public virtual void TestKeyVersion() { KeyProvider.KeyVersion mockKey = Org.Mockito.Mockito.Mock <KeyProvider.KeyVersion> (); KeyProvider mockProv = Org.Mockito.Mockito.Mock <KeyProvider>(); Org.Mockito.Mockito.When(mockProv.GetKeyVersion(Org.Mockito.Mockito.Eq("k1@0"))). ThenReturn(mockKey); Org.Mockito.Mockito.When(mockProv.GetKeyVersion(Org.Mockito.Mockito.Eq("k2@0"))). ThenReturn(null); Org.Mockito.Mockito.When(mockProv.GetConf()).ThenReturn(new Configuration()); KeyProvider cache = new CachingKeyProvider(mockProv, 100, 100); // asserting caching Assert.Equal(mockKey, cache.GetKeyVersion("k1@0")); Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(1)).GetKeyVersion( Org.Mockito.Mockito.Eq("k1@0")); Assert.Equal(mockKey, cache.GetKeyVersion("k1@0")); Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(1)).GetKeyVersion( Org.Mockito.Mockito.Eq("k1@0")); Thread.Sleep(200); Assert.Equal(mockKey, cache.GetKeyVersion("k1@0")); Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(2)).GetKeyVersion( Org.Mockito.Mockito.Eq("k1@0")); // asserting no caching when key is not known cache = new CachingKeyProvider(mockProv, 100, 100); Assert.Equal(null, cache.GetKeyVersion("k2@0")); Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(1)).GetKeyVersion( Org.Mockito.Mockito.Eq("k2@0")); Assert.Equal(null, cache.GetKeyVersion("k2@0")); Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(2)).GetKeyVersion( Org.Mockito.Mockito.Eq("k2@0")); }
public virtual void TestDeleteKey() { KeyProvider.KeyVersion mockKey = Org.Mockito.Mockito.Mock <KeyProvider.KeyVersion> (); KeyProvider mockProv = Org.Mockito.Mockito.Mock <KeyProvider>(); Org.Mockito.Mockito.When(mockProv.GetCurrentKey(Org.Mockito.Mockito.Eq("k1"))).ThenReturn (mockKey); Org.Mockito.Mockito.When(mockProv.GetKeyVersion(Org.Mockito.Mockito.Eq("k1@0"))). ThenReturn(mockKey); Org.Mockito.Mockito.When(mockProv.GetMetadata(Org.Mockito.Mockito.Eq("k1"))).ThenReturn (new KMSClientProvider.KMSMetadata("c", 0, "l", null, new DateTime(), 1)); Org.Mockito.Mockito.When(mockProv.GetConf()).ThenReturn(new Configuration()); KeyProvider cache = new CachingKeyProvider(mockProv, 100, 100); Assert.Equal(mockKey, cache.GetCurrentKey("k1")); Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(1)).GetCurrentKey( Org.Mockito.Mockito.Eq("k1")); Assert.Equal(mockKey, cache.GetKeyVersion("k1@0")); Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(1)).GetKeyVersion( Org.Mockito.Mockito.Eq("k1@0")); cache.DeleteKey("k1"); // asserting the cache is purged Assert.Equal(mockKey, cache.GetCurrentKey("k1")); Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(2)).GetCurrentKey( Org.Mockito.Mockito.Eq("k1")); Assert.Equal(mockKey, cache.GetKeyVersion("k1@0")); Org.Mockito.Mockito.Verify(mockProv, Org.Mockito.Mockito.Times(2)).GetKeyVersion( Org.Mockito.Mockito.Eq("k1@0")); }
