
Example 1 with CryptoCodec

Use of org.apache.hadoop.crypto.CryptoCodec in the hbase project by apache.

From the class FanOutOneBlockAsyncDFSOutputSaslHelper, method createTransparentCryptoHelper.

private static TransparentCryptoHelper createTransparentCryptoHelper() throws NoSuchMethodException {
    // DFSClient does not expose decryptEncryptedDataEncryptionKey publicly, so it is reached
    // through reflection. A Hadoop release that renames or removes that method surfaces here
    // as NoSuchMethodException rather than at encryption time.
    final Method decryptKeyMethod =
        DFSClient.class.getDeclaredMethod("decryptEncryptedDataEncryptionKey", FileEncryptionInfo.class);
    decryptKeyMethod.setAccessible(true);
    return new TransparentCryptoHelper() {

        /**
         * Builds an {@link Encryptor} for an encrypted HDFS file: obtains the plaintext
         * data-encryption key by invoking DFSClient's private
         * {@code decryptEncryptedDataEncryptionKey}, then initialises an encryptor from a
         * codec for the file's cipher suite with that key and the file's IV.
         *
         * @param conf   configuration used to look up the codec
         * @param feInfo encryption info of the file (cipher suite, wrapped key, IV)
         * @param client the DFSClient the private key-decryption method is invoked on
         * @return an initialised encryptor
         * @throws IOException if key decryption throws IOException, or if codec setup fails
         */
        @Override
        public Encryptor createEncryptor(Configuration conf, FileEncryptionInfo feInfo, DFSClient client) throws IOException {
            final KeyVersion plaintextKey;
            try {
                plaintextKey = (KeyVersion) decryptKeyMethod.invoke(client, feInfo);
            } catch (IllegalAccessException e) {
                throw new RuntimeException(e);
            } catch (InvocationTargetException e) {
                // Re-throw the reflected method's own IOException (or unchecked failure) as-is;
                // any other checked failure is wrapped.
                Throwables.propagateIfPossible(e.getTargetException(), IOException.class);
                throw new RuntimeException(e.getTargetException());
            }
            try {
                final CryptoCodec codec = CryptoCodec.getInstance(conf, feInfo.getCipherSuite());
                final Encryptor encryptor = codec.createEncryptor();
                encryptor.init(plaintextKey.getMaterial(), feInfo.getIV());
                return encryptor;
            } catch (GeneralSecurityException e) {
                throw new IOException(e);
            }
        }
    };
}

Example 2 with CryptoCodec

Use of org.apache.hadoop.crypto.CryptoCodec in the hadoop project by apache.

From the class CryptoUtils, method wrapIfNecessary.

/**
 * Returns {@code in} wrapped in a {@link CryptoInputStream} when encrypted
 * intermediate data is enabled for the job; otherwise returns {@code in}
 * untouched. The crypto buffer size comes from the
 * "mapreduce.job.encrypted-intermediate-data.buffer.kb" job configuration
 * variable.
 *
 * When {@code length} is greater than -1 the input is first wrapped in a
 * {@link LimitInputStream}. Crypto streams buffer lazily and read ahead
 * whenever they can; the limit guarantees they never consume bytes beyond
 * {@code length} from the underlying stream.
 *
 * The wrapped stream is expected to begin with an 8-byte big-endian stream
 * offset followed by one cipher block of IV; both are consumed here before
 * the crypto stream is constructed.
 *
 * @param conf configuration
 * @param in given input stream
 * @param length maximum number of bytes to read from the input stream
 * @return InputStream encrypted input stream if encryption is
 *         enabled; otherwise the given input stream itself
 * @throws IOException exception in case of error
 */
public static InputStream wrapIfNecessary(Configuration conf, InputStream in, long length) throws IOException {
    if (!isEncryptedSpillEnabled(conf)) {
        return in;
    }
    final int bufferSize = getBufferSize(conf);
    final InputStream source = (length > -1) ? new LimitInputStream(in, length) : in;

    // Leading header: 8-byte offset (ByteBuffer defaults to big-endian).
    final byte[] offsetBytes = new byte[8];
    IOUtils.readFully(source, offsetBytes, 0, offsetBytes.length);
    final long streamOffset = ByteBuffer.wrap(offsetBytes).getLong();

    // Then the IV, sized to the codec's algorithm block size.
    final CryptoCodec codec = CryptoCodec.getInstance(conf);
    final int ivLength = codec.getCipherSuite().getAlgorithmBlockSize();
    final byte[] iv = new byte[ivLength];
    IOUtils.readFully(source, iv, 0, ivLength);
    if (LOG.isDebugEnabled()) {
        LOG.debug("IV read from [" + Base64.encodeBase64URLSafeString(iv) + "]");
    }
    // Only the key is taken from the job; offset and IV are trusted from the stream header.
    return new CryptoInputStream(source, codec, bufferSize, getEncryptionKey(), iv, streamOffset + cryptoPadding(conf));
}

Example 3 with CryptoCodec

Use of org.apache.hadoop.crypto.CryptoCodec in the hadoop project by apache.

From the class DataTransferSaslUtil, method negotiateCipherOption.

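/**
 * Negotiate a cipher option which server supports.
 *
 * Only AES/CTR/NoPadding is accepted today; the first client-offered option
 * with that suite wins and receives freshly generated in/out keys and IVs.
 *
 * @param conf the configuration
 * @param options the cipher options which client supports
 * @return CipherOption negotiated cipher option, or {@code null} when no
 *         cipher suite is configured or the client offered no acceptable suite
 * @throws IOException if the configured cipher suite is not AES/CTR/NoPadding,
 *         or no CryptoCodec is available for it
 */
public static CipherOption negotiateCipherOption(Configuration conf, List<CipherOption> options) throws IOException {
    // Negotiate cipher suites if configured.  Currently, the only supported
    // cipher suite is AES/CTR/NoPadding, but the protocol allows multiple
    // values for future expansion.
    String cipherSuites = conf.get(DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY);
    if (cipherSuites == null || cipherSuites.isEmpty()) {
        return null;
    }
    if (!cipherSuites.equals(CipherSuite.AES_CTR_NOPADDING.getName())) {
        throw new IOException(String.format("Invalid cipher suite, %s=%s", DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY, cipherSuites));
    }
    if (options == null) {
        return null;
    }
    for (CipherOption option : options) {
        CipherSuite suite = option.getCipherSuite();
        if (suite != CipherSuite.AES_CTR_NOPADDING) {
            continue;
        }
        // Configured value is in bits; integer division silently truncates a value
        // that is not a multiple of 8.
        int keyLen = conf.getInt(DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_KEY, DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_DEFAULT) / 8;
        CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
        if (codec == null) {
            // Was `assert codec != null`, which is a no-op without -ea and then let the
            // generateSecureRandom calls below fail with a NullPointerException.
            throw new IOException("No CryptoCodec available for cipher suite " + suite.getName());
        }
        // All key and IV material comes from the codec's secure random source.
        byte[] inKey = new byte[keyLen];
        byte[] inIv = new byte[suite.getAlgorithmBlockSize()];
        byte[] outKey = new byte[keyLen];
        byte[] outIv = new byte[suite.getAlgorithmBlockSize()];
        codec.generateSecureRandom(inKey);
        codec.generateSecureRandom(inIv);
        codec.generateSecureRandom(outKey);
        codec.generateSecureRandom(outIv);
        return new CipherOption(suite, inKey, inIv, outKey, outIv);
    }
    return null;
}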

Example 4 with CryptoCodec

Use of org.apache.hadoop.crypto.CryptoCodec in the hadoop project by apache.

From the class DFSClient, method getCryptoCodec.

/**
 * Looks up the CryptoCodec configured for the CipherSuite carried in a
 * FileEncryptionInfo.
 *
 * @param conf   Configuration holding the codec class mappings
 * @param feInfo FileEncryptionInfo naming the cipher suite
 * @return a CryptoCodec for that suite, never {@code null}
 * @throws IOException if the NameNode reported an unknown suite, or if no
 *                     codec is configured for the suite
 */
private static CryptoCodec getCryptoCodec(Configuration conf, FileEncryptionInfo feInfo) throws IOException {
    final CipherSuite suite = feInfo.getCipherSuite();
    // An UNKNOWN suite means the NameNode sent an ID this client cannot map.
    if (suite.equals(CipherSuite.UNKNOWN)) {
        final String unknownMsg = "NameNode specified unknown CipherSuite with ID "
            + suite.getUnknownValue() + ", cannot instantiate CryptoCodec.";
        throw new IOException(unknownMsg);
    }
    final CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
    if (codec != null) {
        return codec;
    }
    final StringBuilder noCodecMsg = new StringBuilder()
        .append("No configuration found for the cipher suite ")
        .append(suite.getConfigSuffix())
        .append(" prefixed with ")
        .append(HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX)
        .append(". Please see the example configuration ")
        .append("hadoop.security.crypto.codec.classes.EXAMPLECIPHERSUITE ")
        .append("at core-default.xml for details.");
    throw new UnknownCipherSuiteException(noCodecMsg.toString());
}

Example 5 with CryptoCodec

Use of org.apache.hadoop.crypto.CryptoCodec in the hadoop project by apache.

From the class DFSClient, method createWrappedOutputStream.

/**
 * Returns an HdfsDataOutputStream over {@code dfsos}, inserting a
 * CryptoOutputStream in between when the file carries FileEncryptionInfo.
 *
 * @param dfsos      the raw DFS output stream
 * @param statistics file system statistics passed to the returned stream
 * @param startPos   starting position of the stream (also the crypto stream offset)
 * @return the wrapped stream
 * @throws IOException if the codec lookup or data-encryption-key decryption fails
 */
public HdfsDataOutputStream createWrappedOutputStream(DFSOutputStream dfsos, FileSystem.Statistics statistics, long startPos) throws IOException {
    final FileEncryptionInfo feInfo = dfsos.getFileEncryptionInfo();
    if (feInfo == null) {
        // Not an encrypted file: hand the raw stream back.
        return new HdfsDataOutputStream(dfsos, statistics, startPos);
    }
    // Only one protocol version exists today, so the result is checked but not branched on.
    getCryptoProtocolVersion(feInfo);
    final CryptoCodec codec = getCryptoCodec(conf, feInfo);
    final KeyVersion dataKey = decryptEncryptedDataEncryptionKey(feInfo);
    final CryptoOutputStream encrypting =
        new CryptoOutputStream(dfsos, codec, dataKey.getMaterial(), feInfo.getIV(), startPos);
    return new HdfsDataOutputStream(encrypting, statistics, startPos);
}
