/// <exception cref="System.IO.IOException"/> public override KeyProvider.KeyVersion RollNewVersion(string name, byte[] material ) { KeyProvider.KeyVersion keyVersion = base.RollNewVersion(name, material); GetExtension().Drain(name); return(keyVersion); }
public virtual Response DecryptEncryptedKey(string versionName, string eekOp, IDictionary jsonPayload) { UserGroupInformation user = HttpUserGroupInformation.Get(); KMSClientProvider.CheckNotEmpty(versionName, "versionName"); KMSClientProvider.CheckNotNull(eekOp, "eekOp"); string keyName = (string)jsonPayload[KMSRESTConstants.NameField]; string ivStr = (string)jsonPayload[KMSRESTConstants.IvField]; string encMaterialStr = (string)jsonPayload[KMSRESTConstants.MaterialField]; object retJSON; if (eekOp.Equals(KMSRESTConstants.EekDecrypt)) { AssertAccess(KMSACLs.Type.DecryptEek, user, KMS.KMSOp.DecryptEek, keyName); KMSClientProvider.CheckNotNull(ivStr, KMSRESTConstants.IvField); byte[] iv = Base64.DecodeBase64(ivStr); KMSClientProvider.CheckNotNull(encMaterialStr, KMSRESTConstants.MaterialField); byte[] encMaterial = Base64.DecodeBase64(encMaterialStr); KeyProvider.KeyVersion retKeyVersion = user.DoAs(new _PrivilegedExceptionAction_433 (this, keyName, versionName, iv, encMaterial)); retJSON = KMSServerJSONUtils.ToJSON(retKeyVersion); kmsAudit.Ok(user, KMS.KMSOp.DecryptEek, keyName, string.Empty); } else { throw new ArgumentException("Wrong " + KMSRESTConstants.EekOp + " value, it must be " + KMSRESTConstants.EekGenerate + " or " + KMSRESTConstants.EekDecrypt); } KMSWebApp.GetDecryptEEKCallsMeter().Mark(); return(Response.Ok().Type(MediaType.ApplicationJson).Entity(retJSON).Build()); }
public virtual Response RolloverKey(string name, IDictionary jsonMaterial) { KMSWebApp.GetAdminCallsMeter().Mark(); UserGroupInformation user = HttpUserGroupInformation.Get(); AssertAccess(KMSACLs.Type.Rollover, user, KMS.KMSOp.RollNewVersion, name); KMSClientProvider.CheckNotEmpty(name, "name"); string material = (string)jsonMaterial[KMSRESTConstants.MaterialField]; if (material != null) { AssertAccess(KMSACLs.Type.SetKeyMaterial, user, KMS.KMSOp.RollNewVersion, name); } KeyProvider.KeyVersion keyVersion = user.DoAs(new _PrivilegedExceptionAction_200( this, material, name)); kmsAudit.Ok(user, KMS.KMSOp.RollNewVersion, name, "UserProvidedMaterial:" + (material != null) + " NewVersion:" + keyVersion.GetVersionName()); if (!KMSWebApp.GetACLs().HasAccess(KMSACLs.Type.Get, user)) { keyVersion = RemoveKeyMaterial(keyVersion); } IDictionary json = KMSServerJSONUtils.ToJSON(keyVersion); return(Response.Ok().Type(MediaType.ApplicationJson).Entity(json).Build()); }
public static IDictionary ToJSON(KeyProvider.KeyVersion keyVersion) { IDictionary json = new LinkedHashMap(); if (keyVersion != null) { json[KMSRESTConstants.NameField] = keyVersion.GetName(); json[KMSRESTConstants.VersionNameField] = keyVersion.GetVersionName(); json[KMSRESTConstants.MaterialField] = Base64.EncodeBase64URLSafeString(keyVersion .GetMaterial()); } return(json); }
private static KeyProvider.KeyVersion ParseJSONKeyVersion(IDictionary valueMap) { KeyProvider.KeyVersion keyVersion = null; if (!valueMap.IsEmpty()) { byte[] material = (valueMap.Contains(KMSRESTConstants.MaterialField)) ? Base64.DecodeBase64 ((string)valueMap[KMSRESTConstants.MaterialField]) : null; string versionName = (string)valueMap[KMSRESTConstants.VersionNameField]; string keyName = (string)valueMap[KMSRESTConstants.NameField]; keyVersion = new KMSClientProvider.KMSKeyVersion(keyName, versionName, material); } return(keyVersion); }
