Package org.apache.hadoop.crypto.key

Class KeyProviderCryptoExtension

java.lang.Object

org.apache.hadoop.crypto.key.KeyProvider

org.apache.hadoop.crypto.key.KeyProviderExtension<KeyProviderCryptoExtension.CryptoExtension>

org.apache.hadoop.crypto.key.KeyProviderCryptoExtension

All Implemented Interfaces:

java.io.Closeable, java.lang.AutoCloseable

@Private
public class KeyProviderCryptoExtension
extends KeyProviderExtension<KeyProviderCryptoExtension.CryptoExtension>

A KeyProvider with Cryptographic Extensions specifically for generating and decrypting encrypted encryption keys.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static interface	KeyProviderCryptoExtension.CryptoExtension	CryptoExtension is a type of Extension that exposes methods to generate EncryptedKeys and to decrypt the same.
static class	KeyProviderCryptoExtension.EncryptedKeyVersion	An encrypted encryption key (EEK) and related information.

Nested classes/interfaces inherited from class org.apache.hadoop.crypto.key.KeyProviderExtension

KeyProviderExtension.Extension

Nested classes/interfaces inherited from class org.apache.hadoop.crypto.key.KeyProvider

KeyProvider.KeyVersion, KeyProvider.Metadata, KeyProvider.Options

Field Summary

Fields

Modifier and Type	Field	Description
static java.lang.String	EEK	Designates an encrypted encryption key, or EEK.
static java.lang.String	EK	Designates a decrypted encrypted encryption key, that is, an encryption key (EK).

Fields inherited from class org.apache.hadoop.crypto.key.KeyProvider

DEFAULT_BITLENGTH, DEFAULT_BITLENGTH_NAME, DEFAULT_CIPHER, DEFAULT_CIPHER_NAME, JCEKS_KEY_SERIAL_FILTER, JCEKS_KEY_SERIALFILTER_DEFAULT

Constructor Summary

Constructors

Modifier	Constructor	Description
protected	KeyProviderCryptoExtension(KeyProvider keyProvider, KeyProviderCryptoExtension.CryptoExtension extension)	This constructor is to be used by sub classes that provide delegating/proxying functionality to the KeyProviderCryptoExtension

Method Summary

Modifier and Type	Method	Description
void	close()	Can be used by implementing classes to close any resources that require closing
static KeyProviderCryptoExtension	createKeyProviderCryptoExtension(KeyProvider keyProvider)	Creates a KeyProviderCryptoExtension using a given KeyProvider.
KeyProvider.KeyVersion	decryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKey)	Decrypts an encrypted byte[] key material using the given a key version name and initialization vector.
void	drain(java.lang.String keyName)	Calls KeyProviderCryptoExtension.CryptoExtension.drain(String) for the given key name on the underlying KeyProviderCryptoExtension.CryptoExtension.
KeyProviderCryptoExtension.EncryptedKeyVersion	generateEncryptedKey(java.lang.String encryptionKeyName)	Generates a key material and encrypts it using the given key version name and initialization vector.
KeyProviderCryptoExtension.EncryptedKeyVersion	reencryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion ekv)	Re-encrypts an encrypted key version, using its initialization vector and key material, but with the latest key version name of its key name in the key provider.
void	reencryptEncryptedKeys(java.util.List<KeyProviderCryptoExtension.EncryptedKeyVersion> ekvs)	Batched version of reencryptEncryptedKey(EncryptedKeyVersion).
void	warmUpEncryptedKeys(java.lang.String... keyNames)	Notifies the Underlying CryptoExtension implementation to warm up any implementation specific caches for the specified KeyVersions

Methods inherited from class org.apache.hadoop.crypto.key.KeyProviderExtension

createKey, createKey, deleteKey, flush, getCurrentKey, getExtension, getKeyProvider, getKeys, getKeysMetadata, getKeyVersion, getKeyVersions, getMetadata, invalidateCache, isTransient, rollNewVersion, rollNewVersion, toString

Methods inherited from class org.apache.hadoop.crypto.key.KeyProvider

buildVersionName, findProvider, generateKey, getBaseName, getConf, needsPassword, noPasswordError, noPasswordWarning, options

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

EEK

public static final java.lang.String EEK

Designates an encrypted encryption key, or EEK.

See Also:

Constant Field Values

EK

public static final java.lang.String EK

Designates a decrypted encrypted encryption key, that is, an encryption key (EK).

See Also:

Constant Field Values

Constructor Detail

KeyProviderCryptoExtension

protected KeyProviderCryptoExtension(KeyProvider keyProvider,
                                     KeyProviderCryptoExtension.CryptoExtension extension)

This constructor is to be used by sub classes that provide delegating/proxying functionality to the KeyProviderCryptoExtension

Parameters:

keyProvider - key provider.

extension - crypto extension.

