@SuppressWarnings("unchecked") public static Map toJSON(EncryptedKeyVersion encryptedKeyVersion) { Map json = new HashMap(); if (encryptedKeyVersion != null) { json.put(KMSRESTConstants.VERSION_NAME_FIELD, encryptedKeyVersion.getEncryptionKeyVersionName()); json.put(KMSRESTConstants.IV_FIELD, Base64 .encodeBase64URLSafeString(encryptedKeyVersion.getEncryptedKeyIv())); json.put(KMSRESTConstants.ENCRYPTED_KEY_VERSION_FIELD, toJSON(encryptedKeyVersion.getEncryptedKeyVersion())); } return json; }
private KeyVersion decryptEncryptedKey(final Decryptor decryptor, final KeyVersion encryptionKey, final EncryptedKeyVersion encryptedKeyVersion) throws IOException, GeneralSecurityException { // Encryption key IV is determined from encrypted key's IV final byte[] encryptionIV = EncryptedKeyVersion.deriveIV(encryptedKeyVersion.getEncryptedKeyIv()); decryptor.init(encryptionKey.getMaterial(), encryptionIV); final KeyVersion encryptedKV = encryptedKeyVersion.getEncryptedKeyVersion(); int keyLen = encryptedKV.getMaterial().length; ByteBuffer bbIn = ByteBuffer.allocateDirect(keyLen); ByteBuffer bbOut = ByteBuffer.allocateDirect(keyLen); bbIn.put(encryptedKV.getMaterial()); bbIn.flip(); decryptor.decrypt(bbIn, bbOut); bbOut.flip(); byte[] decryptedKey = new byte[keyLen]; bbOut.get(decryptedKey); return new KeyVersion(encryptionKey.getName(), EK, decryptedKey); }
checkNotNull(encryptedKeyVersion.getEncryptedKeyIv(), "iv"); Preconditions.checkArgument( encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', is '%s'", KeyProviderCryptoExtension.EEK, encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() ); checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey"); Map<String, String> params = new HashMap<String, String>(); params.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_DECRYPT); encryptedKeyVersion.getEncryptedKeyIv())); jsonPayload.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String( encryptedKeyVersion.getEncryptedKeyVersion().getMaterial())); URL url = createURL(KMSRESTConstants.KEY_VERSION_RESOURCE, encryptedKeyVersion.getEncryptionKeyVersionName(),
checkNotNull(encryptedKeyVersion.getEncryptedKeyIv(), "iv"); Preconditions.checkArgument( encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', is '%s'", KeyProviderCryptoExtension.EEK, encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() ); checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey"); Map<String, String> params = new HashMap<String, String>(); params.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_DECRYPT); encryptedKeyVersion.getEncryptedKeyIv())); jsonPayload.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String( encryptedKeyVersion.getEncryptedKeyVersion().getMaterial())); URL url = createURL(KMSRESTConstants.KEY_VERSION_RESOURCE, encryptedKeyVersion.getEncryptionKeyVersionName(),
"KeyVersion name '%s' does not exist", encryptionKeyVersionName); Preconditions.checkArgument( encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', is '%s'", KeyProviderCryptoExtension.EEK, encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() ); decryptor.init(encryptionKey.getMaterial(), encryptionIV); final KeyVersion encryptedKV = encryptedKeyVersion.getEncryptedKeyVersion(); int keyLen = encryptedKV.getMaterial().length; ByteBuffer bbIn = ByteBuffer.allocateDirect(keyLen);
checkNotNull(encryptedKeyVersion.getEncryptedKeyIv(), "iv"); Preconditions.checkArgument( encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', is '%s'", KeyProviderCryptoExtension.EEK, encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() ); checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey"); Map<String, String> params = new HashMap<String, String>(); params.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_DECRYPT); encryptedKeyVersion.getEncryptedKeyIv())); jsonPayload.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String( encryptedKeyVersion.getEncryptedKeyVersion().getMaterial())); URL url = createURL(KMSRESTConstants.KEY_VERSION_RESOURCE, encryptedKeyVersion.getEncryptionKeyVersionName(),
"KeyVersion name '%s' does not exist", encryptionKeyVersionName); Preconditions.checkArgument( encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', is '%s'", KeyProviderCryptoExtension.EEK, encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() ); decryptor.init(encryptionKey.getMaterial(), encryptionIV); final KeyVersion encryptedKV = encryptedKeyVersion.getEncryptedKeyVersion(); int keyLen = encryptedKV.getMaterial().length; ByteBuffer bbIn = ByteBuffer.allocateDirect(keyLen);
