Esempio n. 1
0
 /// <exception cref="System.IO.IOException"/>
 public override KeyProvider.KeyVersion RollNewVersion(string name, byte[] material
                                                       )
 {
     KeyProvider.KeyVersion keyVersion = base.RollNewVersion(name, material);
     GetExtension().Drain(name);
     return(keyVersion);
 }
Esempio n. 2
0
        public virtual Response DecryptEncryptedKey(string versionName, string eekOp, IDictionary
                                                    jsonPayload)
        {
            UserGroupInformation user = HttpUserGroupInformation.Get();

            KMSClientProvider.CheckNotEmpty(versionName, "versionName");
            KMSClientProvider.CheckNotNull(eekOp, "eekOp");
            string keyName        = (string)jsonPayload[KMSRESTConstants.NameField];
            string ivStr          = (string)jsonPayload[KMSRESTConstants.IvField];
            string encMaterialStr = (string)jsonPayload[KMSRESTConstants.MaterialField];
            object retJSON;

            if (eekOp.Equals(KMSRESTConstants.EekDecrypt))
            {
                AssertAccess(KMSACLs.Type.DecryptEek, user, KMS.KMSOp.DecryptEek, keyName);
                KMSClientProvider.CheckNotNull(ivStr, KMSRESTConstants.IvField);
                byte[] iv = Base64.DecodeBase64(ivStr);
                KMSClientProvider.CheckNotNull(encMaterialStr, KMSRESTConstants.MaterialField);
                byte[] encMaterial = Base64.DecodeBase64(encMaterialStr);
                KeyProvider.KeyVersion retKeyVersion = user.DoAs(new _PrivilegedExceptionAction_433
                                                                     (this, keyName, versionName, iv, encMaterial));
                retJSON = KMSServerJSONUtils.ToJSON(retKeyVersion);
                kmsAudit.Ok(user, KMS.KMSOp.DecryptEek, keyName, string.Empty);
            }
            else
            {
                throw new ArgumentException("Wrong " + KMSRESTConstants.EekOp + " value, it must be "
                                            + KMSRESTConstants.EekGenerate + " or " + KMSRESTConstants.EekDecrypt);
            }
            KMSWebApp.GetDecryptEEKCallsMeter().Mark();
            return(Response.Ok().Type(MediaType.ApplicationJson).Entity(retJSON).Build());
        }
Esempio n. 3
0
        public virtual Response RolloverKey(string name, IDictionary jsonMaterial)
        {
            KMSWebApp.GetAdminCallsMeter().Mark();
            UserGroupInformation user = HttpUserGroupInformation.Get();

            AssertAccess(KMSACLs.Type.Rollover, user, KMS.KMSOp.RollNewVersion, name);
            KMSClientProvider.CheckNotEmpty(name, "name");
            string material = (string)jsonMaterial[KMSRESTConstants.MaterialField];

            if (material != null)
            {
                AssertAccess(KMSACLs.Type.SetKeyMaterial, user, KMS.KMSOp.RollNewVersion, name);
            }
            KeyProvider.KeyVersion keyVersion = user.DoAs(new _PrivilegedExceptionAction_200(
                                                              this, material, name));
            kmsAudit.Ok(user, KMS.KMSOp.RollNewVersion, name, "UserProvidedMaterial:" + (material
                                                                                         != null) + " NewVersion:" + keyVersion.GetVersionName());
            if (!KMSWebApp.GetACLs().HasAccess(KMSACLs.Type.Get, user))
            {
                keyVersion = RemoveKeyMaterial(keyVersion);
            }
            IDictionary json = KMSServerJSONUtils.ToJSON(keyVersion);

            return(Response.Ok().Type(MediaType.ApplicationJson).Entity(json).Build());
        }
Esempio n. 4
0
        public static IDictionary ToJSON(KeyProvider.KeyVersion keyVersion)
        {
            IDictionary json = new LinkedHashMap();

