
Example 6 with Key

use of java.security.Key in project hbase by apache.

From class TestEncryptionUtil, method testKeyWrapping:

// There does not seem to be a ready way to test either getKeyFromBytesOrMasterKey
// or createEncryptionContext, and the existing code under MobUtils appeared to be
// untested.  Not ideal!
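@Test
public void testKeyWrapping() throws Exception {
    // Resolve key aliases through the test provider; a plain Configuration is enough here,
    // HBaseConfiguration is not needed.
    Configuration conf = new Configuration();
    conf.set(HConstants.CRYPTO_KEYPROVIDER_CONF_KEY, KeyProviderForTesting.class.getName());
    // Fresh random subject key; SecureRandom so the test never wraps a predictable key.
    byte[] keyBytes = new byte[AES.KEY_LENGTH];
    new SecureRandom().nextBytes(keyBytes);
    String algorithm = conf.get(HConstants.CRYPTO_KEY_ALGORITHM_CONF_KEY, HConstants.CIPHER_AES);
    Key key = new SecretKeySpec(keyBytes, algorithm);
    // Wrap under the master key the provider resolves for alias "hbase".
    byte[] wrappedKeyBytes = EncryptionUtil.wrapKey(conf, "hbase", key);
    assertNotNull(wrappedKeyBytes);
    // The wrapped form must not simply be the raw key material passed through.
    assertTrue("Wrapped key must differ from the raw key bytes", !Bytes.equals(keyBytes, wrappedKeyBytes));
    // Unwrap with the same alias and check the round trip.
    Key unwrappedKey = EncryptionUtil.unwrapKey(conf, "hbase", wrappedKeyBytes);
    assertNotNull(unwrappedKey);
    // Only SecretKeySpec is supported for now.
    assertTrue(unwrappedKey instanceof SecretKeySpec);
    // Did we get back exactly what we wrapped, material and algorithm?
    assertTrue("Unwrapped key bytes do not match original", Bytes.equals(keyBytes, unwrappedKey.getEncoded()));
    assertTrue("Unwrapped key algorithm does not match original", algorithm.equals(unwrappedKey.getAlgorithm()));
    // Unwrapping under a different alias must be rejected with KeyException rather than
    // silently returning garbage key material.
    try {
        EncryptionUtil.unwrapKey(conf, "other", wrappedKeyBytes);
        fail("Unwrap with incorrect key did not throw KeyException");
    } catch (KeyException e) {
        // expected
    }
}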

Example 7 with Key

use of java.security.Key in project hbase by apache.

From class TestEncryptionUtil, method testWALKeyWrappingWithIncorrectKey:

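@Test
public void testWALKeyWrappingWithIncorrectKey() throws Exception {
    // Resolve key aliases through the test provider; a plain Configuration is enough here,
    // HBaseConfiguration is not needed.
    Configuration conf = new Configuration();
    conf.set(HConstants.CRYPTO_KEYPROVIDER_CONF_KEY, KeyProviderForTesting.class.getName());
    // Fresh random WAL key.
    byte[] keyBytes = new byte[AES.KEY_LENGTH];
    new SecureRandom().nextBytes(keyBytes);
    String algorithm = conf.get(HConstants.CRYPTO_WAL_ALGORITHM_CONF_KEY, HConstants.CIPHER_AES);
    Key key = new SecretKeySpec(keyBytes, algorithm);
    // Wrap under the master key resolved for alias "hbase". This step must succeed; only the
    // unwrap below is expected to fail.
    byte[] wrappedKeyBytes = EncryptionUtil.wrapKey(conf, "hbase", key);
    assertNotNull(wrappedKeyBytes);
    // Unwrapping the WAL key under a different alias must be rejected with KeyException.
    // The expectation is scoped to this one call (instead of @Test(expected = ...)) so that a
    // KeyException thrown anywhere in the setup above cannot make the test pass.
    try {
        EncryptionUtil.unwrapWALKey(conf, "other", wrappedKeyBytes);
        fail("Unwrap WAL key with incorrect key did not throw KeyException");
    } catch (KeyException e) {
        // expected
    }
}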

Example 8 with Key

use of java.security.Key in project hbase by apache.

From class Encryption, method encryptWithSubjectKey:

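/**
   * Encrypts a block of plaintext with the symmetric key resolved for the given subject.
   * <p>
   * The key is looked up with {@code getSecretKeyForSubject(subject, conf)}; if nothing
   * resolves, no data is read or written and an IOException is thrown.
   * @param out ciphertext destination
   * @param in plaintext source
   * @param subject the key alias whose resolved key is used for encryption
   * @param conf configuration used for key resolution
   * @param cipher the encryption algorithm
   * @param iv the initialization vector, can be null. When supplied, the caller is responsible
   *   for never reusing it under the same key. NOTE(review): what the Encryptor does with a
   *   null IV is not visible here -- confirm it derives a fresh one rather than a fixed value.
   * @throws IOException if no key is available for the subject, or as propagated from the
   *   underlying encrypt call
   */
public static void encryptWithSubjectKey(OutputStream out, InputStream in, String subject, Configuration conf, Cipher cipher, byte[] iv) throws IOException {
    Key subjectKey = getSecretKeyForSubject(subject, conf);
    if (subjectKey == null) {
        throw new IOException("No key found for subject '" + subject + "'");
    }
    Encryptor encryptor = cipher.getEncryptor();
    encryptor.setKey(subjectKey);
    // A null IV is handed to the encryptor unchanged
    encryptor.setIv(iv);
    encrypt(out, in, encryptor);
}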

Example 9 with Key

use of java.security.Key in project hbase by apache.

From class HFileReaderImpl, method createHFileContext:

/**
 * Builds the {@link HFileContext} for this reader from the file trailer. When the trailer
 * carries wrapped key material, the key is unwrapped with the configured master (or
 * alternate) key and an encryption context is attached so blocks can be decrypted.
 *
 * @param fsdis the input stream wrapper (unused here)
 * @param fileSize the file size (unused here)
 * @param hfs the file system (unused here)
 * @param path the file path, used only for the trace message; may be null
 * @param trailer the parsed fixed file trailer, source of any wrapped key
 * @return the populated context
 * @throws IOException if the key cannot be unwrapped or its cipher is not available
 */
protected HFileContext createHFileContext(FSDataInputStreamWrapper fsdis, long fileSize, HFileSystem hfs, Path path, FixedFileTrailer trailer) throws IOException {
    HFileContextBuilder contextBuilder = new HFileContextBuilder()
        .withIncludesMvcc(shouldIncludeMemstoreTS())
        .withHBaseCheckSum(true)
        .withHFileName(this.getName())
        .withCompression(this.compressAlgo);
    // Wrapped key material in the trailer means this file is encrypted.
    byte[] wrappedKey = trailer.getEncryptionKey();
    if (wrappedKey != null) {
        Encryption.Context cryptoContext = Encryption.newContext(conf);
        Key fileKey = EncryptionUtil.unwrapKey(conf, wrappedKey);
        // The algorithm recorded with the unwrapped key decides which cipher is used.
        String algorithm = fileKey.getAlgorithm();
        Cipher cipher = Encryption.getCipher(conf, algorithm);
        if (cipher == null) {
            throw new IOException("Cipher '" + algorithm + "' is not available");
        }
        cryptoContext.setCipher(cipher);
        cryptoContext.setKey(fileKey);
        contextBuilder.withEncryptionContext(cryptoContext);
    }
    HFileContext context = contextBuilder.build();
    // NOTE(review): the whole context is rendered at TRACE level; confirm that the toString()
    // of HFileContext / Encryption.Context never includes raw key material.
    if (LOG.isTraceEnabled()) {
        LOG.trace("Reader" + (path != null ? " for " + path : "") + " initialized with cacheConf: " + cacheConf + " comparator: " + comparator.getClass().getSimpleName() + " fileContext: " + context);
    }
    return context;
}

Example 10 with Key

use of java.security.Key in project hbase by apache.

From class EncryptionUtil, method unwrapKey:

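/**
   * Helper for {@link #unwrapKey(Configuration, String, byte[])} which automatically tries the
   * configured master key and then the alternate key, rather than having the caller specify
   * which alias to unwrap with.
   * <p>
   * The master key alias is read from {@code HConstants.CRYPTO_MASTERKEY_NAME_CONF_KEY}; when
   * that is unset the current user's short name is used as the alias, so an unconfigured
   * cluster silently falls back to a per-user key name. The alternate alias is read from
   * {@code HConstants.CRYPTO_MASTERKEY_ALTERNATE_NAME_CONF_KEY} and is only tried when set.
   * <p>
   * The configuration must be set up correctly for key alias resolution.
   *
   * @param conf the current configuration
   * @param keyBytes the key wrapped by the master (or alternate) key
   * @return the unwrapped key
   * @throws IOException if the key cannot be unwrapped with the master key nor with the
   *   alternate key (the wrapped KeyException carries the alternate-key failure, with the
   *   master-key failure attached as a suppressed exception)
   */
public static Key unwrapKey(Configuration conf, byte[] keyBytes) throws IOException {
    // Default alias is the current user's short name when no master key name is configured.
    String masterKeyName = conf.get(HConstants.CRYPTO_MASTERKEY_NAME_CONF_KEY, User.getCurrent().getShortName());
    KeyException masterFailure = null;
    try {
        // First try the master key
        return unwrapKey(conf, masterKeyName, keyBytes);
    } catch (KeyException e) {
        masterFailure = e;
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("Unable to unwrap key with current master key '" + masterKeyName + "'");
    }
    // Fall back to the alternate master key, if one is configured (presumably to cover a
    // master key rotation in progress).
    String alternateKeyName = conf.get(HConstants.CRYPTO_MASTERKEY_ALTERNATE_NAME_CONF_KEY);
    if (alternateKeyName == null) {
        throw new IOException(masterFailure);
    }
    try {
        return unwrapKey(conf, alternateKeyName, keyBytes);
    } catch (KeyException ex) {
        // Keep the master-key failure as well so the first root cause is not lost.
        ex.addSuppressed(masterFailure);
        throw new IOException(ex);
    }
}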
