kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java - ranger - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package org.apache.hadoop.crypto.key;

 import java.security.Key;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;

 import javax.crypto.Cipher;
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
 import javax.crypto.SecretKeyFactory;
 import javax.crypto.spec.PBEKeySpec;
 import javax.crypto.spec.PBEParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
 import org.apache.log4j.Logger;
 import org.apache.ranger.kms.dao.DaoManager;
 import org.apache.ranger.kms.dao.RangerMasterKeyDao;
 import org.apache.ranger.entity.XXRangerMasterKey;

 import com.sun.org.apache.xml.internal.security.exceptions.Base64DecodingException;
 import com.sun.org.apache.xml.internal.security.utils.Base64;

 public class RangerMasterKey implements RangerKMSMKI{

 	private static final Logger logger = Logger.getLogger(RangerMasterKey.class);

 	private static final String MK_CIPHER = "AES";
 	private static final int MK_KeySize = 256;
 	private static final int SALT_SIZE = 8;
 	private static final String PBE_ALGO = "PBEWithMD5AndTripleDES";
 	private static final String MD_ALGO = "MD5";

 	private DaoManager daoManager;

 	public RangerMasterKey() {
 	}

 	public RangerMasterKey(DaoManager daoManager) {
 		this.daoManager = daoManager;
 	}

 	/**
 	 * To get Master Key
 	 * @param password password to be used for decryption
 	 * @return Decrypted Master Key
 	 * @throws Throwable
 	 */
 	@Override
 	public String getMasterKey(String password) throws Throwable{
 		logger.info("Getting Master Key");
 		byte masterKeyByte[] = getEncryptedMK();
 		if(masterKeyByte != null && masterKeyByte.length > 0){
 			return decryptMasterKey(masterKeyByte, password);
 		}else{
 			throw new Exception("No Master Key Found");
 		}
 	}

 	public SecretKey getMasterSecretKey(String password) throws Throwable{
 		logger.info("Getting Master Key");
 		byte masterKeyByte[] = getEncryptedMK();
 		if(masterKeyByte != null && masterKeyByte.length > 0){
 			return decryptMasterKeySK(masterKeyByte, password);
 		}else{
 			throw new Exception("No Master Key Found");
 		}
 	}

 	/**
 	 * Generate the master key, encrypt it and save it in the database
 	 * @param password password to be used for encryption
 	 * @return true if the master key was successfully created
 	 * 		   false if master key generation was unsuccessful or the master key already exists
 	 * @throws Throwable
 	 */
 	@Override
 	public boolean generateMasterKey(String password) throws Throwable{
 		logger.info("Generating Master Key");
 		String encryptedMasterKey = encryptMasterKey(password);
 		String savedKey = saveEncryptedMK(encryptedMasterKey, daoManager);
 		if(savedKey != null && !savedKey.trim().equals("")){
 			logger.debug("Master Key Created with id = "+savedKey);
 			return true;
 		}
 		return false;
 	}

 	public boolean generateMKFromHSMMK(String password, byte[] key) throws Throwable{
 		logger.info("Generating Master Key");
 		String encryptedMasterKey = encryptMasterKey(password, key);
 		String savedKey = saveEncryptedMK(encryptedMasterKey, daoManager);
 		if(savedKey != null && !savedKey.trim().equals("")){
 			logger.debug("Master Key Created with id = "+savedKey);
 			return true;
 		}
 		return false;
 	}

 	private String decryptMasterKey(byte masterKey[], String password) throws Throwable {
 		logger.debug("Decrypting Master Key");
 		PBEKeySpec pbeKeyspec = getPBEParameterSpec(password);
 		byte[] masterKeyFromDBDecrypted = decryptKey(masterKey, pbeKeyspec);
 		SecretKey masterKeyFromDB = getMasterKeyFromBytes(masterKeyFromDBDecrypted);
 		return Base64.encode(masterKeyFromDB.getEncoded());
 	}

