Java Code Examples for org.apache.hadoop.crypto.CryptoCodec

The following examples show how to use org.apache.hadoop.crypto.CryptoCodec. These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source Project: hadoop-ozone   Source File: OzoneKMSUtil.java    License: Apache License 2.0 6 votes vote down vote up
public static CryptoCodec getCryptoCodec(ConfigurationSource conf,
    FileEncryptionInfo feInfo) throws IOException {
  CipherSuite suite = feInfo.getCipherSuite();
  if (suite.equals(CipherSuite.UNKNOWN)) {
    throw new IOException("NameNode specified unknown CipherSuite with ID " +
            suite.getUnknownValue() + ", cannot instantiate CryptoCodec.");
  } else {
    Configuration hadoopConfig =
        LegacyHadoopConfigurationSource.asHadoopConfiguration(conf);
    CryptoCodec codec = CryptoCodec.getInstance(hadoopConfig, suite);
    if (codec == null) {
      throw new OMException("No configuration found for the cipher suite " +
              suite.getConfigSuffix() + " prefixed with " +
              "hadoop.security.crypto.codec.classes. Please see the" +
              " example configuration hadoop.security.crypto.codec.classes." +
              "EXAMPLE CIPHER SUITE at core-default.xml for details.",
              OMException.ResultCodes.UNKNOWN_CIPHER_SUITE);
    } else {
      return codec;
    }
  }
}
 
Example 2
Source Project: hadoop   Source File: CryptoUtils.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Wraps a given FSDataOutputStream with a CryptoOutputStream. The size of the
 * data buffer required for the stream is specified by the
 * "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration
 * variable.
 * 
 * @param conf
 * @param out
 * @return FSDataOutputStream
 * @throws IOException
 */
public static FSDataOutputStream wrapIfNecessary(Configuration conf,
    FSDataOutputStream out) throws IOException {
  if (isEncryptedSpillEnabled(conf)) {
    out.write(ByteBuffer.allocate(8).putLong(out.getPos()).array());
    byte[] iv = createIV(conf);
    out.write(iv);
    if (LOG.isDebugEnabled()) {
      LOG.debug("IV written to Stream ["
          + Base64.encodeBase64URLSafeString(iv) + "]");
    }
    return new CryptoFSDataOutputStream(out, CryptoCodec.getInstance(conf),
        getBufferSize(conf), getEncryptionKey(), iv);
  } else {
    return out;
  }
}
 
Example 3
Source Project: hadoop   Source File: CryptoUtils.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Wraps a given InputStream with a CryptoInputStream. The size of the data
 * buffer required for the stream is specified by the
 * "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration
 * variable.
 * 
 * If the value of 'length' is > -1, The InputStream is additionally
 * wrapped in a LimitInputStream. CryptoStreams are late buffering in nature.
 * This means they will always try to read ahead if they can. The
 * LimitInputStream will ensure that the CryptoStream does not read past the
 * provided length from the given Input Stream.
 * 
 * @param conf
 * @param in
 * @param length
 * @return InputStream
 * @throws IOException
 */
public static InputStream wrapIfNecessary(Configuration conf, InputStream in,
    long length) throws IOException {
  if (isEncryptedSpillEnabled(conf)) {
    int bufferSize = getBufferSize(conf);
    if (length > -1) {
      in = new LimitInputStream(in, length);
    }
    byte[] offsetArray = new byte[8];
    IOUtils.readFully(in, offsetArray, 0, 8);
    long offset = ByteBuffer.wrap(offsetArray).getLong();
    CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf);
    byte[] iv = 
        new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()];
    IOUtils.readFully(in, iv, 0, 
        cryptoCodec.getCipherSuite().getAlgorithmBlockSize());
    if (LOG.isDebugEnabled()) {
      LOG.debug("IV read from ["
          + Base64.encodeBase64URLSafeString(iv) + "]");
    }
    return new CryptoInputStream(in, cryptoCodec, bufferSize,
        getEncryptionKey(), iv, offset + cryptoPadding(conf));
  } else {
    return in;
  }
}
 
