} else { context.setKey(EncryptionUtil.unwrapKey(conf, conf.get(HConstants.CRYPTO_MASTERKEY_NAME_CONF_KEY, "hbase"), key));
@Test public void testKeyWrapping() throws Exception { // set up the key provider for testing to resolve a key for our test subject Configuration conf = new Configuration(); // we don't need HBaseConfiguration for this conf.set(HConstants.CRYPTO_KEYPROVIDER_CONF_KEY, KeyProviderForTesting.class.getName()); // generate a test key byte[] keyBytes = new byte[AES.KEY_LENGTH]; new SecureRandom().nextBytes(keyBytes); String algorithm = conf.get(HConstants.CRYPTO_KEY_ALGORITHM_CONF_KEY, HConstants.CIPHER_AES); Key key = new SecretKeySpec(keyBytes, algorithm); // wrap the test key byte[] wrappedKeyBytes = EncryptionUtil.wrapKey(conf, "hbase", key); assertNotNull(wrappedKeyBytes); // unwrap Key unwrappedKey = EncryptionUtil.unwrapKey(conf, "hbase", wrappedKeyBytes); assertNotNull(unwrappedKey); // only secretkeyspec supported for now assertTrue(unwrappedKey instanceof SecretKeySpec); // did we get back what we wrapped? assertTrue("Unwrapped key bytes do not match original", Bytes.equals(keyBytes, unwrappedKey.getEncoded())); // unwrap with an incorrect key try { EncryptionUtil.unwrapKey(conf, "other", wrappedKeyBytes); fail("Unwrap with incorrect key did not throw KeyException"); } catch (KeyException e) { // expected } }
Encryption.Context cryptoContext = Encryption.newContext(conf); Key key; key = EncryptionUtil.unwrapKey(conf, keyBytes);
if (keyBytes != null) { key = unwrapKey(conf, keyBytes);
@Test public void testKeyWrapping() throws Exception { // set up the key provider for testing to resolve a key for our test subject Configuration conf = new Configuration(); // we don't need HBaseConfiguration for this conf.set(HConstants.CRYPTO_KEYPROVIDER_CONF_KEY, KeyProviderForTesting.class.getName()); // generate a test key byte[] keyBytes = new byte[AES.KEY_LENGTH]; new SecureRandom().nextBytes(keyBytes); String algorithm = conf.get(HConstants.CRYPTO_KEY_ALGORITHM_CONF_KEY, HConstants.CIPHER_AES); Key key = new SecretKeySpec(keyBytes, algorithm); // wrap the test key byte[] wrappedKeyBytes = EncryptionUtil.wrapKey(conf, "hbase", key); assertNotNull(wrappedKeyBytes); // unwrap Key unwrappedKey = EncryptionUtil.unwrapKey(conf, "hbase", wrappedKeyBytes); assertNotNull(unwrappedKey); // only secretkeyspec supported for now assertTrue(unwrappedKey instanceof SecretKeySpec); // did we get back what we wrapped? assertTrue("Unwrapped key bytes do not match original", Bytes.equals(keyBytes, unwrappedKey.getEncoded())); // unwrap with an incorrect key try { EncryptionUtil.unwrapKey(conf, "other", wrappedKeyBytes); fail("Unwrap with incorrect key did not throw KeyException"); } catch (KeyException e) { // expected } }
if (keyBytes != null) { key = unwrapKey(conf, keyBytes);
} else { context.setKey(EncryptionUtil.unwrapKey(conf, conf.get(HConstants.CRYPTO_MASTERKEY_NAME_CONF_KEY, "hbase"), key));
if (keyBytes != null) { key = unwrapKey(conf, keyBytes);