/// <exception cref="System.IO.IOException"/> /// <exception cref="GeneralSecurityException"/> public virtual KeyProvider.KeyVersion DecryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) { // Fetch the encryption key material string encryptionKeyVersionName = encryptedKeyVersion.GetEncryptionKeyVersionName (); KeyProvider.KeyVersion encryptionKey = keyProvider.GetKeyVersion(encryptionKeyVersionName ); Preconditions.CheckNotNull(encryptionKey, "KeyVersion name '%s' does not exist", encryptionKeyVersionName); Preconditions.CheckArgument(encryptedKeyVersion.GetEncryptedKeyVersion().GetVersionName ().Equals(KeyProviderCryptoExtension.Eek), "encryptedKey version name must be '%s', is '%s'" , KeyProviderCryptoExtension.Eek, encryptedKeyVersion.GetEncryptedKeyVersion().GetVersionName ()); // Encryption key IV is determined from encrypted key's IV byte[] encryptionIV = KeyProviderCryptoExtension.EncryptedKeyVersion.DeriveIV(encryptedKeyVersion .GetEncryptedKeyIv()); CryptoCodec cc = CryptoCodec.GetInstance(keyProvider.GetConf()); Decryptor decryptor = cc.CreateDecryptor(); decryptor.Init(encryptionKey.GetMaterial(), encryptionIV); KeyProvider.KeyVersion encryptedKV = encryptedKeyVersion.GetEncryptedKeyVersion(); int keyLen = encryptedKV.GetMaterial().Length; ByteBuffer bbIn = ByteBuffer.AllocateDirect(keyLen); ByteBuffer bbOut = ByteBuffer.AllocateDirect(keyLen); bbIn.Put(encryptedKV.GetMaterial()); bbIn.Flip(); decryptor.Decrypt(bbIn, bbOut); bbOut.Flip(); byte[] decryptedKey = new byte[keyLen]; bbOut.Get(decryptedKey); return(new KeyProvider.KeyVersion(encryptionKey.GetName(), Ek, decryptedKey)); }
public virtual void TestJksProviderWithKeytoolKeys() { Configuration conf = new Configuration(); string keystoreDirAbsolutePath = conf.GetResource("hdfs7067.keystore").AbsolutePath; string ourUrl = JavaKeyStoreProvider.SchemeName + "://file@/" + keystoreDirAbsolutePath; conf.Set(KeyProviderFactory.KeyProviderPath, ourUrl); KeyProvider provider = KeyProviderFactory.GetProviders(conf)[0]; // Sanity check that we are using the right keystore KeyProvider.KeyVersion keyVersion = provider.GetKeyVersion("testkey5@0"); try { KeyProvider.KeyVersion keyVersionWrongKeyNameFormat = provider.GetKeyVersion("testkey2" ); NUnit.Framework.Assert.Fail("should have thrown an exception"); } catch (IOException e) { // No version in key path testkey2/ GenericTestUtils.AssertExceptionContains("No version in key path", e); } try { KeyProvider.KeyVersion keyVersionCurrentKeyNotWrongKeyNameFormat = provider.GetCurrentKey ("testkey5@0"); NUnit.Framework.Assert.Fail("should have thrown an exception getting testkey5@0"); } catch (IOException e) { // javax.crypto.spec.SecretKeySpec cannot be cast to // org.apache.hadoop.crypto.key.JavaKeyStoreProvider$KeyMetadata GenericTestUtils.AssertExceptionContains("other non-Hadoop method", e); } try { KeyProvider.KeyVersion keyVersionCurrentKeyNotReally = provider.GetCurrentKey("testkey2" ); NUnit.Framework.Assert.Fail("should have thrown an exception getting testkey2"); } catch (IOException e) { // javax.crypto.spec.SecretKeySpec cannot be cast to // org.apache.hadoop.crypto.key.JavaKeyStoreProvider$KeyMetadata GenericTestUtils.AssertExceptionContains("other non-Hadoop method", e); } }
/// <exception cref="System.Exception"/> internal static void CheckSpecificProvider(Configuration conf, string ourUrl) { KeyProvider provider = KeyProviderFactory.GetProviders(conf)[0]; byte[] key1 = new byte[16]; byte[] key2 = new byte[16]; byte[] key3 = new byte[16]; for (int i = 0; i < key1.Length; ++i) { key1[i] = unchecked ((byte)i); key2[i] = unchecked ((byte)(i * 2)); key3[i] = unchecked ((byte)(i * 3)); } // ensure that we get nulls when the key isn't there