org.apache.hadoop.crypto.CryptoCodec Java Examples

The following examples show how to use org.apache.hadoop.crypto.CryptoCodec. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: OzoneKMSUtil.java    From hadoop-ozone with Apache License 2.0 6 votes vote down vote up
public static CryptoCodec getCryptoCodec(ConfigurationSource conf,
    FileEncryptionInfo feInfo) throws IOException {
  CipherSuite suite = feInfo.getCipherSuite();
  if (suite.equals(CipherSuite.UNKNOWN)) {
    throw new IOException("NameNode specified unknown CipherSuite with ID " +
            suite.getUnknownValue() + ", cannot instantiate CryptoCodec.");
  } else {
    Configuration hadoopConfig =
        LegacyHadoopConfigurationSource.asHadoopConfiguration(conf);
    CryptoCodec codec = CryptoCodec.getInstance(hadoopConfig, suite);
    if (codec == null) {
      throw new OMException("No configuration found for the cipher suite " +
              suite.getConfigSuffix() + " prefixed with " +
              "hadoop.security.crypto.codec.classes. Please see the" +
              " example configuration hadoop.security.crypto.codec.classes." +
              "EXAMPLE CIPHER SUITE at core-default.xml for details.",
              OMException.ResultCodes.UNKNOWN_CIPHER_SUITE);
    } else {
      return codec;
    }
  }
}
 
Example #2
Source File: CryptoUtils.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Wraps a given InputStream with a CryptoInputStream. The size of the data
 * buffer required for the stream is specified by the
 * "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration
 * variable.
 * 
 * If the value of 'length' is > -1, The InputStream is additionally
 * wrapped in a LimitInputStream. CryptoStreams are late buffering in nature.
 * This means they will always try to read ahead if they can. The
 * LimitInputStream will ensure that the CryptoStream does not read past the
 * provided length from the given Input Stream.
 * 
 * @param conf
 * @param in
 * @param length
 * @return InputStream
 * @throws IOException
 */
public static InputStream wrapIfNecessary(Configuration conf, InputStream in,
    long length) throws IOException {
  if (isEncryptedSpillEnabled(conf)) {
    int bufferSize = getBufferSize(conf);
    if (length > -1) {
      in = new LimitInputStream(in, length);
    }
    byte[] offsetArray = new byte[8];
    IOUtils.readFully(in, offsetArray, 0, 8);
    long offset = ByteBuffer.wrap(offsetArray).getLong();
    CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf);
    byte[] iv = 
        new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()];
    IOUtils.readFully(in, iv, 0, 
        cryptoCodec.getCipherSuite().getAlgorithmBlockSize());
    if (LOG.isDebugEnabled()) {
      LOG.debug("IV read from ["
          + Base64.encodeBase64URLSafeString(iv) + "]");
    }
    return new CryptoInputStream(in, cryptoCodec, bufferSize,
        getEncryptionKey(), iv, offset + cryptoPadding(conf));
  } else {
    return in;
  }
}
 
Example #3
Source File: CryptoUtils.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Wraps a given FSDataOutputStream with a CryptoOutputStream. The size of the
 * data buffer required for the stream is specified by the
 * "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration
 * variable.
 * 
 * @param conf
 * @param out
 * @return FSDataOutputStream
 * @throws IOException
 */
public static FSDataOutputStream wrapIfNecessary(Configuration conf,
    FSDataOutputStream out) throws IOException {
  if (isEncryptedSpillEnabled(conf)) {
    out.write(ByteBuffer.allocate(8).putLong(out.getPos()).array());
    byte[] iv = createIV(conf);
    out.write(iv);
    if (LOG.isDebugEnabled()) {
      LOG.debug("IV written to Stream ["
          + Base64.encodeBase64URLSafeString(iv) + "]");
    }
    return new CryptoFSDataOutputStream(out, CryptoCodec.getInstance(conf),
        getBufferSize(conf), getEncryptionKey(), iv);
  } else {
    return out;
  }
}
 
