/// <summary>Wraps a given InputStream with a CryptoInputStream.</summary>
/// <remarks>
/// Wraps a given InputStream with a CryptoInputStream. The size of the data
/// buffer required for the stream is specified by the
/// "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration
/// variable.
/// If the value of 'length' is > -1, The InputStream is additionally
/// wrapped in a LimitInputStream. CryptoStreams are late buffering in nature.
/// This means they will always try to read ahead if they can. The
/// LimitInputStream will ensure that the CryptoStream does not read past the
/// provided length from the given Input Stream.
/// </remarks>
/// <param name="conf"/>
/// <param name="in"/>
/// <param name="length"/>
/// <returns>InputStream</returns>
/// <exception cref="System.IO.IOException"/>
public static InputStream WrapIfNecessary(Configuration conf, InputStream @in, long
length)
{
if (IsEncryptedSpillEnabled(conf))
{
int bufferSize = GetBufferSize(conf);
if (length > -1)
{
@in = new LimitInputStream(@in, length);
}
byte[] offsetArray = new byte[8];
IOUtils.ReadFully(@in, offsetArray, 0, 8);
long offset = ByteBuffer.Wrap(offsetArray).GetLong();
CryptoCodec cryptoCodec = CryptoCodec.GetInstance(conf);
byte[] iv = new byte[cryptoCodec.GetCipherSuite().GetAlgorithmBlockSize()];
IOUtils.ReadFully(@in, iv, 0, cryptoCodec.GetCipherSuite().GetAlgorithmBlockSize(
));
if (Log.IsDebugEnabled())
{
Log.Debug("IV read from [" + Base64.EncodeBase64URLSafeString(iv) + "]");
}
return(new CryptoInputStream(@in, cryptoCodec, bufferSize, GetEncryptionKey(), iv
, offset + CryptoPadding(conf)));
}
else
{
return(@in);
}
}
/// <summary>Wraps a given FSDataInputStream with a CryptoInputStream.</summary>
/// <remarks>
/// Wraps a given FSDataInputStream with a CryptoInputStream. The size of the
/// data buffer required for the stream is specified by the
/// "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration
/// variable.
/// </remarks>
/// <param name="conf"/>
/// <param name="in"/>
/// <returns>FSDataInputStream</returns>
/// <exception cref="System.IO.IOException"/>
public static FSDataInputStream WrapIfNecessary(Configuration conf, FSDataInputStream
@in)
{
if (IsEncryptedSpillEnabled(conf))
{
CryptoCodec cryptoCodec = CryptoCodec.GetInstance(conf);
int bufferSize = GetBufferSize(conf);
// Not going to be used... but still has to be read...
// Since the O/P stream always writes it..
IOUtils.ReadFully(@in, new byte[8], 0, 8);
byte[] iv = new byte[cryptoCodec.GetCipherSuite().GetAlgorithmBlockSize()];
IOUtils.ReadFully(@in, iv, 0, cryptoCodec.GetCipherSuite().GetAlgorithmBlockSize(
));
if (Log.IsDebugEnabled())
{
Log.Debug("IV read from Stream [" + Base64.EncodeBase64URLSafeString(iv) + "]");
}
return(new CryptoFSDataInputStream(@in, cryptoCodec, bufferSize, GetEncryptionKey
(), iv));
}
else
{
return(@in);
}
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="GeneralSecurityException"/>
public virtual KeyProviderCryptoExtension.EncryptedKeyVersion GenerateEncryptedKey
(string encryptionKeyName)
{
// Fetch the encryption key
KeyProvider.KeyVersion encryptionKey = keyProvider.GetCurrentKey(encryptionKeyName
);
Preconditions.CheckNotNull(encryptionKey, "No KeyVersion exists for key '%s' ", encryptionKeyName
);
// Generate random bytes for new key and IV
CryptoCodec cc = CryptoCodec.GetInstance(keyProvider.GetConf());
byte[] newKey = new byte[encryptionKey.GetMaterial().Length];
cc.GenerateSecureRandom(newKey);
byte[] iv = new byte[cc.GetCipherSuite().GetAlgorithmBlockSize()];
cc.GenerateSecureRandom(iv);
// Encryption key IV is derived from new key's IV
byte[] encryptionIV = KeyProviderCryptoExtension.EncryptedKeyVersion.DeriveIV(iv);
Encryptor encryptor = cc.CreateEncryptor();
encryptor.Init(encryptionKey.GetMaterial(), encryptionIV);
int keyLen = newKey.Length;
ByteBuffer bbIn = ByteBuffer.AllocateDirect(keyLen);
ByteBuffer bbOut = ByteBuffer.AllocateDirect(keyLen);
bbIn.Put(newKey);
bbIn.Flip();
encryptor.Encrypt(bbIn, bbOut);
bbOut.Flip();
byte[] encryptedKey = new byte[keyLen];
bbOut.Get(encryptedKey);
return(new KeyProviderCryptoExtension.EncryptedKeyVersion(encryptionKeyName, encryptionKey
.GetVersionName(), iv, new KeyProvider.KeyVersion(encryptionKey.GetName(), Eek,
encryptedKey)));
}
/// <summary>This method creates and initializes an IV (Initialization Vector)</summary>
/// <param name="conf"/>
/// <returns>byte[]</returns>
/// <exception cref="System.IO.IOException"/>
public static byte[] CreateIV(Configuration conf)
{
CryptoCodec cryptoCodec = CryptoCodec.GetInstance(conf);
if (IsEncryptedSpillEnabled(conf))
{
byte[] iv = new byte[cryptoCodec.GetCipherSuite().GetAlgorithmBlockSize()];
cryptoCodec.GenerateSecureRandom(iv);
return(iv);
}
else
{
return(null);
}
}
