/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.crypto.key;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import static org.apache.hadoop.crypto.key.KeyProvider.KeyVersion;
import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.fail;
public class TestKeyProviderCryptoExtension {
private static final String CIPHER = "AES";
private static final String ENCRYPTION_KEY_NAME = "fooKey";
private static Configuration conf;
private static KeyProvider kp;
private static KeyProviderCryptoExtension kpExt;
private static KeyProvider.Options options;
private static KeyVersion encryptionKey;
@BeforeClass
public static void setup() throws Exception {
conf = new Configuration();
kp = new UserProvider.Factory().createProvider(new URI("user:///"), conf);
kpExt = KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp);
options = new KeyProvider.Options(conf);
options.setCipher(CIPHER);
options.setBitLength(128);
encryptionKey =
kp.createKey(ENCRYPTION_KEY_NAME, SecureRandom.getSeed(16), options);
}
@Test
public void testGenerateEncryptedKey() throws Exception {
// Generate a new EEK and check it
KeyProviderCryptoExtension.EncryptedKeyVersion ek1 =
kpExt.generateEncryptedKey(encryptionKey.getName());
assertEquals("Version name of EEK should be EEK",
KeyProviderCryptoExtension.EEK,
ek1.getEncryptedKeyVersion().getVersionName());
assertEquals("Name of EEK should be encryption key name",
ENCRYPTION_KEY_NAME, ek1.getEncryptionKeyName());
assertNotNull("Expected encrypted key material",
ek1.getEncryptedKeyVersion().getMaterial());
assertEquals("Length of encryption key material and EEK material should "
+ "be the same", encryptionKey.getMaterial().length,
ek1.getEncryptedKeyVersion().getMaterial().length
);
// Decrypt EEK into an EK and check it
KeyVersion k1 = kpExt.decryptEncryptedKey(ek1);
assertEquals(KeyProviderCryptoExtension.EK, k1.getVersionName());
assertEquals(encryptionKey.getMaterial().length, k1.getMaterial().length);
if (Arrays.equals(k1.getMaterial(), encryptionKey.getMaterial())) {
fail("Encrypted key material should not equal encryption key material");
}
if (Arrays.equals(ek1.getEncryptedKeyVersion().getMaterial(),
encryptionKey.getMaterial())) {
fail("Encrypted key material should not equal decrypted key material");
}
// Decrypt it again and it should be the same
KeyVersion k1a = kpExt.decryptEncryptedKey(ek1);
assertArrayEquals(k1.getMaterial(), k1a.getMaterial());
// Generate another EEK and make sure it's different from the first
KeyProviderCryptoExtension.EncryptedKeyVersion ek2 =
kpExt.generateEncryptedKey(encryptionKey.getName());
KeyVersion k2 = kpExt.decryptEncryptedKey(ek2);
if (Arrays.equals(k1.getMaterial(), k2.getMaterial())) {
fail("Generated EEKs should have different material!");
}
if (Arrays.equals(ek1.getEncryptedKeyIv(), ek2.getEncryptedKeyIv())) {
fail("Generated EEKs should have different IVs!");
}
}
@Test
public void testEncryptDecrypt() throws Exception {
// Get an EEK
KeyProviderCryptoExtension.EncryptedKeyVersion eek =
kpExt.generateEncryptedKey(encryptionKey.getName());
final byte[] encryptedKeyIv = eek.getEncryptedKeyIv();
final byte[] encryptedKeyMaterial = eek.getEncryptedKeyVersion()
.getMaterial();
// Decrypt it manually
Cipher cipher = Cipher.getInstance("AES/CTR/NoPadding");
cipher.init(Cipher.DECRYPT_MODE,
new SecretKeySpec(encryptionKey.getMaterial(), "AES"),
new IvParameterSpec(KeyProviderCryptoExtension.EncryptedKeyVersion
.deriveIV(encryptedKeyIv)));
final byte[] manualMaterial = cipher.doFinal(encryptedKeyMaterial);
// Test the createForDecryption factory method
EncryptedKeyVersion eek2 =
EncryptedKeyVersion.createForDecryption(eek.getEncryptionKeyName(),
eek.getEncryptionKeyVersionName(), eek.getEncryptedKeyIv(),
eek.getEncryptedKeyVersion().getMaterial());
// Decrypt it with the API
KeyVersion decryptedKey = kpExt.decryptEncryptedKey(eek2);
final byte[] apiMaterial = decryptedKey.getMaterial();
assertArrayEquals("Wrong key material from decryptEncryptedKey",
manualMaterial, apiMaterial);
}
@Test
public void testNonDefaultCryptoExtensionSelectionWithCachingKeyProvider()
throws Exception {
Configuration config = new Configuration();
KeyProvider localKp = new DummyCryptoExtensionKeyProvider(config);
localKp = new CachingKeyProvider(localKp, 30000, 30000);
EncryptedKeyVersion localEkv = getEncryptedKeyVersion(config, localKp);
Assert.assertEquals("dummyFakeKey@1",
localEkv.getEncryptionKeyVersionName());
}
@Test
public void testDefaultCryptoExtensionSelectionWithCachingKeyProvider()
throws Exception {
Configuration config = new Configuration();
KeyProvider localKp =
new UserProvider.Factory().
