This is an automated email from the ASF dual-hosted git repository. mehul pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push: new 50d8f2f RANGER-2537 : Ranger KMS having wrong bit length and version in DB after after export / import within keystore file 50d8f2f is described below commit 50d8f2fa8ce564cea522c95b97a17421edb7fcd9 Author: Dhaval B. Shah <dhavalshah9...@gmail.com> AuthorDate: Tue Oct 15 16:39:47 2019 +0530 RANGER-2537 : Ranger KMS having wrong bit length and version in DB after after export / import within keystore file Signed-off-by: Mehul Parikh <me...@apache.org> --- .../apache/hadoop/crypto/key/RangerKeyStore.java | 74 ++++++++++++++++------ .../hadoop/crypto/key/RangerKeyStoreProvider.java | 2 +- 2 files changed, 57 insertions(+), 19 deletions(-) diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java index f3d7c20..b9e7cb2 100644 --- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java +++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java @@ -750,8 +750,7 @@ public class RangerKeyStore extends KeyStoreSpi { Metadata metadata = (Metadata) f.get(keyMetadata); entry.bit_length = metadata.getBitLength(); entry.cipher_field = metadata.getAlgorithm(); - entry.version = (alias.split("@").length == 2) ? (Integer - .parseInt(alias.split("@")[1])) : 0; + entry.version = metadata.getVersions(); Constructor<RangerKeyStoreProvider.KeyMetadata> constructor = RangerKeyStoreProvider.KeyMetadata.class .getDeclaredConstructor(Metadata.class); constructor.setAccessible(true); @@ -761,17 +760,43 @@ public class RangerKeyStore extends KeyStoreSpi { secretKey = new SecretKeySpec(k.getEncoded(), getAlgorithm(metadata.getAlgorithm())); } else if (k instanceof KeyByteMetadata) { - Metadata m = ((KeyByteMetadata) k).metadata; - byte[] encodedKey = ((KeyByteMetadata) k) - .getEncoded(); - entry.cipher_field = m.getCipher(); - entry.version = m.getVersions(); - entry.bit_length = m.getBitLength(); - if (encodedKey != null && encodedKey.length > 0) { - secretKey = new SecretKeySpec(encodedKey, - m.getAlgorithm()); + Metadata metadata = ((KeyByteMetadata) k).metadata; + entry.cipher_field = metadata.getCipher(); + entry.version = metadata.getVersions(); + entry.bit_length = metadata.getBitLength(); + if (k.getEncoded() != null && k.getEncoded().length > 0) { + secretKey = new SecretKeySpec(k.getEncoded(), + getAlgorithm(metadata.getAlgorithm())); + } else { + KeyGenerator keyGenerator = KeyGenerator + .getInstance(getAlgorithm(metadata.getCipher())); + keyGenerator.init(metadata.getBitLength()); + byte[] keyByte = keyGenerator.generateKey().getEncoded(); + secretKey = new SecretKeySpec(keyByte, + getAlgorithm(metadata.getCipher())); } - } else { + } else if (k instanceof KeyMetadata) { + Metadata metadata = ((KeyMetadata) k).metadata; + entry.bit_length = metadata.getBitLength(); + entry.cipher_field = metadata.getCipher(); + entry.version = metadata.getVersions(); + + if (k.getEncoded() != null + && k.getEncoded().length > 0) { + secretKey = new SecretKeySpec(k.getEncoded(), + getAlgorithm(metadata.getAlgorithm())); + } else { + KeyGenerator keyGenerator = KeyGenerator + .getInstance(getAlgorithm(metadata + .getCipher())); + keyGenerator.init(metadata.getBitLength()); + byte[] keyByte = keyGenerator.generateKey() + .getEncoded(); + secretKey = new SecretKeySpec(keyByte, + getAlgorithm(metadata.getCipher())); + } + + }else { entry.bit_length = (k.getEncoded().length * NUMBER_OF_BITS_PER_BYTE); entry.cipher_field = k.getAlgorithm(); if (alias.split("@").length == 2) { @@ -797,7 +822,7 @@ public class RangerKeyStore extends KeyStoreSpi { + ks.getType(); deltaEntries.put(alias, entry); } - } catch (Exception t) { + } catch (Throwable t) { logger.error("Unable to load keystore file ", t); throw new IOException(t); } @@ -820,15 +845,23 @@ public class RangerKeyStore extends KeyStoreSpi { Metadata metadata = (Metadata) f.get(keyMetadata); entry.bit_length = metadata.getBitLength(); entry.cipher_field = metadata.getAlgorithm(); + entry.version = metadata.getVersions(); Constructor<RangerKeyStoreProvider.KeyMetadata> constructor = RangerKeyStoreProvider.KeyMetadata.class .getDeclaredConstructor(Metadata.class); constructor.setAccessible(true); RangerKeyStoreProvider.KeyMetadata nk = constructor .newInstance(metadata); k = nk; + } else if (k instanceof KeyMetadata) { + Metadata metadata = ((KeyMetadata) k).metadata; + entry.bit_length = metadata.getBitLength(); + entry.cipher_field = metadata.getCipher(); + entry.version = metadata.getVersions(); } else { entry.bit_length = (k.getEncoded().length * NUMBER_OF_BITS_PER_BYTE); entry.cipher_field = k.getAlgorithm(); + entry.version = (alias.split("@").length == 2) ? (Integer + .parseInt(alias.split("@")[1]) + 1) : 1; } String keyName = alias.split("@")[0]; validateKeyName(keyName); @@ -857,8 +890,6 @@ public class RangerKeyStore extends KeyStoreSpi { } entry.date = ks.getCreationDate(alias); - entry.version = (alias.split("@").length == 2) ? (Integer - .parseInt(alias.split("@")[1])) : 0; entry.description = k.getFormat() + " - " + ks.getType(); deltaEntries.put(alias, entry); @@ -892,9 +923,16 @@ public class RangerKeyStore extends KeyStoreSpi { alias = e.nextElement(); if(azureKeyVaultEnabled){ key = engineGetDecryptedZoneKey(alias); - }else{ - key = engineGetKey(alias, masterKey); - } + } else { + key = engineGetKey(alias, masterKey); + if (key instanceof KeyMetadata) { + Metadata meta = ((KeyMetadata) key).metadata; + if (meta != null) { + key = new KeyMetadata(meta); + } + } + + } ks.setKeyEntry(alias, key, keyPass, null); } diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java index 1792bc4..7473871 100755 --- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java +++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java @@ -672,7 +672,7 @@ public class RangerKeyStoreProvider extends KeyProvider { Metadata metadata; private final static long serialVersionUID = 8405872419967874451L; - private KeyMetadata(Metadata meta) { + protected KeyMetadata(Metadata meta) { this.metadata = meta; }