Example 4
Source Project: hadoop   Source File: CryptoUtils.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Wraps a given FSDataInputStream with a CryptoInputStream. The size of the
 * data buffer required for the stream is specified by the
 * "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration
 * variable.
 * 
 * @param conf
 * @param in
 * @return FSDataInputStream
 * @throws IOException
 */
public static FSDataInputStream wrapIfNecessary(Configuration conf,
    FSDataInputStream in) throws IOException {
  if (isEncryptedSpillEnabled(conf)) {
    CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf);
    int bufferSize = getBufferSize(conf);
    // Not going to be used... but still has to be read...
    // Since the O/P stream always writes it..
    IOUtils.readFully(in, new byte[8], 0, 8);
    byte[] iv = 
        new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()];
    IOUtils.readFully(in, iv, 0, 
        cryptoCodec.getCipherSuite().getAlgorithmBlockSize());
    if (LOG.isDebugEnabled()) {
      LOG.debug("IV read from Stream ["
          + Base64.encodeBase64URLSafeString(iv) + "]");
    }
    return new CryptoFSDataInputStream(in, cryptoCodec, bufferSize,
        getEncryptionKey(), iv);
  } else {
    return in;
  }
}
 
Example 5
Source Project: hadoop   Source File: DataTransferSaslUtil.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Create IOStreamPair of {@link org.apache.hadoop.crypto.CryptoInputStream}
 * and {@link org.apache.hadoop.crypto.CryptoOutputStream}
 * 
 * @param conf the configuration
 * @param cipherOption negotiated cipher option
 * @param out underlying output stream
 * @param in underlying input stream
 * @param isServer is server side
 * @return IOStreamPair the stream pair
 * @throws IOException for any error
 */
public static IOStreamPair createStreamPair(Configuration conf,
    CipherOption cipherOption, OutputStream out, InputStream in, 
    boolean isServer) throws IOException {
  if (LOG.isDebugEnabled()) {
    LOG.debug("Creating IOStreamPair of CryptoInputStream and " +
        "CryptoOutputStream.");
  }
  CryptoCodec codec = CryptoCodec.getInstance(conf, 
      cipherOption.getCipherSuite());
  byte[] inKey = cipherOption.getInKey();
  byte[] inIv = cipherOption.getInIv();
  byte[] outKey = cipherOption.getOutKey();
  byte[] outIv = cipherOption.getOutIv();
  InputStream cIn = new CryptoInputStream(in, codec, 
      isServer ? inKey : outKey, isServer ? inIv : outIv);
  OutputStream cOut = new CryptoOutputStream(out, codec, 
      isServer ? outKey : inKey, isServer ? outIv : inIv);
  return new IOStreamPair(cIn, cOut);
}
 
Example 6
Source Project: hadoop   Source File: DFSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Obtain a CryptoCodec based on the CipherSuite set in a FileEncryptionInfo
 * and the available CryptoCodecs configured in the Configuration.
 *
 * @param conf   Configuration
 * @param feInfo FileEncryptionInfo
 * @return CryptoCodec
 * @throws IOException if no suitable CryptoCodec for the CipherSuite is
 *                     available.
 */
private static CryptoCodec getCryptoCodec(Configuration conf,
    FileEncryptionInfo feInfo) throws IOException {
  final CipherSuite suite = feInfo.getCipherSuite();
  if (suite.equals(CipherSuite.UNKNOWN)) {
    throw new IOException("NameNode specified unknown CipherSuite with ID "
        + suite.getUnknownValue() + ", cannot instantiate CryptoCodec.");
  }
  final CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
  if (codec == null) {
    throw new UnknownCipherSuiteException(
        "No configuration found for the cipher suite "
        + suite.getConfigSuffix() + " prefixed with "
        + HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX
        + ". Please see the example configuration "
        + "hadoop.security.crypto.codec.classes.EXAMPLECIPHERSUITE "
        + "at core-default.xml for details.");
  }
  return codec;
}
 
Example 7
Source Project: hadoop   Source File: DFSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Wraps the stream in a CryptoInputStream if the underlying file is
 * encrypted.
 */
public HdfsDataInputStream createWrappedInputStream(DFSInputStream dfsis)
    throws IOException {
  final FileEncryptionInfo feInfo = dfsis.getFileEncryptionInfo();
  if (feInfo != null) {
    // File is encrypted, wrap the stream in a crypto stream.
    // Currently only one version, so no special logic based on the version #
    getCryptoProtocolVersion(feInfo);
    final CryptoCodec codec = getCryptoCodec(conf, feInfo);
    final KeyVersion decrypted = decryptEncryptedDataEncryptionKey(feInfo);
    final CryptoInputStream cryptoIn =
        new CryptoInputStream(dfsis, codec, decrypted.getMaterial(),
            feInfo.getIV());
    return new HdfsDataInputStream(cryptoIn);
  } else {
    // No FileEncryptionInfo so no encryption.
    return new HdfsDataInputStream(dfsis);
  }
}
 
