Java Code Examples for org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion

The following examples show how to use org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion. These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source Project: hadoop-ozone   Source File: OzoneKMSUtil.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Decrypts the encrypted data encryption key (EDEK) carried in
 * {@code feInfo} by handing it to the configured {@link KeyProvider}.
 *
 * @param feInfo      per-file encryption metadata; its key name, EZ key
 *                    version name, IV and EDEK bytes are used to rebuild the
 *                    {@link EncryptedKeyVersion} envelope
 * @param keyProvider provider holding the encryption-zone key; must not be
 *                    {@code null}
 * @return the decrypted data encryption key
 * @throws IOException if no provider is configured, or if the provider fails
 *                     to decrypt (the {@link GeneralSecurityException} is
 *                     kept as the cause)
 */
public static KeyProvider.KeyVersion decryptEncryptedDataEncryptionKey(
    FileEncryptionInfo feInfo, KeyProvider keyProvider) throws IOException {
  // Fail fast: without a provider nothing can unwrap the EDEK.
  if (keyProvider == null) {
    throw new IOException("No KeyProvider is configured, " +
        "cannot access an encrypted file");
  }
  // Rebuild the EDEK envelope from the file's metadata.
  final EncryptedKeyVersion envelope = EncryptedKeyVersion.createForDecryption(
      feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(),
      feInfo.getEncryptedDataEncryptionKey());
  try {
    final KeyProviderCryptoExtension extension =
        KeyProviderCryptoExtension.createKeyProviderCryptoExtension(keyProvider);
    return extension.decryptEncryptedKey(envelope);
  } catch (GeneralSecurityException gse) {
    // Callers only deal in IOException; preserve the original as the cause.
    throw new IOException(gse);
  }
}
 
Example 2
Source Project: hadoop-ozone   Source File: KeyManagerImpl.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Generates a new encrypted data encryption key (EDEK) for the given
 * encryption-zone key, issuing the KMS call via
 * {@code SecurityUtil.doAsLoginUser}.
 *
 * @param ezKeyName name of the encryption-zone key; {@code null} yields
 *                  {@code null} without contacting the KMS
 * @return the generated EDEK; never {@code null} for a non-null key name
 * @throws IOException if the KMS call fails; a
 *                     {@link GeneralSecurityException} from the provider is
 *                     wrapped as the cause
 */
private EncryptedKeyVersion generateEDEK(
    final String ezKeyName) throws IOException {
  if (ezKeyName == null) {
    return null;
  }
  // The KMS request runs under the login user's credentials, not the
  // caller's, hence the privileged action.
  final PrivilegedExceptionAction<EncryptedKeyVersion> generate =
      new PrivilegedExceptionAction<EncryptedKeyVersion>() {
        @Override
        public EncryptedKeyVersion run() throws IOException {
          try {
            return getKMSProvider().generateEncryptedKey(ezKeyName);
          } catch (GeneralSecurityException e) {
            throw new IOException(e);
          }
        }
      };
  final long startedAt = monotonicNow();
  final EncryptedKeyVersion edek = SecurityUtil.doAsLoginUser(generate);
  LOG.debug("generateEDEK takes {} ms", monotonicNow() - startedAt);
  Preconditions.checkNotNull(edek);
  return edek;
}
 
Example 3
Source Project: hadoop   Source File: DFSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Decrypts a EDEK by consulting the KeyProvider.
 *
 * The whole operation runs inside a "decryptEDEK" trace span so the
 * provider round trip is visible in request tracing.
 *
 * @param feInfo encryption metadata of the file whose EDEK is unwrapped
 * @return the decrypted data encryption key
 * @throws IOException if no KeyProvider is configured, or the provider fails
 *                     to decrypt (the {@link GeneralSecurityException} is
 *                     kept as the cause)
 */
private KeyVersion decryptEncryptedDataEncryptionKey(FileEncryptionInfo
    feInfo) throws IOException {
  final TraceScope scope = Trace.startSpan("decryptEDEK", traceSampler);
  try {
    final KeyProvider provider = getKeyProvider();
    if (provider == null) {
      throw new IOException("No KeyProvider is configured, cannot access" +
          " an encrypted file");
    }
    // Rebuild the EDEK envelope from the file's metadata.
    final EncryptedKeyVersion envelope =
        EncryptedKeyVersion.createForDecryption(
            feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(),
            feInfo.getEncryptedDataEncryptionKey());
    try {
      return KeyProviderCryptoExtension
          .createKeyProviderCryptoExtension(provider)
          .decryptEncryptedKey(envelope);
    } catch (GeneralSecurityException e) {
      // Callers only deal in IOException; keep the original as the cause.
      throw new IOException(e);
    }
  } finally {
    scope.close();
  }
}
 
Example 4
Source Project: hadoop   Source File: KMSClientProvider.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Requests {@code numEKVs} freshly generated encrypted key versions for
 * {@code keyName} from the KMS in one GET and appends them to
 * {@code keyQueue}.
 *
 * @param keyName  encryption key to generate EEKs for; must not be null
 * @param keyQueue destination for the parsed EEKs
 * @param numEKVs  how many EEKs to ask for in this round trip
 * @throws IOException if the HTTP call fails or the KMS does not answer
 *                     with HTTP 200 (status handling lives in {@code call})
 */
@Override
public void fillQueueForKey(String keyName,
    Queue<EncryptedKeyVersion> keyQueue, int numEKVs) throws IOException {
  checkNotNull(keyName, "keyName");
  final Map<String, String> query = new HashMap<String, String>();
  query.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_GENERATE);
  query.put(KMSRESTConstants.EEK_NUM_KEYS, String.valueOf(numEKVs));
  // Generate is addressed at the key resource's EEK sub-resource.
  final URL target = createURL(KMSRESTConstants.KEY_RESOURCE, keyName,
      KMSRESTConstants.EEK_SUB_RESOURCE, query);
  final HttpURLConnection connection = createConnection(target, HTTP_GET);
  connection.setRequestProperty(CONTENT_TYPE, APPLICATION_JSON_MIME);
  final List body = call(connection, null,
      HttpURLConnection.HTTP_OK, List.class);
  keyQueue.addAll(parseJSONEncKeyVersion(keyName, body));
}
 
Example 5
Source Project: hadoop   Source File: LoadBalancingKMSClientProvider.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Generates an encrypted key by delegating to one of the underlying KMS
 * client providers, starting at the next round-robin index.
 *
 * @param encryptionKeyName encryption key to generate an EEK for
 * @return the generated encrypted key version
 * @throws IOException              if the delegated call fails with an I/O
 *                                  error (failover behaviour is inside
 *                                  {@code doOp}, outside this method)
 * @throws GeneralSecurityException if the provider rejects the request;
 *                                  unwrapped from the {@link WrapperException}
 *                                  that {@code doOp} carries it in
 */
@Override
public EncryptedKeyVersion
    generateEncryptedKey(final String encryptionKeyName)
        throws IOException, GeneralSecurityException {
  final ProviderCallable<EncryptedKeyVersion> op =
      new ProviderCallable<EncryptedKeyVersion>() {
        @Override
        public EncryptedKeyVersion call(KMSClientProvider provider)
            throws IOException, GeneralSecurityException {
          return provider.generateEncryptedKey(encryptionKeyName);
        }
      };
  try {
    return doOp(op, nextIdx());
  } catch (WrapperException we) {
    // The cast assumes doOp only ever wraps a GeneralSecurityException here.
    throw (GeneralSecurityException) we.getCause();
  }
}
 
Example 6
Source Project: hadoop   Source File: LoadBalancingKMSClientProvider.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Decrypts an encrypted key version by delegating to one of the underlying
 * KMS client providers, starting at the next round-robin index.
 *
 * @param encryptedKeyVersion the EEK to unwrap
 * @return the decrypted key version
 * @throws IOException              if the delegated call fails with an I/O
 *                                  error (failover behaviour is inside
 *                                  {@code doOp}, outside this method)
 * @throws GeneralSecurityException if the provider rejects the request;
 *                                  unwrapped from the {@link WrapperException}
 *                                  that {@code doOp} carries it in
 */
@Override
public KeyVersion
    decryptEncryptedKey(final EncryptedKeyVersion encryptedKeyVersion)
        throws IOException, GeneralSecurityException {
  final ProviderCallable<KeyVersion> op = new ProviderCallable<KeyVersion>() {
    @Override
    public KeyVersion call(KMSClientProvider provider)
        throws IOException, GeneralSecurityException {
      return provider.decryptEncryptedKey(encryptedKeyVersion);
    }
  };
  try {
    return doOp(op, nextIdx());
  } catch (WrapperException we) {
    // The cast assumes doOp only ever wraps a GeneralSecurityException here.
    throw (GeneralSecurityException) we.getCause();
  }
}
 
Example 7
Source Project: big-c   Source File: DFSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Decrypts a EDEK by consulting the KeyProvider.
 *
 * The whole operation runs inside a "decryptEDEK" trace span so the
 * provider round trip is visible in request tracing.
 *
 * @param feInfo encryption metadata of the file whose EDEK is unwrapped
 * @return the decrypted data encryption key
 * @throws IOException if no KeyProvider is configured, or the provider fails
 *                     to decrypt (the {@link GeneralSecurityException} is
 *                     kept as the cause)
 */
private KeyVersion decryptEncryptedDataEncryptionKey(FileEncryptionInfo
    feInfo) throws IOException {
  final TraceScope scope = Trace.startSpan("decryptEDEK", traceSampler);
  try {
    final KeyProvider provider = getKeyProvider();
    if (provider == null) {
      throw new IOException("No KeyProvider is configured, cannot access" +
          " an encrypted file");
    }
    // Rebuild the EDEK envelope from the file's metadata.
    final EncryptedKeyVersion envelope =
        EncryptedKeyVersion.createForDecryption(
            feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(),
            feInfo.getEncryptedDataEncryptionKey());
    try {
      return KeyProviderCryptoExtension
          .createKeyProviderCryptoExtension(provider)
          .decryptEncryptedKey(envelope);
    } catch (GeneralSecurityException e) {
      // Callers only deal in IOException; keep the original as the cause.
      throw new IOException(e);
    }
  } finally {
    scope.close();
  }
}
 
Example 8
Source Project: big-c   Source File: KMSClientProvider.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Requests {@code numEKVs} freshly generated encrypted key versions for
 * {@code keyName} from the KMS in one GET and appends them to
 * {@code keyQueue}.
 *
 * @param keyName  encryption key to generate EEKs for; must not be null
 * @param keyQueue destination for the parsed EEKs
 * @param numEKVs  how many EEKs to ask for in this round trip
 * @throws IOException if the HTTP call fails or the KMS does not answer
 *                     with HTTP 200 (status handling lives in {@code call})
 */
@Override
public void fillQueueForKey(String keyName,
    Queue<EncryptedKeyVersion> keyQueue, int numEKVs) throws IOException {
  checkNotNull(keyName, "keyName");
  final Map<String, String> query = new HashMap<String, String>();
  query.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_GENERATE);
  query.put(KMSRESTConstants.EEK_NUM_KEYS, String.valueOf(numEKVs));
  // Generate is addressed at the key resource's EEK sub-resource.
  final URL target = createURL(KMSRESTConstants.KEY_RESOURCE, keyName,
      KMSRESTConstants.EEK_SUB_RESOURCE, query);
  final HttpURLConnection connection = createConnection(target, HTTP_GET);
  connection.setRequestProperty(CONTENT_TYPE, APPLICATION_JSON_MIME);
  final List body = call(connection, null,
      HttpURLConnection.HTTP_OK, List.class);
  keyQueue.addAll(parseJSONEncKeyVersion(keyName, body));
}
 
Example 9
Source Project: big-c   Source File: LoadBalancingKMSClientProvider.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Generates an encrypted key by delegating to one of the underlying KMS
 * client providers, starting at the next round-robin index.
 *
 * @param encryptionKeyName encryption key to generate an EEK for
 * @return the generated encrypted key version
 * @throws IOException              if the delegated call fails with an I/O
 *                                  error (failover behaviour is inside
 *                                  {@code doOp}, outside this method)
 * @throws GeneralSecurityException if the provider rejects the request;
 *                                  unwrapped from the {@link WrapperException}
 *                                  that {@code doOp} carries it in
 */
@Override
public EncryptedKeyVersion
    generateEncryptedKey(final String encryptionKeyName)
        throws IOException, GeneralSecurityException {
  final ProviderCallable<EncryptedKeyVersion> op =
      new ProviderCallable<EncryptedKeyVersion>() {
        @Override
        public EncryptedKeyVersion call(KMSClientProvider provider)
            throws IOException, GeneralSecurityException {
          return provider.generateEncryptedKey(encryptionKeyName);
        }
      };
  try {
    return doOp(op, nextIdx());
  } catch (WrapperException we) {
    // The cast assumes doOp only ever wraps a GeneralSecurityException here.
    throw (GeneralSecurityException) we.getCause();
  }
}
 
Example 10
Source Project: big-c   Source File: LoadBalancingKMSClientProvider.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Decrypts an encrypted key version by delegating to one of the underlying
 * KMS client providers, starting at the next round-robin index.
 *
 * @param encryptedKeyVersion the EEK to unwrap
 * @return the decrypted key version
 * @throws IOException              if the delegated call fails with an I/O
 *                                  error (failover behaviour is inside
 *                                  {@code doOp}, outside this method)
 * @throws GeneralSecurityException if the provider rejects the request;
 *                                  unwrapped from the {@link WrapperException}
 *                                  that {@code doOp} carries it in
 */
@Override
public KeyVersion
    decryptEncryptedKey(final EncryptedKeyVersion encryptedKeyVersion)
        throws IOException, GeneralSecurityException {
  final ProviderCallable<KeyVersion> op = new ProviderCallable<KeyVersion>() {
    @Override
    public KeyVersion call(KMSClientProvider provider)
        throws IOException, GeneralSecurityException {
      return provider.decryptEncryptedKey(encryptedKeyVersion);
    }
  };
  try {
    return doOp(op, nextIdx());
  } catch (WrapperException we) {
    // The cast assumes doOp only ever wraps a GeneralSecurityException here.
    throw (GeneralSecurityException) we.getCause();
  }
}
 
Example 11
Source Project: hadoop   Source File: KMSClientProvider.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Converts the JSON list returned by the KMS "generate EEK" call into
 * {@link EncryptedKeyVersion}s.
 *
 * Each element is expected to be a map carrying a version name, a Base64
 * IV and a nested encrypted-key-version map with its own version name and
 * Base64 key material. A missing field is rejected by {@code checkNotNull}
 * before anything is decoded further.
 *
 * @param keyName   encryption key the EEKs belong to
 * @param valueList raw JSON list (of maps) as parsed from the response
 * @return the parsed EEKs in response order; empty for an empty list
 */
@SuppressWarnings("rawtypes")
private static List<EncryptedKeyVersion>
    parseJSONEncKeyVersion(String keyName, List valueList) {
  final List<EncryptedKeyVersion> result =
      new LinkedList<EncryptedKeyVersion>();
  // An empty list simply produces no iterations.
  for (Object element : valueList) {
    final Map entry = (Map) element;

    final String versionName = checkNotNull(
        (String) entry.get(KMSRESTConstants.VERSION_NAME_FIELD),
        KMSRESTConstants.VERSION_NAME_FIELD);

    final String ivBase64 = checkNotNull(
        (String) entry.get(KMSRESTConstants.IV_FIELD),
        KMSRESTConstants.IV_FIELD);
    final byte[] iv = Base64.decodeBase64(ivBase64);

    final Map encrypted = checkNotNull(
        (Map) entry.get(KMSRESTConstants.ENCRYPTED_KEY_VERSION_FIELD),
        KMSRESTConstants.ENCRYPTED_KEY_VERSION_FIELD);

    final String encVersionName = checkNotNull(
        (String) encrypted.get(KMSRESTConstants.VERSION_NAME_FIELD),
        KMSRESTConstants.VERSION_NAME_FIELD);

    final String materialBase64 = checkNotNull(
        (String) encrypted.get(KMSRESTConstants.MATERIAL_FIELD),
        KMSRESTConstants.MATERIAL_FIELD);
    final byte[] encKeyMaterial = Base64.decodeBase64(materialBase64);

    result.add(new KMSEncryptedKeyVersion(keyName, versionName, iv,
        encVersionName, encKeyMaterial));
  }
  return result;
}
 
Example 12
Source Project: hadoop   Source File: KMSClientProvider.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Returns the next pre-generated encrypted key version for
 * {@code encryptionKeyName} from the local value queue (the queue's refill
 * logic lives outside this method).
 *
 * @param encryptionKeyName name of the encryption key
 * @return an EEK for that key
 * @throws IOException              if obtaining the value fails; a
 *                                  {@link SocketTimeoutException} cause is
 *                                  rethrown as-is so callers can treat
 *                                  timeouts distinctly, any other cause is
 *                                  wrapped
 * @throws GeneralSecurityException declared by the interface; not thrown by
 *                                  this body itself
 */
@Override
public EncryptedKeyVersion generateEncryptedKey(
    String encryptionKeyName) throws IOException, GeneralSecurityException {
  try {
    return encKeyVersionQueue.getNext(encryptionKeyName);
  } catch (ExecutionException e) {
    final Throwable cause = e.getCause();
    // Surface timeouts unwrapped; everything else becomes an IOException.
    if (cause instanceof SocketTimeoutException) {
      throw (SocketTimeoutException) cause;
    }
    throw new IOException(e);
  }
}
 
Example 13
Source Project: hadoop   Source File: KMSClientProvider.java    License: Apache License 2.0 5 votes vote down vote up
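/**
 * Decrypts an encrypted key version (EEK) by POSTing it to the KMS EEK
 * sub-resource of the encryption key version that wrapped it, with the
 * decrypt operation selected via the query parameters.
 *
 * All argument validation happens before any network I/O. The nested
 * encrypted key version is null-checked before its version name is read, so
 * a malformed EEK fails with the descriptive "encryptedKey" check rather
 * than a bare {@link NullPointerException}; likewise the version-name
 * comparison is written so a {@code null} version name is reported by
 * {@code checkArgument} instead of throwing an NPE.
 *
 * @param encryptedKeyVersion the EEK to unwrap
 * @return the decrypted key version as returned by the KMS
 * @throws IOException              if the HTTP call fails or the KMS does not
 *                                  answer with HTTP 200 (status handling
 *                                  lives in {@code call})
 * @throws GeneralSecurityException declared by the interface; not thrown by
 *                                  this body itself
 * @throws IllegalArgumentException if the nested version name is not
 *                                  {@link KeyProviderCryptoExtension#EEK};
 *                                  missing fields are rejected by
 *                                  {@code checkNotNull}
 */
@SuppressWarnings("rawtypes")
@Override
public KeyVersion decryptEncryptedKey(
    EncryptedKeyVersion encryptedKeyVersion) throws IOException,
                                                    GeneralSecurityException {
  checkNotNull(encryptedKeyVersion.getEncryptionKeyVersionName(),
      "versionName");
  checkNotNull(encryptedKeyVersion.getEncryptedKeyIv(), "iv");
  // Must precede the getVersionName() dereference below; otherwise a missing
  // nested key version surfaces as an NPE instead of this check.
  checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");
  // Constant-first equals: a null version name yields the formatted message.
  Preconditions.checkArgument(
      KeyProviderCryptoExtension.EEK.equals(
          encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()),
      "encryptedKey version name must be '%s', is '%s'",
      KeyProviderCryptoExtension.EEK,
      encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
  );
  Map<String, String> params = new HashMap<String, String>();
  params.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_DECRYPT);
  Map<String, Object> jsonPayload = new HashMap<String, Object>();
  jsonPayload.put(KMSRESTConstants.NAME_FIELD,
      encryptedKeyVersion.getEncryptionKeyName());
  // IV and wrapped material travel Base64-encoded in the JSON body.
  jsonPayload.put(KMSRESTConstants.IV_FIELD, Base64.encodeBase64String(
      encryptedKeyVersion.getEncryptedKeyIv()));
  jsonPayload.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String(
          encryptedKeyVersion.getEncryptedKeyVersion().getMaterial()));
  // The request path is keyed by the encryption key *version* name.
  URL url = createURL(KMSRESTConstants.KEY_VERSION_RESOURCE,
      encryptedKeyVersion.getEncryptionKeyVersionName(),
      KMSRESTConstants.EEK_SUB_RESOURCE, params);
  HttpURLConnection conn = createConnection(url, HTTP_POST);
  conn.setRequestProperty(CONTENT_TYPE, APPLICATION_JSON_MIME);
  Map response =
      call(conn, jsonPayload, HttpURLConnection.HTTP_OK, Map.class);
  return parseJSONKeyVersion(response);
}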
 
Example 14
Source Project: hadoop   Source File: TestKeyProviderCryptoExtension.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Round-trips an EEK: the material unwrapped by hand with AES/CTR must
 * equal what {@code decryptEncryptedKey} returns for an
 * {@code EncryptedKeyVersion} rebuilt through {@code createForDecryption}.
 */
@Test
public void testEncryptDecrypt() throws Exception {
  // Obtain a fresh EEK under the test encryption key.
  final KeyProviderCryptoExtension.EncryptedKeyVersion generated =
      kpExt.generateEncryptedKey(encryptionKey.getName());
  final byte[] wrappedIv = generated.getEncryptedKeyIv();
  final byte[] wrappedMaterial =
      generated.getEncryptedKeyVersion().getMaterial();

  // Reference value: unwrap it ourselves with the raw encryption key and the
  // same IV derivation the extension uses.
  final Cipher aesCtr = Cipher.getInstance("AES/CTR/NoPadding");
  aesCtr.init(Cipher.DECRYPT_MODE,
      new SecretKeySpec(encryptionKey.getMaterial(), "AES"),
      new IvParameterSpec(KeyProviderCryptoExtension.EncryptedKeyVersion
          .deriveIV(wrappedIv)));
  final byte[] expectedMaterial = aesCtr.doFinal(wrappedMaterial);

  // Rebuild the EEK from its parts via the factory under test.
  final EncryptedKeyVersion rebuilt = EncryptedKeyVersion.createForDecryption(
      generated.getEncryptionKeyName(),
      generated.getEncryptionKeyVersionName(),
      generated.getEncryptedKeyIv(),
      generated.getEncryptedKeyVersion().getMaterial());

  // The API's answer must match the manual unwrap.
  final KeyVersion viaApi = kpExt.decryptEncryptedKey(rebuilt);
  assertArrayEquals("Wrong key material from decryptEncryptedKey",
      expectedMaterial, viaApi.getMaterial());
}
 
Example 15
Source Project: hadoop   Source File: KMSServerJSONUtils.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Serialises an {@link EncryptedKeyVersion} into the map shape used by the
 * KMS REST responses: version name, URL-safe Base64 IV and the nested
 * encrypted key version (delegated to the {@code KeyVersion} overload).
 *
 * @param encryptedKeyVersion the EEK to serialise; may be {@code null}
 * @return an insertion-ordered map; empty when the input is {@code null}
 */
@SuppressWarnings("unchecked")
public static Map toJSON(EncryptedKeyVersion encryptedKeyVersion) {
  final Map json = new LinkedHashMap();
  if (encryptedKeyVersion == null) {
    return json;
  }
  json.put(KMSRESTConstants.VERSION_NAME_FIELD,
      encryptedKeyVersion.getEncryptionKeyVersionName());
  // URL-safe alphabet, since the value may end up in a URL-ish context.
  json.put(KMSRESTConstants.IV_FIELD,
      Base64.encodeBase64URLSafeString(
          encryptedKeyVersion.getEncryptedKeyIv()));
  json.put(KMSRESTConstants.ENCRYPTED_KEY_VERSION_FIELD,
      toJSON(encryptedKeyVersion.getEncryptedKeyVersion()));
  return json;
}
 
Example 16
Source Project: big-c   Source File: KMSClientProvider.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Converts the JSON list returned by the KMS "generate EEK" call into
 * {@link EncryptedKeyVersion}s.
 *
 * Each element is expected to be a map carrying a version name, a Base64
 * IV and a nested encrypted-key-version map with its own version name and
 * Base64 key material. A missing field is rejected by {@code checkNotNull}
 * before anything is decoded further.
 *
 * @param keyName   encryption key the EEKs belong to
 * @param valueList raw JSON list (of maps) as parsed from the response
 * @return the parsed EEKs in response order; empty for an empty list
 */
@SuppressWarnings("rawtypes")
private static List<EncryptedKeyVersion>
    parseJSONEncKeyVersion(String keyName, List valueList) {
  final List<EncryptedKeyVersion> result =
      new LinkedList<EncryptedKeyVersion>();
  // An empty list simply produces no iterations.
  for (Object element : valueList) {
    final Map entry = (Map) element;

    final String versionName = checkNotNull(
        (String) entry.get(KMSRESTConstants.VERSION_NAME_FIELD),
        KMSRESTConstants.VERSION_NAME_FIELD);

    final String ivBase64 = checkNotNull(
        (String) entry.get(KMSRESTConstants.IV_FIELD),
        KMSRESTConstants.IV_FIELD);
    final byte[] iv = Base64.decodeBase64(ivBase64);

    final Map encrypted = checkNotNull(
        (Map) entry.get(KMSRESTConstants.ENCRYPTED_KEY_VERSION_FIELD),
        KMSRESTConstants.ENCRYPTED_KEY_VERSION_FIELD);

    final String encVersionName = checkNotNull(
        (String) encrypted.get(KMSRESTConstants.VERSION_NAME_FIELD),
        KMSRESTConstants.VERSION_NAME_FIELD);

    final String materialBase64 = checkNotNull(
        (String) encrypted.get(KMSRESTConstants.MATERIAL_FIELD),
        KMSRESTConstants.MATERIAL_FIELD);
    final byte[] encKeyMaterial = Base64.decodeBase64(materialBase64);

    result.add(new KMSEncryptedKeyVersion(keyName, versionName, iv,
        encVersionName, encKeyMaterial));
  }
  return result;
}
 
Example 17
Source Project: big-c   Source File: KMSClientProvider.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Returns the next pre-generated encrypted key version for
 * {@code encryptionKeyName} from the local value queue (the queue's refill
 * logic lives outside this method).
 *
 * @param encryptionKeyName name of the encryption key
 * @return an EEK for that key
 * @throws IOException              if obtaining the value fails; a
 *                                  {@link SocketTimeoutException} cause is
 *                                  rethrown as-is so callers can treat
 *                                  timeouts distinctly, any other cause is
 *                                  wrapped
 * @throws GeneralSecurityException declared by the interface; not thrown by
 *                                  this body itself
 */
@Override
public EncryptedKeyVersion generateEncryptedKey(
    String encryptionKeyName) throws IOException, GeneralSecurityException {
  try {
    return encKeyVersionQueue.getNext(encryptionKeyName);
  } catch (ExecutionException e) {
    final Throwable cause = e.getCause();
    // Surface timeouts unwrapped; everything else becomes an IOException.
    if (cause instanceof SocketTimeoutException) {
      throw (SocketTimeoutException) cause;
    }
    throw new IOException(e);
  }
}
 
Example 18
Source Project: big-c   Source File: KMSClientProvider.java    License: Apache License 2.0 5 votes vote down vote up
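/**
 * Decrypts an encrypted key version (EEK) by POSTing it to the KMS EEK
 * sub-resource of the encryption key version that wrapped it, with the
 * decrypt operation selected via the query parameters.
 *
 * All argument validation happens before any network I/O. The nested
 * encrypted key version is null-checked before its version name is read, so
 * a malformed EEK fails with the descriptive "encryptedKey" check rather
 * than a bare {@link NullPointerException}; likewise the version-name
 * comparison is written so a {@code null} version name is reported by
 * {@code checkArgument} instead of throwing an NPE.
 *
 * @param encryptedKeyVersion the EEK to unwrap
 * @return the decrypted key version as returned by the KMS
 * @throws IOException              if the HTTP call fails or the KMS does not
 *                                  answer with HTTP 200 (status handling
 *                                  lives in {@code call})
 * @throws GeneralSecurityException declared by the interface; not thrown by
 *                                  this body itself
 * @throws IllegalArgumentException if the nested version name is not
 *                                  {@link KeyProviderCryptoExtension#EEK};
 *                                  missing fields are rejected by
 *                                  {@code checkNotNull}
 */
@SuppressWarnings("rawtypes")
@Override
public KeyVersion decryptEncryptedKey(
    EncryptedKeyVersion encryptedKeyVersion) throws IOException,
                                                    GeneralSecurityException {
  checkNotNull(encryptedKeyVersion.getEncryptionKeyVersionName(),
      "versionName");
  checkNotNull(encryptedKeyVersion.getEncryptedKeyIv(), "iv");
  // Must precede the getVersionName() dereference below; otherwise a missing
  // nested key version surfaces as an NPE instead of this check.
  checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");
  // Constant-first equals: a null version name yields the formatted message.
  Preconditions.checkArgument(
      KeyProviderCryptoExtension.EEK.equals(
          encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()),
      "encryptedKey version name must be '%s', is '%s'",
      KeyProviderCryptoExtension.EEK,
      encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
  );
  Map<String, String> params = new HashMap<String, String>();
  params.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_DECRYPT);
  Map<String, Object> jsonPayload = new HashMap<String, Object>();
  jsonPayload.put(KMSRESTConstants.NAME_FIELD,
      encryptedKeyVersion.getEncryptionKeyName());
  // IV and wrapped material travel Base64-encoded in the JSON body.
  jsonPayload.put(KMSRESTConstants.IV_FIELD, Base64.encodeBase64String(
      encryptedKeyVersion.getEncryptedKeyIv()));
  jsonPayload.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String(
          encryptedKeyVersion.getEncryptedKeyVersion().getMaterial()));
  // The request path is keyed by the encryption key *version* name.
  URL url = createURL(KMSRESTConstants.KEY_VERSION_RESOURCE,
      encryptedKeyVersion.getEncryptionKeyVersionName(),
      KMSRESTConstants.EEK_SUB_RESOURCE, params);
  HttpURLConnection conn = createConnection(url, HTTP_POST);
  conn.setRequestProperty(CONTENT_TYPE, APPLICATION_JSON_MIME);
  Map response =
      call(conn, jsonPayload, HttpURLConnection.HTTP_OK, Map.class);
  return parseJSONKeyVersion(response);
}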
 
Example 19
Source Project: big-c   Source File: TestKeyProviderCryptoExtension.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Round-trips an EEK: the material unwrapped by hand with AES/CTR must
 * equal what {@code decryptEncryptedKey} returns for an
 * {@code EncryptedKeyVersion} rebuilt through {@code createForDecryption}.
 */
@Test
public void testEncryptDecrypt() throws Exception {
  // Obtain a fresh EEK under the test encryption key.
  final KeyProviderCryptoExtension.EncryptedKeyVersion generated =
      kpExt.generateEncryptedKey(encryptionKey.getName());
  final byte[] wrappedIv = generated.getEncryptedKeyIv();
  final byte[] wrappedMaterial =
      generated.getEncryptedKeyVersion().getMaterial();

  // Reference value: unwrap it ourselves with the raw encryption key and the
  // same IV derivation the extension uses.
  final Cipher aesCtr = Cipher.getInstance("AES/CTR/NoPadding");
  aesCtr.init(Cipher.DECRYPT_MODE,
      new SecretKeySpec(encryptionKey.getMaterial(), "AES"),
      new IvParameterSpec(KeyProviderCryptoExtension.EncryptedKeyVersion
          .deriveIV(wrappedIv)));
  final byte[] expectedMaterial = aesCtr.doFinal(wrappedMaterial);

  // Rebuild the EEK from its parts via the factory under test.
  final EncryptedKeyVersion rebuilt = EncryptedKeyVersion.createForDecryption(
      generated.getEncryptionKeyName(),
      generated.getEncryptionKeyVersionName(),
      generated.getEncryptedKeyIv(),
      generated.getEncryptedKeyVersion().getMaterial());

  // The API's answer must match the manual unwrap.
  final KeyVersion viaApi = kpExt.decryptEncryptedKey(rebuilt);
  assertArrayEquals("Wrong key material from decryptEncryptedKey",
      expectedMaterial, viaApi.getMaterial());
}
 
Example 20
Source Project: big-c   Source File: KMSServerJSONUtils.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Serialises an {@link EncryptedKeyVersion} into the map shape used by the
 * KMS REST responses: version name, URL-safe Base64 IV and the nested
 * encrypted key version (delegated to the {@code KeyVersion} overload).
 *
 * @param encryptedKeyVersion the EEK to serialise; may be {@code null}
 * @return an insertion-ordered map; empty when the input is {@code null}
 */
@SuppressWarnings("unchecked")
public static Map toJSON(EncryptedKeyVersion encryptedKeyVersion) {
  final Map json = new LinkedHashMap();
  if (encryptedKeyVersion == null) {
    return json;
  }
  json.put(KMSRESTConstants.VERSION_NAME_FIELD,
      encryptedKeyVersion.getEncryptionKeyVersionName());
  // URL-safe alphabet, since the value may end up in a URL-ish context.
  json.put(KMSRESTConstants.IV_FIELD,
      Base64.encodeBase64URLSafeString(
          encryptedKeyVersion.getEncryptedKeyIv()));
  json.put(KMSRESTConstants.ENCRYPTED_KEY_VERSION_FIELD,
      toJSON(encryptedKeyVersion.getEncryptedKeyVersion()));
  return json;
}
 
Example 21
Source Project: hadoop   Source File: KMSClientProvider.java    License: Apache License 2.0 4 votes vote down vote up
/**
 * Creates a KMS client bound to the KMS service addressed by {@code uri}.
 *
 * Sets up, in order: the service URL derived from {@code uri}; a
 * client-mode {@link SSLFactory} only when that URL is https; the
 * connection configurator carrying the configured timeout; the local cache
 * of pre-generated encrypted key versions, sized per the
 * {@code KMS_CLIENT_ENC_KEY_CACHE_*} settings and refilled by an
 * {@code EncryptedQueueRefiller}; the delegation-token holder; and the UGI
 * this client acts as, which for a proxy-user caller is the real user.
 *
 * @param uri  KMS service URI; the KMS path is extracted from it
 * @param conf configuration supplying timeout, auth-retry, SSL and EEK
 *             cache settings
 * @throws IOException if the derived URL is malformed, SSL initialisation
 *                     fails (the {@link GeneralSecurityException} is kept as
 *                     the cause), or the current user cannot be resolved
 */
public KMSClientProvider(URI uri, Configuration conf) throws IOException {
  super(conf);
  kmsUrl = createServiceURL(extractKMSPath(uri));
  // TLS is configured only for https URLs. Over plain http this client adds
  // no transport protection to KMS traffic, and decryptEncryptedKey's
  // responses carry key material.
  if ("https".equalsIgnoreCase(new URL(kmsUrl).getProtocol())) {
    sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT, conf);
    try {
      sslFactory.init();
    } catch (GeneralSecurityException ex) {
      throw new IOException(ex);
    }
  }
  int timeout = conf.getInt(TIMEOUT_ATTR, DEFAULT_TIMEOUT);
  authRetry = conf.getInt(AUTH_RETRY, DEFAULT_AUTH_RETRY);
  // sslFactory is null for http; the configurator is expected to cope.
  configurator = new TimeoutConnConfigurator(timeout, sslFactory);
  // EEK cache: size, low-watermark refill trigger, entry expiry and refill
  // thread count all come from the public client config keys.
  encKeyVersionQueue =
      new ValueQueue<KeyProviderCryptoExtension.EncryptedKeyVersion>(
          conf.getInt(
              CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_SIZE,
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_SIZE_DEFAULT),
          conf.getFloat(
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_LOW_WATERMARK,
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_LOW_WATERMARK_DEFAULT),
          conf.getInt(
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_EXPIRY_MS,
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_EXPIRY_DEFAULT),
          conf.getInt(
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS,
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT),
          new EncryptedQueueRefiller());
  authToken = new DelegationTokenAuthenticatedURL.Token();
  // When running as a proxy user, authenticate to the KMS as the real user
  // behind the proxy rather than the proxied identity.
  actualUgi =
      (UserGroupInformation.getCurrentUser().getAuthenticationMethod() ==
      UserGroupInformation.AuthenticationMethod.PROXY) ? UserGroupInformation
          .getCurrentUser().getRealUser() : UserGroupInformation
          .getCurrentUser();
}
 
Example 22
Source Project: hadoop   Source File: TestKeyProviderCryptoExtension.java    License: Apache License 2.0 4 votes vote down vote up
/**
 * Generates an EEK and checks its shape, unwraps it (twice, expecting the
 * same result) and verifies that a second EEK differs from the first in
 * both decrypted material and IV.
 */
@Test
public void testGenerateEncryptedKey() throws Exception {
  final byte[] ekMaterial = encryptionKey.getMaterial();

  // A new EEK: named after the encryption key, versioned "EEK", and with
  // ciphertext the same length as the key it wraps.
  final KeyProviderCryptoExtension.EncryptedKeyVersion first =
      kpExt.generateEncryptedKey(encryptionKey.getName());
  assertEquals("Version name of EEK should be EEK",
      KeyProviderCryptoExtension.EEK,
      first.getEncryptedKeyVersion().getVersionName());
  assertEquals("Name of EEK should be encryption key name",
      ENCRYPTION_KEY_NAME, first.getEncryptionKeyName());
  final byte[] firstWrapped = first.getEncryptedKeyVersion().getMaterial();
  assertNotNull("Expected encrypted key material", firstWrapped);
  assertEquals("Length of encryption key material and EEK material should "
          + "be the same", ekMaterial.length, firstWrapped.length);

  // Unwrapping yields an "EK" of equal length whose bytes differ from both
  // the encryption key and the ciphertext; unwrapping again is deterministic.
  final KeyVersion unwrapped = kpExt.decryptEncryptedKey(first);
  assertEquals(KeyProviderCryptoExtension.EK, unwrapped.getVersionName());
  assertEquals(ekMaterial.length, unwrapped.getMaterial().length);
  if (Arrays.equals(unwrapped.getMaterial(), ekMaterial)) {
    fail("Encrypted key material should not equal encryption key material");
  }
  if (Arrays.equals(firstWrapped, ekMaterial)) {
    fail("Encrypted key material should not equal decrypted key material");
  }
  final KeyVersion unwrappedAgain = kpExt.decryptEncryptedKey(first);
  assertArrayEquals(unwrapped.getMaterial(), unwrappedAgain.getMaterial());

  // A second EEK must share neither decrypted material nor IV with the first.
  final KeyProviderCryptoExtension.EncryptedKeyVersion second =
      kpExt.generateEncryptedKey(encryptionKey.getName());
  final KeyVersion secondUnwrapped = kpExt.decryptEncryptedKey(second);
  if (Arrays.equals(unwrapped.getMaterial(), secondUnwrapped.getMaterial())) {
    fail("Generated EEKs should have different material!");
  }
  if (Arrays.equals(first.getEncryptedKeyIv(), second.getEncryptedKeyIv())) {
    fail("Generated EEKs should have different IVs!");
  }
}
 
Example 23
Source Project: hadoop   Source File: TestKeyAuthorizationKeyProvider.java    License: Apache License 2.0 4 votes vote down vote up
/**
 * An EEK whose encryption key name has been altered (an "x" appended) so it
 * no longer matches the key version it was wrapped under must be rejected
 * with an {@link IllegalArgumentException} rather than decrypted.
 */
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  final KeyProvider backing =
      new UserProvider.Factory().createProvider(new URI("user:///"), conf);

  // ACL mock: every op type is present for "testKey"; u1/u2/u3 each hold a
  // single op, "sudo" holds ALL and drives the whole flow below.
  final KeyACLs acls = mock(KeyACLs.class);
  when(acls.isACLPresent("testKey", KeyOpType.MANAGEMENT)).thenReturn(true);
  when(acls.isACLPresent("testKey", KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(acls.isACLPresent("testKey", KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(acls.isACLPresent("testKey", KeyOpType.ALL)).thenReturn(true);
  final UserGroupInformation manager =
      UserGroupInformation.createRemoteUser("u1");
  final UserGroupInformation generator =
      UserGroupInformation.createRemoteUser("u2");
  final UserGroupInformation decryptor =
      UserGroupInformation.createRemoteUser("u3");
  final UserGroupInformation sudo =
      UserGroupInformation.createRemoteUser("sudo");
  when(acls.hasAccessToKey("testKey", manager, KeyOpType.MANAGEMENT))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", generator, KeyOpType.GENERATE_EEK))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", decryptor, KeyOpType.DECRYPT_EEK))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", sudo, KeyOpType.ALL))
      .thenReturn(true);
  final KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(
      KeyProviderCryptoExtension.createKeyProviderCryptoExtension(backing),
      acls);

  sudo.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      final Options opt = newOptions(conf);
      final Map<String, String> attrs = new HashMap<String, String>();
      attrs.put("key.acl.name", "testKey");
      opt.setAttributes(attrs);
      final KeyVersion created =
          kpExt.createKey("foo", SecureRandom.getSeed(16), opt);
      kpExt.rollNewVersion(created.getName());
      kpExt.rollNewVersion(created.getName(), SecureRandom.getSeed(16));
      final EncryptedKeyVersion genuine =
          kpExt.generateEncryptedKey(created.getName());
      // Same version name, IV and material, but a tampered key name.
      final EncryptedKeyVersion mismatched =
          EncryptedKeyVersion.createForDecryption(
              genuine.getEncryptionKeyName() + "x",
              genuine.getEncryptionKeyVersionName(),
              genuine.getEncryptedKeyIv(),
              genuine.getEncryptedKeyVersion().getMaterial());
      kpExt.decryptEncryptedKey(mismatched);  // expected to throw
      return null;
    }
  });
}
 
Example 24
Source Project: big-c   Source File: KMSClientProvider.java    License: Apache License 2.0 4 votes vote down vote up
/**
 * Creates a KMS client bound to the KMS service addressed by {@code uri}.
 *
 * Sets up, in order: the service URL derived from {@code uri}; a
 * client-mode {@link SSLFactory} only when that URL is https; the
 * connection configurator carrying the configured timeout; the local cache
 * of pre-generated encrypted key versions, sized per the
 * {@code KMS_CLIENT_ENC_KEY_CACHE_*} settings and refilled by an
 * {@code EncryptedQueueRefiller}; the delegation-token holder; and the UGI
 * this client acts as, which for a proxy-user caller is the real user.
 *
 * @param uri  KMS service URI; the KMS path is extracted from it
 * @param conf configuration supplying timeout, auth-retry, SSL and EEK
 *             cache settings
 * @throws IOException if the derived URL is malformed, SSL initialisation
 *                     fails (the {@link GeneralSecurityException} is kept as
 *                     the cause), or the current user cannot be resolved
 */
public KMSClientProvider(URI uri, Configuration conf) throws IOException {
  super(conf);
  kmsUrl = createServiceURL(extractKMSPath(uri));
  // TLS is configured only for https URLs. Over plain http this client adds
  // no transport protection to KMS traffic, and decryptEncryptedKey's
  // responses carry key material.
  if ("https".equalsIgnoreCase(new URL(kmsUrl).getProtocol())) {
    sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT, conf);
    try {
      sslFactory.init();
    } catch (GeneralSecurityException ex) {
      throw new IOException(ex);
    }
  }
  int timeout = conf.getInt(TIMEOUT_ATTR, DEFAULT_TIMEOUT);
  authRetry = conf.getInt(AUTH_RETRY, DEFAULT_AUTH_RETRY);
  // sslFactory is null for http; the configurator is expected to cope.
  configurator = new TimeoutConnConfigurator(timeout, sslFactory);
  // EEK cache: size, low-watermark refill trigger, entry expiry and refill
  // thread count all come from the public client config keys.
  encKeyVersionQueue =
      new ValueQueue<KeyProviderCryptoExtension.EncryptedKeyVersion>(
          conf.getInt(
              CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_SIZE,
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_SIZE_DEFAULT),
          conf.getFloat(
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_LOW_WATERMARK,
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_LOW_WATERMARK_DEFAULT),
          conf.getInt(
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_EXPIRY_MS,
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_EXPIRY_DEFAULT),
          conf.getInt(
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS,
              CommonConfigurationKeysPublic.
                  KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT),
          new EncryptedQueueRefiller());
  authToken = new DelegationTokenAuthenticatedURL.Token();
  // When running as a proxy user, authenticate to the KMS as the real user
  // behind the proxy rather than the proxied identity.
  actualUgi =
      (UserGroupInformation.getCurrentUser().getAuthenticationMethod() ==
      UserGroupInformation.AuthenticationMethod.PROXY) ? UserGroupInformation
          .getCurrentUser().getRealUser() : UserGroupInformation
          .getCurrentUser();
}
 
Example 25
Source Project: big-c   Source File: TestKeyProviderCryptoExtension.java    License: Apache License 2.0 4 votes vote down vote up
/**
 * Generates an EEK and checks its shape, unwraps it (twice, expecting the
 * same result) and verifies that a second EEK differs from the first in
 * both decrypted material and IV.
 */
@Test
public void testGenerateEncryptedKey() throws Exception {
  final byte[] ekMaterial = encryptionKey.getMaterial();

  // A new EEK: named after the encryption key, versioned "EEK", and with
  // ciphertext the same length as the key it wraps.
  final KeyProviderCryptoExtension.EncryptedKeyVersion first =
      kpExt.generateEncryptedKey(encryptionKey.getName());
  assertEquals("Version name of EEK should be EEK",
      KeyProviderCryptoExtension.EEK,
      first.getEncryptedKeyVersion().getVersionName());
  assertEquals("Name of EEK should be encryption key name",
      ENCRYPTION_KEY_NAME, first.getEncryptionKeyName());
  final byte[] firstWrapped = first.getEncryptedKeyVersion().getMaterial();
  assertNotNull("Expected encrypted key material", firstWrapped);
  assertEquals("Length of encryption key material and EEK material should "
          + "be the same", ekMaterial.length, firstWrapped.length);

  // Unwrapping yields an "EK" of equal length whose bytes differ from both
  // the encryption key and the ciphertext; unwrapping again is deterministic.
  final KeyVersion unwrapped = kpExt.decryptEncryptedKey(first);
  assertEquals(KeyProviderCryptoExtension.EK, unwrapped.getVersionName());
  assertEquals(ekMaterial.length, unwrapped.getMaterial().length);
  if (Arrays.equals(unwrapped.getMaterial(), ekMaterial)) {
    fail("Encrypted key material should not equal encryption key material");
  }
  if (Arrays.equals(firstWrapped, ekMaterial)) {
    fail("Encrypted key material should not equal decrypted key material");
  }
  final KeyVersion unwrappedAgain = kpExt.decryptEncryptedKey(first);
  assertArrayEquals(unwrapped.getMaterial(), unwrappedAgain.getMaterial());

  // A second EEK must share neither decrypted material nor IV with the first.
  final KeyProviderCryptoExtension.EncryptedKeyVersion second =
      kpExt.generateEncryptedKey(encryptionKey.getName());
  final KeyVersion secondUnwrapped = kpExt.decryptEncryptedKey(second);
  if (Arrays.equals(unwrapped.getMaterial(), secondUnwrapped.getMaterial())) {
    fail("Generated EEKs should have different material!");
  }
  if (Arrays.equals(first.getEncryptedKeyIv(), second.getEncryptedKeyIv())) {
    fail("Generated EEKs should have different IVs!");
  }
}
 
Example 26
Source Project: big-c   Source File: TestKeyAuthorizationKeyProvider.java    License: Apache License 2.0 4 votes vote down vote up
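/**
 * Verifies that an EEK whose encryption key name no longer matches the key
 * version name it was generated under is rejected on decryption.
 *
 * <p>A {@code sudo} user holding {@code ALL} access creates a key, rolls it
 * twice, generates an EEK for it and then rebuilds that EEK with the key name
 * altered. {@code decryptEncryptedKey} is expected to throw
 * {@link IllegalArgumentException} instead of decrypting the material under a
 * key other than the one it was wrapped with.
 *
 * @throws Exception on any unexpected provider or UGI failure
 */
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  KeyProvider kp =
      new UserProvider.Factory().createProvider(new URI("user:///"), conf);

  // ACLs exist for every operation on "testKey". u1/u2/u3 each hold a single
  // operation; only sudo holds ALL, and sudo is the user the test runs as.
  KeyACLs mock = mock(KeyACLs.class);
  when(mock.isACLPresent("testKey", KeyOpType.MANAGEMENT)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(mock.isACLPresent("testKey", KeyOpType.ALL)).thenReturn(true);
  UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
  UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
  UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
  UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
  when(mock.hasAccessToKey("testKey", u1,
      KeyOpType.MANAGEMENT)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", u2,
      KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", u3,
      KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(mock.hasAccessToKey("testKey", sudo,
      KeyOpType.ALL)).thenReturn(true);
  final KeyProviderCryptoExtension kpExt =
      new KeyAuthorizationKeyProvider(
          KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp),
          mock);

  sudo.doAs(
      new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
          Options opt = newOptions(conf);
          // "key.acl.name" presumably maps the key "foo" onto the "testKey"
          // ACLs mocked above — confirm against KeyAuthorizationKeyProvider.
          Map<String, String> m = new HashMap<>();
          m.put("key.acl.name", "testKey");
          opt.setAttributes(m);

          // Draw key material from a SecureRandom instance rather than
          // SecureRandom.getSeed(), which goes through the seed generator and
          // can block waiting for entropy on some platforms.
          SecureRandom rng = new SecureRandom();
          byte[] initialMaterial = new byte[16];
          rng.nextBytes(initialMaterial);
          KeyVersion kv = kpExt.createKey("foo", initialMaterial, opt);
          kpExt.rollNewVersion(kv.getName());
          byte[] rolledMaterial = new byte[16];
          rng.nextBytes(rolledMaterial);
          kpExt.rollNewVersion(kv.getName(), rolledMaterial);

          EncryptedKeyVersion ekv = kpExt.generateEncryptedKey(kv.getName());
          // Rebuild the EEK with a key name that does not match the version
          // name it was generated under; decryption must reject the mismatch.
          ekv = EncryptedKeyVersion.createForDecryption(
              ekv.getEncryptionKeyName() + "x",
              ekv.getEncryptionKeyVersionName(),
              ekv.getEncryptedKeyIv(),
              ekv.getEncryptedKeyVersion().getMaterial());
          kpExt.decryptEncryptedKey(ekv);
          return null;
        }
      }
  );
}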
 
Example 27
Source Project: ranger   Source File: KMS.java    License: Apache License 2.0
/**
 * Asks {@code provider} to re-encrypt the EEK described by the captured
 * {@code keyName}, {@code versionName}, {@code iv} and {@code encMaterial}.
 *
 * <p>The wrapped version is built with the {@code EEK} version name, the only
 * version name the crypto extension uses for encrypted key material.
 *
 * @return whatever {@code provider.reencryptEncryptedKey} returns
 * @throws Exception if the provider fails to re-encrypt
 */
@Override
public EncryptedKeyVersion run() throws Exception {
  KMSClientProvider.KMSEncryptedKeyVersion toReencrypt =
      new KMSClientProvider.KMSEncryptedKeyVersion(
          keyName, versionName, iv, KeyProviderCryptoExtension.EEK, encMaterial);
  return provider.reencryptEncryptedKey(toReencrypt);
}
 
Example 28
Source Project: ranger   Source File: TestKeyAuthorizationKeyProvider.java    License: Apache License 2.0
/**
 * Decrypting an EEK whose encryption key name has been altered so that it no
 * longer matches its key version name must fail with
 * {@link IllegalArgumentException}.
 *
 * <p>The test runs as {@code sudo}, the only user granted {@code ALL} on
 * {@code "testKey"}; it creates a key, rolls it twice, generates an EEK and
 * then feeds a renamed copy of that EEK back into
 * {@code decryptEncryptedKey}.
 *
 * @throws Exception on any unexpected provider or UGI failure
 */
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  KeyProvider backingProvider =
      new UserProvider.Factory().createProvider(new URI("user:///"), conf);

  // Every operation on "testKey" has an ACL; one user per operation, and
  // sudo for ALL.
  KeyACLs acls = mock(KeyACLs.class);
  when(acls.isACLPresent("testKey", KeyOpType.MANAGEMENT)).thenReturn(true);
  when(acls.isACLPresent("testKey", KeyOpType.GENERATE_EEK)).thenReturn(true);
  when(acls.isACLPresent("testKey", KeyOpType.DECRYPT_EEK)).thenReturn(true);
  when(acls.isACLPresent("testKey", KeyOpType.ALL)).thenReturn(true);

  UserGroupInformation managementUser = UserGroupInformation.createRemoteUser("u1");
  UserGroupInformation generateUser = UserGroupInformation.createRemoteUser("u2");
  UserGroupInformation decryptUser = UserGroupInformation.createRemoteUser("u3");
  UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
  when(acls.hasAccessToKey("testKey", managementUser, KeyOpType.MANAGEMENT))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", generateUser, KeyOpType.GENERATE_EEK))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", decryptUser, KeyOpType.DECRYPT_EEK))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", sudo, KeyOpType.ALL))
      .thenReturn(true);

  final KeyProviderCryptoExtension authorizingProvider =
      new KeyAuthorizationKeyProvider(
          KeyProviderCryptoExtension.createKeyProviderCryptoExtension(backingProvider),
          acls);

  sudo.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      Options opt = newOptions(conf);
      // "key.acl.name" presumably ties the key "foo" to the "testKey" ACLs
      // mocked above — confirm against KeyAuthorizationKeyProvider.
      Map<String, String> attrs = new HashMap<>();
      attrs.put("key.acl.name", "testKey");
      opt.setAttributes(attrs);

      byte[] initialMaterial = new byte[16];
      SECURE_RANDOM.nextBytes(initialMaterial);
      KeyVersion created = authorizingProvider.createKey("foo", initialMaterial, opt);
      authorizingProvider.rollNewVersion(created.getName());

      byte[] rolledMaterial = new byte[16];
      SECURE_RANDOM.nextBytes(rolledMaterial);
      authorizingProvider.rollNewVersion(created.getName(), rolledMaterial);

      EncryptedKeyVersion generated =
          authorizingProvider.generateEncryptedKey(created.getName());
      // Same IV, version name and ciphertext, but a key name that no longer
      // matches the version name: decryption is expected to refuse it.
      EncryptedKeyVersion renamed = EncryptedKeyVersion.createForDecryption(
          generated.getEncryptionKeyName() + "x",
          generated.getEncryptionKeyVersionName(),
          generated.getEncryptedKeyIv(),
          generated.getEncryptedKeyVersion().getMaterial());
      authorizingProvider.decryptEncryptedKey(renamed);
      return null;
    }
  });
}