Java Code Examples for org.apache.hadoop.crypto.CryptoCodec#getInstance()

The following examples show how to use org.apache.hadoop.crypto.CryptoCodec#getInstance() . These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source Project: hadoop-ozone   File: OzoneKMSUtil.java    License: Apache License 2.0 6 votes vote down vote up
public static CryptoCodec getCryptoCodec(ConfigurationSource conf,
    FileEncryptionInfo feInfo) throws IOException {
  CipherSuite suite = feInfo.getCipherSuite();
  if (suite.equals(CipherSuite.UNKNOWN)) {
    throw new IOException("NameNode specified unknown CipherSuite with ID " +
            suite.getUnknownValue() + ", cannot instantiate CryptoCodec.");
  } else {
    Configuration hadoopConfig =
        LegacyHadoopConfigurationSource.asHadoopConfiguration(conf);
    CryptoCodec codec = CryptoCodec.getInstance(hadoopConfig, suite);
    if (codec == null) {
      throw new OMException("No configuration found for the cipher suite " +
              suite.getConfigSuffix() + " prefixed with " +
              "hadoop.security.crypto.codec.classes. Please see the" +
              " example configuration hadoop.security.crypto.codec.classes." +
              "EXAMPLE CIPHER SUITE at core-default.xml for details.",
              OMException.ResultCodes.UNKNOWN_CIPHER_SUITE);
    } else {
      return codec;
    }
  }
}
 
Example 2
Source Project: hadoop   File: CryptoUtils.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Wraps a given FSDataOutputStream with a CryptoOutputStream. The size of the
 * data buffer required for the stream is specified by the
 * "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration
 * variable.
 * 
 * @param conf
 * @param out
 * @return FSDataOutputStream
 * @throws IOException
 */
public static FSDataOutputStream wrapIfNecessary(Configuration conf,
    FSDataOutputStream out) throws IOException {
  if (isEncryptedSpillEnabled(conf)) {
    out.write(ByteBuffer.allocate(8).putLong(out.getPos()).array());
    byte[] iv = createIV(conf);
    out.write(iv);
    if (LOG.isDebugEnabled()) {
      LOG.debug("IV written to Stream ["
          + Base64.encodeBase64URLSafeString(iv) + "]");
    }
    return new CryptoFSDataOutputStream(out, CryptoCodec.getInstance(conf),
        getBufferSize(conf), getEncryptionKey(), iv);
  } else {
    return out;
  }
}
 
Example 3
Source Project: hadoop   File: CryptoUtils.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Wraps a given InputStream with a CryptoInputStream. The size of the data
 * buffer required for the stream is specified by the
 * "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration
 * variable.
 * 
 * If the value of 'length' is > -1, The InputStream is additionally
 * wrapped in a LimitInputStream. CryptoStreams are late buffering in nature.
 * This means they will always try to read ahead if they can. The
 * LimitInputStream will ensure that the CryptoStream does not read past the
 * provided length from the given Input Stream.
 * 
 * @param conf
 * @param in
 * @param length
 * @return InputStream
 * @throws IOException
 */
public static InputStream wrapIfNecessary(Configuration conf, InputStream in,
    long length) throws IOException {
  if (isEncryptedSpillEnabled(conf)) {
    int bufferSize = getBufferSize(conf);
    if (length > -1) {
      in = new LimitInputStream(in, length);
    }
    byte[] offsetArray = new byte[8];
    IOUtils.readFully(in, offsetArray, 0, 8);
    long offset = ByteBuffer.wrap(offsetArray).getLong();
    CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf);
    byte[] iv = 
        new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()];
    IOUtils.readFully(in, iv, 0, 
        cryptoCodec.getCipherSuite().getAlgorithmBlockSize());
    if (LOG.isDebugEnabled()) {
      LOG.debug("IV read from ["
          + Base64.encodeBase64URLSafeString(iv) + "]");
    }
    return new CryptoInputStream(in, cryptoCodec, bufferSize,
        getEncryptionKey(), iv, offset + cryptoPadding(conf));
  } else {
    return in;
  }
}
 
