HADOOP-10937. Need to set version name correctly before decrypting EEK. Contributed by Arun Suresh.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615841 13f79535-47bb-0310-9956-ffa450edef68
Andrew Wang 2014-08-05 02:21:28 +00:00
parent c8abf5f20a
commit 513dc29ce8
4 changed files with 23 additions and 4 deletions


@ -522,6 +522,9 @@ Release 2.6.0 - UNRELEASED
HADOOP-10927. Fix CredentialShell help behavior and error codes. HADOOP-10927. Fix CredentialShell help behavior and error codes.
(Josh Elser via wang) (Josh Elser via wang)
HADOOP-10937. Need to set version name correctly before decrypting EEK.
(Arun Suresh via wang)
Release 2.5.0 - UNRELEASED Release 2.5.0 - UNRELEASED
INCOMPATIBLE CHANGES INCOMPATIBLE CHANGES


@ -21,11 +21,13 @@ package org.apache.hadoop.crypto.key;
import java.io.IOException; import java.io.IOException;
import java.security.GeneralSecurityException; import java.security.GeneralSecurityException;
import java.security.SecureRandom; import java.security.SecureRandom;
import javax.crypto.Cipher; import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec; import javax.crypto.spec.SecretKeySpec;
import com.google.common.base.Preconditions; import com.google.common.base.Preconditions;
import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.classification.InterfaceAudience;
/** /**
@ -97,7 +99,7 @@ public class KeyProviderCryptoExtension extends
public static EncryptedKeyVersion createForDecryption(String public static EncryptedKeyVersion createForDecryption(String
encryptionKeyVersionName, byte[] encryptedKeyIv, encryptionKeyVersionName, byte[] encryptedKeyIv,
byte[] encryptedKeyMaterial) { byte[] encryptedKeyMaterial) {
KeyVersion encryptedKeyVersion = new KeyVersion(null, null, KeyVersion encryptedKeyVersion = new KeyVersion(null, EEK,
encryptedKeyMaterial); encryptedKeyMaterial);
return new EncryptedKeyVersion(null, encryptionKeyVersionName, return new EncryptedKeyVersion(null, encryptionKeyVersionName,
encryptedKeyIv, encryptedKeyVersion); encryptedKeyIv, encryptedKeyVersion);
@ -258,6 +260,13 @@ public class KeyProviderCryptoExtension extends
keyProvider.getKeyVersion(encryptionKeyVersionName); keyProvider.getKeyVersion(encryptionKeyVersionName);
Preconditions.checkNotNull(encryptionKey, Preconditions.checkNotNull(encryptionKey,
"KeyVersion name '%s' does not exist", encryptionKeyVersionName); "KeyVersion name '%s' does not exist", encryptionKeyVersionName);
Preconditions.checkArgument(
encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
.equals(KeyProviderCryptoExtension.EEK),
"encryptedKey version name must be '%s', is '%s'",
KeyProviderCryptoExtension.EEK,
encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
);
final byte[] encryptionKeyMaterial = encryptionKey.getMaterial(); final byte[] encryptionKeyMaterial = encryptionKey.getMaterial();
// Encryption key IV is determined from encrypted key's IV // Encryption key IV is determined from encrypted key's IV
final byte[] encryptionIV = final byte[] encryptionIV =
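Review bot: The added check dereferences `encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()` before anything verifies that the inner KeyVersion or its version name is non-null, so an EncryptedKeyVersion built the way the old createForDecryption built it (version name null) fails with a NullPointerException instead of the IllegalArgumentException the message is written for. Writing the constant first, `Preconditions.checkArgument(EEK.equals(encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()),`, lets a null name reach the argument check, and a preceding `Preconditions.checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");` would cover a null inner version the same way. Inside this class the `KeyProviderCryptoExtension.` qualifier on `EEK` is redundant; `EEK` alone reads the same, as the new createForDecryption line already does. decryptEncryptedKey starts and ends outside the hunk.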


@ -653,7 +653,7 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension {
encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
.equals(KeyProviderCryptoExtension.EEK), .equals(KeyProviderCryptoExtension.EEK),
"encryptedKey version name must be '%s', is '%s'", "encryptedKey version name must be '%s', is '%s'",
KeyProviderCryptoExtension.EK, KeyProviderCryptoExtension.EEK,
encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
); );
checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey"); checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");
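Review bot: The null check on the last line of the hunk, `checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");`, runs only after the checkArgument above it has already called `getVersionName()` on that same value, so a null inner KeyVersion surfaces as a NullPointerException from the first line rather than the "encryptedKey" message. Moving the checkNotNull ahead of the checkArgument makes the checks fire in precondition order. As in KeyProviderCryptoExtension.decryptEncryptedKey, comparing constant-first, `KeyProviderCryptoExtension.EEK.equals(encryptedKeyVersion.getEncryptedKeyVersion().getVersionName())`, also lets a null version name reach the argument check instead of throwing. The checkArgument call begins before the hunk.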


@ -26,10 +26,10 @@ import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec; import javax.crypto.spec.SecretKeySpec;
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion;
import org.junit.BeforeClass; import org.junit.BeforeClass;
import org.junit.Test; import org.junit.Test;
import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion; import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
import static org.junit.Assert.assertArrayEquals; import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertEquals;
@ -118,8 +118,15 @@ public class TestKeyProviderCryptoExtension {
new IvParameterSpec(KeyProviderCryptoExtension.EncryptedKeyVersion new IvParameterSpec(KeyProviderCryptoExtension.EncryptedKeyVersion
.deriveIV(encryptedKeyIv))); .deriveIV(encryptedKeyIv)));
final byte[] manualMaterial = cipher.doFinal(encryptedKeyMaterial); final byte[] manualMaterial = cipher.doFinal(encryptedKeyMaterial);
// Test the createForDecryption factory method
EncryptedKeyVersion eek2 =
EncryptedKeyVersion.createForDecryption(
eek.getEncryptionKeyVersionName(), eek.getEncryptedKeyIv(),
eek.getEncryptedKeyVersion().getMaterial());
// Decrypt it with the API // Decrypt it with the API
KeyVersion decryptedKey = kpExt.decryptEncryptedKey(eek); KeyVersion decryptedKey = kpExt.decryptEncryptedKey(eek2);
final byte[] apiMaterial = decryptedKey.getMaterial(); final byte[] apiMaterial = decryptedKey.getMaterial();
assertArrayEquals("Wrong key material from decryptEncryptedKey", assertArrayEquals("Wrong key material from decryptEncryptedKey",
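Review bot: Switching the API call to `kpExt.decryptEncryptedKey(eek2)` means the original `eek` produced by the extension is no longer decrypted through the API at all, so the test now covers only the createForDecryption path; keeping `KeyVersion decryptedKey = kpExt.decryptEncryptedKey(eek);` for `eek` and adding a second assertion for `eek2` would exercise both. The new Preconditions check in decryptEncryptedKey also has no negative case: a separate `@Test(expected = IllegalArgumentException.class)` method that wraps the same material in a KeyVersion whose version name is not EEK and passes it to decryptEncryptedKey would pin the rejection. Whether the EncryptedKeyVersion and KeyVersion constructors are reachable from this test package is not visible here and should be confirmed. The test method begins before the hunk.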