hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderCryptoExtension.java - hadoop - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.hadoop.crypto.key;

 import java.net.URI;
 import java.security.SecureRandom;
 import java.util.Arrays;

 import javax.crypto.Cipher;
 import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.SecretKeySpec;

 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion;
 import org.junit.BeforeClass;
 import org.junit.Test;

 import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
 import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.fail;

 public class TestKeyProviderCryptoExtension {

   private static final String CIPHER = "AES";
   private static final String ENCRYPTION_KEY_NAME = "fooKey";

   private static Configuration conf;
   private static KeyProvider kp;
   private static KeyProviderCryptoExtension kpExt;
   private static KeyProvider.Options options;
   private static KeyVersion encryptionKey;

   @BeforeClass
   public static void setup() throws Exception {
     conf = new Configuration();
     kp = new UserProvider.Factory().createProvider(new URI("user:///"), conf);
     kpExt = KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp);
     options = new KeyProvider.Options(conf);
     options.setCipher(CIPHER);
     options.setBitLength(128);
     encryptionKey =
         kp.createKey(ENCRYPTION_KEY_NAME, SecureRandom.getSeed(16), options);
   }

   @Test
   public void testGenerateEncryptedKey() throws Exception {
     // Generate a new EEK and check it
     KeyProviderCryptoExtension.EncryptedKeyVersion ek1 =
         kpExt.generateEncryptedKey(encryptionKey.getName());
     assertEquals("Version name of EEK should be EEK",
         KeyProviderCryptoExtension.EEK,
         ek1.getEncryptedKeyVersion().getVersionName());
     assertEquals("Name of EEK should be encryption key name",
         ENCRYPTION_KEY_NAME, ek1.getEncryptionKeyName());
     assertNotNull("Expected encrypted key material",
         ek1.getEncryptedKeyVersion().getMaterial());
     assertEquals("Length of encryption key material and EEK material should "
             + "be the same", encryptionKey.getMaterial().length,
         ek1.getEncryptedKeyVersion().getMaterial().length
     );

     // Decrypt EEK into an EK and check it
     KeyVersion k1 = kpExt.decryptEncryptedKey(ek1);
     assertEquals(KeyProviderCryptoExtension.EK, k1.getVersionName());
     assertEquals(encryptionKey.getMaterial().length, k1.getMaterial().length);
     if (Arrays.equals(k1.getMaterial(), encryptionKey.getMaterial())) {
       fail("Encrypted key material should not equal encryption key material");
     }
     if (Arrays.equals(ek1.getEncryptedKeyVersion().getMaterial(),
         encryptionKey.getMaterial())) {
       fail("Encrypted key material should not equal decrypted key material");
     }
     // Decrypt it again and it should be the same
     KeyVersion k1a = kpExt.decryptEncryptedKey(ek1);
     assertArrayEquals(k1.getMaterial(), k1a.getMaterial());

     // Generate another EEK and make sure it's different from the first
     KeyProviderCryptoExtension.EncryptedKeyVersion ek2 =
         kpExt.generateEncryptedKey(encryptionKey.getName());
     KeyVersion k2 = kpExt.decryptEncryptedKey(ek2);
     if (Arrays.equals(k1.getMaterial(), k2.getMaterial())) {
       fail("Generated EEKs should have different material!");
     }
     if (Arrays.equals(ek1.getEncryptedKeyIv(), ek2.getEncryptedKeyIv())) {
       fail("Generated EEKs should have different IVs!");
     }
   }

   @Test
   public void testEncryptDecrypt() throws Exception {
     // Get an EEK
     KeyProviderCryptoExtension.EncryptedKeyVersion eek =
         kpExt.generateEncryptedKey(encryptionKey.getName());
     final byte[] encryptedKeyIv = eek.getEncryptedKeyIv();
     final byte[] encryptedKeyMaterial = eek.getEncryptedKeyVersion()
         .getMaterial();
     // Decrypt it manually
     Cipher cipher = Cipher.getInstance("AES/CTR/NoPadding");
     cipher.init(Cipher.DECRYPT_MODE,
         new SecretKeySpec(encryptionKey.getMaterial(), "AES"),
         new IvParameterSpec(KeyProviderCryptoExtension.EncryptedKeyVersion
             .deriveIV(encryptedKeyIv)));
     final byte[] manualMaterial = cipher.doFinal(encryptedKeyMaterial);

     // Test the createForDecryption factory method
     EncryptedKeyVersion eek2 =
         EncryptedKeyVersion.createForDecryption(eek.getEncryptionKeyName(),
             eek.getEncryptionKeyVersionName(), eek.getEncryptedKeyIv(),
             eek.getEncryptedKeyVersion().getMaterial());

