org.apache.hadoop.crypto.CipherOption Java Examples

Example #1
Source File: PBHelper.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Converts a {@link CipherOption} into its protobuf wire form.
 *
 * <p>Only the parts that are non-null on {@code option} are set on the
 * builder; the key and IV byte arrays are copied into {@code ByteString}s,
 * so the proto does not alias the caller's arrays.
 *
 * @param option the cipher option to convert, may be null
 * @return the converted proto, or null when {@code option} is null
 */
public static CipherOptionProto convert(CipherOption option) {
  if (option == null) {
    return null;
  }
  CipherOptionProto.Builder builder = CipherOptionProto.newBuilder();
  if (option.getCipherSuite() != null) {
    builder.setSuite(convert(option.getCipherSuite()));
  }
  byte[] inKey = option.getInKey();
  if (inKey != null) {
    builder.setInKey(ByteString.copyFrom(inKey));
  }
  byte[] inIv = option.getInIv();
  if (inIv != null) {
    builder.setInIv(ByteString.copyFrom(inIv));
  }
  byte[] outKey = option.getOutKey();
  if (outKey != null) {
    builder.setOutKey(ByteString.copyFrom(outKey));
  }
  byte[] outIv = option.getOutIv();
  if (outIv != null) {
    builder.setOutIv(ByteString.copyFrom(outIv));
  }
  return builder.build();
}
 
Example #2
Source File: DataTransferSaslUtil.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Wraps the raw connection streams in a
 * {@link org.apache.hadoop.crypto.CryptoInputStream} /
 * {@link org.apache.hadoop.crypto.CryptoOutputStream} pair keyed from the
 * negotiated cipher option.
 *
 * <p>The option carries two distinct key/IV pairs. The server reads with
 * the "in" pair and writes with the "out" pair; the client uses the mirror
 * image, so each direction of the connection has its own key/IV and the
 * two peers agree on which is which.
 *
 * @param conf the configuration
 * @param cipherOption negotiated cipher option (must not be null)
 * @param out underlying output stream
 * @param in underlying input stream
 * @param isServer true on the server side, false on the client side
 * @return IOStreamPair the encrypting/decrypting stream pair
 * @throws IOException for any error
 */
public static IOStreamPair createStreamPair(Configuration conf,
    CipherOption cipherOption, OutputStream out, InputStream in, 
    boolean isServer) throws IOException {
  if (LOG.isDebugEnabled()) {
    LOG.debug("Creating IOStreamPair of CryptoInputStream and CryptoOutputStream.");
  }
  CryptoCodec codec = CryptoCodec.getInstance(conf,
      cipherOption.getCipherSuite());
  // Select the material for each direction according to which side we are.
  byte[] readKey = isServer ? cipherOption.getInKey() : cipherOption.getOutKey();
  byte[] readIv = isServer ? cipherOption.getInIv() : cipherOption.getOutIv();
  byte[] writeKey = isServer ? cipherOption.getOutKey() : cipherOption.getInKey();
  byte[] writeIv = isServer ? cipherOption.getOutIv() : cipherOption.getInIv();
  InputStream decrypting = new CryptoInputStream(in, codec, readKey, readIv);
  OutputStream encrypting = new CryptoOutputStream(out, codec, writeKey, writeIv);
  return new IOStreamPair(decrypting, encrypting);
}
 
Example #3
Source File: DataTransferSaslUtil.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Sends a SASL message together with the (at most one) negotiated cipher
 * option to the client, as a length-delimited
 * {@code DataTransferEncryptorMessageProto} with status SUCCESS.
 *
 * @param out stream to receive the message; flushed after the write
 * @param payload SASL token to send, skipped when null
 * @param option negotiated cipher option, skipped when null
 * @throws IOException for any error
 */
public static void sendSaslMessageAndNegotiatedCipherOption(
    OutputStream out, byte[] payload, CipherOption option) 
        throws IOException {
  DataTransferEncryptorMessageProto.Builder builder =
      DataTransferEncryptorMessageProto.newBuilder()
          .setStatus(DataTransferEncryptorStatus.SUCCESS);
  if (payload != null) {
    builder.setPayload(ByteString.copyFrom(payload));
  }
  if (option != null) {
    // Callers are expected to hand over an already SASL-wrapped option when
    // privacy was negotiated; this method sends whatever it is given.
    builder.addCipherOption(PBHelper.convert(option));
  }
  builder.build().writeDelimitedTo(out);
  out.flush();
}
 
Example #4
Source File: PBHelper.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Builds the protobuf form of a {@link CipherOption}.
 *
 * <p>Null parts of the option are left unset on the proto; byte arrays
 * are copied, not aliased.
 *
 * @param option the cipher option to convert, may be null
 * @return the proto, or null when {@code option} is null
 */
public static CipherOptionProto convert(CipherOption option) {
  if (option == null) {
    return null;
  }
  CipherOptionProto.Builder b = CipherOptionProto.newBuilder();
  if (option.getCipherSuite() != null) {
    b.setSuite(convert(option.getCipherSuite()));
  }
  byte[] key = option.getInKey();
  if (key != null) {
    b.setInKey(ByteString.copyFrom(key));
  }
  byte[] iv = option.getInIv();
  if (iv != null) {
    b.setInIv(ByteString.copyFrom(iv));
  }
  key = option.getOutKey();
  if (key != null) {
    b.setOutKey(ByteString.copyFrom(key));
  }
  iv = option.getOutIv();
  if (iv != null) {
    b.setOutIv(ByteString.copyFrom(iv));
  }
  return b.build();
}
 
Example #5
Source File: DataTransferSaslUtil.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Reads a SASL negotiation message from the client and collects the cipher
 * options it offers for negotiation.
 *
 * <p>An ERROR_UNKNOWN_KEY status is surfaced as
 * {@link InvalidEncryptionKeyException}; any other ERROR status as a plain
 * {@link IOException}. In both cases the message text comes from the peer.
 *
 * @param in stream to read
 * @param cipherOptions list the offered options are appended to
 * @return byte[] SASL negotiation message
 * @throws IOException for any error, including an error status in the message
 */
public static byte[] readSaslMessageAndNegotiationCipherOptions(
    InputStream in, List<CipherOption> cipherOptions) throws IOException {
  DataTransferEncryptorMessageProto proto =
      DataTransferEncryptorMessageProto.parseFrom(vintPrefixed(in));
  DataTransferEncryptorStatus status = proto.getStatus();
  if (status == DataTransferEncryptorStatus.ERROR_UNKNOWN_KEY) {
    throw new InvalidEncryptionKeyException(proto.getMessage());
  }
  if (status == DataTransferEncryptorStatus.ERROR) {
    throw new IOException(proto.getMessage());
  }
  List<CipherOptionProto> offered = proto.getCipherOptionList();
  if (offered != null) {
    for (CipherOptionProto offeredProto : offered) {
      cipherOptions.add(PBHelper.convert(offeredProto));
    }
  }
  return proto.getPayload().toByteArray();
}
 
Example #6
Source File: PBHelper.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Converts a {@code CipherOptionProto} back into a {@link CipherOption}.
 *
 * <p>NOTE(review): the null checks on the proto getters look defensive
 * only — for proto2-generated code the getters return a default value
 * (e.g. an empty {@code ByteString}) rather than null when a field is
 * unset, so an absent key would come back as an empty array, not null.
 * Confirm against the generated {@code has*()} accessors if null is
 * required by callers.
 *
 * @param proto the proto to convert, may be null
 * @return the cipher option, or null when {@code proto} is null
 */
public static CipherOption convert(CipherOptionProto proto) {
  if (proto == null) {
    return null;
  }
  CipherSuite suite = proto.getSuite() != null ? convert(proto.getSuite()) : null;
  byte[] inKey = proto.getInKey() != null ? proto.getInKey().toByteArray() : null;
  byte[] inIv = proto.getInIv() != null ? proto.getInIv().toByteArray() : null;
  byte[] outKey = proto.getOutKey() != null ? proto.getOutKey().toByteArray() : null;
  byte[] outIv = proto.getOutIv() != null ? proto.getOutIv().toByteArray() : null;
  return new CipherOption(suite, inKey, inIv, outKey, outIv);
}
 
Example #7
Source File: DataTransferSaslUtil.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Sends a SASL negotiation message and the cipher options the client is
 * willing to use to the server, as a length-delimited
 * {@code DataTransferEncryptorMessageProto} with status SUCCESS.
 *
 * @param out stream to receive the message; flushed after the write
 * @param payload SASL token to send, skipped when null
 * @param options cipher options to offer, skipped when null
 * @throws IOException for any error
 */
public static void sendSaslMessageAndNegotiationCipherOptions(
    OutputStream out, byte[] payload, List<CipherOption> options)
        throws IOException {
  DataTransferEncryptorMessageProto.Builder builder =
      DataTransferEncryptorMessageProto.newBuilder()
          .setStatus(DataTransferEncryptorStatus.SUCCESS);
  if (payload != null) {
    builder.setPayload(ByteString.copyFrom(payload));
  }
  if (options != null) {
    builder.addAllCipherOption(PBHelper.convertCipherOptions(options));
  }
  builder.build().writeDelimitedTo(out);
  out.flush();
}
 
Example #8
Source File: DataTransferSaslUtil.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Reads the server's SASL message and the cipher option it negotiated.
 *
 * <p>Only the first cipher option in the message is honoured; any further
 * entries are ignored. An ERROR_UNKNOWN_KEY status becomes an
 * {@link InvalidEncryptionKeyException}, any other ERROR status a plain
 * {@link IOException}, with the message text taken from the peer.
 *
 * @param in stream to read
 * @return SaslResponseWithNegotiatedCipherOption SASL message and
 * negotiated cipher option (the option is null when none was sent)
 * @throws IOException for any error, including an error status in the message
 */
public static SaslResponseWithNegotiatedCipherOption
    readSaslMessageAndNegotiatedCipherOption(InputStream in)
        throws IOException {
  DataTransferEncryptorMessageProto proto =
      DataTransferEncryptorMessageProto.parseFrom(vintPrefixed(in));
  DataTransferEncryptorStatus status = proto.getStatus();
  if (status == DataTransferEncryptorStatus.ERROR_UNKNOWN_KEY) {
    throw new InvalidEncryptionKeyException(proto.getMessage());
  }
  if (status == DataTransferEncryptorStatus.ERROR) {
    throw new IOException(proto.getMessage());
  }
  List<CipherOption> options = PBHelper.convertCipherOptionProtos(
      proto.getCipherOptionList());
  CipherOption negotiated =
      (options == null || options.isEmpty()) ? null : options.get(0);
  return new SaslResponseWithNegotiatedCipherOption(
      proto.getPayload().toByteArray(), negotiated);
}
 
Example #9
Source File: DataTransferSaslUtil.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Protects the keys of a negotiated cipher option with the SASL layer
 * before it is sent to the client.
 *
 * <p>Only the two keys are wrapped; the IVs are not secret and pass
 * through unchanged. The wrapping is only meaningful when the SASL
 * negotiation established a privacy (auth-conf) QOP, which the server-side
 * handshake checks before it negotiates a cipher option at all.
 *
 * @param option negotiated cipher option, may be null
 * @param sasl SASL participant representing server
 * @return CipherOption negotiated cipher option which contains the
 * wrapped keys, or null when {@code option} is null
 * @throws IOException for any error
 */
public static CipherOption wrap(CipherOption option, SaslParticipant sasl) 
    throws IOException {
  if (option == null) {
    return null;
  }
  byte[] inKey = option.getInKey();
  byte[] outKey = option.getOutKey();
  byte[] wrappedInKey =
      inKey == null ? null : sasl.wrap(inKey, 0, inKey.length);
  byte[] wrappedOutKey =
      outKey == null ? null : sasl.wrap(outKey, 0, outKey.length);
  return new CipherOption(option.getCipherSuite(), wrappedInKey,
      option.getInIv(), wrappedOutKey, option.getOutIv());
}
 
Example #10
Source File: PBHelper.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Rebuilds a {@link CipherOption} from its protobuf form.
 *
 * <p>NOTE(review): the null checks on the getters appear to be defensive
 * only — proto2-generated getters return a default (an empty
 * {@code ByteString}) rather than null for an unset field, so an absent
 * key would come back as an empty array. Confirm against the generated
 * {@code has*()} accessors if callers rely on null.
 *
 * @param proto the proto to convert, may be null
 * @return the cipher option, or null when {@code proto} is null
 */
public static CipherOption convert(CipherOptionProto proto) {
  if (proto == null) {
    return null;
  }
  CipherSuite suite = null;
  if (proto.getSuite() != null) {
    suite = convert(proto.getSuite());
  }
  byte[] inKey = proto.getInKey() == null ? null : proto.getInKey().toByteArray();
  byte[] inIv = proto.getInIv() == null ? null : proto.getInIv().toByteArray();
  byte[] outKey = proto.getOutKey() == null ? null : proto.getOutKey().toByteArray();
  byte[] outIv = proto.getOutIv() == null ? null : proto.getOutIv().toByteArray();
  return new CipherOption(suite, inKey, inIv, outKey, outIv);
}
 
Example #11
Source File: DataTransferSaslUtil.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Recovers the keys of a negotiated cipher option that the server wrapped
 * with the SASL layer.
 *
 * <p>Only the two keys are unwrapped; the IVs are copied through as
 * received. This is the client-side counterpart of {@code wrap}.
 *
 * @param option negotiated cipher option, may be null
 * @param sasl SASL participant representing client
 * @return CipherOption negotiated cipher option which contains the
 * unwrapped keys, or null when {@code option} is null
 * @throws IOException for any error
 */
public static CipherOption unwrap(CipherOption option, SaslParticipant sasl)
    throws IOException {
  if (option == null) {
    return null;
  }
  byte[] inKey = option.getInKey();
  byte[] outKey = option.getOutKey();
  byte[] plainInKey =
      inKey == null ? null : sasl.unwrap(inKey, 0, inKey.length);
  byte[] plainOutKey =
      outKey == null ? null : sasl.unwrap(outKey, 0, outKey.length);
  return new CipherOption(option.getCipherSuite(), plainInKey,
      option.getInIv(), plainOutKey, option.getOutIv());
}
 
Example #12
Source File: DataTransferSaslUtil.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Protects the keys of a negotiated cipher option with the SASL layer
 * before sending it to the client.
 *
 * <p>Only the two keys are wrapped; the IVs are not secret and are passed
 * through unchanged. The server-side handshake only negotiates a cipher
 * option once a privacy QOP has been established, so the wrap actually
 * encrypts the keys on the wire.
 *
 * @param option negotiated cipher option, may be null
 * @param sasl SASL participant representing server
 * @return CipherOption negotiated cipher option which contains the
 * wrapped keys, or null when {@code option} is null
 * @throws IOException for any error
 */
public static CipherOption wrap(CipherOption option, SaslParticipant sasl) 
    throws IOException {
  if (option == null) {
    return null;
  }
  byte[] inKey = option.getInKey();
  if (inKey != null) {
    inKey = sasl.wrap(inKey, 0, inKey.length);
  }
  byte[] outKey = option.getOutKey();
  if (outKey != null) {
    outKey = sasl.wrap(outKey, 0, outKey.length);
  }
  return new CipherOption(option.getCipherSuite(), inKey, option.getInIv(),
      outKey, option.getOutIv());
}
 
Example #13
Source File: DataTransferSaslUtil.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Reads the server's SASL message and the cipher option it negotiated.
 *
 * <p>Only the first cipher option in the message is used. An
 * ERROR_UNKNOWN_KEY status is raised as {@link InvalidEncryptionKeyException}
 * and any other ERROR status as {@link IOException}; the message text in
 * both cases is supplied by the peer.
 *
 * @param in stream to read
 * @return SaslResponseWithNegotiatedCipherOption SASL message and
 * negotiated cipher option (null option when none was sent)
 * @throws IOException for any error, including an error status in the message
 */
public static SaslResponseWithNegotiatedCipherOption
    readSaslMessageAndNegotiatedCipherOption(InputStream in)
        throws IOException {
  DataTransferEncryptorMessageProto proto =
      DataTransferEncryptorMessageProto.parseFrom(vintPrefixed(in));
  if (proto.getStatus() == DataTransferEncryptorStatus.ERROR_UNKNOWN_KEY) {
    throw new InvalidEncryptionKeyException(proto.getMessage());
  }
  if (proto.getStatus() == DataTransferEncryptorStatus.ERROR) {
    throw new IOException(proto.getMessage());
  }
  byte[] response = proto.getPayload().toByteArray();
  List<CipherOption> options = PBHelper.convertCipherOptionProtos(
      proto.getCipherOptionList());
  boolean hasOption = options != null && !options.isEmpty();
  return new SaslResponseWithNegotiatedCipherOption(response,
      hasOption ? options.get(0) : null);
}
 
Example #14
Source File: DataTransferSaslUtil.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Sends a SASL negotiation message plus the client's acceptable cipher
 * options to the server as one length-delimited
 * {@code DataTransferEncryptorMessageProto} with status SUCCESS.
 *
 * @param out stream to receive the message; flushed after the write
 * @param payload SASL token to send, skipped when null
 * @param options cipher options to negotiate, skipped when null
 * @throws IOException for any error
 */
public static void sendSaslMessageAndNegotiationCipherOptions(
    OutputStream out, byte[] payload, List<CipherOption> options)
        throws IOException {
  DataTransferEncryptorMessageProto.Builder msg =
      DataTransferEncryptorMessageProto.newBuilder();
  msg.setStatus(DataTransferEncryptorStatus.SUCCESS);
  if (payload != null) {
    msg.setPayload(ByteString.copyFrom(payload));
  }
  if (options != null) {
    msg.addAllCipherOption(PBHelper.convertCipherOptions(options));
  }
  msg.build().writeDelimitedTo(out);
  out.flush();
}
 
Example #15
Source File: DataTransferSaslUtil.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Layers a {@link org.apache.hadoop.crypto.CryptoInputStream} and
 * {@link org.apache.hadoop.crypto.CryptoOutputStream} over the raw
 * connection streams using the negotiated cipher option.
 *
 * <p>Each direction has its own key/IV pair: the server reads with the
 * "in" pair and writes with the "out" pair, the client the other way
 * round, so the two sides agree and no key/IV is shared across directions.
 *
 * @param conf the configuration
 * @param cipherOption negotiated cipher option (must not be null)
 * @param out underlying output stream
 * @param in underlying input stream
 * @param isServer true on the server side, false on the client side
 * @return IOStreamPair the stream pair
 * @throws IOException for any error
 */
public static IOStreamPair createStreamPair(Configuration conf,
    CipherOption cipherOption, OutputStream out, InputStream in, 
    boolean isServer) throws IOException {
  if (LOG.isDebugEnabled()) {
    LOG.debug("Creating IOStreamPair of CryptoInputStream and CryptoOutputStream.");
  }
  CryptoCodec codec = CryptoCodec.getInstance(conf,
      cipherOption.getCipherSuite());
  byte[] readKey;
  byte[] readIv;
  byte[] writeKey;
  byte[] writeIv;
  if (isServer) {
    readKey = cipherOption.getInKey();
    readIv = cipherOption.getInIv();
    writeKey = cipherOption.getOutKey();
    writeIv = cipherOption.getOutIv();
  } else {
    readKey = cipherOption.getOutKey();
    readIv = cipherOption.getOutIv();
    writeKey = cipherOption.getInKey();
    writeIv = cipherOption.getInIv();
  }
  return new IOStreamPair(
      new CryptoInputStream(in, codec, readKey, readIv),
      new CryptoOutputStream(out, codec, writeKey, writeIv));
}
 
Example #16
Source File: DataTransferSaslUtil.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Sends a SASL message and the single negotiated cipher option to the
 * client as a length-delimited {@code DataTransferEncryptorMessageProto}
 * with status SUCCESS.
 *
 * @param out stream to receive the message; flushed after the write
 * @param payload SASL token to send, skipped when null
 * @param option negotiated cipher option, skipped when null; expected to be
 * already SASL-wrapped by the caller when privacy was negotiated
 * @throws IOException for any error
 */
public static void sendSaslMessageAndNegotiatedCipherOption(
    OutputStream out, byte[] payload, CipherOption option) 
        throws IOException {
  DataTransferEncryptorMessageProto.Builder msg =
      DataTransferEncryptorMessageProto.newBuilder();
  msg.setStatus(DataTransferEncryptorStatus.SUCCESS);
  if (payload != null) {
    msg.setPayload(ByteString.copyFrom(payload));
  }
  if (option != null) {
    msg.addCipherOption(PBHelper.convert(option));
  }
  msg.build().writeDelimitedTo(out);
  out.flush();
}
 
Example #17
Source File: FanOutOneBlockAsyncDFSOutputSaslHelper.java    From hbase with Apache License 2.0 6 votes vote down vote up
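/**
 * Serializes a SASL negotiation message (plus any cipher options to offer)
 * into an exactly-sized, length-delimited buffer and queues it on the
 * channel.
 *
 * <p>The buffer is reference-counted. Ownership passes to the channel only
 * on a successful {@code ctx.write(buf)}, so if serialization into the
 * buffer fails the buffer is released here instead of leaking.
 *
 * @param ctx channel context used to allocate the buffer and write it
 * @param payload SASL token to send, skipped when null
 * @param options cipher options to offer, skipped when null
 * @throws IOException if the proto cannot be written into the buffer
 */
private void sendSaslMessage(ChannelHandlerContext ctx, byte[] payload,
    List<CipherOption> options) throws IOException {
  DataTransferEncryptorMessageProto.Builder builder =
      DataTransferEncryptorMessageProto.newBuilder();
  builder.setStatus(DataTransferEncryptorStatus.SUCCESS);
  if (payload != null) {
    BuilderPayloadSetter.wrapAndSetPayload(builder, payload);
  }
  if (options != null) {
    builder.addAllCipherOption(PBHelperClient.convertCipherOptions(options));
  }
  DataTransferEncryptorMessageProto proto = builder.build();
  // Message bytes plus the varint length prefix written by writeDelimitedTo.
  int size = proto.getSerializedSize();
  size += CodedOutputStream.computeRawVarint32Size(size);
  ByteBuf buf = ctx.alloc().buffer(size);
  try {
    proto.writeDelimitedTo(new ByteBufOutputStream(buf));
  } catch (IOException | RuntimeException e) {
    // Nothing else holds a reference yet; drop ours so the buffer is freed.
    buf.release();
    throw e;
  }
  ctx.write(buf);
}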
 
Example #18
Source File: DataTransferSaslUtil.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Reads a SASL negotiation message from the client and appends the cipher
 * options it offers to {@code cipherOptions}.
 *
 * <p>ERROR_UNKNOWN_KEY is reported as {@link InvalidEncryptionKeyException},
 * any other ERROR status as {@link IOException}; the message text is the
 * peer's.
 *
 * @param in stream to read
 * @param cipherOptions list the offered options are appended to
 * @return byte[] SASL negotiation message
 * @throws IOException for any error, including an error status in the message
 */
public static byte[] readSaslMessageAndNegotiationCipherOptions(
    InputStream in, List<CipherOption> cipherOptions) throws IOException {
  DataTransferEncryptorMessageProto proto =
      DataTransferEncryptorMessageProto.parseFrom(vintPrefixed(in));
  if (proto.getStatus() == DataTransferEncryptorStatus.ERROR_UNKNOWN_KEY) {
    throw new InvalidEncryptionKeyException(proto.getMessage());
  }
  if (proto.getStatus() == DataTransferEncryptorStatus.ERROR) {
    throw new IOException(proto.getMessage());
  }
  List<CipherOptionProto> offered = proto.getCipherOptionList();
  if (offered != null) {
    for (CipherOptionProto offeredProto : offered) {
      cipherOptions.add(PBHelper.convert(offeredProto));
    }
  }
  return proto.getPayload().toByteArray();
}
 
Example #19
Source File: DataTransferSaslUtil.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Recovers the keys of a cipher option that the server wrapped with the
 * SASL layer; client-side counterpart of {@code wrap}.
 *
 * <p>Only the keys are unwrapped; the IVs are taken as received.
 *
 * @param option negotiated cipher option, may be null
 * @param sasl SASL participant representing client
 * @return CipherOption negotiated cipher option which contains the
 * unwrapped keys, or null when {@code option} is null
 * @throws IOException for any error
 */
public static CipherOption unwrap(CipherOption option, SaslParticipant sasl)
    throws IOException {
  if (option == null) {
    return null;
  }
  byte[] inKey = option.getInKey();
  if (inKey != null) {
    inKey = sasl.unwrap(inKey, 0, inKey.length);
  }
  byte[] outKey = option.getOutKey();
  if (outKey != null) {
    outKey = sasl.unwrap(outKey, 0, outKey.length);
  }
  return new CipherOption(option.getCipherSuite(), inKey, option.getInIv(),
      outKey, option.getOutIv());
}
 
Example #20
Source File: FanOutOneBlockAsyncDFSOutputSaslHelper.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Builds the list of cipher options this client will offer during SASL
 * negotiation, from the configured cipher suite.
 *
 * <p>Currently the only supported suite is AES/CTR/NoPadding; the protocol
 * allows several, so a list is returned for future expansion.
 *
 * @return a single-element list with the AES/CTR/NoPadding option, or null
 * when no cipher suite is configured
 * @throws IOException when the configured value names any other suite
 */
private List<CipherOption> getCipherOptions() throws IOException {
  String cipherSuites = conf.get(DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY);
  if (StringUtils.isBlank(cipherSuites)) {
    return null;
  }
  String supportedSuite = CipherSuite.AES_CTR_NOPADDING.getName();
  if (!supportedSuite.equals(cipherSuites)) {
    throw new IOException(String.format("Invalid cipher suite, %s=%s",
      DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY, cipherSuites));
  }
  CipherOption aesCtr = new CipherOption(CipherSuite.AES_CTR_NOPADDING);
  return Collections.singletonList(aesCtr);
}
 
Example #21
Source File: PBHelper.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Converts a list of {@link CipherOption}s to their protobuf form, in order.
 *
 * @param options the options to convert, may be null
 * @return a new list of protos, or null when {@code options} is null
 */
public static List<CipherOptionProto> convertCipherOptions(
    List<CipherOption> options) {
  if (options == null) {
    return null;
  }
  List<CipherOptionProto> converted =
      Lists.newArrayListWithCapacity(options.size());
  for (CipherOption candidate : options) {
    converted.add(convert(candidate));
  }
  return converted;
}
 
Example #22
Source File: PBHelper.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Converts a list of {@code CipherOptionProto}s back to
 * {@link CipherOption}s, in order.
 *
 * @param protos the protos to convert, may be null
 * @return a new list of options, or null when {@code protos} is null
 */
public static List<CipherOption> convertCipherOptionProtos(
    List<CipherOptionProto> protos) {
  if (protos == null) {
    return null;
  }
  List<CipherOption> converted =
      Lists.newArrayListWithCapacity(protos.size());
  for (CipherOptionProto candidate : protos) {
    converted.add(convert(candidate));
  }
  return converted;
}
 
Example #23
Source File: FanOutOneBlockAsyncDFSOutputSaslHelper.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Extracts the cipher option the server negotiated from its SASL reply.
 *
 * <p>Only the first option in the message is used. When a privacy QOP was
 * negotiated the server wrapped the keys with SASL, so they are unwrapped
 * here; otherwise the option is returned as received.
 *
 * @param proto the server's reply
 * @param isNegotiatedQopPrivacy whether SASL negotiated auth-conf
 * @param saslClient the SASL client used to unwrap the keys
 * @return the negotiated option, or null when the reply carried none
 * @throws IOException if unwrapping fails
 */
private CipherOption getCipherOption(DataTransferEncryptorMessageProto proto,
    boolean isNegotiatedQopPrivacy, SaslClient saslClient) throws IOException {
  List<CipherOption> cipherOptions =
      PBHelperClient.convertCipherOptionProtos(proto.getCipherOptionList());
  if (cipherOptions != null && !cipherOptions.isEmpty()) {
    CipherOption negotiated = cipherOptions.get(0);
    if (isNegotiatedQopPrivacy) {
      return unwrap(negotiated, saslClient);
    }
    return negotiated;
  }
  return null;
}
 
Example #24
Source File: FanOutOneBlockAsyncDFSOutputSaslHelper.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Unwraps the SASL-protected keys of a cipher option received from the
 * server; the IVs are passed through unchanged.
 *
 * @param option the option whose keys are wrapped (must not be null)
 * @param saslClient the SASL client that negotiated the session
 * @return a new option with plain keys and the original suite and IVs
 * @throws IOException if unwrapping fails
 */
private CipherOption unwrap(CipherOption option, SaslClient saslClient) throws IOException {
  byte[] inKey = option.getInKey();
  byte[] outKey = option.getOutKey();
  byte[] plainInKey =
      inKey == null ? null : saslClient.unwrap(inKey, 0, inKey.length);
  byte[] plainOutKey =
      outKey == null ? null : saslClient.unwrap(outKey, 0, outKey.length);
  return new CipherOption(option.getCipherSuite(), plainInKey,
      option.getInIv(), plainOutKey, option.getOutIv());
}
 
Example #25
Source File: DataTransferSaslUtil.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Picks the cipher option the server will use from the ones the client
 * offered, and generates fresh keys and IVs for it.
 *
 * <p>Currently the only supported suite is AES/CTR/NoPadding, but the
 * protocol allows several for future expansion. Two independent key/IV
 * pairs (one per direction) are drawn from the codec's secure random
 * source; the key length comes from the configured bit length.
 *
 * <p>NOTE(review): the codec obtained here is used only for random
 * generation and is not closed; confirm whether the codec implementation
 * in use holds resources that need releasing.
 *
 * @param conf the configuration
 * @param options the cipher options which client supports, may be null
 * @return CipherOption negotiated cipher option, or null when no cipher
 * suite is configured or the client offered no supported suite
 * @throws IOException when the configured suite is not AES/CTR/NoPadding
 */
public static CipherOption negotiateCipherOption(Configuration conf,
    List<CipherOption> options) throws IOException {
  String cipherSuites = conf.get(DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY);
  if (cipherSuites == null || cipherSuites.isEmpty()) {
    return null;
  }
  if (!cipherSuites.equals(CipherSuite.AES_CTR_NOPADDING.getName())) {
    throw new IOException(String.format("Invalid cipher suite, %s=%s",
        DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY, cipherSuites));
  }
  if (options == null) {
    return null;
  }
  for (CipherOption offered : options) {
    CipherSuite suite = offered.getCipherSuite();
    if (suite != CipherSuite.AES_CTR_NOPADDING) {
      continue;
    }
    int keyLen = conf.getInt(
        DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_KEY,
        DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_DEFAULT) / 8;
    int ivLen = suite.getAlgorithmBlockSize();
    CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
    byte[] inKey = new byte[keyLen];
    byte[] inIv = new byte[ivLen];
    byte[] outKey = new byte[keyLen];
    byte[] outIv = new byte[ivLen];
    codec.generateSecureRandom(inKey);
    codec.generateSecureRandom(inIv);
    codec.generateSecureRandom(outKey);
    codec.generateSecureRandom(outIv);
    return new CipherOption(suite, inKey, inIv, outKey, outIv);
  }
  return null;
}
 
Example #26
Source File: PBHelper.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Converts {@code CipherOptionProto}s back to {@link CipherOption}s,
 * preserving order.
 *
 * @param protos the protos to convert, may be null
 * @return a new list of options, or null when {@code protos} is null
 */
public static List<CipherOption> convertCipherOptionProtos(
    List<CipherOptionProto> protos) {
  if (protos == null) {
    return null;
  }
  List<CipherOption> result = Lists.newArrayListWithCapacity(protos.size());
  for (CipherOptionProto each : protos) {
    result.add(convert(each));
  }
  return result;
}
 
Example #27
Source File: PBHelper.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Converts {@link CipherOption}s to their protobuf form, preserving order.
 *
 * @param options the options to convert, may be null
 * @return a new list of protos, or null when {@code options} is null
 */
public static List<CipherOptionProto> convertCipherOptions(
    List<CipherOption> options) {
  if (options == null) {
    return null;
  }
  List<CipherOptionProto> result = Lists.newArrayListWithCapacity(options.size());
  for (CipherOption each : options) {
    result.add(convert(each));
  }
  return result;
}
 
Example #28
Source File: DataTransferSaslUtil.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Chooses the cipher option the server will use from those the client
 * offered and generates fresh key/IV material for it.
 *
 * <p>Only AES/CTR/NoPadding is supported today, but the protocol allows
 * several suites for future expansion. Separate key/IV pairs are generated
 * for each direction from the codec's secure random source; the key size
 * is derived from the configured bit length.
 *
 * <p>NOTE(review): the codec is used only as a random source and is not
 * closed here; confirm whether the configured codec holds resources.
 *
 * @param conf the configuration
 * @param options the cipher options which client supports, may be null
 * @return CipherOption negotiated cipher option, or null when no suite is
 * configured or the client offered no supported suite
 * @throws IOException when the configured suite is not AES/CTR/NoPadding
 */
public static CipherOption negotiateCipherOption(Configuration conf,
    List<CipherOption> options) throws IOException {
  String cipherSuites = conf.get(DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY);
  if (cipherSuites == null || cipherSuites.isEmpty()) {
    return null;
  }
  if (!cipherSuites.equals(CipherSuite.AES_CTR_NOPADDING.getName())) {
    throw new IOException(String.format("Invalid cipher suite, %s=%s",
        DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY, cipherSuites));
  }
  if (options == null) {
    return null;
  }
  for (CipherOption offered : options) {
    CipherSuite suite = offered.getCipherSuite();
    if (suite == CipherSuite.AES_CTR_NOPADDING) {
      int keyLen = conf.getInt(
          DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_KEY,
          DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_DEFAULT) / 8;
      int blockSize = suite.getAlgorithmBlockSize();
      CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
      byte[] inKey = new byte[keyLen];
      byte[] inIv = new byte[blockSize];
      byte[] outKey = new byte[keyLen];
      byte[] outIv = new byte[blockSize];
      codec.generateSecureRandom(inKey);
      codec.generateSecureRandom(inIv);
      codec.generateSecureRandom(outKey);
      codec.generateSecureRandom(outIv);
      return new CipherOption(suite, inKey, inIv, outKey, outIv);
    }
  }
  return null;
}
 
Example #29
Source File: SaslDataTransferServer.java    From big-c with Apache License 2.0 4 votes vote down vote up
/**
 * This method actually executes the server-side SASL handshake.
 *
 * <p>Sequence: verify the transfer magic number, exchange two SASL rounds
 * (the second one also carrying the client's offered cipher options), check
 * that the negotiation completed, and — only if a privacy QOP was
 * negotiated — pick a cipher option and send it back with its keys wrapped
 * by SASL. The returned streams are either CryptoInputStream/OutputStream
 * layered directly on the raw connection streams (when a cipher option was
 * negotiated) or the SASL-wrapped streams.
 *
 * <p>Any IOException raised inside the handshake is reported to the peer as
 * a SASL error message before being rethrown; note that the exception's
 * message text is sent to the remote client.
 *
 * @param underlyingOut connection output stream
 * @param underlyingIn connection input stream
 * @param saslProps properties of SASL negotiation
 * @param callbackHandler for responding to SASL callbacks
 * @return new pair of streams, wrapped after SASL negotiation
 * @throws IOException for any error
 */
private IOStreamPair doSaslHandshake(OutputStream underlyingOut,
    InputStream underlyingIn, Map<String, String> saslProps,
    CallbackHandler callbackHandler) throws IOException {

  DataInputStream in = new DataInputStream(underlyingIn);
  DataOutputStream out = new DataOutputStream(underlyingOut);

  SaslParticipant sasl = SaslParticipant.createServerSaslParticipant(saslProps,
    callbackHandler);

  // The magic number is checked before the try block: a peer that does not
  // speak the SASL transfer protocol gets the exception without a SASL
  // error reply being written to it.
  int magicNumber = in.readInt();
  if (magicNumber != SASL_TRANSFER_MAGIC_NUMBER) {
    throw new InvalidMagicNumberException(magicNumber, 
        dnConf.getEncryptDataTransfer());
  }
  try {
    // step 1
    byte[] remoteResponse = readSaslMessage(in);
    byte[] localResponse = sasl.evaluateChallengeOrResponse(remoteResponse);
    sendSaslMessage(out, localResponse);

    // step 2 (server-side only)
    // The client's offered cipher options ride along with its second
    // SASL message and are collected into cipherOptions.
    List<CipherOption> cipherOptions = Lists.newArrayList();
    remoteResponse = readSaslMessageAndNegotiationCipherOptions(
        in, cipherOptions);
    localResponse = sasl.evaluateChallengeOrResponse(remoteResponse);

    // SASL handshake is complete
    // NOTE(review): presumably validates the negotiated QOP against
    // saslProps — confirm in checkSaslComplete.
    checkSaslComplete(sasl, saslProps);

    // A cipher option is only negotiated (and therefore only sent) when
    // SASL established privacy, so the keys below travel inside a
    // confidentiality-protected wrap.
    CipherOption cipherOption = null;
    if (sasl.isNegotiatedQopPrivacy()) {
      // Negotiate a cipher option
      cipherOption = negotiateCipherOption(dnConf.getConf(), cipherOptions);
      if (cipherOption != null) {
        if (LOG.isDebugEnabled()) {
          LOG.debug("Server using cipher suite " + 
              cipherOption.getCipherSuite().getName());
        }
      }
    }

    // If negotiated cipher option is not null, wrap it before sending.
    // wrap() tolerates a null option and returns null.
    sendSaslMessageAndNegotiatedCipherOption(out, localResponse, 
        wrap(cipherOption, sasl));

    // If negotiated cipher option is not null, we will use it to create 
    // stream pair.
    // In that case the crypto streams sit directly on the underlying
    // streams (bypassing the SASL wrapping layer); otherwise SASL provides
    // the wrapped stream pair.
    return cipherOption != null ? createStreamPair(
        dnConf.getConf(), cipherOption, underlyingOut, underlyingIn, true) : 
          sasl.createStreamPair(out, in);
  } catch (IOException ioe) {
    if (ioe instanceof SaslException &&
        ioe.getCause() != null &&
        ioe.getCause() instanceof InvalidEncryptionKeyException) {
      // This could just be because the client is long-lived and hasn't gotten
      // a new encryption key from the NN in a while. Upon receiving this
      // error, the client will get a new encryption key from the NN and retry
      // connecting to this DN.
      sendInvalidKeySaslErrorMessage(out, ioe.getCause().getMessage());
    } else {
      // The exception message is disclosed to the remote peer here.
      sendGenericSaslErrorMessage(out, ioe.getMessage());
    }
    throw ioe;
  }
}
 
Example #30
Source File: SaslResponseWithNegotiatedCipherOption.java    From big-c with Apache License 2.0 4 votes vote down vote up
/**
 * Pairs a SASL response token with the cipher option the server negotiated.
 *
 * <p>Both references are stored as given: the payload array is not
 * defensively copied and the option may be null when none was negotiated.
 *
 * @param payload the SASL response token
 * @param cipherOption the negotiated cipher option, or null
 */
public SaslResponseWithNegotiatedCipherOption(byte[] payload, 
    CipherOption cipherOption) {
  this.cipherOption = cipherOption;
  this.payload = payload;
}