[GitHub] [hadoop] iwasakims edited a comment on pull request #2847: HADOOP-17609. Make SM4 support optional for OpenSSL native code.

2021-04-01 Thread GitBox


iwasakims edited a comment on pull request #2847:
URL: https://github.com/apache/hadoop/pull/2847#issuecomment-811652915


   OpensslAesCtrCryptoCodec is used for 'AES/CTR/NoPadding':
   ```
   $ bin/hadoop key create key-aes -cipher 'AES/CTR/NoPadding'
   $ bin/hdfs dfs -mkdir /zone-aes
   $ bin/hdfs crypto -createZone -path /zone-aes -keyName key-aes
   $ bin/hdfs dfs -put README.txt /zone-aes/
   2021-04-01 05:23:37,755 DEBUG util.NativeCodeLoader: Trying to load the custom-built native-hadoop library...
   2021-04-01 05:23:37,756 DEBUG util.NativeCodeLoader: Loaded the native-hadoop library
   2021-04-01 05:23:38,457 DEBUG util.PerformanceAdvisory: Both short-circuit local reads and UNIX domain socket are disabled.
   2021-04-01 05:23:39,072 DEBUG crypto.OpensslAesCtrCryptoCodec: Using org.apache.hadoop.crypto.random.OpensslSecureRandom as random number generator.
   2021-04-01 05:23:39,073 DEBUG util.PerformanceAdvisory: Using crypto codec org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec.
   ...
   
   $ bin/hdfs dfs -cat /zone-aes/README.txt
   2021-04-01 05:23:52,844 DEBUG util.NativeCodeLoader: Trying to load the custom-built native-hadoop library...
   2021-04-01 05:23:52,845 DEBUG util.NativeCodeLoader: Loaded the native-hadoop library
   2021-04-01 05:23:53,549 DEBUG util.PerformanceAdvisory: Both short-circuit local reads and UNIX domain socket are disabled.
   2021-04-01 05:23:54,084 DEBUG kms.KMSClientProvider: KMSClientProvider created for KMS url: http://localhost:9600/kms/v1/ delegation token service: kms://http@localhost:9600/kms canonical service: 127.0.0.1:9600.
   2021-04-01 05:23:54,087 DEBUG kms.LoadBalancingKMSClientProvider: Created LoadBalancingKMSClientProvider for KMS url: kms://http@localhost:9600/kms with 1 providers. delegation token service: kms://http@localhost:9600/kms, canonical service: 127.0.0.1:9600
   2021-04-01 05:23:54,111 DEBUG crypto.OpensslAesCtrCryptoCodec: Using org.apache.hadoop.crypto.random.OpensslSecureRandom as random number generator.
   2021-04-01 05:23:54,111 DEBUG util.PerformanceAdvisory: Using crypto codec org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec.
   ...
   For the latest information about Hadoop, please visit our website at:
   
  http://hadoop.apache.org/
   
   and our wiki, at:
   
   $ bin/hadoop checknative 2>/dev/null
   Native library checking:
   hadoop:  true /home/centos/dist/hadoop-3.4.0-SNAPSHOT-HADOOP-17609/lib/native/libhadoop.so.1.0.0
   zlib:    true /lib64/libz.so.1
   zstd  :  true /lib64/libzstd.so.1
   bzip2:   true /lib64/libbz2.so.1
   openssl: true /lib64/libcrypto.so
   ISA-L:   true /lib64/libisal.so.2
   PMDK:    false The native code was built without PMDK support.
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org



[GitHub] [hadoop] iwasakims edited a comment on pull request #2847: HADOOP-17609. Make SM4 support optional for OpenSSL native code.

2021-03-31 Thread GitBox


iwasakims edited a comment on pull request #2847:
URL: https://github.com/apache/hadoop/pull/2847#issuecomment-811597921


   I manually tested the fix on CentOS 8 with bcprov-ext-jdk15on-168.jar set up based on [the comment of HDFS-15098](https://issues.apache.org/jira/browse/HDFS-15098?focusedCommentId=17112893&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17112893). OpensslCipher is available but SM4 is not supported. `hadoop key create key1 -cipher 'SM4/CTR/NoPadding'` worked (by falling back from OpensslSm4CtrCryptoCodec to JceSm4CtrCryptoCodec).
   
   ```
   $ grep Bouncy /usr/lib/jvm/java-1.8.0-openjdk/jre/lib/security/java.security
   security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
   
   $ bin/hadoop checknative 2>/dev/null
   Native library checking:
   hadoop:  true /home/centos/dist/hadoop-3.4.0-SNAPSHOT-HADOOP-17609/lib/native/libhadoop.so.1.0.0
   zlib:    true /lib64/libz.so.1
   zstd  :  true /lib64/libzstd.so.1
   bzip2:   true /lib64/libbz2.so.1
   openssl: true /lib64/libcrypto.so
   ISA-L:   true /lib64/libisal.so.2
   PMDK:    false The native code was built without PMDK support.
   
   $ bin/hadoop --daemon start kms
   $ bin/hadoop key create key1 -cipher 'SM4/CTR/NoPadding'
   2021-04-01 02:38:10,276 DEBUG kms.KMSClientProvider: KMSClientProvider created for KMS url: http://localhost:9600/kms/v1/ delegation token service: kms://http@localhost:9600/kms canonical service: 127.0.0.1:9600.
   2021-04-01 02:38:10,288 DEBUG kms.LoadBalancingKMSClientProvider: Created LoadBalancingKMSClientProvider for KMS url: kms://http@localhost:9600/kms with 1 providers. delegation token service: kms://http@localhost:9600/kms, canonical service: 127.0.0.1:9600
   2021-04-01 02:38:10,447 DEBUG kms.KMSClientProvider: Current UGI: centos (auth:SIMPLE)
   2021-04-01 02:38:10,450 DEBUG kms.KMSClientProvider: Login UGI: centos (auth:SIMPLE)
   key1 has been successfully created with options Options{cipher='SM4/CTR/NoPadding', bitLength=128, description='null', attributes=null}.
   org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@41e1e210 has been updated.
   ```
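
Added example (not part of the original comments and not Hadoop project code): a shell helper that reads client DEBUG output like the logs quoted in this thread and reports whether the selected crypto codec is OpenSSL-backed or the JCE fallback. The `JceSm4CtrCryptoCodec` log line is constructed on the assumption that the fallback codec is logged with the same "Using crypto codec" message; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Hadoop code. Function names are hypothetical.

# Quoted from the thread, wrapped the way the mail archive wraps it.
SAMPLE_AES='2021-04-01 05:23:39,072 DEBUG crypto.OpensslAesCtrCryptoCodec: Using
org.apache.hadoop.crypto.random.OpensslSecureRandom as random number generator.
2021-04-01 05:23:39,073 DEBUG util.PerformanceAdvisory: Using crypto codec
org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec.'

# Constructed line: assumes the JCE fallback is logged in the same format.
SAMPLE_SM4_FALLBACK='2021-04-01 00:00:00,000 DEBUG util.PerformanceAdvisory: Using crypto codec org.apache.hadoop.crypto.JceSm4CtrCryptoCodec.'

# codecs_used: read DEBUG output on stdin; for each "Using crypto codec
# <class>." message print "<backend> <class>", where backend is
# native-openssl (Openssl* classes), jce (Jce* classes) or unknown.
codecs_used() {
  # Archived logs may be wrapped between "codec" and the class name,
  # so join all lines and squeeze spaces before matching.
  tr '\n' ' ' | tr -s ' ' |
    grep -o 'Using crypto codec [A-Za-z0-9_.$]*' |
    sed -e 's/^Using crypto codec //' -e 's/\.$//' |
    while read -r cls; do
      case "${cls##*.}" in
        Openssl*) echo "native-openssl $cls" ;;
        Jce*)     echo "jce $cls" ;;
        *)        echo "unknown $cls" ;;
      esac
    done
}

# require_native: exit 0 only if every selected codec is OpenSSL-backed,
# 1 if any other codec was selected, 2 if no codec message was found
# (for example because DEBUG logging was not enabled).
require_native() {
  out=$(codecs_used)
  [ -n "$out" ] || return 2
  ! printf '%s\n' "$out" | grep -qv '^native-openssl '
}

# Stand-alone demo on the embedded samples.
printf '%s\n' "$SAMPLE_AES" | codecs_used
printf '%s\n' "$SAMPLE_SM4_FALLBACK" | require_native || echo "non-native codec selected"
```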
   