Example #4
Source File: CryptoUtils.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Wraps a given FSDataInputStream with a CryptoInputStream. The size of the
 * data buffer required for the stream is specified by the
 * "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration
 * variable.
 * 
 * @param conf
 * @param in
 * @return FSDataInputStream
 * @throws IOException
 */
public static FSDataInputStream wrapIfNecessary(Configuration conf,
    FSDataInputStream in) throws IOException {
  if (isEncryptedSpillEnabled(conf)) {
    CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf);
    int bufferSize = getBufferSize(conf);
    // Not going to be used... but still has to be read...
    // Since the O/P stream always writes it..
    IOUtils.readFully(in, new byte[8], 0, 8);
    byte[] iv = 
        new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()];
    IOUtils.readFully(in, iv, 0, 
        cryptoCodec.getCipherSuite().getAlgorithmBlockSize());
    if (LOG.isDebugEnabled()) {
      LOG.debug("IV read from Stream ["
          + Base64.encodeBase64URLSafeString(iv) + "]");
    }
    return new CryptoFSDataInputStream(in, cryptoCodec, bufferSize,
        getEncryptionKey(), iv);
  } else {
    return in;
  }
}
 
Example #5
Source File: DataTransferSaslUtil.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Create IOStreamPair of {@link org.apache.hadoop.crypto.CryptoInputStream}
 * and {@link org.apache.hadoop.crypto.CryptoOutputStream}
 * 
 * @param conf the configuration
 * @param cipherOption negotiated cipher option
 * @param out underlying output stream
 * @param in underlying input stream
 * @param isServer is server side
 * @return IOStreamPair the stream pair
 * @throws IOException for any error
 */
public static IOStreamPair createStreamPair(Configuration conf,
    CipherOption cipherOption, OutputStream out, InputStream in, 
    boolean isServer) throws IOException {
  if (LOG.isDebugEnabled()) {
    LOG.debug("Creating IOStreamPair of CryptoInputStream and " +
        "CryptoOutputStream.");
  }
  CryptoCodec codec = CryptoCodec.getInstance(conf, 
      cipherOption.getCipherSuite());
  byte[] inKey = cipherOption.getInKey();
  byte[] inIv = cipherOption.getInIv();
  byte[] outKey = cipherOption.getOutKey();
  byte[] outIv = cipherOption.getOutIv();
  InputStream cIn = new CryptoInputStream(in, codec, 
      isServer ? inKey : outKey, isServer ? inIv : outIv);
  OutputStream cOut = new CryptoOutputStream(out, codec, 
      isServer ? outKey : inKey, isServer ? outIv : inIv);
  return new IOStreamPair(cIn, cOut);
}
 
Example #6
Source File: DFSClient.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Obtain a CryptoCodec based on the CipherSuite set in a FileEncryptionInfo
 * and the available CryptoCodecs configured in the Configuration.
 *
 * @param conf   Configuration
 * @param feInfo FileEncryptionInfo
 * @return CryptoCodec
 * @throws IOException if no suitable CryptoCodec for the CipherSuite is
 *                     available.
 */
private static CryptoCodec getCryptoCodec(Configuration conf,
    FileEncryptionInfo feInfo) throws IOException {
  final CipherSuite suite = feInfo.getCipherSuite();
  if (suite.equals(CipherSuite.UNKNOWN)) {
    throw new IOException("NameNode specified unknown CipherSuite with ID "
        + suite.getUnknownValue() + ", cannot instantiate CryptoCodec.");
  }
  final CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
  if (codec == null) {
    throw new UnknownCipherSuiteException(
        "No configuration found for the cipher suite "
        + suite.getConfigSuffix() + " prefixed with "
        + HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX
        + ". Please see the example configuration "
        + "hadoop.security.crypto.codec.classes.EXAMPLECIPHERSUITE "
        + "at core-default.xml for details.");
  }
  return codec;
}
 
Example #7
Source File: DFSClient.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Wraps the stream in a CryptoInputStream if the underlying file is
 * encrypted.
 */
public HdfsDataInputStream createWrappedInputStream(DFSInputStream dfsis)
    throws IOException {
  final FileEncryptionInfo feInfo = dfsis.getFileEncryptionInfo();
  if (feInfo != null) {
    // File is encrypted, wrap the stream in a crypto stream.
    // Currently only one version, so no special logic based on the version #
    getCryptoProtocolVersion(feInfo);
    final CryptoCodec codec = getCryptoCodec(conf, feInfo);
    final KeyVersion decrypted = decryptEncryptedDataEncryptionKey(feInfo);
    final CryptoInputStream cryptoIn =
        new CryptoInputStream(dfsis, codec, decrypted.getMaterial(),
            feInfo.getIV());
    return new HdfsDataInputStream(cryptoIn);
  } else {
    // No FileEncryptionInfo so no encryption.
    return new HdfsDataInputStream(dfsis);
  }
}
 
