
Example 6 with Cipher

use of org.apache.hadoop.hbase.io.crypto.Cipher in project hbase by apache.

the class TestAES method testAESAlgorithm.

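// Known-answer test for AES in CTR mode with a 128 bit key.
// The key, initial counter block, plaintext and expected ciphertext are the public
// CTR-AES128.Encrypt vectors from NIST Special Publication 800-38A (section F.5.1).
// The key and IV are fixed only so the output is reproducible: in CTR mode, reusing a
// counter block under the same key reuses the keystream, so this pattern belongs in
// tests and nowhere else.
@Test
public void testAESAlgorithm() throws Exception {
    Configuration conf = HBaseConfiguration.create();
    Cipher aes = Encryption.getCipher(conf, "AES");
    // assertEquals takes (expected, actual); keeping that order makes a failure message
    // report the constant as the expectation and the cipher's answer as the actual value.
    assertEquals(AES.KEY_LENGTH, aes.getKeyLength());
    assertEquals(AES.IV_LENGTH, aes.getIvLength());
    Encryptor e = aes.getEncryptor();
    e.setKey(new SecretKeySpec(Bytes.fromHex("2b7e151628aed2a6abf7158809cf4f3c"), "AES"));
    e.setIv(Bytes.fromHex("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"));

    // Four 16-byte plaintext blocks and the ciphertext block expected for each.
    String[] plaintextBlocks = {
        "6bc1bee22e409f96e93d7e117393172a",
        "ae2d8a571e03ac9c9eb76fac45af8e51",
        "30c81c46a35ce411e5fbc1191a0a52ef",
        "f69f2445df4f9b17ad2b417be66c3710"
    };
    String[] expectedBlocks = {
        "874d6191b620e3261bef6864990db6ce",
        "9806f66b7970fdff8617187bb9fffdff",
        "5ae4df3edbd5d35e5b4f09020db03eab",
        "1e031dda2fbe03d1792170a0f3009cee"
    };

    ByteArrayOutputStream out = new ByteArrayOutputStream();
    // try-with-resources closes the encryption stream even if a write throws, so the
    // cipher output is always flushed or the failure is reported from the write itself.
    try (OutputStream cout = e.createEncryptionStream(out)) {
        for (String block : plaintextBlocks) {
            cout.write(Bytes.fromHex(block));
        }
    }

    ByteArrayInputStream in = new ByteArrayInputStream(out.toByteArray());
    byte[] b = new byte[16];
    for (int i = 0; i < expectedBlocks.length; i++) {
        // readFully fails if fewer than 16 bytes remain, so a short ciphertext is caught too.
        IOUtils.readFully(in, b);
        assertTrue("Failed #" + (i + 1), Bytes.equals(b, Bytes.fromHex(expectedBlocks[i])));
    }
}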
Also used : Configuration(org.apache.hadoop.conf.Configuration) HBaseConfiguration(org.apache.hadoop.hbase.HBaseConfiguration) ByteArrayInputStream(java.io.ByteArrayInputStream) SecretKeySpec(javax.crypto.spec.SecretKeySpec) ByteArrayOutputStream(java.io.ByteArrayOutputStream) OutputStream(java.io.OutputStream) Encryptor(org.apache.hadoop.hbase.io.crypto.Encryptor) Cipher(org.apache.hadoop.hbase.io.crypto.Cipher) ByteArrayOutputStream(java.io.ByteArrayOutputStream) Test(org.junit.Test)

Example 7 with Cipher

use of org.apache.hadoop.hbase.io.crypto.Cipher in project hbase by apache.

the class TestCommonsAES method testAESAlgorithm.

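// Known-answer test for AES in CTR mode with a 128 bit key.
// The key, initial counter block, plaintext and expected ciphertext are the public
// CTR-AES128.Encrypt vectors from NIST Special Publication 800-38A (section F.5.1).
// The key and IV are fixed only so the output is reproducible: in CTR mode, reusing a
// counter block under the same key reuses the keystream, so this pattern belongs in
// tests and nowhere else.
// NOTE(review): nothing in this method selects a cipher provider. Confirm that the
// configuration in effect resolves "AES" to the commons-crypto backed implementation;
// otherwise this run covers the same code path as the default provider.
@Test
public void testAESAlgorithm() throws Exception {
    Configuration conf = HBaseConfiguration.create();
    Cipher aes = Encryption.getCipher(conf, "AES");
    // assertEquals takes (expected, actual); keeping that order makes a failure message
    // report the constant as the expectation and the cipher's answer as the actual value.
    assertEquals(CommonsCryptoAES.KEY_LENGTH, aes.getKeyLength());
    assertEquals(CommonsCryptoAES.IV_LENGTH, aes.getIvLength());
    Encryptor e = aes.getEncryptor();
    e.setKey(new SecretKeySpec(Bytes.fromHex("2b7e151628aed2a6abf7158809cf4f3c"), "AES"));
    e.setIv(Bytes.fromHex("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"));

    // Four 16-byte plaintext blocks and the ciphertext block expected for each.
    String[] plaintextBlocks = {
        "6bc1bee22e409f96e93d7e117393172a",
        "ae2d8a571e03ac9c9eb76fac45af8e51",
        "30c81c46a35ce411e5fbc1191a0a52ef",
        "f69f2445df4f9b17ad2b417be66c3710"
    };
    String[] expectedBlocks = {
        "874d6191b620e3261bef6864990db6ce",
        "9806f66b7970fdff8617187bb9fffdff",
        "5ae4df3edbd5d35e5b4f09020db03eab",
        "1e031dda2fbe03d1792170a0f3009cee"
    };

    ByteArrayOutputStream out = new ByteArrayOutputStream();
    // try-with-resources closes the encryption stream even if a write throws, so the
    // cipher output is always flushed or the failure is reported from the write itself.
    try (OutputStream cout = e.createEncryptionStream(out)) {
        for (String block : plaintextBlocks) {
            cout.write(Bytes.fromHex(block));
        }
    }

    ByteArrayInputStream in = new ByteArrayInputStream(out.toByteArray());
    byte[] b = new byte[16];
    for (int i = 0; i < expectedBlocks.length; i++) {
        // readFully fails if fewer than 16 bytes remain, so a short ciphertext is caught too.
        IOUtils.readFully(in, b);
        assertTrue("Failed #" + (i + 1), Bytes.equals(b, Bytes.fromHex(expectedBlocks[i])));
    }
}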
Also used : HBaseConfiguration(org.apache.hadoop.hbase.HBaseConfiguration) Configuration(org.apache.hadoop.conf.Configuration) ByteArrayInputStream(java.io.ByteArrayInputStream) SecretKeySpec(javax.crypto.spec.SecretKeySpec) OutputStream(java.io.OutputStream) ByteArrayOutputStream(java.io.ByteArrayOutputStream) Encryptor(org.apache.hadoop.hbase.io.crypto.Encryptor) Cipher(org.apache.hadoop.hbase.io.crypto.Cipher) ByteArrayOutputStream(java.io.ByteArrayOutputStream) Test(org.junit.Test)

Example 8 with Cipher

use of org.apache.hadoop.hbase.io.crypto.Cipher in project hbase by apache.

the class EncryptionUtil method unwrapKey.

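/**
 * Unwrap a key by decrypting it with the secret key of the given subject.
 * The configuration must be set up correctly for key alias resolution.
 *
 * <p>{@code value} is parsed as a length-delimited {@code WrappedKey} protobuf message.
 * The cipher used for unwrapping is the one named by
 * {@code HConstants.CRYPTO_KEY_ALGORITHM_CONF_KEY} in {@code conf} (default
 * {@code HConstants.CIPHER_AES}); it is not taken from the wrapped message.
 *
 * @param conf configuration
 * @param subject subject key alias
 * @param value the wrapped (encrypted) key bytes
 * @return the unwrapped key
 * @throws IOException if the wrapped key message cannot be read
 * @throws KeyException if {@code value} contains no wrapped key message, or if the
 *         unwrap step itself reports a key failure
 * @throws RuntimeException if the configured key-wrapping cipher is not available
 */
public static Key unwrapKey(Configuration conf, String subject, byte[] value) throws IOException, KeyException {
    EncryptionProtos.WrappedKey wrappedKey = EncryptionProtos.WrappedKey.PARSER.parseDelimitedFrom(new ByteArrayInputStream(value));
    if (wrappedKey == null) {
        // parseDelimitedFrom returns null when the input is already at end of stream
        // (for example an empty array). Reject it here with a key error instead of
        // letting a null message travel into the unwrap step.
        throw new KeyException("No wrapped key found in the supplied bytes");
    }
    String algorithm = conf.get(HConstants.CRYPTO_KEY_ALGORITHM_CONF_KEY, HConstants.CIPHER_AES);
    Cipher cipher = Encryption.getCipher(conf, algorithm);
    if (cipher == null) {
        throw new RuntimeException("Cipher '" + algorithm + "' not available");
    }
    return getUnwrapKey(conf, subject, wrappedKey, cipher);
}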
Also used : ByteArrayInputStream(java.io.ByteArrayInputStream) Cipher(org.apache.hadoop.hbase.io.crypto.Cipher) EncryptionProtos(org.apache.hadoop.hbase.shaded.protobuf.generated.EncryptionProtos)

Example 9 with Cipher

use of org.apache.hadoop.hbase.io.crypto.Cipher in project hbase by apache.

the class EncryptionUtil method wrapKey.

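/**
 * Protect a key by encrypting it with the secret key of the given subject.
 * The configuration must be set up correctly for key alias resolution.
 *
 * <p>The result is a length-delimited {@code WrappedKey} protobuf message carrying the
 * key's algorithm name, the IV (when the wrapping cipher uses one), the plaintext key
 * length, a hash of the plaintext key bytes, and the encrypted key bytes. The wrapping
 * cipher is the one named by {@code HConstants.CRYPTO_KEY_ALGORITHM_CONF_KEY} in
 * {@code conf} (default {@code HConstants.CIPHER_AES}).
 *
 * @param conf configuration
 * @param subject subject key alias
 * @param key the key
 * @return the encrypted key bytes
 * @throws IOException if encrypting the key or serializing the message fails
 * @throws IllegalArgumentException if {@code key} has no encoded form
 * @throws RuntimeException if the configured key-wrapping cipher is not available
 */
public static byte[] wrapKey(Configuration conf, String subject, Key key) throws IOException {
    // Wrap the key with the configured encryption algorithm.
    String algorithm = conf.get(HConstants.CRYPTO_KEY_ALGORITHM_CONF_KEY, HConstants.CIPHER_AES);
    Cipher cipher = Encryption.getCipher(conf, algorithm);
    if (cipher == null) {
        throw new RuntimeException("Cipher '" + algorithm + "' not available");
    }
    EncryptionProtos.WrappedKey.Builder builder = EncryptionProtos.WrappedKey.newBuilder();
    builder.setAlgorithm(key.getAlgorithm());
    byte[] iv = null;
    if (cipher.getIvLength() > 0) {
        // A new IV is drawn for every wrap operation and stored in the message so the
        // unwrap side can recover it.
        // NOTE(review): RNG is declared outside this excerpt; confirm it is a SecureRandom.
        iv = new byte[cipher.getIvLength()];
        RNG.nextBytes(iv);
        // unsafeWrap shares the array instead of copying it, so iv must not be modified
        // after this point.
        builder.setIv(UnsafeByteOperations.unsafeWrap(iv));
    }
    byte[] keyBytes = key.getEncoded();
    if (keyBytes == null) {
        // Key.getEncoded() returns null for keys that do not support encoding; such a
        // key cannot be wrapped, so fail with a clear message instead of an NPE below.
        throw new IllegalArgumentException("Key with algorithm '" + key.getAlgorithm() + "' has no encoded form and cannot be wrapped");
    }
    builder.setLength(keyBytes.length);
    // The hash is computed over the plaintext key bytes and stored unencrypted in the
    // message. NOTE(review): hash128 is defined outside this excerpt; this is a plain
    // digest of the key and not a keyed MAC, so confirm how the unwrap side relies on it.
    builder.setHash(UnsafeByteOperations.unsafeWrap(Encryption.hash128(keyBytes)));
    ByteArrayOutputStream out = new ByteArrayOutputStream();
    Encryption.encryptWithSubjectKey(out, new ByteArrayInputStream(keyBytes), subject, conf, cipher, iv);
    // toByteArray() copies the ciphertext, so reusing the stream below does not disturb
    // the bytes already handed to the builder.
    builder.setData(UnsafeByteOperations.unsafeWrap(out.toByteArray()));
    // Build and return the protobuf message
    out.reset();
    builder.build().writeDelimitedTo(out);
    return out.toByteArray();
}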
Also used : ByteArrayInputStream(java.io.ByteArrayInputStream) Cipher(org.apache.hadoop.hbase.io.crypto.Cipher) ByteArrayOutputStream(java.io.ByteArrayOutputStream)

Example 10 with Cipher

use of org.apache.hadoop.hbase.io.crypto.Cipher in project hbase by apache.

the class EncryptionUtil method createEncryptionContext.

/**
 * Helper to create an encryption context.
 *
 * <p>A family with no encryption type yields {@code Encryption.Context.NONE}. Otherwise
 * the context gets a cipher and a key: the family's own wrapped key when it carries one,
 * or a freshly generated random key when it does not. Nothing in this method wraps or
 * stores a generated key; that is left to the caller.
 *
 * @param conf The current configuration.
 * @param family The current column descriptor.
 * @return The created encryption context.
 * @throws IOException if an encryption key for the column cannot be unwrapped
 * @throws RuntimeException if the required cipher is not available, or if the family's
 *         encryption type disagrees with the algorithm of its wrapped key
 */
public static Encryption.Context createEncryptionContext(Configuration conf, HColumnDescriptor family) throws IOException {
    String familyCipherName = family.getEncryptionType();
    if (familyCipherName == null) {
        // No encryption configured for this family.
        return Encryption.Context.NONE;
    }

    final Cipher selectedCipher;
    final Key selectedKey;
    byte[] wrappedKeyBytes = family.getEncryptionKey();
    if (wrappedKeyBytes == null) {
        // Family does not provide key material, create a random key
        selectedCipher = Encryption.getCipher(conf, familyCipherName);
        if (selectedCipher == null) {
            throw new RuntimeException("Cipher '" + familyCipherName + "' is not available");
        }
        selectedKey = selectedCipher.getRandomKey();
    } else {
        // Family provides specific key material
        selectedKey = unwrapKey(conf, wrappedKeyBytes);
        // Use the algorithm the key wants
        selectedCipher = Encryption.getCipher(conf, selectedKey.getAlgorithm());
        if (selectedCipher == null) {
            throw new RuntimeException("Cipher '" + selectedKey.getAlgorithm() + "' is not available");
        }
        // Fail on misconfiguration: the encryption type declared on the family must
        // match (ignoring case) the cipher resolved from the wrapped key's algorithm.
        boolean typeMatchesKey = selectedCipher.getName().equalsIgnoreCase(familyCipherName);
        if (!typeMatchesKey) {
            throw new RuntimeException("Encryption for family '" + family.getNameAsString() + "' configured with type '" + familyCipherName + "' but key specifies algorithm '" + selectedCipher.getName() + "'");
        }
    }

    Encryption.Context context = Encryption.newContext(conf);
    context.setCipher(selectedCipher);
    context.setKey(selectedKey);
    return context;
}
Also used : Encryption(org.apache.hadoop.hbase.io.crypto.Encryption) Cipher(org.apache.hadoop.hbase.io.crypto.Cipher) Key(java.security.Key)
