Trang chủ Khám phá Trợ giúp
Đăng ký Đăng nhập
liuzhangxing
/
hadoop
forked from apache/hadoop
1
0
Fork 0
Các tập tin
Browse Source

HADOOP-10937. Need to set version name correctly before decrypting EEK. Contributed by Arun Suresh.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1615841 13f79535-47bb-0310-9956-ffa450edef68
Andrew Wang 10 năm trước cách đây
mục cha
c8abf5f20a
commit
513dc29ce8
4 tập tin đã thay đổi với 23 bổ sung4 xóa
View chưa được định nghĩa Hiển thị tình trạng sai khác
  1. 3 0
      hadoop-common-project/hadoop-common/CHANGES.txt
  2. 10 1
      hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java
  3. 1 1
      hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
  4. 9 2
      hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderCryptoExtension.java

+ 3 - 0
hadoop-common-project/hadoop-common/CHANGES.txt
Xem Tập Tin 

@@ -522,6 +522,9 @@ Release 2.6.0 - UNRELEASED
 
     HADOOP-10927. Fix CredentialShell help behavior and error codes.
 
     HADOOP-10927. Fix CredentialShell help behavior and error codes.
 
     (Josh Elser via wang)
 
     (Josh Elser via wang)
 
 
 
+    HADOOP-10937. Need to set version name correctly before decrypting EEK.
 
+    (Arun Suresh via wang)
 
+
 
 Release 2.5.0 - UNRELEASED
 
 Release 2.5.0 - UNRELEASED
 
 
 
   INCOMPATIBLE CHANGES
 
   INCOMPATIBLE CHANGES

+ 10 - 1
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java
Xem Tập Tin 

@@ -21,11 +21,13 @@ package org.apache.hadoop.crypto.key;
 
 import java.io.IOException;
 
 import java.io.IOException;
 
 import java.security.GeneralSecurityException;
 
 import java.security.GeneralSecurityException;
 
 import java.security.SecureRandom;
 
 import java.security.SecureRandom;
 
+
 
 import javax.crypto.Cipher;
 
 import javax.crypto.Cipher;
 
 import javax.crypto.spec.IvParameterSpec;
 
 import javax.crypto.spec.IvParameterSpec;
 
 import javax.crypto.spec.SecretKeySpec;
 
 import javax.crypto.spec.SecretKeySpec;
 
 
 
 import com.google.common.base.Preconditions;
 
 import com.google.common.base.Preconditions;
 
+
 
 import org.apache.hadoop.classification.InterfaceAudience;
 
 import org.apache.hadoop.classification.InterfaceAudience;
 
 
 
 /**
 
 /**
 
@@ -97,7 +99,7 @@ public class KeyProviderCryptoExtension extends
 
     public static EncryptedKeyVersion createForDecryption(String
 
     public static EncryptedKeyVersion createForDecryption(String
 
         encryptionKeyVersionName, byte[] encryptedKeyIv,
 
         encryptionKeyVersionName, byte[] encryptedKeyIv,
 
         byte[] encryptedKeyMaterial) {
 
         byte[] encryptedKeyMaterial) {
 
-      KeyVersion encryptedKeyVersion = new KeyVersion(null, null,
 
+      KeyVersion encryptedKeyVersion = new KeyVersion(null, EEK,
 
           encryptedKeyMaterial);
 
           encryptedKeyMaterial);
 
       return new EncryptedKeyVersion(null, encryptionKeyVersionName,
 
       return new EncryptedKeyVersion(null, encryptionKeyVersionName,
 
           encryptedKeyIv, encryptedKeyVersion);
 
           encryptedKeyIv, encryptedKeyVersion);
 
@@ -258,6 +260,13 @@ public class KeyProviderCryptoExtension extends
 
           keyProvider.getKeyVersion(encryptionKeyVersionName);
 
           keyProvider.getKeyVersion(encryptionKeyVersionName);
 