Example #8
Source File: DFSClient.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Wraps the stream in a CryptoOutputStream if the underlying file is
 * encrypted.
 */
public HdfsDataOutputStream createWrappedOutputStream(DFSOutputStream dfsos,
    FileSystem.Statistics statistics, long startPos) throws IOException {
  final FileEncryptionInfo feInfo = dfsos.getFileEncryptionInfo();
  if (feInfo != null) {
    // File is encrypted, wrap the stream in a crypto stream.
    // Currently only one version, so no special logic based on the version #
    getCryptoProtocolVersion(feInfo);
    final CryptoCodec codec = getCryptoCodec(conf, feInfo);
    KeyVersion decrypted = decryptEncryptedDataEncryptionKey(feInfo);
    final CryptoOutputStream cryptoOut =
        new CryptoOutputStream(dfsos, codec,
            decrypted.getMaterial(), feInfo.getIV(), startPos);
    return new HdfsDataOutputStream(cryptoOut, statistics, startPos);
  } else {
    // No FileEncryptionInfo present so no encryption.
    return new HdfsDataOutputStream(dfsos, statistics, startPos);
  }
}
 
Example #9
Source File: DFSClient.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Wraps the stream in a CryptoOutputStream if the underlying file is
 * encrypted.
 */
public HdfsDataOutputStream createWrappedOutputStream(DFSOutputStream dfsos,
    FileSystem.Statistics statistics, long startPos) throws IOException {
  final FileEncryptionInfo feInfo = dfsos.getFileEncryptionInfo();
  if (feInfo != null) {
    // File is encrypted, wrap the stream in a crypto stream.
    // Currently only one version, so no special logic based on the version #
    getCryptoProtocolVersion(feInfo);
    final CryptoCodec codec = getCryptoCodec(conf, feInfo);
    KeyVersion decrypted = decryptEncryptedDataEncryptionKey(feInfo);
    final CryptoOutputStream cryptoOut =
        new CryptoOutputStream(dfsos, codec,
            decrypted.getMaterial(), feInfo.getIV(), startPos);
    return new HdfsDataOutputStream(cryptoOut, statistics, startPos);
  } else {
    // No FileEncryptionInfo present so no encryption.
    return new HdfsDataOutputStream(dfsos, statistics, startPos);
  }
}
 
Example #10
Source File: DFSClient.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Wraps the stream in a CryptoInputStream if the underlying file is
 * encrypted.
 */
public HdfsDataInputStream createWrappedInputStream(DFSInputStream dfsis)
    throws IOException {
  final FileEncryptionInfo feInfo = dfsis.getFileEncryptionInfo();
  if (feInfo != null) {
    // File is encrypted, wrap the stream in a crypto stream.
    // Currently only one version, so no special logic based on the version #
    getCryptoProtocolVersion(feInfo);
    final CryptoCodec codec = getCryptoCodec(conf, feInfo);
    final KeyVersion decrypted = decryptEncryptedDataEncryptionKey(feInfo);
    final CryptoInputStream cryptoIn =
        new CryptoInputStream(dfsis, codec, decrypted.getMaterial(),
            feInfo.getIV());
    return new HdfsDataInputStream(cryptoIn);
  } else {
    // No FileEncryptionInfo so no encryption.
    return new HdfsDataInputStream(dfsis);
  }
}
 
Example #11
Source File: DFSClient.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Obtain a CryptoCodec based on the CipherSuite set in a FileEncryptionInfo
 * and the available CryptoCodecs configured in the Configuration.
 *
 * @param conf   Configuration
 * @param feInfo FileEncryptionInfo
 * @return CryptoCodec
 * @throws IOException if no suitable CryptoCodec for the CipherSuite is
 *                     available.
 */
private static CryptoCodec getCryptoCodec(Configuration conf,
    FileEncryptionInfo feInfo) throws IOException {
  final CipherSuite suite = feInfo.getCipherSuite();
  if (suite.equals(CipherSuite.UNKNOWN)) {
    throw new IOException("NameNode specified unknown CipherSuite with ID "
        + suite.getUnknownValue() + ", cannot instantiate CryptoCodec.");
  }
  final CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
  if (codec == null) {
    throw new UnknownCipherSuiteException(
        "No configuration found for the cipher suite "
        + suite.getConfigSuffix() + " prefixed with "
        + HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX
        + ". Please see the example configuration "
        + "hadoop.security.crypto.codec.classes.EXAMPLECIPHERSUITE "
        + "at core-default.xml for details.");
  }
  return codec;
}
 
