HADOOP-10937. Need to set version name correctly before decrypting EEK. Contributed by Arun Suresh.
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615841 13f79535-47bb-0310-9956-ffa450edef68
parent
c8abf5f20a
commit
513dc29ce8
|
@ -522,6 +522,9 @@ Release 2.6.0 - UNRELEASED
|
||||||
HADOOP-10927. Fix CredentialShell help behavior and error codes.
|
HADOOP-10927. Fix CredentialShell help behavior and error codes.
|
||||||
(Josh Elser via wang)
|
(Josh Elser via wang)
|
||||||
|
|
||||||
|
HADOOP-10937. Need to set version name correctly before decrypting EEK.
|
||||||
|
(Arun Suresh via wang)
|
||||||
|
|
||||||
Release 2.5.0 - UNRELEASED
|
Release 2.5.0 - UNRELEASED
|
||||||
|
|
||||||
INCOMPATIBLE CHANGES
|
INCOMPATIBLE CHANGES
|
||||||
|
|
|
@ -21,11 +21,13 @@ package org.apache.hadoop.crypto.key;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.security.GeneralSecurityException;
|
import java.security.GeneralSecurityException;
|
||||||
import java.security.SecureRandom;
|
import java.security.SecureRandom;
|
||||||
|
|
||||||
import javax.crypto.Cipher;
|
import javax.crypto.Cipher;
|
||||||
import javax.crypto.spec.IvParameterSpec;
|
import javax.crypto.spec.IvParameterSpec;
|
||||||
import javax.crypto.spec.SecretKeySpec;
|
import javax.crypto.spec.SecretKeySpec;
|
||||||
|
|
||||||
import com.google.common.base.Preconditions;
|
import com.google.common.base.Preconditions;
|
||||||
|
|
||||||
import org.apache.hadoop.classification.InterfaceAudience;
|
import org.apache.hadoop.classification.InterfaceAudience;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -97,7 +99,7 @@ public class KeyProviderCryptoExtension extends
|
||||||
public static EncryptedKeyVersion createForDecryption(String
|
public static EncryptedKeyVersion createForDecryption(String
|
||||||
encryptionKeyVersionName, byte[] encryptedKeyIv,
|
encryptionKeyVersionName, byte[] encryptedKeyIv,
|
||||||
byte[] encryptedKeyMaterial) {
|
byte[] encryptedKeyMaterial) {
|
||||||
KeyVersion encryptedKeyVersion = new KeyVersion(null, null,
|
KeyVersion encryptedKeyVersion = new KeyVersion(null, EEK,
|
||||||
encryptedKeyMaterial);
|
encryptedKeyMaterial);
|
||||||
return new EncryptedKeyVersion(null, encryptionKeyVersionName,
|
return new EncryptedKeyVersion(null, encryptionKeyVersionName,
|
||||||
encryptedKeyIv, encryptedKeyVersion);
|
encryptedKeyIv, encryptedKeyVersion);
|
||||||
|
@ -258,6 +260,13 @@ public class KeyProviderCryptoExtension extends
|
||||||
keyProvider.getKeyVersion(encryptionKeyVersionName);
|
keyProvider.getKeyVersion(encryptionKeyVersionName);
|
||||||
Preconditions.checkNotNull(encryptionKey,
|
Preconditions.checkNotNull(encryptionKey,
|
||||||
"KeyVersion name '%s' does not exist", encryptionKeyVersionName);
|
"KeyVersion name '%s' does not exist", encryptionKeyVersionName);
|
||||||
|
Preconditions.checkArgument(
|
||||||
|
encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
|
||||||
|
.equals(KeyProviderCryptoExtension.EEK),
|
||||||
|
"encryptedKey version name must be '%s', is '%s'",
|
||||||
|
KeyProviderCryptoExtension.EEK,
|
||||||
|
encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
|
||||||
|
);
|
||||||
final byte[] encryptionKeyMaterial = encryptionKey.getMaterial();
|
final byte[] encryptionKeyMaterial = encryptionKey.getMaterial();
|
||||||
// Encryption key IV is determined from encrypted key's IV
|
// Encryption key IV is determined from encrypted key's IV
|
||||||
final byte[] encryptionIV =
|
final byte[] encryptionIV =
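Review bot: The new `checkArgument` in the third hunk calls `.equals` on the result of `getVersionName()`, so an `EncryptedKeyVersion` whose inner key version has a null name (the state the old `createForDecryption` produced with `new KeyVersion(null, null, ...)`) would fail with a bare NullPointerException instead of the intended message. Comparing from the constant side, `KeyProviderCryptoExtension.EEK.equals(encryptedKeyVersion.getEncryptedKeyVersion().getVersionName())`, keeps the check null-safe for the name. Since `createForDecryption` stamps `EEK` on whatever bytes it is given, the check validates a caller-set label only; a comment such as `// version name is a label set by the caller; it does not authenticate the key material` would stop readers treating it as an integrity check. The enclosing method starts and ends outside the hunk, so an earlier null check may exist that is not visible here.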
|
||||||
|
|
|
@ -653,7 +653,7 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension {
|
||||||
encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
|
encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
|
||||||
.equals(KeyProviderCryptoExtension.EEK),
|
.equals(KeyProviderCryptoExtension.EEK),
|
||||||
"encryptedKey version name must be '%s', is '%s'",
|
"encryptedKey version name must be '%s', is '%s'",
|
||||||
KeyProviderCryptoExtension.EK,
|
KeyProviderCryptoExtension.EEK,
|
||||||
encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
|
encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
|
||||||
);
|
);
|
||||||
checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");
|
checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");
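Review bot: The `checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey")` on the last line of this hunk runs after the `checkArgument` above has already dereferenced `getEncryptedKeyVersion()`. A null inner key version therefore surfaces as a NullPointerException from the argument expression, and the named check never fires. Moving the `checkNotNull` above the `checkArgument` would give callers the intended error before any field of the inner key version is read. The enclosing method extends beyond the hunk, so other validation may precede these lines.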
|
||||||
|
|
|
@ -26,10 +26,10 @@ import javax.crypto.spec.IvParameterSpec;
|
||||||
import javax.crypto.spec.SecretKeySpec;
|
import javax.crypto.spec.SecretKeySpec;
|
||||||
|
|
||||||
import org.apache.hadoop.conf.Configuration;
|
import org.apache.hadoop.conf.Configuration;
|
||||||
|
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion;
|
||||||
import org.junit.BeforeClass;
|
import org.junit.BeforeClass;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
|
|
||||||
|
|
||||||
import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
|
import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
|
||||||
import static org.junit.Assert.assertArrayEquals;
|
import static org.junit.Assert.assertArrayEquals;
|
||||||
import static org.junit.Assert.assertEquals;
|
import static org.junit.Assert.assertEquals;
|
||||||
|
@ -118,8 +118,15 @@ public class TestKeyProviderCryptoExtension {
|
||||||
new IvParameterSpec(KeyProviderCryptoExtension.EncryptedKeyVersion
|
new IvParameterSpec(KeyProviderCryptoExtension.EncryptedKeyVersion
|
||||||
.deriveIV(encryptedKeyIv)));
|
.deriveIV(encryptedKeyIv)));
|
||||||
final byte[] manualMaterial = cipher.doFinal(encryptedKeyMaterial);
|
final byte[] manualMaterial = cipher.doFinal(encryptedKeyMaterial);
|
||||||
|
|
||||||
|
// Test the createForDecryption factory method
|
||||||
|
EncryptedKeyVersion eek2 =
|
||||||
|
EncryptedKeyVersion.createForDecryption(
|
||||||
|
eek.getEncryptionKeyVersionName(), eek.getEncryptedKeyIv(),
|
||||||
|
eek.getEncryptedKeyVersion().getMaterial());
|
||||||
|
|
||||||
// Decrypt it with the API
|
// Decrypt it with the API
|
||||||
KeyVersion decryptedKey = kpExt.decryptEncryptedKey(eek);
|
KeyVersion decryptedKey = kpExt.decryptEncryptedKey(eek2);
|
||||||
final byte[] apiMaterial = decryptedKey.getMaterial();
|
final byte[] apiMaterial = decryptedKey.getMaterial();
|
||||||
|
|
||||||
assertArrayEquals("Wrong key material from decryptEncryptedKey",
|
assertArrayEquals("Wrong key material from decryptEncryptedKey",
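Review bot: After this change the visible decrypt call only exercises `eek2` built by `createForDecryption`, and nothing in the hunk covers the new rejection path in `decryptEncryptedKey`. A negative case would pin the guard: pass an `EncryptedKeyVersion` whose inner version name is not `EEK` and assert that `decryptEncryptedKey` throws `IllegalArgumentException`. It may also be worth keeping one decrypt of the original `eek` so the generate-then-decrypt path stays covered alongside the factory path. The test method starts and ends outside the hunk, so such cases may already exist elsewhere in the file.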
|
||||||
|
|