Improve synchronization logic

Author: SalusaSecondus

src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/DynamoDBEncryptor.java

@@ -23,7 +23,6 @@
 import java.nio.charset.Charset;
 import java.security.GeneralSecurityException;
 import java.security.PrivateKey;
-import java.security.SecureRandom;
 import java.security.SignatureException;
 import java.util.Arrays;
 import java.util.Collection;
@@ -43,6 +42,7 @@
 import com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.EncryptionMaterialsProvider;
 import com.amazonaws.services.dynamodbv2.datamodeling.internal.AttributeValueMarshaller;
 import com.amazonaws.services.dynamodbv2.datamodeling.internal.ByteBufferInputStream;
+import com.amazonaws.services.dynamodbv2.datamodeling.internal.Utils;
 import com.amazonaws.services.dynamodbv2.model.AttributeValue;
 
 /**
@@ -52,7 +52,6 @@
  * @author Greg Rubin 
  */
 public class DynamoDBEncryptor {
-    private static final SecureRandom rnd = new SecureRandom();
     private static final String DEFAULT_SIGNATURE_ALGORITHM = "SHA256withRSA";
     private static final String DEFAULT_METADATA_FIELD = "*amzn-ddb-map-desc*";
     private static final String DEFAULT_SIGNATURE_FIELD = "*amzn-ddb-map-sig*";
@@ -233,7 +232,7 @@ public Map<String, AttributeValue> decryptRecord(
         DecryptionMaterials materials;
         SecretKey decryptionKey;
 
-        DynamoDBSigner signer = DynamoDBSigner.getInstance(DEFAULT_SIGNATURE_ALGORITHM, rnd);
+        DynamoDBSigner signer = DynamoDBSigner.getInstance(DEFAULT_SIGNATURE_ALGORITHM, Utils.getRng());
 
         if (itemAttributes.containsKey(materialDescriptionFieldName)) {
             materialDescription = unmarshallDescription(itemAttributes.get(materialDescriptionFieldName));
@@ -248,7 +247,7 @@ public Map<String, AttributeValue> decryptRecord(
         decryptionKey = materials.getDecryptionKey();
         if (materialDescription.containsKey(signingAlgorithmHeader)) {
             String signingAlg = materialDescription.get(signingAlgorithmHeader);
-            signer = DynamoDBSigner.getInstance(signingAlg, rnd);
+            signer = DynamoDBSigner.getInstance(signingAlg, Utils.getRng());
         }
 
         ByteBuffer signature;
@@ -309,7 +308,7 @@ public Map<String, AttributeValue> encryptRecord(
         // The description must be stored after encryption because its data
         // is necessary for proper decryption.
         final String signingAlgo = materialDescription.get(signingAlgorithmHeader);
-        DynamoDBSigner signer = DynamoDBSigner.getInstance(signingAlgo == null ? DEFAULT_SIGNATURE_ALGORITHM : signingAlgo, rnd);
+        DynamoDBSigner signer = DynamoDBSigner.getInstance(signingAlgo == null ? DEFAULT_SIGNATURE_ALGORITHM : signingAlgo, Utils.getRng());
 
         if (materials.getSigningKey() instanceof PrivateKey ) {
             materialDescription.put(signingAlgorithmHeader, signer.getSigningAlgorithm());
@@ -356,7 +355,7 @@ private void actualDecryption(Map<String, AttributeValue> itemAttributes,
                     }
                     byte[] iv = new byte[ivSize];
                     cipherText.get(iv);
-                    cipher.init(Cipher.DECRYPT_MODE, encryptionKey, new IvParameterSpec(iv), rnd);
+                    cipher.init(Cipher.DECRYPT_MODE, encryptionKey, new IvParameterSpec(iv), Utils.getRng());
                     plainText = ByteBuffer.allocate(
                             cipher.getOutputSize(cipherText.remaining()));
                     cipher.doFinal(cipherText, plainText);
@@ -406,8 +405,8 @@ private void actualEncryption(Map<String, AttributeValue> itemAttributes,
                     }
                     // Encryption format: <iv><ciphertext>
                     // Note a unique iv is generated per attribute
-                    byte[] iv = getRandom(ivSize);
-                    cipher.init(Cipher.ENCRYPT_MODE, encryptionKey, new IvParameterSpec(iv), rnd);
+                    byte[] iv = Utils.getRandom(ivSize);
+                    cipher.init(Cipher.ENCRYPT_MODE, encryptionKey, new IvParameterSpec(iv), Utils.getRng());
                     cipherText = ByteBuffer.allocate(ivSize + cipher.getOutputSize(plainText.remaining()));
                     cipherText.put(iv);
                     cipher.doFinal(plainText, cipherText);
@@ -535,12 +534,6 @@ protected static Map<String, String> unmarshallDescription(AttributeValue attrib
             attributeValue.getB().reset();
         }
     }
-
-    private static byte[] getRandom(int bytes) {
-        byte[] result = new byte[bytes];
-        rnd.nextBytes(result);
-        return result;
-    }
 
