diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index bc93d1d9c6..bace31168b 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -180,6 +180,9 @@ Trunk (Unreleased) HADOOP-10841. EncryptedKeyVersion should have a key name property. (asuresh via tucu) + HADOOP-10842. CryptoExtension generateEncryptedKey method should + receive the key name. (asuresh via tucu) + BUG FIXES HADOOP-9451. Fault single-layer config if node group topology is enabled. diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java index 627ffe6918..204af819a4 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderCryptoExtension.java @@ -84,14 +84,13 @@ public class KeyProviderCryptoExtension extends /** * Generates a key material and encrypts it using the given key version name * and initialization vector. The generated key material is of the same - * length as the <code>KeyVersion</code> material and is encrypted using the - * same cipher. + * length as the <code>KeyVersion</code> material of the latest key version + * of the key and is encrypted using the same cipher. * <p/> * NOTE: The generated key is not stored by the <code>KeyProvider</code> * - * @param encryptionKeyVersion - * a KeyVersion object containing the keyVersion name and material - * to encrypt. + * @param encryptionKeyName + * The latest KeyVersion of this key's material will be encrypted. * @return EncryptedKeyVersion with the generated key material, the version * name is 'EEK' (for Encrypted Encryption Key) * @throws IOException @@ -101,7 +100,7 @@ public class KeyProviderCryptoExtension extends * cryptographic issue. */ public EncryptedKeyVersion generateEncryptedKey( - KeyVersion encryptionKeyVersion) throws IOException, + String encryptionKeyName) throws IOException, GeneralSecurityException; /** @@ -146,12 +145,11 @@ public class KeyProviderCryptoExtension extends } @Override - public EncryptedKeyVersion generateEncryptedKey(KeyVersion keyVersion) + public EncryptedKeyVersion generateEncryptedKey(String encryptionKeyName) throws IOException, GeneralSecurityException { - KeyVersion keyVer = - keyProvider.getKeyVersion(keyVersion.getVersionName()); - Preconditions.checkNotNull(keyVer, "KeyVersion name '%s' does not exist", - keyVersion.getVersionName()); + KeyVersion keyVer = keyProvider.getCurrentKey(encryptionKeyName); + Preconditions.checkNotNull(keyVer, "No KeyVersion exists for key '%s' ", + encryptionKeyName); byte[] newKey = new byte[keyVer.getMaterial().length]; SecureRandom.getInstance("SHA1PRNG").nextBytes(newKey); Cipher cipher = Cipher.getInstance("AES/CTR/NoPadding"); @@ -159,8 +157,8 @@ public class KeyProviderCryptoExtension extends cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keyVer.getMaterial(), "AES"), new IvParameterSpec(flipIV(iv))); byte[] ek = cipher.doFinal(newKey); - return new EncryptedKeyVersion(keyVersion.getName(), - keyVersion.getVersionName(), iv, + return new EncryptedKeyVersion(encryptionKeyName, + keyVer.getVersionName(), iv, new KeyVersion(keyVer.getName(), EEK, ek)); } @@ -197,18 +195,18 @@ public class KeyProviderCryptoExtension extends * <p/> * NOTE: The generated key is not stored by the <code>KeyProvider</code> * - * @param encryptionKey a KeyVersion object containing the keyVersion name and - * material to encrypt. + * @param encryptionKeyName The latest KeyVersion of this key's material will + * be encrypted. * @return EncryptedKeyVersion with the generated key material, the version * name is 'EEK' (for Encrypted Encryption Key) * @throws IOException thrown if the key material could not be generated * @throws GeneralSecurityException thrown if the key material could not be * encrypted because of a cryptographic issue. */ - public EncryptedKeyVersion generateEncryptedKey(KeyVersion encryptionKey) + public EncryptedKeyVersion generateEncryptedKey(String encryptionKeyName) throws IOException, GeneralSecurityException { - return getExtension().generateEncryptedKey(encryptionKey); + return getExtension().generateEncryptedKey(encryptionKeyName); } /** diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderCryptoExtension.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderCryptoExtension.java index 3ca6f8376d..4b578c2377 100644 --- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderCryptoExtension.java +++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/crypto/key/TestKeyProviderCryptoExtension.java @@ -42,7 +42,7 @@ public class TestKeyProviderCryptoExtension { KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp); KeyProviderCryptoExtension.EncryptedKeyVersion ek1 = - kpExt.generateEncryptedKey(kv); + kpExt.generateEncryptedKey(kv.getName()); Assert.assertEquals(KeyProviderCryptoExtension.EEK, ek1.getEncryptedKey().getVersionName()); Assert.assertEquals("foo", ek1.getKeyName()); @@ -56,7 +56,7 @@ public class TestKeyProviderCryptoExtension { Assert.assertEquals(kv.getMaterial().length, k1.getMaterial().length); KeyProviderCryptoExtension.EncryptedKeyVersion ek2 = - kpExt.generateEncryptedKey(kv); + kpExt.generateEncryptedKey(kv.getName()); KeyProvider.KeyVersion k2 = kpExt.decryptEncryptedKey(ek2); boolean eq = true; for (int i = 0; eq && i < ek2.getEncryptedKey().getMaterial().length; i++) {