key material documentation

ggershinsky · ggershinsky · commit 0355f65e5266 · 2020-07-01T09:24:29.000+03:00
diff --git a/parquet-hadoop/src/main/java/org/apache/parquet/crypto/keytools/KeyMaterial.java b/parquet-hadoop/src/main/java/org/apache/parquet/crypto/keytools/KeyMaterial.java
@@ -28,14 +28,35 @@
 import org.codehaus.jackson.map.ObjectMapper;
 import org.codehaus.jackson.type.TypeReference;
 
+/**
+ * KeyMaterial class represents the "key material", keeping the information that allows readers to recover an encryption key (see 
+ * description of the KeyMetadata class). The keytools package (PARQUET-1373) implements the "envelope encryption" pattern, in a 
+ * "single wrapping" or "double wrapping" mode. In the single wrapping mode, the key material is generated by encrypting the 
+ * "data encryption key" (DEK) by a "master key". In the double wrapping mode, the key material is generated by encrypting the DEK 
+ * by a "key encryption key" (KEK), that in turn is encrypted by a "master key".
+ * 
+ * Key material is kept in a flat json object, with the following fields:
+ * 1. "keyMaterialType" - a String, with the type of  key material. In the current version, only one value is allowed - "PKMT1" (stands 
+ *     for "parquet key management tools, version 1"). For external key material storage, this field is written in both "key metadata" and 
+ *     "key material" jsons. For internal key material storage, this field is written only once in the common json.
+ * 2. "isFooterKey" - a boolean. If true, means that the material belongs to a file footer key, and keeps additional information (such as
+ *     KMS instance ID and URL). If false, means that the material belongs to a column key.
+ * 3. "kmsInstanceID" - a String, with the KMS Instance ID. Written only in footer key material.
+ * 4. "kmsInstanceURL" - a String, with the KMS Instance URL. Written only in footer key material.
+ * 5. "masterKeyID" - a String, with the ID of the master key used to generate the material.
+ * 6. "wrappedDEK" - a String, with the wrapped DEK (base64 encoding).
+ * 7. "doubleWrapping" - a boolean. If true, means that the material was generated in double wrapping mode. 
+ *     If false - in single wrapping mode.
+ * 8. "keyEncryptionKeyID" - a String, with the ID of the KEK used to generate the material. Written only in double wrapping mode.
+ * 9. "wrappedKEK" - a String, with the wrapped KEK (base64 encoding). Written only in double wrapping mode.
+ */
 public class KeyMaterial {
   static final String KEY_MATERIAL_TYPE_FIELD = "keyMaterialType";
-  static final String KEY_MATERIAL_TYPE = "PKMT1";
-  static final String KEY_MATERIAL_INTERNAL_STORAGE_FIELD = "internalStorage";
+  static final String KEY_MATERIAL_TYPE1 = "PKMT1";
 
   static final String FOOTER_KEY_ID_IN_FILE = "footerKey";
   static final String COLUMN_KEY_ID_IN_FILE_PREFIX = "columnKey";
-  
+
   private static final String IS_FOOTER_KEY_FIELD = "isFooterKey";
   private static final String DOUBLE_WRAPPING_FIELD = "doubleWrapping";
   private static final String KMS_INSTANCE_ID_FIELD = "kmsInstanceID";
@@ -68,60 +89,83 @@ private KeyMaterial(boolean isFooterKey, String kmsInstanceID, String kmsInstanc
     this.encodedWrappedDEK = encodedWrappedDEK;
   }
 
