milleruntime closed pull request #640: Rename some Crypto terms for easier
configuration
URL: https://github.com/apache/accumulo/pull/640
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git
a/core/src/main/java/org/apache/accumulo/core/security/crypto/impl/AESCryptoService.java
b/core/src/main/java/org/apache/accumulo/core/security/crypto/impl/AESCryptoService.java
index 54d5f5984a..d10dbff839 100644
---
a/core/src/main/java/org/apache/accumulo/core/security/crypto/impl/AESCryptoService.java
+++
b/core/src/main/java/org/apache/accumulo/core/security/crypto/impl/AESCryptoService.java
@@ -62,25 +62,27 @@
private static final String NO_CRYPTO_VERSION = "U+1F47B";
private Key encryptingKek = null;
- private String encryptingKekId = null;
- private String encryptingKeyManager = null;
+ private String keyLocation = null;
+ private String keyManager = null;
// Lets just load keks for reading once
private HashMap<String,Key> decryptingKeys = null;
private SecureRandom sr = null;
@Override
public void init(Map<String,String> conf) throws CryptoException {
- String kekId = conf.get("instance.crypto.opts.kekId");
- String keyMgr = conf.get("instance.crypto.opts.keyManager");
- Objects.requireNonNull(kekId, "Config property instance.crypto.opts.kekId
is required.");
- Objects.requireNonNull(keyMgr, "Config property
instance.crypto.opts.keyManager is required.");
+ String keyLocation = conf.get("instance.crypto.opts.key.location");
+ String keyMgr = conf.get("instance.crypto.opts.key.provider");
+ Objects.requireNonNull(keyLocation,
+ "Config property instance.crypto.opts.key.location is required.");
+ Objects.requireNonNull(keyMgr,
+ "Config property instance.crypto.opts.key.provider is required.");
this.sr = CryptoUtils.newSha1SecureRandom();
this.decryptingKeys = new HashMap<>();
switch (keyMgr) {
- case KeyManager.URI:
- this.encryptingKeyManager = keyMgr;
- this.encryptingKekId = kekId;
- this.encryptingKek = KeyManager.loadKekFromUri(kekId);
+ case AESKeyUtils.URI:
+ this.keyManager = keyMgr;
+ this.keyLocation = keyLocation;
+ this.encryptingKek = AESKeyUtils.loadKekFromUri(keyLocation);
break;
default:
throw new CryptoException("Unrecognized key manager");
@@ -93,13 +95,11 @@ public FileEncrypter getFileEncrypter(CryptoEnvironment
environment) {
CryptoModule cm;
switch (environment.getScope()) {
case WAL:
- cm = new AESCBCCryptoModule(this.encryptingKek, this.encryptingKekId,
- this.encryptingKeyManager);
+ cm = new AESCBCCryptoModule(this.encryptingKek, this.keyLocation,
this.keyManager);
return cm.getEncrypter();
case RFILE:
- cm = new AESGCMCryptoModule(this.encryptingKek, this.encryptingKekId,
- this.encryptingKeyManager);
+ cm = new AESGCMCryptoModule(this.encryptingKek, this.keyLocation,
this.keyManager);
return cm.getEncrypter();
default:
@@ -116,15 +116,13 @@ public FileDecrypter getFileDecrypter(CryptoEnvironment
environment) {
ParsedCryptoParameters parsed = parseCryptoParameters(decryptionParams);
Key kek = loadDecryptionKek(parsed);
- Key fek = KeyManager.unwrapKey(parsed.getEncFek(), kek);
+ Key fek = AESKeyUtils.unwrapKey(parsed.getEncFek(), kek);
switch (parsed.getCryptoServiceVersion()) {
case AESCBCCryptoModule.VERSION:
- cm = new AESCBCCryptoModule(this.encryptingKek, this.encryptingKekId,
- this.encryptingKeyManager);
+ cm = new AESCBCCryptoModule(this.encryptingKek, this.keyLocation,
this.keyManager);
return (cm.getDecrypter(fek));
case AESGCMCryptoModule.VERSION:
- cm = new AESGCMCryptoModule(this.encryptingKek, this.encryptingKekId,
- this.encryptingKeyManager);
+ cm = new AESGCMCryptoModule(this.encryptingKek, this.keyLocation,
this.keyManager);
return (cm.getDecrypter(fek));
default:
throw new CryptoException(
