public virtual void TestKeyVersion()
{
KeyProvider.KeyVersion mockKey = Org.Mockito.Mockito.Mock <KeyProvider.KeyVersion>
();
KeyProvider mockProv = Org.Mockito.Mockito.Mock <KeyProvider>();
Org.Mockito.Mockito.When(mockProv.GetKeyVersion(Org.Mockito.Mockito.Eq("k1@0"))).
ThenReturn(mockKey);
Org.Mockito.Mockito.When(mockProv.GetKeyVersion(Org.Mockito.Mockito.Eq("k2@0"))).
ThenReturn(null);
Org.Mockito.Mockito.When(mockProv.GetConf()).ThenReturn(new Configuration());
KeyProvider cache = new CachingKeyProvider(mockProv, 100, 100);
// asserting caching
Assert.Equal(mockKey, cache.GetKeyVersion("k1@0"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(1)).GetKeyVersion(
Org.Mockito.Mockito.Eq("k1@0"));
Assert.Equal(mockKey, cache.GetKeyVersion("k1@0"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(1)).GetKeyVersion(
Org.Mockito.Mockito.Eq("k1@0"));
Thread.Sleep(200);
Assert.Equal(mockKey, cache.GetKeyVersion("k1@0"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(2)).GetKeyVersion(
Org.Mockito.Mockito.Eq("k1@0"));
// asserting no caching when key is not known
cache = new CachingKeyProvider(mockProv, 100, 100);
Assert.Equal(null, cache.GetKeyVersion("k2@0"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(1)).GetKeyVersion(
Org.Mockito.Mockito.Eq("k2@0"));
Assert.Equal(null, cache.GetKeyVersion("k2@0"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(2)).GetKeyVersion(
Org.Mockito.Mockito.Eq("k2@0"));
}
public virtual void TestDeleteKey()
{
KeyProvider.KeyVersion mockKey = Org.Mockito.Mockito.Mock <KeyProvider.KeyVersion>
();
KeyProvider mockProv = Org.Mockito.Mockito.Mock <KeyProvider>();
Org.Mockito.Mockito.When(mockProv.GetCurrentKey(Org.Mockito.Mockito.Eq("k1"))).ThenReturn
(mockKey);
Org.Mockito.Mockito.When(mockProv.GetKeyVersion(Org.Mockito.Mockito.Eq("k1@0"))).
ThenReturn(mockKey);
Org.Mockito.Mockito.When(mockProv.GetMetadata(Org.Mockito.Mockito.Eq("k1"))).ThenReturn
(new KMSClientProvider.KMSMetadata("c", 0, "l", null, new DateTime(), 1));
Org.Mockito.Mockito.When(mockProv.GetConf()).ThenReturn(new Configuration());
KeyProvider cache = new CachingKeyProvider(mockProv, 100, 100);
Assert.Equal(mockKey, cache.GetCurrentKey("k1"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(1)).GetCurrentKey(
Org.Mockito.Mockito.Eq("k1"));
Assert.Equal(mockKey, cache.GetKeyVersion("k1@0"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(1)).GetKeyVersion(
Org.Mockito.Mockito.Eq("k1@0"));
cache.DeleteKey("k1");
// asserting the cache is purged
Assert.Equal(mockKey, cache.GetCurrentKey("k1"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(2)).GetCurrentKey(
Org.Mockito.Mockito.Eq("k1"));
Assert.Equal(mockKey, cache.GetKeyVersion("k1@0"));
Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(2)).GetKeyVersion(
Org.Mockito.Mockito.Eq("k1@0"));
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="GeneralSecurityException"/>
public virtual KeyProvider.KeyVersion DecryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion
encryptedKeyVersion)
{
// Fetch the encryption key material
string encryptionKeyVersionName = encryptedKeyVersion.GetEncryptionKeyVersionName
();
KeyProvider.KeyVersion encryptionKey = keyProvider.GetKeyVersion(encryptionKeyVersionName
);
Preconditions.CheckNotNull(encryptionKey, "KeyVersion name '%s' does not exist",
