Use of org.apache.hadoop.crypto.CipherSuite in project hadoop by apache:
class DFSClient, method getCryptoCodec.
/**
 * Resolves the CryptoCodec for a file from the CipherSuite recorded in its
 * FileEncryptionInfo, using the codec classes configured in {@code conf}.
 *
 * @param conf Configuration holding the codec class settings
 * @param feInfo FileEncryptionInfo carrying the suite chosen by the NameNode
 * @return the CryptoCodec for the suite; never null
 * @throws IOException if the NameNode reported a CipherSuite this client does
 *     not recognize
 * @throws UnknownCipherSuiteException if the suite is known but no codec is
 *     configured for it
 */
private static CryptoCodec getCryptoCodec(Configuration conf, FileEncryptionInfo feInfo) throws IOException {
  final CipherSuite requested = feInfo.getCipherSuite();
  // A suite this client cannot interpret is rejected before any codec lookup;
  // the numeric id is echoed so the mismatch can be traced back to the NameNode.
  if (requested.equals(CipherSuite.UNKNOWN)) {
    throw new IOException("NameNode specified unknown CipherSuite with ID "
        + requested.getUnknownValue() + ", cannot instantiate CryptoCodec.");
  }
  final CryptoCodec resolved = CryptoCodec.getInstance(conf, requested);
  if (resolved != null) {
    return resolved;
  }
  // Known suite, but nothing configured under the codec-classes prefix for it.
  throw new UnknownCipherSuiteException("No configuration found for the cipher suite "
      + requested.getConfigSuffix() + " prefixed with "
      + HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX
      + ". Please see the example configuration "
      + "hadoop.security.crypto.codec.classes.EXAMPLECIPHERSUITE "
      + "at core-default.xml for details.");
}
Use of org.apache.hadoop.crypto.CipherSuite in project hadoop by apache:
class PBHelperClient, method convert.
/**
 * Converts a wire-format CipherOptionProto into a CipherOption.
 *
 * @param proto the protobuf message; may be null
 * @return the converted option, or null when {@code proto} is null
 */
public static CipherOption convert(HdfsProtos.CipherOptionProto proto) {
  if (proto == null) {
    return null;
  }
  // Each field is copied out of the message under the same null guard the
  // original conversion used. NOTE(review): generated protobuf getters are
  // not expected to return null for unset bytes fields (they yield an empty
  // ByteString), so an absent key or IV most likely arrives here as an empty
  // array rather than null — confirm whether callers rely on that distinction.
  final CipherSuite cipherSuite = proto.getSuite() == null ? null : convert(proto.getSuite());
  final byte[] inputKey = proto.getInKey() == null ? null : proto.getInKey().toByteArray();
  final byte[] inputIv = proto.getInIv() == null ? null : proto.getInIv().toByteArray();
  final byte[] outputKey = proto.getOutKey() == null ? null : proto.getOutKey().toByteArray();
  final byte[] outputIv = proto.getOutIv() == null ? null : proto.getOutIv().toByteArray();
  return new CipherOption(cipherSuite, inputKey, inputIv, outputKey, outputIv);
}
Use of org.apache.hadoop.crypto.CipherSuite in project hadoop by apache:
class FSDirEncryptionZoneOp, method getEncryptionKeyInfo.
/**
 * If the file is in an encryption zone, we optimistically create an
 * EDEK for the file by calling out to the configured KeyProvider.
 * Since this typically involves doing an RPC, the fsn lock is yielded.
 *
 * Since the path can flip-flop between being in an encryption zone and not
 * in the meantime, the caller MUST re-resolve the IIP and re-check
 * preconditions if this method does not return null.
 *
 * Must be called with the fsn write lock held; the lock is released around
 * EDEK generation and re-acquired on every exit path, so the caller sees the
 * same lock state on return.
 *
 * @param fsn the namesystem.
 * @param iip the inodes for the path
 * @param supportedVersions client's supported versions
 * @return EncryptionKeyInfo if the path is in an EZ, else null
 * @throws IOException propagated from zone lookup, protocol negotiation or
 *     EDEK generation
 */
static EncryptionKeyInfo getEncryptionKeyInfo(FSNamesystem fsn, INodesInPath iip, CryptoProtocolVersion[] supportedVersions) throws IOException {
  FSDirectory fsd = fsn.getFSDirectory();
  // Nothing to do if the path is not within an EZ
  final EncryptionZone zone = getEZForPath(fsd, iip);
  if (zone == null) {
    EncryptionFaultInjector.getInstance().startFileNoKey();
    return null;
  }
  CryptoProtocolVersion protocolVersion = fsn.chooseProtocolVersion(zone, supportedVersions);
  CipherSuite suite = zone.getSuite();
  String ezKeyName = zone.getKeyName();
  // Fail fast, while still holding the lock, on a zone whose suite, protocol
  // version or key name cannot be honoured; an UNKNOWN suite must never reach
  // key generation.
  Preconditions.checkNotNull(protocolVersion);
  Preconditions.checkNotNull(suite);
  Preconditions.checkArgument(!suite.equals(CipherSuite.UNKNOWN), "Chose an UNKNOWN CipherSuite!");
  Preconditions.checkNotNull(ezKeyName);
  // Generate EDEK while not holding the fsn lock.
  fsn.writeUnlock();
  try {
    EncryptionFaultInjector.getInstance().startFileBeforeGenerateKey();
    return new EncryptionKeyInfo(protocolVersion, suite, ezKeyName, generateEncryptedDataEncryptionKey(fsd, ezKeyName));
  } finally {
    // Re-take the lock whether generation succeeded or threw; the injector
    // hook fires only once the lock is held again.
    fsn.writeLock();
    EncryptionFaultInjector.getInstance().startFileAfterGenerateKey();
  }
}
Use of org.apache.hadoop.crypto.CipherSuite in project hadoop by apache:
class TestEncryptionZones, method testCipherSuiteNegotiation.
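// This test only uses mocks. Called from the end of an existing test to
// avoid an extra mini cluster.
//
// Checks client-side CipherSuite negotiation against a mocked ClientProtocol:
// a suite with no configured codec must be refused, and a suite the client
// does not recognize must be refused with its numeric id in the message.
// The real DFSClient behind {@code fs} is swapped for mock-backed clients
// during the test and restored on exit so the caller's FileSystem (and its
// teardown) does not go through a mock.
private static void testCipherSuiteNegotiation(DistributedFileSystem fs, Configuration conf) throws Exception {
  // Set up mock ClientProtocol to test client-side CipherSuite negotiation
  final ClientProtocol mcp = Mockito.mock(ClientProtocol.class);
  final DFSClient originalClient = fs.dfs;
  try {
    // Try with an empty conf: the suite is known but no codec class is set
    final Configuration noCodecConf = new Configuration(conf);
    final CipherSuite suite = CipherSuite.AES_CTR_NOPADDING;
    final String confKey = CommonConfigurationKeysPublic.HADOOP_SECURITY_CRYPTO_CODEC_CLASSES_KEY_PREFIX + suite.getConfigSuffix();
    noCodecConf.set(confKey, "");
    fs.dfs = new DFSClient(null, mcp, noCodecConf, null);
    mockCreate(mcp, suite, CryptoProtocolVersion.ENCRYPTION_ZONES);
    try {
      fs.create(new Path("/mock"));
      fail("Created with no configured codecs!");
    } catch (UnknownCipherSuiteException e) {
      assertExceptionContains("No configuration found for the cipher", e);
    }
    // Try create with an UNKNOWN CipherSuite
    fs.dfs = new DFSClient(null, mcp, conf, null);
    CipherSuite unknown = CipherSuite.UNKNOWN;
    // NOTE(review): UNKNOWN is an enum constant, so this id is process-wide
    // state that outlives the test; the API seen here offers no way to reset
    // it, so later assertions on getUnknownValue() will observe 989.
    unknown.setUnknownValue(989);
    mockCreate(mcp, unknown, CryptoProtocolVersion.ENCRYPTION_ZONES);
    try {
      fs.create(new Path("/mock"));
      fail("Created with unknown cipher!");
    } catch (IOException e) {
      assertExceptionContains("unknown CipherSuite with ID 989", e);
    }
  } finally {
    // Hand the caller back its real client, whatever happened above.
    fs.dfs = originalClient;
  }
}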