HBASE-10951 Use PBKDF2 to generate test encryption keys in the shell

git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1586694 13f79535-47bb-0310-9956-ffa450edef68
2014-04-11 15:47:41 +00:00 · 2014-04-11 15:47:41 +00:00 · 81bebaee81
parent d102fedd37
commit 81bebaee81
2 changed files with 50 additions and 1 deletions
--- a/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/Encryption.java
+++ b/hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/Encryption.java
@ -23,9 +23,12 @@ import java.security.DigestException;
 import java.security.Key;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;

+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
 import javax.crypto.spec.SecretKeySpec;

 import org.apache.commons.io.IOUtils;
@ -199,6 +202,52 @@ public final class Encryption {
    }
  }

+  /**
+   * Return a 128 bit key derived from the concatenation of the supplied
+   * arguments using PBKDF2WithHmacSHA1 at 10,000 iterations.
+   * 
+   */
+  public static byte[] pbkdf128(String... args) {
+    byte[] salt = new byte[128];
+    Bytes.random(salt);
+    StringBuilder sb = new StringBuilder();
+    for (String s: args) {
+      sb.append(s);
+    }
+    PBEKeySpec spec = new PBEKeySpec(sb.toString().toCharArray(), salt, 10000, 128);
+    try {
+      return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
+        .generateSecret(spec).getEncoded();
+    } catch (NoSuchAlgorithmException e) {
+      throw new RuntimeException(e);
+    } catch (InvalidKeySpecException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  /**
+   * Return a 128 bit key derived from the concatenation of the supplied
+   * arguments using PBKDF2WithHmacSHA1 at 10,000 iterations.
+   * 
+   */
+  public static byte[] pbkdf128(byte[]... args) {
+    byte[] salt = new byte[128];
+    Bytes.random(salt);
+    StringBuilder sb = new StringBuilder();
+    for (byte[] b: args) {
+      sb.append(b);
+    }
+    PBEKeySpec spec = new PBEKeySpec(sb.toString().toCharArray(), salt, 10000, 128);
+    try {
+      return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
+        .generateSecret(spec).getEncoded();
+    } catch (NoSuchAlgorithmException e) {
+      throw new RuntimeException(e);
+    } catch (InvalidKeySpecException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
  /**
   * Encrypt a block of plaintext
   * <p>
--- a/hbase-shell/src/main/ruby/hbase/admin.rb
+++ b/hbase-shell/src/main/ruby/hbase/admin.rb
@ -640,7 +640,7 @@ module Hbase
        algorithm = arg.delete(org.apache.hadoop.hbase.HColumnDescriptor::ENCRYPTION).upcase
        family.setEncryptionType(algorithm)
        if arg.include?(org.apache.hadoop.hbase.HColumnDescriptor::ENCRYPTION_KEY)
-          key = org.apache.hadoop.hbase.io.crypto.Encryption.hash128(
+          key = org.apache.hadoop.hbase.io.crypto.Encryption.pbkdf128(
            arg.delete(org.apache.hadoop.hbase.HColumnDescriptor::ENCRYPTION_KEY))
          family.setEncryptionKey(org.apache.hadoop.hbase.security.EncryptionUtil.wrapKey(@conf, key,
            algorithm))