encryptionKeyVersionName);
Preconditions.CheckArgument(encryptedKeyVersion.GetEncryptedKeyVersion().GetVersionName
().Equals(KeyProviderCryptoExtension.Eek), "encryptedKey version name must be '%s', is '%s'"
, KeyProviderCryptoExtension.Eek, encryptedKeyVersion.GetEncryptedKeyVersion().GetVersionName
());
// Encryption key IV is determined from encrypted key's IV
byte[] encryptionIV = KeyProviderCryptoExtension.EncryptedKeyVersion.DeriveIV(encryptedKeyVersion
.GetEncryptedKeyIv());
CryptoCodec cc = CryptoCodec.GetInstance(keyProvider.GetConf());
Decryptor decryptor = cc.CreateDecryptor();
decryptor.Init(encryptionKey.GetMaterial(), encryptionIV);
KeyProvider.KeyVersion encryptedKV = encryptedKeyVersion.GetEncryptedKeyVersion();
int keyLen = encryptedKV.GetMaterial().Length;
ByteBuffer bbIn = ByteBuffer.AllocateDirect(keyLen);
ByteBuffer bbOut = ByteBuffer.AllocateDirect(keyLen);
bbIn.Put(encryptedKV.GetMaterial());
bbIn.Flip();
decryptor.Decrypt(bbIn, bbOut);
bbOut.Flip();
byte[] decryptedKey = new byte[keyLen];
bbOut.Get(decryptedKey);
return(new KeyProvider.KeyVersion(encryptionKey.GetName(), Ek, decryptedKey));
}
public virtual void TestJksProviderWithKeytoolKeys()
{
Configuration conf = new Configuration();
string keystoreDirAbsolutePath = conf.GetResource("hdfs7067.keystore").AbsolutePath;
string ourUrl = JavaKeyStoreProvider.SchemeName + "://file@/" + keystoreDirAbsolutePath;
conf.Set(KeyProviderFactory.KeyProviderPath, ourUrl);
KeyProvider provider = KeyProviderFactory.GetProviders(conf)[0];
// Sanity check that we are using the right keystore
KeyProvider.KeyVersion keyVersion = provider.GetKeyVersion("testkey5@0");
try
{
KeyProvider.KeyVersion keyVersionWrongKeyNameFormat = provider.GetKeyVersion("testkey2"
);
NUnit.Framework.Assert.Fail("should have thrown an exception");
}
catch (IOException e)
{
// No version in key path testkey2/
GenericTestUtils.AssertExceptionContains("No version in key path", e);
}
try
{
KeyProvider.KeyVersion keyVersionCurrentKeyNotWrongKeyNameFormat = provider.GetCurrentKey
("testkey5@0");
NUnit.Framework.Assert.Fail("should have thrown an exception getting testkey5@0");
}
catch (IOException e)
{
// javax.crypto.spec.SecretKeySpec cannot be cast to
// org.apache.hadoop.crypto.key.JavaKeyStoreProvider$KeyMetadata
GenericTestUtils.AssertExceptionContains("other non-Hadoop method", e);
}
try
{
KeyProvider.KeyVersion keyVersionCurrentKeyNotReally = provider.GetCurrentKey("testkey2"
);
NUnit.Framework.Assert.Fail("should have thrown an exception getting testkey2");
}
catch (IOException e)
{
// javax.crypto.spec.SecretKeySpec cannot be cast to
// org.apache.hadoop.crypto.key.JavaKeyStoreProvider$KeyMetadata
GenericTestUtils.AssertExceptionContains("other non-Hadoop method", e);
}
}
/// <exception cref="System.Exception"/>
internal static void CheckSpecificProvider(Configuration conf, string ourUrl)
{
KeyProvider provider = KeyProviderFactory.GetProviders(conf)[0];
byte[] key1 = new byte[16];
byte[] key2 = new byte[16];
byte[] key3 = new byte[16];
for (int i = 0; i < key1.Length; ++i)
{
key1[i] = unchecked ((byte)i);
key2[i] = unchecked ((byte)(i * 2));
key3[i] = unchecked ((byte)(i * 3));
}
// ensure that we get nulls when the key isn't there
Assert.Equal(null, provider.GetKeyVersion("no-such-key"));