Example 4
Source Project: hadoop   File: CryptoUtils.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Wraps a given FSDataInputStream with a CryptoInputStream. The size of the
 * data buffer required for the stream is specified by the
 * "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration
 * variable.
 * 
 * @param conf
 * @param in
 * @return FSDataInputStream
 * @throws IOException
 */
public static FSDataInputStream wrapIfNecessary(Configuration conf,
    FSDataInputStream in) throws IOException {
  if (isEncryptedSpillEnabled(conf)) {
    CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf);
    int bufferSize = getBufferSize(conf);
    // Not going to be used... but still has to be read...
    // Since the O/P stream always writes it..
    IOUtils.readFully(in, new byte[8], 0, 8);
    byte[] iv = 
        new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()];
    IOUtils.readFully(in, iv, 0, 
        cryptoCodec.getCipherSuite().getAlgorithmBlockSize());
    if (LOG.isDebugEnabled()) {
      LOG.debug("IV read from Stream ["
          + Base64.encodeBase64URLSafeString(iv) + "]");
    }
    return new CryptoFSDataInputStream(in, cryptoCodec, bufferSize,
        getEncryptionKey(), iv);
  } else {
    return in;
  }
}
 
Example 5
Source Project: hadoop   File: DataTransferSaslUtil.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Create IOStreamPair of {@link org.apache.hadoop.crypto.CryptoInputStream}
 * and {@link org.apache.hadoop.crypto.CryptoOutputStream}
 * 
 * @param conf the configuration
 * @param cipherOption negotiated cipher option
 * @param out underlying output stream
 * @param in underlying input stream
 * @param isServer is server side
 * @return IOStreamPair the stream pair
 * @throws IOException for any error
 */
public static IOStreamPair createStreamPair(Configuration conf,
    CipherOption cipherOption, OutputStream out, InputStream in, 
    boolean isServer) throws IOException {
  if (LOG.isDebugEnabled()) {
    LOG.debug("Creating IOStreamPair of CryptoInputStream and " +
        "CryptoOutputStream.");
  }
  CryptoCodec codec = CryptoCodec.getInstance(conf, 
      cipherOption.getCipherSuite());
  byte[] inKey = cipherOption.getInKey();
  byte[] inIv = cipherOption.getInIv();
  byte[] outKey = cipherOption.getOutKey();
  byte[] outIv = cipherOption.getOutIv();
  InputStream cIn = new CryptoInputStream(in, codec, 
      isServer ? inKey : outKey, isServer ? inIv : outIv);
  OutputStream cOut = new CryptoOutputStream(out, codec, 
      isServer ? outKey : inKey, isServer ? outIv : inIv);
  return new IOStreamPair(cIn, cOut);
}
 
Example 6
Source Project: hadoop   File: DFSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Obtain a CryptoCodec based on the CipherSuite set in a FileEncryptionInfo
 * and the available CryptoCodecs configured in the Configuration.
 *
 * @param conf   Configuration
 * @param feInfo FileEncryptionInfo
 * @return CryptoCodec
 * @throws IOException if no suitable CryptoCodec for the CipherSuite is
 *                     available.
 */
private static CryptoCodec getCryptoCodec(Configuration conf,
    FileEncryptionInfo feInfo) throws IOException {
  final CipherSuite suite = feInfo.getCipherSuite();
  if (suite.equals(CipherSuite.UNKNOWN)) {
    throw new IOException("NameNode specified unknown CipherSuite with ID "
        + suite.getUnknownValue() + ", cannot instantiate CryptoCodec.");
  }
  final CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
  if (codec == null) {
    throw new UnknownCipherSuiteException(
        "No configuration found for the cipher suite "
        + suite.getConfigSuffix() + " prefixed with "
        + HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX
        + ". Please see the example configuration "
        + "hadoop.security.crypto.codec.classes.EXAMPLECIPHERSUITE "
        + "at core-default.xml for details.");
  }
  return codec;
}
 