Example #12
Source File: DataTransferSaslUtil.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Create IOStreamPair of {@link org.apache.hadoop.crypto.CryptoInputStream}
 * and {@link org.apache.hadoop.crypto.CryptoOutputStream}
 * 
 * @param conf the configuration
 * @param cipherOption negotiated cipher option
 * @param out underlying output stream
 * @param in underlying input stream
 * @param isServer is server side
 * @return IOStreamPair the stream pair
 * @throws IOException for any error
 */
public static IOStreamPair createStreamPair(Configuration conf,
    CipherOption cipherOption, OutputStream out, InputStream in, 
    boolean isServer) throws IOException {
  if (LOG.isDebugEnabled()) {
    LOG.debug("Creating IOStreamPair of CryptoInputStream and " +
        "CryptoOutputStream.");
  }
  CryptoCodec codec = CryptoCodec.getInstance(conf, 
      cipherOption.getCipherSuite());
  byte[] inKey = cipherOption.getInKey();
  byte[] inIv = cipherOption.getInIv();
  byte[] outKey = cipherOption.getOutKey();
  byte[] outIv = cipherOption.getOutIv();
  InputStream cIn = new CryptoInputStream(in, codec, 
      isServer ? inKey : outKey, isServer ? inIv : outIv);
  OutputStream cOut = new CryptoOutputStream(out, codec, 
      isServer ? outKey : inKey, isServer ? outIv : inIv);
  return new IOStreamPair(cIn, cOut);
}
 
Example #13
Source File: ProxiedDFSClient.java    From spliceengine with GNU Affero General Public License v3.0 6 votes vote down vote up
public HdfsDataInputStream createWrappedInputStream(DFSInputStream dfsis)
        throws IOException {
    final FileEncryptionInfo feInfo = dfsis.getFileEncryptionInfo();
    if (feInfo != null) {
        // File is encrypted, wrap the stream in a crypto stream.
        // Currently only one version, so no special logic based on the version #
        getCryptoProtocolVersion(feInfo);
        final CryptoCodec codec = getCryptoCodec(getConfiguration(), feInfo);
        final KeyProvider.KeyVersion decrypted = decryptEncryptedDataEncryptionKey(dfsis, feInfo);
        final CryptoInputStream cryptoIn =
                new CryptoInputStream(dfsis, codec, decrypted.getMaterial(),
                        feInfo.getIV());
        return new HdfsDataInputStream(cryptoIn);
    } else {
        // No FileEncryptionInfo so no encryption.
        return new HdfsDataInputStream(dfsis);
    }
}
 
Example #14
Source File: CryptoUtils.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Wraps a given FSDataInputStream with a CryptoInputStream. The size of the
 * data buffer required for the stream is specified by the
 * "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration
 * variable.
 * 
 * @param conf
 * @param in
 * @return FSDataInputStream
 * @throws IOException
 */
public static FSDataInputStream wrapIfNecessary(Configuration conf,
    FSDataInputStream in) throws IOException {
  if (isEncryptedSpillEnabled(conf)) {
    CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf);
    int bufferSize = getBufferSize(conf);
    // Not going to be used... but still has to be read...
    // Since the O/P stream always writes it..
    IOUtils.readFully(in, new byte[8], 0, 8);
    byte[] iv = 
        new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()];
    IOUtils.readFully(in, iv, 0, 
        cryptoCodec.getCipherSuite().getAlgorithmBlockSize());
    if (LOG.isDebugEnabled()) {
      LOG.debug("IV read from Stream ["
          + Base64.encodeBase64URLSafeString(iv) + "]");
    }
    return new CryptoFSDataInputStream(in, cryptoCodec, bufferSize,
        getEncryptionKey(), iv);
  } else {
    return in;
  }
}
 