Example 8
Source Project: hadoop   Source File: DFSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Wraps the stream in a CryptoOutputStream if the underlying file is
 * encrypted.
 */
public HdfsDataOutputStream createWrappedOutputStream(DFSOutputStream dfsos,
    FileSystem.Statistics statistics, long startPos) throws IOException {
  final FileEncryptionInfo feInfo = dfsos.getFileEncryptionInfo();
  if (feInfo != null) {
    // File is encrypted, wrap the stream in a crypto stream.
    // Currently only one version, so no special logic based on the version #
    getCryptoProtocolVersion(feInfo);
    final CryptoCodec codec = getCryptoCodec(conf, feInfo);
    KeyVersion decrypted = decryptEncryptedDataEncryptionKey(feInfo);
    final CryptoOutputStream cryptoOut =
        new CryptoOutputStream(dfsos, codec,
            decrypted.getMaterial(), feInfo.getIV(), startPos);
    return new HdfsDataOutputStream(cryptoOut, statistics, startPos);
  } else {
    // No FileEncryptionInfo present so no encryption.
    return new HdfsDataOutputStream(dfsos, statistics, startPos);
  }
}
 
Example 9
Source Project: big-c   Source File: CryptoUtils.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Wraps a given FSDataOutputStream with a CryptoOutputStream. The size of the
 * data buffer required for the stream is specified by the
 * "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration
 * variable.
 * 
 * @param conf
 * @param out
 * @return FSDataOutputStream
 * @throws IOException
 */
public static FSDataOutputStream wrapIfNecessary(Configuration conf,
    FSDataOutputStream out) throws IOException {
  if (isEncryptedSpillEnabled(conf)) {
    out.write(ByteBuffer.allocate(8).putLong(out.getPos()).array());
    byte[] iv = createIV(conf);
    out.write(iv);
    if (LOG.isDebugEnabled()) {
      LOG.debug("IV written to Stream ["
          + Base64.encodeBase64URLSafeString(iv) + "]");
    }
    return new CryptoFSDataOutputStream(out, CryptoCodec.getInstance(conf),
        getBufferSize(conf), getEncryptionKey(), iv);
  } else {
    return out;
  }
}
 
Example 10
Source Project: big-c   Source File: CryptoUtils.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Wraps a given InputStream with a CryptoInputStream. The size of the data
 * buffer required for the stream is specified by the
 * "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration
 * variable.
 * 
 * If the value of 'length' is > -1, The InputStream is additionally
 * wrapped in a LimitInputStream. CryptoStreams are late buffering in nature.
 * This means they will always try to read ahead if they can. The
 * LimitInputStream will ensure that the CryptoStream does not read past the
 * provided length from the given Input Stream.
 * 
 * @param conf
 * @param in
 * @param length
 * @return InputStream
 * @throws IOException
 */
public static InputStream wrapIfNecessary(Configuration conf, InputStream in,
    long length) throws IOException {
  if (isEncryptedSpillEnabled(conf)) {
    int bufferSize = getBufferSize(conf);
    if (length > -1) {
      in = new LimitInputStream(in, length);
    }
    byte[] offsetArray = new byte[8];
    IOUtils.readFully(in, offsetArray, 0, 8);
    long offset = ByteBuffer.wrap(offsetArray).getLong();
    CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf);
    byte[] iv = 
        new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()];
    IOUtils.readFully(in, iv, 0, 
        cryptoCodec.getCipherSuite().getAlgorithmBlockSize());
    if (LOG.isDebugEnabled()) {
      LOG.debug("IV read from ["
          + Base64.encodeBase64URLSafeString(iv) + "]");
    }
    return new CryptoInputStream(in, cryptoCodec, bufferSize,
        getEncryptionKey(), iv, offset + cryptoPadding(conf));
  } else {
    return in;
  }
}
 