 	private SecretKey decryptMasterKeySK(byte masterKey[], String password) throws Throwable {
 		logger.debug("Decrypting Master Key");
 		PBEKeySpec pbeKeyspec = getPBEParameterSpec(password);
 		byte[] masterKeyFromDBDecrypted = decryptKey(masterKey, pbeKeyspec);
 		return getMasterKeyFromBytes(masterKeyFromDBDecrypted);
 	}

 	private byte[] getEncryptedMK() throws Base64DecodingException {
 		logger.debug("Retrieving Encrypted Master Key from database");
 		try{
 			  if(daoManager != null){
 				  RangerMasterKeyDao rangerKMSDao = new RangerMasterKeyDao(daoManager);
 				  List<XXRangerMasterKey> lstRangerMasterKey = rangerKMSDao.getAll();
 				  if(lstRangerMasterKey.size() < 1){
 					  throw new Exception("No Master Key exists");
 				  }else if(lstRangerMasterKey.size() > 1){
 					  throw new Exception("More than one Master Key exists");
 				  }else {
 					  XXRangerMasterKey rangerMasterKey = rangerKMSDao.getById(lstRangerMasterKey.get(0).getId());
 					  String masterKeyStr = rangerMasterKey.getMasterKey();
 					  return Base64.decode(masterKeyStr);
 				  }
 			  }
 		  }catch(Exception e){
 			  e.printStackTrace();
 		  }
 		  return null;
 	}

 	private String saveEncryptedMK(String encryptedMasterKey, DaoManager daoManager) {
 		  logger.debug("Saving Encrypted Master Key to database");
 		  XXRangerMasterKey xxRangerMasterKey = new XXRangerMasterKey();
 		  xxRangerMasterKey.setCipher(MK_CIPHER);
 		  xxRangerMasterKey.setBitLength(MK_KeySize);
 		  xxRangerMasterKey.setMasterKey(encryptedMasterKey);
 		  try{
 			  if(daoManager != null){
 				  RangerMasterKeyDao rangerKMSDao = new RangerMasterKeyDao(daoManager);
 				  Long l = rangerKMSDao.getAllCount();
 				  if(l < 1){
 					  XXRangerMasterKey rangerMasterKey = rangerKMSDao.create(xxRangerMasterKey);
 					  return rangerMasterKey.getId().toString();
 				  }
 			  }
 		  }catch(Exception e){
 			  e.printStackTrace();
 		  }
 		  return null;
 	}

 	private String encryptMasterKey(String password) throws Throwable {
 			logger.debug("Encrypting Master Key");
 			Key secretKey = generateMasterKey();
 			PBEKeySpec pbeKeySpec = getPBEParameterSpec(password);
 			byte[] masterKeyToDB = encryptKey(secretKey.getEncoded(), pbeKeySpec);
 			return Base64.encode(masterKeyToDB);
 	}

 	private String encryptMasterKey(String password, byte[] secretKey) throws Throwable {
 		logger.debug("Encrypting Master Key");
 		PBEKeySpec pbeKeySpec = getPBEParameterSpec(password);
 		byte[] masterKeyToDB = encryptKey(secretKey, pbeKeySpec);
 		return Base64.encode(masterKeyToDB);
 	}

 	private Key generateMasterKey() throws NoSuchAlgorithmException{
 		KeyGenerator kg = KeyGenerator.getInstance(MK_CIPHER);
 		kg.init(MK_KeySize);
 		return kg.generateKey();
 	}

