@Override public EncryptedKeyVersion generateEncryptedKey(String encryptionKeyName) throws IOException, GeneralSecurityException { // Fetch the encryption key KeyVersion encryptionKey = keyProvider.getCurrentKey(encryptionKeyName); Preconditions.checkNotNull(encryptionKey, "No KeyVersion exists for key '%s' ", encryptionKeyName); // Generate random bytes for new key and IV CryptoCodec cc = CryptoCodec.getInstance(keyProvider.getConf()); try { final byte[] newKey = new byte[encryptionKey.getMaterial().length]; cc.generateSecureRandom(newKey); final byte[] iv = new byte[cc.getCipherSuite().getAlgorithmBlockSize()]; cc.generateSecureRandom(iv); Encryptor encryptor = cc.createEncryptor(); return generateEncryptedKey(encryptor, encryptionKey, newKey, iv); } finally { cc.close(); } }
/** Update the {@link #encryptor}: calculate counter and {@link #padding}. */ private void updateEncryptor() throws IOException { final long counter = streamOffset / codec.getCipherSuite().getAlgorithmBlockSize(); padding = (byte)(streamOffset % codec.getCipherSuite().getAlgorithmBlockSize()); inBuffer.position(padding); // Set proper position for input data. codec.calculateIV(initIV, counter, iv); encryptor.init(key, iv); }
@Override public KeyVersion decryptEncryptedKey( EncryptedKeyVersion encryptedKeyVersion) throws IOException, GeneralSecurityException { // Fetch the encryption key material final String encryptionKeyVersionName = encryptedKeyVersion.getEncryptionKeyVersionName(); final KeyVersion encryptionKey = keyProvider.getKeyVersion(encryptionKeyVersionName); Preconditions .checkNotNull(encryptionKey, "KeyVersion name '%s' does not exist", encryptionKeyVersionName); Preconditions.checkArgument( encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', but found '%s'", KeyProviderCryptoExtension.EEK, encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()); try (CryptoCodec cc = CryptoCodec.getInstance(keyProvider.getConf())) { final Decryptor decryptor = cc.createDecryptor(); return decryptEncryptedKey(decryptor, encryptionKey, encryptedKeyVersion); } }
@Override public Encryptor createEncryptor(Configuration conf, FileEncryptionInfo feInfo, DFSClient client) throws IOException { try { KeyVersion decryptedKey = (KeyVersion) decryptEncryptedDataEncryptionKeyMethod.invoke(client, feInfo); CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf, feInfo.getCipherSuite()); Encryptor encryptor = cryptoCodec.createEncryptor(); encryptor.init(decryptedKey.getMaterial(), feInfo.getIV()); return encryptor; } catch (InvocationTargetException e) { Throwables.propagateIfPossible(e.getTargetException(), IOException.class); throw new RuntimeException(e.getTargetException()); } catch (GeneralSecurityException e) { throw new IOException(e); } catch (IllegalAccessException e) { throw new RuntimeException(e); } } };
/** * This method creates and initializes an IV (Initialization Vector) * * @param conf * @return byte[] * @throws IOException */ public static byte[] createIV(Configuration conf) throws IOException { CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf); if (isEncryptedSpillEnabled(conf)) { byte[] iv = new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()]; cryptoCodec.generateSecureRandom(iv); return iv; } else { return null; } }
/** * Get crypto codec for algorithm/mode/padding in config value * hadoop.security.crypto.cipher.suite * * @param conf * the configuration * @return CryptoCodec the codec object Null value will be returned if no * crypto codec classes with cipher suite configured. */ public static CryptoCodec getInstance(Configuration conf) { String name = conf.get(HADOOP_SECURITY_CRYPTO_CIPHER_SUITE_KEY, HADOOP_SECURITY_CRYPTO_CIPHER_SUITE_DEFAULT); return getInstance(conf, CipherSuite.convert(name)); }
public static int cryptoPadding(Configuration conf) { // Sizeof(IV) + long(start-offset) return isEncryptedSpillEnabled(conf) ? CryptoCodec.getInstance(conf) .getCipherSuite().getAlgorithmBlockSize() + 8 : 0; }
DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_KEY, DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_DEFAULT) / 8; CryptoCodec codec = CryptoCodec.getInstance(conf, suite); byte[] inKey = new byte[keyLen]; byte[] inIv = new byte[suite.getAlgorithmBlockSize()]; byte[] outKey = new byte[keyLen]; byte[] outIv = new byte[suite.getAlgorithmBlockSize()]; codec.generateSecureRandom(inKey); codec.generateSecureRandom(inIv); codec.generateSecureRandom(outKey); codec.generateSecureRandom(outIv); return new CipherOption(suite, inKey, inIv, outKey, outIv);
