ CMD ["java", \
      "-Dotel.javaagent.configuration-file=/app/opentelemetry.properties", \
      "-Dotel.metrics.exporter=prometheus", \
      "-Dotel.exporter.prometheus.port=9090", \
-     "-Djava.security.edg=file:/dev/.urandom", \
+     "-Djava.security.egd=file:/dev/urandom", \
      "-jar", \
      "edc-dataplane.jar"]

edc-extensions/data-encryption/src/main/java/org/eclipse/tractusx/edc/data/encryption/algorithms/aes/AesAlgorithm.java

@@ -1,4 +1,5 @@
 /*
+ * Copyright (c) 2023 ZF Friedrichshafen AG
  * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH
  * Copyright (c) 2021,2022 Contributors to the Eclipse Foundation
  *
@@ -22,33 +23,45 @@
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
 import javax.crypto.IllegalBlockSizeException;
 import javax.crypto.NoSuchPaddingException;
 import javax.crypto.spec.GCMParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
 import lombok.NonNull;
+import lombok.SneakyThrows;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.eclipse.tractusx.edc.data.encryption.algorithms.CryptoAlgorithm;
 import org.eclipse.tractusx.edc.data.encryption.data.CryptoDataFactory;
 import org.eclipse.tractusx.edc.data.encryption.data.DecryptedData;
 import org.eclipse.tractusx.edc.data.encryption.data.EncryptedData;
 import org.eclipse.tractusx.edc.data.encryption.key.AesKey;
 import org.eclipse.tractusx.edc.data.encryption.util.ArrayUtil;
+import org.jetbrains.annotations.NotNull;
 
 public class AesAlgorithm implements CryptoAlgorithm<AesKey> {
 
   private static final String AES_GCM = "AES/GCM/NoPadding";
   private static final String AES = "AES";
   private static final Object MONITOR = new Object();
 
+  private final SecureRandom secureRandom;
+
   @NonNull private final CryptoDataFactory cryptoDataFactory;
   private AesInitializationVectorIterator initializationVectorIterator;
 
-  public AesAlgorithm(CryptoDataFactory cryptoDataFactory) {
+  @SneakyThrows
+  public AesAlgorithm(@NotNull CryptoDataFactory cryptoDataFactory) {
     this.cryptoDataFactory = cryptoDataFactory;
-    this.initializationVectorIterator = new AesInitializationVectorIterator();
+
+    // We use new SecureRandom() and not SecureRandom.getInstanceStrong(), as the second one
+    // would use a blocking algorithm, which leads to an increased encryption time of up to 3
+    // minutes. Since we have already used /dev/urandom, which only provides pseudo-randomness and
+    // is also non-blocking, switching to a non-blocking algorithm should not matter here either.
+    this.secureRandom = new SecureRandom();
+    this.initializationVectorIterator = new AesInitializationVectorIterator(this.secureRandom);
   }
 
   @Override
@@ -59,7 +72,7 @@ public synchronized EncryptedData encrypt(DecryptedData data, AesKey key)
     final byte[] initializationVector;
     synchronized (MONITOR) {
       if (!initializationVectorIterator.hasNext()) {
-        initializationVectorIterator = new AesInitializationVectorIterator();
+        initializationVectorIterator = new AesInitializationVectorIterator(this.secureRandom);
       }
 
       initializationVector = initializationVectorIterator.next();
@@ -92,4 +105,8 @@ public DecryptedData decrypt(EncryptedData data, AesKey key)
     byte[] decryptedData = cipher.doFinal(encrypted);
     return cryptoDataFactory.decryptedFromBytes(decryptedData);
   }
+
+  public String getAlgorithm() {
+    return this.secureRandom.getAlgorithm();
+  }
 }

edc-extensions/data-encryption/src/main/java/org/eclipse/tractusx/edc/data/encryption/algorithms/aes/AesInitializationVectorIterator.java

