cipher = Encryption.getCipher(conf, key.getAlgorithm()); if (cipher == null) { throw new RuntimeException("Cipher '" + key.getAlgorithm() + "' is not available"); cipher = Encryption.getCipher(conf, cipherName); if (cipher == null) { throw new RuntimeException("Cipher '" + cipherName + "' is not available"); cryptoContext = Encryption.newContext(conf); cryptoContext.setCipher(cipher); cryptoContext.setKey(key);
Key key = getSecretKeyForSubject(subject, conf); if (key == null) { throw new IOException("No key found for subject '" + subject + "'"); decrypt(out, in, outLen, d); } catch (IOException e) { + "' configured."); Cipher alterCipher = Encryption.getCipher(conf, alternateAlgorithm); if (alterCipher == null) { throw new RuntimeException("Cipher '" + alternateAlgorithm + "' not available"); d.setKey(key); decrypt(out, in, outLen, d); } else { throw new IOException(e);
private void checkTransformSymmetry(byte[] keyBytes, byte[] iv, byte[] plaintext) throws Exception { LOG.info("checkTransformSymmetry: AES, plaintext length = " + plaintext.length); Configuration conf = HBaseConfiguration.create(); String algorithm = conf.get(HConstants.CRYPTO_KEY_ALGORITHM_CONF_KEY, HConstants.CIPHER_AES); Cipher aes = Encryption.getCipher(conf, algorithm); Key key = new SecretKeySpec(keyBytes, algorithm); Encryptor e = aes.getEncryptor(); e.setKey(key); e.setIv(iv); e.reset(); ByteArrayOutputStream encOut = new ByteArrayOutputStream(); Encryption.encrypt(encOut, plaintext, 0, plaintext.length, e); byte[] encrypted = encOut.toByteArray(); Decryptor d = aes.getDecryptor(); d.setKey(key); d.setIv(iv); d.reset(); ByteArrayInputStream encIn = new ByteArrayInputStream(encrypted); ByteArrayOutputStream decOut = new ByteArrayOutputStream(); Encryption.decrypt(decOut, encIn, plaintext.length, d); byte[] result = decOut.toByteArray(); assertEquals("Decrypted result has different length than plaintext", result.length, plaintext.length); assertTrue("Transformation was not symmetric", Bytes.equals(result, plaintext)); }
/** * Encrypts a block of plaintext with the symmetric key resolved for the given subject * @param out ciphertext * @param in plaintext * @param conf configuration * @param cipher the encryption algorithm * @param iv the initialization vector, can be null * @throws IOException */ public static void encryptWithSubjectKey(OutputStream out, InputStream in, String subject, Configuration conf, Cipher cipher, byte[] iv) throws IOException { Key key = getSecretKeyForSubject(subject, conf); if (key == null) { throw new IOException("No key found for subject '" + subject + "'"); } Encryptor e = cipher.getEncryptor(); e.setKey(key); e.setIv(iv); // can be null encrypt(out, in, e); }
if (result == null) { try { Encryption.Context context = Encryption.newContext(conf); context.setCipher(Encryption.getCipher(conf, cipher)); if (key == null) { Bytes.random(plaintext); ByteArrayOutputStream out = new ByteArrayOutputStream(); Encryption.encrypt(out, new ByteArrayInputStream(plaintext), context, iv); byte[] ciphertext = out.toByteArray(); out.reset(); Encryption.decrypt(out, new ByteArrayInputStream(ciphertext), plaintext.length, context, iv); byte[] test = out.toByteArray();
@Test public void testCustomProvider() { Configuration conf = HBaseConfiguration.create(); conf.set(HConstants.CRYPTO_CIPHERPROVIDER_CONF_KEY, MyCipherProvider.class.getName()); CipherProvider provider = Encryption.getCipherProvider(conf); assertTrue(provider instanceof MyCipherProvider); assertTrue(Arrays.asList(provider.getSupportedCiphers()).contains("TEST")); Cipher a = Encryption.getCipher(conf, "TEST"); assertNotNull(a); assertTrue(a.getProvider() instanceof MyCipherProvider); assertEquals("TEST", a.getName()); assertEquals(0, a.getKeyLength()); }
