Map<String, Object> jsonPayload = new HashMap<String, Object>(); jsonPayload.put(KMSRESTConstants.NAME_FIELD, encryptedKeyVersion.getEncryptionKeyName()); jsonPayload.put(KMSRESTConstants.IV_FIELD, Base64.encodeBase64String( encryptedKeyVersion.getEncryptedKeyIv()));
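/**
 * Asks the KMS to re-encrypt a single encrypted key (EEK) by POSTing it to the
 * {@code eek} sub-resource of the key version it was generated under, with the
 * {@code eek_op=reencrypt} query parameter.
 *
 * <p>Every field that is placed into the request payload is validated first:
 * the key name, the key version name, the IV and the encrypted material, plus
 * the invariant that the wrapped version is tagged {@code EEK}. Rejecting a
 * malformed EEK here gives a clear client-side error instead of a round trip
 * that the server will refuse.
 *
 * @param ekv the encrypted key to re-encrypt; none of its fields may be null
 * @return the re-encrypted key as parsed from the server's JSON response
 * @throws NullPointerException     if a required field of {@code ekv} is null
 * @throws IllegalArgumentException if the wrapped version is not named
 *                                  {@link KeyProviderCryptoExtension#EEK}
 * @throws IOException              on transport or protocol errors
 * @throws GeneralSecurityException as declared by the interface
 */
@Override
public EncryptedKeyVersion reencryptEncryptedKey(EncryptedKeyVersion ekv)
    throws IOException, GeneralSecurityException {
  // The key name is sent in the payload (NAME_FIELD) and used to parse the
  // response, so it must be validated alongside the other request fields.
  checkNotNull(ekv.getEncryptionKeyName(), "keyName");
  checkNotNull(ekv.getEncryptionKeyVersionName(), "versionName");
  checkNotNull(ekv.getEncryptedKeyIv(), "iv");
  checkNotNull(ekv.getEncryptedKeyVersion(), "encryptedKey");
  Preconditions.checkArgument(
      ekv.getEncryptedKeyVersion().getVersionName()
          .equals(KeyProviderCryptoExtension.EEK),
      "encryptedKey version name must be '%s', is '%s'",
      KeyProviderCryptoExtension.EEK,
      ekv.getEncryptedKeyVersion().getVersionName());

  // Query parameter selecting the re-encrypt operation on the eek resource.
  final Map<String, String> params = new HashMap<>();
  params.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_REENCRYPT);

  // Binary fields travel base64-encoded inside the JSON body.
  final Map<String, Object> jsonPayload = new HashMap<>();
  jsonPayload.put(KMSRESTConstants.NAME_FIELD, ekv.getEncryptionKeyName());
  jsonPayload.put(KMSRESTConstants.IV_FIELD,
      Base64.encodeBase64String(ekv.getEncryptedKeyIv()));
  jsonPayload.put(KMSRESTConstants.MATERIAL_FIELD,
      Base64.encodeBase64String(ekv.getEncryptedKeyVersion().getMaterial()));

  final URL url = createURL(KMSRESTConstants.KEY_VERSION_RESOURCE,
      ekv.getEncryptionKeyVersionName(), KMSRESTConstants.EEK_SUB_RESOURCE,
      params);
  final HttpURLConnection conn = createConnection(url, HTTP_POST);
  conn.setRequestProperty(CONTENT_TYPE, APPLICATION_JSON_MIME);
  // Only HTTP 200 is accepted; call() is expected to raise on anything else.
  final Map response =
      call(conn, jsonPayload, HttpURLConnection.HTTP_OK, Map.class);
  return parseJSONEncKeyVersion(ekv.getEncryptionKeyName(), response);
}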
String keyName = null; for (EncryptedKeyVersion ekv : ekvs) { checkNotNull(ekv.getEncryptionKeyName(), "keyName"); checkNotNull(ekv.getEncryptionKeyVersionName(), "versionName"); checkNotNull(ekv.getEncryptedKeyIv(), "iv"); ekv.getEncryptedKeyVersion().getVersionName()); if (keyName == null) { keyName = ekv.getEncryptionKeyName(); } else { Preconditions.checkArgument(keyName.equals(ekv.getEncryptionKeyName()), "All EncryptedKey must have the same key name.");
ek1.getEncryptedKeyVersion().getVersionName()); assertEquals("Name of EEK should be encryption key name", ENCRYPTION_KEY_NAME, ek1.getEncryptionKeyName()); assertNotNull("Expected encrypted key material", ek1.getEncryptedKeyVersion().getMaterial());
Map<String, Object> jsonPayload = new HashMap<String, Object>(); jsonPayload.put(KMSRESTConstants.NAME_FIELD, encryptedKeyVersion.getEncryptionKeyName()); jsonPayload.put(KMSRESTConstants.IV_FIELD, Base64.encodeBase64String( encryptedKeyVersion.getEncryptedKeyIv()));
Map<String, Object> jsonPayload = new HashMap<String, Object>(); jsonPayload.put(KMSRESTConstants.NAME_FIELD, encryptedKeyVersion.getEncryptionKeyName()); jsonPayload.put(KMSRESTConstants.IV_FIELD, Base64.encodeBase64String( encryptedKeyVersion.getEncryptedKeyIv()));
Map<String, Object> jsonPayload = new HashMap<String, Object>(); jsonPayload.put(KMSRESTConstants.NAME_FIELD, encryptedKeyVersion.getEncryptionKeyName()); jsonPayload.put(KMSRESTConstants.IV_FIELD, Base64.encodeBase64String( encryptedKeyVersion.getEncryptedKeyIv()));
Map<String, Object> jsonPayload = new HashMap<String, Object>(); jsonPayload.put(KMSRESTConstants.NAME_FIELD, encryptedKeyVersion.getEncryptionKeyName()); jsonPayload.put(KMSRESTConstants.IV_FIELD, Base64.encodeBase64String( encryptedKeyVersion.getEncryptedKeyIv()));
/**
 * Round-trips an EEK: generates one through the extension, unwraps it by hand
 * with AES/CTR using the IV derived by {@code deriveIV}, rebuilds the EEK via
 * {@code createForDecryption}, unwraps that through the API, and checks that
 * both paths yield the same key material.
 */
@Test
public void testEncryptDecrypt() throws Exception {
  // Obtain a fresh EEK under the test encryption key.
  final KeyProviderCryptoExtension.EncryptedKeyVersion eek =
      kpExt.generateEncryptedKey(encryptionKey.getName());
  final byte[] iv = eek.getEncryptedKeyIv();
  final byte[] wrapped = eek.getEncryptedKeyVersion().getMaterial();

  // Reference result: unwrap manually. The cipher IV is derived from the
  // EEK's stored IV rather than used directly.
  final Cipher cipher = Cipher.getInstance("AES/CTR/NoPadding");
  final SecretKeySpec wrappingKey =
      new SecretKeySpec(encryptionKey.getMaterial(), "AES");
  final IvParameterSpec cipherIv = new IvParameterSpec(
      KeyProviderCryptoExtension.EncryptedKeyVersion.deriveIV(iv));
  cipher.init(Cipher.DECRYPT_MODE, wrappingKey, cipherIv);
  final byte[] expected = cipher.doFinal(wrapped);

  // Exercise the createForDecryption factory, then unwrap through the API.
  final EncryptedKeyVersion rebuilt = EncryptedKeyVersion.createForDecryption(
      eek.getEncryptionKeyName(), eek.getEncryptionKeyVersionName(),
      iv, wrapped);
  final byte[] actual = kpExt.decryptEncryptedKey(rebuilt).getMaterial();

  assertArrayEquals("Wrong key material from decryptEncryptedKey",
      expected, actual);
}
}
/**
 * Round-trips an EEK: generates one through the extension, unwraps it by hand
 * with AES/CTR using the IV derived by {@code deriveIV}, rebuilds the EEK via
 * {@code createForDecryption}, unwraps that through the API, and checks that
 * both paths yield the same key material.
 */
@Test
public void testEncryptDecrypt() throws Exception {
  // Obtain a fresh EEK under the test encryption key.
  final KeyProviderCryptoExtension.EncryptedKeyVersion eek =
      kpExt.generateEncryptedKey(encryptionKey.getName());
  final byte[] iv = eek.getEncryptedKeyIv();
  final byte[] wrapped = eek.getEncryptedKeyVersion().getMaterial();

  // Reference result: unwrap manually. The cipher IV is derived from the
  // EEK's stored IV rather than used directly.
  final Cipher cipher = Cipher.getInstance("AES/CTR/NoPadding");
  final SecretKeySpec wrappingKey =
      new SecretKeySpec(encryptionKey.getMaterial(), "AES");
  final IvParameterSpec cipherIv = new IvParameterSpec(
      KeyProviderCryptoExtension.EncryptedKeyVersion.deriveIV(iv));
  cipher.init(Cipher.DECRYPT_MODE, wrappingKey, cipherIv);
  final byte[] expected = cipher.doFinal(wrapped);

  // Exercise the createForDecryption factory, then unwrap through the API.
  final EncryptedKeyVersion rebuilt = EncryptedKeyVersion.createForDecryption(
      eek.getEncryptionKeyName(), eek.getEncryptionKeyVersionName(),
      iv, wrapped);
  final byte[] actual = kpExt.decryptEncryptedKey(rebuilt).getMaterial();

  assertArrayEquals("Wrong key material from decryptEncryptedKey",
      expected, actual);
}
}
/**
 * Creates key {@code foo} with the {@code key.acl.name} attribute, rolls it
 * twice, generates an EEK for it, then rebuilds that EEK with a key name that
 * no longer matches the version it was generated under and hands it to
 * {@code decryptEncryptedKey}.
 *
 * <p>NOTE(review): the mismatched name presumably is expected to be rejected
 * by the provider's key/version consistency check; confirm against the
 * enclosing test's expectations, which are outside this method.
 */
@Override
public Void run() throws Exception {
  final Options opt = newOptions(conf);
  final Map<String, String> attrs = new HashMap<>();
  attrs.put("key.acl.name", "testKey");
  opt.setAttributes(attrs);

  final KeyVersion created =
      kpExt.createKey("foo", SecureRandom.getSeed(16), opt);
  // Roll twice so the key has several versions when the EEK is generated.
  final String keyName = created.getName();
  kpExt.rollNewVersion(keyName);
  kpExt.rollNewVersion(keyName, SecureRandom.getSeed(16));

  final EncryptedKeyVersion genuine = kpExt.generateEncryptedKey(keyName);
  // Same version name, IV and material, but a key name with "x" appended.
  final EncryptedKeyVersion mismatched = EncryptedKeyVersion.createForDecryption(
      genuine.getEncryptionKeyName() + "x",
      genuine.getEncryptionKeyVersionName(),
      genuine.getEncryptedKeyIv(),
      genuine.getEncryptedKeyVersion().getMaterial());
  kpExt.decryptEncryptedKey(mismatched);
  return null;
}
}
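/**
 * Re-encrypts a batch of EEKs after enforcing the key/version consistency of
 * every element and the caller's {@code GENERATE_EEK} access on the key.
 *
 * <p>The access check is evaluated once, against the key name of the first
 * element. For that single check to cover the whole batch, every element must
 * name the same key; that invariant is enforced here rather than left to the
 * delegate provider, so a mixed batch is rejected at the authorization layer
 * before any re-encryption is attempted.
 *
 * @param ekvs the EEKs to re-encrypt; an empty list is a no-op
 * @throws IllegalArgumentException if an element's version does not belong to
 *                                  its key, or the elements name different keys
 * @throws IOException              from the delegate provider or access check
 * @throws GeneralSecurityException from the delegate provider
 */
@Override
public void reencryptEncryptedKeys(List<EncryptedKeyVersion> ekvs)
    throws IOException, GeneralSecurityException {
  if (ekvs.isEmpty()) {
    return;
  }
  readLock.lock();
  try {
    final String keyName = ekvs.get(0).getEncryptionKeyName();
    for (EncryptedKeyVersion ekv : ekvs) {
      verifyKeyVersionBelongsToKey(ekv);
      // Fail closed: the access check below covers only keyName.
      if (keyName == null || !keyName.equals(ekv.getEncryptionKeyName())) {
        throw new IllegalArgumentException(String.format(
            "All EncryptedKeyVersions must have the same key name;"
                + " expected '%s' but found '%s'",
            keyName, ekv.getEncryptionKeyName()));
      }
    }
    doAccessCheck(keyName, KeyOpType.GENERATE_EEK);
    provider.reencryptEncryptedKeys(ekvs);
  } finally {
    readLock.unlock();
  }
}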
/**
 * Creates key {@code foo} with the {@code key.acl.name} attribute, rolls it
 * twice, generates an EEK for it, then rebuilds that EEK with a key name that
 * no longer matches the version it was generated under and hands it to
 * {@code decryptEncryptedKey}.
 *
 * <p>NOTE(review): the mismatched name presumably is expected to be rejected
 * by the provider's key/version consistency check; confirm against the
 * enclosing test's expectations, which are outside this method.
 */
@Override
public Void run() throws Exception {
  final Options opt = newOptions(conf);
  final Map<String, String> attrs = new HashMap<>();
  attrs.put("key.acl.name", "testKey");
  opt.setAttributes(attrs);

  final KeyVersion created =
      kpExt.createKey("foo", SecureRandom.getSeed(16), opt);
  // Roll twice so the key has several versions when the EEK is generated.
  final String keyName = created.getName();
  kpExt.rollNewVersion(keyName);
  kpExt.rollNewVersion(keyName, SecureRandom.getSeed(16));

  final EncryptedKeyVersion genuine = kpExt.generateEncryptedKey(keyName);
  // Same version name, IV and material, but a key name with "x" appended.
  final EncryptedKeyVersion mismatched = EncryptedKeyVersion.createForDecryption(
      genuine.getEncryptionKeyName() + "x",
      genuine.getEncryptionKeyVersionName(),
      genuine.getEncryptedKeyIv(),
      genuine.getEncryptedKeyVersion().getMaterial());
  kpExt.decryptEncryptedKey(mismatched);
  return null;
}
}
/**
 * Checks that the key version named in an EEK actually belongs to the key the
 * EEK claims. Both names come from the caller, so without this check an EEK
 * could pair an arbitrary key name with a version of some other key; callers
 * in this class run it before evaluating access against the claimed key name.
 *
 * @param ekv the EEK whose key name and key version name are checked
 * @throws IllegalArgumentException if the version does not exist in the
 *                                  delegate provider, or belongs to a different key
 * @throws IOException              if looking up the version fails
 */
private void verifyKeyVersionBelongsToKey(EncryptedKeyVersion ekv)
    throws IOException {
  final String claimedKey = ekv.getEncryptionKeyName();
  final String versionName = ekv.getEncryptionKeyVersionName();
  final KeyVersion resolved = provider.getKeyVersion(versionName);

  final String problem;
  if (resolved == null) {
    problem = String.format("'%s' not found", versionName);
  } else if (!resolved.getName().equals(claimedKey)) {
    problem = String.format(
        "KeyVersion '%s' does not belong to the key '%s'",
        versionName, claimedKey);
  } else {
    return;
  }
  throw new IllegalArgumentException(problem);
}
/**
 * Decrypts an EEK through the delegate provider after verifying that the EEK's
 * version belongs to its claimed key and that the caller holds
 * {@code DECRYPT_EEK} on that key. The whole operation runs under the read lock.
 *
 * @param encryptedKeyVersion the EEK to decrypt
 * @return the decrypted key version from the delegate provider
 * @throws IllegalArgumentException if the version/key pairing is inconsistent
 * @throws IOException              from the access check or delegate provider
 * @throws GeneralSecurityException from the delegate provider
 */
@Override
public KeyVersion decryptEncryptedKey(EncryptedKeyVersion encryptedKeyVersion)
    throws IOException, GeneralSecurityException {
  readLock.lock();
  try {
    // Pin the version to the key name before that name is used for the
    // access decision.
    verifyKeyVersionBelongsToKey(encryptedKeyVersion);
    final String keyName = encryptedKeyVersion.getEncryptionKeyName();
    doAccessCheck(keyName, KeyOpType.DECRYPT_EEK);
    return provider.decryptEncryptedKey(encryptedKeyVersion);
  } finally {
    readLock.unlock();
  }
}
/**
 * Re-encrypts a single EEK through the delegate provider after verifying that
 * its version belongs to its claimed key and that the caller holds
 * {@code GENERATE_EEK} on that key (re-encryption is authorized like EEK
 * generation). Runs under the read lock.
 *
 * @param ekv the EEK to re-encrypt
 * @return the re-encrypted EEK from the delegate provider
 * @throws IllegalArgumentException if the version/key pairing is inconsistent
 * @throws IOException              from the access check or delegate provider
 * @throws GeneralSecurityException from the delegate provider
 */
@Override
public EncryptedKeyVersion reencryptEncryptedKey(EncryptedKeyVersion ekv)
    throws IOException, GeneralSecurityException {
  readLock.lock();
  try {
    verifyKeyVersionBelongsToKey(ekv);
    final String keyName = ekv.getEncryptionKeyName();
    doAccessCheck(keyName, KeyOpType.GENERATE_EEK);
    return provider.reencryptEncryptedKey(ekv);
  } finally {
    readLock.unlock();
  }
}
final FileEncryptionInfo fei = FSDirEncryptionZoneOp .getFileEncryptionInfo(dir, INodesInPath.fromINode(inode)); if (!fei.getKeyName().equals(entry.edek.getEncryptionKeyName())) { LOG.debug("Inode {} EZ key changed, skipping re-encryption.", entry.getInodeId());
if (!ezKeyName.equals(ezInfo.edek.getEncryptionKeyName())) { throw new RetryStartFileException();
final EncryptedKeyVersion ekv = iter.next(); Preconditions.checkNotNull(ekv, "EncryptedKeyVersion is null"); final String ekName = ekv.getEncryptionKeyName(); Preconditions.checkNotNull(ekName, "Key name is null"); Preconditions.checkNotNull(ekv.getEncryptedKeyVersion(),
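/**
 * Re-encrypts an EEK under the current version of its encryption key.
 *
 * <p>If the EEK was already produced under the current key version it is
 * returned unchanged. Otherwise the EEK is decrypted with the version it names
 * and the recovered DEK is wrapped again with the current version, keeping the
 * EEK's existing IV (only the wrapping key changes).
 *
 * <p>Fix: the "same version" shortcut previously compared the wrapped
 * {@code KeyVersion} (whose version name is pinned to {@code EEK} by the check
 * below) against the current key version, which is not the intended test and
 * could not short-circuit as the comment promised. The comparison now uses the
 * encryption key version name carried by the EEK.
 *
 * @param ekv the EEK to re-encrypt
 * @return the EEK itself if already current, else a freshly wrapped EEK
 * @throws NullPointerException     if the key has no current version
 * @throws IllegalArgumentException if the wrapped version is not tagged
 *                                  {@link KeyProviderCryptoExtension#EEK}
 * @throws IOException              from the underlying key provider or codec
 * @throws GeneralSecurityException from decryption or re-encryption
 */
@Override
public EncryptedKeyVersion reencryptEncryptedKey(EncryptedKeyVersion ekv)
    throws IOException, GeneralSecurityException {
  final String ekName = ekv.getEncryptionKeyName();
  final KeyVersion ekNow = keyProvider.getCurrentKey(ekName);
  Preconditions
      .checkNotNull(ekNow, "KeyVersion name '%s' does not exist", ekName);
  Preconditions.checkArgument(
      ekv.getEncryptedKeyVersion().getVersionName()
          .equals(KeyProviderCryptoExtension.EEK),
      "encryptedKey version name must be '%s', but found '%s'",
      KeyProviderCryptoExtension.EEK,
      ekv.getEncryptedKeyVersion().getVersionName());

  // No-op when the EEK already names the current key version.
  if (ekNow.getVersionName().equals(ekv.getEncryptionKeyVersionName())) {
    return ekv;
  }

  final KeyVersion dek = decryptEncryptedKey(ekv);
  final CryptoCodec cc = CryptoCodec.getInstance(keyProvider.getConf());
  try {
    final Encryptor encryptor = cc.createEncryptor();
    // The IV is carried over from the original EEK; the wrapping key is ekNow.
    return generateEncryptedKey(encryptor, ekNow, dek.getMaterial(),
        ekv.getEncryptedKeyIv());
  } finally {
    cc.close();
  }
}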