@@ -196,7 +194,7 @@ public void setEncFek(byte[] encFek) {
params.writeUTF(version);
params.writeUTF(encryptingKeyManager);
params.writeUTF(encryptingKekId);
- byte[] wrappedFek = KeyManager.wrapKey(fek, encryptingKek);
+ byte[] wrappedFek = AESKeyUtils.wrapKey(fek, encryptingKek);
params.writeInt(wrappedFek.length);
params.write(wrappedFek);
@@ -235,8 +233,8 @@ private Key loadDecryptionKek(ParsedCryptoParameters
params) {
}
switch (params.keyManagerVersion) {
- case KeyManager.URI:
- ret = KeyManager.loadKekFromUri(params.kekId);
+ case AESKeyUtils.URI:
+ ret = AESKeyUtils.loadKekFromUri(params.kekId);
break;
default:
throw new CryptoException("Unable to load kek: " + params.kekId);
@@ -271,14 +269,13 @@ private Key loadDecryptionKek(ParsedCryptoParameters
params) {
private final String transformation = "AES/GCM/NoPadding";
private boolean ivReused = false;
private Key encryptingKek;
- private String encryptingKekId;
- private String encryptingKeyManager;
+ private String keyLocation;
+ private String keyManager;
- public AESGCMCryptoModule(Key encryptingKek, String encryptingKekId,
- String encryptingKeyManager) {
+ public AESGCMCryptoModule(Key encryptingKek, String keyLocation, String
keyManager) {
this.encryptingKek = encryptingKek;
- this.encryptingKekId = encryptingKekId;
- this.encryptingKeyManager = encryptingKeyManager;
+ this.keyLocation = keyLocation;
+ this.keyManager = keyManager;
}
@Override
@@ -298,7 +295,7 @@ public FileDecrypter getDecrypter(Key fek) {
private byte[] initVector = new byte[GCM_IV_LENGTH_IN_BYTES];
AESGCMFileEncrypter() {
- fek = KeyManager.generateKey(sr, KEY_LENGTH_IN_BYTES);
+ fek = AESKeyUtils.generateKey(sr, KEY_LENGTH_IN_BYTES);
sr.nextBytes(initVector);
firstInitVector = Arrays.copyOf(initVector, initVector.length);
}
@@ -365,8 +362,7 @@ void incrementIV(byte[] iv, int i) {
@Override
public byte[] getDecryptionParameters() {
- return createCryptoParameters(VERSION, encryptingKek, encryptingKekId,
encryptingKeyManager,
- fek);
+ return createCryptoParameters(VERSION, encryptingKek, keyLocation,
keyManager, fek);
}
}
@@ -409,14 +405,13 @@ public InputStream decryptStream(InputStream inputStream)
throws CryptoException
private final Integer KEY_LENGTH_IN_BYTES = 16;
private final String transformation = "AES/CBC/NoPadding";
private Key encryptingKek;
- private String encryptingKekId;
- private String encryptingKeyManager;
+ private String keyLocation;
+ private String keyManager;
- public AESCBCCryptoModule(Key encryptingKek, String encryptingKekId,
- String encryptingKeyManager) {
+ public AESCBCCryptoModule(Key encryptingKek, String keyLocation, String
keyManager) {
this.encryptingKek = encryptingKek;
- this.encryptingKekId = encryptingKekId;
- this.encryptingKeyManager = encryptingKeyManager;
+ this.keyLocation = keyLocation;
+ this.keyManager = keyManager;
}
@Override
@@ -431,7 +426,7 @@ public FileDecrypter getDecrypter(Key fek) {
public class AESCBCFileEncrypter implements FileEncrypter {
- private Key fek = KeyManager.generateKey(sr, KEY_LENGTH_IN_BYTES);
+ private Key fek = AESKeyUtils.generateKey(sr, KEY_LENGTH_IN_BYTES);
private byte[] initVector = new byte[IV_LENGTH_IN_BYTES];
@Override
@@ -465,8 +460,7 @@ public OutputStream encryptStream(OutputStream
outputStream) throws CryptoExcept
@Override
public byte[] getDecryptionParameters() {
- return createCryptoParameters(VERSION, encryptingKek, encryptingKekId,
encryptingKeyManager,
- fek);
+ return createCryptoParameters(VERSION, encryptingKek, keyLocation,
keyManager, fek);
}
}
diff --git
a/core/src/main/java/org/apache/accumulo/core/security/crypto/impl/KeyManager.java
b/core/src/main/java/org/apache/accumulo/core/security/crypto/impl/AESKeyUtils.java
