HADOOP-10937. Need to set version name correctly before decrypting EEK. Contributed by Arun Suresh.
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615841 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
c8abf5f20a
commit
513dc29ce8
|
@ -522,6 +522,9 @@ Release 2.6.0 - UNRELEASED
|
|||
HADOOP-10927. Fix CredentialShell help behavior and error codes.
|
||||
(Josh Elser via wang)
|
||||
|
||||
HADOOP-10937. Need to set version name correctly before decrypting EEK.
|
||||
(Arun Suresh via wang)
|
||||
|
||||
Release 2.5.0 - UNRELEASED
|
||||
|
||||
INCOMPATIBLE CHANGES
|
||||
|
|
|
@ -21,11 +21,13 @@ package org.apache.hadoop.crypto.key;
|
|||
import java.io.IOException;
|
||||
import java.security.GeneralSecurityException;
|
||||
import java.security.SecureRandom;
|
||||
|
||||
import javax.crypto.Cipher;
|
||||
import javax.crypto.spec.IvParameterSpec;
|
||||
import javax.crypto.spec.SecretKeySpec;
|
||||
|
||||
import com.google.common.base.Preconditions;
|
||||
|
||||
import org.apache.hadoop.classification.InterfaceAudience;
|
||||
|
||||
/**
|
||||
|
@ -97,7 +99,7 @@ public class KeyProviderCryptoExtension extends
|
|||
public static EncryptedKeyVersion createForDecryption(String
|
||||
encryptionKeyVersionName, byte[] encryptedKeyIv,
|
||||
byte[] encryptedKeyMaterial) {
|
||||
KeyVersion encryptedKeyVersion = new KeyVersion(null, null,
|
||||
KeyVersion encryptedKeyVersion = new KeyVersion(null, EEK,
|
||||
encryptedKeyMaterial);
|
||||
return new EncryptedKeyVersion(null, encryptionKeyVersionName,
|
||||
encryptedKeyIv, encryptedKeyVersion);
|
||||
|
@ -258,6 +260,13 @@ public class KeyProviderCryptoExtension extends
|
|||
keyProvider.getKeyVersion(encryptionKeyVersionName);
|
||||
Preconditions.checkNotNull(encryptionKey,
|
||||
"KeyVersion name '%s' does not exist", encryptionKeyVersionName);
|
||||
Preconditions.checkArgument(
|
||||
encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
|
||||
.equals(KeyProviderCryptoExtension.EEK),
|
||||
"encryptedKey version name must be '%s', is '%s'",
|
||||
KeyProviderCryptoExtension.EEK,
|
||||
encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
|
||||
);
|
||||
final byte[] encryptionKeyMaterial = encryptionKey.getMaterial();
|
||||
// Encryption key IV is determined from encrypted key's IV
|
||||
final byte[] encryptionIV =
|
||||
|
|
|
@ -653,7 +653,7 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension {
|
|||
encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
|
||||
.equals(KeyProviderCryptoExtension.EEK),
|
||||
"encryptedKey version name must be '%s', is '%s'",
|
||||
KeyProviderCryptoExtension.EK,
|
||||
KeyProviderCryptoExtension.EEK,
|
||||
encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
|
||||
);
|
||||
checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");
|
||||
|
|
|
@ -26,10 +26,10 @@ import javax.crypto.spec.IvParameterSpec;
|
|||
import javax.crypto.spec.SecretKeySpec;
|
||||
|
||||
import org.apache.hadoop.conf.Configuration;
|
||||
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Test;
|
||||
|
||||
|
||||
import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
|
||||
import static org.junit.Assert.assertArrayEquals;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
|
@ -118,8 +118,15 @@ public class TestKeyProviderCryptoExtension {
|
|||
new IvParameterSpec(KeyProviderCryptoExtension.EncryptedKeyVersion
|
||||
.deriveIV(encryptedKeyIv)));
|
||||
final byte[] manualMaterial = cipher.doFinal(encryptedKeyMaterial);
|
||||
|
||||
// Test the createForDecryption factory method
|
||||
EncryptedKeyVersion eek2 =
|
||||
EncryptedKeyVersion.createForDecryption(
|
||||
eek.getEncryptionKeyVersionName(), eek.getEncryptedKeyIv(),
|
||||
eek.getEncryptedKeyVersion().getMaterial());
|
||||
|
||||
// Decrypt it with the API
|
||||
KeyVersion decryptedKey = kpExt.decryptEncryptedKey(eek);
|
||||
KeyVersion decryptedKey = kpExt.decryptEncryptedKey(eek2);
|
||||
final byte[] apiMaterial = decryptedKey.getMaterial();
|
||||
|
||||
assertArrayEquals("Wrong key material from decryptEncryptedKey",
|
||||
|
|
Loading…
Reference in New Issue