Example 7
/**
 * O
 * btain a CryptoCodec based on the CipherSuite set in a FileEncryptionInfo
 * and the available CryptoCodecs configured in the Configuration.
 *
 * @param conf   Configuration
 * @param feInfo FileEncryptionInfo
 * @return CryptoCodec
 * @throws IOException if no suitable CryptoCodec for the CipherSuite is
 *                     available.
 */
private static CryptoCodec getCryptoCodec(Configuration conf,
                                          FileEncryptionInfo feInfo) throws IOException {
    final CipherSuite suite = feInfo.getCipherSuite();
    if (suite.equals(CipherSuite.UNKNOWN)) {
        throw new IOException("NameNode specified unknown CipherSuite with ID "
                + suite.getUnknownValue() + ", cannot instantiate CryptoCodec.");
    }
    final CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
    if (codec == null) {
        throw new UnknownCipherSuiteException(
                "No configuration found for the cipher suite "
                        + suite.getConfigSuffix() + " prefixed with "
                        + HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX
                        + ". Please see the example configuration "
                        + "hadoop.security.crypto.codec.classes.EXAMPLECIPHERSUITE "
                        + "at core-default.xml for details.");
    }
    return codec;
}
 
Example 8
Source Project: big-c   File: CryptoUtils.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Wraps a given FSDataOutputStream with a CryptoOutputStream. The size of the
 * data buffer required for the stream is specified by the
 * "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration
 * variable.
 * 
 * @param conf
 * @param out
 * @return FSDataOutputStream
 * @throws IOException
 */
public static FSDataOutputStream wrapIfNecessary(Configuration conf,
    FSDataOutputStream out) throws IOException {
  if (isEncryptedSpillEnabled(conf)) {
    out.write(ByteBuffer.allocate(8).putLong(out.getPos()).array());
    byte[] iv = createIV(conf);
    out.write(iv);
    if (LOG.isDebugEnabled()) {
      LOG.debug("IV written to Stream ["
          + Base64.encodeBase64URLSafeString(iv) + "]");
    }
    return new CryptoFSDataOutputStream(out, CryptoCodec.getInstance(conf),
        getBufferSize(conf), getEncryptionKey(), iv);
  } else {
    return out;
  }
}
 
Example 9
Source Project: big-c   File: CryptoUtils.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Wraps a given InputStream with a CryptoInputStream. The size of the data
 * buffer required for the stream is specified by the
 * "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration
 * variable.
 * 
 * If the value of 'length' is > -1, The InputStream is additionally
 * wrapped in a LimitInputStream. CryptoStreams are late buffering in nature.
 * This means they will always try to read ahead if they can. The
 * LimitInputStream will ensure that the CryptoStream does not read past the
 * provided length from the given Input Stream.
 * 
 * @param conf
 * @param in
 * @param length
 * @return InputStream
 * @throws IOException
 */
public static InputStream wrapIfNecessary(Configuration conf, InputStream in,
    long length) throws IOException {
  if (isEncryptedSpillEnabled(conf)) {
    int bufferSize = getBufferSize(conf);
    if (length > -1) {
      in = new LimitInputStream(in, length);
    }
    byte[] offsetArray = new byte[8];
    IOUtils.readFully(in, offsetArray, 0, 8);
    long offset = ByteBuffer.wrap(offsetArray).getLong();
    CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf);
    byte[] iv = 
        new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()];
    IOUtils.readFully(in, iv, 0, 
        cryptoCodec.getCipherSuite().getAlgorithmBlockSize());
    if (LOG.isDebugEnabled()) {
      LOG.debug("IV read from ["
          + Base64.encodeBase64URLSafeString(iv) + "]");
    }
    return new CryptoInputStream(in, cryptoCodec, bufferSize,
        getEncryptionKey(), iv, offset + cryptoPadding(conf));
  } else {
    return in;
  }
}
 
