
HADOOP-10937. Need to set version name correctly before decrypting EEK. Contributed by Arun Suresh.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615841 13f79535-47bb-0310-9956-ffa450edef68
Andrew Wang 10 years ago
parent
commit
513dc29ce8

+ 3 - 0
hadoop-common-project/hadoop-common/CHANGES.txt

@@ -522,6 +522,9 @@ Release 2.6.0 - UNRELEASED
     HADOOP-10927. Fix CredentialShell help behavior and error codes.
     (Josh Elser via wang)
 
+    HADOOP-10937. Need to set version name correctly before decrypting EEK.
+    (Arun Suresh via wang)
+
 Release 2.5.0 - UNRELEASED
 
   INCOMPATIBLE CHANGES

+ 10 - 1
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java

@@ -21,11 +21,13 @@ package org.apache.hadoop.crypto.key;
 import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.security.SecureRandom;
+
 import javax.crypto.Cipher;
 import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
 
 import com.google.common.base.Preconditions;
+
 import org.apache.hadoop.classification.InterfaceAudience;
 
 /**
@@ -97,7 +99,7 @@ public class KeyProviderCryptoExtension extends
     public static EncryptedKeyVersion createForDecryption(String
         encryptionKeyVersionName, byte[] encryptedKeyIv,
         byte[] encryptedKeyMaterial) {
-      KeyVersion encryptedKeyVersion = new KeyVersion(null, null,
+      KeyVersion encryptedKeyVersion = new KeyVersion(null, EEK,
           encryptedKeyMaterial);
       return new EncryptedKeyVersion(null, encryptionKeyVersionName,
           encryptedKeyIv, encryptedKeyVersion);
@@ -258,6 +260,13 @@ public class KeyProviderCryptoExtension extends
           keyProvider.getKeyVersion(encryptionKeyVersionName);
       Preconditions.checkNotNull(encryptionKey,
           "KeyVersion name '%s' does not exist", encryptionKeyVersionName);
+      Preconditions.checkArgument(
+              encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
+                    .equals(KeyProviderCryptoExtension.EEK),
+                "encryptedKey version name must be '%s', is '%s'",
+                KeyProviderCryptoExtension.EEK,
+                encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
+            );
       final byte[] encryptionKeyMaterial = encryptionKey.getMaterial();
       // Encryption key IV is determined from encrypted key's IV
       final byte[] encryptionIV =
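Review bot: The new Preconditions.checkArgument dereferences `encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()` before anything has confirmed that either value is non-null, so an EncryptedKeyVersion carrying a null inner KeyVersion or a null version name (exactly what createForDecryption produced before this commit) fails with a NullPointerException instead of the descriptive IllegalArgumentException the message is written for. I would add `Preconditions.checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");` ahead of the check and write the comparison constant-first, `KeyProviderCryptoExtension.EEK.equals(encryptedKeyVersion.getEncryptedKeyVersion().getVersionName())`, so a null name still reaches the formatted message. A short comment would also help: this is a label check that rejects a plain key version passed where an encrypted one is expected; it does not authenticate the encrypted material itself. decryptEncryptedKey starts and ends outside this hunk.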

+ 1 - 1
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java

@@ -653,7 +653,7 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension {
         encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
             .equals(KeyProviderCryptoExtension.EEK),
         "encryptedKey version name must be '%s', is '%s'",
-        KeyProviderCryptoExtension.EK,
+        KeyProviderCryptoExtension.EEK,
         encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
     );
     checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");
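Review bot: The `checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey")` on the last line of the hunk can never fire, because the checkArgument directly above it already calls `getVersionName()` on that same value and would throw a NullPointerException first. Move the checkNotNull ahead of the checkArgument so a null inner KeyVersion is reported by name rather than as an NPE. The corrected message constant is right, but with the current ordering that message is unreachable for the null case. The enclosing decryptEncryptedKey method starts and ends outside this hunk.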

+ 9 - 2
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderCryptoExtension.java

@@ -26,10 +26,10 @@ import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
 
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion;
 import org.junit.BeforeClass;
 import org.junit.Test;
 
-
 import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
 import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
@@ -118,8 +118,15 @@ public class TestKeyProviderCryptoExtension {
         new IvParameterSpec(KeyProviderCryptoExtension.EncryptedKeyVersion
             .deriveIV(encryptedKeyIv)));
     final byte[] manualMaterial = cipher.doFinal(encryptedKeyMaterial);
+
+    // Test the createForDecryption factory method
+    EncryptedKeyVersion eek2 =
+        EncryptedKeyVersion.createForDecryption(
+            eek.getEncryptionKeyVersionName(), eek.getEncryptedKeyIv(),
+            eek.getEncryptedKeyVersion().getMaterial());
+
     // Decrypt it with the API
-    KeyVersion decryptedKey = kpExt.decryptEncryptedKey(eek);
+    KeyVersion decryptedKey = kpExt.decryptEncryptedKey(eek2);
     final byte[] apiMaterial = decryptedKey.getMaterial();
 
     assertArrayEquals("Wrong key material from decryptEncryptedKey",
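Review bot: Switching the decrypt call from `eek` to `eek2` means the EncryptedKeyVersion returned directly by generateEncryptedKey is no longer decrypted through the API in this test, so a regression in that path (for instance its inner KeyVersion not being named EEK) would go unnoticed. Keep both: decrypt `eek` as before and add `assertArrayEquals(manualMaterial, kpExt.decryptEncryptedKey(eek2).getMaterial());`. A negative case is also missing: construct an EncryptedKeyVersion whose inner KeyVersion carries a name other than EEK and assert that decryptEncryptedKey throws IllegalArgumentException, which pins the new precondition rather than only the happy path. The test method starts and ends outside this hunk.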