     private static byte[] toByteArray(ByteBuffer buffer) {
         if (buffer.hasArray()) {

src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/DynamoDBSigner.java

@@ -39,6 +39,7 @@
 import javax.crypto.spec.SecretKeySpec;
 
 import com.amazonaws.services.dynamodbv2.datamodeling.internal.AttributeValueMarshaller;
+import com.amazonaws.services.dynamodbv2.datamodeling.internal.Utils;
 import com.amazonaws.services.dynamodbv2.model.AttributeValue;
 
 /**
@@ -77,7 +78,7 @@ static DynamoDBSigner getInstance(String signingAlgorithm, SecureRandom rnd) {
      */
     private DynamoDBSigner(String signingAlgorithm, SecureRandom rnd) {
         if (rnd == null) {
-            rnd = new SecureRandom();
+            rnd = Utils.getRng();
         }
         this.rnd = rnd;
         this.signingAlgorithm = signingAlgorithm;

src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/materials/WrappedRawMaterials.java

@@ -19,7 +19,6 @@
 import java.security.Key;
 import java.security.KeyPair;
 import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
 import java.util.Collections;
 import java.util.Map;
 
@@ -30,6 +29,7 @@
 import javax.crypto.SecretKey;
 
 import com.amazonaws.services.dynamodbv2.datamodeling.encryption.DelegatedKey;
+import com.amazonaws.services.dynamodbv2.datamodeling.internal.Utils;
 import com.amazonaws.util.Base64;
 
 /**
@@ -63,7 +63,6 @@ public class WrappedRawMaterials extends AbstractRawMaterials {
      */
     public  static final String ENVELOPE_KEY = "amzn-ddb-env-key";
     private static final String DEFAULT_ALGORITHM = "AES/256";
-    private static final SecureRandom rand = new SecureRandom();
 
     protected final Key wrappingKey;
     protected final Key unwrappingKey;
@@ -151,7 +150,7 @@ public byte[] wrapKey(SecretKey key, String wrappingAlg) throws NoSuchAlgorithmE
             return ((DelegatedKey)wrappingKey).wrap(key, null, wrappingAlg);
         } else {
             Cipher cipher = Cipher.getInstance(wrappingAlg);
-            cipher.init(Cipher.WRAP_MODE, wrappingKey, rand);
+            cipher.init(Cipher.WRAP_MODE, wrappingKey, Utils.getRng());
             byte[] encryptedKey = cipher.wrap(key);
             return encryptedKey;
         }
@@ -164,7 +163,7 @@ protected SecretKey unwrapKey(Map<String, String> description, byte[] encryptedK
                     description.get(CONTENT_KEY_ALGORITHM), Cipher.SECRET_KEY, null, wrappingAlgorithm);
         } else {
             Cipher cipher = Cipher.getInstance(wrappingAlgorithm);
-            cipher.init(Cipher.UNWRAP_MODE, unwrappingKey, rand);
+            cipher.init(Cipher.UNWRAP_MODE, unwrappingKey, Utils.getRng());
             return (SecretKey) cipher.unwrap(encryptedKey,
                     description.get(CONTENT_KEY_ALGORITHM), Cipher.SECRET_KEY);
         }
@@ -183,9 +182,9 @@ protected SecretKey generateContentKey(final String algorithm) throws NoSuchAlgo
         }
 
         if (keyLen > 0) {
-            kg.init(keyLen, rand);
+            kg.init(keyLen, Utils.getRng());
         } else {
-            kg.init(rand);
+            kg.init(Utils.getRng());
         }
         return kg.generateKey();
     }

src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/providers/MostRecentProvider.java

@@ -12,11 +12,14 @@
  */
 package com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers;
 