       Preconditions.checkNotNull(encryptionKey,
 
       Preconditions.checkNotNull(encryptionKey,
 
           "KeyVersion name '%s' does not exist", encryptionKeyVersionName);
 
           "KeyVersion name '%s' does not exist", encryptionKeyVersionName);
 
+      Preconditions.checkArgument(
 
+              encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
 
+                    .equals(KeyProviderCryptoExtension.EEK),
 
+                "encryptedKey version name must be '%s', is '%s'",
 
+                KeyProviderCryptoExtension.EEK,
 
+                encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
 
+            );
 
       final byte[] encryptionKeyMaterial = encryptionKey.getMaterial();
 
       final byte[] encryptionKeyMaterial = encryptionKey.getMaterial();
 
       // Encryption key IV is determined from encrypted key's IV
 
       // Encryption key IV is determined from encrypted key's IV
 
       final byte[] encryptionIV =
 
       final byte[] encryptionIV =

+ 1 - 1
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
Xem Tập Tin 

@@ -653,7 +653,7 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension {
 
         encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
 
         encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
 
             .equals(KeyProviderCryptoExtension.EEK),
 
             .equals(KeyProviderCryptoExtension.EEK),
 
         "encryptedKey version name must be '%s', is '%s'",
 
         "encryptedKey version name must be '%s', is '%s'",
 
-        KeyProviderCryptoExtension.EK,
 
+        KeyProviderCryptoExtension.EEK,
 
         encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
 
         encryptedKeyVersion.getEncryptedKeyVersion().getVersionName()
 
     );
 
     );
 
     checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");
 
     checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");

+ 9 - 2
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderCryptoExtension.java
Xem Tập Tin 

@@ -26,10 +26,10 @@ import javax.crypto.spec.IvParameterSpec;
 
 import javax.crypto.spec.SecretKeySpec;
 
 import javax.crypto.spec.SecretKeySpec;
 
 
 
 import org.apache.hadoop.conf.Configuration;
 
 import org.apache.hadoop.conf.Configuration;
 
+import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion;
 
 import org.junit.BeforeClass;
 
 import org.junit.BeforeClass;
 
 import org.junit.Test;
 
 import org.junit.Test;
 
 
 
-
 
 import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
 
 import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
 
 import static org.junit.Assert.assertArrayEquals;
 
 import static org.junit.Assert.assertArrayEquals;
 
 import static org.junit.Assert.assertEquals;
 
 import static org.junit.Assert.assertEquals;
 
@@ -118,8 +118,15 @@ public class TestKeyProviderCryptoExtension {
 
         new IvParameterSpec(KeyProviderCryptoExtension.EncryptedKeyVersion
 
         new IvParameterSpec(KeyProviderCryptoExtension.EncryptedKeyVersion
 
             .deriveIV(encryptedKeyIv)));
 
             .deriveIV(encryptedKeyIv)));
 
     final byte[] manualMaterial = cipher.doFinal(encryptedKeyMaterial);
 
     final byte[] manualMaterial = cipher.doFinal(encryptedKeyMaterial);
 
+
 
+    // Test the createForDecryption factory method
 
+    EncryptedKeyVersion eek2 =
 
+        EncryptedKeyVersion.createForDecryption(
 
+            eek.getEncryptionKeyVersionName(), eek.getEncryptedKeyIv(),
 
+            eek.getEncryptedKeyVersion().getMaterial());
 
+
 
     // Decrypt it with the API
 
     // Decrypt it with the API
 
-    KeyVersion decryptedKey = kpExt.decryptEncryptedKey(eek);
 
+    KeyVersion decryptedKey = kpExt.decryptEncryptedKey(eek2);
 
     final byte[] apiMaterial = decryptedKey.getMaterial();
 
     final byte[] apiMaterial = decryptedKey.getMaterial();
 
 
 
     assertArrayEquals("Wrong key material from decryptEncryptedKey",
 
     assertArrayEquals("Wrong key material from decryptEncryptedKey",