checkNotNull(encryptedKeyVersion.getEncryptedKeyIv(), "iv"); Preconditions.checkArgument( encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', is '%s'", KeyProviderCryptoExtension.EEK, encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() ); checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey"); Map<String, String> params = new HashMap<String, String>(); params.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_DECRYPT); encryptedKeyVersion.getEncryptedKeyIv())); jsonPayload.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String( encryptedKeyVersion.getEncryptedKeyVersion().getMaterial())); URL url = createURL(KMSRESTConstants.KEY_VERSION_RESOURCE, encryptedKeyVersion.getEncryptionKeyVersionName(),
checkNotNull(encryptedKeyVersion.getEncryptedKeyIv(), "iv"); Preconditions.checkArgument( encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', is '%s'", KeyProviderCryptoExtension.EEK, encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() ); checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey"); Map<String, String> params = new HashMap<String, String>(); params.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_DECRYPT); encryptedKeyVersion.getEncryptedKeyIv())); jsonPayload.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String( encryptedKeyVersion.getEncryptedKeyVersion().getMaterial())); URL url = createURL(KMSRESTConstants.KEY_VERSION_RESOURCE, encryptedKeyVersion.getEncryptionKeyVersionName(),
@Test public void testEncryptDecrypt() throws Exception { // Get an EEK KeyProviderCryptoExtension.EncryptedKeyVersion eek = kpExt.generateEncryptedKey(encryptionKey.getName()); final byte[] encryptedKeyIv = eek.getEncryptedKeyIv(); final byte[] encryptedKeyMaterial = eek.getEncryptedKeyVersion() .getMaterial(); // Decrypt it manually Cipher cipher = Cipher.getInstance("AES/CTR/NoPadding"); cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(encryptionKey.getMaterial(), "AES"), new IvParameterSpec(KeyProviderCryptoExtension.EncryptedKeyVersion .deriveIV(encryptedKeyIv))); final byte[] manualMaterial = cipher.doFinal(encryptedKeyMaterial); // Test the createForDecryption factory method EncryptedKeyVersion eek2 = EncryptedKeyVersion.createForDecryption(eek.getEncryptionKeyName(), eek.getEncryptionKeyVersionName(), eek.getEncryptedKeyIv(), eek.getEncryptedKeyVersion().getMaterial()); // Decrypt it with the API KeyVersion decryptedKey = kpExt.decryptEncryptedKey(eek2); final byte[] apiMaterial = decryptedKey.getMaterial(); assertArrayEquals("Wrong key material from decryptEncryptedKey", manualMaterial, apiMaterial); } }
@Test public void testEncryptDecrypt() throws Exception { // Get an EEK KeyProviderCryptoExtension.EncryptedKeyVersion eek = kpExt.generateEncryptedKey(encryptionKey.getName()); final byte[] encryptedKeyIv = eek.getEncryptedKeyIv(); final byte[] encryptedKeyMaterial = eek.getEncryptedKeyVersion() .getMaterial(); // Decrypt it manually Cipher cipher = Cipher.getInstance("AES/CTR/NoPadding"); cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(encryptionKey.getMaterial(), "AES"), new IvParameterSpec(KeyProviderCryptoExtension.EncryptedKeyVersion .deriveIV(encryptedKeyIv))); final byte[] manualMaterial = cipher.doFinal(encryptedKeyMaterial); // Test the createForDecryption factory method EncryptedKeyVersion eek2 = EncryptedKeyVersion.createForDecryption(eek.getEncryptionKeyName(), eek.getEncryptionKeyVersionName(), eek.getEncryptedKeyIv(), eek.getEncryptedKeyVersion().getMaterial()); // Decrypt it with the API KeyVersion decryptedKey = kpExt.decryptEncryptedKey(eek2); final byte[] apiMaterial = decryptedKey.getMaterial(); assertArrayEquals("Wrong key material from decryptEncryptedKey", manualMaterial, apiMaterial); } }
@Override public Void run() throws Exception { Options opt = newOptions(conf); Map<String, String> m = new HashMap<String, String>(); m.put("key.acl.name", "testKey"); opt.setAttributes(m); KeyVersion kv = kpExt.createKey("foo", SecureRandom.getSeed(16), opt); kpExt.rollNewVersion(kv.getName()); kpExt.rollNewVersion(kv.getName(), SecureRandom.getSeed(16)); EncryptedKeyVersion ekv = kpExt.generateEncryptedKey(kv.getName()); ekv = EncryptedKeyVersion.createForDecryption( ekv.getEncryptionKeyName() + "x", ekv.getEncryptionKeyVersionName(), ekv.getEncryptedKeyIv(), ekv.getEncryptedKeyVersion().getMaterial()); kpExt.decryptEncryptedKey(ekv); return null; } }
@Override public Void run() throws Exception { Options opt = newOptions(conf); Map<String, String> m = new HashMap<String, String>(); m.put("key.acl.name", "testKey"); opt.setAttributes(m); KeyVersion kv = kpExt.createKey("foo", SecureRandom.getSeed(16), opt); kpExt.rollNewVersion(kv.getName()); kpExt.rollNewVersion(kv.getName(), SecureRandom.getSeed(16)); EncryptedKeyVersion ekv = kpExt.generateEncryptedKey(kv.getName()); ekv = EncryptedKeyVersion.createForDecryption( ekv.getEncryptionKeyName() + "x", ekv.getEncryptionKeyVersionName(), ekv.getEncryptedKeyIv(), ekv.getEncryptedKeyVersion().getMaterial()); kpExt.decryptEncryptedKey(ekv); return null; } }