     // Decrypt it with the API
     KeyVersion decryptedKey = kpExt.decryptEncryptedKey(eek2);
     final byte[] apiMaterial = decryptedKey.getMaterial();

     assertArrayEquals("Wrong key material from decryptEncryptedKey",
         manualMaterial, apiMaterial);
   }
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.hadoop.crypto.key;

	import java.net.URI;
	import java.security.SecureRandom;
	import java.util.Arrays;

	import javax.crypto.Cipher;
	import javax.crypto.spec.IvParameterSpec;
	import javax.crypto.spec.SecretKeySpec;

	import org.apache.hadoop.conf.Configuration;
	import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion;
	import org.junit.BeforeClass;
	import org.junit.Test;

	import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
	import static org.junit.Assert.assertArrayEquals;
	import static org.junit.Assert.assertEquals;
	import static org.junit.Assert.assertNotNull;
	import static org.junit.Assert.fail;

	public class TestKeyProviderCryptoExtension {

	private static final String CIPHER = "AES";
	private static final String ENCRYPTION_KEY_NAME = "fooKey";

	private static Configuration conf;
	private static KeyProvider kp;
	private static KeyProviderCryptoExtension kpExt;
	private static KeyProvider.Options options;
	private static KeyVersion encryptionKey;

	@BeforeClass
	public static void setup() throws Exception {
	conf = new Configuration();
	kp = new UserProvider.Factory().createProvider(new URI("user:///"), conf);
	kpExt = KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp);
	options = new KeyProvider.Options(conf);
	options.setCipher(CIPHER);
	options.setBitLength(128);
	encryptionKey =
	kp.createKey(ENCRYPTION_KEY_NAME, SecureRandom.getSeed(16), options);
	}

	@Test
	public void testGenerateEncryptedKey() throws Exception {
	// Generate a new EEK and check it
	KeyProviderCryptoExtension.EncryptedKeyVersion ek1 =
	kpExt.generateEncryptedKey(encryptionKey.getName());
	assertEquals("Version name of EEK should be EEK",
	KeyProviderCryptoExtension.EEK,
	ek1.getEncryptedKeyVersion().getVersionName());
	assertEquals("Name of EEK should be encryption key name",
	ENCRYPTION_KEY_NAME, ek1.getEncryptionKeyName());
	assertNotNull("Expected encrypted key material",
	ek1.getEncryptedKeyVersion().getMaterial());
	assertEquals("Length of encryption key material and EEK material should "
	+ "be the same", encryptionKey.getMaterial().length,
	ek1.getEncryptedKeyVersion().getMaterial().length
	);

	// Decrypt EEK into an EK and check it
	KeyVersion k1 = kpExt.decryptEncryptedKey(ek1);
	assertEquals(KeyProviderCryptoExtension.EK, k1.getVersionName());
	assertEquals(encryptionKey.getMaterial().length, k1.getMaterial().length);
	if (Arrays.equals(k1.getMaterial(), encryptionKey.getMaterial())) {
	fail("Encrypted key material should not equal encryption key material");
	}
	if (Arrays.equals(ek1.getEncryptedKeyVersion().getMaterial(),
	encryptionKey.getMaterial())) {
	fail("Encrypted key material should not equal decrypted key material");
	}
	// Decrypt it again and it should be the same
	KeyVersion k1a = kpExt.decryptEncryptedKey(ek1);
	assertArrayEquals(k1.getMaterial(), k1a.getMaterial());

	// Generate another EEK and make sure it's different from the first
	KeyProviderCryptoExtension.EncryptedKeyVersion ek2 =
	kpExt.generateEncryptedKey(encryptionKey.getName());
	KeyVersion k2 = kpExt.decryptEncryptedKey(ek2);
	if (Arrays.equals(k1.getMaterial(), k2.getMaterial())) {
	fail("Generated EEKs should have different material!");
	}
	if (Arrays.equals(ek1.getEncryptedKeyIv(), ek2.getEncryptedKeyIv())) {
	fail("Generated EEKs should have different IVs!");
	}
	}

	@Test
	public void testEncryptDecrypt() throws Exception {
	// Get an EEK
	KeyProviderCryptoExtension.EncryptedKeyVersion eek =
	kpExt.generateEncryptedKey(encryptionKey.getName());
	final byte[] encryptedKeyIv = eek.getEncryptedKeyIv();
	final byte[] encryptedKeyMaterial = eek.getEncryptedKeyVersion()
	.getMaterial();
	// Decrypt it manually
	Cipher cipher = Cipher.getInstance("AES/CTR/NoPadding");
	cipher.init(Cipher.DECRYPT_MODE,
	new SecretKeySpec(encryptionKey.getMaterial(), "AES"),
	new IvParameterSpec(KeyProviderCryptoExtension.EncryptedKeyVersion
	.deriveIV(encryptedKeyIv)));
	final byte[] manualMaterial = cipher.doFinal(encryptedKeyMaterial);

	// Test the createForDecryption factory method
	EncryptedKeyVersion eek2 =
	EncryptedKeyVersion.createForDecryption(eek.getEncryptionKeyName(),
	eek.getEncryptionKeyVersionName(), eek.getEncryptedKeyIv(),
	eek.getEncryptedKeyVersion().getMaterial());

	// Decrypt it with the API
	KeyVersion decryptedKey = kpExt.decryptEncryptedKey(eek2);
	final byte[] apiMaterial = decryptedKey.getMaterial();

	assertArrayEquals("Wrong key material from decryptEncryptedKey",
	manualMaterial, apiMaterial);
	}
	}