Example #15
Source File: CryptoUtils.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Wraps a given InputStream with a CryptoInputStream. The size of the data
 * buffer required for the stream is specified by the
 * "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration
 * variable.
 * 
 * If the value of 'length' is > -1, The InputStream is additionally
 * wrapped in a LimitInputStream. CryptoStreams are late buffering in nature.
 * This means they will always try to read ahead if they can. The
 * LimitInputStream will ensure that the CryptoStream does not read past the
 * provided length from the given Input Stream.
 * 
 * @param conf
 * @param in
 * @param length
 * @return InputStream
 * @throws IOException
 */
public static InputStream wrapIfNecessary(Configuration conf, InputStream in,
    long length) throws IOException {
  if (isEncryptedSpillEnabled(conf)) {
    int bufferSize = getBufferSize(conf);
    if (length > -1) {
      in = new LimitInputStream(in, length);
    }
    byte[] offsetArray = new byte[8];
    IOUtils.readFully(in, offsetArray, 0, 8);
    long offset = ByteBuffer.wrap(offsetArray).getLong();
    CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf);
    byte[] iv = 
        new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()];
    IOUtils.readFully(in, iv, 0, 
        cryptoCodec.getCipherSuite().getAlgorithmBlockSize());
    if (LOG.isDebugEnabled()) {
      LOG.debug("IV read from ["
          + Base64.encodeBase64URLSafeString(iv) + "]");
    }
    return new CryptoInputStream(in, cryptoCodec, bufferSize,
        getEncryptionKey(), iv, offset + cryptoPadding(conf));
  } else {
    return in;
  }
}
 
Example #16
Source File: CryptoUtils.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Wraps a given FSDataOutputStream with a CryptoOutputStream. The size of the
 * data buffer required for the stream is specified by the
 * "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration
 * variable.
 * 
 * @param conf
 * @param out
 * @return FSDataOutputStream
 * @throws IOException
 */
public static FSDataOutputStream wrapIfNecessary(Configuration conf,
    FSDataOutputStream out) throws IOException {
  if (isEncryptedSpillEnabled(conf)) {
    out.write(ByteBuffer.allocate(8).putLong(out.getPos()).array());
    byte[] iv = createIV(conf);
    out.write(iv);
    if (LOG.isDebugEnabled()) {
      LOG.debug("IV written to Stream ["
          + Base64.encodeBase64URLSafeString(iv) + "]");
    }
    return new CryptoFSDataOutputStream(out, CryptoCodec.getInstance(conf),
        getBufferSize(conf), getEncryptionKey(), iv);
  } else {
    return out;
  }
}
 
Example #17
Source File: ProxiedDFSClient.java    From spliceengine with GNU Affero General Public License v3.0 6 votes vote down vote up
/**
 * O
 * btain a CryptoCodec based on the CipherSuite set in a FileEncryptionInfo
 * and the available CryptoCodecs configured in the Configuration.
 *
 * @param conf   Configuration
 * @param feInfo FileEncryptionInfo
 * @return CryptoCodec
 * @throws IOException if no suitable CryptoCodec for the CipherSuite is
 *                     available.
 */
private static CryptoCodec getCryptoCodec(Configuration conf,
                                          FileEncryptionInfo feInfo) throws IOException {
    final CipherSuite suite = feInfo.getCipherSuite();
    if (suite.equals(CipherSuite.UNKNOWN)) {
        throw new IOException("NameNode specified unknown CipherSuite with ID "
                + suite.getUnknownValue() + ", cannot instantiate CryptoCodec.");
    }
    final CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
    if (codec == null) {
        throw new UnknownCipherSuiteException(
                "No configuration found for the cipher suite "
                        + suite.getConfigSuffix() + " prefixed with "
                        + HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX
                        + ". Please see the example configuration "
                        + "hadoop.security.crypto.codec.classes.EXAMPLECIPHERSUITE "
                        + "at core-default.xml for details.");
    }
    return codec;
}
 
Example #18
Source File: KeyProviderCryptoExtension.java    From big-c with Apache License 2.0 5 votes vote down vote up
@Override
public KeyVersion decryptEncryptedKey(
    EncryptedKeyVersion encryptedKeyVersion) throws IOException,
    GeneralSecurityException {
  // Fetch the encryption key material
  final String encryptionKeyVersionName =
      encryptedKeyVersion.getEncryptionKeyVersionName();
  final KeyVersion encryptionKey =
      keyProvider.getKeyVersion(encryptionKeyVersionName);
  Preconditions.checkNotNull(encryptionKey,
      "KeyVersion name '%s' does not exist", encryptionKeyVersionName);
  Preconditions.checkArgument(
          encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
                .equals(KeyProviderCryptoExtension.EEK),
            "encryptedKey version name must be '%s', is '%s'",
            KeyProviderCryptoExtension.EEK,
            encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
        );

