This is an automated email from the ASF dual-hosted git repository. mmiller pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/accumulo.git
The following commit(s) were added to refs/heads/main by this push: new 0781550 Refactor Crypto packages (#1956) 0781550 is described below commit 0781550076f04d12716650fd64881d8b9d041afa Author: Mike Miller <mmil...@apache.org> AuthorDate: Thu Mar 4 17:43:04 2021 -0500 Refactor Crypto packages (#1956) * Move AESCryptoService and NoCryptoService into public spi package * Move CryptoEnvironmentImpl into core.crypto package with other server crypto stuff * Make AESCryptoUtils static methods on AESCryptoService --- .../org/apache/accumulo/core/conf/Property.java | 2 +- .../CryptoEnvironmentImpl.java | 2 +- .../accumulo/core/crypto/CryptoServiceFactory.java | 2 +- .../apache/accumulo/core/crypto/CryptoUtils.java | 1 - .../accumulo/core/cryptoImpl/AESKeyUtils.java | 95 ---------------------- .../apache/accumulo/core/file/rfile/PrintInfo.java | 2 +- .../accumulo/core/file/rfile/bcfile/BCFile.java | 6 +- .../crypto}/AESCryptoService.java | 81 +++++++++++++++--- .../crypto}/NoCryptoService.java | 7 +- .../crypto}/NoFileDecrypter.java | 5 +- .../crypto}/NoFileEncrypter.java | 5 +- .../accumulo/core/conf/SiteConfigurationTest.java | 4 +- .../apache/accumulo/core/crypto/CryptoTest.java | 30 ++++--- .../apache/accumulo/core/file/rfile/RFileTest.java | 2 +- core/src/test/resources/accumulo2.properties | 2 +- .../org/apache/accumulo/tserver/log/DfsLogger.java | 4 +- .../test/functional/WriteAheadLogEncryptedIT.java | 2 +- 17 files changed, 99 insertions(+), 153 deletions(-) diff --git a/core/src/main/java/org/apache/accumulo/core/conf/Property.java b/core/src/main/java/org/apache/accumulo/core/conf/Property.java index 04015e3..c757648 100644 --- a/core/src/main/java/org/apache/accumulo/core/conf/Property.java +++ b/core/src/main/java/org/apache/accumulo/core/conf/Property.java 
@@ -176,7 +176,7 @@ public enum Property { "Sensitive properties related to on-disk file encryption."), @Experimental INSTANCE_CRYPTO_SERVICE("instance.crypto.service", - "org.apache.accumulo.core.cryptoImpl.NoCryptoService", PropertyType.CLASSNAME, + "org.apache.accumulo.core.spi.crypto.NoCryptoService", PropertyType.CLASSNAME, "The class which executes on-disk file encryption. The default does nothing. To enable " + "encryption, replace this classname with an implementation of the" + "org.apache.accumulo.core.spi.crypto.CryptoService interface."), diff --git a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/CryptoEnvironmentImpl.java b/core/src/main/java/org/apache/accumulo/core/crypto/CryptoEnvironmentImpl.java similarity index 96% rename from core/src/main/java/org/apache/accumulo/core/cryptoImpl/CryptoEnvironmentImpl.java rename to core/src/main/java/org/apache/accumulo/core/crypto/CryptoEnvironmentImpl.java index 17863be..ba2deae 100644 --- a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/CryptoEnvironmentImpl.java +++ b/core/src/main/java/org/apache/accumulo/core/crypto/CryptoEnvironmentImpl.java @@ -16,7 +16,7 @@ * specific language governing permissions and limitations * under the License. */ -package org.apache.accumulo.core.cryptoImpl; +package org.apache.accumulo.core.crypto; import org.apache.accumulo.core.spi.crypto.CryptoEnvironment; diff --git a/core/src/main/java/org/apache/accumulo/core/crypto/CryptoServiceFactory.java b/core/src/main/java/org/apache/accumulo/core/crypto/CryptoServiceFactory.java index f3c8737..1415b0d 100644 --- a/core/src/main/java/org/apache/accumulo/core/crypto/CryptoServiceFactory.java +++ b/core/src/main/java/org/apache/accumulo/core/crypto/CryptoServiceFactory.java 
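Review bot: Sites that already set `instance.crypto.service` to an `org.apache.accumulo.core.cryptoImpl.*` class get no migration path from the `Property` hunk, because the old names disappear and nothing visible maps them to `org.apache.accumulo.core.spi.crypto.*`. How the factory reacts to a class name that no longer resolves is not shown in this diff, so it is worth confirming that startup fails closed rather than continuing with `NoCryptoService`. The property description is the natural place to say so, for example by appending `+ " Class names under org.apache.accumulo.core.cryptoImpl are no longer valid."`. Separately, the existing description joins `"... an implementation of the"` and `"org.apache.accumulo.core.spi.crypto.CryptoService interface."` without a space; starting the second literal with a space fixes the rendered text.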
@@ -21,8 +21,8 @@ package org.apache.accumulo.core.crypto; import org.apache.accumulo.core.conf.AccumuloConfiguration; import org.apache.accumulo.core.conf.DefaultConfiguration; import org.apache.accumulo.core.conf.Property; -import org.apache.accumulo.core.cryptoImpl.NoCryptoService; import org.apache.accumulo.core.spi.crypto.CryptoService; +import org.apache.accumulo.core.spi.crypto.NoCryptoService; public class CryptoServiceFactory { diff --git a/core/src/main/java/org/apache/accumulo/core/crypto/CryptoUtils.java b/core/src/main/java/org/apache/accumulo/core/crypto/CryptoUtils.java index 703a0eb..53fff25 100644 --- a/core/src/main/java/org/apache/accumulo/core/crypto/CryptoUtils.java +++ b/core/src/main/java/org/apache/accumulo/core/crypto/CryptoUtils.java @@ -26,7 +26,6 @@ import java.security.NoSuchProviderException; import java.security.SecureRandom; import java.util.Objects; -import org.apache.accumulo.core.cryptoImpl.CryptoEnvironmentImpl; import org.apache.accumulo.core.spi.crypto.CryptoEnvironment; import org.apache.accumulo.core.spi.crypto.CryptoService; import org.apache.accumulo.core.spi.crypto.CryptoService.CryptoException; diff --git a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/AESKeyUtils.java b/core/src/main/java/org/apache/accumulo/core/cryptoImpl/AESKeyUtils.java deleted file mode 100644 index 8b0e942..0000000 --- a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/AESKeyUtils.java +++ /dev/null 
@@ -1,95 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.accumulo.core.cryptoImpl; - -import java.io.IOException; -import java.net.URI; -import java.net.URISyntaxException; -import java.nio.file.Files; -import java.nio.file.Paths; -import java.security.InvalidKeyException; -import java.security.Key; -import java.security.NoSuchAlgorithmException; -import java.security.SecureRandom; - -import javax.crypto.Cipher; -import javax.crypto.IllegalBlockSizeException; -import javax.crypto.NoSuchPaddingException; -import javax.crypto.spec.SecretKeySpec; - -import org.apache.accumulo.core.spi.crypto.CryptoService.CryptoException; - -import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; - -public class AESKeyUtils { - - public static final String URI = "uri"; - public static final String KEY_WRAP_TRANSFORM = "AESWrap"; - - public static Key generateKey(SecureRandom sr, int size) { - byte[] bytes = new byte[size]; - sr.nextBytes(bytes); - return new SecretKeySpec(bytes, "AES"); - } - - @SuppressFBWarnings(value = "CIPHER_INTEGRITY", - justification = "integrity not needed for key wrap") - public static Key unwrapKey(byte[] fek, Key kek) { - Key result = null; - try { - Cipher c = 
Cipher.getInstance(KEY_WRAP_TRANSFORM); - c.init(Cipher.UNWRAP_MODE, kek); - result = c.unwrap(fek, "AES", Cipher.SECRET_KEY); - } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException e) { - throw new CryptoException("Unable to unwrap file encryption key", e); - } - return result; - } - - @SuppressFBWarnings(value = "CIPHER_INTEGRITY", - justification = "integrity not needed for key wrap") - public static byte[] wrapKey(Key fek, Key kek) { - byte[] result = null; - try { - Cipher c = Cipher.getInstance(KEY_WRAP_TRANSFORM); - c.init(Cipher.WRAP_MODE, kek); - result = c.wrap(fek); - } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException - | IllegalBlockSizeException e) { - throw new CryptoException("Unable to wrap file encryption key", e); - } - - return result; - } - - @SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "keyId specified by admin") - public static SecretKeySpec loadKekFromUri(String keyId) { - URI uri; - SecretKeySpec key = null; - try { - uri = new URI(keyId); - key = new SecretKeySpec(Files.readAllBytes(Paths.get(uri.getPath())), "AES"); - } catch (URISyntaxException | IOException | IllegalArgumentException e) { - throw new CryptoException("Unable to load key encryption key.", e); - } - - return key; - - } -} diff --git a/core/src/main/java/org/apache/accumulo/core/file/rfile/PrintInfo.java b/core/src/main/java/org/apache/accumulo/core/file/rfile/PrintInfo.java index 96b49d6..4423a0c 100644 --- a/core/src/main/java/org/apache/accumulo/core/file/rfile/PrintInfo.java +++ b/core/src/main/java/org/apache/accumulo/core/file/rfile/PrintInfo.java 
@@ -29,7 +29,6 @@ import org.apache.accumulo.core.cli.ConfigOpts; import org.apache.accumulo.core.crypto.CryptoServiceFactory; import org.apache.accumulo.core.crypto.CryptoServiceFactory.ClassloaderType; import org.apache.accumulo.core.crypto.CryptoUtils; -import org.apache.accumulo.core.cryptoImpl.NoFileEncrypter; import org.apache.accumulo.core.data.ByteSequence; import org.apache.accumulo.core.data.Key; import org.apache.accumulo.core.data.Range; @@ -38,6 +37,7 @@ import org.apache.accumulo.core.file.FileSKVIterator; import org.apache.accumulo.core.file.blockfile.impl.CachableBlockFile.CachableBuilder; import org.apache.accumulo.core.file.rfile.RFile.Reader; import org.apache.accumulo.core.file.rfile.bcfile.Utils; +import org.apache.accumulo.core.spi.crypto.NoFileEncrypter; import org.apache.accumulo.core.summary.SummaryReader; import org.apache.accumulo.core.util.LocalityGroupUtil; import org.apache.accumulo.start.spi.KeywordExecutable; diff --git a/core/src/main/java/org/apache/accumulo/core/file/rfile/bcfile/BCFile.java b/core/src/main/java/org/apache/accumulo/core/file/rfile/bcfile/BCFile.java index 1d9fff3..eddf315 100644 --- a/core/src/main/java/org/apache/accumulo/core/file/rfile/bcfile/BCFile.java +++ b/core/src/main/java/org/apache/accumulo/core/file/rfile/bcfile/BCFile.java @@ -34,10 +34,8 @@ import java.util.Arrays; import java.util.Map; import java.util.TreeMap; +import org.apache.accumulo.core.crypto.CryptoEnvironmentImpl; import org.apache.accumulo.core.crypto.CryptoUtils; -import org.apache.accumulo.core.cryptoImpl.CryptoEnvironmentImpl; -import org.apache.accumulo.core.cryptoImpl.NoFileDecrypter; -import org.apache.accumulo.core.cryptoImpl.NoFileEncrypter; import org.apache.accumulo.core.file.rfile.bcfile.Compression.Algorithm; import org.apache.accumulo.core.file.rfile.bcfile.Utils.Version; import org.apache.accumulo.core.file.streams.BoundedRangeFileInputStream; 
@@ -48,6 +46,8 @@ import org.apache.accumulo.core.spi.crypto.CryptoEnvironment.Scope; import org.apache.accumulo.core.spi.crypto.CryptoService; import org.apache.accumulo.core.spi.crypto.FileDecrypter; import org.apache.accumulo.core.spi.crypto.FileEncrypter; +import org.apache.accumulo.core.spi.crypto.NoFileDecrypter; +import org.apache.accumulo.core.spi.crypto.NoFileEncrypter; import org.apache.accumulo.core.util.ratelimit.RateLimiter; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; diff --git a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/AESCryptoService.java b/core/src/main/java/org/apache/accumulo/core/spi/crypto/AESCryptoService.java similarity index 87% rename from core/src/main/java/org/apache/accumulo/core/cryptoImpl/AESCryptoService.java rename to core/src/main/java/org/apache/accumulo/core/spi/crypto/AESCryptoService.java index 60aee63..95d10a4 100644 --- a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/AESCryptoService.java +++ b/core/src/main/java/org/apache/accumulo/core/spi/crypto/AESCryptoService.java @@ -16,7 +16,7 @@ * specific language governing permissions and limitations * under the License. */ -package org.apache.accumulo.core.cryptoImpl; +package org.apache.accumulo.core.spi.crypto; import static java.nio.charset.StandardCharsets.UTF_8; @@ -27,6 +27,10 @@ import java.io.DataOutputStream; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; +import java.net.URI; +import java.net.URISyntaxException; +import java.nio.file.Files; +import java.nio.file.Paths; import java.security.InvalidAlgorithmParameterException; import java.security.InvalidKeyException; import java.security.Key; 
@@ -40,19 +44,17 @@ import java.util.Objects; import javax.crypto.Cipher; import javax.crypto.CipherInputStream; import javax.crypto.CipherOutputStream; +import javax.crypto.IllegalBlockSizeException; import javax.crypto.NoSuchPaddingException; import javax.crypto.spec.GCMParameterSpec; import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.SecretKeySpec; import org.apache.accumulo.core.crypto.CryptoUtils; import org.apache.accumulo.core.crypto.streams.BlockedInputStream; import org.apache.accumulo.core.crypto.streams.BlockedOutputStream; import org.apache.accumulo.core.crypto.streams.DiscardCloseOutputStream; import org.apache.accumulo.core.crypto.streams.RFileCipherOutputStream; -import org.apache.accumulo.core.spi.crypto.CryptoEnvironment; -import org.apache.accumulo.core.spi.crypto.CryptoService; -import org.apache.accumulo.core.spi.crypto.FileDecrypter; -import org.apache.accumulo.core.spi.crypto.FileEncrypter; import org.apache.commons.io.IOUtils; import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; @@ -65,6 +67,8 @@ public class AESCryptoService implements CryptoService { // Hard coded NoCryptoService.VERSION - this permits the removal of NoCryptoService from the // core jar, allowing use of only one crypto service private static final String NO_CRYPTO_VERSION = "U+1F47B"; + public static final String URI = "uri"; + public static final String KEY_WRAP_TRANSFORM = "AESWrap"; private Key encryptingKek = null; private String keyLocation = null; @@ -83,10 +87,10 @@ public class AESCryptoService implements CryptoService { this.sr = CryptoUtils.newSha1SecureRandom(); this.decryptingKeys = new HashMap<>(); switch (keyMgr) { - case AESKeyUtils.URI: + case URI: this.keyManager = keyMgr; this.keyLocation = keyLocation; - this.encryptingKek = AESKeyUtils.loadKekFromUri(keyLocation); + this.encryptingKek = loadKekFromUri(keyLocation); break; default: throw new CryptoException("Unrecognized key manager"); 
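Review bot: The constant `public static final String URI = "uri";` added in the `@@ -65,6 +67,8 @@` hunk shares its simple name with the `java.net.URI` import added by the same commit, which makes the later `java.net.URI uri;` followed by `new URI(keyId)` harder to read than it needs to be. A distinct name such as `public static final String KEY_MANAGER_URI = "uri";` (with the two `case URI:` labels updated to match) would remove the overlap. Both constants are now public members of a class in the `spi` package, so a one-line Javadoc on each, e.g. `/** Key manager type whose key id is a URI naming a local key file. */`, would tell implementers what they mean. The class body continues outside the hunk.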
@@ -121,7 +125,7 @@ public class AESCryptoService implements CryptoService { ParsedCryptoParameters parsed = parseCryptoParameters(decryptionParams); Key kek = loadDecryptionKek(parsed); - Key fek = AESKeyUtils.unwrapKey(parsed.getEncFek(), kek); + Key fek = unwrapKey(parsed.getEncFek(), kek); switch (parsed.getCryptoServiceVersion()) { case AESCBCCryptoModule.VERSION: cm = new AESCBCCryptoModule(this.encryptingKek, this.keyLocation, this.keyManager); @@ -195,7 +199,7 @@ public class AESCryptoService implements CryptoService { params.writeUTF(version); params.writeUTF(encryptingKeyManager); params.writeUTF(encryptingKekId); - byte[] wrappedFek = AESKeyUtils.wrapKey(fek, encryptingKek); + byte[] wrappedFek = wrapKey(fek, encryptingKek); params.writeInt(wrappedFek.length); params.write(wrappedFek); @@ -234,8 +238,8 @@ public class AESCryptoService implements CryptoService { } switch (params.keyManagerVersion) { - case AESKeyUtils.URI: - ret = AESKeyUtils.loadKekFromUri(params.kekId); + case URI: + ret = loadKekFromUri(params.kekId); break; default: throw new CryptoException("Unable to load kek: " + params.kekId); @@ -296,7 +300,7 @@ public class AESCryptoService implements CryptoService { private final byte[] initVector = new byte[GCM_IV_LENGTH_IN_BYTES]; AESGCMFileEncrypter() { - this.fek = AESKeyUtils.generateKey(sr, KEY_LENGTH_IN_BYTES); + this.fek = generateKey(sr, KEY_LENGTH_IN_BYTES); sr.nextBytes(this.initVector); this.firstInitVector = Arrays.copyOf(this.initVector, this.initVector.length); } @@ -429,7 +433,7 @@ public class AESCryptoService implements CryptoService { @SuppressFBWarnings(value = "CIPHER_INTEGRITY", justification = "CBC is provided for WALs") public class AESCBCFileEncrypter implements FileEncrypter { - private Key fek = AESKeyUtils.generateKey(sr, KEY_LENGTH_IN_BYTES); + private Key fek = generateKey(sr, KEY_LENGTH_IN_BYTES); private byte[] initVector = new byte[IV_LENGTH_IN_BYTES]; @Override 
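Review bot: In the `@@ -234,8 +238,8 @@` hunk, `loadKekFromUri(params.kekId)` opens a path taken from the parsed decryption parameters (`parseCryptoParameters(decryptionParams)` in the `@@ -121,7 +125,7 @@` hunk), while the `PATH_TRAVERSAL_IN` suppression on `loadKekFromUri` is justified only as "keyId specified by admin". That justification matches the constructor call with the configured `keyLocation`, but as far as these hunks show the decryption path takes the id from parameters stored alongside the data. I would either check `params.kekId` against the configured `keyLocation` (or a configured set of earlier key locations, if older keys must stay readable) before loading, or record the trust assumption next to the call with a comment such as `// kekId comes from the file's stored crypto parameters; it is trusted because <reason>`. The enclosing methods start and end outside the hunks.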
@@ -492,4 +496,55 @@ public class AESCryptoService implements CryptoService { } } } + + public static Key generateKey(SecureRandom sr, int size) { + byte[] bytes = new byte[size]; + sr.nextBytes(bytes); + return new SecretKeySpec(bytes, "AES"); + } + + @SuppressFBWarnings(value = "CIPHER_INTEGRITY", + justification = "integrity not needed for key wrap") + public static Key unwrapKey(byte[] fek, Key kek) { + Key result = null; + try { + Cipher c = Cipher.getInstance(KEY_WRAP_TRANSFORM); + c.init(Cipher.UNWRAP_MODE, kek); + result = c.unwrap(fek, "AES", Cipher.SECRET_KEY); + } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException e) { + throw new CryptoException("Unable to unwrap file encryption key", e); + } + return result; + } + + @SuppressFBWarnings(value = "CIPHER_INTEGRITY", + justification = "integrity not needed for key wrap") + public static byte[] wrapKey(Key fek, Key kek) { + byte[] result = null; + try { + Cipher c = Cipher.getInstance(KEY_WRAP_TRANSFORM); + c.init(Cipher.WRAP_MODE, kek); + result = c.wrap(fek); + } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException + | IllegalBlockSizeException e) { + throw new CryptoException("Unable to wrap file encryption key", e); + } + + return result; + } + + @SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "keyId specified by admin") + public static Key loadKekFromUri(String keyId) { + java.net.URI uri; + SecretKeySpec key = null; + try { + uri = new URI(keyId); + key = new SecretKeySpec(Files.readAllBytes(Paths.get(uri.getPath())), "AES"); + } catch (URISyntaxException | IOException | IllegalArgumentException e) { + throw new CryptoException("Unable to load key encryption key.", e); + } + + return key; + + } } 
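Review bot: `loadKekFromUri` in the added block can fail with a `NullPointerException` instead of `CryptoException`, because `uri.getPath()` returns null for an opaque URI and `Paths.get(null)` is not covered by the `URISyntaxException | IOException | IllegalArgumentException` catch. A guard before the read keeps the failure in the documented type: `String path = uri.getPath(); if (path == null) throw new CryptoException("Key URI has no path");`. The scheme and authority of the URI are also ignored, so a key id with a non-local scheme is read from the local filesystem without any warning; rejecting or at least documenting that would avoid loading an unintended file as the KEK. Since `generateKey`, `wrapKey`, `unwrapKey` and `loadKekFromUri` are now `public static` on a class in the `spi` package, each should carry a short Javadoc stating the accepted key sizes and that `CryptoException` is thrown on failure.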
diff --git a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/NoCryptoService.java b/core/src/main/java/org/apache/accumulo/core/spi/crypto/NoCryptoService.java similarity index 83% rename from core/src/main/java/org/apache/accumulo/core/cryptoImpl/NoCryptoService.java rename to core/src/main/java/org/apache/accumulo/core/spi/crypto/NoCryptoService.java index 21e61f5..669af43 100644 --- a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/NoCryptoService.java +++ b/core/src/main/java/org/apache/accumulo/core/spi/crypto/NoCryptoService.java @@ -16,15 +16,10 @@ * specific language governing permissions and limitations * under the License. */ -package org.apache.accumulo.core.cryptoImpl; +package org.apache.accumulo.core.spi.crypto; import java.util.Map; -import org.apache.accumulo.core.spi.crypto.CryptoEnvironment; -import org.apache.accumulo.core.spi.crypto.CryptoService; -import org.apache.accumulo.core.spi.crypto.FileDecrypter; -import org.apache.accumulo.core.spi.crypto.FileEncrypter; - /** * The default encryption strategy which does nothing. */ diff --git a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/NoFileDecrypter.java b/core/src/main/java/org/apache/accumulo/core/spi/crypto/NoFileDecrypter.java similarity index 86% rename from core/src/main/java/org/apache/accumulo/core/cryptoImpl/NoFileDecrypter.java rename to core/src/main/java/org/apache/accumulo/core/spi/crypto/NoFileDecrypter.java index f48bf92..e9860b7 100644 --- a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/NoFileDecrypter.java +++ b/core/src/main/java/org/apache/accumulo/core/spi/crypto/NoFileDecrypter.java 
@@ -16,13 +16,10 @@ * specific language governing permissions and limitations * under the License. */ -package org.apache.accumulo.core.cryptoImpl; +package org.apache.accumulo.core.spi.crypto; import java.io.InputStream; -import org.apache.accumulo.core.spi.crypto.CryptoService; -import org.apache.accumulo.core.spi.crypto.FileDecrypter; - public class NoFileDecrypter implements FileDecrypter { @Override public InputStream decryptStream(InputStream inputStream) throws CryptoService.CryptoException { diff --git a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/NoFileEncrypter.java b/core/src/main/java/org/apache/accumulo/core/spi/crypto/NoFileEncrypter.java similarity index 88% rename from core/src/main/java/org/apache/accumulo/core/cryptoImpl/NoFileEncrypter.java rename to core/src/main/java/org/apache/accumulo/core/spi/crypto/NoFileEncrypter.java index ed36937..a980c73 100644 --- a/core/src/main/java/org/apache/accumulo/core/cryptoImpl/NoFileEncrypter.java +++ b/core/src/main/java/org/apache/accumulo/core/spi/crypto/NoFileEncrypter.java @@ -16,15 +16,12 @@ * specific language governing permissions and limitations * under the License. */ -package org.apache.accumulo.core.cryptoImpl; +package org.apache.accumulo.core.spi.crypto; import static java.nio.charset.StandardCharsets.UTF_8; import java.io.OutputStream; -import org.apache.accumulo.core.spi.crypto.CryptoService; -import org.apache.accumulo.core.spi.crypto.FileEncrypter; - public class NoFileEncrypter implements FileEncrypter { @Override diff --git a/core/src/test/java/org/apache/accumulo/core/conf/SiteConfigurationTest.java b/core/src/test/java/org/apache/accumulo/core/conf/SiteConfigurationTest.java index f7dc1aa..cc0b00e 100644 --- a/core/src/test/java/org/apache/accumulo/core/conf/SiteConfigurationTest.java +++ b/core/src/test/java/org/apache/accumulo/core/conf/SiteConfigurationTest.java 
@@ -62,7 +62,7 @@ public class SiteConfigurationTest { assertEquals("", conf.get(Property.INSTANCE_VOLUMES)); assertEquals("120s", conf.get(Property.GENERAL_RPC_TIMEOUT)); assertEquals("1G", conf.get(Property.TSERV_WALOG_MAX_SIZE)); - assertEquals("org.apache.accumulo.core.cryptoImpl.NoCryptoService", + assertEquals("org.apache.accumulo.core.spi.crypto.NoCryptoService", conf.get(Property.INSTANCE_CRYPTO_SERVICE)); } @@ -76,7 +76,7 @@ public class SiteConfigurationTest { assertEquals("hdfs://localhost:8020/accumulo123", conf.get(Property.INSTANCE_VOLUMES)); assertEquals("123s", conf.get(Property.GENERAL_RPC_TIMEOUT)); assertEquals("256M", conf.get(Property.TSERV_WALOG_MAX_SIZE)); - assertEquals("org.apache.accumulo.core.cryptoImpl.AESCryptoService", + assertEquals("org.apache.accumulo.core.spi.crypto.AESCryptoService", conf.get(Property.INSTANCE_CRYPTO_SERVICE)); assertEquals(System.getenv("USER"), conf.get("general.test.user.name")); assertEquals("/tmp/test/dir", conf.get("general.test.user.dir")); diff --git a/core/src/test/java/org/apache/accumulo/core/crypto/CryptoTest.java b/core/src/test/java/org/apache/accumulo/core/crypto/CryptoTest.java index 94336db..5568a8d 100644 --- a/core/src/test/java/org/apache/accumulo/core/crypto/CryptoTest.java +++ b/core/src/test/java/org/apache/accumulo/core/crypto/CryptoTest.java 
@@ -58,11 +58,9 @@ import org.apache.accumulo.core.conf.DefaultConfiguration; import org.apache.accumulo.core.conf.Property; import org.apache.accumulo.core.crypto.CryptoServiceFactory.ClassloaderType; import org.apache.accumulo.core.crypto.streams.NoFlushOutputStream; -import org.apache.accumulo.core.cryptoImpl.AESCryptoService; -import org.apache.accumulo.core.cryptoImpl.AESKeyUtils; -import org.apache.accumulo.core.cryptoImpl.CryptoEnvironmentImpl; import org.apache.accumulo.core.data.Key; import org.apache.accumulo.core.data.Value; +import org.apache.accumulo.core.spi.crypto.AESCryptoService; import org.apache.accumulo.core.spi.crypto.CryptoEnvironment; import org.apache.accumulo.core.spi.crypto.CryptoEnvironment.Scope; import org.apache.accumulo.core.spi.crypto.CryptoService; @@ -267,7 +265,7 @@ public class CryptoTest { aconf.set(e.getKey(), e.getValue()); } aconf.set(Property.INSTANCE_CRYPTO_SERVICE, - "org.apache.accumulo.core.cryptoImpl.AESCryptoService"); + "org.apache.accumulo.core.spi.crypto.AESCryptoService"); String configuredClass = aconf.get(Property.INSTANCE_CRYPTO_SERVICE.getKey()); Class<? extends CryptoService> clazz = ClassLoaderUtil.loadClass(configuredClass, CryptoService.class); @@ -297,7 +295,7 @@ public class CryptoTest { @SuppressFBWarnings(value = "CIPHER_INTEGRITY", justification = "CBC is being tested") private void verifyKeySizeForCBC(SecureRandom sr, int sizeInBytes) throws InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException { - java.security.Key key = AESKeyUtils.generateKey(sr, sizeInBytes); + java.security.Key key = AESCryptoService.generateKey(sr, sizeInBytes); Cipher.getInstance("AES/CBC/NoPadding").init(Cipher.ENCRYPT_MODE, key); } 
@@ -305,11 +303,11 @@ public class CryptoTest { public void testAESKeyUtilsWrapAndUnwrap() throws NoSuchAlgorithmException, NoSuchProviderException { SecureRandom sr = SecureRandom.getInstance("SHA1PRNG", "SUN"); - java.security.Key kek = AESKeyUtils.generateKey(sr, 16); - java.security.Key fek = AESKeyUtils.generateKey(sr, 16); - byte[] wrapped = AESKeyUtils.wrapKey(fek, kek); + java.security.Key kek = AESCryptoService.generateKey(sr, 16); + java.security.Key fek = AESCryptoService.generateKey(sr, 16); + byte[] wrapped = AESCryptoService.wrapKey(fek, kek); assertFalse(Arrays.equals(fek.getEncoded(), wrapped)); - java.security.Key unwrapped = AESKeyUtils.unwrapKey(wrapped, kek); + java.security.Key unwrapped = AESCryptoService.unwrapKey(wrapped, kek); assertEquals(unwrapped, fek); } 
@@ -317,19 +315,19 @@ public class CryptoTest { public void testAESKeyUtilsFailUnwrapWithWrongKEK() throws NoSuchAlgorithmException, NoSuchProviderException { SecureRandom sr = SecureRandom.getInstance("SHA1PRNG", "SUN"); - java.security.Key kek = AESKeyUtils.generateKey(sr, 16); - java.security.Key fek = AESKeyUtils.generateKey(sr, 16); + java.security.Key kek = AESCryptoService.generateKey(sr, 16); + java.security.Key fek = AESCryptoService.generateKey(sr, 16); byte[] wrongBytes = kek.getEncoded(); wrongBytes[0]++; java.security.Key wrongKek = new SecretKeySpec(wrongBytes, "AES"); - byte[] wrapped = AESKeyUtils.wrapKey(fek, kek); - assertThrows(CryptoException.class, () -> AESKeyUtils.unwrapKey(wrapped, wrongKek)); + byte[] wrapped = AESCryptoService.wrapKey(fek, kek); + assertThrows(CryptoException.class, () -> AESCryptoService.unwrapKey(wrapped, wrongKek)); } @Test public void testAESKeyUtilsLoadKekFromUri() throws IOException { - SecretKeySpec fileKey = AESKeyUtils.loadKekFromUri(keyPath); + java.security.Key fileKey = AESCryptoService.loadKekFromUri(keyPath); ByteArrayOutputStream baos = new ByteArrayOutputStream(); DataOutputStream dos = new DataOutputStream(baos); dos.writeUTF("sixteenbytekey"); @@ -339,13 +337,13 @@ public class CryptoTest { @Test public void testAESKeyUtilsLoadKekFromUriInvalidUri() { - assertThrows(CryptoException.class, () -> AESKeyUtils.loadKekFromUri( + assertThrows(CryptoException.class, () -> AESCryptoService.loadKekFromUri( System.getProperty("user.dir") + "/target/CryptoTest-testkeyfile-doesnt-exist")); } @Test public void testAESKeyUtilsLoadKekFromEmptyFile() { - assertThrows(CryptoException.class, () -> AESKeyUtils.loadKekFromUri(emptyKeyPath)); + assertThrows(CryptoException.class, () -> AESCryptoService.loadKekFromUri(emptyKeyPath)); } private ArrayList<Key> testData() { 
diff --git a/core/src/test/java/org/apache/accumulo/core/file/rfile/RFileTest.java b/core/src/test/java/org/apache/accumulo/core/file/rfile/RFileTest.java index 617ca93..f0cee84 100644 --- a/core/src/test/java/org/apache/accumulo/core/file/rfile/RFileTest.java +++ b/core/src/test/java/org/apache/accumulo/core/file/rfile/RFileTest.java @@ -1801,7 +1801,7 @@ public class RFileTest { switch (cryptoOn) { case CryptoTest.CRYPTO_ON_CONF: cfg.set(Property.INSTANCE_CRYPTO_SERVICE, - "org.apache.accumulo.core.cryptoImpl.AESCryptoService"); + "org.apache.accumulo.core.spi.crypto.AESCryptoService"); cfg.set(INSTANCE_CRYPTO_PREFIX.getKey() + "key.uri", CryptoTest.keyPath); } return cfg; diff --git a/core/src/test/resources/accumulo2.properties b/core/src/test/resources/accumulo2.properties index adfbe13..a6328d9 100644 --- a/core/src/test/resources/accumulo2.properties +++ b/core/src/test/resources/accumulo2.properties @@ -18,7 +18,7 @@ # general.rpc.timeout=123s -instance.crypto.service=org.apache.accumulo.core.cryptoImpl.AESCryptoService +instance.crypto.service=org.apache.accumulo.core.spi.crypto.AESCryptoService instance.secret=mysecret instance.volumes=hdfs://localhost:8020/accumulo123 instance.zookeeper.host=myhost123:2181 diff --git a/server/tserver/src/main/java/org/apache/accumulo/tserver/log/DfsLogger.java b/server/tserver/src/main/java/org/apache/accumulo/tserver/log/DfsLogger.java index 7e2b410..e9b5d4e 100644 --- a/server/tserver/src/main/java/org/apache/accumulo/tserver/log/DfsLogger.java +++ b/server/tserver/src/main/java/org/apache/accumulo/tserver/log/DfsLogger.java 
@@ -46,18 +46,18 @@ import java.util.concurrent.atomic.AtomicLong; import org.apache.accumulo.core.client.Durability; import org.apache.accumulo.core.conf.AccumuloConfiguration; import org.apache.accumulo.core.conf.Property; +import org.apache.accumulo.core.crypto.CryptoEnvironmentImpl; import org.apache.accumulo.core.crypto.CryptoServiceFactory; import org.apache.accumulo.core.crypto.CryptoServiceFactory.ClassloaderType; import org.apache.accumulo.core.crypto.CryptoUtils; import org.apache.accumulo.core.crypto.streams.NoFlushOutputStream; -import org.apache.accumulo.core.cryptoImpl.CryptoEnvironmentImpl; -import org.apache.accumulo.core.cryptoImpl.NoCryptoService; import org.apache.accumulo.core.data.Mutation; import org.apache.accumulo.core.spi.crypto.CryptoEnvironment; import org.apache.accumulo.core.spi.crypto.CryptoEnvironment.Scope; import org.apache.accumulo.core.spi.crypto.CryptoService; import org.apache.accumulo.core.spi.crypto.FileDecrypter; import org.apache.accumulo.core.spi.crypto.FileEncrypter; +import org.apache.accumulo.core.spi.crypto.NoCryptoService; import org.apache.accumulo.core.util.Pair; import org.apache.accumulo.core.util.threads.Threads; import org.apache.accumulo.server.ServerConstants; diff --git a/test/src/main/java/org/apache/accumulo/test/functional/WriteAheadLogEncryptedIT.java b/test/src/main/java/org/apache/accumulo/test/functional/WriteAheadLogEncryptedIT.java index d7d54c6..d17f521 100644 --- a/test/src/main/java/org/apache/accumulo/test/functional/WriteAheadLogEncryptedIT.java +++ b/test/src/main/java/org/apache/accumulo/test/functional/WriteAheadLogEncryptedIT.java 
@@ -43,7 +43,7 @@ public class WriteAheadLogEncryptedIT extends AccumuloClusterHarness { String keyPath = System.getProperty("user.dir") + "/target/mini-tests/WriteAheadLogEncryptedIT-testkeyfile"; cfg.setProperty(Property.INSTANCE_CRYPTO_SERVICE, - "org.apache.accumulo.core.cryptoImpl.AESCryptoService"); + "org.apache.accumulo.core.spi.crypto.AESCryptoService"); cfg.setProperty(INSTANCE_CRYPTO_PREFIX.getKey() + "key.uri", keyPath); WriteAheadLogIT.setupConfig(cfg, hadoopCoreSite);