-import com.amazonaws.services.dynamodbv2.datamodeling.internal.LRUCache;
+import java.util.concurrent.atomic.AtomicReference;
+import java.util.concurrent.locks.ReentrantLock;
+
 import com.amazonaws.services.dynamodbv2.datamodeling.encryption.EncryptionContext;
 import com.amazonaws.services.dynamodbv2.datamodeling.encryption.materials.DecryptionMaterials;
 import com.amazonaws.services.dynamodbv2.datamodeling.encryption.materials.EncryptionMaterials;
 import com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.store.ProviderStore;
+import com.amazonaws.services.dynamodbv2.datamodeling.internal.LRUCache;
 
 /**
  * This meta-Provider encrypts data with the most recent version of keying materials from a
@@ -25,14 +28,14 @@
  * is not currently configurable.
  */
 public class MostRecentProvider implements EncryptionMaterialsProvider {
-    private final Object lock;
+    private static final long MILLI_TO_NANO = 1000000L;
+    private static final long TTL_GRACE_IN_NANO = 500 * MILLI_TO_NANO;
+    private final ReentrantLock lock = new ReentrantLock(true);
     private final ProviderStore keystore;
     private final String materialName;
-    private final long ttlInMillis;
+    private final long ttlInNanos;
     private final LRUCache<EncryptionMaterialsProvider> cache;
-    private EncryptionMaterialsProvider currentProvider;
-    private long currentVersion;
-    private long lastUpdated;
+    private final AtomicReference<State> state = new AtomicReference<>(new State());
 
     /**
      * Creates a new {@link MostRecentProvider}.
@@ -43,30 +46,45 @@ public class MostRecentProvider implements EncryptionMaterialsProvider {
     public MostRecentProvider(final ProviderStore keystore, final String materialName, final long ttlInMillis) {
         this.keystore = checkNotNull(keystore, "keystore must not be null");
         this.materialName = checkNotNull(materialName, "materialName must not be null");
-        this.ttlInMillis = ttlInMillis;
+        this.ttlInNanos = ttlInMillis * MILLI_TO_NANO;
         this.cache = new LRUCache<EncryptionMaterialsProvider>(1000);
-        this.lock = new Object();
-        currentProvider = null;
-        currentVersion = -1;
-        lastUpdated = 0;
     }
 
     @Override
     public EncryptionMaterials getEncryptionMaterials(EncryptionContext context) {
-        synchronized (lock) {
-            if ((System.currentTimeMillis() - lastUpdated) > ttlInMillis) {
-                long newVersion = keystore.getMaxVersion(materialName);
-                if (newVersion < 0) {
-                    currentVersion = 0;
-                    currentProvider = keystore.getOrCreate(materialName, currentVersion);
-                } else if (newVersion != currentVersion) {
-                    currentVersion = newVersion;
-                    currentProvider = keystore.getProvider(materialName, currentVersion);
-                    cache.add(Long.toString(currentVersion), currentProvider);
-                }
-                lastUpdated = System.currentTimeMillis();
+        State s = state.get();
+        if (System.nanoTime() - s.lastUpdated <= ttlInNanos) {
+            return s.provider.getEncryptionMaterials(context);
+        }
+        if (s.provider == null || System.nanoTime() - s.lastUpdated > ttlInNanos + TTL_GRACE_IN_NANO) {
+            // Either we don't have a provider at all, or we're more than 500 milliseconds past
+            // our update time. Either way, grab the lock and force an update.
+            lock.lock();
+        } else if (!lock.tryLock()) {
+            // If we can't get the lock immediately, just use the current provider
+            return s.provider.getEncryptionMaterials(context);
+        }
+
+        try {
+            final long newVersion = keystore.getMaxVersion(materialName);
+            final long currentVersion;
+            final EncryptionMaterialsProvider currentProvider;
+            if (newVersion < 0) {
+                currentVersion = 0;
+                currentProvider = keystore.getOrCreate(materialName, currentVersion);
+                s = new State(currentProvider, currentVersion);
+                state.set(s);
+            } else if (newVersion != s.currentVersion) {
+                currentVersion = newVersion;
+                currentProvider = keystore.getProvider(materialName, currentVersion);
+                cache.add(Long.toString(currentVersion), currentProvider);
+                s = new State(currentProvider, currentVersion);
+                state.set(s);
             }
-            return currentProvider.getEncryptionMaterials(context);
+
+            return s.provider.getEncryptionMaterials(context);
+        } finally {
+            lock.unlock();
         }
     }
 
