/// <summary>Wraps a given InputStream with a CryptoInputStream.</summary> /// <remarks> /// Wraps a given InputStream with a CryptoInputStream. The size of the data /// buffer required for the stream is specified by the /// "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration /// variable. /// If the value of 'length' is > -1, The InputStream is additionally /// wrapped in a LimitInputStream. CryptoStreams are late buffering in nature. /// This means they will always try to read ahead if they can. The /// LimitInputStream will ensure that the CryptoStream does not read past the /// provided length from the given Input Stream. /// </remarks> /// <param name="conf"/> /// <param name="in"/> /// <param name="length"/> /// <returns>InputStream</returns> /// <exception cref="System.IO.IOException"/> public static InputStream WrapIfNecessary(Configuration conf, InputStream @in, long length) { if (IsEncryptedSpillEnabled(conf)) { int bufferSize = GetBufferSize(conf); if (length > -1) { @in = new LimitInputStream(@in, length); } byte[] offsetArray = new byte[8]; IOUtils.ReadFully(@in, offsetArray, 0, 8); long offset = ByteBuffer.Wrap(offsetArray).GetLong(); CryptoCodec cryptoCodec = CryptoCodec.GetInstance(conf); byte[] iv = new byte[cryptoCodec.GetCipherSuite().GetAlgorithmBlockSize()]; IOUtils.ReadFully(@in, iv, 0, cryptoCodec.GetCipherSuite().GetAlgorithmBlockSize( )); if (Log.IsDebugEnabled()) { Log.Debug("IV read from [" + Base64.EncodeBase64URLSafeString(iv) + "]"); } return(new CryptoInputStream(@in, cryptoCodec, bufferSize, GetEncryptionKey(), iv , offset + CryptoPadding(conf))); } else { return(@in); } }
/// <summary>Wraps a given FSDataInputStream with a CryptoInputStream.</summary> /// <remarks> /// Wraps a given FSDataInputStream with a CryptoInputStream. The size of the /// data buffer required for the stream is specified by the /// "mapreduce.job.encrypted-intermediate-data.buffer.kb" Job configuration /// variable. /// </remarks> /// <param name="conf"/> /// <param name="in"/> /// <returns>FSDataInputStream</returns> /// <exception cref="System.IO.IOException"/> public static FSDataInputStream WrapIfNecessary(Configuration conf, FSDataInputStream @in) { if (IsEncryptedSpillEnabled(conf)) { CryptoCodec cryptoCodec = CryptoCodec.GetInstance(conf); int bufferSize = GetBufferSize(conf); // Not going to be used... but still has to be read... // Since the O/P stream always writes it.. IOUtils.ReadFully(@in, new byte[8], 0, 8); byte[] iv = new byte[cryptoCodec.GetCipherSuite().GetAlgorithmBlockSize()]; IOUtils.ReadFully(@in, iv, 0, cryptoCodec.GetCipherSuite().GetAlgorithmBlockSize( )); if (Log.IsDebugEnabled()) { Log.Debug("IV read from Stream [" + Base64.EncodeBase64URLSafeString(iv) + "]"); } return(new CryptoFSDataInputStream(@in, cryptoCodec, bufferSize, GetEncryptionKey (), iv)); } else { return(@in); } }
/// <exception cref="System.IO.IOException"/> /// <exception cref="GeneralSecurityException"/> public virtual KeyProviderCryptoExtension.EncryptedKeyVersion GenerateEncryptedKey (string encryptionKeyName) { // Fetch the encryption key KeyProvider.KeyVersion encryptionKey = keyProvider.GetCurrentKey(encryptionKeyName ); Preconditions.CheckNotNull(encryptionKey, "No KeyVersion exists for key '%s' ", encryptionKeyName ); // Generate random bytes for new key and IV CryptoCodec cc = CryptoCodec.GetInstance(keyProvider.GetConf()); byte[] newKey = new byte[encryptionKey.GetMaterial().Length]; cc.GenerateSecureRandom(newKey); byte[] iv = new byte[cc.GetCipherSuite().GetAlgorithmBlockSize()]; cc.GenerateSecureRandom(iv); // Encryption key IV is derived from new key's IV byte[] encryptionIV = KeyProviderCryptoExtension.EncryptedKeyVersion.DeriveIV(iv); Encryptor encryptor = cc.CreateEncryptor(); encryptor.Init(encryptionKey.GetMaterial(), encryptionIV); int keyLen = newKey.Length; ByteBuffer bbIn = ByteBuffer.AllocateDirect(keyLen); ByteBuffer bbOut = ByteBuffer.AllocateDirect(keyLen); bbIn.Put(newKey); bbIn.Flip(); encryptor.Encrypt(bbIn, bbOut); bbOut.Flip(); byte[] encryptedKey = new byte[keyLen]; bbOut.Get(encryptedKey); return(new KeyProviderCryptoExtension.EncryptedKeyVersion(encryptionKeyName, encryptionKey .GetVersionName(), iv, new KeyProvider.KeyVersion(encryptionKey.GetName(), Eek, encryptedKey))); }
/// <summary>This method creates and initializes an IV (Initialization Vector)</summary> /// <param name="conf"/> /// <returns>byte[]</returns> /// <exception cref="System.IO.IOException"/> public static byte[] CreateIV(Configuration conf) { CryptoCodec cryptoCodec = CryptoCodec.GetInstance(conf); if (IsEncryptedSpillEnabled(conf)) { byte[] iv = new byte[cryptoCodec.GetCipherSuite().GetAlgorithmBlockSize()]; cryptoCodec.GenerateSecureRandom(iv); return(iv); } else { return(null); } }