EncryptedInputStream fix

Author: rickle-msft

ChangeLog.txt

@@ -1,3 +1,7 @@
+XXXX.XX.XX Version X.X.X
+ * Fixed a bug in BlobInputStream that would return extra zeros at the end of the stream if the data was encrypted using client-side encryption.
+ * MD5 checks on BlobInputStream are skipped if data being downloaded is also being decrypted via client-side encryption, even if disableMd5Calculation is set to false. Previously this check would always fail as MD5 is calculated on cipher text on upload but was calculated on plaintext on download.
+
 2019.12.06 Version 8.6.0
  * Added the skipDecode flag to the generate sas method on CloudBlob. This flag allows the customer to skip the url decode that happens by default on the string to sign right before signing. This resolves some problems with custom values for some of the query parameters when used with third party clients.
 

microsoft-azure-storage-test/src/com/microsoft/azure/storage/TestHelper.java

@@ -283,10 +283,7 @@ public static void assertStreamsAreEqual(InputStream src, InputStream dst) throw
         }
 
         next = dst.read();
-        while (next != -1) {
-            assertEquals(0, next);
-            next = dst.read();
-        }
+        assertEquals(next, -1);
     }
 
     public static void assertStreamsAreEqualAtIndex(ByteArrayInputStream src, ByteArrayInputStream dst, int srcIndex,

microsoft-azure-storage/src/com/microsoft/azure/storage/blob/BlobInputStream.java

@@ -302,10 +302,19 @@ private synchronized void dispatchRead(final int readLength) throws IOException
         try {
             final byte[] byteBuffer = new byte[readLength];
 
-            this.parentBlobRef.downloadRangeInternal(this.currentAbsoluteReadPosition, (long) readLength, byteBuffer,
-                    0, this.accessCondition, this.options, this.opContext);
-
-            this.currentBuffer = new ByteArrayInputStream(byteBuffer);
+            int numBytes = this.parentBlobRef.downloadRangeInternal(this.currentAbsoluteReadPosition, (long) readLength,
+                    byteBuffer, 0, this.accessCondition, this.options, this.opContext);
+
+            /*
+            In the case of client-side decryption, we may get fewer bytes than we request at the end of the blob when
+            we remove padding. We want to ensure our data is the correct size, even in this case. Also, in this case,
+            we can no longer validate the MD5 because it was calculated on the ciphertext on upload, but this
+            inputstream calculates it on the plaintext.
+             */
+            if (numBytes < readLength && this.options.getEncryptionPolicy() != null) {
+                this.validateBlobMd5 = false;
+            }
+            this.currentBuffer = new ByteArrayInputStream(byteBuffer, 0, numBytes);
             this.bufferSize = readLength;
             this.bufferStartOffset = this.currentAbsoluteReadPosition;
         }

microsoft-azure-storage/src/com/microsoft/azure/storage/blob/CloudBlob.java

@@ -2644,7 +2644,8 @@ public final BlobInputStream openInputStream(final AccessCondition accessConditi
     }
 
     /**
-     * Opens a blob input stream to download the blob using the specified request options and operation context.
+     * Opens a blob input stream to download the blob using the specified request options and operation context. If
+     * the blob is decrypted as it is downloaded, the final MD5 validation will be skipped.
      * <p>
      * Use {@link #setStreamMinimumReadSizeInBytes(int)} to configure the read size.
      *