Assert.Equal(null, provider.GetMetadata("key"));
// create a new key
try
{
provider.CreateKey("key3", key3, KeyProvider.Options(conf));
}
catch (Exception e)
{
Runtime.PrintStackTrace(e);
throw;
}
// check the metadata for key3
KeyProvider.Metadata meta = provider.GetMetadata("key3");
Assert.Equal(KeyProvider.DefaultCipher, meta.GetCipher());
Assert.Equal(KeyProvider.DefaultBitlength, meta.GetBitLength()
);
Assert.Equal(1, meta.GetVersions());
// make sure we get back the right key
Assert.AssertArrayEquals(key3, provider.GetCurrentKey("key3").GetMaterial());
Assert.Equal("key3@0", provider.GetCurrentKey("key3").GetVersionName
());
// try recreating key3
try
{
provider.CreateKey("key3", key3, KeyProvider.Options(conf));
Assert.True("should throw", false);
}
catch (IOException e)
{
Assert.Equal("Key key3 already exists in " + ourUrl, e.Message
);
}
provider.DeleteKey("key3");
try
{
provider.DeleteKey("key3");
Assert.True("should throw", false);
}
catch (IOException e)
{
Assert.Equal("Key key3 does not exist in " + ourUrl, e.Message
);
}
provider.CreateKey("key3", key3, KeyProvider.Options(conf));
try
{
provider.CreateKey("key4", key3, KeyProvider.Options(conf).SetBitLength(8));
Assert.True("should throw", false);
}
catch (IOException e)
{
Assert.Equal("Wrong key length. Required 8, but got 128", e.Message
);
}
provider.CreateKey("key4", new byte[] { 1 }, KeyProvider.Options(conf).SetBitLength
(8));
provider.RollNewVersion("key4", new byte[] { 2 });
meta = provider.GetMetadata("key4");
Assert.Equal(2, meta.GetVersions());
Assert.AssertArrayEquals(new byte[] { 2 }, provider.GetCurrentKey("key4").GetMaterial
());
Assert.AssertArrayEquals(new byte[] { 1 }, provider.GetKeyVersion("key4@0").GetMaterial
());
Assert.Equal("key4@1", provider.GetCurrentKey("key4").GetVersionName
());
try
{
provider.RollNewVersion("key4", key1);
Assert.True("should throw", false);
}
catch (IOException e)
{
Assert.Equal("Wrong key length. Required 8, but got 128", e.Message
);
}
try
{
provider.RollNewVersion("no-such-key", key1);
Assert.True("should throw", false);
}
catch (IOException e)
{
Assert.Equal("Key no-such-key not found", e.Message);
}
provider.Flush();
// get a new instance of the provider to ensure it was saved correctly
provider = KeyProviderFactory.GetProviders(conf)[0];
Assert.AssertArrayEquals(new byte[] { 2 }, provider.GetCurrentKey("key4").GetMaterial
());
Assert.AssertArrayEquals(key3, provider.GetCurrentKey("key3").GetMaterial());
Assert.Equal("key3@0", provider.GetCurrentKey("key3").GetVersionName
());
IList <string> keys = provider.GetKeys();
Assert.True("Keys should have been returned.", keys.Count == 2);
Assert.True("Returned Keys should have included key3.", keys.Contains
("key3"));
Assert.True("Returned Keys should have included key4.", keys.Contains
("key4"));
IList <KeyProvider.KeyVersion> kvl = provider.GetKeyVersions("key3");
Assert.True("KeyVersions should have been returned for key3.",
kvl.Count == 1);
Assert.True("KeyVersions should have included key3@0.", kvl[0].
GetVersionName().Equals("key3@0"));
Assert.AssertArrayEquals(key3, kvl[0].GetMaterial());
}
/// <exception cref="System.IO.IOException"/>
public override KeyProvider.KeyVersion GetKeyVersion(string versionName)
{
return(keyProvider.GetKeyVersion(versionName));
}