Example 10
Source Project: big-c   File: CryptoUtils.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Wraps a given FSDataInputStream with a CryptoInputStream. The size of the
 * data buffer required for the stream is specified by the
 * "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration
 * variable.
 * 
 * @param conf
 * @param in
 * @return FSDataInputStream
 * @throws IOException
 */
public static FSDataInputStream wrapIfNecessary(Configuration conf,
    FSDataInputStream in) throws IOException {
  if (isEncryptedSpillEnabled(conf)) {
    CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf);
    int bufferSize = getBufferSize(conf);
    // Not going to be used... but still has to be read...
    // Since the O/P stream always writes it..
    IOUtils.readFully(in, new byte[8], 0, 8);
    byte[] iv = 
        new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()];
    IOUtils.readFully(in, iv, 0, 
        cryptoCodec.getCipherSuite().getAlgorithmBlockSize());
    if (LOG.isDebugEnabled()) {
      LOG.debug("IV read from Stream ["
          + Base64.encodeBase64URLSafeString(iv) + "]");
    }
    return new CryptoFSDataInputStream(in, cryptoCodec, bufferSize,
        getEncryptionKey(), iv);
  } else {
    return in;
  }
}
 
Example 11
Source Project: big-c   File: DFSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Obtain a CryptoCodec based on the CipherSuite set in a FileEncryptionInfo
 * and the available CryptoCodecs configured in the Configuration.
 *
 * @param conf   Configuration
 * @param feInfo FileEncryptionInfo
 * @return CryptoCodec
 * @throws IOException if no suitable CryptoCodec for the CipherSuite is
 *                     available.
 */
private static CryptoCodec getCryptoCodec(Configuration conf,
    FileEncryptionInfo feInfo) throws IOException {
  final CipherSuite suite = feInfo.getCipherSuite();
  if (suite.equals(CipherSuite.UNKNOWN)) {
    throw new IOException("NameNode specified unknown CipherSuite with ID "
        + suite.getUnknownValue() + ", cannot instantiate CryptoCodec.");
  }
  final CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
  if (codec == null) {
    throw new UnknownCipherSuiteException(
        "No configuration found for the cipher suite "
        + suite.getConfigSuffix() + " prefixed with "
        + HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX
        + ". Please see the example configuration "
        + "hadoop.security.crypto.codec.classes.EXAMPLECIPHERSUITE "
        + "at core-default.xml for details.");
  }
  return codec;
}
 
Example 12
Source Project: hadoop   File: CryptoUtils.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * This method creates and initializes an IV (Initialization Vector)
 * 
 * @param conf
 * @return byte[]
 * @throws IOException
 */
public static byte[] createIV(Configuration conf) throws IOException {
  CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf);
  if (isEncryptedSpillEnabled(conf)) {
    byte[] iv = new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()];
    cryptoCodec.generateSecureRandom(iv);
    return iv;
  } else {
    return null;
  }
}
 
Example 13
Source Project: hadoop   File: DataTransferSaslUtil.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Negotiate a cipher option which server supports.
 * 
 * @param conf the configuration
 * @param options the cipher options which client supports
 * @return CipherOption negotiated cipher option
 */
public static CipherOption negotiateCipherOption(Configuration conf,
    List<CipherOption> options) throws IOException {
  // Negotiate cipher suites if configured.  Currently, the only supported
  // cipher suite is AES/CTR/NoPadding, but the protocol allows multiple
  // values for future expansion.
  String cipherSuites = conf.get(DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY);
  if (cipherSuites == null || cipherSuites.isEmpty()) {
    return null;
  }
  if (!cipherSuites.equals(CipherSuite.AES_CTR_NOPADDING.getName())) {
    throw new IOException(String.format("Invalid cipher suite, %s=%s",
        DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY, cipherSuites));
  }
  if (options != null) {
    for (CipherOption option : options) {
      CipherSuite suite = option.getCipherSuite();
      if (suite == CipherSuite.AES_CTR_NOPADDING) {
        int keyLen = conf.getInt(
            DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_KEY,
            DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_DEFAULT) / 8;
        CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
        byte[] inKey = new byte[keyLen];
        byte[] inIv = new byte[suite.getAlgorithmBlockSize()];
        byte[] outKey = new byte[keyLen];
        byte[] outIv = new byte[suite.getAlgorithmBlockSize()];
        codec.generateSecureRandom(inKey);
        codec.generateSecureRandom(inIv);
        codec.generateSecureRandom(outKey);
        codec.generateSecureRandom(outIv);
        return new CipherOption(suite, inKey, inIv, outKey, outIv);
      }
    }
  }
  return null;
}
 
