18 package org.apache.hadoop.hbase.security;
19
20 import static org.junit.Assert.*;
21
22 import java.security.Key;
23 import java.security.KeyException;
24 import java.security.SecureRandom;
25
26 import javax.crypto.spec.SecretKeySpec;
27
28 import org.apache.hadoop.conf.Configuration;
29 import org.apache.hadoop.hbase.HConstants;
30 import org.apache.hadoop.hbase.testclassification.SmallTests;
31 import org.apache.hadoop.hbase.io.crypto.KeyProviderForTesting;
32 import org.apache.hadoop.hbase.io.crypto.aes.AES;
33 import org.apache.hadoop.hbase.util.Bytes;
34
35 import org.junit.Test;
36 import org.junit.experimental.categories.Category;
37
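/**
 * Round-trip tests for the key wrapping helpers of {@link EncryptionUtil}.
 *
 * <p>Every test generates a fresh random key of {@code AES.KEY_LENGTH} bytes, wraps it with
 * {@code EncryptionUtil.wrapKey} under the name {@code "hbase"}, and then checks one of two
 * properties: unwrapping under the same name returns the original key bytes, or unwrapping
 * under a different name is rejected with a {@link KeyException}.
 *
 * <p>The key provider is {@link KeyProviderForTesting}, so these tests exercise the wrapping
 * code path only; they say nothing about a production key store.
 */
@Category(SmallTests.class)
public class TestEncryptionUtil {

  /**
   * Name passed as the second argument of wrapKey/unwrapKey. Presumably a key alias resolved
   * by the configured provider; confirm against EncryptionUtil.
   */
  private static final String WRAP_SUBJECT = "hbase";

  /** A name that differs from {@link #WRAP_SUBJECT}; unwrapping under it must fail. */
  private static final String WRONG_SUBJECT = "other";

  /** Builds a configuration whose key provider is the one intended for tests. */
  private static Configuration newTestConfiguration() {
    Configuration conf = new Configuration();
    conf.set(HConstants.CRYPTO_KEYPROVIDER_CONF_KEY, KeyProviderForTesting.class.getName());
    return conf;
  }

  /** Returns {@code AES.KEY_LENGTH} bytes drawn from a {@link SecureRandom}. */
  private static byte[] randomKeyBytes() {
    byte[] keyBytes = new byte[AES.KEY_LENGTH];
    new SecureRandom().nextBytes(keyBytes);
    return keyBytes;
  }

  /** Asserts that an unwrapped key is a {@link SecretKeySpec} carrying the original bytes. */
  private static void assertRoundTrip(byte[] originalKeyBytes, Key unwrappedKey) {
    assertNotNull(unwrappedKey);
    // The unwrap helpers are expected to hand back a raw secret key.
    assertTrue(unwrappedKey instanceof SecretKeySpec);
    assertTrue("Unwrapped key bytes do not match original",
      Bytes.equals(originalKeyBytes, unwrappedKey.getEncoded()));
  }

  /**
   * Wraps a random key, unwraps it under the same name and compares the bytes, then checks
   * that unwrapping under a different name throws {@link KeyException}.
   */
  @Test
  public void testKeyWrapping() throws Exception {
    Configuration conf = newTestConfiguration();

    // Random key material, labelled with the configured key algorithm (AES by default).
    byte[] keyBytes = randomKeyBytes();
    String algorithm =
      conf.get(HConstants.CRYPTO_KEY_ALGORITHM_CONF_KEY, HConstants.CIPHER_AES);
    Key key = new SecretKeySpec(keyBytes, algorithm);

    // NOTE(review): non-null only shows that something was returned; this test does not
    // itself check that the wrapped form conceals the key bytes.
    byte[] wrappedKeyBytes = EncryptionUtil.wrapKey(conf, WRAP_SUBJECT, key);
    assertNotNull(wrappedKeyBytes);

    Key unwrappedKey = EncryptionUtil.unwrapKey(conf, WRAP_SUBJECT, wrappedKeyBytes);
    assertRoundTrip(keyBytes, unwrappedKey);

    // A wrapped key must not be recoverable under a different name.
    try {
      EncryptionUtil.unwrapKey(conf, WRONG_SUBJECT, wrappedKeyBytes);
      fail("Unwrap with incorrect key did not throw KeyException");
    } catch (KeyException expected) {
      // Rejection is the behavior under test.
    }
  }

  /**
   * Wraps a random key labelled with the WAL algorithm and checks that
   * {@code unwrapWALKey} under the same name returns the original bytes.
   */
  @Test
  public void testWALKeyWrapping() throws Exception {
    Configuration conf = newTestConfiguration();

    // Random key material, labelled with the configured WAL algorithm (AES by default).
    byte[] keyBytes = randomKeyBytes();
    String algorithm = conf.get(HConstants.CRYPTO_WAL_ALGORITHM_CONF_KEY, HConstants.CIPHER_AES);
    Key key = new SecretKeySpec(keyBytes, algorithm);

    byte[] wrappedKeyBytes = EncryptionUtil.wrapKey(conf, WRAP_SUBJECT, key);
    assertNotNull(wrappedKeyBytes);

    Key unwrappedKey = EncryptionUtil.unwrapWALKey(conf, WRAP_SUBJECT, wrappedKeyBytes);
    assertRoundTrip(keyBytes, unwrappedKey);
  }

  /**
   * Checks that {@code unwrapWALKey} under a different name throws {@link KeyException}.
   *
   * <p>The expectation is scoped to the unwrap call alone, matching {@link #testKeyWrapping()}.
   * With {@code @Test(expected = ...)} on the whole method, a {@link KeyException} raised
   * during setup or wrapping would also have counted as a pass.
   */
  @Test
  public void testWALKeyWrappingWithIncorrectKey() throws Exception {
    Configuration conf = newTestConfiguration();

    // Random key material, labelled with the configured WAL algorithm (AES by default).
    byte[] keyBytes = randomKeyBytes();
    String algorithm = conf.get(HConstants.CRYPTO_WAL_ALGORITHM_CONF_KEY, HConstants.CIPHER_AES);
    Key key = new SecretKeySpec(keyBytes, algorithm);

    byte[] wrappedKeyBytes = EncryptionUtil.wrapKey(conf, WRAP_SUBJECT, key);
    assertNotNull(wrappedKeyBytes);

    try {
      EncryptionUtil.unwrapWALKey(conf, WRONG_SUBJECT, wrappedKeyBytes);
      fail("Unwrap with incorrect key did not throw KeyException");
    } catch (KeyException expected) {
      // Rejection is the behavior under test.
    }
  }
}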