| /** |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| package org.apache.hadoop.crypto.key; |
| |
| import java.net.URI; |
| import java.security.SecureRandom; |
| import java.util.Arrays; |
| |
| import javax.crypto.Cipher; |
| import javax.crypto.spec.IvParameterSpec; |
| import javax.crypto.spec.SecretKeySpec; |
| |
| import org.apache.hadoop.conf.Configuration; |
| import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion; |
| import org.junit.BeforeClass; |
| import org.junit.Test; |
| |
| import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion; |
| import static org.junit.Assert.assertArrayEquals; |
| import static org.junit.Assert.assertEquals; |
| import static org.junit.Assert.assertNotNull; |
| import static org.junit.Assert.fail; |
| |
| public class TestKeyProviderCryptoExtension { |
| |
| private static final String CIPHER = "AES"; |
| private static final String ENCRYPTION_KEY_NAME = "fooKey"; |
| |
| private static Configuration conf; |
| private static KeyProvider kp; |
| private static KeyProviderCryptoExtension kpExt; |
| private static KeyProvider.Options options; |
| private static KeyVersion encryptionKey; |
| |
| @BeforeClass |
| public static void setup() throws Exception { |
| conf = new Configuration(); |
| kp = new UserProvider.Factory().createProvider(new URI("user:///"), conf); |
| kpExt = KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp); |
| options = new KeyProvider.Options(conf); |
| options.setCipher(CIPHER); |
| options.setBitLength(128); |
| encryptionKey = |
| kp.createKey(ENCRYPTION_KEY_NAME, SecureRandom.getSeed(16), options); |
| } |
| |
| @Test |
| public void testGenerateEncryptedKey() throws Exception { |
| // Generate a new EEK and check it |
| KeyProviderCryptoExtension.EncryptedKeyVersion ek1 = |
| kpExt.generateEncryptedKey(encryptionKey.getName()); |
| assertEquals("Version name of EEK should be EEK", |
| KeyProviderCryptoExtension.EEK, |
| ek1.getEncryptedKeyVersion().getVersionName()); |
| assertEquals("Name of EEK should be encryption key name", |
| ENCRYPTION_KEY_NAME, ek1.getEncryptionKeyName()); |
| assertNotNull("Expected encrypted key material", |
| ek1.getEncryptedKeyVersion().getMaterial()); |
| assertEquals("Length of encryption key material and EEK material should " |
| + "be the same", encryptionKey.getMaterial().length, |
| ek1.getEncryptedKeyVersion().getMaterial().length |
| ); |
| |
| // Decrypt EEK into an EK and check it |
| KeyVersion k1 = kpExt.decryptEncryptedKey(ek1); |
| assertEquals(KeyProviderCryptoExtension.EK, k1.getVersionName()); |
| assertEquals(encryptionKey.getMaterial().length, k1.getMaterial().length); |
| if (Arrays.equals(k1.getMaterial(), encryptionKey.getMaterial())) { |
| fail("Encrypted key material should not equal encryption key material"); |
| } |
| if (Arrays.equals(ek1.getEncryptedKeyVersion().getMaterial(), |
| encryptionKey.getMaterial())) { |
| fail("Encrypted key material should not equal decrypted key material"); |
| } |
| // Decrypt it again and it should be the same |
| KeyVersion k1a = kpExt.decryptEncryptedKey(ek1); |
| assertArrayEquals(k1.getMaterial(), k1a.getMaterial()); |
| |
| // Generate another EEK and make sure it's different from the first |
| KeyProviderCryptoExtension.EncryptedKeyVersion ek2 = |
| kpExt.generateEncryptedKey(encryptionKey.getName()); |
| KeyVersion k2 = kpExt.decryptEncryptedKey(ek2); |
| if (Arrays.equals(k1.getMaterial(), k2.getMaterial())) { |
| fail("Generated EEKs should have different material!"); |
| } |
| if (Arrays.equals(ek1.getEncryptedKeyIv(), ek2.getEncryptedKeyIv())) { |
| fail("Generated EEKs should have different IVs!"); |
| } |
| } |
| |
| @Test |
| public void testEncryptDecrypt() throws Exception { |
| // Get an EEK |
| KeyProviderCryptoExtension.EncryptedKeyVersion eek = |
| kpExt.generateEncryptedKey(encryptionKey.getName()); |
| final byte[] encryptedKeyIv = eek.getEncryptedKeyIv(); |
| final byte[] encryptedKeyMaterial = eek.getEncryptedKeyVersion() |
| .getMaterial(); |
| // Decrypt it manually |
| Cipher cipher = Cipher.getInstance("AES/CTR/NoPadding"); |
| cipher.init(Cipher.DECRYPT_MODE, |
| new SecretKeySpec(encryptionKey.getMaterial(), "AES"), |
| new IvParameterSpec(KeyProviderCryptoExtension.EncryptedKeyVersion |
| .deriveIV(encryptedKeyIv))); |
| final byte[] manualMaterial = cipher.doFinal(encryptedKeyMaterial); |
| |
| // Test the createForDecryption factory method |
| EncryptedKeyVersion eek2 = |
| EncryptedKeyVersion.createForDecryption(eek.getEncryptionKeyName(), |
| eek.getEncryptionKeyVersionName(), eek.getEncryptedKeyIv(), |
| eek.getEncryptedKeyVersion().getMaterial()); |
| |
| // Decrypt it with the API |
| KeyVersion decryptedKey = kpExt.decryptEncryptedKey(eek2); |
| final byte[] apiMaterial = decryptedKey.getMaterial(); |
| |
| assertArrayEquals("Wrong key material from decryptEncryptedKey", |
| manualMaterial, apiMaterial); |
| } |
| } |