entry.existingEdek.getEncryptedKeyVersion().getMaterial())) { LOG.debug("Inode {} existing edek changed, skipping re-encryption", entry.getInodeId()); entry.edek.getEncryptedKeyVersion().getMaterial(), entry.edek.getEncryptedKeyIv(), fei.getKeyName(), entry.edek.getEncryptionKeyVersionName());
ezInfo.edek.getEncryptedKeyVersion().getMaterial(), ezInfo.edek.getEncryptedKeyIv(), ezKeyName, ezInfo.edek.getEncryptionKeyVersionName());
final String ekName = ekv.getEncryptionKeyName(); Preconditions.checkNotNull(ekName, "Key name is null"); Preconditions.checkNotNull(ekv.getEncryptedKeyVersion(), "EncryptedKeyVersion is null"); Preconditions.checkArgument( ekv.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', but found '%s'", KeyProviderCryptoExtension.EEK, ekv.getEncryptedKeyVersion().getVersionName());
checkNotNull(ekv.getEncryptionKeyVersionName(), "versionName"); checkNotNull(ekv.getEncryptedKeyIv(), "iv"); checkNotNull(ekv.getEncryptedKeyVersion(), "encryptedKey"); Preconditions.checkArgument(ekv.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', is '%s'", KeyProviderCryptoExtension.EEK, ekv.getEncryptedKeyVersion().getVersionName()); if (keyName == null) { keyName = ekv.getEncryptionKeyName();
@Override public EncryptedKeyVersion reencryptEncryptedKey(EncryptedKeyVersion ekv) throws IOException, GeneralSecurityException { checkNotNull(ekv.getEncryptionKeyVersionName(), "versionName"); checkNotNull(ekv.getEncryptedKeyIv(), "iv"); checkNotNull(ekv.getEncryptedKeyVersion(), "encryptedKey"); Preconditions.checkArgument(ekv.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', is '%s'", KeyProviderCryptoExtension.EEK, ekv.getEncryptedKeyVersion().getVersionName()); final Map<String, String> params = new HashMap<>(); params.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_REENCRYPT); final Map<String, Object> jsonPayload = new HashMap<>(); jsonPayload.put(KMSRESTConstants.NAME_FIELD, ekv.getEncryptionKeyName()); jsonPayload.put(KMSRESTConstants.IV_FIELD, Base64.encodeBase64String(ekv.getEncryptedKeyIv())); jsonPayload.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String(ekv.getEncryptedKeyVersion().getMaterial())); final URL url = createURL(KMSRESTConstants.KEY_VERSION_RESOURCE, ekv.getEncryptionKeyVersionName(), KMSRESTConstants.EEK_SUB_RESOURCE, params); final HttpURLConnection conn = createConnection(url, HTTP_POST); conn.setRequestProperty(CONTENT_TYPE, APPLICATION_JSON_MIME); final Map response = call(conn, jsonPayload, HttpURLConnection.HTTP_OK, Map.class); return parseJSONEncKeyVersion(ekv.getEncryptionKeyName(), response); }
@Override public EncryptedKeyVersion reencryptEncryptedKey(EncryptedKeyVersion ekv) throws IOException, GeneralSecurityException { final String ekName = ekv.getEncryptionKeyName(); final KeyVersion ekNow = keyProvider.getCurrentKey(ekName); Preconditions .checkNotNull(ekNow, "KeyVersion name '%s' does not exist", ekName); Preconditions.checkArgument(ekv.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', but found '%s'", KeyProviderCryptoExtension.EEK, ekv.getEncryptedKeyVersion().getVersionName()); if (ekv.getEncryptedKeyVersion().equals(ekNow)) { // no-op if same key version return ekv; } final KeyVersion dek = decryptEncryptedKey(ekv); final CryptoCodec cc = CryptoCodec.getInstance(keyProvider.getConf()); try { final Encryptor encryptor = cc.createEncryptor(); return generateEncryptedKey(encryptor, ekNow, dek.getMaterial(), ekv.getEncryptedKeyIv()); } finally { cc.close(); } }
@Override public KeyVersion decryptEncryptedKey( EncryptedKeyVersion encryptedKeyVersion) throws IOException, GeneralSecurityException { // Fetch the encryption key material final String encryptionKeyVersionName = encryptedKeyVersion.getEncryptionKeyVersionName(); final KeyVersion encryptionKey = keyProvider.getKeyVersion(encryptionKeyVersionName); Preconditions .checkNotNull(encryptionKey, "KeyVersion name '%s' does not exist", encryptionKeyVersionName); Preconditions.checkArgument( encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', but found '%s'", KeyProviderCryptoExtension.EEK, encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()); try (CryptoCodec cc = CryptoCodec.getInstance(keyProvider.getConf())) { final Decryptor decryptor = cc.createDecryptor(); return decryptEncryptedKey(decryptor, encryptionKey, encryptedKeyVersion); } }