  // Encryption key IV is determined from encrypted key's IV
  final byte[] encryptionIV =
      EncryptedKeyVersion.deriveIV(encryptedKeyVersion.getEncryptedKeyIv());

  CryptoCodec cc = CryptoCodec.getInstance(keyProvider.getConf());
  Decryptor decryptor = cc.createDecryptor();
  decryptor.init(encryptionKey.getMaterial(), encryptionIV);
  final KeyVersion encryptedKV =
      encryptedKeyVersion.getEncryptedKeyVersion();
  int keyLen = encryptedKV.getMaterial().length;
  ByteBuffer bbIn = ByteBuffer.allocateDirect(keyLen);
  ByteBuffer bbOut = ByteBuffer.allocateDirect(keyLen);
  bbIn.put(encryptedKV.getMaterial());
  bbIn.flip();
  decryptor.decrypt(bbIn, bbOut);
  bbOut.flip();
  byte[] decryptedKey = new byte[keyLen];
  bbOut.get(decryptedKey);
  return new KeyVersion(encryptionKey.getName(), EK, decryptedKey);
}
 
Example #19
Source File: KeyProviderCryptoExtension.java    From big-c with Apache License 2.0 5 votes vote down vote up
@Override
public EncryptedKeyVersion generateEncryptedKey(String encryptionKeyName)
    throws IOException, GeneralSecurityException {
  // Fetch the encryption key
  KeyVersion encryptionKey = keyProvider.getCurrentKey(encryptionKeyName);
  Preconditions.checkNotNull(encryptionKey,
      "No KeyVersion exists for key '%s' ", encryptionKeyName);
  // Generate random bytes for new key and IV

  CryptoCodec cc = CryptoCodec.getInstance(keyProvider.getConf());
  final byte[] newKey = new byte[encryptionKey.getMaterial().length];
  cc.generateSecureRandom(newKey);
  final byte[] iv = new byte[cc.getCipherSuite().getAlgorithmBlockSize()];
  cc.generateSecureRandom(iv);
  // Encryption key IV is derived from new key's IV
  final byte[] encryptionIV = EncryptedKeyVersion.deriveIV(iv);
  Encryptor encryptor = cc.createEncryptor();
  encryptor.init(encryptionKey.getMaterial(), encryptionIV);
  int keyLen = newKey.length;
  ByteBuffer bbIn = ByteBuffer.allocateDirect(keyLen);
  ByteBuffer bbOut = ByteBuffer.allocateDirect(keyLen);
  bbIn.put(newKey);
  bbIn.flip();
  encryptor.encrypt(bbIn, bbOut);
  bbOut.flip();
  byte[] encryptedKey = new byte[keyLen];
  bbOut.get(encryptedKey);    
  return new EncryptedKeyVersion(encryptionKeyName,
      encryptionKey.getVersionName(), iv,
      new KeyVersion(encryptionKey.getName(), EEK, encryptedKey));
}
 
Example #20
Source File: TestHdfsCryptoStreams.java    From big-c with Apache License 2.0 5 votes vote down vote up
@BeforeClass
public static void init() throws Exception {
  Configuration conf = new HdfsConfiguration();
  dfsCluster = new MiniDFSCluster.Builder(conf).build();
  dfsCluster.waitClusterUp();
  fs = dfsCluster.getFileSystem();
  codec = CryptoCodec.getInstance(conf);
}
 
Example #21
Source File: DataTransferSaslUtil.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Negotiate a cipher option which server supports.
 * 
 * @param conf the configuration
 * @param options the cipher options which client supports
 * @return CipherOption negotiated cipher option
 */
public static CipherOption negotiateCipherOption(Configuration conf,
    List<CipherOption> options) throws IOException {
  // Negotiate cipher suites if configured.  Currently, the only supported
  // cipher suite is AES/CTR/NoPadding, but the protocol allows multiple
  // values for future expansion.
  String cipherSuites = conf.get(DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY);
  if (cipherSuites == null || cipherSuites.isEmpty()) {
    return null;
  }
  if (!cipherSuites.equals(CipherSuite.AES_CTR_NOPADDING.getName())) {
    throw new IOException(String.format("Invalid cipher suite, %s=%s",
        DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY, cipherSuites));
  }
  if (options != null) {
    for (CipherOption option : options) {
      CipherSuite suite = option.getCipherSuite();
      if (suite == CipherSuite.AES_CTR_NOPADDING) {
        int keyLen = conf.getInt(
            DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_KEY,
            DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_DEFAULT) / 8;
        CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
        byte[] inKey = new byte[keyLen];
        byte[] inIv = new byte[suite.getAlgorithmBlockSize()];
        byte[] outKey = new byte[keyLen];
        byte[] outIv = new byte[suite.getAlgorithmBlockSize()];
        codec.generateSecureRandom(inKey);
        codec.generateSecureRandom(inIv);
        codec.generateSecureRandom(outKey);
        codec.generateSecureRandom(outIv);
        return new CipherOption(suite, inKey, inIv, outKey, outIv);
      }
    }
  }
  return null;
}
 