similarity index 90%
rename from
core/src/main/java/org/apache/accumulo/core/security/crypto/impl/KeyManager.java
rename to
core/src/main/java/org/apache/accumulo/core/security/crypto/impl/AESKeyUtils.java
index f24d24ee2b..50b9eea99a 100644
---
a/core/src/main/java/org/apache/accumulo/core/security/crypto/impl/KeyManager.java
+++
b/core/src/main/java/org/apache/accumulo/core/security/crypto/impl/AESKeyUtils.java
@@ -34,9 +34,11 @@
import org.apache.accumulo.core.spi.crypto.CryptoService.CryptoException;
-public class KeyManager {
+public class AESKeyUtils {
public static final String URI = "uri";
+ public static final String KEY_WRAP_TRANSFORM = "AESWrap";
+ public static final String KEY_PROVIDER = "SunJCE";
public static Key generateKey(SecureRandom sr, int size) {
byte[] bytes = new byte[size];
@@ -47,7 +49,7 @@ public static Key generateKey(SecureRandom sr, int size) {
public static Key unwrapKey(byte[] fek, Key kek) {
Key result = null;
try {
- Cipher c = Cipher.getInstance("AESWrap", "SunJCE");
+ Cipher c = Cipher.getInstance(KEY_WRAP_TRANSFORM, KEY_PROVIDER);
c.init(Cipher.UNWRAP_MODE, kek);
result = c.unwrap(fek, "AES", Cipher.SECRET_KEY);
} catch (InvalidKeyException | NoSuchAlgorithmException |
NoSuchProviderException
@@ -60,7 +62,7 @@ public static Key unwrapKey(byte[] fek, Key kek) {
public static byte[] wrapKey(Key fek, Key kek) {
byte[] result = null;
try {
- Cipher c = Cipher.getInstance("AESWrap", "SunJCE");
+ Cipher c = Cipher.getInstance(KEY_WRAP_TRANSFORM, KEY_PROVIDER);
c.init(Cipher.WRAP_MODE, kek);
result = c.wrap(fek);
} catch (InvalidKeyException | NoSuchAlgorithmException |
NoSuchProviderException
diff --git a/core/src/main/spotbugs/exclude-filter.xml
b/core/src/main/spotbugs/exclude-filter.xml
index 5aa5421ff9..2be74ba531 100644
--- a/core/src/main/spotbugs/exclude-filter.xml
+++ b/core/src/main/spotbugs/exclude-filter.xml
@@ -38,7 +38,7 @@
<Class name="org.apache.accumulo.core.security.crypto.CryptoTest"/>
<Class
name="org.apache.accumulo.core.security.crypto.impl.AESCryptoService$AESCBCCryptoModule$AESCBCFileEncrypter"/>
<Class
name="org.apache.accumulo.core.security.crypto.impl.AESCryptoService$AESCBCCryptoModule$AESCBCFileDecrypter"/>
- <Class name="org.apache.accumulo.core.security.crypto.impl.KeyManager"/>
+ <Class name="org.apache.accumulo.core.security.crypto.impl.AESKeyUtils"/>
</Or>
<Bug code="CIPHER" pattern="CIPHER_INTEGRITY" />
</Match>
@@ -95,7 +95,7 @@
</Match>
<Match>
<!-- Calling new File on input can be dangerous, but OK here -->
- <Class name="org.apache.accumulo.core.security.crypto.impl.KeyManager" />
+ <Class name="org.apache.accumulo.core.security.crypto.impl.AESKeyUtils" />
<Method name="loadKekFromUri" params="java.lang.String"/>
<Bug code="PATH" pattern="PATH_TRAVERSAL_IN" />
</Match>
diff --git
a/core/src/test/java/org/apache/accumulo/core/security/crypto/CryptoTest.java
b/core/src/test/java/org/apache/accumulo/core/security/crypto/CryptoTest.java
index d5496fb096..e5e3e53442 100644
---
a/core/src/test/java/org/apache/accumulo/core/security/crypto/CryptoTest.java
+++
b/core/src/test/java/org/apache/accumulo/core/security/crypto/CryptoTest.java
@@ -51,8 +51,8 @@
import org.apache.accumulo.core.data.Key;
import org.apache.accumulo.core.data.Value;
import org.apache.accumulo.core.security.crypto.impl.AESCryptoService;
+import org.apache.accumulo.core.security.crypto.impl.AESKeyUtils;
import org.apache.accumulo.core.security.crypto.impl.CryptoEnvironmentImpl;
-import org.apache.accumulo.core.security.crypto.impl.KeyManager;
import org.apache.accumulo.core.security.crypto.impl.NoCryptoService;
import org.apache.accumulo.core.security.crypto.streams.NoFlushOutputStream;
import org.apache.accumulo.core.spi.crypto.CryptoEnvironment;
