Merge pull request #526 from rickle-msft/encryptedInputStream

Encrypted input stream

ChangeLog.txt

@@ -1,4 +1,6 @@
 XXXX.XX.XX Version X.X.X
+ * Fixed a bug in BlobInputStream that would return extra zeros at the end of the stream if the data was encrypted using client-side encryption.
+ * MD5 checks on BlobInputStream are skipped if data being downloaded is also being decrypted via client-side encryption, even if disableMd5Calculation is set to false. Previously this check would always fail as MD5 is calculated on cipher text on upload but was calculated on plaintext on download.
  * Added a workaround to a JDK bug that would ignore connection timeouts on retries, causing hangs in some scenarios. This requires defaulting setting https keep-alive on all sockets. It can be disabled via BlobRequestOptions.
 
 2019.12.06 Version 8.6.0

microsoft-azure-storage-test/src/com/microsoft/azure/storage/TestHelper.java

@@ -283,10 +283,7 @@ public static void assertStreamsAreEqual(InputStream src, InputStream dst) throw
         }
 
         next = dst.read();
-        while (next != -1) {
-            assertEquals(0, next);
-            next = dst.read();
-        }
+        assertEquals(next, -1);
     }
 
     public static void assertStreamsAreEqualAtIndex(ByteArrayInputStream src, ByteArrayInputStream dst, int srcIndex,

microsoft-azure-storage/src/com/microsoft/azure/storage/blob/BlobInputStream.java

@@ -302,10 +302,19 @@ private synchronized void dispatchRead(final int readLength) throws IOException
         try {
             final byte[] byteBuffer = new byte[readLength];
 
-            this.parentBlobRef.downloadRangeInternal(this.currentAbsoluteReadPosition, (long) readLength, byteBuffer,
-                    0, this.accessCondition, this.options, this.opContext);
-
-            this.currentBuffer = new ByteArrayInputStream(byteBuffer);
+            int numBytes = this.parentBlobRef.downloadRangeInternal(this.currentAbsoluteReadPosition, (long) readLength,
+                    byteBuffer, 0, this.accessCondition, this.options, this.opContext);
+
+            /*
+            In the case of client-side decryption, we may get fewer bytes than we request at the end of the blob when
+            we remove padding. We want to ensure our data is the correct size, even in this case. Also, in this case,
+            we can no longer validate the MD5 because it was calculated on the ciphertext on upload, but this
+            inputstream calculates it on the plaintext.
+             */
+            if (numBytes < readLength && this.options.getEncryptionPolicy() != null) {
+                this.validateBlobMd5 = false;
+            }
+            this.currentBuffer = new ByteArrayInputStream(byteBuffer, 0, numBytes);
             this.bufferSize = readLength;
             this.bufferStartOffset = this.currentAbsoluteReadPosition;
         }

microsoft-azure-storage/src/com/microsoft/azure/storage/blob/CloudBlob.java

@@ -2644,7 +2644,8 @@ public final BlobInputStream openInputStream(final AccessCondition accessConditi
     }
 
     /**
-     * Opens a blob input stream to download the blob using the specified request options and operation context.
+     * Opens a blob input stream to download the blob using the specified request options and operation context. If
+     * the blob is decrypted as it is downloaded, the final MD5 validation will be skipped.
      * <p>
      * Use {@link #setStreamMinimumReadSizeInBytes(int)} to configure the read size.
      *