Example 11
Source Project: big-c   Source File: CryptoUtils.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Wraps a given FSDataInputStream with a CryptoInputStream. The size of the
 * data buffer required for the stream is specified by the
 * "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration
 * variable.
 * 
 * @param conf
 * @param in
 * @return FSDataInputStream
 * @throws IOException
 */
public static FSDataInputStream wrapIfNecessary(Configuration conf,
    FSDataInputStream in) throws IOException {
  if (isEncryptedSpillEnabled(conf)) {
    CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf);
    int bufferSize = getBufferSize(conf);
    // Not going to be used... but still has to be read...
    // Since the O/P stream always writes it..
    IOUtils.readFully(in, new byte[8], 0, 8);
    byte[] iv = 
        new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()];
    IOUtils.readFully(in, iv, 0, 
        cryptoCodec.getCipherSuite().getAlgorithmBlockSize());
    if (LOG.isDebugEnabled()) {
      LOG.debug("IV read from Stream ["
          + Base64.encodeBase64URLSafeString(iv) + "]");
    }
    return new CryptoFSDataInputStream(in, cryptoCodec, bufferSize,
        getEncryptionKey(), iv);
  } else {
    return in;
  }
}
 
Example 12
Source Project: big-c   Source File: DataTransferSaslUtil.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Create IOStreamPair of {@link org.apache.hadoop.crypto.CryptoInputStream}
 * and {@link org.apache.hadoop.crypto.CryptoOutputStream}
 * 
 * @param conf the configuration
 * @param cipherOption negotiated cipher option
 * @param out underlying output stream
 * @param in underlying input stream
 * @param isServer is server side
 * @return IOStreamPair the stream pair
 * @throws IOException for any error
 */
public static IOStreamPair createStreamPair(Configuration conf,
    CipherOption cipherOption, OutputStream out, InputStream in, 
    boolean isServer) throws IOException {
  if (LOG.isDebugEnabled()) {
    LOG.debug("Creating IOStreamPair of CryptoInputStream and " +
        "CryptoOutputStream.");
  }
  CryptoCodec codec = CryptoCodec.getInstance(conf, 
      cipherOption.getCipherSuite());
  byte[] inKey = cipherOption.getInKey();
  byte[] inIv = cipherOption.getInIv();
  byte[] outKey = cipherOption.getOutKey();
  byte[] outIv = cipherOption.getOutIv();
  InputStream cIn = new CryptoInputStream(in, codec, 
      isServer ? inKey : outKey, isServer ? inIv : outIv);
  OutputStream cOut = new CryptoOutputStream(out, codec, 
      isServer ? outKey : inKey, isServer ? outIv : inIv);
  return new IOStreamPair(cIn, cOut);
}
 
Example 13
Source Project: big-c   Source File: DFSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Obtain a CryptoCodec based on the CipherSuite set in a FileEncryptionInfo
 * and the available CryptoCodecs configured in the Configuration.
 *
 * @param conf   Configuration
 * @param feInfo FileEncryptionInfo
 * @return CryptoCodec
 * @throws IOException if no suitable CryptoCodec for the CipherSuite is
 *                     available.
 */
private static CryptoCodec getCryptoCodec(Configuration conf,
    FileEncryptionInfo feInfo) throws IOException {
  final CipherSuite suite = feInfo.getCipherSuite();
  if (suite.equals(CipherSuite.UNKNOWN)) {
    throw new IOException("NameNode specified unknown CipherSuite with ID "
        + suite.getUnknownValue() + ", cannot instantiate CryptoCodec.");
  }
  final CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
  if (codec == null) {
    throw new UnknownCipherSuiteException(
        "No configuration found for the cipher suite "
        + suite.getConfigSuffix() + " prefixed with "
        + HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX
        + ". Please see the example configuration "
        + "hadoop.security.crypto.codec.classes.EXAMPLECIPHERSUITE "
        + "at core-default.xml for details.");
  }
  return codec;
}
 
Example 14
Source Project: big-c   Source File: DFSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Wraps the stream in a CryptoInputStream if the underlying file is
 * encrypted.
 */
public HdfsDataInputStream createWrappedInputStream(DFSInputStream dfsis)
    throws IOException {
  final FileEncryptionInfo feInfo = dfsis.getFileEncryptionInfo();
  if (feInfo != null) {
    // File is encrypted, wrap the stream in a crypto stream.
    // Currently only one version, so no special logic based on the version #
    getCryptoProtocolVersion(feInfo);
    final CryptoCodec codec = getCryptoCodec(conf, feInfo);
    final KeyVersion decrypted = decryptEncryptedDataEncryptionKey(feInfo);
    final CryptoInputStream cryptoIn =
        new CryptoInputStream(dfsis, codec, decrypted.getMaterial(),
            feInfo.getIV());
    return new HdfsDataInputStream(cryptoIn);
  } else {
    // No FileEncryptionInfo so no encryption.
    return new HdfsDataInputStream(dfsis);
  }
}
 