public virtual Response CreateKey(IDictionary jsonKey) { KMSWebApp.GetAdminCallsMeter().Mark(); UserGroupInformation user = HttpUserGroupInformation.Get(); string name = (string)jsonKey[KMSRESTConstants.NameField]; KMSClientProvider.CheckNotEmpty(name, KMSRESTConstants.NameField); AssertAccess(KMSACLs.Type.Create, user, KMS.KMSOp.CreateKey, name); string cipher = (string)jsonKey[KMSRESTConstants.CipherField]; string material = (string)jsonKey[KMSRESTConstants.MaterialField]; int length = (jsonKey.Contains(KMSRESTConstants.LengthField)) ? (int)jsonKey[KMSRESTConstants .LengthField] : 0; string description = (string)jsonKey[KMSRESTConstants.DescriptionField]; IDictionary <string, string> attributes = (IDictionary <string, string>)jsonKey[KMSRESTConstants .AttributesField]; if (material != null) { AssertAccess(KMSACLs.Type.SetKeyMaterial, user, KMS.KMSOp.CreateKey, name); } KeyProvider.Options options = new KeyProvider.Options(KMSWebApp.GetConfiguration( )); if (cipher != null) { options.SetCipher(cipher); } if (length != 0) { options.SetBitLength(length); } options.SetDescription(description); options.SetAttributes(attributes); KeyProvider.KeyVersion keyVersion = user.DoAs(new _PrivilegedExceptionAction_132( this, material, name, options)); kmsAudit.Ok(user, KMS.KMSOp.CreateKey, name, "UserProvidedMaterial:" + (material != null) + " Description:" + description); if (!KMSWebApp.GetACLs().HasAccess(KMSACLs.Type.Get, user)) { keyVersion = RemoveKeyMaterial(keyVersion); } IDictionary json = KMSServerJSONUtils.ToJSON(keyVersion); string requestURL = KMSMDCFilter.GetURL(); int idx = requestURL.LastIndexOf(KMSRESTConstants.KeysResource); requestURL = Runtime.Substring(requestURL, 0, idx); string keyURL = requestURL + KMSRESTConstants.KeyResource + "/" + name; return(Response.Created(GetKeyURI(name)).Type(MediaType.ApplicationJson).Header("Location" , keyURL).Entity(json).Build()); }
public virtual Response GetCurrentVersion(string name) { UserGroupInformation user = HttpUserGroupInformation.Get(); KMSClientProvider.CheckNotEmpty(name, "name"); KMSWebApp.GetKeyCallsMeter().Mark(); AssertAccess(KMSACLs.Type.Get, user, KMS.KMSOp.GetCurrentKey, name); KeyProvider.KeyVersion keyVersion = user.DoAs(new _PrivilegedExceptionAction_312( this, name)); object json = KMSServerJSONUtils.ToJSON(keyVersion); kmsAudit.Ok(user, KMS.KMSOp.GetCurrentKey, name, string.Empty); return(Response.Ok().Type(MediaType.ApplicationJson).Entity(json).Build()); }
/// <exception cref="System.IO.IOException"/> public override KeyProvider.KeyVersion GetKeyVersion(string versionName) { readLock.Lock(); try { KeyProvider.KeyVersion keyVersion = provider.GetKeyVersion(versionName); if (keyVersion != null) { DoAccessCheck(keyVersion.GetName(), KeyAuthorizationKeyProvider.KeyOpType.Read); } return(keyVersion); } finally { readLock.Unlock(); } }
/// <exception cref="System.IO.IOException"/> private void VerifyKeyVersionBelongsToKey(KeyProviderCryptoExtension.EncryptedKeyVersion ekv) { string kn = ekv.GetEncryptionKeyName(); string kvn = ekv.GetEncryptionKeyVersionName(); KeyProvider.KeyVersion kv = provider.GetKeyVersion(kvn); if (kv == null) { throw new ArgumentException(string.Format("'%s' not found", kvn)); } if (!kv.GetName().Equals(kn)) { throw new ArgumentException(string.Format("KeyVersion '%s' does not belong to the key '%s'" , kvn, kn)); } }
/// <exception cref="System.Exception"/> public Void Run() { KeyProvider.Options opt = TestKeyAuthorizationKeyProvider.NewOptions(conf); IDictionary <string, string> m = new Dictionary <string, string>(); m["key.acl.name"] = "testKey"; opt.SetAttributes(m); KeyProvider.KeyVersion kv = kpExt.CreateKey("foo", SecureRandom.GetSeed(16), opt); kpExt.RollNewVersion(kv.GetName()); kpExt.RollNewVersion(kv.GetName(), SecureRandom.GetSeed(16)); KeyProviderCryptoExtension.EncryptedKeyVersion ekv = kpExt.GenerateEncryptedKey(kv .GetName()); ekv = KeyProviderCryptoExtension.EncryptedKeyVersion.CreateForDecryption(ekv.GetEncryptionKeyName () + "x", ekv.GetEncryptionKeyVersionName(), ekv.GetEncryptedKeyIv(), ekv.GetEncryptedKeyVersion ().GetMaterial()); kpExt.DecryptEncryptedKey(ekv); return(null); }