 	private PBEKeySpec getPBEParameterSpec(String password) throws Throwable {
 		MessageDigest md = MessageDigest.getInstance(MD_ALGO);
 		byte[] saltGen = md.digest(password.getBytes());
 		byte[] salt = new byte[SALT_SIZE];
 		System.arraycopy(saltGen, 0, salt, 0, SALT_SIZE);
 		int iteration = password.toCharArray().length + 1;
 		return new PBEKeySpec(password.toCharArray(), salt, iteration);
 	}
 	private byte[] encryptKey(byte[] data, PBEKeySpec keyspec) throws Throwable {
 		SecretKey key = getPasswordKey(keyspec);
 		if(keyspec.getSalt() != null) {
 			PBEParameterSpec paramSpec = new PBEParameterSpec(keyspec.getSalt(), keyspec.getIterationCount());
 			Cipher c = Cipher.getInstance(key.getAlgorithm());
 			c.init(Cipher.ENCRYPT_MODE, key,paramSpec);
 			return c.doFinal(data);
 		}
 		return null;
 	}
 	private SecretKey getPasswordKey(PBEKeySpec keyspec) throws Throwable {
 		SecretKeyFactory factory = SecretKeyFactory.getInstance(PBE_ALGO);
 		return factory.generateSecret(keyspec);
 	}
 	private byte[] decryptKey(byte[] encrypted, PBEKeySpec keyspec) throws Throwable {
 		SecretKey key = getPasswordKey(keyspec);
 		if(keyspec.getSalt() != null) {
 			PBEParameterSpec paramSpec = new PBEParameterSpec(keyspec.getSalt(), keyspec.getIterationCount());
 			Cipher c = Cipher.getInstance(key.getAlgorithm());
 			c.init(Cipher.DECRYPT_MODE, key, paramSpec);
 			return c.doFinal(encrypted);
 		}
 		return null;
 	}
 	private SecretKey getMasterKeyFromBytes(byte[] keyData) throws Throwable {
 		return new SecretKeySpec(keyData, MK_CIPHER);
 	}

 	public Map<String, String> getPropertiesWithPrefix(Properties props, String prefix) {
 		Map<String, String> prefixedProperties = new HashMap<String, String>();

 		if(props != null && prefix != null) {
 			for(String key : props.stringPropertyNames()) {
 				if(key == null) {
 					continue;
 				}

 				String val = props.getProperty(key);

 				if(key.startsWith(prefix)) {
 					key = key.substring(prefix.length());

 					if(key != null) {
 					    prefixedProperties.put(key, val);
                     }
 				}
 			}
 		}

 		return prefixedProperties;
 	}
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package org.apache.hadoop.crypto.key;

	import java.security.Key;
	import java.security.MessageDigest;
	import java.security.NoSuchAlgorithmException;
	import java.util.HashMap;
	import java.util.List;
	import java.util.Map;
	import java.util.Properties;

	import javax.crypto.Cipher;
	import javax.crypto.KeyGenerator;
	import javax.crypto.SecretKey;
	import javax.crypto.SecretKeyFactory;
	import javax.crypto.spec.PBEKeySpec;
	import javax.crypto.spec.PBEParameterSpec;
	import javax.crypto.spec.SecretKeySpec;
	import org.apache.log4j.Logger;
	import org.apache.ranger.kms.dao.DaoManager;
	import org.apache.ranger.kms.dao.RangerMasterKeyDao;
	import org.apache.ranger.entity.XXRangerMasterKey;

	import com.sun.org.apache.xml.internal.security.exceptions.Base64DecodingException;
	import com.sun.org.apache.xml.internal.security.utils.Base64;

	public class RangerMasterKey implements RangerKMSMKI{

	private static final Logger logger = Logger.getLogger(RangerMasterKey.class);

	private static final String MK_CIPHER = "AES";
	private static final int MK_KeySize = 256;
	private static final int SALT_SIZE = 8;
	private static final String PBE_ALGO = "PBEWithMD5AndTripleDES";
	private static final String MD_ALGO = "MD5";

	private DaoManager daoManager;

	public RangerMasterKey() {
	}

	public RangerMasterKey(DaoManager daoManager) {
	this.daoManager = daoManager;
	}