Example 15
Source Project: big-c   Source File: DFSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Wraps the stream in a CryptoOutputStream if the underlying file is
 * encrypted.
 */
public HdfsDataOutputStream createWrappedOutputStream(DFSOutputStream dfsos,
    FileSystem.Statistics statistics, long startPos) throws IOException {
  final FileEncryptionInfo feInfo = dfsos.getFileEncryptionInfo();
  if (feInfo != null) {
    // File is encrypted, wrap the stream in a crypto stream.
    // Currently only one version, so no special logic based on the version #
    getCryptoProtocolVersion(feInfo);
    final CryptoCodec codec = getCryptoCodec(conf, feInfo);
    KeyVersion decrypted = decryptEncryptedDataEncryptionKey(feInfo);
    final CryptoOutputStream cryptoOut =
        new CryptoOutputStream(dfsos, codec,
            decrypted.getMaterial(), feInfo.getIV(), startPos);
    return new HdfsDataOutputStream(cryptoOut, statistics, startPos);
  } else {
    // No FileEncryptionInfo present so no encryption.
    return new HdfsDataOutputStream(dfsos, statistics, startPos);
  }
}
 
Example 16
public HdfsDataInputStream createWrappedInputStream(DFSInputStream dfsis)
        throws IOException {
    final FileEncryptionInfo feInfo = dfsis.getFileEncryptionInfo();
    if (feInfo != null) {
        // File is encrypted, wrap the stream in a crypto stream.
        // Currently only one version, so no special logic based on the version #
        getCryptoProtocolVersion(feInfo);
        final CryptoCodec codec = getCryptoCodec(getConfiguration(), feInfo);
        final KeyProvider.KeyVersion decrypted = decryptEncryptedDataEncryptionKey(dfsis, feInfo);
        final CryptoInputStream cryptoIn =
                new CryptoInputStream(dfsis, codec, decrypted.getMaterial(),
                        feInfo.getIV());
        return new HdfsDataInputStream(cryptoIn);
    } else {
        // No FileEncryptionInfo so no encryption.
        return new HdfsDataInputStream(dfsis);
    }
}
 
Example 17
/**
 * O
 * btain a CryptoCodec based on the CipherSuite set in a FileEncryptionInfo
 * and the available CryptoCodecs configured in the Configuration.
 *
 * @param conf   Configuration
 * @param feInfo FileEncryptionInfo
 * @return CryptoCodec
 * @throws IOException if no suitable CryptoCodec for the CipherSuite is
 *                     available.
 */
private static CryptoCodec getCryptoCodec(Configuration conf,
                                          FileEncryptionInfo feInfo) throws IOException {
    final CipherSuite suite = feInfo.getCipherSuite();
    if (suite.equals(CipherSuite.UNKNOWN)) {
        throw new IOException("NameNode specified unknown CipherSuite with ID "
                + suite.getUnknownValue() + ", cannot instantiate CryptoCodec.");
    }
    final CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
    if (codec == null) {
        throw new UnknownCipherSuiteException(
                "No configuration found for the cipher suite "
                        + suite.getConfigSuffix() + " prefixed with "
                        + HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX
                        + ". Please see the example configuration "
                        + "hadoop.security.crypto.codec.classes.EXAMPLECIPHERSUITE "
                        + "at core-default.xml for details.");
    }
    return codec;
}
 
Example 18
Source Project: hadoop   Source File: CryptoUtils.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * This method creates and initializes an IV (Initialization Vector)
 * 
 * @param conf
 * @return byte[]
 * @throws IOException
 */
public static byte[] createIV(Configuration conf) throws IOException {
  CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf);
  if (isEncryptedSpillEnabled(conf)) {
    byte[] iv = new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()];
    cryptoCodec.generateSecureRandom(iv);
    return iv;
  } else {
    return null;
  }
}
 