Example #22
Source File: CryptoUtils.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * This method creates and initializes an IV (Initialization Vector)
 * 
 * @param conf
 * @return byte[]
 * @throws IOException
 */
public static byte[] createIV(Configuration conf) throws IOException {
  CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf);
  if (isEncryptedSpillEnabled(conf)) {
    byte[] iv = new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()];
    cryptoCodec.generateSecureRandom(iv);
    return iv;
  } else {
    return null;
  }
}
 
Example #23
Source File: CryptoUtils.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * This method creates and initializes an IV (Initialization Vector)
 * 
 * @param conf
 * @return byte[]
 * @throws IOException
 */
public static byte[] createIV(Configuration conf) throws IOException {
  CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf);
  if (isEncryptedSpillEnabled(conf)) {
    byte[] iv = new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()];
    cryptoCodec.generateSecureRandom(iv);
    return iv;
  } else {
    return null;
  }
}
 
Example #24
Source File: KeyProviderCryptoExtension.java    From hadoop with Apache License 2.0 5 votes vote down vote up
@Override
public KeyVersion decryptEncryptedKey(
    EncryptedKeyVersion encryptedKeyVersion) throws IOException,
    GeneralSecurityException {
  // Fetch the encryption key material
  final String encryptionKeyVersionName =
      encryptedKeyVersion.getEncryptionKeyVersionName();
  final KeyVersion encryptionKey =
      keyProvider.getKeyVersion(encryptionKeyVersionName);
  Preconditions.checkNotNull(encryptionKey,
      "KeyVersion name '%s' does not exist", encryptionKeyVersionName);
  Preconditions.checkArgument(
          encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
                .equals(KeyProviderCryptoExtension.EEK),
            "encryptedKey version name must be '%s', is '%s'",
            KeyProviderCryptoExtension.EEK,
            encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
        );

  // Encryption key IV is determined from encrypted key's IV
  final byte[] encryptionIV =
      EncryptedKeyVersion.deriveIV(encryptedKeyVersion.getEncryptedKeyIv());

  CryptoCodec cc = CryptoCodec.getInstance(keyProvider.getConf());
  Decryptor decryptor = cc.createDecryptor();
  decryptor.init(encryptionKey.getMaterial(), encryptionIV);
  final KeyVersion encryptedKV =
      encryptedKeyVersion.getEncryptedKeyVersion();
  int keyLen = encryptedKV.getMaterial().length;
  ByteBuffer bbIn = ByteBuffer.allocateDirect(keyLen);
  ByteBuffer bbOut = ByteBuffer.allocateDirect(keyLen);
  bbIn.put(encryptedKV.getMaterial());
  bbIn.flip();
  decryptor.decrypt(bbIn, bbOut);
  bbOut.flip();
  byte[] decryptedKey = new byte[keyLen];
  bbOut.get(decryptedKey);
  return new KeyVersion(encryptionKey.getName(), EK, decryptedKey);
}
 
Example #25
Source File: KeyProviderCryptoExtension.java    From hadoop with Apache License 2.0 5 votes vote down vote up
@Override
public EncryptedKeyVersion generateEncryptedKey(String encryptionKeyName)
    throws IOException, GeneralSecurityException {
  // Fetch the encryption key
  KeyVersion encryptionKey = keyProvider.getCurrentKey(encryptionKeyName);
  Preconditions.checkNotNull(encryptionKey,
      "No KeyVersion exists for key '%s' ", encryptionKeyName);
  // Generate random bytes for new key and IV