/** * Unwrap a wal key by decrypting it with the secret key of the given subject. The configuration * must be set up correctly for key alias resolution. * @param conf configuration * @param subject subject key alias * @param value the encrypted key bytes * @return the raw key bytes * @throws IOException if key is not found for the subject, or if some I/O error occurs * @throws KeyException if fail to unwrap the key */ public static Key unwrapWALKey(Configuration conf, String subject, byte[] value) throws IOException, KeyException { EncryptionProtos.WrappedKey wrappedKey = EncryptionProtos.WrappedKey.PARSER.parseDelimitedFrom(new ByteArrayInputStream(value)); String algorithm = conf.get(HConstants.CRYPTO_WAL_ALGORITHM_CONF_KEY, HConstants.CIPHER_AES); Cipher cipher = Encryption.getCipher(conf, algorithm); if (cipher == null) { throw new RuntimeException("Cipher '" + algorithm + "' not available"); } return getUnwrapKey(conf, subject, wrappedKey, cipher); }
Cipher cipher = Encryption.getCipher(conf, algorithm); if (cipher == null) { throw new RuntimeException("Cipher '" + algorithm + "' not available"); builder.setHash(UnsafeByteOperations.unsafeWrap(Encryption.hash128(keyBytes))); ByteArrayOutputStream out = new ByteArrayOutputStream(); Encryption.encryptWithSubjectKey(out, new ByteArrayInputStream(keyBytes), subject, conf, cipher, iv); builder.setData(UnsafeByteOperations.unsafeWrap(out.toByteArray()));
Encryption.encrypt(cryptoByteStream, in, encryptor); Encryption.incrementIv(iv, 1 + (cryptoByteStream.size() / encryptor.getBlockSize())); return new Bytes(cryptoByteStream.getBuffer(), 0, cryptoByteStream.size()); } else {
/** * Get an cipher given a name * @param name the cipher name * @return the cipher, or null if a suitable one could not be found */ public static Cipher getCipher(Configuration conf, String name) { return getCipherProvider(conf).getCipher(name); }
/** * Check that the configured key provider can be loaded and initialized, or * throw an exception. * * @param conf * @throws IOException */ public static void testKeyProvider(final Configuration conf) throws IOException { String providerClassName = conf.get(HConstants.CRYPTO_KEYPROVIDER_CONF_KEY, KeyStoreKeyProvider.class.getName()); Boolean result = keyProviderResults.get(providerClassName); if (result == null) { try { Encryption.getKeyProvider(conf); keyProviderResults.put(providerClassName, true); } catch (Exception e) { // most likely a RuntimeException keyProviderResults.put(providerClassName, false); throw new IOException("Key provider " + providerClassName + " failed test: " + e.getMessage(), e); } } else if (result.booleanValue() == false) { throw new IOException("Key provider " + providerClassName + " previously failed test"); } }
/** * Encrypt a stream of plaintext given a context and IV * @param out ciphertext * @param in plaintet * @param context * @param iv * @throws IOException */ public static void encrypt(OutputStream out, InputStream in, Context context, byte[] iv) throws IOException { Encryptor e = context.getCipher().getEncryptor(); e.setKey(context.getKey()); e.setIv(iv); // can be null e.reset(); encrypt(out, in, e); }
/** * Decrypt a stream of ciphertext given a context and IV * @param out * @param in * @param outLen * @param context * @param iv * @throws IOException */ public static void decrypt(OutputStream out, InputStream in, int outLen, Context context, byte[] iv) throws IOException { Decryptor d = context.getCipher().getDecryptor(); d.setKey(context.getKey()); d.setIv(iv); // can be null decrypt(out, in, outLen, d); }