Method Detail

warmUpEncryptedKeys

public void warmUpEncryptedKeys(java.lang.String... keyNames)
                         throws java.io.IOException

Notifies the Underlying CryptoExtension implementation to warm up any implementation specific caches for the specified KeyVersions

Parameters:

keyNames - Arrays of key Names

Throws:

java.io.IOException - raised on errors performing I/O.

generateEncryptedKey

public KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey(java.lang.String encryptionKeyName)
                                                                    throws java.io.IOException,
                                                                           java.security.GeneralSecurityException

Generates a key material and encrypts it using the given key version name and initialization vector. The generated key material is of the same length as the KeyVersion material and is encrypted using the same cipher.

NOTE: The generated key is not stored by the KeyProvider

Parameters:

encryptionKeyName - The latest KeyVersion of this key's material will be encrypted.

Returns:

EncryptedKeyVersion with the generated key material, the version name is 'EEK' (for Encrypted Encryption Key)

Throws:

java.io.IOException - thrown if the key material could not be generated

java.security.GeneralSecurityException - thrown if the key material could not be encrypted because of a cryptographic issue.

decryptEncryptedKey

public KeyProvider.KeyVersion decryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKey)
                                           throws java.io.IOException,
                                                  java.security.GeneralSecurityException

Decrypts an encrypted byte[] key material using the given a key version name and initialization vector.

Parameters:

encryptedKey - contains keyVersionName and IV to decrypt the encrypted key material

Returns:

a KeyVersion with the decrypted key material, the version name is 'EK' (For Encryption Key)

Throws:

java.io.IOException - thrown if the key material could not be decrypted

java.security.GeneralSecurityException - thrown if the key material could not be decrypted because of a cryptographic issue.

reencryptEncryptedKey

public KeyProviderCryptoExtension.EncryptedKeyVersion reencryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion ekv)
                                                                     throws java.io.IOException,
                                                                            java.security.GeneralSecurityException

Re-encrypts an encrypted key version, using its initialization vector and key material, but with the latest key version name of its key name in the key provider.

If the latest key version name in the provider is the same as the one encrypted the passed-in encrypted key version, the same encrypted key version is returned.

NOTE: The generated key is not stored by the KeyProvider

Parameters:

ekv - The EncryptedKeyVersion containing keyVersionName and IV.

Returns:

The re-encrypted EncryptedKeyVersion.

Throws:

java.io.IOException - If the key material could not be re-encrypted

java.security.GeneralSecurityException - If the key material could not be re-encrypted because of a cryptographic issue.

drain

public void drain(java.lang.String keyName)

Calls KeyProviderCryptoExtension.CryptoExtension.drain(String) for the given key name on the underlying KeyProviderCryptoExtension.CryptoExtension.

Parameters:

keyName - key name.

reencryptEncryptedKeys

public void reencryptEncryptedKeys(java.util.List<KeyProviderCryptoExtension.EncryptedKeyVersion> ekvs)
                            throws java.io.IOException,
                                   java.security.GeneralSecurityException

Batched version of reencryptEncryptedKey(EncryptedKeyVersion).

For each encrypted key version, re-encrypts an encrypted key version, using its initialization vector and key material, but with the latest key version name of its key name. If the latest key version name in the provider is the same as the one encrypted the passed-in encrypted key version, the same encrypted key version is returned.

NOTE: The generated key is not stored by the KeyProvider

Parameters:

ekvs - List containing the EncryptedKeyVersion's

Throws:

java.io.IOException - If any EncryptedKeyVersion could not be re-encrypted

java.security.GeneralSecurityException - If any EncryptedKeyVersion could not be re-encrypted because of a cryptographic issue.

createKeyProviderCryptoExtension

public static KeyProviderCryptoExtension createKeyProviderCryptoExtension(KeyProvider keyProvider)

Creates a KeyProviderCryptoExtension using a given KeyProvider.

If the given KeyProvider implements the KeyProviderCryptoExtension.CryptoExtension interface the KeyProvider itself will provide the extension functionality. If the given KeyProvider implements the KeyProviderExtension interface and the KeyProvider being extended by the KeyProvider implements the KeyProviderCryptoExtension.CryptoExtension interface, the KeyProvider being extended will provide the extension functionality. Otherwise, a default extension implementation will be used.

Parameters:

keyProvider - KeyProvider to use to create the KeyProviderCryptoExtension extension.

Returns:

a KeyProviderCryptoExtension instance using the given KeyProvider.

close

public void close()
           throws java.io.IOException

Description copied from class: KeyProvider

Can be used by implementing classes to close any resources that require closing

Specified by:

close in interface java.lang.AutoCloseable

Specified by:

close in interface java.io.Closeable

Overrides:

close in class KeyProvider

Throws:

java.io.IOException