From d90671137e005e05b3f41ee1f66387dee95b609a Mon Sep 17 00:00:00 2001 From: Yi Liu Date: Thu, 10 Jul 2014 06:27:52 +0000 Subject: [PATCH] HADOOP-10803. Update OpensslCipher#getInstance to accept CipherSuite#name format. (yliu) git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/fs-encryption@1609403 13f79535-47bb-0310-9956-ffa450edef68 --- .../hadoop-common/CHANGES-fs-encryption.txt | 6 ++ .../crypto/OpensslAesCtrCryptoCodec.java | 3 +- .../apache/hadoop/crypto/OpensslCipher.java | 101 +++++++++++++++--- .../hadoop/crypto/TestOpensslCipher.java | 15 +-- .../hadoop-hdfs/CHANGES-fs-encryption.txt | 3 - 5 files changed, 97 insertions(+), 31 deletions(-) diff --git a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt index 8983f8e73cb..2ea4420bce2 100644 --- a/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt +++ b/hadoop-common-project/hadoop-common/CHANGES-fs-encryption.txt @@ -28,6 +28,12 @@ fs-encryption (Unreleased) HADOOP-10713. Refactor CryptoCodec#generateSecureRandom to take a byte[]. (wang via yliu) + HADOOP-10693. Implementation of AES-CTR CryptoCodec using JNI to OpenSSL. + (Yi Liu via cmccabe) + + HADOOP-10803. Update OpensslCipher#getInstance to accept CipherSuite#name + format. (Yi Liu) + OPTIMIZATIONS BUG FIXES diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java index 669271fa9ef..ee11f50683b 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslAesCtrCryptoCodec.java @@ -70,8 +70,7 @@ public class OpensslAesCtrCryptoCodec extends AesCtrCryptoCodec { public OpensslAesCtrCipher(int mode) throws GeneralSecurityException { this.mode = mode; - cipher = OpensslCipher.getInstance(OpensslCipher.AES_CTR, - OpensslCipher.PADDING_NOPADDING); + cipher = OpensslCipher.getInstance(SUITE.getName()); } @Override diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslCipher.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslCipher.java index c0a4e9bdb45..652a8b4c324 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslCipher.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/OpensslCipher.java @@ -19,6 +19,7 @@ package org.apache.hadoop.crypto; import java.nio.ByteBuffer; import java.security.NoSuchAlgorithmException; +import java.util.StringTokenizer; import javax.crypto.BadPaddingException; import javax.crypto.IllegalBlockSizeException; @@ -45,11 +46,34 @@ public final class OpensslCipher { public static final int DECRYPT_MODE = 0; /** Currently only support AES/CTR/NoPadding. */ - public static final int AES_CTR = 0; - public static final int PADDING_NOPADDING = 0; + private static enum AlgMode { + AES_CTR; + + static int get(String algorithm, String mode) + throws NoSuchAlgorithmException { + try { + return AlgMode.valueOf(algorithm + "_" + mode).ordinal(); + } catch (Exception e) { + throw new NoSuchAlgorithmException("Doesn't support algorithm: " + + algorithm + " and mode: " + mode); + } + } + } + + private static enum Padding { + NoPadding; + + static int get(String padding) throws NoSuchPaddingException { + try { + return Padding.valueOf(padding).ordinal(); + } catch (Exception e) { + throw new NoSuchPaddingException("Doesn't support padding: " + padding); + } + } + } private long context = 0; - private final int algorithm; + private final int alg; private final int padding; private static boolean nativeCipherLoaded = false; @@ -69,26 +93,71 @@ public final class OpensslCipher { return nativeCipherLoaded; } - private OpensslCipher(long context, int algorithm, int padding) { + private OpensslCipher(long context, int alg, int padding) { this.context = context; - this.algorithm = algorithm; + this.alg = alg; this.padding = padding; } /** * Return an OpensslCipher object that implements the specified - * algorithm. + * transformation. * - * @param algorithm currently only supports {@link #AES_CTR} - * @param padding currently only supports {@link #PADDING_NOPADDING} - * @return OpensslCipher an OpensslCipher object - * @throws NoSuchAlgorithmException - * @throws NoSuchPaddingException + * @param transformation the name of the transformation, e.g., + * AES/CTR/NoPadding. + * @return OpensslCipher an OpensslCipher object + * @throws NoSuchAlgorithmException if transformation is null, + * empty, in an invalid format, or if Openssl doesn't implement the + * specified algorithm. + * @throws NoSuchPaddingException if transformation contains + * a padding scheme that is not available. */ - public static final