org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion Java Examples

The following examples show how to use org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: KeyManagerImpl.java    From hadoop-ozone with Apache License 2.0
/**
 * Asks the KMS provider for a fresh encrypted data encryption key (EDEK)
 * under the given encryption-zone key.
 * <p>
 * The KMS round trip is executed through {@code SecurityUtil.doAsLoginUser},
 * i.e. under the service's login identity rather than the caller's. The
 * elapsed time of the call is logged at debug level.
 *
 * @param ezKeyName name of the encryption-zone key; when {@code null} no
 *                  KMS call is made and {@code null} is returned
 * @return the generated EDEK, never {@code null} for a non-null key name
 * @throws IOException if the KMS call fails; a
 *                     {@link GeneralSecurityException} raised by the
 *                     provider is wrapped as the cause
 */
private EncryptedKeyVersion generateEDEK(
    final String ezKeyName) throws IOException {
  if (ezKeyName == null) {
    return null;
  }
  final long startedAtMs = monotonicNow();
  final PrivilegedExceptionAction<EncryptedKeyVersion> kmsCall =
      new PrivilegedExceptionAction<EncryptedKeyVersion>() {
        @Override
        public EncryptedKeyVersion run() throws IOException {
          try {
            return getKMSProvider().generateEncryptedKey(ezKeyName);
          } catch (GeneralSecurityException e) {
            // Callers only expect IOException; keep the original as cause.
            throw new IOException(e);
          }
        }
      };
  final EncryptedKeyVersion edek = SecurityUtil.doAsLoginUser(kmsCall);
  LOG.debug("generateEDEK takes {} ms", monotonicNow() - startedAtMs);
  Preconditions.checkNotNull(edek);
  return edek;
}
 
Example #2
Source File: LoadBalancingKMSClientProvider.java    From big-c with Apache License 2.0
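/**
 * Decrypts an EEK by delegating to one of the backing KMS providers,
 * chosen by {@code nextIdx()} and invoked through {@code doOp}.
 * <p>
 * {@code doOp} is expected to deliver a provider-side
 * {@link GeneralSecurityException} wrapped in a {@code WrapperException};
 * that cause is unwrapped and rethrown. Any other cause type is reported
 * as an {@link IOException} instead of escaping as a
 * {@code ClassCastException} from an unchecked cast.
 *
 * @param encryptedKeyVersion the EEK to decrypt
 * @return the decrypted key version returned by the selected provider
 * @throws IOException if the provider call fails, or if the wrapped cause
 *                     is not a {@link GeneralSecurityException}
 * @throws GeneralSecurityException if the provider raised one
 */
@Override
public KeyVersion
    decryptEncryptedKey(final EncryptedKeyVersion encryptedKeyVersion)
        throws IOException, GeneralSecurityException {
  try {
    return doOp(new ProviderCallable<KeyVersion>() {
      @Override
      public KeyVersion call(KMSClientProvider provider)
          throws IOException, GeneralSecurityException {
        return provider.decryptEncryptedKey(encryptedKeyVersion);
      }
    }, nextIdx());
  } catch (WrapperException we) {
    final Throwable cause = we.getCause();
    if (cause instanceof GeneralSecurityException) {
      throw (GeneralSecurityException) cause;
    }
    // Unexpected cause type: surface it with the original cause attached
    // rather than failing on the cast.
    throw new IOException(cause);
  }
}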
 
Example #3
Source File: LoadBalancingKMSClientProvider.java    From big-c with Apache License 2.0
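/**
 * Generates an EEK for {@code encryptionKeyName} via one of the backing
 * KMS providers, chosen by {@code nextIdx()} and invoked through
 * {@code doOp}.
 * <p>
 * {@code doOp} is expected to deliver a provider-side
 * {@link GeneralSecurityException} wrapped in a {@code WrapperException};
 * that cause is unwrapped and rethrown. Any other cause type is reported
 * as an {@link IOException} instead of escaping as a
 * {@code ClassCastException} from an unchecked cast.
 *
 * @param encryptionKeyName name of the encryption key to generate an EEK for
 * @return the EEK returned by the selected provider
 * @throws IOException if the provider call fails, or if the wrapped cause
 *                     is not a {@link GeneralSecurityException}
 * @throws GeneralSecurityException if the provider raised one
 */
@Override
public EncryptedKeyVersion
    generateEncryptedKey(final String encryptionKeyName)
        throws IOException, GeneralSecurityException {
  try {
    return doOp(new ProviderCallable<EncryptedKeyVersion>() {
      @Override
      public EncryptedKeyVersion call(KMSClientProvider provider)
          throws IOException, GeneralSecurityException {
        return provider.generateEncryptedKey(encryptionKeyName);
      }
    }, nextIdx());
  } catch (WrapperException we) {
    final Throwable cause = we.getCause();
    if (cause instanceof GeneralSecurityException) {
      throw (GeneralSecurityException) cause;
    }
    // Unexpected cause type: surface it with the original cause attached
    // rather than failing on the cast.
    throw new IOException(cause);
  }
}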
 
Example #4
Source File: KMSClientProvider.java    From big-c with Apache License 2.0
/**
 * Refills {@code keyQueue} with {@code numEKVs} freshly generated EEKs for
 * {@code keyName}, fetched from the KMS in a single GET request.
 *
 * @param keyName  encryption key to generate EEKs for; must not be null
 * @param keyQueue queue that receives the parsed EEKs
 * @param numEKVs  number of EEKs to request from the KMS
 * @throws IOException if the KMS request fails
 */
@Override
public void fillQueueForKey(String keyName,
    Queue<EncryptedKeyVersion> keyQueue, int numEKVs) throws IOException {
  checkNotNull(keyName, "keyName");
  final Map<String, String> queryParams = new HashMap<String, String>();
  queryParams.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_GENERATE);
  queryParams.put(KMSRESTConstants.EEK_NUM_KEYS, String.valueOf(numEKVs));
  final URL eekUrl = createURL(KMSRESTConstants.KEY_RESOURCE, keyName,
      KMSRESTConstants.EEK_SUB_RESOURCE, queryParams);
  final HttpURLConnection conn = createConnection(eekUrl, HTTP_GET);
  conn.setRequestProperty(CONTENT_TYPE, APPLICATION_JSON_MIME);
  // The KMS answers with a JSON array, one element per generated EEK.
  final List response =
      call(conn, null, HttpURLConnection.HTTP_OK, List.class);
  keyQueue.addAll(parseJSONEncKeyVersion(keyName, response));
}
 
Example #5
Source File: DFSClient.java    From big-c with Apache License 2.0
/**
 * Decrypts an EDEK by consulting the KeyProvider.
 * <p>
 * The work runs inside a {@code decryptEDEK} trace span that is closed on
 * every exit path, including the missing-provider and failure cases.
 *
 * @param feInfo the file's encryption info holding the EDEK, its IV and
 *               the key / key-version names it was encrypted under
 * @return the decrypted data encryption key
 * @throws IOException if no KeyProvider is configured, or if the provider
 *                     fails (a GeneralSecurityException is wrapped)
 */
private KeyVersion decryptEncryptedDataEncryptionKey(FileEncryptionInfo
    feInfo) throws IOException {
  final TraceScope traceScope = Trace.startSpan("decryptEDEK", traceSampler);
  try {
    final KeyProvider keyProvider = getKeyProvider();
    if (keyProvider == null) {
      throw new IOException("No KeyProvider is configured, cannot access" +
          " an encrypted file");
    }
    final EncryptedKeyVersion edek = EncryptedKeyVersion.createForDecryption(
        feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(),
        feInfo.getEncryptedDataEncryptionKey());
    try {
      return KeyProviderCryptoExtension
          .createKeyProviderCryptoExtension(keyProvider)
          .decryptEncryptedKey(edek);
    } catch (GeneralSecurityException e) {
      throw new IOException(e);
    }
  } finally {
    traceScope.close();
  }
}
 
Example #6
Source File: LoadBalancingKMSClientProvider.java    From hadoop with Apache License 2.0
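/**
 * Decrypts an EEK by delegating to one of the backing KMS providers,
 * chosen by {@code nextIdx()} and invoked through {@code doOp}.
 * <p>
 * {@code doOp} is expected to deliver a provider-side
 * {@link GeneralSecurityException} wrapped in a {@code WrapperException};
 * that cause is unwrapped and rethrown. Any other cause type is reported
 * as an {@link IOException} instead of escaping as a
 * {@code ClassCastException} from an unchecked cast.
 *
 * @param encryptedKeyVersion the EEK to decrypt
 * @return the decrypted key version returned by the selected provider
 * @throws IOException if the provider call fails, or if the wrapped cause
 *                     is not a {@link GeneralSecurityException}
 * @throws GeneralSecurityException if the provider raised one
 */
@Override
public KeyVersion
    decryptEncryptedKey(final EncryptedKeyVersion encryptedKeyVersion)
        throws IOException, GeneralSecurityException {
  try {
    return doOp(new ProviderCallable<KeyVersion>() {
      @Override
      public KeyVersion call(KMSClientProvider provider)
          throws IOException, GeneralSecurityException {
        return provider.decryptEncryptedKey(encryptedKeyVersion);
      }
    }, nextIdx());
  } catch (WrapperException we) {
    final Throwable cause = we.getCause();
    if (cause instanceof GeneralSecurityException) {
      throw (GeneralSecurityException) cause;
    }
    // Unexpected cause type: surface it with the original cause attached
    // rather than failing on the cast.
    throw new IOException(cause);
  }
}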
 
Example #7
Source File: LoadBalancingKMSClientProvider.java    From hadoop with Apache License 2.0
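/**
 * Generates an EEK for {@code encryptionKeyName} via one of the backing
 * KMS providers, chosen by {@code nextIdx()} and invoked through
 * {@code doOp}.
 * <p>
 * {@code doOp} is expected to deliver a provider-side
 * {@link GeneralSecurityException} wrapped in a {@code WrapperException};
 * that cause is unwrapped and rethrown. Any other cause type is reported
 * as an {@link IOException} instead of escaping as a
 * {@code ClassCastException} from an unchecked cast.
 *
 * @param encryptionKeyName name of the encryption key to generate an EEK for
 * @return the EEK returned by the selected provider
 * @throws IOException if the provider call fails, or if the wrapped cause
 *                     is not a {@link GeneralSecurityException}
 * @throws GeneralSecurityException if the provider raised one
 */
@Override
public EncryptedKeyVersion
    generateEncryptedKey(final String encryptionKeyName)
        throws IOException, GeneralSecurityException {
  try {
    return doOp(new ProviderCallable<EncryptedKeyVersion>() {
      @Override
      public EncryptedKeyVersion call(KMSClientProvider provider)
          throws IOException, GeneralSecurityException {
        return provider.generateEncryptedKey(encryptionKeyName);
      }
    }, nextIdx());
  } catch (WrapperException we) {
    final Throwable cause = we.getCause();
    if (cause instanceof GeneralSecurityException) {
      throw (GeneralSecurityException) cause;
    }
    // Unexpected cause type: surface it with the original cause attached
    // rather than failing on the cast.
    throw new IOException(cause);
  }
}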
 
Example #8
Source File: KMSClientProvider.java    From hadoop with Apache License 2.0
/**
 * Refills {@code keyQueue} with {@code numEKVs} freshly generated EEKs for
 * {@code keyName}, fetched from the KMS in a single GET request.
 *
 * @param keyName  encryption key to generate EEKs for; must not be null
 * @param keyQueue queue that receives the parsed EEKs
 * @param numEKVs  number of EEKs to request from the KMS
 * @throws IOException if the KMS request fails
 */
@Override
public void fillQueueForKey(String keyName,
    Queue<EncryptedKeyVersion> keyQueue, int numEKVs) throws IOException {
  checkNotNull(keyName, "keyName");
  final Map<String, String> queryParams = new HashMap<String, String>();
  queryParams.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_GENERATE);
  queryParams.put(KMSRESTConstants.EEK_NUM_KEYS, String.valueOf(numEKVs));
  final URL eekUrl = createURL(KMSRESTConstants.KEY_RESOURCE, keyName,
      KMSRESTConstants.EEK_SUB_RESOURCE, queryParams);
  final HttpURLConnection conn = createConnection(eekUrl, HTTP_GET);
  conn.setRequestProperty(CONTENT_TYPE, APPLICATION_JSON_MIME);
  // The KMS answers with a JSON array, one element per generated EEK.
  final List response =
      call(conn, null, HttpURLConnection.HTTP_OK, List.class);
  keyQueue.addAll(parseJSONEncKeyVersion(keyName, response));
}
 
Example #9
Source File: DFSClient.java    From hadoop with Apache License 2.0
/**
 * Decrypts an EDEK by consulting the KeyProvider.
 * <p>
 * The work runs inside a {@code decryptEDEK} trace span that is closed on
 * every exit path, including the missing-provider and failure cases.
 *
 * @param feInfo the file's encryption info holding the EDEK, its IV and
 *               the key / key-version names it was encrypted under
 * @return the decrypted data encryption key
 * @throws IOException if no KeyProvider is configured, or if the provider
 *                     fails (a GeneralSecurityException is wrapped)
 */
private KeyVersion decryptEncryptedDataEncryptionKey(FileEncryptionInfo
    feInfo) throws IOException {
  final TraceScope traceScope = Trace.startSpan("decryptEDEK", traceSampler);
  try {
    final KeyProvider keyProvider = getKeyProvider();
    if (keyProvider == null) {
      throw new IOException("No KeyProvider is configured, cannot access" +
          " an encrypted file");
    }
    final EncryptedKeyVersion edek = EncryptedKeyVersion.createForDecryption(
        feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(),
        feInfo.getEncryptedDataEncryptionKey());
    try {
      return KeyProviderCryptoExtension
          .createKeyProviderCryptoExtension(keyProvider)
          .decryptEncryptedKey(edek);
    } catch (GeneralSecurityException e) {
      throw new IOException(e);
    }
  } finally {
    traceScope.close();
  }
}
 
Example #10
Source File: OzoneKMSUtil.java    From hadoop-ozone with Apache License 2.0
/**
 * Decrypts the EDEK carried by {@code feInfo} through {@code keyProvider}.
 *
 * @param feInfo      file encryption info holding the EDEK, its IV and the
 *                    key / key-version names it was encrypted under
 * @param keyProvider provider used for the decryption; must not be null
 * @return the decrypted data encryption key
 * @throws IOException if {@code keyProvider} is null, or if the provider
 *                     fails (a GeneralSecurityException is wrapped)
 */
public static KeyProvider.KeyVersion decryptEncryptedDataEncryptionKey(
    FileEncryptionInfo feInfo, KeyProvider keyProvider) throws IOException {
  if (keyProvider == null) {
    throw new IOException("No KeyProvider is configured, " +
        "cannot access an encrypted file");
  }
  final EncryptedKeyVersion edek = EncryptedKeyVersion.createForDecryption(
      feInfo.getKeyName(), feInfo.getEzKeyVersionName(), feInfo.getIV(),
      feInfo.getEncryptedDataEncryptionKey());
  try {
    return KeyProviderCryptoExtension
        .createKeyProviderCryptoExtension(keyProvider)
        .decryptEncryptedKey(edek);
  } catch (GeneralSecurityException gse) {
    throw new IOException(gse);
  }
}
 
Example #11
Source File: KMSClientProvider.java    From hadoop with Apache License 2.0
/**
 * Hands out the next EEK for {@code encryptionKeyName} from the client-side
 * EEK cache ({@code encKeyVersionQueue}).
 *
 * @param encryptionKeyName name of the encryption key the EEK belongs to
 * @return the next cached EEK for that key
 * @throws IOException if obtaining the EEK failed; a
 *                     {@link SocketTimeoutException} that caused the
 *                     failure is rethrown unwrapped
 * @throws GeneralSecurityException declared by the interface contract
 */
@Override
public EncryptedKeyVersion generateEncryptedKey(
    String encryptionKeyName) throws IOException, GeneralSecurityException {
  try {
    return encKeyVersionQueue.getNext(encryptionKeyName);
  } catch (ExecutionException e) {
    final Throwable cause = e.getCause();
    // Let callers see a timeout as such instead of a generic IOException.
    if (cause instanceof SocketTimeoutException) {
      throw (SocketTimeoutException) cause;
    }
    throw new IOException(e);
  }
}
 
Example #12
Source File: KMSClientProvider.java    From hadoop with Apache License 2.0
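/**
 * Decrypts an EEK by posting it to the KMS EEK sub-resource of the key
 * version it was encrypted under, with the decrypt operation selected.
 * <p>
 * The JSON body carries the encryption key name plus the IV and the
 * encrypted material, both standard Base64; the KMS answers with the
 * decrypted key version, which is parsed and returned.
 *
 * @param encryptedKeyVersion the EEK to decrypt; its nested encrypted key
 *                            version must carry the {@code EEK} version name
 * @return the decrypted key version parsed from the KMS response
 * @throws IOException if the KMS request fails
 * @throws GeneralSecurityException declared by the interface contract
 * @throws NullPointerException if the EEK, its version name, IV or nested
 *                              encrypted key is null
 * @throws IllegalArgumentException if the nested encrypted key's version
 *                                  name is not {@code EEK}
 */
@SuppressWarnings("rawtypes")
@Override
public KeyVersion decryptEncryptedKey(
    EncryptedKeyVersion encryptedKeyVersion) throws IOException,
                                                    GeneralSecurityException {
  checkNotNull(encryptedKeyVersion, "encryptedKeyVersion");
  checkNotNull(encryptedKeyVersion.getEncryptionKeyVersionName(),
      "versionName");
  checkNotNull(encryptedKeyVersion.getEncryptedKeyIv(), "iv");
  // Must run before the version-name check below, which dereferences the
  // nested encrypted key; previously this check came after it and so could
  // never fire.
  checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");
  Preconditions.checkArgument(
      encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
          .equals(KeyProviderCryptoExtension.EEK),
      "encryptedKey version name must be '%s', is '%s'",
      KeyProviderCryptoExtension.EEK,
      encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
  );
  Map<String, String> params = new HashMap<String, String>();
  params.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_DECRYPT);
  Map<String, Object> jsonPayload = new HashMap<String, Object>();
  jsonPayload.put(KMSRESTConstants.NAME_FIELD,
      encryptedKeyVersion.getEncryptionKeyName());
  jsonPayload.put(KMSRESTConstants.IV_FIELD, Base64.encodeBase64String(
      encryptedKeyVersion.getEncryptedKeyIv()));
  jsonPayload.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String(
      encryptedKeyVersion.getEncryptedKeyVersion().getMaterial()));
  URL url = createURL(KMSRESTConstants.KEY_VERSION_RESOURCE,
      encryptedKeyVersion.getEncryptionKeyVersionName(),
      KMSRESTConstants.EEK_SUB_RESOURCE, params);
  HttpURLConnection conn = createConnection(url, HTTP_POST);
  conn.setRequestProperty(CONTENT_TYPE, APPLICATION_JSON_MIME);
  Map response =
      call(conn, jsonPayload, HttpURLConnection.HTTP_OK, Map.class);
  return parseJSONKeyVersion(response);
}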
 
Example #13
Source File: TestKeyProviderCryptoExtension.java    From hadoop with Apache License 2.0
/**
 * Round-trip check: an EEK produced by the extension, rebuilt through
 * {@code createForDecryption} and decrypted via the API, must yield the
 * same material as a manual AES/CTR decryption with the raw encryption key
 * and the derived IV.
 */
@Test
public void testEncryptDecrypt() throws Exception {
  // Obtain an EEK from the extension under test.
  final KeyProviderCryptoExtension.EncryptedKeyVersion generated =
      kpExt.generateEncryptedKey(encryptionKey.getName());
  final byte[] iv = generated.getEncryptedKeyIv();
  final byte[] wrappedMaterial = generated.getEncryptedKeyVersion()
      .getMaterial();

  // Reference decryption, done by hand with the raw encryption key.
  final Cipher cipher = Cipher.getInstance("AES/CTR/NoPadding");
  cipher.init(Cipher.DECRYPT_MODE,
      new SecretKeySpec(encryptionKey.getMaterial(), "AES"),
      new IvParameterSpec(
          KeyProviderCryptoExtension.EncryptedKeyVersion.deriveIV(iv)));
  final byte[] expectedMaterial = cipher.doFinal(wrappedMaterial);

  // Rebuild the EEK through the createForDecryption factory ...
  final EncryptedKeyVersion rebuilt = EncryptedKeyVersion.createForDecryption(
      generated.getEncryptionKeyName(),
      generated.getEncryptionKeyVersionName(),
      generated.getEncryptedKeyIv(),
      generated.getEncryptedKeyVersion().getMaterial());

  // ... and decrypt it through the API.
  final KeyVersion decrypted = kpExt.decryptEncryptedKey(rebuilt);
  final byte[] apiMaterial = decrypted.getMaterial();

  assertArrayEquals("Wrong key material from decryptEncryptedKey",
      expectedMaterial, apiMaterial);
}
 
Example #14
Source File: KMSServerJSONUtils.java    From hadoop with Apache License 2.0
/**
 * Serializes an EEK into the JSON shape the KMS REST API returns: the
 * encryption key version name, the IV as URL-safe Base64, and the nested
 * encrypted key version (serialized by the {@code KeyVersion} overload).
 *
 * @param encryptedKeyVersion the EEK to serialize; {@code null} yields an
 *                            empty map
 * @return an insertion-ordered map ready for JSON encoding
 */
@SuppressWarnings("unchecked")
public static Map toJSON(EncryptedKeyVersion encryptedKeyVersion) {
  final Map json = new LinkedHashMap();
  if (encryptedKeyVersion == null) {
    return json;
  }
  json.put(KMSRESTConstants.VERSION_NAME_FIELD,
      encryptedKeyVersion.getEncryptionKeyVersionName());
  // Note the URL-safe Base64 variant here, unlike the standard variant the
  // client uses when it sends the IV back for decryption.
  final String encodedIv = Base64.encodeBase64URLSafeString(
      encryptedKeyVersion.getEncryptedKeyIv());
  json.put(KMSRESTConstants.IV_FIELD, encodedIv);
  json.put(KMSRESTConstants.ENCRYPTED_KEY_VERSION_FIELD,
      toJSON(encryptedKeyVersion.getEncryptedKeyVersion()));
  return json;
}
 
Example #15
Source File: KMSClientProvider.java    From hadoop with Apache License 2.0
/**
 * Turns the JSON array returned by the KMS EEK-generate call into
 * {@link EncryptedKeyVersion}s belonging to {@code keyName}.
 * <p>
 * Every element must supply the encryption key version name, the Base64
 * IV, and a nested encrypted key version carrying its own version name and
 * Base64 material; a missing field raises a NullPointerException that
 * names the field.
 *
 * @param keyName   encryption key the EEKs were generated for
 * @param valueList raw JSON array (a list of maps) from the KMS response
 * @return the parsed EEKs in response order; empty for an empty list
 */
@SuppressWarnings("rawtypes")
private static List<EncryptedKeyVersion>
    parseJSONEncKeyVersion(String keyName, List valueList) {
  final List<EncryptedKeyVersion> parsed =
      new LinkedList<EncryptedKeyVersion>();
  for (Object element : valueList) {
    parsed.add(parseOneEncKeyVersion(keyName, (Map) element));
  }
  return parsed;
}

/** Builds a single EEK from one element of the KMS EEK-generate response. */
@SuppressWarnings("rawtypes")
private static EncryptedKeyVersion parseOneEncKeyVersion(String keyName,
    Map valueMap) {
  final String versionName = checkNotNull(
      (String) valueMap.get(KMSRESTConstants.VERSION_NAME_FIELD),
      KMSRESTConstants.VERSION_NAME_FIELD);
  final byte[] iv = Base64.decodeBase64(checkNotNull(
      (String) valueMap.get(KMSRESTConstants.IV_FIELD),
      KMSRESTConstants.IV_FIELD));
  final Map encValueMap = checkNotNull(
      (Map) valueMap.get(KMSRESTConstants.ENCRYPTED_KEY_VERSION_FIELD),
      KMSRESTConstants.ENCRYPTED_KEY_VERSION_FIELD);
  final String encVersionName = checkNotNull(
      (String) encValueMap.get(KMSRESTConstants.VERSION_NAME_FIELD),
      KMSRESTConstants.VERSION_NAME_FIELD);
  final byte[] encKeyMaterial = Base64.decodeBase64(checkNotNull(
      (String) encValueMap.get(KMSRESTConstants.MATERIAL_FIELD),
      KMSRESTConstants.MATERIAL_FIELD));
  return new KMSEncryptedKeyVersion(keyName, versionName, iv,
      encVersionName, encKeyMaterial);
}
 
Example #16
Source File: KMSClientProvider.java    From big-c with Apache License 2.0
/**
 * Turns the JSON array returned by the KMS EEK-generate call into
 * {@link EncryptedKeyVersion}s belonging to {@code keyName}.
 * <p>
 * Every element must supply the encryption key version name, the Base64
 * IV, and a nested encrypted key version carrying its own version name and
 * Base64 material; a missing field raises a NullPointerException that
 * names the field.
 *
 * @param keyName   encryption key the EEKs were generated for
 * @param valueList raw JSON array (a list of maps) from the KMS response
 * @return the parsed EEKs in response order; empty for an empty list
 */
@SuppressWarnings("rawtypes")
private static List<EncryptedKeyVersion>
    parseJSONEncKeyVersion(String keyName, List valueList) {
  final List<EncryptedKeyVersion> parsed =
      new LinkedList<EncryptedKeyVersion>();
  for (Object element : valueList) {
    parsed.add(parseOneEncKeyVersion(keyName, (Map) element));
  }
  return parsed;
}

/** Builds a single EEK from one element of the KMS EEK-generate response. */
@SuppressWarnings("rawtypes")
private static EncryptedKeyVersion parseOneEncKeyVersion(String keyName,
    Map valueMap) {
  final String versionName = checkNotNull(
      (String) valueMap.get(KMSRESTConstants.VERSION_NAME_FIELD),
      KMSRESTConstants.VERSION_NAME_FIELD);
  final byte[] iv = Base64.decodeBase64(checkNotNull(
      (String) valueMap.get(KMSRESTConstants.IV_FIELD),
      KMSRESTConstants.IV_FIELD));
  final Map encValueMap = checkNotNull(
      (Map) valueMap.get(KMSRESTConstants.ENCRYPTED_KEY_VERSION_FIELD),
      KMSRESTConstants.ENCRYPTED_KEY_VERSION_FIELD);
  final String encVersionName = checkNotNull(
      (String) encValueMap.get(KMSRESTConstants.VERSION_NAME_FIELD),
      KMSRESTConstants.VERSION_NAME_FIELD);
  final byte[] encKeyMaterial = Base64.decodeBase64(checkNotNull(
      (String) encValueMap.get(KMSRESTConstants.MATERIAL_FIELD),
      KMSRESTConstants.MATERIAL_FIELD));
  return new KMSEncryptedKeyVersion(keyName, versionName, iv,
      encVersionName, encKeyMaterial);
}
 
Example #17
Source File: KMSServerJSONUtils.java    From big-c with Apache License 2.0
/**
 * Serializes an EEK into the JSON shape the KMS REST API returns: the
 * encryption key version name, the IV as URL-safe Base64, and the nested
 * encrypted key version (serialized by the {@code KeyVersion} overload).
 *
 * @param encryptedKeyVersion the EEK to serialize; {@code null} yields an
 *                            empty map
 * @return an insertion-ordered map ready for JSON encoding
 */
@SuppressWarnings("unchecked")
public static Map toJSON(EncryptedKeyVersion encryptedKeyVersion) {
  final Map json = new LinkedHashMap();
  if (encryptedKeyVersion == null) {
    return json;
  }
  json.put(KMSRESTConstants.VERSION_NAME_FIELD,
      encryptedKeyVersion.getEncryptionKeyVersionName());
  // Note the URL-safe Base64 variant here, unlike the standard variant the
  // client uses when it sends the IV back for decryption.
  final String encodedIv = Base64.encodeBase64URLSafeString(
      encryptedKeyVersion.getEncryptedKeyIv());
  json.put(KMSRESTConstants.IV_FIELD, encodedIv);
  json.put(KMSRESTConstants.ENCRYPTED_KEY_VERSION_FIELD,
      toJSON(encryptedKeyVersion.getEncryptedKeyVersion()));
  return json;
}
 
Example #18
Source File: KMSClientProvider.java    From big-c with Apache License 2.0
/**
 * Hands out the next EEK for {@code encryptionKeyName} from the client-side
 * EEK cache ({@code encKeyVersionQueue}).
 *
 * @param encryptionKeyName name of the encryption key the EEK belongs to
 * @return the next cached EEK for that key
 * @throws IOException if obtaining the EEK failed; a
 *                     {@link SocketTimeoutException} that caused the
 *                     failure is rethrown unwrapped
 * @throws GeneralSecurityException declared by the interface contract
 */
@Override
public EncryptedKeyVersion generateEncryptedKey(
    String encryptionKeyName) throws IOException, GeneralSecurityException {
  try {
    return encKeyVersionQueue.getNext(encryptionKeyName);
  } catch (ExecutionException e) {
    final Throwable cause = e.getCause();
    // Let callers see a timeout as such instead of a generic IOException.
    if (cause instanceof SocketTimeoutException) {
      throw (SocketTimeoutException) cause;
    }
    throw new IOException(e);
  }
}
 
Example #19
Source File: KMSClientProvider.java    From big-c with Apache License 2.0
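/**
 * Decrypts an EEK by posting it to the KMS EEK sub-resource of the key
 * version it was encrypted under, with the decrypt operation selected.
 * <p>
 * The JSON body carries the encryption key name plus the IV and the
 * encrypted material, both standard Base64; the KMS answers with the
 * decrypted key version, which is parsed and returned.
 *
 * @param encryptedKeyVersion the EEK to decrypt; its nested encrypted key
 *                            version must carry the {@code EEK} version name
 * @return the decrypted key version parsed from the KMS response
 * @throws IOException if the KMS request fails
 * @throws GeneralSecurityException declared by the interface contract
 * @throws NullPointerException if the EEK, its version name, IV or nested
 *                              encrypted key is null
 * @throws IllegalArgumentException if the nested encrypted key's version
 *                                  name is not {@code EEK}
 */
@SuppressWarnings("rawtypes")
@Override
public KeyVersion decryptEncryptedKey(
    EncryptedKeyVersion encryptedKeyVersion) throws IOException,
                                                    GeneralSecurityException {
  checkNotNull(encryptedKeyVersion, "encryptedKeyVersion");
  checkNotNull(encryptedKeyVersion.getEncryptionKeyVersionName(),
      "versionName");
  checkNotNull(encryptedKeyVersion.getEncryptedKeyIv(), "iv");
  // Must run before the version-name check below, which dereferences the
  // nested encrypted key; previously this check came after it and so could
  // never fire.
  checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");
  Preconditions.checkArgument(
      encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
          .equals(KeyProviderCryptoExtension.EEK),
      "encryptedKey version name must be '%s', is '%s'",
      KeyProviderCryptoExtension.EEK,
      encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
  );
  Map<String, String> params = new HashMap<String, String>();
  params.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_DECRYPT);
  Map<String, Object> jsonPayload = new HashMap<String, Object>();
  jsonPayload.put(KMSRESTConstants.NAME_FIELD,
      encryptedKeyVersion.getEncryptionKeyName());
  jsonPayload.put(KMSRESTConstants.IV_FIELD, Base64.encodeBase64String(
      encryptedKeyVersion.getEncryptedKeyIv()));
  jsonPayload.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String(
      encryptedKeyVersion.getEncryptedKeyVersion().getMaterial()));
  URL url = createURL(KMSRESTConstants.KEY_VERSION_RESOURCE,
      encryptedKeyVersion.getEncryptionKeyVersionName(),
      KMSRESTConstants.EEK_SUB_RESOURCE, params);
  HttpURLConnection conn = createConnection(url, HTTP_POST);
  conn.setRequestProperty(CONTENT_TYPE, APPLICATION_JSON_MIME);
  Map response =
      call(conn, jsonPayload, HttpURLConnection.HTTP_OK, Map.class);
  return parseJSONKeyVersion(response);
}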
 
Example #20
Source File: TestKeyProviderCryptoExtension.java    From big-c with Apache License 2.0
/**
 * Round-trip check: an EEK produced by the extension, rebuilt through
 * {@code createForDecryption} and decrypted via the API, must yield the
 * same material as a manual AES/CTR decryption with the raw encryption key
 * and the derived IV.
 */
@Test
public void testEncryptDecrypt() throws Exception {
  // Obtain an EEK from the extension under test.
  final KeyProviderCryptoExtension.EncryptedKeyVersion generated =
      kpExt.generateEncryptedKey(encryptionKey.getName());
  final byte[] iv = generated.getEncryptedKeyIv();
  final byte[] wrappedMaterial = generated.getEncryptedKeyVersion()
      .getMaterial();

  // Reference decryption, done by hand with the raw encryption key.
  final Cipher cipher = Cipher.getInstance("AES/CTR/NoPadding");
  cipher.init(Cipher.DECRYPT_MODE,
      new SecretKeySpec(encryptionKey.getMaterial(), "AES"),
      new IvParameterSpec(
          KeyProviderCryptoExtension.EncryptedKeyVersion.deriveIV(iv)));
  final byte[] expectedMaterial = cipher.doFinal(wrappedMaterial);

  // Rebuild the EEK through the createForDecryption factory ...
  final EncryptedKeyVersion rebuilt = EncryptedKeyVersion.createForDecryption(
      generated.getEncryptionKeyName(),
      generated.getEncryptionKeyVersionName(),
      generated.getEncryptedKeyIv(),
      generated.getEncryptedKeyVersion().getMaterial());

  // ... and decrypt it through the API.
  final KeyVersion decrypted = kpExt.decryptEncryptedKey(rebuilt);
  final byte[] apiMaterial = decrypted.getMaterial();

  assertArrayEquals("Wrong key material from decryptEncryptedKey",
      expectedMaterial, apiMaterial);
}
 
Example #21
Source File: TestKeyAuthorizationKeyProvider.java    From ranger with Apache License 2.0
/**
 * Decrypting an EEK whose encryption key name has been altered must be
 * rejected with an {@link IllegalArgumentException}, even when the caller
 * ("sudo") holds every ACL on the key.
 */
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  final KeyProvider userProvider =
      new UserProvider.Factory().createProvider(new URI("user:///"), conf);

  // Every op type has an ACL present on "testKey".
  final KeyACLs acls = mock(KeyACLs.class);
  for (KeyOpType op : new KeyOpType[] {KeyOpType.MANAGEMENT,
      KeyOpType.GENERATE_EEK, KeyOpType.DECRYPT_EEK, KeyOpType.ALL}) {
    when(acls.isACLPresent("testKey", op)).thenReturn(true);
  }
  // One user per op type, plus "sudo" who is granted ALL.
  final UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
  final UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
  final UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
  final UserGroupInformation sudo =
      UserGroupInformation.createRemoteUser("sudo");
  when(acls.hasAccessToKey("testKey", u1, KeyOpType.MANAGEMENT))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", u2, KeyOpType.GENERATE_EEK))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", u3, KeyOpType.DECRYPT_EEK))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", sudo, KeyOpType.ALL))
      .thenReturn(true);

  final KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(
      KeyProviderCryptoExtension.createKeyProviderCryptoExtension(userProvider),
      acls);

  sudo.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      final Options opt = newOptions(conf);
      final Map<String, String> attrs = new HashMap<String, String>();
      attrs.put("key.acl.name", "testKey");
      opt.setAttributes(attrs);

      // Create the key and roll it twice so several versions exist.
      byte[] material = new byte[16];
      SECURE_RANDOM.nextBytes(material);
      final KeyVersion kv = kpExt.createKey("foo", material, opt);
      kpExt.rollNewVersion(kv.getName());
      material = new byte[16];
      SECURE_RANDOM.nextBytes(material);
      kpExt.rollNewVersion(kv.getName(), material);

      // Rebuild the EEK with a tampered key name; decryption must reject it.
      final EncryptedKeyVersion ekv = kpExt.generateEncryptedKey(kv.getName());
      final EncryptedKeyVersion tampered =
          EncryptedKeyVersion.createForDecryption(
              ekv.getEncryptionKeyName() + "x",
              ekv.getEncryptionKeyVersionName(),
              ekv.getEncryptedKeyIv(),
              ekv.getEncryptedKeyVersion().getMaterial());
      kpExt.decryptEncryptedKey(tampered);
      return null;
    }
  });
}
 
Example #22
Source File: KMS.java    From ranger with Apache License 2.0
/**
 * Rebuilds the EEK from the enclosing scope's {@code keyName},
 * {@code versionName}, {@code iv} and {@code encMaterial}, tagging it with
 * the {@code EEK} version-name marker, and hands it to
 * {@code provider.reencryptEncryptedKey}.
 *
 * @return the re-encrypted key version returned by the provider
 * @throws Exception whatever the provider raises
 */
@Override
public EncryptedKeyVersion run() throws Exception {
  final KMSClientProvider.KMSEncryptedKeyVersion toReencrypt =
      new KMSClientProvider.KMSEncryptedKeyVersion(keyName, versionName, iv,
          KeyProviderCryptoExtension.EEK, encMaterial);
  return provider.reencryptEncryptedKey(toReencrypt);
}
 
Example #23
Source File: TestKeyAuthorizationKeyProvider.java    From big-c with Apache License 2.0
/**
 * Decrypting an EEK whose encryption key name has been altered must be
 * rejected with an {@link IllegalArgumentException}, even when the caller
 * ("sudo") holds every ACL on the key.
 */
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  final KeyProvider userProvider =
      new UserProvider.Factory().createProvider(new URI("user:///"), conf);

  // Every op type has an ACL present on "testKey".
  final KeyACLs acls = mock(KeyACLs.class);
  for (KeyOpType op : new KeyOpType[] {KeyOpType.MANAGEMENT,
      KeyOpType.GENERATE_EEK, KeyOpType.DECRYPT_EEK, KeyOpType.ALL}) {
    when(acls.isACLPresent("testKey", op)).thenReturn(true);
  }
  // One user per op type, plus "sudo" who is granted ALL.
  final UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
  final UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
  final UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
  final UserGroupInformation sudo =
      UserGroupInformation.createRemoteUser("sudo");
  when(acls.hasAccessToKey("testKey", u1, KeyOpType.MANAGEMENT))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", u2, KeyOpType.GENERATE_EEK))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", u3, KeyOpType.DECRYPT_EEK))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", sudo, KeyOpType.ALL))
      .thenReturn(true);

  final KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(
      KeyProviderCryptoExtension.createKeyProviderCryptoExtension(userProvider),
      acls);

  sudo.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      final Options opt = newOptions(conf);
      final Map<String, String> attrs = new HashMap<String, String>();
      attrs.put("key.acl.name", "testKey");
      opt.setAttributes(attrs);

      // Create the key and roll it twice so several versions exist.
      final KeyVersion kv =
          kpExt.createKey("foo", SecureRandom.getSeed(16), opt);
      kpExt.rollNewVersion(kv.getName());
      kpExt.rollNewVersion(kv.getName(), SecureRandom.getSeed(16));

      // Rebuild the EEK with a tampered key name; decryption must reject it.
      final EncryptedKeyVersion ekv = kpExt.generateEncryptedKey(kv.getName());
      final EncryptedKeyVersion tampered =
          EncryptedKeyVersion.createForDecryption(
              ekv.getEncryptionKeyName() + "x",
              ekv.getEncryptionKeyVersionName(),
              ekv.getEncryptedKeyIv(),
              ekv.getEncryptedKeyVersion().getMaterial());
      kpExt.decryptEncryptedKey(tampered);
      return null;
    }
  });
}
 
Example #24
Source File: TestKeyProviderCryptoExtension.java    From big-c with Apache License 2.0
/**
 * A generated EEK must carry the {@code EEK} version name and the
 * encryption key's name, its encrypted material must be as long as but
 * different from the encryption key; decrypting it must give an
 * {@code EK}-versioned key that is stable across repeated decryptions; and
 * two generated EEKs must differ in both material and IV.
 */
@Test
public void testGenerateEncryptedKey() throws Exception {
  final byte[] ekMaterial = encryptionKey.getMaterial();

  // Generate a new EEK and check its shape.
  final KeyProviderCryptoExtension.EncryptedKeyVersion first =
      kpExt.generateEncryptedKey(encryptionKey.getName());
  final byte[] firstMaterial = first.getEncryptedKeyVersion().getMaterial();
  assertEquals("Version name of EEK should be EEK",
      KeyProviderCryptoExtension.EEK,
      first.getEncryptedKeyVersion().getVersionName());
  assertEquals("Name of EEK should be encryption key name",
      ENCRYPTION_KEY_NAME, first.getEncryptionKeyName());
  assertNotNull("Expected encrypted key material", firstMaterial);
  assertEquals("Length of encryption key material and EEK material should "
          + "be the same", ekMaterial.length, firstMaterial.length);

  // Decrypt the EEK into an EK and check it.
  final KeyVersion decrypted = kpExt.decryptEncryptedKey(first);
  assertEquals(KeyProviderCryptoExtension.EK, decrypted.getVersionName());
  assertEquals(ekMaterial.length, decrypted.getMaterial().length);
  failIfSameMaterial(
      "Encrypted key material should not equal encryption key material",
      decrypted.getMaterial(), ekMaterial);
  failIfSameMaterial(
      "Encrypted key material should not equal decrypted key material",
      firstMaterial, ekMaterial);

  // Decrypting the same EEK again must give the same material.
  final KeyVersion decryptedAgain = kpExt.decryptEncryptedKey(first);
  assertArrayEquals(decrypted.getMaterial(), decryptedAgain.getMaterial());

  // A second EEK must differ from the first in both material and IV.
  final KeyProviderCryptoExtension.EncryptedKeyVersion second =
      kpExt.generateEncryptedKey(encryptionKey.getName());
  final KeyVersion decryptedSecond = kpExt.decryptEncryptedKey(second);
  failIfSameMaterial("Generated EEKs should have different material!",
      decrypted.getMaterial(), decryptedSecond.getMaterial());
  failIfSameMaterial("Generated EEKs should have different IVs!",
      first.getEncryptedKeyIv(), second.getEncryptedKeyIv());
}

/** Fails the test with {@code message} when the two byte arrays are equal. */
private static void failIfSameMaterial(String message, byte[] a, byte[] b) {
  if (Arrays.equals(a, b)) {
    fail(message);
  }
}
 
Example #25
Source File: KMSClientProvider.java    From big-c with Apache License 2.0
/**
 * Creates a KMS client for the KMS addressed by {@code uri}.
 * <p>
 * Only an {@code https} KMS URL gets an initialised {@link SSLFactory};
 * for any other scheme {@code sslFactory} stays null and the connection
 * configurator is built without TLS, so KMS traffic goes over plain HTTP.
 * The EEK cache is a {@code ValueQueue} whose size, low watermark, expiry
 * and refill-thread count come from the
 * {@code CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_*} keys.
 *
 * @param uri  the KMS URI; the service URL is derived via
 *             {@code extractKMSPath} / {@code createServiceURL}
 * @param conf configuration supplying timeout, auth retries and cache sizing
 * @throws IOException if the service URL is malformed or the SSL factory
 *                     cannot be initialised
 */
public KMSClientProvider(URI uri, Configuration conf) throws IOException {
  super(conf);
  kmsUrl = createServiceURL(extractKMSPath(uri));
  final boolean isHttps =
      "https".equalsIgnoreCase(new URL(kmsUrl).getProtocol());
  if (isHttps) {
    sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT, conf);
    try {
      sslFactory.init();
    } catch (GeneralSecurityException ex) {
      throw new IOException(ex);
    }
  }
  final int timeout = conf.getInt(TIMEOUT_ATTR, DEFAULT_TIMEOUT);
  authRetry = conf.getInt(AUTH_RETRY, DEFAULT_AUTH_RETRY);
  configurator = new TimeoutConnConfigurator(timeout, sslFactory);

  final int cacheSize = conf.getInt(
      CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_SIZE,
      CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_SIZE_DEFAULT);
  final float lowWatermark = conf.getFloat(
      CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_LOW_WATERMARK,
      CommonConfigurationKeysPublic.
          KMS_CLIENT_ENC_KEY_CACHE_LOW_WATERMARK_DEFAULT);
  final int expiryMs = conf.getInt(
      CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_EXPIRY_MS,
      CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_EXPIRY_DEFAULT);
  final int refillThreads = conf.getInt(
      CommonConfigurationKeysPublic.
          KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS,
      CommonConfigurationKeysPublic.
          KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT);
  encKeyVersionQueue =
      new ValueQueue<KeyProviderCryptoExtension.EncryptedKeyVersion>(
          cacheSize, lowWatermark, expiryMs, refillThreads,
          new EncryptedQueueRefiller());

  authToken = new DelegationTokenAuthenticatedURL.Token();
  // A proxy-authenticated caller talks to the KMS as its real user.
  final UserGroupInformation currentUser =
      UserGroupInformation.getCurrentUser();
  actualUgi = (currentUser.getAuthenticationMethod()
      == UserGroupInformation.AuthenticationMethod.PROXY)
      ? currentUser.getRealUser() : currentUser;
}
 
Example #26
Source File: TestKeyAuthorizationKeyProvider.java    From hadoop with Apache License 2.0
/**
 * Decrypting an EEK whose encryption key name has been altered must be
 * rejected with an {@link IllegalArgumentException}, even when the caller
 * ("sudo") holds every ACL on the key.
 */
@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
  final Configuration conf = new Configuration();
  final KeyProvider userProvider =
      new UserProvider.Factory().createProvider(new URI("user:///"), conf);

  // Every op type has an ACL present on "testKey".
  final KeyACLs acls = mock(KeyACLs.class);
  for (KeyOpType op : new KeyOpType[] {KeyOpType.MANAGEMENT,
      KeyOpType.GENERATE_EEK, KeyOpType.DECRYPT_EEK, KeyOpType.ALL}) {
    when(acls.isACLPresent("testKey", op)).thenReturn(true);
  }
  // One user per op type, plus "sudo" who is granted ALL.
  final UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
  final UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
  final UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
  final UserGroupInformation sudo =
      UserGroupInformation.createRemoteUser("sudo");
  when(acls.hasAccessToKey("testKey", u1, KeyOpType.MANAGEMENT))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", u2, KeyOpType.GENERATE_EEK))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", u3, KeyOpType.DECRYPT_EEK))
      .thenReturn(true);
  when(acls.hasAccessToKey("testKey", sudo, KeyOpType.ALL))
      .thenReturn(true);

  final KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(
      KeyProviderCryptoExtension.createKeyProviderCryptoExtension(userProvider),
      acls);

  sudo.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      final Options opt = newOptions(conf);
      final Map<String, String> attrs = new HashMap<String, String>();
      attrs.put("key.acl.name", "testKey");
      opt.setAttributes(attrs);

      // Create the key and roll it twice so several versions exist.
      final KeyVersion kv =
          kpExt.createKey("foo", SecureRandom.getSeed(16), opt);
      kpExt.rollNewVersion(kv.getName());
      kpExt.rollNewVersion(kv.getName(), SecureRandom.getSeed(16));

      // Rebuild the EEK with a tampered key name; decryption must reject it.
      final EncryptedKeyVersion ekv = kpExt.generateEncryptedKey(kv.getName());
      final EncryptedKeyVersion tampered =
          EncryptedKeyVersion.createForDecryption(
              ekv.getEncryptionKeyName() + "x",
              ekv.getEncryptionKeyVersionName(),
              ekv.getEncryptedKeyIv(),
              ekv.getEncryptedKeyVersion().getMaterial());
      kpExt.decryptEncryptedKey(tampered);
      return null;
    }
  });
}
 
Example #27
Source File: TestKeyProviderCryptoExtension.java    From hadoop with Apache License 2.0
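@Test
public void testGenerateEncryptedKey() throws Exception {
  // Generate a new EEK wrapped with the shared encryption key and check the
  // envelope: EEK version name, the wrapping key's name, and material of the
  // same length as the encryption key.
  KeyProviderCryptoExtension.EncryptedKeyVersion ek1 =
      kpExt.generateEncryptedKey(encryptionKey.getName());
  assertEquals("Version name of EEK should be EEK",
      KeyProviderCryptoExtension.EEK,
      ek1.getEncryptedKeyVersion().getVersionName());
  assertEquals("Name of EEK should be encryption key name",
      ENCRYPTION_KEY_NAME, ek1.getEncryptionKeyName());
  assertNotNull("Expected encrypted key material",
      ek1.getEncryptedKeyVersion().getMaterial());
  assertEquals("Length of encryption key material and EEK material should "
          + "be the same", encryptionKey.getMaterial().length,
      ek1.getEncryptedKeyVersion().getMaterial().length
  );

  // Decrypt the EEK into an EK and check it.
  KeyVersion k1 = kpExt.decryptEncryptedKey(ek1);
  assertEquals(KeyProviderCryptoExtension.EK, k1.getVersionName());
  assertEquals(encryptionKey.getMaterial().length, k1.getMaterial().length);
  // The unwrapped EK must be fresh material: if it equals the wrapping key,
  // the provider has handed the KMS key itself to the caller.
  if (Arrays.equals(k1.getMaterial(), encryptionKey.getMaterial())) {
    fail("Decrypted key material should not equal encryption key material");
  }
  // The wrapped material must not be the wrapping key either.
  if (Arrays.equals(ek1.getEncryptedKeyVersion().getMaterial(),
      encryptionKey.getMaterial())) {
    fail("Encrypted key material should not equal encryption key material");
  }
  // And wrapping must actually transform the EK: ciphertext == plaintext
  // would mean no encryption happened.
  if (Arrays.equals(ek1.getEncryptedKeyVersion().getMaterial(),
      k1.getMaterial())) {
    fail("Encrypted key material should not equal decrypted key material");
  }
  // Decrypting the same EEK again must be deterministic.
  KeyVersion k1a = kpExt.decryptEncryptedKey(ek1);
  assertArrayEquals(k1.getMaterial(), k1a.getMaterial());

  // Generate another EEK: both the unwrapped material and the IV must
  // differ from the first one (no key or IV reuse across generations).
  KeyProviderCryptoExtension.EncryptedKeyVersion ek2 =
      kpExt.generateEncryptedKey(encryptionKey.getName());
  KeyVersion k2 = kpExt.decryptEncryptedKey(ek2);
  if (Arrays.equals(k1.getMaterial(), k2.getMaterial())) {
    fail("Generated EEKs should have different material!");
  }
  if (Arrays.equals(ek1.getEncryptedKeyIv(), ek2.getEncryptedKeyIv())) {
    fail("Generated EEKs should have different IVs!");
  }
}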
 
Example #28
Source File: KMSClientProvider.java    From hadoop with Apache License 2.0
public KMSClientProvider(URI uri, Configuration conf) throws IOException {
  super(conf);
  kmsUrl = createServiceURL(extractKMSPath(uri));

  // A TLS client factory is only built for an https KMS endpoint; for a
  // plain http URL sslFactory stays null and key material crosses the wire
  // unencrypted, so https should be the expectation in any real deployment.
  String scheme = new URL(kmsUrl).getProtocol();
  if ("https".equalsIgnoreCase(scheme)) {
    sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT, conf);
    try {
      sslFactory.init();
    } catch (GeneralSecurityException ex) {
      // Callers only deal in IOException; keep the cause attached.
      throw new IOException(ex);
    }
  }

  int connTimeout = conf.getInt(TIMEOUT_ATTR, DEFAULT_TIMEOUT);
  authRetry = conf.getInt(AUTH_RETRY, DEFAULT_AUTH_RETRY);
  configurator = new TimeoutConnConfigurator(connTimeout, sslFactory);

  // Client-side queue of pre-fetched EEKs, sized/refilled from the
  // kms client cache settings.
  int cacheSize = conf.getInt(
      CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_SIZE,
      CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_SIZE_DEFAULT);
  float lowWatermark = conf.getFloat(
      CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_LOW_WATERMARK,
      CommonConfigurationKeysPublic
          .KMS_CLIENT_ENC_KEY_CACHE_LOW_WATERMARK_DEFAULT);
  int expiryMs = conf.getInt(
      CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_EXPIRY_MS,
      CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_EXPIRY_DEFAULT);
  int refillThreads = conf.getInt(
      CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS,
      CommonConfigurationKeysPublic
          .KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS_DEFAULT);
  encKeyVersionQueue =
      new ValueQueue<KeyProviderCryptoExtension.EncryptedKeyVersion>(
          cacheSize, lowWatermark, expiryMs, refillThreads,
          new EncryptedQueueRefiller());

  authToken = new DelegationTokenAuthenticatedURL.Token();

  // When the current UGI is a proxy user, talk to the KMS as the real user
  // behind the proxy rather than the impersonated identity.
  UserGroupInformation current = UserGroupInformation.getCurrentUser();
  boolean isProxy = current.getAuthenticationMethod()
      == UserGroupInformation.AuthenticationMethod.PROXY;
  actualUgi = isProxy ? current.getRealUser() : current;
}