Example 14
Source Project: hadoop   File: TestHdfsCryptoStreams.java    License: Apache License 2.0 5 votes vote down vote up
@BeforeClass
public static void init() throws Exception {
  Configuration conf = new HdfsConfiguration();
  dfsCluster = new MiniDFSCluster.Builder(conf).build();
  dfsCluster.waitClusterUp();
  fs = dfsCluster.getFileSystem();
  codec = CryptoCodec.getInstance(conf);
}
 
Example 15
@Override
public EncryptedKeyVersion generateEncryptedKey(String encryptionKeyName)
    throws IOException, GeneralSecurityException {
  // Fetch the encryption key
  KeyVersion encryptionKey = keyProvider.getCurrentKey(encryptionKeyName);
  Preconditions.checkNotNull(encryptionKey,
      "No KeyVersion exists for key '%s' ", encryptionKeyName);
  // Generate random bytes for new key and IV

  CryptoCodec cc = CryptoCodec.getInstance(keyProvider.getConf());
  final byte[] newKey = new byte[encryptionKey.getMaterial().length];
  cc.generateSecureRandom(newKey);
  final byte[] iv = new byte[cc.getCipherSuite().getAlgorithmBlockSize()];
  cc.generateSecureRandom(iv);
  // Encryption key IV is derived from new key's IV
  final byte[] encryptionIV = EncryptedKeyVersion.deriveIV(iv);
  Encryptor encryptor = cc.createEncryptor();
  encryptor.init(encryptionKey.getMaterial(), encryptionIV);
  int keyLen = newKey.length;
  ByteBuffer bbIn = ByteBuffer.allocateDirect(keyLen);
  ByteBuffer bbOut = ByteBuffer.allocateDirect(keyLen);
  bbIn.put(newKey);
  bbIn.flip();
  encryptor.encrypt(bbIn, bbOut);
  bbOut.flip();
  byte[] encryptedKey = new byte[keyLen];
  bbOut.get(encryptedKey);    
  return new EncryptedKeyVersion(encryptionKeyName,
      encryptionKey.getVersionName(), iv,
      new KeyVersion(encryptionKey.getName(), EEK, encryptedKey));
}
 
Example 16
Source Project: big-c   File: CryptoUtils.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * This method creates and initializes an IV (Initialization Vector)
 * 
 * @param conf
 * @return byte[]
 * @throws IOException
 */
public static byte[] createIV(Configuration conf) throws IOException {
  CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf);
  if (isEncryptedSpillEnabled(conf)) {
    byte[] iv = new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()];
    cryptoCodec.generateSecureRandom(iv);
    return iv;
  } else {
    return null;
  }
}
 
Example 17
Source Project: big-c   File: DataTransferSaslUtil.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Negotiate a cipher option which server supports.
 * 
 * @param conf the configuration
 * @param options the cipher options which client supports
 * @return CipherOption negotiated cipher option
 */
public static CipherOption negotiateCipherOption(Configuration conf,
    List<CipherOption> options) throws IOException {
  // Negotiate cipher suites if configured.  Currently, the only supported
  // cipher suite is AES/CTR/NoPadding, but the protocol allows multiple
  // values for future expansion.
  String cipherSuites = conf.get(DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY);
  if (cipherSuites == null || cipherSuites.isEmpty()) {
    return null;
  }
  if (!cipherSuites.equals(CipherSuite.AES_CTR_NOPADDING.getName())) {
    throw new IOException(String.format("Invalid cipher suite, %s=%s",
        DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY, cipherSuites));
  }
  if (options != null) {
    for (CipherOption option : options) {
      CipherSuite suite = option.getCipherSuite();
      if (suite == CipherSuite.AES_CTR_NOPADDING) {
        int keyLen = conf.getInt(
            DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_KEY,
            DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_DEFAULT) / 8;
        CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
        byte[] inKey = new byte[keyLen];
        byte[] inIv = new byte[suite.getAlgorithmBlockSize()];
        byte[] outKey = new byte[keyLen];
        byte[] outIv = new byte[suite.getAlgorithmBlockSize()];
        codec.generateSecureRandom(inKey);
        codec.generateSecureRandom(inIv);
        codec.generateSecureRandom(outKey);
        codec.generateSecureRandom(outIv);
        return new CipherOption(suite, inKey, inIv, outKey, outIv);
      }
    }
  }
  return null;
}
 