	/**
	* To get Master Key
	* @param password password to be used for decryption
	* @return Decrypted Master Key
	* @throws Throwable
	*/
	@Override
	public String getMasterKey(String password) throws Throwable{
	logger.info("Getting Master Key");
	byte masterKeyByte[] = getEncryptedMK();
	if(masterKeyByte != null && masterKeyByte.length > 0){
	return decryptMasterKey(masterKeyByte, password);
	}else{
	throw new Exception("No Master Key Found");
	}
	}

	public SecretKey getMasterSecretKey(String password) throws Throwable{
	logger.info("Getting Master Key");
	byte masterKeyByte[] = getEncryptedMK();
	if(masterKeyByte != null && masterKeyByte.length > 0){
	return decryptMasterKeySK(masterKeyByte, password);
	}else{
	throw new Exception("No Master Key Found");
	}
	}

	/**
	* Generate the master key, encrypt it and save it in the database
	* @param password password to be used for encryption
	* @return true if the master key was successfully created
	* false if master key generation was unsuccessful or the master key already exists
	* @throws Throwable
	*/
	@Override
	public boolean generateMasterKey(String password) throws Throwable{
	logger.info("Generating Master Key");
	String encryptedMasterKey = encryptMasterKey(password);
	String savedKey = saveEncryptedMK(encryptedMasterKey, daoManager);
	if(savedKey != null && !savedKey.trim().equals("")){
	logger.debug("Master Key Created with id = "+savedKey);
	return true;
	}
	return false;
	}

	public boolean generateMKFromHSMMK(String password, byte[] key) throws Throwable{
	logger.info("Generating Master Key");
	String encryptedMasterKey = encryptMasterKey(password, key);
	String savedKey = saveEncryptedMK(encryptedMasterKey, daoManager);
	if(savedKey != null && !savedKey.trim().equals("")){
	logger.debug("Master Key Created with id = "+savedKey);
	return true;
	}
	return false;
	}

	private String decryptMasterKey(byte masterKey[], String password) throws Throwable {
	logger.debug("Decrypting Master Key");
	PBEKeySpec pbeKeyspec = getPBEParameterSpec(password);
	byte[] masterKeyFromDBDecrypted = decryptKey(masterKey, pbeKeyspec);
	SecretKey masterKeyFromDB = getMasterKeyFromBytes(masterKeyFromDBDecrypted);
	return Base64.encode(masterKeyFromDB.getEncoded());
	}

	private SecretKey decryptMasterKeySK(byte masterKey[], String password) throws Throwable {
	logger.debug("Decrypting Master Key");
	PBEKeySpec pbeKeyspec = getPBEParameterSpec(password);
	byte[] masterKeyFromDBDecrypted = decryptKey(masterKey, pbeKeyspec);
	return getMasterKeyFromBytes(masterKeyFromDBDecrypted);
	}

	private byte[] getEncryptedMK() throws Base64DecodingException {
	logger.debug("Retrieving Encrypted Master Key from database");
	try{
	if(daoManager != null){
	RangerMasterKeyDao rangerKMSDao = new RangerMasterKeyDao(daoManager);
	List<XXRangerMasterKey> lstRangerMasterKey = rangerKMSDao.getAll();
	if(lstRangerMasterKey.size() < 1){
	throw new Exception("No Master Key exists");
	}else if(lstRangerMasterKey.size() > 1){
	throw new Exception("More than one Master Key exists");
	}else {
	XXRangerMasterKey rangerMasterKey = rangerKMSDao.getById(lstRangerMasterKey.get(0).getId());
	String masterKeyStr = rangerMasterKey.getMasterKey();
	return Base64.decode(masterKeyStr);
	}
	}
	}catch(Exception e){
	e.printStackTrace();
	}
	return null;
	}

