"EncryptedKeyVersion is null"); Preconditions.checkArgument( ekv.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', but found '%s'", KeyProviderCryptoExtension.EEK, ekv.getEncryptedKeyVersion().getVersionName()); .checkNotNull(ekNow, "Key name '%s' does not exist", ekName); } else { Preconditions.checkArgument(ekNow.getName().equals(ekName), "All keys must have the same key name. Expected '%s' " + "but found '%s'", ekNow.getName(), ekName); Preconditions.checkNotNull(encryptionKey, "KeyVersion name '%s' does not exist", encryptionKeyVersionName); if (encryptionKey.equals(ekNow)) { iter.set(generateEncryptedKey(encryptor, ekNow, ek.getMaterial(), ekv.getEncryptedKeyIv()));
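/**
 * Looks up a key version by its keystore alias.
 *
 * <p>Only the alias and the keystore path are included in error messages;
 * key material is never echoed into an exception.
 *
 * @param versionName the keystore alias of the key version
 * @return the key version, or {@code null} if the alias is not present in the
 *     keystore
 * @throws IOException if the keystore cannot be queried, the key's algorithm
 *     is unavailable, the key cannot be recovered with the keystore password,
 *     or the alias exists but does not hold a key entry
 */
@Override
public KeyVersion getKeyVersion(String versionName) throws IOException {
  readLock.lock();
  try {
    final SecretKeySpec key;
    try {
      if (!keyStore.containsAlias(versionName)) {
        return null;
      }
      key = (SecretKeySpec) keyStore.getKey(versionName, password);
    } catch (KeyStoreException e) {
      throw new IOException("Can't get key " + versionName + " from " + path, e);
    } catch (NoSuchAlgorithmException e) {
      // Report the alias: the key object is not assigned yet at this point,
      // so naming it here would only ever print "null".
      throw new IOException(
          "Can't get algorithm for key " + versionName + " from " + path, e);
    } catch (UnrecoverableKeyException e) {
      throw new IOException("Can't recover key " + versionName + " from " + path, e);
    }
    if (key == null) {
      // KeyStore.getKey() returns null when the alias exists but does not
      // identify a key-related entry; fail explicitly rather than with an NPE.
      throw new IOException(
          "Alias " + versionName + " in " + path + " does not hold a key entry");
    }
    return new KeyVersion(getBaseName(versionName), versionName, key.getEncoded());
  } finally {
    readLock.unlock();
  }
}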
KeyProvider.KeyVersion kv0 = kp.createKey("k1", options); Assert.assertNotNull(kv0); Assert.assertNotNull(kv0.getVersionName()); Assert.assertNotNull(kv0.getMaterial()); KeyProvider.KeyVersion kv1 = kp.getKeyVersion(kv0.getVersionName()); Assert.assertEquals(kv0.getVersionName(), kv1.getVersionName()); Assert.assertNotNull(kv1.getMaterial()); Assert.assertEquals(kv0.getVersionName(), cv1.getVersionName()); Assert.assertNotNull(cv1.getMaterial()); Assert.assertEquals(kv0.getVersionName(), lkv1.get(0).getVersionName()); Assert.assertNotNull(kv1.getMaterial()); Assert.assertNotSame(kv0.getVersionName(), kv2.getVersionName()); Assert.assertNotNull(kv2.getMaterial()); kv2 = kp.getKeyVersion(kv2.getVersionName()); boolean eq = true; for (int i = 0; i < kv1.getMaterial().length; i++) { eq = eq && kv1.getMaterial()[i] == kv2.getMaterial()[i]; Assert.assertEquals(kv2.getVersionName(), cv2.getVersionName()); Assert.assertNotNull(cv2.getMaterial()); eq = true; for (int i = 0; i < kv1.getMaterial().length; i++) { eq = eq && cv2.getMaterial()[i] == kv2.getMaterial()[i];
KeyProvider.KeyVersion kv0 = kp.createKey("k1", options); Assert.assertNotNull(kv0); Assert.assertNotNull(kv0.getVersionName()); Assert.assertNotNull(kv0.getMaterial()); KeyProvider.KeyVersion kv1 = kp.getKeyVersion(kv0.getVersionName()); Assert.assertEquals(kv0.getVersionName(), kv1.getVersionName()); Assert.assertNotNull(kv1.getMaterial()); Assert.assertEquals(kv0.getVersionName(), cv1.getVersionName()); Assert.assertNotNull(cv1.getMaterial()); Assert.assertEquals(kv0.getVersionName(), lkv1.get(0).getVersionName()); Assert.assertNotNull(kv1.getMaterial()); Assert.assertNotSame(kv0.getVersionName(), kv2.getVersionName()); Assert.assertNotNull(kv2.getMaterial()); kv2 = kp.getKeyVersion(kv2.getVersionName()); boolean eq = true; for (int i = 0; i < kv1.getMaterial().length; i++) { eq = eq && kv1.getMaterial()[i] == kv2.getMaterial()[i]; Assert.assertEquals(kv2.getVersionName(), cv2.getVersionName()); Assert.assertNotNull(cv2.getMaterial()); eq = true; for (int i = 0; i < kv1.getMaterial().length; i++) { eq = eq && cv2.getMaterial()[i] == kv2.getMaterial()[i];
assertEquals(1, meta.getVersions()); assertArrayEquals(key3, provider.getCurrentKey("key3").getMaterial()); assertEquals("key3@0", provider.getCurrentKey("key3").getVersionName()); assertEquals(2, meta.getVersions()); assertArrayEquals(new byte[]{2}, provider.getCurrentKey("key4").getMaterial()); assertArrayEquals(new byte[]{1}, provider.getKeyVersion("key4@0").getMaterial()); assertEquals("key4@1", provider.getCurrentKey("key4").getVersionName()); try { provider.rollNewVersion("key4", key1); provider.getCurrentKey("key4").getMaterial()); assertArrayEquals(key3, provider.getCurrentKey("key3").getMaterial()); assertEquals("key3@0", provider.getCurrentKey("key3").getVersionName()); assertTrue("KeyVersions should have included key3@0.", kvl.get(0).getVersionName().equals("key3@0")); assertArrayEquals(key3, kvl.get(0).getMaterial());
assertEquals(1, meta.getVersions()); assertArrayEquals(key3, provider.getCurrentKey("key3").getMaterial()); assertEquals("key3@0", provider.getCurrentKey("key3").getVersionName()); assertEquals(2, meta.getVersions()); assertArrayEquals(new byte[]{2}, provider.getCurrentKey("key4").getMaterial()); assertArrayEquals(new byte[]{1}, provider.getKeyVersion("key4@0").getMaterial()); assertEquals("key4@1", provider.getCurrentKey("key4").getVersionName()); try { provider.rollNewVersion("key4", key1); provider.getCurrentKey("key4").getMaterial()); assertArrayEquals(key3, provider.getCurrentKey("key3").getMaterial()); assertEquals("key3@0", provider.getCurrentKey("key3").getVersionName()); assertTrue("KeyVersions should have included key3@0.", kvl.get(0).getVersionName().equals("key3@0")); assertArrayEquals(key3, kvl.get(0).getMaterial());
" NewVersion:" + keyVersion.getVersionName());
options.setDescription("l1"); KeyProvider.KeyVersion kv0 = kmscp.createKey(keyName, options); assertNotNull(kv0.getVersionName());
new KMSClientProvider[] { p1, p2, p3, p4 }, 0, conf); assertEquals("p1", kp.createKey("test4", new Options(conf)).getName()); kp.createKey("test1", new Options(conf)).getName(); fail("Should fail since its not an IOException"); } catch (Exception e) { assertTrue(e instanceof NoSuchAlgorithmException); assertEquals("p3", kp.createKey("test2", new Options(conf)).getName()); assertEquals("p1", kp.createKey("test3", new Options(conf)).getName());
kpExt.generateEncryptedKey(encryptionKey.getName()); assertEquals("Version name of EEK should be EEK", KeyProviderCryptoExtension.EEK, ek1.getEncryptedKeyVersion().getVersionName()); assertEquals("Name of EEK should be encryption key name", ENCRYPTION_KEY_NAME, ek1.getEncryptionKeyName()); assertNotNull("Expected encrypted key material", ek1.getEncryptedKeyVersion().getMaterial()); assertEquals("Length of encryption key material and EEK material should " + "be the same", encryptionKey.getMaterial().length, ek1.getEncryptedKeyVersion().getMaterial().length ); assertEquals(KeyProviderCryptoExtension.EK, k1.getVersionName()); assertEquals(encryptionKey.getMaterial().length, k1.getMaterial().length); if (Arrays.equals(k1.getMaterial(), encryptionKey.getMaterial())) { fail("Encrypted key material should not equal encryption key material"); if (Arrays.equals(ek1.getEncryptedKeyVersion().getMaterial(), encryptionKey.getMaterial())) { fail("Encrypted key material should not equal decrypted key material"); assertArrayEquals(k1.getMaterial(), k1a.getMaterial()); kpExt.generateEncryptedKey(encryptionKey.getName()); KeyVersion k2 = kpExt.decryptEncryptedKey(ek2); if (Arrays.equals(k1.getMaterial(), k2.getMaterial())) { fail("Generated EEKs should have different material!");
"KeyVersion name '%s' does not exist", encryptionKeyVersionName); Preconditions.checkArgument( encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', is '%s'", KeyProviderCryptoExtension.EEK, encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() ); decryptor.init(encryptionKey.getMaterial(), encryptionIV); final KeyVersion encryptedKV = encryptedKeyVersion.getEncryptedKeyVersion(); int keyLen = encryptedKV.getMaterial().length; ByteBuffer bbIn = ByteBuffer.allocateDirect(keyLen); ByteBuffer bbOut = ByteBuffer.allocateDirect(keyLen); bbIn.put(encryptedKV.getMaterial()); bbIn.flip(); decryptor.decrypt(bbIn, bbOut); byte[] decryptedKey = new byte[keyLen]; bbOut.get(decryptedKey); return new KeyVersion(encryptionKey.getName(), EK, decryptedKey);
"KeyVersion name '%s' does not exist", encryptionKeyVersionName); Preconditions.checkArgument( encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', is '%s'", KeyProviderCryptoExtension.EEK, encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() ); decryptor.init(encryptionKey.getMaterial(), encryptionIV); final KeyVersion encryptedKV = encryptedKeyVersion.getEncryptedKeyVersion(); int keyLen = encryptedKV.getMaterial().length; ByteBuffer bbIn = ByteBuffer.allocateDirect(keyLen); ByteBuffer bbOut = ByteBuffer.allocateDirect(keyLen); bbIn.put(encryptedKV.getMaterial()); bbIn.flip(); decryptor.decrypt(bbIn, bbOut); byte[] decryptedKey = new byte[keyLen]; bbOut.get(decryptedKey); return new KeyVersion(encryptionKey.getName(), EK, decryptedKey);
new KMSClientProvider[] { p1, p2, p3, p4 }, 0, conf); assertEquals("p1", kp.createKey("test4", new Options(conf)).getName()); kp.createKey("test1", new Options(conf)).getName(); fail("Should fail since its not an IOException"); } catch (Exception e) { assertTrue(e instanceof NoSuchAlgorithmException); assertEquals("p3", kp.createKey("test2", new Options(conf)).getName()); assertEquals("p1", kp.createKey("test3", new Options(conf)).getName());
kpExt.generateEncryptedKey(encryptionKey.getName()); assertEquals("Version name of EEK should be EEK", KeyProviderCryptoExtension.EEK, ek1.getEncryptedKeyVersion().getVersionName()); assertEquals("Name of EEK should be encryption key name", ENCRYPTION_KEY_NAME, ek1.getEncryptionKeyName()); assertNotNull("Expected encrypted key material", ek1.getEncryptedKeyVersion().getMaterial()); assertEquals("Length of encryption key material and EEK material should " + "be the same", encryptionKey.getMaterial().length, ek1.getEncryptedKeyVersion().getMaterial().length ); assertEquals(KeyProviderCryptoExtension.EK, k1.getVersionName()); assertEquals(encryptionKey.getMaterial().length, k1.getMaterial().length); if (Arrays.equals(k1.getMaterial(), encryptionKey.getMaterial())) { fail("Encrypted key material should not equal encryption key material"); if (Arrays.equals(ek1.getEncryptedKeyVersion().getMaterial(), encryptionKey.getMaterial())) { fail("Encrypted key material should not equal decrypted key material"); assertArrayEquals(k1.getMaterial(), k1a.getMaterial()); kpExt.generateEncryptedKey(encryptionKey.getName()); KeyVersion k2 = kpExt.decryptEncryptedKey(ek2); if (Arrays.equals(k1.getMaterial(), k2.getMaterial())) { fail("Generated EEKs should have different material!");
"KeyVersion name '%s' does not exist", encryptionKeyVersionName); Preconditions.checkArgument( encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', is '%s'", KeyProviderCryptoExtension.EEK, encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() ); decryptor.init(encryptionKey.getMaterial(), encryptionIV); final KeyVersion encryptedKV = encryptedKeyVersion.getEncryptedKeyVersion(); int keyLen = encryptedKV.getMaterial().length; ByteBuffer bbIn = ByteBuffer.allocateDirect(keyLen); ByteBuffer bbOut = ByteBuffer.allocateDirect(keyLen); bbIn.put(encryptedKV.getMaterial()); bbIn.flip(); decryptor.decrypt(bbIn, bbOut); byte[] decryptedKey = new byte[keyLen]; bbOut.get(decryptedKey); return new KeyVersion(encryptionKey.getName(), EK, decryptedKey);
checkNotNull(encryptedKeyVersion.getEncryptedKeyIv(), "iv"); Preconditions.checkArgument( encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', is '%s'", KeyProviderCryptoExtension.EEK, encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() ); checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey"); encryptedKeyVersion.getEncryptedKeyIv())); jsonPayload.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String( encryptedKeyVersion.getEncryptedKeyVersion().getMaterial())); URL url = createURL(KMSRESTConstants.KEY_VERSION_RESOURCE, encryptedKeyVersion.getEncryptionKeyVersionName(),
checkNotNull(encryptedKeyVersion.getEncryptedKeyIv(), "iv"); Preconditions.checkArgument( encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', is '%s'", KeyProviderCryptoExtension.EEK, encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() ); checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey"); encryptedKeyVersion.getEncryptedKeyIv())); jsonPayload.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String( encryptedKeyVersion.getEncryptedKeyVersion().getMaterial())); URL url = createURL(KMSRESTConstants.KEY_VERSION_RESOURCE, encryptedKeyVersion.getEncryptionKeyVersionName(),
checkNotNull(encryptedKeyVersion.getEncryptedKeyIv(), "iv"); Preconditions.checkArgument( encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', is '%s'", KeyProviderCryptoExtension.EEK, encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() ); checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey"); encryptedKeyVersion.getEncryptedKeyIv())); jsonPayload.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String( encryptedKeyVersion.getEncryptedKeyVersion().getMaterial())); URL url = createURL(KMSRESTConstants.KEY_VERSION_RESOURCE, encryptedKeyVersion.getEncryptionKeyVersionName(),
/**
 * Wraps the stream in a CryptoOutputStream if the underlying file is
 * encrypted.
 *
 * @param dfsos the raw output stream for the file
 * @param statistics filesystem statistics to attach to the returned stream
 * @param startPos the position in the file at which writing starts
 * @return a crypto-wrapped stream when the file carries encryption info,
 *     otherwise the raw stream wrapped only as an HdfsDataOutputStream
 * @throws IOException if the EDEK cannot be decrypted or the codec cannot be
 *     obtained
 */
public HdfsDataOutputStream createWrappedOutputStream(DFSOutputStream dfsos,
    FileSystem.Statistics statistics, long startPos) throws IOException {
  final FileEncryptionInfo feInfo = dfsos.getFileEncryptionInfo();
  if (feInfo == null) {
    // No FileEncryptionInfo present, so no encryption: hand back the raw stream.
    return new HdfsDataOutputStream(dfsos, statistics, startPos);
  }

  // File is encrypted. The return value is deliberately unused: there is
  // currently only one protocol version, so nothing branches on it.
  HdfsKMSUtil.getCryptoProtocolVersion(feInfo);
  final CryptoCodec codec = HdfsKMSUtil.getCryptoCodec(conf, feInfo);

  final String streamId = Integer.toHexString(dfsos.hashCode());
  final KeyVersion dek;
  try (TraceScope ignored = tracer.newScope("decryptEDEK")) {
    LOG.debug("Start decrypting EDEK for file: {}, output stream: 0x{}",
        dfsos.getSrc(), streamId);
    dek = HdfsKMSUtil.decryptEncryptedDataEncryptionKey(feInfo, getKeyProvider());
    LOG.debug("Decrypted EDEK for file: {}, output stream: 0x{}",
        dfsos.getSrc(), streamId);
  }

  final CryptoOutputStream encrypted = new CryptoOutputStream(
      dfsos, codec, dek.getMaterial(), feInfo.getIV(), startPos);
  return new HdfsDataOutputStream(encrypted, statistics, startPos);
}
checkNotNull(encryptedKeyVersion.getEncryptedKeyIv(), "iv"); Preconditions.checkArgument( encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', is '%s'", KeyProviderCryptoExtension.EEK, encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() ); checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey"); encryptedKeyVersion.getEncryptedKeyIv())); jsonPayload.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String( encryptedKeyVersion.getEncryptedKeyVersion().getMaterial())); URL url = createURL(KMSRESTConstants.KEY_VERSION_RESOURCE, encryptedKeyVersion.getEncryptionKeyVersionName(),