+  // parses external key material
+  static KeyMaterial parse(String keyMaterialString) {
+    Map<String, String> keyMaterialJson = null;
+    try {
+      keyMaterialJson = OBJECT_MAPPER.readValue(new StringReader(keyMaterialString),
+          new TypeReference<Map<String, String>>() {});
+    } catch (IOException e) {
+      throw new ParquetCryptoRuntimeException("Failed to parse key metadata " + keyMaterialString, e);
+    }
+    // 1. External key material - extract "key material type", and make sure it is supported
+    String keyMaterialType = keyMaterialJson.get(KEY_MATERIAL_TYPE_FIELD);
+    if (!KEY_MATERIAL_TYPE1.equals(keyMaterialType)) {
+      throw new ParquetCryptoRuntimeException("Wrong key material type: " + keyMaterialType + 
+          " vs " + KEY_MATERIAL_TYPE1);
+    }
+    // Parse other fields (common to internal and external key material)
+    return parse(keyMaterialJson);
+  }
+
+  // parses fields common to internal and external key material
   static KeyMaterial parse(Map<String, String> keyMaterialJson) {
+    // 2. Check if "key material" belongs to file footer key
     boolean isFooterKey = Boolean.valueOf(keyMaterialJson.get(IS_FOOTER_KEY_FIELD));
     String kmsInstanceID = null;
     String kmsInstanceURL = null;
     if (isFooterKey) {
+      // 3.  For footer key, extract KMS Instance ID
       kmsInstanceID = keyMaterialJson.get(KMS_INSTANCE_ID_FIELD);
+      // 4.  For footer key, extract KMS Instance URL
       kmsInstanceURL = keyMaterialJson.get(KMS_INSTANCE_URL_FIELD);
     }
-    boolean isDoubleWrapped = Boolean.valueOf(keyMaterialJson.get(DOUBLE_WRAPPING_FIELD));
+    // 5. Extract master key ID
     String masterKeyID = keyMaterialJson.get(MASTER_KEY_ID_FIELD);
+    // 6. Extract wrapped DEK
     String  encodedWrappedDEK = keyMaterialJson.get(WRAPPED_DEK_FIELD);
     String kekID = null;
     String encodedWrappedKEK = null;
+    // 7. Check if "key material" was generated in double wrapping mode
+    boolean isDoubleWrapped = Boolean.valueOf(keyMaterialJson.get(DOUBLE_WRAPPING_FIELD));
     if (isDoubleWrapped) {
+      // 8. In double wrapping mode, extract KEK ID
       kekID = keyMaterialJson.get(KEK_ID_FIELD);
+      // 9. In double wrapping mode, extract wrapped KEK
       encodedWrappedKEK = keyMaterialJson.get(WRAPPED_KEK_FIELD);
     }
 
     return new KeyMaterial(isFooterKey, kmsInstanceID, kmsInstanceURL, masterKeyID, isDoubleWrapped, kekID, encodedWrappedKEK, encodedWrappedDEK);
   }
 
-  static KeyMaterial parse(String keyMaterialString) {
-    Map<String, String> keyMaterialJson = null;
-    try {
-      keyMaterialJson = OBJECT_MAPPER.readValue(new StringReader(keyMaterialString),
-          new TypeReference<Map<String, String>>() {});
-    } catch (IOException e) {
-      throw new ParquetCryptoRuntimeException("Failed to parse key metadata " + keyMaterialString, e);
-    }
-    String keyMaterialType = keyMaterialJson.get(KEY_MATERIAL_TYPE_FIELD);
-    if (!KEY_MATERIAL_TYPE.equals(keyMaterialType)) {
-      throw new ParquetCryptoRuntimeException("Wrong key material type: " + keyMaterialType + 
-          " vs " + KEY_MATERIAL_TYPE);
-    }
-    return parse(keyMaterialJson);
-  }
-
   static String createSerialized(boolean isFooterKey, String kmsInstanceID, String kmsInstanceURL, String masterKeyID, 
       boolean isDoubleWrapped, String kekID, String encodedWrappedKEK, String encodedWrappedDEK, boolean isInternalStorage) {
     Map<String, String> keyMaterialMap = new HashMap<String, String>(10);
-    keyMaterialMap.put(KEY_MATERIAL_TYPE_FIELD, KEY_MATERIAL_TYPE);
+    // 1. Write "key material type"
+    keyMaterialMap.put(KEY_MATERIAL_TYPE_FIELD, KEY_MATERIAL_TYPE1);
     if (isInternalStorage) {
-      keyMaterialMap.put(KEY_MATERIAL_INTERNAL_STORAGE_FIELD, "true");
+      // for internal storage, key material and key metadata are the same.
+      // adding the "internalStorage" field that belongs to KeyMetadata.
+      keyMaterialMap.put(KeyMetadata.KEY_MATERIAL_INTERNAL_STORAGE_FIELD, "true");
     }
+    // 2. Write isFooterKey
     keyMaterialMap.put(IS_FOOTER_KEY_FIELD, Boolean.toString(isFooterKey));
     if (isFooterKey) {
+      // 3. For footer key, write KMS Instance ID
       keyMaterialMap.put(KMS_INSTANCE_ID_FIELD, kmsInstanceID);
+      // 4. For footer key, write KMS Instance URL
       keyMaterialMap.put(KMS_INSTANCE_URL_FIELD, kmsInstanceURL);
     }
+    // 5. Write master key ID
     keyMaterialMap.put(MASTER_KEY_ID_FIELD, masterKeyID);
+    // 6. Write wrapped DEK
     keyMaterialMap.put(WRAPPED_DEK_FIELD, encodedWrappedDEK);
+    // 7. Write isDoubleWrapped
     keyMaterialMap.put(DOUBLE_WRAPPING_FIELD, Boolean.toString(isDoubleWrapped));
     if (isDoubleWrapped) {
+      // 8. In double wrapping mode, write KEK ID
       keyMaterialMap.put(KEK_ID_FIELD, kekID);
+      // 9. In double wrapping mode, write wrapped KEK
       keyMaterialMap.put(WRAPPED_KEK_FIELD, encodedWrappedKEK);
     }
 