            if (keyVersion != null)
            {
                json[KMSRESTConstants.NameField]        = keyVersion.GetName();
                json[KMSRESTConstants.VersionNameField] = keyVersion.GetVersionName();
                json[KMSRESTConstants.MaterialField]    = Base64.EncodeBase64URLSafeString(keyVersion
                                                                                           .GetMaterial());
            }
            return(json);
        }
Esempio n. 5
0
 private static KeyProvider.KeyVersion ParseJSONKeyVersion(IDictionary valueMap)
 {
     KeyProvider.KeyVersion keyVersion = null;
     if (!valueMap.IsEmpty())
     {
         byte[] material = (valueMap.Contains(KMSRESTConstants.MaterialField)) ? Base64.DecodeBase64
                               ((string)valueMap[KMSRESTConstants.MaterialField]) : null;
         string versionName = (string)valueMap[KMSRESTConstants.VersionNameField];
         string keyName     = (string)valueMap[KMSRESTConstants.NameField];
         keyVersion = new KMSClientProvider.KMSKeyVersion(keyName, versionName, material);
     }
     return(keyVersion);
 }
Esempio n. 6
0
        public virtual Response CreateKey(IDictionary jsonKey)
        {
            KMSWebApp.GetAdminCallsMeter().Mark();
            UserGroupInformation user = HttpUserGroupInformation.Get();
            string name = (string)jsonKey[KMSRESTConstants.NameField];

            KMSClientProvider.CheckNotEmpty(name, KMSRESTConstants.NameField);
            AssertAccess(KMSACLs.Type.Create, user, KMS.KMSOp.CreateKey, name);
            string cipher   = (string)jsonKey[KMSRESTConstants.CipherField];
            string material = (string)jsonKey[KMSRESTConstants.MaterialField];
            int    length   = (jsonKey.Contains(KMSRESTConstants.LengthField)) ? (int)jsonKey[KMSRESTConstants
                                                                                              .LengthField] : 0;
            string description = (string)jsonKey[KMSRESTConstants.DescriptionField];
            IDictionary <string, string> attributes = (IDictionary <string, string>)jsonKey[KMSRESTConstants
                                                                                            .AttributesField];

            if (material != null)
            {
                AssertAccess(KMSACLs.Type.SetKeyMaterial, user, KMS.KMSOp.CreateKey, name);
            }
            KeyProvider.Options options = new KeyProvider.Options(KMSWebApp.GetConfiguration(
                                                                      ));
            if (cipher != null)
            {
                options.SetCipher(cipher);
            }
            if (length != 0)
            {
                options.SetBitLength(length);
            }
            options.SetDescription(description);
            options.SetAttributes(attributes);
            KeyProvider.KeyVersion keyVersion = user.DoAs(new _PrivilegedExceptionAction_132(
                                                              this, material, name, options));
            kmsAudit.Ok(user, KMS.KMSOp.CreateKey, name, "UserProvidedMaterial:" + (material
                                                                                    != null) + " Description:" + description);
            if (!KMSWebApp.GetACLs().HasAccess(KMSACLs.Type.Get, user))
            {
                keyVersion = RemoveKeyMaterial(keyVersion);
            }
            IDictionary json       = KMSServerJSONUtils.ToJSON(keyVersion);
            string      requestURL = KMSMDCFilter.GetURL();
            int         idx        = requestURL.LastIndexOf(KMSRESTConstants.KeysResource);

            requestURL = Runtime.Substring(requestURL, 0, idx);
            string keyURL = requestURL + KMSRESTConstants.KeyResource + "/" + name;

            return(Response.Created(GetKeyURI(name)).Type(MediaType.ApplicationJson).Header("Location"
                                                                                            , keyURL).Entity(json).Build());
        }
Esempio n. 7
0
        public virtual Response GetCurrentVersion(string name)
        {
            UserGroupInformation user = HttpUserGroupInformation.Get();

