Author: tucu Date: Thu Aug 21 18:59:46 2014 New Revision: 1619544 URL: http://svn.apache.org/r1619544 Log: HADOOP-10937. Need to set version name correctly before decrypting EEK. Contributed by Arun Suresh.
Conflicts: hadoop-common-project/hadoop-common/CHANGES.txt Modified: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/CHANGES.txt hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderCryptoExtension.java Modified: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/CHANGES.txt URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/CHANGES.txt?rev=1619544&r1=1619543&r2=1619544&view=diff ============================================================================== --- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/CHANGES.txt (original) +++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/CHANGES.txt Thu Aug 21 18:59:46 2014 
@@ -282,6 +282,9 @@ Release 2.6.0 - UNRELEASED HADOOP-10920. site plugin couldn't parse hadoop-kms index.apt.vm. (Akira Ajisaka via wang) + HADOOP-10937. Need to set version name correctly before decrypting EEK. + (Arun Suresh via wang) + Release 2.5.0 - 2014-08-11 INCOMPATIBLE CHANGES Modified: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java?rev=1619544&r1=1619543&r2=1619544&view=diff ============================================================================== --- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java (original) +++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java Thu Aug 21 18:59:46 2014 @@ -21,11 +21,13 @@ package org.apache.hadoop.crypto.key; import java.io.IOException; import java.security.GeneralSecurityException; import java.security.SecureRandom; + import javax.crypto.Cipher; import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.SecretKeySpec; import com.google.common.base.Preconditions; + import org.apache.hadoop.classification.InterfaceAudience; /** @@ -97,7 +99,7 @@ public class KeyProviderCryptoExtension public static EncryptedKeyVersion createForDecryption(String encryptionKeyVersionName, byte[] encryptedKeyIv, byte[] encryptedKeyMaterial) { - KeyVersion encryptedKeyVersion = new KeyVersion(null, null, + KeyVersion encryptedKeyVersion = new KeyVersion(null, EEK, encryptedKeyMaterial); return new EncryptedKeyVersion(null, encryptionKeyVersionName, encryptedKeyIv, encryptedKeyVersion); 
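Review bot: `createForDecryption` in the `@@ -97,7 +99,7 @@` hunk passes `encryptionKeyVersionName`, `encryptedKeyIv` and `encryptedKeyMaterial` straight into the constructors without checking them. No validation is visible in the factory body, and whether the constructors validate cannot be seen from this hunk. Since this factory is the entry point for rebuilding an encrypted key from externally stored fields, consider failing fast with `Preconditions.checkNotNull(encryptedKeyIv, "encryptedKeyIv");` and matching checks for the other two arguments. A short Javadoc line would also help, stating that the inner KeyVersion is tagged `EEK` and that the key name is left null. The closing brace of the method lies outside the hunk.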
@@ -258,6 +260,13 @@ public class KeyProviderCryptoExtension keyProvider.getKeyVersion(encryptionKeyVersionName); Preconditions.checkNotNull(encryptionKey, "KeyVersion name '%s' does not exist", encryptionKeyVersionName); + Preconditions.checkArgument( + encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() + .equals(KeyProviderCryptoExtension.EEK), + "encryptedKey version name must be '%s', is '%s'", + KeyProviderCryptoExtension.EEK, + encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() + ); final byte[] encryptionKeyMaterial = encryptionKey.getMaterial(); // Encryption key IV is determined from encrypted key's IV final byte[] encryptionIV = Modified: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java?rev=1619544&r1=1619543&r2=1619544&view=diff ============================================================================== --- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java (original) +++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java Thu Aug 21 18:59:46 2014 
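Review bot: The added `Preconditions.checkArgument` in the `@@ -258,6 +260,13 @@` hunk of KeyProviderCryptoExtension.java calls `.equals` on the result of `getVersionName()`. An encrypted key whose inner version name is null, which is what `createForDecryption` produced before this commit, therefore fails with a NullPointerException instead of the intended "encryptedKey version name must be" message. Reversing the comparison to `KeyProviderCryptoExtension.EEK.equals(encryptedKeyVersion.getEncryptedKeyVersion().getVersionName())` still rejects the input but reports it as an IllegalArgumentException. The same expression appears in the KMSClientProvider.java hunk. The check also runs after the `keyProvider.getKeyVersion` lookup, so moving it ahead would reject a malformed argument before the provider is consulted. The enclosing method starts and ends outside the hunk.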
@@ -653,7 +653,7 @@ public class KMSClientProvider extends K encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() .equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', is '%s'", - KeyProviderCryptoExtension.EK, + KeyProviderCryptoExtension.EEK, encryptedKeyVersion.getEncryptedKeyVersion().getVersionName() ); checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey"); Modified: hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderCryptoExtension.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderCryptoExtension.java?rev=1619544&r1=1619543&r2=1619544&view=diff ============================================================================== --- hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderCryptoExtension.java (original) +++ hadoop/common/branches/branch-2/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderCryptoExtension.java Thu Aug 21 18:59:46 2014 @@ -26,10 +26,10 @@ import javax.crypto.spec.IvParameterSpec import javax.crypto.spec.SecretKeySpec; import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion; import org.junit.BeforeClass; import org.junit.Test; - import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion; import static org.junit.Assert.assertArrayEquals; import static org.junit.Assert.assertEquals; 
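Review bot: In the KMSClientProvider.java hunk, `checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");` comes after the `checkArgument` that already dereferences `getEncryptedKeyVersion()`, so the null check can never fire for a null inner key. That case surfaces as a bare NullPointerException from the argument expression instead of the named error. Moving the `checkNotNull` line above the `checkArgument` call would make the two checks work as intended. The enclosing method starts and ends outside the hunk.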
@@ -118,8 +118,15 @@ public class TestKeyProviderCryptoExtens new IvParameterSpec(KeyProviderCryptoExtension.EncryptedKeyVersion .deriveIV(encryptedKeyIv))); final byte[] manualMaterial = cipher.doFinal(encryptedKeyMaterial); + + // Test the createForDecryption factory method + EncryptedKeyVersion eek2 = + EncryptedKeyVersion.createForDecryption( + eek.getEncryptionKeyVersionName(), eek.getEncryptedKeyIv(), + eek.getEncryptedKeyVersion().getMaterial()); + // Decrypt it with the API - KeyVersion decryptedKey = kpExt.decryptEncryptedKey(eek); + KeyVersion decryptedKey = kpExt.decryptEncryptedKey(eek2); final byte[] apiMaterial = decryptedKey.getMaterial(); assertArrayEquals("Wrong key material from decryptEncryptedKey",
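Review bot: The test change in the `@@ -118,8 +118,15 @@` hunk covers only the accepting path. It rebuilds `eek2` through `createForDecryption` and decrypts it, but nothing visible here exercises the new rejection in `decryptEncryptedKey`. A companion case should pass an EncryptedKeyVersion whose inner version name is not `EEK` and expect an IllegalArgumentException, which would pin the check this commit adds. Replacing `eek` with `eek2` in `kpExt.decryptEncryptedKey(...)` also means the object returned by the generate call is no longer decrypted directly in this hunk. If no other test covers that, keep both calls and assert that they yield the same material. The test method starts and ends outside the hunk.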