Example 18
@Override
public KeyVersion decryptEncryptedKey(
    EncryptedKeyVersion encryptedKeyVersion) throws IOException,
    GeneralSecurityException {
  // Fetch the encryption key material
  final String encryptionKeyVersionName =
      encryptedKeyVersion.getEncryptionKeyVersionName();
  final KeyVersion encryptionKey =
      keyProvider.getKeyVersion(encryptionKeyVersionName);
  Preconditions.checkNotNull(encryptionKey,
      "KeyVersion name '%s' does not exist", encryptionKeyVersionName);
  Preconditions.checkArgument(
          encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
                .equals(KeyProviderCryptoExtension.EEK),
            "encryptedKey version name must be '%s', is '%s'",
            KeyProviderCryptoExtension.EEK,
            encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
        );

  // Encryption key IV is determined from encrypted key's IV
  final byte[] encryptionIV =
      EncryptedKeyVersion.deriveIV(encryptedKeyVersion.getEncryptedKeyIv());

  CryptoCodec cc = CryptoCodec.getInstance(keyProvider.getConf());
  Decryptor decryptor = cc.createDecryptor();
  decryptor.init(encryptionKey.getMaterial(), encryptionIV);
  final KeyVersion encryptedKV =
      encryptedKeyVersion.getEncryptedKeyVersion();
  int keyLen = encryptedKV.getMaterial().length;
  ByteBuffer bbIn = ByteBuffer.allocateDirect(keyLen);
  ByteBuffer bbOut = ByteBuffer.allocateDirect(keyLen);
  bbIn.put(encryptedKV.getMaterial());
  bbIn.flip();
  decryptor.decrypt(bbIn, bbOut);
  bbOut.flip();
  byte[] decryptedKey = new byte[keyLen];
  bbOut.get(decryptedKey);
  return new KeyVersion(encryptionKey.getName(), EK, decryptedKey);
}
 
Example 19
Source Project: big-c   File: TestHdfsCryptoStreams.java    License: Apache License 2.0 5 votes vote down vote up
@BeforeClass
public static void init() throws Exception {
  Configuration conf = new HdfsConfiguration();
  dfsCluster = new MiniDFSCluster.Builder(conf).build();
  dfsCluster.waitClusterUp();
  fs = dfsCluster.getFileSystem();
  codec = CryptoCodec.getInstance(conf);
}
 
Example 20
@Override
public EncryptedKeyVersion generateEncryptedKey(String encryptionKeyName)
    throws IOException, GeneralSecurityException {
  // Fetch the encryption key
  KeyVersion encryptionKey = keyProvider.getCurrentKey(encryptionKeyName);
  Preconditions.checkNotNull(encryptionKey,
      "No KeyVersion exists for key '%s' ", encryptionKeyName);
  // Generate random bytes for new key and IV

  CryptoCodec cc = CryptoCodec.getInstance(keyProvider.getConf());
  final byte[] newKey = new byte[encryptionKey.getMaterial().length];
  cc.generateSecureRandom(newKey);
  final byte[] iv = new byte[cc.getCipherSuite().getAlgorithmBlockSize()];
  cc.generateSecureRandom(iv);
  // Encryption key IV is derived from new key's IV
  final byte[] encryptionIV = EncryptedKeyVersion.deriveIV(iv);
  Encryptor encryptor = cc.createEncryptor();
  encryptor.init(encryptionKey.getMaterial(), encryptionIV);
  int keyLen = newKey.length;
  ByteBuffer bbIn = ByteBuffer.allocateDirect(keyLen);
  ByteBuffer bbOut = ByteBuffer.allocateDirect(keyLen);
  bbIn.put(newKey);
  bbIn.flip();
  encryptor.encrypt(bbIn, bbOut);
  bbOut.flip();
  byte[] encryptedKey = new byte[keyLen];
  bbOut.get(encryptedKey);    
  return new EncryptedKeyVersion(encryptionKeyName,
      encryptionKey.getVersionName(), iv,
      new KeyVersion(encryptionKey.getName(), EEK, encryptedKey));
}