use of org.apache.hadoop.crypto.CipherSuite in project hadoop by apache.
the class PBHelperClient method convert.
/**
 * Converts the wire (protobuf) cipher-suite value into a {@link CipherSuite}.
 *
 * @param proto the cipher suite value received in an RPC message
 * @return the matching suite, or {@code CipherSuite.UNKNOWN} with the
 *     unrecognised wire number stashed on it so the mismatch can be reported
 */
public static CipherSuite convert(HdfsProtos.CipherSuiteProto proto) {
  if (proto == HdfsProtos.CipherSuiteProto.AES_CTR_NOPADDING) {
    return CipherSuite.AES_CTR_NOPADDING;
  }
  // Any other value is a suite this side does not understand: fall back to
  // UNKNOWN but keep the raw wire number for diagnostics.
  // NOTE(review): UNKNOWN appears to be a shared constant, so the stashed
  // number is effectively global state shared by all callers — confirm.
  CipherSuite unrecognised = CipherSuite.UNKNOWN;
  unrecognised.setUnknownValue(proto.getNumber());
  return unrecognised;
}
use of org.apache.hadoop.crypto.CipherSuite in project hadoop by apache.
the class DataTransferSaslUtil method negotiateCipherOption.
/**
* Negotiate a cipher option which server supports.
*
* @param conf the configuration
* @param options the cipher options which client supports
* @return CipherOption negotiated cipher option
*/
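/**
 * Negotiate a cipher option which server supports.
 *
 * @param conf the configuration
 * @param options the cipher options which client supports
 * @return CipherOption negotiated cipher option; {@code null} when no cipher
 *     suite is configured, {@code options} is {@code null}, or the client
 *     offered no suite the server supports
 * @throws IOException if the configured cipher suite or key bit length is
 *     invalid, or no codec can be obtained for the negotiated suite
 */
public static CipherOption negotiateCipherOption(Configuration conf,
    List<CipherOption> options) throws IOException {
  // Negotiate cipher suites if configured. Currently, the only supported
  // cipher suite is AES/CTR/NoPadding, but the protocol allows multiple
  // values for future expansion.
  String cipherSuites = conf.get(DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY);
  if (cipherSuites == null || cipherSuites.isEmpty()) {
    // Not configured: no cipher negotiation takes place.
    return null;
  }
  if (!cipherSuites.equals(CipherSuite.AES_CTR_NOPADDING.getName())) {
    throw new IOException(String.format("Invalid cipher suite, %s=%s",
        DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY, cipherSuites));
  }
  if (options == null) {
    return null;
  }
  for (CipherOption option : options) {
    CipherSuite suite = option.getCipherSuite();
    if (suite == CipherSuite.AES_CTR_NOPADDING) {
      return generateCipherOption(conf, suite);
    }
  }
  // The client offered nothing the server supports.
  return null;
}

/**
 * Builds a {@link CipherOption} for {@code suite} with freshly generated key
 * and IV material for both directions.
 *
 * @param conf the configuration, read for the key bit length
 * @param suite the negotiated cipher suite
 * @return a new option holding secret key material (never log it)
 * @throws IOException if the key bit length is invalid or no codec is available
 */
private static CipherOption generateCipherOption(Configuration conf,
    CipherSuite suite) throws IOException {
  int keyBits = conf.getInt(DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_KEY,
      DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_DEFAULT);
  // The key is sized in bytes below; reject values that the integer division
  // would silently truncate, or that would yield an empty key.
  if (keyBits <= 0 || keyBits % 8 != 0) {
    throw new IOException(String.format("Invalid cipher key bit length, %s=%d",
        DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_KEY, keyBits));
  }
  int keyLen = keyBits / 8;
  CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
  // A plain assert would be compiled out when -ea is not set, leaving an NPE
  // on the first generateSecureRandom call; fail explicitly instead.
  if (codec == null) {
    throw new IOException("No CryptoCodec available for cipher suite "
        + suite.getName());
  }
  byte[] inKey = new byte[keyLen];
  byte[] inIv = new byte[suite.getAlgorithmBlockSize()];
  byte[] outKey = new byte[keyLen];
  byte[] outIv = new byte[suite.getAlgorithmBlockSize()];
  // Key and IV material come from the codec's secure random source.
  codec.generateSecureRandom(inKey);
  codec.generateSecureRandom(inIv);
  codec.generateSecureRandom(outKey);
  codec.generateSecureRandom(outIv);
  return new CipherOption(suite, inKey, inIv, outKey, outIv);
}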
use of org.apache.hadoop.crypto.CipherSuite in project hadoop by apache.
the class PBHelperClient method convert.
/**
 * Converts a {@code FileEncryptionInfoProto} into a {@link FileEncryptionInfo}.
 *
 * @param proto the wire representation; may be {@code null}
 * @return the converted object, or {@code null} when {@code proto} is {@code null}
 */
public static FileEncryptionInfo convert(HdfsProtos.FileEncryptionInfoProto proto) {
  if (proto == null) {
    return null;
  }
  // The constructor takes keyName before ezKeyVersionName, which is the
  // reverse of the order the proto fields are usually read in.
  return new FileEncryptionInfo(
      convert(proto.getSuite()),
      convert(proto.getCryptoProtocolVersion()),
      proto.getKey().toByteArray(),
      proto.getIv().toByteArray(),
      proto.getKeyName(),
      proto.getEzKeyVersionName());
}
use of org.apache.hadoop.crypto.CipherSuite in project hadoop by apache.
the class FSDirEncryptionZoneOp method createEncryptionZone.
/**
* Create an encryption zone on directory path using the specified key.
*
* @param fsd fsdirectory
* @param srcArg the path of a directory which will be the root of the
* encryption zone. The directory must be empty
* @param pc permission checker to check fs permission
* @param cipher cipher
* @param keyName name of a key which must be present in the configured
* KeyProvider
* @param logRetryCache whether to record RPC ids in editlog for retry cache
* rebuilding
* @return HdfsFileStatus
* @throws IOException
*/
static HdfsFileStatus createEncryptionZone(final FSDirectory fsd,
    final String srcArg, final FSPermissionChecker pc, final String cipher,
    final String keyName, final boolean logRetryCache) throws IOException {
  final CipherSuite suite = CipherSuite.convert(cipher);
  // For now this is hard coded, as we only support one method.
  final CryptoProtocolVersion version = CryptoProtocolVersion.ENCRYPTION_ZONES;
  final List<XAttr> xAttrs = Lists.newArrayListWithCapacity(1);
  final INodesInPath iip;
  // Path resolution (with the permission checker) and zone creation run
  // under the directory write lock; the edit-log entry is written after
  // the lock is released.
  fsd.writeLock();
  try {
    iip = fsd.resolvePath(pc, srcArg, DirOp.WRITE);
    xAttrs.add(fsd.ezManager.createEncryptionZone(iip, suite, version, keyName));
  } finally {
    fsd.writeUnlock();
  }
  fsd.getEditLog().logSetXAttrs(iip.getPath(), xAttrs, logRetryCache);
  return fsd.getAuditFileInfo(iip);
}
use of org.apache.hadoop.crypto.CipherSuite in project hadoop by apache.
the class FSDirEncryptionZoneOp method getFileEncryptionInfo.
/**
* This function combines the per-file encryption info (obtained
* from the inode's XAttrs), and the encryption info from its zone, and
* returns a consolidated FileEncryptionInfo instance. Null is returned
* for non-encrypted or raw files.
*
* @param fsd fsdirectory
* @param iip inodes in the path containing the file, passed in to
* avoid obtaining the list of inodes again
* @return consolidated file encryption info; null for non-encrypted files
*/
static FileEncryptionInfo getFileEncryptionInfo(final FSDirectory fsd,
    final INodesInPath iip) throws IOException {
  // Cheap rejections first, before taking the read lock: raw paths, a
  // namesystem with no encryption zones at all, or a non-file inode.
  if (iip.isRaw() || !fsd.ezManager.hasCreatedEncryptionZone()
      || !iip.getLastINode().isFile()) {
    return null;
  }
  fsd.readLock();
  try {
    final EncryptionZone zone = getEZForPath(fsd, iip);
    if (zone == null) {
      // not an encrypted file
      return null;
    }
    final String zonePath = zone.getPath();
    if (zonePath == null || zonePath.isEmpty()) {
      // Only logged; lookup proceeds as before.
      if (NameNode.LOG.isDebugEnabled()) {
        NameNode.LOG.debug("Encryption zone " + zonePath
            + " does not have a valid path.");
      }
    }
    final XAttr fileXAttr = FSDirXAttrOp.unprotectedGetXAttrByPrefixedName(
        iip, CRYPTO_XATTR_FILE_ENCRYPTION_INFO);
    if (fileXAttr == null) {
      NameNode.LOG.warn("Could not find encryption XAttr for file "
          + iip.getPath() + " in encryption zone " + zone.getPath());
      return null;
    }
    // Per-file info lives in the XAttr value; zone-level info comes from the
    // zone itself, and the two are merged by the converter.
    try {
      final HdfsProtos.PerFileEncryptionInfoProto fileProto =
          HdfsProtos.PerFileEncryptionInfoProto.parseFrom(fileXAttr.getValue());
      return PBHelperClient.convert(fileProto, zone.getSuite(),
          zone.getVersion(), zone.getKeyName());
    } catch (InvalidProtocolBufferException e) {
      throw new IOException("Could not parse file encryption info for inode "
          + iip.getPath(), e);
    }
  } finally {
    fsd.readUnlock();
  }
}