Example 19
Source Project: hadoop   Source File: DataTransferSaslUtil.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Negotiate a cipher option which server supports.
 * 
 * @param conf the configuration
 * @param options the cipher options which client supports
 * @return CipherOption negotiated cipher option
 */
public static CipherOption negotiateCipherOption(Configuration conf,
    List<CipherOption> options) throws IOException {
  // Negotiate cipher suites if configured.  Currently, the only supported
  // cipher suite is AES/CTR/NoPadding, but the protocol allows multiple
  // values for future expansion.
  String cipherSuites = conf.get(DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY);
  if (cipherSuites == null || cipherSuites.isEmpty()) {
    return null;
  }
  if (!cipherSuites.equals(CipherSuite.AES_CTR_NOPADDING.getName())) {
    throw new IOException(String.format("Invalid cipher suite, %s=%s",
        DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY, cipherSuites));
  }
  if (options != null) {
    for (CipherOption option : options) {
      CipherSuite suite = option.getCipherSuite();
      if (suite == CipherSuite.AES_CTR_NOPADDING) {
        int keyLen = conf.getInt(
            DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_KEY,
            DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_DEFAULT) / 8;
        CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
        byte[] inKey = new byte[keyLen];
        byte[] inIv = new byte[suite.getAlgorithmBlockSize()];
        byte[] outKey = new byte[keyLen];
        byte[] outIv = new byte[suite.getAlgorithmBlockSize()];
        codec.generateSecureRandom(inKey);
        codec.generateSecureRandom(inIv);
        codec.generateSecureRandom(outKey);
        codec.generateSecureRandom(outIv);
        return new CipherOption(suite, inKey, inIv, outKey, outIv);
      }
    }
  }
  return null;
}
 
Example 20
Source Project: hadoop   Source File: TestHdfsCryptoStreams.java    License: Apache License 2.0 5 votes vote down vote up
@BeforeClass
public static void init() throws Exception {
  Configuration conf = new HdfsConfiguration();
  dfsCluster = new MiniDFSCluster.Builder(conf).build();
  dfsCluster.waitClusterUp();
  fs = dfsCluster.getFileSystem();
  codec = CryptoCodec.getInstance(conf);
}
 
Example 21
Source Project: hadoop   Source File: KeyProviderCryptoExtension.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public EncryptedKeyVersion generateEncryptedKey(String encryptionKeyName)
    throws IOException, GeneralSecurityException {
  // Fetch the encryption key
  KeyVersion encryptionKey = keyProvider.getCurrentKey(encryptionKeyName);
  Preconditions.checkNotNull(encryptionKey,
      "No KeyVersion exists for key '%s' ", encryptionKeyName);
  // Generate random bytes for new key and IV

  CryptoCodec cc = CryptoCodec.getInstance(keyProvider.getConf());
  final byte[] newKey = new byte[encryptionKey.getMaterial().length];
  cc.generateSecureRandom(newKey);
  final byte[] iv = new byte[cc.getCipherSuite().getAlgorithmBlockSize()];
  cc.generateSecureRandom(iv);
  // Encryption key IV is derived from new key's IV
  final byte[] encryptionIV = EncryptedKeyVersion.deriveIV(iv);
  Encryptor encryptor = cc.createEncryptor();
  encryptor.init(encryptionKey.getMaterial(), encryptionIV);
  int keyLen = newKey.length;
  ByteBuffer bbIn = ByteBuffer.allocateDirect(keyLen);
  ByteBuffer bbOut = ByteBuffer.allocateDirect(keyLen);
  bbIn.put(newKey);
  bbIn.flip();
  encryptor.encrypt(bbIn, bbOut);
  bbOut.flip();
  byte[] encryptedKey = new byte[keyLen];
  bbOut.get(encryptedKey);    
  return new EncryptedKeyVersion(encryptionKeyName,
      encryptionKey.getVersionName(), iv,
      new KeyVersion(encryptionKey.getName(), EEK, encryptedKey));
}
 
Example 22
Source Project: hadoop   Source File: KeyProviderCryptoExtension.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public KeyVersion decryptEncryptedKey(
    EncryptedKeyVersion encryptedKeyVersion) throws IOException,
    GeneralSecurityException {
  // Fetch the encryption key material
  final String encryptionKeyVersionName =
      encryptedKeyVersion.getEncryptionKeyVersionName();
  final KeyVersion encryptionKey =
      keyProvider.getKeyVersion(encryptionKeyVersionName);
  Preconditions.checkNotNull(encryptionKey,
      "KeyVersion name '%s' does not exist", encryptionKeyVersionName);
  Preconditions.checkArgument(
          encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
                .equals(KeyProviderCryptoExtension.EEK),
            "encryptedKey version name must be '%s', is '%s'",
            KeyProviderCryptoExtension.EEK,
            encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
        );

