From 6301d32c17b31c710073d898edcc2fb4ff1d3e36 Mon Sep 17 00:00:00 2001
From: Mike Jensen
Date: Tue, 5 Nov 2024 09:45:47 -0700
Subject: [PATCH] fix: NanoTDF secure key from debug logging and iv conflict risk (#208)
This change is motivated from the CodeQL result: https://github.com/opentdf/java-sdk/security/code-scanning/1 Although that use of a static IV is deliberate, it helped highlight that we should ensure that there is no reuse of the IV when encrypting the data. In addition it was found that there were two places the key was logged, due to the sensitivity of the key this has been removed.
---
 sdk/src/main/java/io/opentdf/platform/sdk/NanoTDF.java | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/NanoTDF.java b/sdk/src/main/java/io/opentdf/platform/sdk/NanoTDF.java
index 75d0e734..39170b97 100644
--- a/sdk/src/main/java/io/opentdf/platform/sdk/NanoTDF.java
+++ b/sdk/src/main/java/io/opentdf/platform/sdk/NanoTDF.java
@@ -88,7 +88,6 @@ public int createNanoTDF(ByteBuffer data, OutputStream outputStream,
 MessageDigest digest = MessageDigest.getInstance("SHA-256");
 byte[] hashOfSalt = digest.digest(MAGIC_NUMBER_AND_VERSION);
 byte[] key = ECKeyPair.calculateHKDF(hashOfSalt, symmetricKey);
- logger.debug("createNanoTDF key is - {}", Base64.getEncoder().encodeToString(key));
 // Encrypt policy
 PolicyObject policyObject = createPolicyObject(nanoTDFConfig.attributes);
@@ -135,9 +134,11 @@ public int createNanoTDF(ByteBuffer data, OutputStream outputStream,
 // Encrypt the data
 byte[] actualIV = new byte[kIvPadding + kNanoTDFIvSize];
- byte[] iv = new byte[kNanoTDFIvSize];
- SecureRandom.getInstanceStrong().nextBytes(iv);
- System.arraycopy(iv, 0, actualIV, kIvPadding, iv.length);
+ do {
+ byte[] iv = new byte[kNanoTDFIvSize];
+ SecureRandom.getInstanceStrong().nextBytes(iv);
+ System.arraycopy(iv, 0, actualIV, kIvPadding, iv.length);
+ } while (Arrays.equals(actualIV, kEmptyIV)); // if match, we need to retry to prevent key + iv reuse with the policy
 byte[] cipherData = gcm.encrypt(actualIV, authTagSize, data.array(), 0, dataSize);
@@ -173,7 +174,6 @@ public void readNanoTDF(ByteBuffer nanoTDF, OutputStream outputStream,
 byte[] key = kas.unwrapNanoTDF(header.getECCMode().getEllipticCurveType(), base64HeaderData, kasUrl);
- logger.debug("readNanoTDF key is {}", Base64.getEncoder().encodeToString(key));
 byte[] payloadLengthBuf = new byte[4];
 nanoTDF.get(payloadLengthBuf, 1, 3);
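Review bot: In the createNanoTDF IV loop (hunk `-135,9 +134,11`), the guard `Arrays.equals(actualIV, kEmptyIV)` can only match when `kEmptyIV` is exactly `kIvPadding + kNanoTDFIvSize` bytes long, because `Arrays.equals` returns false for arrays of different lengths; if either constant changes later, the key + IV reuse protection stops working without any visible failure. `kEmptyIV` is declared outside this hunk, so the lengths cannot be confirmed from here. I would state the invariant beside the loop, e.g. `// kEmptyIV.length must equal kIvPadding + kNanoTDFIvSize, or this check never matches`, and move the trailing comment onto its own line above the `do`. Separately, `SecureRandom.getInstanceStrong()` is resolved again on every pass; fetching it once before the loop (`SecureRandom rng = SecureRandom.getInstanceStrong();`) leaves only the draw and the copy inside. The body of createNanoTDF starts and ends outside the hunk.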