private static Key getUnwrapKey(Configuration conf, String subject, EncryptionProtos.WrappedKey wrappedKey, Cipher cipher) throws IOException, KeyException { ByteArrayOutputStream out = new ByteArrayOutputStream(); byte[] iv = wrappedKey.hasIv() ? wrappedKey.getIv().toByteArray() : null; Encryption.decryptWithSubjectKey(out, wrappedKey.getData().newInput(), wrappedKey.getLength(), subject, conf, cipher, iv); byte[] keyBytes = out.toByteArray(); if (wrappedKey.hasHash()) { if (!Bytes.equals(wrappedKey.getHash().toByteArray(), Encryption.hash128(keyBytes))) { throw new KeyException("Key was not successfully unwrapped"); } } return new SecretKeySpec(keyBytes, wrappedKey.getAlgorithm()); }
@Override public Key[] getKeys(String[] aliases) { Key[] result = new Key[aliases.length]; for (int i = 0; i < aliases.length; i++) { result[i] = new SecretKeySpec(Encryption.hash128(aliases[i]), "AES"); } return result; } }
public static void incrementIv(byte[] iv) { incrementIv(iv, 1); }
@Test public void testDefaultProvider() { Configuration conf = HBaseConfiguration.create(); CipherProvider provider = Encryption.getCipherProvider(conf); assertTrue(provider instanceof DefaultCipherProvider); String algorithm = conf.get(HConstants.CRYPTO_KEY_ALGORITHM_CONF_KEY, HConstants.CIPHER_AES); assertTrue(Arrays.asList(provider.getSupportedCiphers()).contains(algorithm)); Cipher a = Encryption.getCipher(conf, algorithm); assertNotNull(a); assertTrue(a.getProvider() instanceof DefaultCipherProvider); assertEquals(a.getName(), algorithm); assertEquals(AES.KEY_LENGTH, a.getKeyLength()); }
if (result == null) { try { Encryption.Context context = Encryption.newContext(conf); context.setCipher(Encryption.getCipher(conf, cipher)); if (key == null) { Bytes.random(plaintext); ByteArrayOutputStream out = new ByteArrayOutputStream(); Encryption.encrypt(out, new ByteArrayInputStream(plaintext), context, iv); byte[] ciphertext = out.toByteArray(); out.reset(); Encryption.decrypt(out, new ByteArrayInputStream(ciphertext), plaintext.length, context, iv); byte[] test = out.toByteArray();
/** * Unwrap a key by decrypting it with the secret key of the given subject. * The configuration must be set up correctly for key alias resolution. * @param conf configuration * @param subject subject key alias * @param value the encrypted key bytes * @return the raw key bytes * @throws IOException * @throws KeyException */ public static Key unwrapKey(Configuration conf, String subject, byte[] value) throws IOException, KeyException { EncryptionProtos.WrappedKey wrappedKey = EncryptionProtos.WrappedKey.PARSER .parseDelimitedFrom(new ByteArrayInputStream(value)); String algorithm = conf.get(HConstants.CRYPTO_KEY_ALGORITHM_CONF_KEY, HConstants.CIPHER_AES); Cipher cipher = Encryption.getCipher(conf, algorithm); if (cipher == null) { throw new RuntimeException("Cipher '" + algorithm + "' not available"); } return getUnwrapKey(conf, subject, wrappedKey, cipher); }
Cipher cipher = Encryption.getCipher(conf, algorithm); if (cipher == null) { throw new RuntimeException("Cipher '" + algorithm + "' not available"); builder.setHash(UnsafeByteOperations.unsafeWrap(Encryption.hash128(keyBytes))); ByteArrayOutputStream out = new ByteArrayOutputStream(); Encryption.encryptWithSubjectKey(out, new ByteArrayInputStream(keyBytes), subject, conf, cipher, iv); builder.setData(UnsafeByteOperations.unsafeWrap(out.toByteArray()));