Decryptor decryptor = null; Encryptor encryptor = null; try (CryptoCodec cc = CryptoCodec.getInstance(keyProvider.getConf())) { decryptor = cc.createDecryptor(); encryptor = cc.createEncryptor(); ListIterator<EncryptedKeyVersion> iter = ekvs.listIterator(); while (iter.hasNext()) {
/** Check and floor buffer size */ public static int checkBufferSize(CryptoCodec codec, int bufferSize) { Preconditions.checkArgument(bufferSize >= MIN_BUFFER_SIZE, "Minimum value of buffer size is " + MIN_BUFFER_SIZE + "."); return bufferSize - bufferSize % codec.getCipherSuite() .getAlgorithmBlockSize(); }
@Override public EncryptedKeyVersion reencryptEncryptedKey(EncryptedKeyVersion ekv) throws IOException, GeneralSecurityException { final String ekName = ekv.getEncryptionKeyName(); final KeyVersion ekNow = keyProvider.getCurrentKey(ekName); Preconditions .checkNotNull(ekNow, "KeyVersion name '%s' does not exist", ekName); Preconditions.checkArgument(ekv.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', but found '%s'", KeyProviderCryptoExtension.EEK, ekv.getEncryptedKeyVersion().getVersionName()); if (ekv.getEncryptedKeyVersion().equals(ekNow)) { // no-op if same key version return ekv; } final KeyVersion dek = decryptEncryptedKey(ekv); final CryptoCodec cc = CryptoCodec.getInstance(keyProvider.getConf()); try { final Encryptor encryptor = cc.createEncryptor(); return generateEncryptedKey(encryptor, ekNow, dek.getMaterial(), ekv.getEncryptedKeyIv()); } finally { cc.close(); } }
List<Class<? extends CryptoCodec>> klasses = getCodecClasses( conf, cipherSuite); if (klasses == null) { try { CryptoCodec c = ReflectionUtils.newInstance(klass, conf); if (c.getCipherSuite().getName().equals(cipherSuite.getName())) { if (codec == null) { PerformanceAdvisory.LOG.debug("Using crypto codec {}.",
DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_KEY, DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_DEFAULT) / 8; CryptoCodec codec = CryptoCodec.getInstance(conf, suite); byte[] inKey = new byte[keyLen]; byte[] inIv = new byte[suite.getAlgorithmBlockSize()]; byte[] outIv = new byte[suite.getAlgorithmBlockSize()]; assert codec != null; codec.generateSecureRandom(inKey); codec.generateSecureRandom(inIv); codec.generateSecureRandom(outKey); codec.generateSecureRandom(outIv); codec.close(); return new CipherOption(suite, inKey, inIv, outKey, outIv);
/** Calculate the counter and iv, update the decryptor. */ private void updateDecryptor(Decryptor decryptor, long position, byte[] iv) throws IOException { final long counter = getCounter(position); codec.calculateIV(initIV, counter, iv); decryptor.init(key, iv); }
private void checkSecureRandom(CryptoCodec codec, int len) { byte[] rand = new byte[len]; byte[] rand1 = new byte[len]; codec.generateSecureRandom(rand); codec.generateSecureRandom(rand1); Assert.assertEquals(len, rand.length); Assert.assertEquals(len, rand1.length); Assert.assertFalse(Arrays.equals(rand, rand1)); }
public CryptoOutputStream(OutputStream out, CryptoCodec codec, byte[] key, byte[] iv, long streamOffset, boolean closeOutputStream) throws IOException { this(out, codec, CryptoStreamUtils.getBufferSize(codec.getConf()), key, iv, streamOffset, closeOutputStream); }
/** Get decryptor from pool */ private Decryptor getDecryptor() throws IOException { Decryptor decryptor = decryptorPool.poll(); if (decryptor == null) { try { decryptor = codec.createDecryptor(); } catch (GeneralSecurityException e) { throw new IOException(e); } } return decryptor; }
public EncryptHandler(CryptoCodec codec, byte[] key, byte[] iv) throws GeneralSecurityException, IOException { this.encryptor = codec.createEncryptor(); this.encryptor.init(key, Arrays.copyOf(iv, iv.length)); }
/** * This method creates and initializes an IV (Initialization Vector) * * @param conf * @return byte[] * @throws IOException */ public static byte[] createIV(Configuration conf) throws IOException { CryptoCodec cryptoCodec = CryptoCodec.getInstance(conf); if (isEncryptedSpillEnabled(conf)) { byte[] iv = new byte[cryptoCodec.getCipherSuite().getAlgorithmBlockSize()]; cryptoCodec.generateSecureRandom(iv); return iv; } else { return null; } }
CryptoCodec codec = CryptoCodec.getInstance(conf, cipherOption.getCipherSuite()); p.addLast(new EncryptHandler(codec, cipherOption.getInKey(), cipherOption.getInIv()), new DecryptHandler(codec, cipherOption.getOutKey(), cipherOption.getOutIv()));