diff --git a/parquet-hadoop/src/main/java/org/apache/parquet/crypto/keytools/KeyMetadata.java b/parquet-hadoop/src/main/java/org/apache/parquet/crypto/keytools/KeyMetadata.java
@@ -29,7 +29,27 @@
 import org.codehaus.jackson.map.ObjectMapper;
 import org.codehaus.jackson.type.TypeReference;
 
+/**
+ * Parquet encryption specification defines "key metadata" as an arbitrary byte array, generated by file writers for each encryption key, 
+ * and passed to the low level API for storage in the file footer . The "key metadata" field is made available to file readers to enable 
+ * recovery of the key. This simple interface can be utilized for implementation of any key management scheme.
+ * 
+ * The keytools package (PARQUET-1373) implements one approach, of many possible, to key management and to generation of the "key metadata" 
+ * fields. This approach, based on the "envelope encryption" pattern, allows to work with KMS servers. It keeps the actual material, 
+ * required to recover a key, in a "key material" object (see the KeyMaterial class for details).
+ * 
+ * KeyMetadata class writes (and reads) the "key metadata" field as a flat json object, with the following fields:
+ * 1. "keyMaterialType" - a String, with the type of  key material. In the current version, only one value is allowed - "PKMT1" (stands 
+ *     for "parquet key management tools, version 1")
+ * 2. "internalStorage" - a boolean. If true, means that "key material" is kept inside the "key metadata" field. If false, "key material"
+ *     is kept externally (outside Parquet files) - in this case, "key metadata" keeps a reference to the external "key material".
+ * 3. "keyReference" - a String, with the reference to the external "key material". Written only if internalStorage is false.
+ * 
+ * If internalStorage is true, "key material" is a part of "key metadata", and the json keeps additional fields, described in the
+ * KeyMaterial class.
+ */
 public class KeyMetadata {
+  static final String KEY_MATERIAL_INTERNAL_STORAGE_FIELD = "internalStorage";
   private static final String KEY_REFERENCE_FIELD = "keyReference";
 
   private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
@@ -54,30 +74,39 @@ static KeyMetadata parse(byte[] keyMetadataBytes) {
       throw new ParquetCryptoRuntimeException("Failed to parse key metadata " + keyMetaDataString, e);
     }
 
+    // 1. Extract "key material type", and make sure it is supported
     String keyMaterialType = keyMetadataJson.get(KeyMaterial.KEY_MATERIAL_TYPE_FIELD);
-    if (!KeyMaterial.KEY_MATERIAL_TYPE.equals(keyMaterialType)) {
+    if (!KeyMaterial.KEY_MATERIAL_TYPE1.equals(keyMaterialType)) {
       throw new ParquetCryptoRuntimeException("Wrong key material type: " + keyMaterialType + 
-          " vs " + KeyMaterial.KEY_MATERIAL_TYPE);
+          " vs " + KeyMaterial.KEY_MATERIAL_TYPE1);
     }
 
-    boolean isInternalStorage = Boolean.parseBoolean(keyMetadataJson.get(KeyMaterial.KEY_MATERIAL_INTERNAL_STORAGE_FIELD));
+    // 2. Check if "key material" is stored internally in Parquet file key metadata, or is stored externally
+    boolean isInternalStorage = Boolean.parseBoolean(keyMetadataJson.get(KEY_MATERIAL_INTERNAL_STORAGE_FIELD));
     String keyReference;
     KeyMaterial keyMaterial;
 
     if (isInternalStorage) {
-      keyReference = null;
+      // 3.1 "key material" is stored internally, inside "key metadata" - parse it
       keyMaterial = KeyMaterial.parse(keyMetadataJson);
+      keyReference = null;
     } else {
+      // 3.2 "key material" is stored externally. "key metadata" keeps a reference to it
       keyReference = keyMetadataJson.get(KEY_REFERENCE_FIELD);
       keyMaterial = null;
     }
+
     return new KeyMetadata(isInternalStorage, keyReference, keyMaterial);
   }
 