@@ -272,12 +272,12 @@ public void testKeyManagerGeneratesKey() throws
NoSuchAlgorithmException, NoSuch
NoSuchPaddingException, InvalidKeyException {
SecureRandom sr = SecureRandom.getInstance("SHA1PRNG", "SUN");
java.security.Key key;
- key = KeyManager.generateKey(sr, 16);
+ key = AESKeyUtils.generateKey(sr, 16);
Cipher.getInstance("AES/CBC/NoPadding").init(Cipher.ENCRYPT_MODE, key);
- key = KeyManager.generateKey(sr, 24);
- key = KeyManager.generateKey(sr, 32);
- key = KeyManager.generateKey(sr, 11);
+ key = AESKeyUtils.generateKey(sr, 24);
+ key = AESKeyUtils.generateKey(sr, 32);
+ key = AESKeyUtils.generateKey(sr, 11);
exception.expect(InvalidKeyException.class);
Cipher.getInstance("AES/CBC/NoPadding").init(Cipher.ENCRYPT_MODE, key);
@@ -287,17 +287,17 @@ public void testKeyManagerGeneratesKey() throws
NoSuchAlgorithmException, NoSuch
public void testKeyManagerWrapAndUnwrap()
throws NoSuchAlgorithmException, NoSuchProviderException {
SecureRandom sr = SecureRandom.getInstance("SHA1PRNG", "SUN");
- java.security.Key kek = KeyManager.generateKey(sr, 16);
- java.security.Key fek = KeyManager.generateKey(sr, 16);
- byte[] wrapped = KeyManager.wrapKey(fek, kek);
+ java.security.Key kek = AESKeyUtils.generateKey(sr, 16);
+ java.security.Key fek = AESKeyUtils.generateKey(sr, 16);
+ byte[] wrapped = AESKeyUtils.wrapKey(fek, kek);
assertFalse(Arrays.equals(fek.getEncoded(), wrapped));
- java.security.Key unwrapped = KeyManager.unwrapKey(wrapped, kek);
+ java.security.Key unwrapped = AESKeyUtils.unwrapKey(wrapped, kek);
assertEquals(unwrapped, fek);
}
@Test
public void testKeyManagerLoadKekFromUri() throws IOException {
- SecretKeySpec fileKey =
KeyManager.loadKekFromUri("file:///tmp/testAESFile");
+ SecretKeySpec fileKey =
AESKeyUtils.loadKekFromUri("file:///tmp/testAESFile");
ByteArrayOutputStream baos = new ByteArrayOutputStream();
DataOutputStream dos = new DataOutputStream(baos);
dos.writeUTF("sixteenbytekey");
diff --git a/core/src/test/resources/crypto-on-accumulo.properties
b/core/src/test/resources/crypto-on-accumulo.properties
index 6623b94a2b..52100c706f 100644
--- a/core/src/test/resources/crypto-on-accumulo.properties
+++ b/core/src/test/resources/crypto-on-accumulo.properties
@@ -14,5 +14,5 @@
# limitations under the License.
instance.crypto.service=org.apache.accumulo.core.security.crypto.impl.AESCryptoService
-instance.crypto.opts.kekId=file:///tmp/testAESFile
-instance.crypto.opts.keyManager=uri
+instance.crypto.opts.key.location=file:///tmp/testAESFile
+instance.crypto.opts.key.provider=uri
diff --git
a/test/src/main/java/org/apache/accumulo/test/functional/WriteAheadLogEncryptedIT.java
b/test/src/main/java/org/apache/accumulo/test/functional/WriteAheadLogEncryptedIT.java
index 1b263decda..0d1e51932e 100644
---
a/test/src/main/java/org/apache/accumulo/test/functional/WriteAheadLogEncryptedIT.java
+++
b/test/src/main/java/org/apache/accumulo/test/functional/WriteAheadLogEncryptedIT.java
@@ -47,8 +47,8 @@ public void configureMiniCluster(MiniAccumuloConfigImpl cfg,
Configuration hadoo
+ "/target/mini-tests/WriteAheadLogEncryptedIT-testkeyfile";
cfg.setProperty(Property.INSTANCE_CRYPTO_SERVICE,
"org.apache.accumulo.core.security.crypto.impl.AESCryptoService");
- cfg.setProperty(INSTANCE_CRYPTO_PREFIX.getKey() + "kekId", keyPath);
- cfg.setProperty(INSTANCE_CRYPTO_PREFIX.getKey() + "keyManager", "uri");
+ cfg.setProperty(INSTANCE_CRYPTO_PREFIX.getKey() + "key.location", keyPath);
+ cfg.setProperty(INSTANCE_CRYPTO_PREFIX.getKey() + "key.provider", "uri");
cfg.setProperty(Property.TSERV_WALOG_MAX_SIZE, "2M");
cfg.setProperty(Property.GC_CYCLE_DELAY, "1");
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
