This is an automated email from the ASF dual-hosted git repository.
gabor pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/parquet-mr.git
The following commit(s) were added to refs/heads/master by this push:
new c6187e8 PARQUET-1940: KEK length configuration (#838)
c6187e8 is described below
commit c6187e8d50a241ff83bb364526658d5ddce34b34
Author: ggershinsky <[email protected]>
AuthorDate: Thu Nov 12 18:01:33 2020 +0200
PARQUET-1940: KEK length configuration (#838)
---
parquet-hadoop/README.md | 6 ++++++
.../apache/parquet/crypto/keytools/FileKeyWrapper.java | 15 ++++++++++++---
.../org/apache/parquet/crypto/keytools/KeyToolkit.java | 6 ++++++
3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/parquet-hadoop/README.md b/parquet-hadoop/README.md
index ca7aa48..87beeb9 100644
--- a/parquet-hadoop/README.md
+++ b/parquet-hadoop/README.md
@@ -436,3 +436,9 @@ If `false`, key material is stored in separate new files,
created in the same fo
**Description:** Length of data encryption keys (DEKs), randomly generated by
parquet key management tools. Can be 128, 192 or 256 bits.
**Default value:** `128`
+---
+
+**Property:** `parquet.encryption.kek.length.bits`
+**Description:** Length of key encryption keys (KEKs), randomly generated by
parquet key management tools. Can be 128, 192 or 256 bits.
+**Default value:** `128`
+
diff --git
a/parquet-hadoop/src/main/java/org/apache/parquet/crypto/keytools/FileKeyWrapper.java
b/parquet-hadoop/src/main/java/org/apache/parquet/crypto/keytools/FileKeyWrapper.java
index 4886019..d6d6d77 100644
---
a/parquet-hadoop/src/main/java/org/apache/parquet/crypto/keytools/FileKeyWrapper.java
+++
b/parquet-hadoop/src/main/java/org/apache/parquet/crypto/keytools/FileKeyWrapper.java
@@ -21,6 +21,7 @@ package org.apache.parquet.crypto.keytools;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
+import java.util.Arrays;
import java.util.concurrent.ConcurrentMap;
import org.apache.hadoop.conf.Configuration;
@@ -35,7 +36,7 @@ import static
org.apache.parquet.crypto.keytools.KeyToolkit.KEK_WRITE_CACHE_PER_
public class FileKeyWrapper {
private static final Logger LOG =
LoggerFactory.getLogger(FileKeyWrapper.class);
- public static final int KEK_LENGTH = 16;
+ private static final int[] ACCEPTABLE_KEK_LENGTHS = {128, 192, 256};
public static final int KEK_ID_LENGTH = 16;
// A map of MEK_ID -> KeyEncryptionKey, for the current token
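Review bot: Dropping the public constant `KEK_LENGTH` is a source-incompatible change for any code outside this class that referenced it; if that is intended, the commit message should say so, otherwise keep `@Deprecated public static final int KEK_LENGTH = 16;` next to the new array for one release. The replacement `ACCEPTABLE_KEK_LENGTHS` is queried with `Arrays.binarySearch` in a later hunk of this file, which is only correct while the array stays sorted ascending, so the declaration should record that: `// keep sorted ascending: looked up via Arrays.binarySearch`. A brief Javadoc stating that the values are bit lengths and mirror the DEK lengths documented in README would also help the next maintainer.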
@@ -49,6 +50,7 @@ public class FileKeyWrapper {
private final Configuration hadoopConfiguration;
private final SecureRandom random;
private final boolean doubleWrapping;
+ private final int kekLength;
private short keyCounter;
private String accessToken;
@@ -79,8 +81,15 @@ public class FileKeyWrapper {
if (doubleWrapping) {
KEK_WRITE_CACHE_PER_TOKEN.checkCacheForExpiredTokens(cacheEntryLifetime);
KEKPerMasterKeyID =
KEK_WRITE_CACHE_PER_TOKEN.getOrCreateInternalCache(accessToken,
cacheEntryLifetime);
+ int kekLengthBits =
configuration.getInt(KeyToolkit.KEK_LENGTH_PROPERTY_NAME,
+ KeyToolkit.KEK_LENGTH_DEFAULT);
+ if (Arrays.binarySearch(ACCEPTABLE_KEK_LENGTHS, kekLengthBits) < 0) {
+ throw new ParquetCryptoRuntimeException("Wrong key encryption key
(KEK) length : " + kekLengthBits);
+ }
+ kekLength = kekLengthBits / 8;
} else {
KEKPerMasterKeyID = null;
+ kekLength = 0;
}
if (LOG.isDebugEnabled()) {
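Review bot: The exception thrown for an unacceptable value names neither the configuration property nor the accepted set, so an operator reading the log has to find this source to correct the setting; suggest `throw new ParquetCryptoRuntimeException("Wrong key encryption key (KEK) length : " + kekLengthBits + " (property " + KeyToolkit.KEK_LENGTH_PROPERTY_NAME + " must be 128, 192 or 256 bits)");`. Note that the check runs only on the double-wrapping branch, so a misconfigured value is silently accepted when double wrapping is off; that is presumably fine since the key is never generated there, but worth a one-line comment on the `else` branch, `// KEK not used without double wrapping; length left at 0`. The enclosing constructor starts and ends outside this hunk.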
@@ -143,7 +152,7 @@ public class FileKeyWrapper {
}
private KeyEncryptionKey createKeyEncryptionKey(String masterKeyID) {
- byte[] kekBytes = new byte[KEK_LENGTH];
+ byte[] kekBytes = new byte[kekLength];
random.nextBytes(kekBytes);
byte[] kekID = new byte[KEK_ID_LENGTH];
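Review bot: With `kekLength` set to 0 on the non-double-wrapping path, `new byte[kekLength]` here would silently produce an empty key encryption key if this method were ever reached in that mode; I cannot see the call sites from this hunk, but a cheap guard makes the invariant explicit: `if (kekLength == 0) { throw new ParquetCryptoRuntimeException("KEK generation requires double wrapping"); }` as the first statement of `createKeyEncryptionKey`. The method continues past the end of this hunk.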
@@ -155,4 +164,4 @@ public class FileKeyWrapper {
return new KeyEncryptionKey(kekBytes, kekID, encodedWrappedKEK);
}
-}
\ No newline at end of file
+}
diff --git
a/parquet-hadoop/src/main/java/org/apache/parquet/crypto/keytools/KeyToolkit.java
b/parquet-hadoop/src/main/java/org/apache/parquet/crypto/keytools/KeyToolkit.java
index 6116bab..668d9db 100644
---
a/parquet-hadoop/src/main/java/org/apache/parquet/crypto/keytools/KeyToolkit.java
+++
b/parquet-hadoop/src/main/java/org/apache/parquet/crypto/keytools/KeyToolkit.java
@@ -84,12 +84,18 @@ public class KeyToolkit {
* Can be 128, 192 or 256 bits.
*/
public static final String DATA_KEY_LENGTH_PROPERTY_NAME =
"parquet.encryption.data.key.length.bits";
+ /**
+ * Length of key encryption keys (KEKs), randomly generated by parquet key
management tools.
+ * Can be 128, 192 or 256 bits.
+ */
+ public static final String KEK_LENGTH_PROPERTY_NAME =
"parquet.encryption.kek.length.bits";
public static final boolean DOUBLE_WRAPPING_DEFAULT = true;
public static final long CACHE_LIFETIME_DEFAULT_SECONDS = 10 * 60; // 10
minutes
public static final boolean WRAP_LOCALLY_DEFAULT = false;
public static final boolean KEY_MATERIAL_INTERNAL_DEFAULT = true;
public static final int DATA_KEY_LENGTH_DEFAULT = 128;
+ public static final int KEK_LENGTH_DEFAULT = 128;
private static long lastCacheCleanForKeyRotationTime = 0;
private static Object lastCacheCleanForKeyRotationTimeLock = new Object();
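Review bot: The new Javadoc on `KEK_LENGTH_PROPERTY_NAME` does not say that the property is consulted only when double wrapping is enabled, which is what the accompanying FileKeyWrapper change does (the value is read inside the `if (doubleWrapping)` branch and ignored otherwise); add `* Only consulted when double wrapping is enabled; ignored otherwise.` to that comment. `KEK_LENGTH_DEFAULT` is added without any Javadoc, unlike the property constant above it; a one-liner such as `/** Default KEK length in bits; must be one of the values accepted by FileKeyWrapper. */` would keep the two in step.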