

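/**
 * Builds the DB row ({@link XXRangerKeyStore}) for one key entry being migrated between Ranger KMS and
 * an HSM-backed master key ({@link RangerKMSMKI}).
 *
 * <p>Two cases are handled:
 * <ul>
 *   <li>{@code key} is a {@link KeyMetadata}: a fresh random key of the metadata's cipher and bit length is
 *       generated, wrapped with the HSM master key and stored with the metadata's description and version
 *       count; the attributes are copied from the existing DB entry. NOTE(review): the entry's own encoded
 *       bytes are not migrated here — presumably the metadata entry is a placeholder that the HSM cannot
 *       wrap directly; confirm against the RangerKeyStoreProvider layout before relying on it.</li>
 *   <li>any other {@link Key}: the key material itself is wrapped with the HSM master key and the existing DB
 *       entry's cipher, bit length, description, creation date and attributes are carried over. The stored
 *       version is bumped by one when the alias has a {@code name@N} suffix whose {@code N + 1} differs from
 *       the stored version.</li>
 * </ul>
 *
 * @param alias              key alias, optionally suffixed {@code @N} with the key-version number
 * @param key                the key (or metadata wrapper) read from the current store
 * @param rangerMKeyProvider master-key provider used to wrap (encrypt) the zone key
 * @return the populated entity, ready to be persisted
 * @throws RuntimeException wrapping any failure (missing DB entry, non-numeric alias suffix, crypto/HSM
 *         errors); the original cause is preserved as the exception's cause
 */
private XXRangerKeyStore convertKeysBetweenRangerKMSAndHSM(String alias, Key key, RangerKMSMKI rangerMKeyProvider) {
    try {
        // The existing DB row supplies the attributes (and, for real keys, cipher/date/version). Fail with a
        // clear message instead of a bare NPE further down when the row is missing.
        SecretKeyEntry secretKey = (SecretKeyEntry) getKeyEntry(alias);
        if (secretKey == null) {
            throw new IllegalStateException("No Ranger DB key entry found for alias: " + alias);
        }
        XXRangerKeyStore xxRangerKeyStore;
        if (key instanceof KeyMetadata) {
            Metadata meta = ((KeyMetadata) key).metadata;
            String algorithm = getAlgorithm(meta.getCipher());
            KeyGenerator keyGenerator = KeyGenerator.getInstance(algorithm);
            keyGenerator.init(meta.getBitLength());
            byte[] keyByte = keyGenerator.generateKey().getEncoded();
            byte[] encryptedKey;
            try {
                // SecretKeySpec copies the array, so the local plaintext buffer can be scrubbed once wrapped.
                Key ezkey = new SecretKeySpec(keyByte, algorithm);
                encryptedKey = rangerMKeyProvider.encryptZoneKey(ezkey);
            } finally {
                java.util.Arrays.fill(keyByte, (byte) 0);
            }
            Long creationDate = System.currentTimeMillis();
            xxRangerKeyStore = mapObjectToEntity(alias, creationDate, encryptedKey, meta.getCipher(), meta.getBitLength(), meta.getDescription(), meta.getVersions(), secretKey.attributes);
        } else {
            byte[] encryptedKey = rangerMKeyProvider.encryptZoneKey(key);
            Long creationDate = secretKey.date.getTime();
            int version = secretKey.version;
            // Key-version aliases look like "name@N". When the stored version does not already equal N+1,
            // bump it so the DB row accounts for this version.
            String[] aliasParts = alias.split("@");
            if (aliasParts.length == 2 && Integer.parseInt(aliasParts[1]) + 1 != secretKey.version) {
                version++;
            }
            xxRangerKeyStore = mapObjectToEntity(alias, creationDate, encryptedKey, secretKey.cipher_field, secretKey.bit_length, secretKey.description, version, secretKey.attributes);
        }
        return xxRangerKeyStore;
    } catch (Throwable t) {
        // Throwable is kept deliberately: the existing contract is that every failure surfaces as a
        // RuntimeException carrying the original cause.
        throw new RuntimeException("Migration failed between key secure and Ranger DB : ", t);
    }
}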


/**
 * Exports every key held by this provider into a standard Java {@link KeyStore} of type {@code fileFormat}
 * and writes it to {@code stream}.
 *
 * <p>The in-memory entries are first (re)loaded from the Ranger DB with {@code masterKey}. Each alias is then
 * resolved to a {@link Key} — via {@code engineGetDecryptedZoneKey} when an external key vault is enabled,
 * otherwise via {@code engineGetKey} — and added to the target store under {@code keyPass}. Metadata entries
 * ({@link KeyMetadata}) are re-wrapped in a fresh {@link KeyMetadata} before being stored.
 *
 * <p>Security note: the written file contains the decrypted zone keys, protected only by {@code storePass} /
 * {@code keyPass}. Treat the output as secret material. How strong that password protection is depends on
 * {@code fileFormat}; where the caller can choose, prefer a PKCS12 store over the legacy JKS/JCEKS formats.
 *
 * @param stream     destination for the serialized keystore
 * @param storePass  keystore (integrity / protection) password
 * @param keyPass    password protecting each exported key entry
 * @param masterKey  Ranger master key used to load (decrypt) the keys from the DB
 * @param fileFormat {@link KeyStore} type passed to {@link KeyStore#getInstance(String)}
 * @throws IOException wrapping any failure while loading, converting or storing the keys
 */
public void engineLoadToKeyStoreFile(OutputStream stream, char[] storePass, char[] keyPass, char[] masterKey, String fileFormat) throws IOException, NoSuchAlgorithmException, CertificateException {
    if (logger.isDebugEnabled()) {
        logger.debug("==> RangerKeyStoreProvider.engineLoadToKeyStoreFile()");
    }
    synchronized (keyEntries) {
        try {
            KeyStore target = KeyStore.getInstance(fileFormat);
            if (target == null) {
                return;
            }
            target.load(null, storePass);
            // Refresh the in-memory entries from the DB before enumerating them.
            engineLoad(null, masterKey);
            Enumeration<String> aliases = engineAliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                Key exported = keyVaultEnabled
                        ? engineGetDecryptedZoneKey(alias)
                        : rewrapMetadata(engineGetKey(alias, masterKey));
                target.setKeyEntry(alias, exported, keyPass, null);
            }
            target.store(stream, storePass);
        } catch (Throwable t) {
            logger.error("Unable to load keystore file ", t);
            throw new IOException(t);
        }
    }
}

/** Re-wraps a {@link KeyMetadata} entry (with non-null metadata) in a fresh instance; any other key passes through unchanged. */
private static Key rewrapMetadata(Key key) {
    if (key instanceof KeyMetadata) {
        Metadata meta = ((KeyMetadata) key).metadata;
        if (meta != null) {
            return new KeyMetadata(meta);
        }
    }
    return key;
}


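/**
 * Imports every key entry of an external Java {@link KeyStore} (read from {@code stream} as type
 * {@code fileFormat}) into {@code deltaEntries}, replacing whatever the delta map held before.
 *
 * <p>Each alias is converted to a Ranger entry:
 * <ul>
 *   <li>Hadoop {@code JavaKeyStoreProvider.KeyMetadata}: the private {@code metadata} field is read by
 *       reflection and re-wrapped as a {@link KeyMetadata}; cipher, bit length and version come from it.</li>
 *   <li>{@code KeyByteMetadata} / {@link KeyMetadata}: cipher, bit length and version come from the metadata.
 *       In key-vault mode the entry's encoded bytes are used as key material or — when there are none — a
 *       fresh random key of that cipher and length is generated. NOTE(review): that stores random material
 *       for a metadata-only entry; presumably a placeholder so the vault has something to wrap — confirm
 *       this is intended before importing production metadata this way.</li>
 *   <li>any other key: cipher and bit length are derived from the key itself; the version is {@code N + 1}
 *       for an alias of the form {@code name@N}, else 1.</li>
 * </ul>
 * The key material is then either wrapped by {@code masterKeyProvider} (key-vault mode, stored in
 * {@code entry.key}) or sealed with {@code masterKey} through the JDK-internal
 * {@code com.sun.crypto.provider.KeyProtector} (stored in {@code entry.sealedKey}).
 *
 * <p>Caveats:
 * <ul>
 *   <li>{@code KeyProtector} and the Hadoop {@code metadata} field are reached via {@code setAccessible(true)};
 *       on a modular JDK this needs the matching {@code --add-opens} flags and may break on JDK upgrades.</li>
 *   <li>{@code entry.attributes} is a JSON snippet built by string concatenation from the alias. That is
 *       only safe because {@code validateKeyName} runs first — it is assumed to reject quotes and
 *       backslashes in key names; verify against its implementation.</li>
 *   <li>Aliases without a key entry (e.g. trusted-certificate entries) or without extractable key material
 *       are rejected with an {@link IOException}. {@code deltaEntries} is cleared up front, so on failure it
 *       holds only the aliases processed before the failing one.</li>
 * </ul>
 *
 * @param stream     source keystore bytes
 * @param storePass  keystore password
 * @param keyPass    password protecting the key entries inside {@code stream}
 * @param masterKey  Ranger master key used to seal entries when no key vault is enabled
 * @param fileFormat {@link KeyStore} type passed to {@link KeyStore#getInstance(String)}
 * @throws IOException wrapping any failure; the original cause is preserved
 */
public void engineLoadKeyStoreFile(InputStream stream, char[] storePass, char[] keyPass, char[] masterKey, String fileFormat) throws IOException, NoSuchAlgorithmException, CertificateException {
    if (logger.isDebugEnabled()) {
        logger.debug("==> RangerKeyStoreProvider.engineLoadKeyStoreFile()");
    }
    synchronized (deltaEntries) {
        if (keyVaultEnabled) {
            try {
                KeyStore ks = KeyStore.getInstance(fileFormat);
                ks.load(stream, storePass);
                deltaEntries.clear();
                for (Enumeration<String> name = ks.aliases(); name.hasMoreElements(); ) {
                    SecretKeyByteEntry entry = new SecretKeyByteEntry();
                    String alias = name.nextElement();
                    Key k = ks.getKey(alias, keyPass);
                    if (k == null) {
                        // e.g. a trustedCertEntry: there is no key material to import.
                        throw new IOException("Keystore alias '" + alias + "' has no key entry and cannot be imported");
                    }
                    SecretKey secretKey;
                    if (k instanceof JavaKeyStoreProvider.KeyMetadata) {
                        Metadata metadata = readHadoopMetadata((JavaKeyStoreProvider.KeyMetadata) k);
                        entry.bit_length = metadata.getBitLength();
                        entry.cipher_field = metadata.getAlgorithm();
                        entry.version = metadata.getVersions();
                        k = newRangerKeyMetadata(metadata);
                        secretKey = new SecretKeySpec(k.getEncoded(), getAlgorithm(metadata.getAlgorithm()));
                    } else if (k instanceof KeyByteMetadata) {
                        Metadata metadata = ((KeyByteMetadata) k).metadata;
                        entry.cipher_field = metadata.getCipher();
                        entry.version = metadata.getVersions();
                        entry.bit_length = metadata.getBitLength();
                        secretKey = keyFromMetadataEntry(k.getEncoded(), metadata);
                    } else if (k instanceof KeyMetadata) {
                        Metadata metadata = ((KeyMetadata) k).metadata;
                        entry.bit_length = metadata.getBitLength();
                        entry.cipher_field = metadata.getCipher();
                        entry.version = metadata.getVersions();
                        secretKey = keyFromMetadataEntry(k.getEncoded(), metadata);
                    } else {
                        byte[] encoded = k.getEncoded();
                        if (encoded == null || encoded.length == 0) {
                            // Non-extractable or empty key: nothing the vault could wrap.
                            throw new IOException("Keystore alias '" + alias + "' carries no encoded key material");
                        }
                        entry.bit_length = encoded.length * NUMBER_OF_BITS_PER_BYTE;
                        entry.cipher_field = k.getAlgorithm();
                        entry.version = versionFromAlias(alias);
                        try {
                            // SecretKeySpec copies the bytes; scrub the local plaintext copy afterwards.
                            secretKey = new SecretKeySpec(encoded, getAlgorithm(k.getAlgorithm()));
                        } finally {
                            java.util.Arrays.fill(encoded, (byte) 0);
                        }
                    }
                    String keyName = alias.split("@")[0];
                    validateKeyName(keyName);
                    // Hand-built JSON: relies on validateKeyName having rejected quotes/backslashes in keyName.
                    entry.attributes = "{\"key.acl.name\":\"" + keyName + "\"}";
                    entry.key = masterKeyProvider.encryptZoneKey(secretKey);
                    entry.date = ks.getCreationDate(alias);
                    entry.description = k.getFormat() + " - " + ks.getType();
                    deltaEntries.put(alias, entry);
                }
            } catch (Throwable t) {
                logger.error("Unable to load keystore file ", t);
                throw new IOException(t);
            }
        } else {
            try {
                KeyStore ks = KeyStore.getInstance(fileFormat);
                ks.load(stream, storePass);
                deltaEntries.clear();
                for (Enumeration<String> name = ks.aliases(); name.hasMoreElements(); ) {
                    SecretKeyEntry entry = new SecretKeyEntry();
                    String alias = name.nextElement();
                    Key k = ks.getKey(alias, keyPass);
                    if (k == null) {
                        // e.g. a trustedCertEntry: there is no key material to import.
                        throw new IOException("Keystore alias '" + alias + "' has no key entry and cannot be imported");
                    }
                    if (k instanceof JavaKeyStoreProvider.KeyMetadata) {
                        Metadata metadata = readHadoopMetadata((JavaKeyStoreProvider.KeyMetadata) k);
                        entry.bit_length = metadata.getBitLength();
                        entry.cipher_field = metadata.getAlgorithm();
                        entry.version = metadata.getVersions();
                        k = newRangerKeyMetadata(metadata);
                    } else if (k instanceof KeyMetadata) {
                        Metadata metadata = ((KeyMetadata) k).metadata;
                        entry.bit_length = metadata.getBitLength();
                        entry.cipher_field = metadata.getCipher();
                        entry.version = metadata.getVersions();
                    } else {
                        byte[] encoded = k.getEncoded();
                        if (encoded == null) {
                            // Non-extractable key: its length (and later the seal) cannot be computed.
                            throw new IOException("Keystore alias '" + alias + "' carries no encoded key material");
                        }
                        entry.bit_length = encoded.length * NUMBER_OF_BITS_PER_BYTE;
                        entry.cipher_field = k.getAlgorithm();
                        entry.version = versionFromAlias(alias);
                    }
                    String keyName = alias.split("@")[0];
                    validateKeyName(keyName);
                    // Hand-built JSON: relies on validateKeyName having rejected quotes/backslashes in keyName.
                    entry.attributes = "{\"key.acl.name\":\"" + keyName + "\"}";
                    entry.sealedKey = sealWithMasterKey(k, masterKey);
                    entry.date = ks.getCreationDate(alias);
                    entry.description = k.getFormat() + " - " + ks.getType();
                    deltaEntries.put(alias, entry);
                }
            } catch (Throwable t) {
                logger.error("Unable to load keystore file ", t);
                throw new IOException(t);
            }
        }
    }
}

/** Reads the private {@code metadata} field of a Hadoop {@code JavaKeyStoreProvider.KeyMetadata} by reflection. */
private Metadata readHadoopMetadata(JavaKeyStoreProvider.KeyMetadata keyMetadata) throws ReflectiveOperationException {
    Field f = JavaKeyStoreProvider.KeyMetadata.class.getDeclaredField(METADATA_FIELDNAME);
    f.setAccessible(true);
    return (Metadata) f.get(keyMetadata);
}

/** Instantiates a {@code RangerKeyStoreProvider.KeyMetadata} through its {@code (Metadata)} constructor by reflection. */
private RangerKeyStoreProvider.KeyMetadata newRangerKeyMetadata(Metadata metadata) throws ReflectiveOperationException {
    Constructor<RangerKeyStoreProvider.KeyMetadata> constructor = RangerKeyStoreProvider.KeyMetadata.class.getDeclaredConstructor(Metadata.class);
    constructor.setAccessible(true);
    return constructor.newInstance(metadata);
}

/**
 * Key material for a metadata-style entry in key-vault mode: the entry's own encoded bytes when present,
 * otherwise a freshly generated random key of the metadata's cipher and bit length.
 * NOTE: the JCE algorithm is derived from {@code metadata.getAlgorithm()} for existing bytes but from
 * {@code metadata.getCipher()} for generated keys — both forms are kept exactly as the original code had them.
 */
private SecretKey keyFromMetadataEntry(byte[] encoded, Metadata metadata) throws NoSuchAlgorithmException {
    if (encoded != null && encoded.length > 0) {
        return new SecretKeySpec(encoded, getAlgorithm(metadata.getAlgorithm()));
    }
    KeyGenerator keyGenerator = KeyGenerator.getInstance(getAlgorithm(metadata.getCipher()));
    keyGenerator.init(metadata.getBitLength());
    byte[] keyByte = keyGenerator.generateKey().getEncoded();
    try {
        // SecretKeySpec copies the bytes; scrub the local plaintext copy afterwards.
        return new SecretKeySpec(keyByte, getAlgorithm(metadata.getCipher()));
    } finally {
        java.util.Arrays.fill(keyByte, (byte) 0);
    }
}

/** Version for an alias of the form {@code name@N} is {@code N + 1}; any other alias is version 1. */
private int versionFromAlias(String alias) {
    String[] parts = alias.split("@");
    return parts.length == 2 ? Integer.parseInt(parts[1]) + 1 : 1;
}

/**
 * Seals {@code key} with {@code masterKey} through the JDK-internal {@code com.sun.crypto.provider.KeyProtector}
 * (reached by reflection; requires the class to be accessible on the running JDK).
 *
 * @throws IOException if the class, constructor or {@code seal} method cannot be reached or the call fails;
 *         the reflective/crypto exception is kept as the cause
 */
private SealedObject sealWithMasterKey(Key key, char[] masterKey) throws IOException {
    try {
        Class<?> c = Class.forName("com.sun.crypto.provider.KeyProtector");
        Constructor<?> constructor = c.getDeclaredConstructor(char[].class);
        constructor.setAccessible(true);
        Object protector = constructor.newInstance(masterKey);
        Method seal = c.getDeclaredMethod("seal", Key.class);
        seal.setAccessible(true);
        return (SealedObject) seal.invoke(protector, key);
    } catch (ClassNotFoundException | NoSuchMethodException | SecurityException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException e) {
        logger.error(e.getMessage());
        // Keep the cause so the real reflective/crypto failure is not lost behind the wrapper.
        throw new IOException(e.getMessage(), e);
    }
}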