createProvider(new URI("user:///"), config);
localKp = new CachingKeyProvider(localKp, 30000, 30000);
EncryptedKeyVersion localEkv = getEncryptedKeyVersion(config, localKp);
Assert.assertEquals(ENCRYPTION_KEY_NAME+"@0",
localEkv.getEncryptionKeyVersionName());
}
@Test
public void testNonDefaultCryptoExtensionSelectionOnKeyProviderExtension()
throws Exception {
Configuration config = new Configuration();
KeyProvider localKp = new UserProvider.Factory().
createProvider(new URI("user:///"), config);
localKp = new DummyCachingCryptoExtensionKeyProvider(localKp, 30000, 30000);
EncryptedKeyVersion localEkv = getEncryptedKeyVersion(config, localKp);
Assert.assertEquals("dummyCachingFakeKey@1",
localEkv.getEncryptionKeyVersionName());
}
private EncryptedKeyVersion getEncryptedKeyVersion(Configuration config,
KeyProvider localKp)
throws IOException, GeneralSecurityException {
KeyProvider.Options localOptions = new KeyProvider.Options(config);
localOptions.setCipher(CIPHER);
localOptions.setBitLength(128);
KeyVersion localEncryptionKey =
localKp.createKey(ENCRYPTION_KEY_NAME,
SecureRandom.getSeed(16), localOptions);
KeyProviderCryptoExtension localKpExt =
KeyProviderCryptoExtension.
createKeyProviderCryptoExtension(localKp);
return localKpExt.generateEncryptedKey(localEncryptionKey.getName());
}
/**
* Dummy class to test that this key provider is chosen to
* provide CryptoExtension services over the DefaultCryptoExtension.
*/
public class DummyCryptoExtensionKeyProvider extends KeyProvider
implements KeyProviderCryptoExtension.CryptoExtension {
private KeyProvider kp;
private KeyVersion kv;
private EncryptedKeyVersion ekv;
public DummyCryptoExtensionKeyProvider(Configuration conf) {
super(conf);
conf = new Configuration();
try {
this.kp = new UserProvider.Factory().createProvider(
new URI("user:///"), conf);
this.kv = new KeyVersion(ENCRYPTION_KEY_NAME,
"dummyFakeKey@1", new byte[16]);
this.ekv = new EncryptedKeyVersion(ENCRYPTION_KEY_NAME,
"dummyFakeKey@1", new byte[16], kv);
} catch (URISyntaxException e) {
fail(e.getMessage());
} catch (IOException e) {
fail(e.getMessage());
}
}
@Override
public void warmUpEncryptedKeys(String... keyNames) throws IOException {
}
@Override
public void drain(String keyName) {
}
@Override
public EncryptedKeyVersion generateEncryptedKey(String encryptionKeyName)
throws IOException, GeneralSecurityException {
return this.ekv;
}
@Override
public KeyVersion decryptEncryptedKey(
EncryptedKeyVersion encryptedKeyVersion)
throws IOException, GeneralSecurityException {
return kv;
}
@Override
public KeyVersion getKeyVersion(String versionName)
throws IOException {
return this.kp.getKeyVersion(versionName);
}
@Override
public List<String> getKeys() throws IOException {
return this.kp.getKeys();
}
@Override
public List<KeyVersion> getKeyVersions(String name)
throws IOException {
return this.kp.getKeyVersions(name);
}
@Override
public Metadata getMetadata(String name)
throws IOException {
return this.kp.getMetadata(name);
}
@Override
public KeyVersion createKey(String name, byte[] material,
Options localOptions) throws IOException {
return this.kp.createKey(name, material, localOptions);
}
@Override
public void deleteKey(String name) throws IOException {
this.kp.deleteKey(name);
}
@Override
public KeyVersion rollNewVersion(String name,
byte[] material) throws IOException {
return this.kp.rollNewVersion(name, material);
}
@Override
public void flush() throws IOException {
this.kp.flush();
}
}
/**
* Dummy class to verify that CachingKeyProvider is used to
* provide CryptoExtension services if the CachingKeyProvider itself
* implements CryptoExtension.
*/
public class DummyCachingCryptoExtensionKeyProvider
extends CachingKeyProvider
implements KeyProviderCryptoExtension.CryptoExtension {
private KeyProvider kp;
private KeyVersion kv;
private EncryptedKeyVersion ekv;
public DummyCachingCryptoExtensionKeyProvider(KeyProvider keyProvider,
long keyTimeoutMillis,
long currKeyTimeoutMillis) {
super(keyProvider, keyTimeoutMillis, currKeyTimeoutMillis);
conf = new Configuration();
try {
this.kp = new UserProvider.Factory().createProvider(
new URI("user:///"), conf);
this.kv = new KeyVersion(ENCRYPTION_KEY_NAME,
"dummyCachingFakeKey@1", new byte[16]);
this.ekv = new EncryptedKeyVersion(ENCRYPTION_KEY_NAME,
"dummyCachingFakeKey@1", new byte[16], kv);
} catch (URISyntaxException e) {
fail(e.getMessage());
} catch (IOException e) {
fail(e.getMessage());
}
}
@Override
public void warmUpEncryptedKeys(String... keyNames) throws IOException {
}
@Override
public void drain(String keyName) {
}
@Override
public EncryptedKeyVersion generateEncryptedKey(String encryptionKeyName)
throws IOException, GeneralSecurityException {
return this.ekv;
}
@Override
public KeyVersion decryptEncryptedKey(
EncryptedKeyVersion encryptedKeyVersion)
throws IOException, GeneralSecurityException {
return kv;
}
}
}