public virtual void TestOpsWhenACLAttributeExists() { Configuration conf = new Configuration(); KeyProvider kp = new UserProvider.Factory().CreateProvider(new URI("user:///"), conf ); KeyAuthorizationKeyProvider.KeyACLs mock = Org.Mockito.Mockito.Mock <KeyAuthorizationKeyProvider.KeyACLs >(); Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType .Management)).ThenReturn(true); Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType .GenerateEek)).ThenReturn(true); Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType .DecryptEek)).ThenReturn(true); Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType .All)).ThenReturn(true); UserGroupInformation u1 = UserGroupInformation.CreateRemoteUser("u1"); UserGroupInformation u2 = UserGroupInformation.CreateRemoteUser("u2"); UserGroupInformation u3 = UserGroupInformation.CreateRemoteUser("u3"); UserGroupInformation sudo = UserGroupInformation.CreateRemoteUser("sudo"); Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", u1, KeyAuthorizationKeyProvider.KeyOpType .Management)).ThenReturn(true); Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", u2, KeyAuthorizationKeyProvider.KeyOpType .GenerateEek)).ThenReturn(true); Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", u3, KeyAuthorizationKeyProvider.KeyOpType .DecryptEek)).ThenReturn(true); Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", sudo, KeyAuthorizationKeyProvider.KeyOpType .All)).ThenReturn(true); KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(KeyProviderCryptoExtension .CreateKeyProviderCryptoExtension(kp), mock); KeyProvider.KeyVersion barKv = u1.DoAs(new _PrivilegedExceptionAction_127(conf, kpExt )); KeyProviderCryptoExtension.EncryptedKeyVersion barEKv = u2.DoAs(new _PrivilegedExceptionAction_159 (kpExt, barKv)); u3.DoAs(new _PrivilegedExceptionAction_173(kpExt, barKv, barEKv)); sudo.DoAs(new _PrivilegedExceptionAction_187(conf, kpExt)); }
/// <exception cref="NoSuchAlgorithmException"/> /// <exception cref="System.IO.IOException"/> private KeyProvider.KeyVersion RollNewVersionInternal(string name, byte[] material ) { CheckNotEmpty(name, "name"); IDictionary <string, string> jsonMaterial = new Dictionary <string, string>(); if (material != null) { jsonMaterial[KMSRESTConstants.MaterialField] = Base64.EncodeBase64String(material ); } Uri url = CreateURL(KMSRESTConstants.KeyResource, name, null, null); HttpURLConnection conn = CreateConnection(url, HttpPost); conn.SetRequestProperty(ContentType, ApplicationJsonMime); IDictionary response = Call <IDictionary>(conn, jsonMaterial, HttpURLConnection.HttpOk ); KeyProvider.KeyVersion keyVersion = ParseJSONKeyVersion(response); encKeyVersionQueue.Drain(name); return(keyVersion); }
/// <exception cref="System.Exception"/> public Void Run() { KeyProvider.Options opt = TestKeyAuthorizationKeyProvider.NewOptions(conf); IDictionary <string, string> m = new Dictionary <string, string>(); m["key.acl.name"] = "testKey"; opt.SetAttributes(m); try { KeyProvider.KeyVersion kv = kpExt.CreateKey("foo", SecureRandom.GetSeed(16), opt); kpExt.RollNewVersion(kv.GetName()); kpExt.RollNewVersion(kv.GetName(), SecureRandom.GetSeed(16)); KeyProviderCryptoExtension.EncryptedKeyVersion ekv = kpExt.GenerateEncryptedKey(kv .GetName()); kpExt.DecryptEncryptedKey(ekv); kpExt.DeleteKey(kv.GetName()); } catch (IOException) { NUnit.Framework.Assert.Fail("User should be Allowed to do everything !!"); } return(null); }
public _PrivilegedExceptionAction_159(KeyProviderCryptoExtension kpExt, KeyProvider.KeyVersion barKv) { this.kpExt = kpExt; this.barKv = barKv; }
private static KeyProvider.KeyVersion RemoveKeyMaterial(KeyProvider.KeyVersion keyVersion ) { return(new KMSClientProvider.KMSKeyVersion(keyVersion.GetName(), keyVersion.GetVersionName (), null)); }