OpensslCipher getInstance(int algorithm, - int padding) throws NoSuchAlgorithmException, NoSuchPaddingException { - long context = initContext(algorithm, padding); - return new OpensslCipher(context, algorithm, padding); + public static final OpensslCipher getInstance(String transformation) + throws NoSuchAlgorithmException, NoSuchPaddingException { + Transform transform = tokenizeTransformation(transformation); + int algMode = AlgMode.get(transform.alg, transform.mode); + int padding = Padding.get(transform.padding); + long context = initContext(algMode, padding); + return new OpensslCipher(context, algMode, padding); + } + + /** Nested class for algorithm, mode and padding. */ + private static class Transform { + final String alg; + final String mode; + final String padding; + + public Transform(String alg, String mode, String padding) { + this.alg = alg; + this.mode = mode; + this.padding = padding; + } + } + + private static Transform tokenizeTransformation(String transformation) + throws NoSuchAlgorithmException { + if (transformation == null) { + throw new NoSuchAlgorithmException("No transformation given."); + } + + /* + * Array containing the components of a Cipher transformation: + * + * index 0: algorithm (e.g., AES) + * index 1: mode (e.g., CTR) + * index 2: padding (e.g., NoPadding) + */ + String[] parts = new String[3]; + int count = 0; + StringTokenizer parser = new StringTokenizer(transformation, "/"); + while (parser.hasMoreTokens() && count < 3) { + parts[count++] = parser.nextToken().trim(); + } + if (count != 3 || parser.hasMoreTokens()) { + throw new NoSuchAlgorithmException("Invalid transformation format: " + + transformation); + } + return new Transform(parts[0], parts[1], parts[2]); } /** @@ -99,7 +168,7 @@ public final class OpensslCipher { * @param iv crypto iv */ public void init(int mode, byte[] key, byte[] iv) { - context = init(context, mode, algorithm, padding, key, iv); + context = init(context, mode, alg, padding, key, iv); } /** diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestOpensslCipher.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestOpensslCipher.java index 739e53fdc8f..b3a894a164f 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestOpensslCipher.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/TestOpensslCipher.java @@ -38,21 +38,18 @@ public class TestOpensslCipher { if (!OpensslCipher.isNativeCodeLoaded()) { return; } - OpensslCipher cipher = OpensslCipher.getInstance(OpensslCipher.AES_CTR, - OpensslCipher.PADDING_NOPADDING); + OpensslCipher cipher = OpensslCipher.getInstance("AES/CTR/NoPadding"); Assert.assertTrue(cipher != null); try { - cipher = OpensslCipher.getInstance(OpensslCipher.AES_CTR + 100, - OpensslCipher.PADDING_NOPADDING); + cipher = OpensslCipher.getInstance("AES2/CTR/NoPadding"); Assert.fail("Should specify correct algorithm."); } catch (NoSuchAlgorithmException e) { // Expect NoSuchAlgorithmException } try { - cipher = OpensslCipher.getInstance(OpensslCipher.AES_CTR, - OpensslCipher.PADDING_NOPADDING + 100); + cipher = OpensslCipher.getInstance("AES/CTR/NoPadding2"); Assert.fail("Should specify correct padding."); } catch (NoSuchPaddingException e) { // Expect NoSuchPaddingException @@ -64,8 +61,7 @@ public class TestOpensslCipher { if (!OpensslCipher.isNativeCodeLoaded()) { return; } - OpensslCipher cipher = OpensslCipher.getInstance(OpensslCipher.AES_CTR, - OpensslCipher.PADDING_NOPADDING); + OpensslCipher cipher = OpensslCipher.getInstance("AES/CTR/NoPadding"); Assert.assertTrue(cipher != null); cipher.init(OpensslCipher.ENCRYPT_MODE, key, iv); @@ -100,8 +96,7 @@ public class TestOpensslCipher { if (!OpensslCipher.isNativeCodeLoaded()) { return; } - OpensslCipher cipher = OpensslCipher.getInstance(OpensslCipher.AES_CTR, - OpensslCipher.PADDING_NOPADDING); + OpensslCipher cipher = OpensslCipher.getInstance("AES/CTR/NoPadding"); Assert.assertTrue(cipher != null); cipher.init(OpensslCipher.ENCRYPT_MODE, key, iv); diff --git a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt index dfc8055c6f1..4c2a60ef4b1 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt +++ b/hadoop-hdfs-project/hadoop-hdfs/CHANGES-fs-encryption.txt @@ -8,9 +8,6 @@ fs-encryption (Unreleased) IMPROVEMENTS - HADOOP-10693. Implementation of AES-CTR CryptoCodec using JNI to OpenSSL - (hitliuyi via cmccabe) - HDFS-6387. HDFS CLI admin tool for creating & deleting an encryption zone. (clamb)