+  // For external material only. For internal material, create serialized KeyMaterial directly
   static String createSerializedForExternalMaterial(String keyReference) {
     Map<String, String> keyMetadataMap = new HashMap<String, String>(3);
-    keyMetadataMap.put(KeyMaterial.KEY_MATERIAL_TYPE_FIELD, KeyMaterial.KEY_MATERIAL_TYPE);
-    keyMetadataMap.put(KeyMaterial.KEY_MATERIAL_INTERNAL_STORAGE_FIELD, "false");
+    // 1. Write "key material type"
+    keyMetadataMap.put(KeyMaterial.KEY_MATERIAL_TYPE_FIELD, KeyMaterial.KEY_MATERIAL_TYPE1);
+    // 2. Write internal storage as false
+    keyMetadataMap.put(KEY_MATERIAL_INTERNAL_STORAGE_FIELD, "false");
+    // 3. For externally stored "key material", "key metadata" keeps only a reference to it
     keyMetadataMap.put(KEY_REFERENCE_FIELD, keyReference);
 
     try {
diff --git a/parquet-hadoop/src/main/java/org/apache/parquet/crypto/keytools/PropertiesDrivenCryptoFactory.java b/parquet-hadoop/src/main/java/org/apache/parquet/crypto/keytools/PropertiesDrivenCryptoFactory.java
@@ -23,9 +23,7 @@
 import java.security.SecureRandom;
 import java.util.Arrays;
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.Map;
-import java.util.Set;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.Path;
@@ -46,10 +44,8 @@
 
 public class PropertiesDrivenCryptoFactory implements EncryptionPropertiesFactory, DecryptionPropertiesFactory {
   private static final Logger LOG = LoggerFactory.getLogger(PropertiesDrivenCryptoFactory.class);
-  
-  private static final Integer[] ACCEPTABLE_DATA_KEY_LENGTHS = {128, 192, 256};
-  private static final Set<Integer> ACCEPTABLE_DATA_KEY_LENGTHS_SET =
-    new HashSet<>(Arrays.asList(ACCEPTABLE_DATA_KEY_LENGTHS));
+
+  private static final int[] ACCEPTABLE_DATA_KEY_LENGTHS = {128, 192, 256};
 
   /**
    * List of columns to encrypt, with master key IDs (see HIVE-21848).
@@ -117,7 +113,7 @@ public FileEncryptionProperties getFileEncryptionProperties(Configuration fileHa
     int dekLengthBits = fileHadoopConfig.getInt(KeyToolkit.DATA_KEY_LENGTH_PROPERTY_NAME,
         KeyToolkit.DATA_KEY_LENGTH_DEFAULT);
 
-    if (!ACCEPTABLE_DATA_KEY_LENGTHS_SET.contains(dekLengthBits)) {
+    if (Arrays.binarySearch(ACCEPTABLE_DATA_KEY_LENGTHS, dekLengthBits) < 0) {
       throw new ParquetCryptoRuntimeException("Wrong data key length : " + dekLengthBits);
     }
 
diff --git a/parquet-hadoop/src/main/java/org/apache/parquet/crypto/keytools/RemoteKmsClient.java b/parquet-hadoop/src/main/java/org/apache/parquet/crypto/keytools/RemoteKmsClient.java
@@ -49,6 +49,18 @@ public abstract class RemoteKmsClient implements KmsClient {
   // MasterKey cache: master keys per key ID (per KMS Client). For local wrapping only.
   private ConcurrentMap<String, byte[]> masterKeyCache;
 
+  /**
+   * KMS systems wrap keys by encrypting them by master keys, and attaching additional information (such as the version 
+   * number of the masker key) to the result of encryption. The master key version is required in  key rotation.
+   * Currently, the local wrapping mode does not support key rotation (because not all KMS systems allow to fetch a master
+   * key by its ID and version number). Still, the local wrapping mode adds a placeholder for the master key version, that will
+   * enable support for key rotation in this mode in the future, with appropriate KMS systems. This will also enable backward
+   * compatibility, where future readers will be able to extract master key version in the files written by the current code.
+   * 
+   * LocalKeyWrap class writes (and reads) the "key wrap" as a flat json with the following fields:
+   * 1. "masterKeyVersion" - a String, with the master key version. In the current version, only one value is allowed - "NO_VERSION".
+   * 2. "encryptedKey" - a String, with the key encrypted by the master key (base64-encoded).
+   */
   static class LocalKeyWrap {
     public static final String LOCAL_WRAP_KEY_VERSION_FIELD = "masterKeyVersion";
     public static final String LOCAL_WRAP_ENCRYPTED_KEY_FIELD = "encryptedKey";