  // Encryption key IV is determined from encrypted key's IV
  final byte[] encryptionIV =
      EncryptedKeyVersion.deriveIV(encryptedKeyVersion.getEncryptedKeyIv());

  CryptoCodec cc = CryptoCodec.getInstance(keyProvider.getConf());
  Decryptor decryptor = cc.createDecryptor();
  decryptor.init(encryptionKey.getMaterial(), encryptionIV);
  final KeyVersion encryptedKV =
      encryptedKeyVersion.getEncryptedKeyVersion();
  int keyLen = encryptedKV.getMaterial().length;
  ByteBuffer bbIn = ByteBuffer.allocateDirect(keyLen);
  ByteBuffer bbOut = ByteBuffer.allocateDirect(keyLen);
  bbIn.put(encryptedKV.getMaterial());
  bbIn.flip();
  decryptor.decrypt(bbIn, bbOut);
  bbOut.flip();
  byte[] decryptedKey = new byte[keyLen];
  bbOut.get(decryptedKey);
  return new KeyVersion(encryptionKey.getName(), EK, decryptedKey);
}
 
Example 23
Source Project: big-c   Source File: CryptoUtils.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * This method creates and initializes an IV (Initialization Vector)
 * 
 * @param conf
 * @return byte[]
 * @throws IOException
 */
public static byte[] createIV(Configuration conf) throws IOException {
  CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf);
  if (isEncryptedSpillEnabled(conf)) {
    byte[] iv = new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()];
    cryptoCodec.generateSecureRandom(iv);
    return iv;
  } else {
    return null;
  }
}
 
Example 24
Source Project: big-c   Source File: DataTransferSaslUtil.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Negotiate a cipher option which server supports.
 * 
 * @param conf the configuration
 * @param options the cipher options which client supports
 * @return CipherOption negotiated cipher option
 */
public static CipherOption negotiateCipherOption(Configuration conf,
    List<CipherOption> options) throws IOException {
  // Negotiate cipher suites if configured.  Currently, the only supported
  // cipher suite is AES/CTR/NoPadding, but the protocol allows multiple
  // values for future expansion.
  String cipherSuites = conf.get(DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY);
  if (cipherSuites == null || cipherSuites.isEmpty()) {
    return null;
  }
  if (!cipherSuites.equals(CipherSuite.AES_CTR_NOPADDING.getName())) {
    throw new IOException(String.format("Invalid cipher suite, %s=%s",
        DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY, cipherSuites));
  }
  if (options != null) {
    for (CipherOption option : options) {
      CipherSuite suite = option.getCipherSuite();
      if (suite == CipherSuite.AES_CTR_NOPADDING) {
        int keyLen = conf.getInt(
            DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_KEY,
            DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_DEFAULT) / 8;
        CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
        byte[] inKey = new byte[keyLen];
        byte[] inIv = new byte[suite.getAlgorithmBlockSize()];
        byte[] outKey = new byte[keyLen];
        byte[] outIv = new byte[suite.getAlgorithmBlockSize()];
        codec.generateSecureRandom(inKey);
        codec.generateSecureRandom(inIv);
        codec.generateSecureRandom(outKey);
        codec.generateSecureRandom(outIv);
        return new CipherOption(suite, inKey, inIv, outKey, outIv);
      }
    }
  }
  return null;
}
 
Example 25
Source Project: big-c   Source File: TestHdfsCryptoStreams.java    License: Apache License 2.0 5 votes vote down vote up
@BeforeClass
public static void init() throws Exception {
  Configuration conf = new HdfsConfiguration();
  dfsCluster = new MiniDFSCluster.Builder(conf).build();
  dfsCluster.waitClusterUp();
  fs = dfsCluster.getFileSystem();
  codec = CryptoCodec.getInstance(conf);
}
 
Example 26
Source Project: big-c   Source File: KeyProviderCryptoExtension.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public EncryptedKeyVersion generateEncryptedKey(String encryptionKeyName)
    throws IOException, GeneralSecurityException {
  // Fetch the encryption key
  KeyVersion encryptionKey = keyProvider.getCurrentKey(encryptionKeyName);
  Preconditions.checkNotNull(encryptionKey,
      "No KeyVersion exists for key '%s' ", encryptionKeyName);
  // Generate random bytes for new key and IV