  CryptoCodec cc = CryptoCodec.getInstance(keyProvider.getConf());
  final byte[] newKey = new byte[encryptionKey.getMaterial().length];
  cc.generateSecureRandom(newKey);
  final byte[] iv = new byte[cc.getCipherSuite().getAlgorithmBlockSize()];
  cc.generateSecureRandom(iv);
  // Encryption key IV is derived from new key's IV
  final byte[] encryptionIV = EncryptedKeyVersion.deriveIV(iv);
  Encryptor encryptor = cc.createEncryptor();
  encryptor.init(encryptionKey.getMaterial(), encryptionIV);
  int keyLen = newKey.length;
  ByteBuffer bbIn = ByteBuffer.allocateDirect(keyLen);
  ByteBuffer bbOut = ByteBuffer.allocateDirect(keyLen);
  bbIn.put(newKey);
  bbIn.flip();
  encryptor.encrypt(bbIn, bbOut);
  bbOut.flip();
  byte[] encryptedKey = new byte[keyLen];
  bbOut.get(encryptedKey);    
  return new EncryptedKeyVersion(encryptionKeyName,
      encryptionKey.getVersionName(), iv,
      new KeyVersion(encryptionKey.getName(), EEK, encryptedKey));
}
 
Example #26
Source File: DataTransferSaslUtil.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Negotiate a cipher option which server supports.
 * 
 * @param conf the configuration
 * @param options the cipher options which client supports
 * @return CipherOption negotiated cipher option
 */
public static CipherOption negotiateCipherOption(Configuration conf,
    List<CipherOption> options) throws IOException {
  // Negotiate cipher suites if configured.  Currently, the only supported
  // cipher suite is AES/CTR/NoPadding, but the protocol allows multiple
  // values for future expansion.
  String cipherSuites = conf.get(DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY);
  if (cipherSuites == null || cipherSuites.isEmpty()) {
    return null;
  }
  if (!cipherSuites.equals(CipherSuite.AES_CTR_NOPADDING.getName())) {
    throw new IOException(String.format("Invalid cipher suite, %s=%s",
        DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY, cipherSuites));
  }
  if (options != null) {
    for (CipherOption option : options) {
      CipherSuite suite = option.getCipherSuite();
      if (suite == CipherSuite.AES_CTR_NOPADDING) {
        int keyLen = conf.getInt(
            DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_KEY,
            DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_DEFAULT) / 8;
        CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
        byte[] inKey = new byte[keyLen];
        byte[] inIv = new byte[suite.getAlgorithmBlockSize()];
        byte[] outKey = new byte[keyLen];
        byte[] outIv = new byte[suite.getAlgorithmBlockSize()];
        codec.generateSecureRandom(inKey);
        codec.generateSecureRandom(inIv);
        codec.generateSecureRandom(outKey);
        codec.generateSecureRandom(outIv);
        return new CipherOption(suite, inKey, inIv, outKey, outIv);
      }
    }
  }
  return null;
}
 
Example #27
Source File: TestHdfsCryptoStreams.java    From hadoop with Apache License 2.0 5 votes vote down vote up
@BeforeClass
public static void init() throws Exception {
  Configuration conf = new HdfsConfiguration();
  dfsCluster = new MiniDFSCluster.Builder(conf).build();
  dfsCluster.waitClusterUp();
  fs = dfsCluster.getFileSystem();
  codec = CryptoCodec.getInstance(conf);
}
 
Example #28
Source File: CryptoUtils.java    From hadoop with Apache License 2.0 4 votes vote down vote up
public static int cryptoPadding(Configuration conf) {
  // Sizeof(IV) + long(start-offset)
  return isEncryptedSpillEnabled(conf) ? CryptoCodec.getInstance(conf)
      .getCipherSuite().getAlgorithmBlockSize() + 8 : 0;
}
 
Example #29
Source File: CryptoUtils.java    From big-c with Apache License 2.0 4 votes vote down vote up
public static int cryptoPadding(Configuration conf) {
  // Sizeof(IV) + long(start-offset)
  return isEncryptedSpillEnabled(conf) ? CryptoCodec.getInstance(conf)
      .getCipherSuite().getAlgorithmBlockSize() + 8 : 0;
}
 
Example #30
Source File: FanOutOneBlockAsyncDFSOutputSaslHelper.java    From hbase with Apache License 2.0 4 votes vote down vote up
public EncryptHandler(CryptoCodec codec, byte[] key, byte[] iv)
    throws GeneralSecurityException, IOException {
  this.encryptor = codec.createEncryptor();
  this.encryptor.init(key, Arrays.copyOf(iv, iv.length));
}