Assert.Equal(null, provider.GetKeyVersion("no-such-key")); Assert.Equal(null, provider.GetMetadata("key")); // create a new key try { provider.CreateKey("key3", key3, KeyProvider.Options(conf)); } catch (Exception e) { Runtime.PrintStackTrace(e); throw; } // check the metadata for key3 KeyProvider.Metadata meta = provider.GetMetadata("key3"); Assert.Equal(KeyProvider.DefaultCipher, meta.GetCipher()); Assert.Equal(KeyProvider.DefaultBitlength, meta.GetBitLength() ); Assert.Equal(1, meta.GetVersions()); // make sure we get back the right key Assert.AssertArrayEquals(key3, provider.GetCurrentKey("key3").GetMaterial()); Assert.Equal("key3@0", provider.GetCurrentKey("key3").GetVersionName ()); // try recreating key3 try { provider.CreateKey("key3", key3, KeyProvider.Options(conf)); Assert.True("should throw", false); } catch (IOException e) { Assert.Equal("Key key3 already exists in " + ourUrl, e.Message ); } provider.DeleteKey("key3"); try { provider.DeleteKey("key3"); Assert.True("should throw", false); } catch (IOException e) { Assert.Equal("Key key3 does not exist in " + ourUrl, e.Message ); } provider.CreateKey("key3", key3, KeyProvider.Options(conf)); try { provider.CreateKey("key4", key3, KeyProvider.Options(conf).SetBitLength(8)); Assert.True("should throw", false); } catch (IOException e) { Assert.Equal("Wrong key length. Required 8, but got 128", e.Message ); } provider.CreateKey("key4", new byte[] { 1 }, KeyProvider.Options(conf).SetBitLength (8)); provider.RollNewVersion("key4", new byte[] { 2 }); meta = provider.GetMetadata("key4"); Assert.Equal(2, meta.GetVersions()); Assert.AssertArrayEquals(new byte[] { 2 }, provider.GetCurrentKey("key4").GetMaterial ()); Assert.AssertArrayEquals(new byte[] { 1 }, provider.GetKeyVersion("key4@0").GetMaterial ()); Assert.Equal("key4@1", provider.GetCurrentKey("key4").GetVersionName ()); try { provider.RollNewVersion("key4", key1); Assert.True("should throw", false); } catch (IOException e) { Assert.Equal("Wrong key length. Required 8, but got 128", e.Message ); } try { provider.RollNewVersion("no-such-key", key1); Assert.True("should throw", false); } catch (IOException e) { Assert.Equal("Key no-such-key not found", e.Message); } provider.Flush(); // get a new instance of the provider to ensure it was saved correctly provider = KeyProviderFactory.GetProviders(conf)[0]; Assert.AssertArrayEquals(new byte[] { 2 }, provider.GetCurrentKey("key4").GetMaterial ()); Assert.AssertArrayEquals(key3, provider.GetCurrentKey("key3").GetMaterial()); Assert.Equal("key3@0", provider.GetCurrentKey("key3").GetVersionName ()); IList <string> keys = provider.GetKeys(); Assert.True("Keys should have been returned.", keys.Count == 2); Assert.True("Returned Keys should have included key3.", keys.Contains ("key3")); Assert.True("Returned Keys should have included key4.", keys.Contains ("key4")); IList <KeyProvider.KeyVersion> kvl = provider.GetKeyVersions("key3"); Assert.True("KeyVersions should have been returned for key3.", kvl.Count == 1); Assert.True("KeyVersions should have included key3@0.", kvl[0]. GetVersionName().Equals("key3@0")); Assert.AssertArrayEquals(key3, kvl[0].GetMaterial()); }
/// <exception cref="System.IO.IOException"/> public override KeyProvider.KeyVersion GetKeyVersion(string versionName) { return(keyProvider.GetKeyVersion(versionName)); }