/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.parquet.crypto.keytools;
import java.io.IOException;
import java.io.StringReader;
import java.util.HashMap;
import java.util.Map;
import org.apache.parquet.crypto.ParquetCryptoRuntimeException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.core.type.TypeReference;
/**
* The KeyMaterial class represents the "key material": the information that allows readers to recover an encryption key (see
* the description of the KeyMetadata class). The keytools package (PARQUET-1373) implements the "envelope encryption" pattern, in
* either a "single wrapping" or a "double wrapping" mode. In single wrapping mode, the key material is generated by encrypting the
* "data encryption key" (DEK) with a "master key". In double wrapping mode, the key material is generated by encrypting the DEK
* with a "key encryption key" (KEK), which in turn is encrypted with a "master key".
*
* Key material is kept in a flat JSON object, with the following fields:
* 1. "keyMaterialType" - a String, with the type of key material. In the current version, only one value is allowed - "PKMT1" (stands
* for "parquet key management tools, version 1"). For external key material storage, this field is written in both the "key metadata"
* and the "key material" JSON objects. For internal key material storage, this field is written only once, in the common JSON object.
* 2. "isFooterKey" - a boolean. If true, means that the material belongs to a file footer key, and keeps additional information (such as
* KMS instance ID and URL). If false, means that the material belongs to a column key.
* 3. "kmsInstanceID" - a String, with the KMS Instance ID. Written only in footer key material.
* 4. "kmsInstanceURL" - a String, with the KMS Instance URL. Written only in footer key material.
* 5. "masterKeyID" - a String, with the ID of the master key used to generate the material.
* 6. "wrappedDEK" - a String, with the wrapped DEK (base64 encoding).
* 7. "doubleWrapping" - a boolean. If true, means that the material was generated in double wrapping mode.
* If false - in single wrapping mode.
* 8. "keyEncryptionKeyID" - a String, with the ID of the KEK used to generate the material. Written only in double wrapping mode.
* 9. "wrappedKEK" - a String, with the wrapped KEK (base64 encoding). Written only in double wrapping mode.
*/
public class KeyMaterial {
// JSON field name holding the key material type, and the only value allowed for it in the current version.
static final String KEY_MATERIAL_TYPE_FIELD = "keyMaterialType";
static final String KEY_MATERIAL_TYPE1 = "PKMT1";
// NOTE(review): these two are not described in the class Javadoc and are not used in the visible code;
// presumably the IDs under which footer and column key material are referenced in a file - confirm against callers.
static final String FOOTER_KEY_ID_IN_FILE = "footerKey";
static final String COLUMN_KEY_ID_IN_FILE_PREFIX = "columnKey";
// Names of the remaining fields of the flat key material JSON object (see the class Javadoc for their meaning).
private static final String IS_FOOTER_KEY_FIELD = "isFooterKey";
private static final String DOUBLE_WRAPPING_FIELD = "doubleWrapping";
private static final String KMS_INSTANCE_ID_FIELD = "kmsInstanceID";
private static final String KMS_INSTANCE_URL_FIELD = "kmsInstanceURL";
private static final String MASTER_KEY_ID_FIELD = "masterKeyID";
private static final String WRAPPED_DEK_FIELD = "wrappedDEK";
private static final String KEK_ID_FIELD = "keyEncryptionKeyID";
private static final String WRAPPED_KEK_FIELD = "wrappedKEK";
// Single Jackson mapper instance shared by the class; parse() uses it to read the key material JSON.
private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
// True when the material belongs to a file footer key, false when it belongs to a column key.
private final boolean isFooterKey;
// KMS instance ID and URL; per the class Javadoc these are written only in footer key material.
// NOTE(review): when the material is parsed from stored JSON, the URL is whatever that JSON contains -
// confirm callers check it against trusted configuration before contacting the KMS.
private final String kmsInstanceID;
private final String kmsInstanceURL;
// ID of the master key used to generate the material.
private final String masterKeyID;
// True when the material was generated in double wrapping mode, false for single wrapping mode.
private final boolean isDoubleWrapped;
// KEK ID and wrapped KEK (base64 text); per the class Javadoc these are written only in double wrapping mode.
private final String kekID;
private final String encodedWrappedKEK;
// Wrapped DEK (base64 text). This is the encrypted form of the key, not the plaintext DEK.
private final String encodedWrappedDEK;
/**
 * Builds an immutable key material object from its individual field values.
 *
 * <p>The arguments are stored exactly as given: nothing is validated, decoded or copied here.
 *
 * @param isFooterKey true for footer key material, false for column key material
 * @param kmsInstanceID KMS instance ID (per the class Javadoc, written only in footer key material)
 * @param kmsInstanceURL KMS instance URL (per the class Javadoc, written only in footer key material)
 * @param masterKeyID ID of the master key used to generate the material
 * @param isDoubleWrapped true if the material was generated in double wrapping mode
 * @param kekID ID of the key encryption key (double wrapping mode only)
 * @param encodedWrappedKEK base64 text of the wrapped KEK (double wrapping mode only)
 * @param encodedWrappedDEK base64 text of the wrapped DEK
 */
private KeyMaterial(
    boolean isFooterKey,
    String kmsInstanceID,
    String kmsInstanceURL,
    String masterKeyID,
    boolean isDoubleWrapped,
    String kekID,
    String encodedWrappedKEK,
    String encodedWrappedDEK) {
  // Wrapped keys and the wrapping mode.
  this.encodedWrappedDEK = encodedWrappedDEK;
  this.isDoubleWrapped = isDoubleWrapped;
  this.kekID = kekID;
  this.encodedWrappedKEK = encodedWrappedKEK;

  // Master key reference.
  this.masterKeyID = masterKeyID;

  // Footer-key flag and the KMS details that accompany footer key material.
  this.isFooterKey = isFooterKey;
  this.kmsInstanceID = kmsInstanceID;
  this.kmsInstanceURL = kmsInstanceURL;
}
// parses external key material
static KeyMaterial parse(String keyMaterialString) {
Map keyMaterialJson = null;
try {
keyMaterialJson = OBJECT_MAPPER.readValue(new StringReader(keyMaterialString),
new TypeReference