| <!DOCTYPE HTML> |
| <html lang="en"> |
| <head> |
| <!-- Generated by javadoc (17) --> |
| <title>Source code</title> |
| <meta name="viewport" content="width=device-width, initial-scale=1"> |
| <meta name="description" content="source: package: org.apache.hadoop.hbase.security, class: EncryptionUtil"> |
| <meta name="generator" content="javadoc/SourceToHTMLConverter"> |
| <link rel="stylesheet" type="text/css" href="../../../../../../stylesheet.css" title="Style"> |
| </head> |
| <body class="source-page"> |
| <main role="main"> |
| <div class="source-container"> |
| <pre><span class="source-line-no">001</span><span id="line-1">/*</span> |
| <span class="source-line-no">002</span><span id="line-2"> * Licensed to the Apache Software Foundation (ASF) under one</span> |
| <span class="source-line-no">003</span><span id="line-3"> * or more contributor license agreements. See the NOTICE file</span> |
| <span class="source-line-no">004</span><span id="line-4"> * distributed with this work for additional information</span> |
| <span class="source-line-no">005</span><span id="line-5"> * regarding copyright ownership. The ASF licenses this file</span> |
| <span class="source-line-no">006</span><span id="line-6"> * to you under the Apache License, Version 2.0 (the</span> |
| <span class="source-line-no">007</span><span id="line-7"> * "License"); you may not use this file except in compliance</span> |
| <span class="source-line-no">008</span><span id="line-8"> * with the License. You may obtain a copy of the License at</span> |
| <span class="source-line-no">009</span><span id="line-9"> *</span> |
| <span class="source-line-no">010</span><span id="line-10"> * http://www.apache.org/licenses/LICENSE-2.0</span> |
| <span class="source-line-no">011</span><span id="line-11"> *</span> |
| <span class="source-line-no">012</span><span id="line-12"> * Unless required by applicable law or agreed to in writing, software</span> |
| <span class="source-line-no">013</span><span id="line-13"> * distributed under the License is distributed on an "AS IS" BASIS,</span> |
| <span class="source-line-no">014</span><span id="line-14"> * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span> |
| <span class="source-line-no">015</span><span id="line-15"> * See the License for the specific language governing permissions and</span> |
| <span class="source-line-no">016</span><span id="line-16"> * limitations under the License.</span> |
| <span class="source-line-no">017</span><span id="line-17"> */</span> |
| <span class="source-line-no">018</span><span id="line-18">package org.apache.hadoop.hbase.security;</span> |
| <span class="source-line-no">019</span><span id="line-19"></span> |
| <span class="source-line-no">020</span><span id="line-20">import java.io.ByteArrayInputStream;</span> |
| <span class="source-line-no">021</span><span id="line-21">import java.io.ByteArrayOutputStream;</span> |
| <span class="source-line-no">022</span><span id="line-22">import java.io.IOException;</span> |
| <span class="source-line-no">023</span><span id="line-23">import java.security.Key;</span> |
| <span class="source-line-no">024</span><span id="line-24">import java.security.KeyException;</span> |
| <span class="source-line-no">025</span><span id="line-25">import java.util.Properties;</span> |
| <span class="source-line-no">026</span><span id="line-26">import javax.crypto.spec.SecretKeySpec;</span> |
| <span class="source-line-no">027</span><span id="line-27">import org.apache.commons.crypto.cipher.CryptoCipherFactory;</span> |
| <span class="source-line-no">028</span><span id="line-28">import org.apache.hadoop.conf.Configuration;</span> |
| <span class="source-line-no">029</span><span id="line-29">import org.apache.hadoop.hbase.HConstants;</span> |
| <span class="source-line-no">030</span><span id="line-30">import org.apache.hadoop.hbase.client.ColumnFamilyDescriptor;</span> |
| <span class="source-line-no">031</span><span id="line-31">import org.apache.hadoop.hbase.io.crypto.Cipher;</span> |
| <span class="source-line-no">032</span><span id="line-32">import org.apache.hadoop.hbase.io.crypto.Encryption;</span> |
| <span class="source-line-no">033</span><span id="line-33">import org.apache.hadoop.hbase.io.crypto.aes.CryptoAES;</span> |
| <span class="source-line-no">034</span><span id="line-34">import org.apache.hadoop.hbase.util.Bytes;</span> |
| <span class="source-line-no">035</span><span id="line-35">import org.apache.yetus.audience.InterfaceAudience;</span> |
| <span class="source-line-no">036</span><span id="line-36">import org.apache.yetus.audience.InterfaceStability;</span> |
| <span class="source-line-no">037</span><span id="line-37">import org.slf4j.Logger;</span> |
| <span class="source-line-no">038</span><span id="line-38">import org.slf4j.LoggerFactory;</span> |
| <span class="source-line-no">039</span><span id="line-39"></span> |
| <span class="source-line-no">040</span><span id="line-40">import org.apache.hbase.thirdparty.com.google.protobuf.UnsafeByteOperations;</span> |
| <span class="source-line-no">041</span><span id="line-41"></span> |
| <span class="source-line-no">042</span><span id="line-42">import org.apache.hadoop.hbase.shaded.protobuf.generated.EncryptionProtos;</span> |
| <span class="source-line-no">043</span><span id="line-43">import org.apache.hadoop.hbase.shaded.protobuf.generated.RPCProtos;</span> |
| <span class="source-line-no">044</span><span id="line-44"></span> |
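/**
 * Static helpers for the encryption features used by hbase-client: wrapping and unwrapping
 * (encrypting/decrypting) data keys under a subject's master key, building an
 * {@link Encryption.Context} for a column family, and constructing the RPC-level {@link CryptoAES}
 * from negotiated cipher metadata.
 * <p>
 * A wrapped key is serialized as a length-delimited {@link EncryptionProtos.WrappedKey} message
 * carrying the key's algorithm name, an optional IV, the plaintext key length, the name of a hash
 * algorithm plus a digest of the raw key bytes under that algorithm, and the encrypted key data.
 * The digest is how the unwrap path tells "decrypted under the right master key" from "decrypted
 * to garbage"; see {@link #getUnwrapKey} for what that check does and does not guarantee.
 */
@InterfaceAudience.Private
@InterfaceStability.Evolving
public final class EncryptionUtil {
  static private final Logger LOG = LoggerFactory.getLogger(EncryptionUtil.class);

  /**
   * Private constructor to keep this class from being instantiated.
   */
  private EncryptionUtil() {
  }

  /**
   * Protect a key by encrypting it with the secret key of the given subject. The configuration must
   * be set up correctly for key alias resolution.
   * <p>
   * The subject is the configured master key name
   * ({@code HConstants.CRYPTO_MASTERKEY_NAME_CONF_KEY}), falling back to the current user's short
   * name when that property is unset.
   * @param conf configuration
   * @param key the raw key bytes
   * @param algorithm the algorithm to use with this key material
   * @return the encrypted key bytes
   * @throws IOException if the subject's key cannot be resolved or the wrap fails
   * @throws IllegalStateException if the configured key-wrapping cipher is not available
   */
  public static byte[] wrapKey(Configuration conf, byte[] key, String algorithm)
    throws IOException {
    String subject =
      conf.get(HConstants.CRYPTO_MASTERKEY_NAME_CONF_KEY, User.getCurrent().getShortName());
    return wrapKey(conf, subject, new SecretKeySpec(key, algorithm));
  }

  /**
   * Protect a key by encrypting it with the secret key of the given subject. The configuration must
   * be set up correctly for key alias resolution.
   * <p>
   * The returned blob is a length-delimited {@code WrappedKey} message. Next to the ciphertext it
   * stores an <em>unkeyed</em> digest of the raw key bytes, computed with the hash algorithm from
   * {@link Encryption#getConfiguredHashAlgorithm(Configuration)}. That digest lets the unwrap side
   * detect decryption under the wrong master key; it is not a MAC over the ciphertext. Whether the
   * ciphertext itself is authenticated depends on {@code Encryption.encryptWithSubjectKey}, which is
   * not visible from here.
   * @param conf configuration
   * @param subject subject key alias
   * @param key the key
   * @return the encrypted key bytes
   * @throws IOException if the subject's key cannot be resolved or encryption fails
   * @throws IllegalStateException if the configured key-wrapping cipher is not available
   */
  public static byte[] wrapKey(Configuration conf, String subject, Key key) throws IOException {
    // The wrapping cipher comes from configuration; it need not match the wrapped key's algorithm.
    Cipher cipher = getCipherOrFail(conf, HConstants.CRYPTO_KEY_ALGORITHM_CONF_KEY);
    EncryptionProtos.WrappedKey.Builder builder = EncryptionProtos.WrappedKey.newBuilder();
    builder.setAlgorithm(key.getAlgorithm());
    byte[] iv = null;
    if (cipher.getIvLength() > 0) {
      // Fresh random IV per wrap; it travels in the clear inside the blob, as IVs normally do.
      iv = new byte[cipher.getIvLength()];
      Bytes.secureRandom(iv);
      builder.setIv(UnsafeByteOperations.unsafeWrap(iv));
    }
    byte[] keyBytes = key.getEncoded();
    builder.setLength(keyBytes.length);
    // Record which digest was used so the unwrap side can recompute it (see getUnwrapKey).
    builder.setHashAlgorithm(Encryption.getConfiguredHashAlgorithm(conf));
    builder
      .setHash(UnsafeByteOperations.unsafeWrap(Encryption.computeCryptoKeyHash(conf, keyBytes)));
    ByteArrayOutputStream out = new ByteArrayOutputStream();
    Encryption.encryptWithSubjectKey(out, new ByteArrayInputStream(keyBytes), subject, conf, cipher,
      iv);
    builder.setData(UnsafeByteOperations.unsafeWrap(out.toByteArray()));
    // Build and return the protobuf message, reusing the same buffer for the serialized form.
    out.reset();
    builder.build().writeDelimitedTo(out);
    return out.toByteArray();
  }

  /**
   * Unwrap a key by decrypting it with the secret key of the given subject. The configuration must
   * be set up correctly for key alias resolution.
   * @param conf configuration
   * @param subject subject key alias
   * @param value the encrypted key bytes as produced by {@link #wrapKey(Configuration, String, Key)}
   * @return the unwrapped key
   * @throws IOException if the subject's key cannot be resolved, the blob cannot be parsed, or
   *           decryption fails
   * @throws KeyException if the decrypted key does not match the digest stored in the blob, or if
   *           the blob's hash algorithm differs from the configured one and
   *           {@link Encryption#failOnHashAlgorithmMismatch(Configuration)} is enabled
   * @throws IllegalStateException if the configured key-wrapping cipher is not available
   */
  public static Key unwrapKey(Configuration conf, String subject, byte[] value)
    throws IOException, KeyException {
    return parseAndUnwrap(conf, subject, value, HConstants.CRYPTO_KEY_ALGORITHM_CONF_KEY);
  }

  /**
   * Unwrap a wal key by decrypting it with the secret key of the given subject. The configuration
   * must be set up correctly for key alias resolution. Identical to
   * {@link #unwrapKey(Configuration, String, byte[])} except that the wrapping cipher is taken from
   * {@code HConstants.CRYPTO_WAL_ALGORITHM_CONF_KEY}.
   * @param conf configuration
   * @param subject subject key alias
   * @param value the encrypted key bytes
   * @return the unwrapped key
   * @throws IOException if key is not found for the subject, or if some I/O error occurs
   * @throws KeyException if fail to unwrap the key
   * @throws IllegalStateException if the configured WAL cipher is not available
   */
  public static Key unwrapWALKey(Configuration conf, String subject, byte[] value)
    throws IOException, KeyException {
    return parseAndUnwrap(conf, subject, value, HConstants.CRYPTO_WAL_ALGORITHM_CONF_KEY);
  }

  /**
   * Shared body of {@link #unwrapKey(Configuration, String, byte[])} and
   * {@link #unwrapWALKey(Configuration, String, byte[])}: parse the blob, resolve the cipher named
   * by {@code cipherConfKey}, then decrypt and verify.
   * @param conf configuration
   * @param subject subject key alias
   * @param value the serialized wrapped key
   * @param cipherConfKey configuration property naming the cipher the key was wrapped with
   * @return the unwrapped key
   * @throws IOException if parsing or decryption fails
   * @throws KeyException if verification fails
   */
  private static Key parseAndUnwrap(Configuration conf, String subject, byte[] value,
    String cipherConfKey) throws IOException, KeyException {
    // Parse before resolving the cipher so a malformed blob surfaces as an IOException first.
    EncryptionProtos.WrappedKey wrappedKey =
      EncryptionProtos.WrappedKey.parser().parseDelimitedFrom(new ByteArrayInputStream(value));
    Cipher cipher = getCipherOrFail(conf, cipherConfKey);
    return getUnwrapKey(conf, subject, wrappedKey, cipher);
  }

  /**
   * Resolve the cipher named by a configuration property, defaulting to AES.
   * @param conf configuration
   * @param confKey the property holding the cipher name
   * @return the cipher, never null
   * @throws IllegalStateException if no cipher of that name is available
   */
  private static Cipher getCipherOrFail(Configuration conf, String confKey) {
    String algorithm = conf.get(confKey, HConstants.CIPHER_AES);
    Cipher cipher = Encryption.getCipher(conf, algorithm);
    if (cipher == null) {
      throw new IllegalStateException("Cipher '" + algorithm + "' not available");
    }
    return cipher;
  }

  /**
   * Decrypt the payload of a parsed {@code WrappedKey} and check it against the stored digest.
   * <p>
   * Two limits of that check, both visible in the code below:
   * <ul>
   * <li>The digest algorithm used for verification is the one named <em>in the blob</em>. When it
   * differs from the configured algorithm the mismatch is only logged at debug level and the blob's
   * choice is honored, unless {@link Encryption#failOnHashAlgorithmMismatch(Configuration)} is
   * enabled. Deployments that want to rule out stored data selecting a weaker digest should enable
   * that setting.</li>
   * <li>A blob without a hash field is accepted with no integrity check at all; decrypting such a
   * blob under the wrong master key yields an unusable key instead of a {@link KeyException}.</li>
   * </ul>
   * @param conf configuration
   * @param subject subject key alias
   * @param wrappedKey the parsed wrapped-key message
   * @param cipher the cipher to decrypt with
   * @return the unwrapped key
   * @throws IOException if decryption fails
   * @throws KeyException on hash-algorithm mismatch (when configured to fail) or digest mismatch
   */
  private static Key getUnwrapKey(Configuration conf, String subject,
    EncryptionProtos.WrappedKey wrappedKey, Cipher cipher) throws IOException, KeyException {
    String configuredHashAlgorithm = Encryption.getConfiguredHashAlgorithm(conf);
    String wrappedHashAlgorithm = wrappedKey.getHashAlgorithm().trim();
    if (!configuredHashAlgorithm.equalsIgnoreCase(wrappedHashAlgorithm)) {
      String msg = String.format("Unexpected encryption key hash algorithm: %s (expecting: %s)",
        wrappedHashAlgorithm, configuredHashAlgorithm);
      if (Encryption.failOnHashAlgorithmMismatch(conf)) {
        throw new KeyException(msg);
      }
      LOG.debug(msg);
    }
    ByteArrayOutputStream out = new ByteArrayOutputStream();
    byte[] iv = wrappedKey.hasIv() ? wrappedKey.getIv().toByteArray() : null;
    Encryption.decryptWithSubjectKey(out, wrappedKey.getData().newInput(), wrappedKey.getLength(),
      subject, conf, cipher, iv);
    byte[] keyBytes = out.toByteArray();
    if (wrappedKey.hasHash()) {
      byte[] storedDigest = wrappedKey.getHash().toByteArray();
      byte[] recomputedDigest = Encryption.hashWithAlg(wrappedHashAlgorithm, keyBytes);
      // The stored digest is attacker-visible and the recomputed one derives from secret key
      // material, so compare in constant time rather than with an early-exit byte loop.
      if (!java.security.MessageDigest.isEqual(storedDigest, recomputedDigest)) {
        throw new KeyException("Key was not successfully unwrapped");
      }
    }
    return new SecretKeySpec(keyBytes, wrappedKey.getAlgorithm());
  }

  /**
   * Helper to create an encryption context for a column family.
   * <p>
   * If the family carries wrapped key material it is unwrapped with the configured master (or
   * alternate) key and the resulting key's algorithm is cross-checked against the family's declared
   * encryption type, so a wrapped key of the wrong kind cannot silently be used. If the family
   * carries no key material a random key for the declared cipher is generated instead.
   * @param conf The current configuration.
   * @param family The current column descriptor.
   * @return The created encryption context, or {@link Encryption.Context#NONE} when the family has
   *         no encryption type.
   * @throws IOException if an encryption key for the column cannot be unwrapped
   * @throws IllegalStateException in case of encryption related configuration errors
   */
  public static Encryption.Context createEncryptionContext(Configuration conf,
    ColumnFamilyDescriptor family) throws IOException {
    String cipherName = family.getEncryptionType();
    if (cipherName == null) {
      return Encryption.Context.NONE;
    }
    if (!Encryption.isEncryptionEnabled(conf)) {
      throw new IllegalStateException("Encryption for family '" + family.getNameAsString()
        + "' configured with type '" + cipherName + "' but the encryption feature is disabled");
    }
    Cipher cipher;
    Key key;
    byte[] keyBytes = family.getEncryptionKey();
    if (keyBytes != null) {
      // Family provides specific key material
      key = unwrapKey(conf, keyBytes);
      // Use the algorithm the key wants
      cipher = Encryption.getCipher(conf, key.getAlgorithm());
      if (cipher == null) {
        throw new IllegalStateException("Cipher '" + key.getAlgorithm() + "' is not available");
      }
      // Fail if misconfigured: the encryption type in the column schema is a sanity check on what
      // the wrapped key is telling us.
      if (!cipher.getName().equalsIgnoreCase(cipherName)) {
        throw new IllegalStateException(
          "Encryption for family '" + family.getNameAsString() + "' configured with type '"
            + cipherName + "' but key specifies algorithm '" + cipher.getName() + "'");
      }
    } else {
      // Family does not provide key material, create a random key
      cipher = Encryption.getCipher(conf, cipherName);
      if (cipher == null) {
        throw new IllegalStateException("Cipher '" + cipherName + "' is not available");
      }
      key = cipher.getRandomKey();
    }
    Encryption.Context cryptoContext = Encryption.newContext(conf);
    cryptoContext.setCipher(cipher);
    cryptoContext.setKey(key);
    return cryptoContext;
  }

  /**
   * Helper for {@link #unwrapKey(Configuration, String, byte[])} which automatically uses the
   * configured master and alternative keys, rather than having to specify a key type to unwrap
   * with. The configuration must be set up correctly for key alias resolution.
   * <p>
   * Only a {@link KeyException} from the master key (digest or hash-algorithm mismatch) triggers
   * the fallback to the alternate key; an {@link IOException} from the first attempt, such as an
   * unresolvable master key alias, propagates unchanged.
   * @param conf the current configuration
   * @param keyBytes the key encrypted by master (or alternative) to unwrap
   * @return the unwrapped key
   * @throws IOException if the key cannot be unwrapped with either the master or the alternate key
   */
  public static Key unwrapKey(Configuration conf, byte[] keyBytes) throws IOException {
    String masterKeyName =
      conf.get(HConstants.CRYPTO_MASTERKEY_NAME_CONF_KEY, User.getCurrent().getShortName());
    try {
      // First try the master key
      return unwrapKey(conf, masterKeyName, keyBytes);
    } catch (KeyException e) {
      // If the current master key fails to unwrap, try the alternate, if one is configured
      if (LOG.isDebugEnabled()) {
        LOG.debug("Unable to unwrap key with current master key '" + masterKeyName + "'");
      }
      String alternateKeyName = conf.get(HConstants.CRYPTO_MASTERKEY_ALTERNATE_NAME_CONF_KEY);
      if (alternateKeyName == null) {
        throw new IOException(e);
      }
      try {
        return unwrapKey(conf, alternateKeyName, keyBytes);
      } catch (KeyException ex) {
        // Keep the master-key failure attached so a log of this exception shows both attempts.
        ex.addSuppressed(e);
        throw new IOException(ex);
      }
    }
  }

  /**
   * Helper to create an instance of {@link CryptoAES} for RPC payload encryption.
   * <p>
   * The cipher implementation class is read from {@code hbase.rpc.crypto.encryption.aes.cipher.class}
   * (default {@code org.apache.commons.crypto.cipher.JceCipher}); as with any class-name setting it
   * should only be controllable through the deployment's own configuration. Keys and IVs are taken
   * verbatim from the negotiated {@code CryptoCipherMeta}; how that metadata is protected in
   * transit is outside this method.
   * @param cryptoCipherMeta The metadata for creating CryptoAES.
   * @param conf The current configuration.
   * @return The instance of CryptoAES.
   * @throws IOException if creating CryptoAES failed
   */
  public static CryptoAES createCryptoAES(RPCProtos.CryptoCipherMeta cryptoCipherMeta,
    Configuration conf) throws IOException {
    Properties properties = new Properties();
    // the property for cipher class
    properties.setProperty(CryptoCipherFactory.CLASSES_KEY,
      conf.get("hbase.rpc.crypto.encryption.aes.cipher.class",
        "org.apache.commons.crypto.cipher.JceCipher"));
    // create SaslAES for client
    return new CryptoAES(cryptoCipherMeta.getTransformation(), properties,
      cryptoCipherMeta.getInKey().toByteArray(), cryptoCipherMeta.getOutKey().toByteArray(),
      cryptoCipherMeta.getInIv().toByteArray(), cryptoCipherMeta.getOutIv().toByteArray());
  }
}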
| </pre> |
| </div> |
| </main> |
| </body> |
| </html> |