            KMSClientProvider.CheckNotEmpty(name, "name");
            KMSWebApp.GetKeyCallsMeter().Mark();
            AssertAccess(KMSACLs.Type.Get, user, KMS.KMSOp.GetCurrentKey, name);
            KeyProvider.KeyVersion keyVersion = user.DoAs(new _PrivilegedExceptionAction_312(
                                                              this, name));
            object json = KMSServerJSONUtils.ToJSON(keyVersion);

            kmsAudit.Ok(user, KMS.KMSOp.GetCurrentKey, name, string.Empty);
            return(Response.Ok().Type(MediaType.ApplicationJson).Entity(json).Build());
        }
Esempio n. 8
0
 /// <exception cref="System.IO.IOException"/>
 public override KeyProvider.KeyVersion GetKeyVersion(string versionName)
 {
     readLock.Lock();
     try
     {
         KeyProvider.KeyVersion keyVersion = provider.GetKeyVersion(versionName);
         if (keyVersion != null)
         {
             DoAccessCheck(keyVersion.GetName(), KeyAuthorizationKeyProvider.KeyOpType.Read);
         }
         return(keyVersion);
     }
     finally
     {
         readLock.Unlock();
     }
 }
Esempio n. 9
0
        /// <exception cref="System.IO.IOException"/>
        private void VerifyKeyVersionBelongsToKey(KeyProviderCryptoExtension.EncryptedKeyVersion
                                                  ekv)
        {
            string kn  = ekv.GetEncryptionKeyName();
            string kvn = ekv.GetEncryptionKeyVersionName();

            KeyProvider.KeyVersion kv = provider.GetKeyVersion(kvn);
            if (kv == null)
            {
                throw new ArgumentException(string.Format("'%s' not found", kvn));
            }
            if (!kv.GetName().Equals(kn))
            {
                throw new ArgumentException(string.Format("KeyVersion '%s' does not belong to the key '%s'"
                                                          , kvn, kn));
            }
        }
Esempio n. 10
0
            /// <exception cref="System.Exception"/>
            public Void Run()
            {
                KeyProvider.Options          opt = TestKeyAuthorizationKeyProvider.NewOptions(conf);
                IDictionary <string, string> m   = new Dictionary <string, string>();

                m["key.acl.name"] = "testKey";
                opt.SetAttributes(m);
                KeyProvider.KeyVersion kv = kpExt.CreateKey("foo", SecureRandom.GetSeed(16), opt);
                kpExt.RollNewVersion(kv.GetName());
                kpExt.RollNewVersion(kv.GetName(), SecureRandom.GetSeed(16));
                KeyProviderCryptoExtension.EncryptedKeyVersion ekv = kpExt.GenerateEncryptedKey(kv
                                                                                                .GetName());
                ekv = KeyProviderCryptoExtension.EncryptedKeyVersion.CreateForDecryption(ekv.GetEncryptionKeyName
                                                                                             () + "x", ekv.GetEncryptionKeyVersionName(), ekv.GetEncryptedKeyIv(), ekv.GetEncryptedKeyVersion
                                                                                             ().GetMaterial());
                kpExt.DecryptEncryptedKey(ekv);
                return(null);
            }
Esempio n. 11
0
        public virtual void TestOpsWhenACLAttributeExists()
        {
            Configuration conf = new Configuration();
            KeyProvider   kp   = new UserProvider.Factory().CreateProvider(new URI("user:///"), conf
                                                                           );

            KeyAuthorizationKeyProvider.KeyACLs mock = Org.Mockito.Mockito.Mock <KeyAuthorizationKeyProvider.KeyACLs
                                                                                 >();
            Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType
                                                       .Management)).ThenReturn(true);
            Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType
                                                       .GenerateEek)).ThenReturn(true);
            Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType
                                                       .DecryptEek)).ThenReturn(true);
            Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType
                                                       .All)).ThenReturn(true);
            UserGroupInformation u1   = UserGroupInformation.CreateRemoteUser("u1");
            UserGroupInformation u2   = UserGroupInformation.CreateRemoteUser("u2");
            UserGroupInformation u3   = UserGroupInformation.CreateRemoteUser("u3");
            UserGroupInformation sudo = UserGroupInformation.CreateRemoteUser("sudo");

            Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", u1, KeyAuthorizationKeyProvider.KeyOpType
                                                         .Management)).ThenReturn(true);
            Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", u2, KeyAuthorizationKeyProvider.KeyOpType
                                                         .GenerateEek)).ThenReturn(true);
            Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", u3, KeyAuthorizationKeyProvider.KeyOpType
                                                         .DecryptEek)).ThenReturn(true);
            Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", sudo, KeyAuthorizationKeyProvider.KeyOpType
                                                         .All)).ThenReturn(true);
            KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(KeyProviderCryptoExtension
                                                                               .CreateKeyProviderCryptoExtension(kp), mock);

            KeyProvider.KeyVersion barKv = u1.DoAs(new _PrivilegedExceptionAction_127(conf, kpExt
                                                                                      ));
            KeyProviderCryptoExtension.EncryptedKeyVersion barEKv = u2.DoAs(new _PrivilegedExceptionAction_159
                                                                                (kpExt, barKv));
            u3.DoAs(new _PrivilegedExceptionAction_173(kpExt, barKv, barEKv));
            sudo.DoAs(new _PrivilegedExceptionAction_187(conf, kpExt));
        }
Esempio n. 12
0
        /// <exception cref="NoSuchAlgorithmException"/>
        /// <exception cref="System.IO.IOException"/>
        private KeyProvider.KeyVersion RollNewVersionInternal(string name, byte[] material
                                                              )
        {
            CheckNotEmpty(name, "name");
            IDictionary <string, string> jsonMaterial = new Dictionary <string, string>();

            if (material != null)
            {
                jsonMaterial[KMSRESTConstants.MaterialField] = Base64.EncodeBase64String(material
                                                                                         );
            }
            Uri url = CreateURL(KMSRESTConstants.KeyResource, name, null, null);
            HttpURLConnection conn = CreateConnection(url, HttpPost);

            conn.SetRequestProperty(ContentType, ApplicationJsonMime);
            IDictionary response = Call <IDictionary>(conn, jsonMaterial, HttpURLConnection.HttpOk
                                                      );

            KeyProvider.KeyVersion keyVersion = ParseJSONKeyVersion(response);
            encKeyVersionQueue.Drain(name);
            return(keyVersion);
        }
Esempio n. 13
0
            /// <exception cref="System.Exception"/>
            public Void Run()
            {
                KeyProvider.Options          opt = TestKeyAuthorizationKeyProvider.NewOptions(conf);
                IDictionary <string, string> m   = new Dictionary <string, string>();

                m["key.acl.name"] = "testKey";
                opt.SetAttributes(m);
                try
                {
                    KeyProvider.KeyVersion kv = kpExt.CreateKey("foo", SecureRandom.GetSeed(16), opt);
                    kpExt.RollNewVersion(kv.GetName());
                    kpExt.RollNewVersion(kv.GetName(), SecureRandom.GetSeed(16));
                    KeyProviderCryptoExtension.EncryptedKeyVersion ekv = kpExt.GenerateEncryptedKey(kv
                                                                                                    .GetName());
                    kpExt.DecryptEncryptedKey(ekv);
                    kpExt.DeleteKey(kv.GetName());
                }
                catch (IOException)
                {
                    NUnit.Framework.Assert.Fail("User should be Allowed to do everything !!");
                }
                return(null);
            }
Esempio n. 14
0
 public _PrivilegedExceptionAction_159(KeyProviderCryptoExtension kpExt, KeyProvider.KeyVersion
                                       barKv)
 {
     this.kpExt = kpExt;
     this.barKv = barKv;
 }
Esempio n. 15
0
 private static KeyProvider.KeyVersion RemoveKeyMaterial(KeyProvider.KeyVersion keyVersion
                                                         )
 {
     return(new KMSClientProvider.KMSKeyVersion(keyVersion.GetName(), keyVersion.GetVersionName
                                                    (), null));
 }