	private String saveEncryptedMK(String encryptedMasterKey, DaoManager daoManager) {
	logger.debug("Saving Encrypted Master Key to database");
	XXRangerMasterKey xxRangerMasterKey = new XXRangerMasterKey();
	xxRangerMasterKey.setCipher(MK_CIPHER);
	xxRangerMasterKey.setBitLength(MK_KeySize);
	xxRangerMasterKey.setMasterKey(encryptedMasterKey);
	try{
	if(daoManager != null){
	RangerMasterKeyDao rangerKMSDao = new RangerMasterKeyDao(daoManager);
	Long l = rangerKMSDao.getAllCount();
	if(l < 1){
	XXRangerMasterKey rangerMasterKey = rangerKMSDao.create(xxRangerMasterKey);
	return rangerMasterKey.getId().toString();
	}
	}
	}catch(Exception e){
	e.printStackTrace();
	}
	return null;
	}

	private String encryptMasterKey(String password) throws Throwable {
	logger.debug("Encrypting Master Key");
	Key secretKey = generateMasterKey();
	PBEKeySpec pbeKeySpec = getPBEParameterSpec(password);
	byte[] masterKeyToDB = encryptKey(secretKey.getEncoded(), pbeKeySpec);
	return Base64.encode(masterKeyToDB);
	}

	private String encryptMasterKey(String password, byte[] secretKey) throws Throwable {
	logger.debug("Encrypting Master Key");
	PBEKeySpec pbeKeySpec = getPBEParameterSpec(password);
	byte[] masterKeyToDB = encryptKey(secretKey, pbeKeySpec);
	return Base64.encode(masterKeyToDB);
	}

	private Key generateMasterKey() throws NoSuchAlgorithmException{
	KeyGenerator kg = KeyGenerator.getInstance(MK_CIPHER);
	kg.init(MK_KeySize);
	return kg.generateKey();
	}

	private PBEKeySpec getPBEParameterSpec(String password) throws Throwable {
	MessageDigest md = MessageDigest.getInstance(MD_ALGO);
	byte[] saltGen = md.digest(password.getBytes());
	byte[] salt = new byte[SALT_SIZE];
	System.arraycopy(saltGen, 0, salt, 0, SALT_SIZE);
	int iteration = password.toCharArray().length + 1;
	return new PBEKeySpec(password.toCharArray(), salt, iteration);
	}
	private byte[] encryptKey(byte[] data, PBEKeySpec keyspec) throws Throwable {
	SecretKey key = getPasswordKey(keyspec);
	if(keyspec.getSalt() != null) {
	PBEParameterSpec paramSpec = new PBEParameterSpec(keyspec.getSalt(), keyspec.getIterationCount());
	Cipher c = Cipher.getInstance(key.getAlgorithm());
	c.init(Cipher.ENCRYPT_MODE, key,paramSpec);
	return c.doFinal(data);
	}
	return null;
	}
	private SecretKey getPasswordKey(PBEKeySpec keyspec) throws Throwable {
	SecretKeyFactory factory = SecretKeyFactory.getInstance(PBE_ALGO);
	return factory.generateSecret(keyspec);
	}
	private byte[] decryptKey(byte[] encrypted, PBEKeySpec keyspec) throws Throwable {
	SecretKey key = getPasswordKey(keyspec);
	if(keyspec.getSalt() != null) {
	PBEParameterSpec paramSpec = new PBEParameterSpec(keyspec.getSalt(), keyspec.getIterationCount());
	Cipher c = Cipher.getInstance(key.getAlgorithm());
	c.init(Cipher.DECRYPT_MODE, key, paramSpec);
	return c.doFinal(encrypted);
	}
	return null;
	}
	private SecretKey getMasterKeyFromBytes(byte[] keyData) throws Throwable {
	return new SecretKeySpec(keyData, MK_CIPHER);
	}

	public Map<String, String> getPropertiesWithPrefix(Properties props, String prefix) {
	Map<String, String> prefixedProperties = new HashMap<String, String>();

	if(props != null && prefix != null) {
	for(String key : props.stringPropertyNames()) {
	if(key == null) {
	continue;
	}

	String val = props.getProperty(key);

	if(key.startsWith(prefix)) {
	key = key.substring(prefix.length());

	if(key != null) {
	prefixedProperties.put(key, val);
	}
	}
	}
	}

	return prefixedProperties;
	}
	}