@@ -1,4 +1,5 @@
 /*
+ * Copyright (c) 2023 ZF Friedrichshafen AG
  * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH
  * Copyright (c) 2021,2022 Contributors to the Eclipse Foundation
  *
@@ -29,12 +30,14 @@ public class AesInitializationVectorIterator implements Iterator<byte[]> {
 
   public static final int RANDOM_SIZE = 12;
   public static final int COUNTER_SIZE = 4;
-  public static final int VECTOR_SIZE = RANDOM_SIZE + COUNTER_SIZE;
 
   private final ByteCounter counter;
 
-  public AesInitializationVectorIterator() {
-    counter = new ByteCounter(COUNTER_SIZE);
+  private SecureRandom secureRandom;
+
+  public AesInitializationVectorIterator(SecureRandom secureRandom) {
+    this.counter = new ByteCounter(COUNTER_SIZE);
+    this.secureRandom = secureRandom;
   }
 
   public AesInitializationVectorIterator(ByteCounter byteCounter) {
@@ -60,9 +63,8 @@ public byte[] next() {
 
   @SneakyThrows
   public byte[] getNextRandom() {
-    SecureRandom random = SecureRandom.getInstanceStrong();
     byte[] newVector = new byte[RANDOM_SIZE];
-    random.nextBytes(newVector);
+    secureRandom.nextBytes(newVector);
     return newVector;
   }
 }

edc-extensions/data-encryption/src/main/java/org/eclipse/tractusx/edc/data/encryption/encrypter/DataEncrypterFactory.java

@@ -1,4 +1,5 @@
 /*
+ * Copyright (c) 2023 ZF Friedrichshafen AG
  * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH
  * Copyright (c) 2021,2022 Contributors to the Eclipse Foundation
  *
@@ -20,11 +21,12 @@
 
 package org.eclipse.tractusx.edc.data.encryption.encrypter;
 
+import static java.lang.String.format;
+
 import lombok.RequiredArgsConstructor;
 import org.eclipse.edc.connector.transfer.dataplane.spi.security.DataEncrypter;
 import org.eclipse.edc.spi.monitor.Monitor;
 import org.eclipse.edc.spi.security.Vault;
-import org.eclipse.tractusx.edc.data.encryption.algorithms.CryptoAlgorithm;
 import org.eclipse.tractusx.edc.data.encryption.algorithms.aes.AesAlgorithm;
 import org.eclipse.tractusx.edc.data.encryption.data.CryptoDataFactory;
 import org.eclipse.tractusx.edc.data.encryption.data.CryptoDataFactoryImpl;
@@ -67,8 +69,12 @@ public DataEncrypter createAesEncrypter(AesDataEncrypterConfiguration configurat
     }
 
     final CryptoDataFactory cryptoDataFactory = new CryptoDataFactoryImpl();
-    final CryptoAlgorithm<AesKey> algorithm = new AesAlgorithm(cryptoDataFactory);
+    final AesAlgorithm algorithm = new AesAlgorithm(cryptoDataFactory);
 
+    monitor.debug(
+        format(
+            "AES algorithm was initialised with SecureRandom algorithm '%s'",
+            algorithm.getAlgorithm()));
     return new AesDataEncrypterImpl(algorithm, monitor, keyProvider, algorithm, cryptoDataFactory);
   }
 }

edc-extensions/data-encryption/src/test/java/org/eclipse/tractusx/edc/data/encryption/algorithms/aes/AesInitializationVectorIteratorTest.java

@@ -1,4 +1,5 @@
 /*
+ * Copyright (c) 2023 ZF Friedrichshafen AG
  * Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH
  * Copyright (c) 2021,2022 Contributors to the Eclipse Foundation
  *
@@ -19,6 +20,7 @@
  */
 package org.eclipse.tractusx.edc.data.encryption.algorithms.aes;
 
+import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.NoSuchElementException;
@@ -34,7 +36,8 @@ class AesInitializationVectorIteratorTest {
   @SneakyThrows
   void testDistinctVectors() {
     final int vectorCount = 100;
-    AesInitializationVectorIterator iterator = new AesInitializationVectorIterator();
+    final SecureRandom secureRandom = new SecureRandom();
+    AesInitializationVectorIterator iterator = new AesInitializationVectorIterator(secureRandom);
 
     List<byte[]> vectors = new ArrayList<>();
     for (var i = 0; i < vectorCount; i++) {