  CryptoCodec cc = CryptoCodec.getInstance(keyProvider.getConf());
  final byte[] newKey = new byte[encryptionKey.getMaterial().length];
  cc.generateSecureRandom(newKey);
  final byte[] iv = new byte[cc.getCipherSuite().getAlgorithmBlockSize()];
  cc.generateSecureRandom(iv);
  // Encryption key IV is derived from new key's IV
  final byte[] encryptionIV = EncryptedKeyVersion.deriveIV(iv);
  Encryptor encryptor = cc.createEncryptor();
  encryptor.init(encryptionKey.getMaterial(), encryptionIV);
  int keyLen = newKey.length;
  ByteBuffer bbIn = ByteBuffer.allocateDirect(keyLen);
  ByteBuffer bbOut = ByteBuffer.allocateDirect(keyLen);
  bbIn.put(newKey);
  bbIn.flip();
  encryptor.encrypt(bbIn, bbOut);
  bbOut.flip();
  byte[] encryptedKey = new byte[keyLen];
  bbOut.get(encryptedKey);    
  return new EncryptedKeyVersion(encryptionKeyName,
      encryptionKey.getVersionName(), iv,
      new KeyVersion(encryptionKey.getName(), EEK, encryptedKey));
}
 
Example 27
Source Project: big-c   Source File: KeyProviderCryptoExtension.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public KeyVersion decryptEncryptedKey(
    EncryptedKeyVersion encryptedKeyVersion) throws IOException,
    GeneralSecurityException {
  // Fetch the encryption key material
  final String encryptionKeyVersionName =
      encryptedKeyVersion.getEncryptionKeyVersionName();
  final KeyVersion encryptionKey =
      keyProvider.getKeyVersion(encryptionKeyVersionName);
  Preconditions.checkNotNull(encryptionKey,
      "KeyVersion name '%s' does not exist", encryptionKeyVersionName);
  Preconditions.checkArgument(
          encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
                .equals(KeyProviderCryptoExtension.EEK),
            "encryptedKey version name must be '%s', is '%s'",
            KeyProviderCryptoExtension.EEK,
            encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
        );

  // Encryption key IV is determined from encrypted key's IV
  final byte[] encryptionIV =
      EncryptedKeyVersion.deriveIV(encryptedKeyVersion.getEncryptedKeyIv());

  CryptoCodec cc = CryptoCodec.getInstance(keyProvider.getConf());
  Decryptor decryptor = cc.createDecryptor();
  decryptor.init(encryptionKey.getMaterial(), encryptionIV);
  final KeyVersion encryptedKV =
      encryptedKeyVersion.getEncryptedKeyVersion();
  int keyLen = encryptedKV.getMaterial().length;
  ByteBuffer bbIn = ByteBuffer.allocateDirect(keyLen);
  ByteBuffer bbOut = ByteBuffer.allocateDirect(keyLen);
  bbIn.put(encryptedKV.getMaterial());
  bbIn.flip();
  decryptor.decrypt(bbIn, bbOut);
  bbOut.flip();
  byte[] decryptedKey = new byte[keyLen];
  bbOut.get(decryptedKey);
  return new KeyVersion(encryptionKey.getName(), EK, decryptedKey);
}
 
Example 28
Source Project: hadoop   Source File: CryptoUtils.java    License: Apache License 2.0 4 votes vote down vote up
public static int cryptoPadding(Configuration conf) {
  // Sizeof(IV) + long(start-offset)
  return isEncryptedSpillEnabled(conf) ? CryptoCodec.getInstance(conf)
      .getCipherSuite().getAlgorithmBlockSize() + 8 : 0;
}
 
Example 29
Source Project: hadoop   Source File: CryptoFSDataInputStream.java    License: Apache License 2.0 4 votes vote down vote up
public CryptoFSDataInputStream(FSDataInputStream in, CryptoCodec codec, 
    int bufferSize, byte[] key, byte[] iv) throws IOException {
  super(new CryptoInputStream(in, codec, bufferSize, key, iv)); 
}
 
Example 30
Source Project: hadoop   Source File: CryptoFSDataInputStream.java    License: Apache License 2.0 4 votes vote down vote up
public CryptoFSDataInputStream(FSDataInputStream in, CryptoCodec codec, 
    byte[] key, byte[] iv) throws IOException {
  super(new CryptoInputStream(in, codec, key, iv)); 
}