@@ -86,11 +104,7 @@ public DecryptionMaterials getDecryptionMaterials(EncryptionContext context) {
      */
     @Override
     public void refresh() {
-        synchronized (lock) {
-            lastUpdated = 0;
-            currentVersion = -1;
-            currentProvider = null;
-        }
+        state.set(new State());
         cache.clear();
     }
 
@@ -99,27 +113,23 @@ public String getMaterialName() {
     }
 
     public long getTtlInMills() {
-        return ttlInMillis;
+        return ttlInNanos / MILLI_TO_NANO;
     }
 
     /**
      * The current version of the materials being used for encryption. Returns -1 if we do not
      * currently have a current version.
      */
     public long getCurrentVersion() {
-        synchronized (lock) {
-            return currentVersion;
-        }
+        return state.get().currentVersion;
     }
 
     /**
      * The last time the current version was updated. Returns 0 if we do not currently have a
      * current version.
      */
     public long getLastUpdated() {
-        synchronized (lock) {
-            return lastUpdated;
-        }
+        return state.get().lastUpdated / MILLI_TO_NANO;
     }
 
     private static <V> V checkNotNull(final V ref, final String errMsg) {
@@ -129,4 +139,20 @@ private static <V> V checkNotNull(final V ref, final String errMsg) {
             return ref;
         }
     }
+
+    private static class State {
+        public final EncryptionMaterialsProvider provider;
+        public final long currentVersion;
+        public final long lastUpdated;
+
+        public State() {
+            this(null, -1);
+        }
+
+        public State(EncryptionMaterialsProvider provider, long currentVersion) {
+            this.provider = provider;
+            this.currentVersion = currentVersion;
+            this.lastUpdated = currentVersion == -1 ? 0 : System.nanoTime();
+        }
+    }
 }

src/main/java/com/amazonaws/services/dynamodbv2/datamodeling/encryption/providers/store/MetaStore.java

@@ -14,7 +14,6 @@
 
 import java.nio.ByteBuffer;
 import java.security.GeneralSecurityException;
-import java.security.SecureRandom;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
@@ -32,6 +31,7 @@
 import com.amazonaws.services.dynamodbv2.datamodeling.encryption.EncryptionContext;
 import com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.EncryptionMaterialsProvider;
 import com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.WrappedMaterialsProvider;
+import com.amazonaws.services.dynamodbv2.datamodeling.internal.Utils;
 import com.amazonaws.services.dynamodbv2.model.AttributeDefinition;
 import com.amazonaws.services.dynamodbv2.model.AttributeValue;
 import com.amazonaws.services.dynamodbv2.model.ComparisonOperator;
@@ -70,7 +70,6 @@ public class MetaStore extends ProviderStore {
     private static final String DEFAULT_HASH_KEY = "N";
     private static final String DEFAULT_RANGE_KEY = "V";
 
-    private final SecureRandom rng = new SecureRandom();
     private final Map<String, ExpectedAttributeValue> doesNotExist;
     private final String tableName;
     private final AmazonDynamoDB ddb;
@@ -106,12 +105,8 @@ public EncryptionMaterialsProvider getProvider(final String materialName, final
 
     @Override
     public EncryptionMaterialsProvider getOrCreate(final String materialName, final long nextId) {
-        final byte[] rawEncKey = new byte[32];
-        rng.nextBytes(rawEncKey);
-        final byte[] rawIntKey = new byte[32];
-        rng.nextBytes(rawIntKey);
-        final SecretKeySpec encryptionKey = new SecretKeySpec(rawEncKey, DEFAULT_ENCRYPTION);
-        final SecretKeySpec integrityKey = new SecretKeySpec(rawIntKey, DEFAULT_INTEGRITY);
+        final SecretKeySpec encryptionKey = new SecretKeySpec(Utils.getRandom(32), DEFAULT_ENCRYPTION);
+        final SecretKeySpec integrityKey = new SecretKeySpec(Utils.getRandom(32), DEFAULT_INTEGRITY);
         final Map<String, AttributeValue> ciphertext = conditionalPut(encryptKeys(materialName,
                 nextId, encryptionKey, integrityKey));
         return decryptProvider(ciphertext);