/// <exception cref="System.IO.IOException"/>
/// <exception cref="GeneralSecurityException"/>
public virtual KeyProviderCryptoExtension.EncryptedKeyVersion GenerateEncryptedKey
(string encryptionKeyName)
{
// Fetch the encryption key
KeyProvider.KeyVersion encryptionKey = keyProvider.GetCurrentKey(encryptionKeyName
);
Preconditions.CheckNotNull(encryptionKey, "No KeyVersion exists for key '%s' ", encryptionKeyName
);
// Generate random bytes for new key and IV
CryptoCodec cc = CryptoCodec.GetInstance(keyProvider.GetConf());
byte[] newKey = new byte[encryptionKey.GetMaterial().Length];
cc.GenerateSecureRandom(newKey);
byte[] iv = new byte[cc.GetCipherSuite().GetAlgorithmBlockSize()];
cc.GenerateSecureRandom(iv);
// Encryption key IV is derived from new key's IV
byte[] encryptionIV = KeyProviderCryptoExtension.EncryptedKeyVersion.DeriveIV(iv);
Encryptor encryptor = cc.CreateEncryptor();
encryptor.Init(encryptionKey.GetMaterial(), encryptionIV);
int keyLen = newKey.Length;
ByteBuffer bbIn = ByteBuffer.AllocateDirect(keyLen);
ByteBuffer bbOut = ByteBuffer.AllocateDirect(keyLen);
bbIn.Put(newKey);
bbIn.Flip();
encryptor.Encrypt(bbIn, bbOut);
bbOut.Flip();
byte[] encryptedKey = new byte[keyLen];
bbOut.Get(encryptedKey);
return(new KeyProviderCryptoExtension.EncryptedKeyVersion(encryptionKeyName, encryptionKey
.GetVersionName(), iv, new KeyProvider.KeyVersion(encryptionKey.GetName(), Eek,
encryptedKey)));
}
/// <summary>Negotiate a cipher option which server supports.</summary>
/// <param name="conf">the configuration</param>
/// <param name="options">the cipher options which client supports</param>
/// <returns>CipherOption negotiated cipher option</returns>
/// <exception cref="System.IO.IOException"/>
public static CipherOption NegotiateCipherOption(Configuration conf, IList <CipherOption
> options)
{
// Negotiate cipher suites if configured. Currently, the only supported
// cipher suite is AES/CTR/NoPadding, but the protocol allows multiple
// values for future expansion.
string cipherSuites = conf.Get(DFSConfigKeys.DfsEncryptDataTransferCipherSuitesKey
);
if (cipherSuites == null || cipherSuites.IsEmpty())
{
return(null);
}
if (!cipherSuites.Equals(CipherSuite.AesCtrNopadding.GetName()))
{
throw new IOException(string.Format("Invalid cipher suite, %s=%s", DFSConfigKeys.
DfsEncryptDataTransferCipherSuitesKey, cipherSuites));
}
if (options != null)
{
foreach (CipherOption option in options)
{
CipherSuite suite = option.GetCipherSuite();
if (suite == CipherSuite.AesCtrNopadding)
{
int keyLen = conf.GetInt(DFSConfigKeys.DfsEncryptDataTransferCipherKeyBitlengthKey
, DFSConfigKeys.DfsEncryptDataTransferCipherKeyBitlengthDefault) / 8;
CryptoCodec codec = CryptoCodec.GetInstance(conf, suite);
byte[] inKey = new byte[keyLen];
byte[] inIv = new byte[suite.GetAlgorithmBlockSize()];
byte[] outKey = new byte[keyLen];
byte[] outIv = new byte[suite.GetAlgorithmBlockSize()];
codec.GenerateSecureRandom(inKey);
codec.GenerateSecureRandom(inIv);
codec.GenerateSecureRandom(outKey);
codec.GenerateSecureRandom(outIv);
return(new CipherOption(suite, inKey, inIv, outKey, outIv));
}
}
}
return(null);
}
/// <summary>This method creates and initializes an IV (Initialization Vector)</summary>
/// <param name="conf"/>
/// <returns>byte[]</returns>
/// <exception cref="System.IO.IOException"/>
public static byte[] CreateIV(Configuration conf)
{
CryptoCodec cryptoCodec = CryptoCodec.GetInstance(conf);
if (IsEncryptedSpillEnabled(conf))
{
byte[] iv = new byte[cryptoCodec.GetCipherSuite().GetAlgorithmBlockSize()];
cryptoCodec.GenerateSecureRandom(iv);
return(iv);
}
else
{
return(null);
}
}
