projects / ceph.git / blame
| Commit | Line | Data |
|---|---|---|
| 1d09f67e TL |
1 | // Licensed to the Apache Software Foundation (ASF) under one |
| 2 | // or more contributor license agreements. See the NOTICE file | |
| 3 | // distributed with this work for additional information | |
| 4 | // regarding copyright ownership. The ASF licenses this file | |
| 5 | // to you under the Apache License, Version 2.0 (the | |
| 6 | // "License"); you may not use this file except in compliance | |
| 7 | // with the License. You may obtain a copy of the License at | |
| 8 | // | |
| 9 | // http://www.apache.org/licenses/LICENSE-2.0 | |
| 10 | // | |
| 11 | // Unless required by applicable law or agreed to in writing, | |
| 12 | // software distributed under the License is distributed on an | |
| 13 | // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | |
| 14 | // KIND, either express or implied. See the License for the | |
| 15 | // specific language governing permissions and limitations | |
| 16 | // under the License. | |
| 17 | ||
| 18 | #pragma once | |
| 19 | ||
| 20 | #include <string> | |
| 21 | ||
| 22 | #include "parquet/platform.h" | |
| 23 | ||
| 24 | namespace arrow { | |
| 25 | namespace json { | |
| 26 | namespace internal { | |
| 27 | class ObjectParser; | |
| 28 | } // namespace internal | |
| 29 | } // namespace json | |
| 30 | } // namespace arrow | |
| 31 | ||
| 32 | namespace parquet { | |
| 33 | namespace encryption { | |
| 34 | ||
| 35 | // KeyMaterial class represents the "key material", keeping the information that allows | |
| 36 | // readers to recover an encryption key (see description of the KeyMetadata class). The | |
| 37 | // keytools package (PARQUET-1373) implements the "envelope encryption" pattern, in a | |
| 38 | // "single wrapping" or "double wrapping" mode. In the single wrapping mode, the key | |
| 39 | // material is generated by encrypting the "data encryption key" (DEK) by a "master key". | |
| 40 | // In the double wrapping mode, the key material is generated by encrypting the DEK by a | |
| 41 | // "key encryption key" (KEK), that in turn is encrypted by a "master key". | |
| 42 | // | |
| 43 | // Key material is kept in a flat json object, with the following fields: | |
| 44 | // 1. "keyMaterialType" - a String, with the type of key material. In the current | |
| 45 | // version, only one value is allowed - "PKMT1" (stands | |
| 46 | // for "parquet key management tools, version 1"). For external key material storage, | |
| 47 | // this field is written in both "key metadata" and "key material" jsons. For internal | |
| 48 | // key material storage, this field is written only once in the common json. | |
| 49 | // 2. "isFooterKey" - a boolean. If true, means that the material belongs to a file footer | |
| 50 | // key, and keeps additional information (such as | |
| 51 | // KMS instance ID and URL). If false, means that the material belongs to a column | |
| 52 | // key. | |
| 53 | // 3. "kmsInstanceID" - a String, with the KMS Instance ID. Written only in footer key | |
| 54 | // material. | |
| 55 | // 4. "kmsInstanceURL" - a String, with the KMS Instance URL. Written only in footer key | |
| 56 | // material. | |
| 57 | // 5. "masterKeyID" - a String, with the ID of the master key used to generate the | |
| 58 | // material. | |
| 59 | // 6. "wrappedDEK" - a String, with the wrapped DEK (base64 encoding). | |
| 60 | // 7. "doubleWrapping" - a boolean. If true, means that the material was generated in | |
| 61 | // double wrapping mode. | |
| 62 | // If false - in single wrapping mode. | |
| 63 | // 8. "keyEncryptionKeyID" - a String, with the ID of the KEK used to generate the | |
| 64 | // material. Written only in double wrapping mode. | |
| 65 | // 9. "wrappedKEK" - a String, with the wrapped KEK (base64 encoding). Written only in | |
| 66 | // double wrapping mode. | |
| 67 | class PARQUET_EXPORT KeyMaterial { | |
| 68 | public: | |
| 69 | // these fields are defined in a specification and should never be changed | |
| 70 | static constexpr const char kKeyMaterialTypeField[] = "keyMaterialType"; | |
| 71 | static constexpr const char kKeyMaterialType1[] = "PKMT1"; | |
| 72 | ||
| 73 | static constexpr const char kFooterKeyIdInFile[] = "footerKey"; | |
| 74 | static constexpr const char kColumnKeyIdInFilePrefix[] = "columnKey"; | |
| 75 | ||
| 76 | static constexpr const char kIsFooterKeyField[] = "isFooterKey"; | |
| 77 | static constexpr const char kDoubleWrappingField[] = "doubleWrapping"; | |
| 78 | static constexpr const char kKmsInstanceIdField[] = "kmsInstanceID"; | |
| 79 | static constexpr const char kKmsInstanceUrlField[] = "kmsInstanceURL"; | |
| 80 | static constexpr const char kMasterKeyIdField[] = "masterKeyID"; | |
| 81 | static constexpr const char kWrappedDataEncryptionKeyField[] = "wrappedDEK"; | |
| 82 | static constexpr const char kKeyEncryptionKeyIdField[] = "keyEncryptionKeyID"; | |
| 83 | static constexpr const char kWrappedKeyEncryptionKeyField[] = "wrappedKEK"; | |
| 84 | ||
| 85 | public: | |
| 86 | KeyMaterial() = default; | |
| 87 | ||
| 88 | static KeyMaterial Parse(const std::string& key_material_string); | |
| 89 | ||
| 90 | static KeyMaterial Parse( | |
| 91 | const ::arrow::json::internal::ObjectParser* key_material_json); | |
| 92 | ||
| 93 | /// This method returns a json string that will be stored either inside a parquet file | |
| 94 | /// or in a key material store outside the parquet file. | |
| 95 | static std::string SerializeToJson(bool is_footer_key, | |
| 96 | const std::string& kms_instance_id, | |
| 97 | const std::string& kms_instance_url, | |
| 98 | const std::string& master_key_id, | |
| 99 | bool is_double_wrapped, const std::string& kek_id, | |
| 100 | const std::string& encoded_wrapped_kek, | |
| 101 | const std::string& encoded_wrapped_dek, | |
| 102 | bool is_internal_storage); | |
| 103 | ||
| 104 | bool is_footer_key() const { return is_footer_key_; } | |
| 105 | bool is_double_wrapped() const { return is_double_wrapped_; } | |
| 106 | const std::string& master_key_id() const { return master_key_id_; } | |
| 107 | const std::string& wrapped_dek() const { return encoded_wrapped_dek_; } | |
| 108 | const std::string& kek_id() const { return kek_id_; } | |
| 109 | const std::string& wrapped_kek() const { return encoded_wrapped_kek_; } | |
| 110 | const std::string& kms_instance_id() const { return kms_instance_id_; } | |
| 111 | const std::string& kms_instance_url() const { return kms_instance_url_; } | |
| 112 | ||
| 113 | private: | |
| 114 | KeyMaterial(bool is_footer_key, const std::string& kms_instance_id, | |
| 115 | const std::string& kms_instance_url, const std::string& master_key_id, | |
| 116 | bool is_double_wrapped, const std::string& kek_id, | |
| 117 | const std::string& encoded_wrapped_kek, | |
| 118 | const std::string& encoded_wrapped_dek); | |
| 119 | ||
| 120 | bool is_footer_key_; | |
| 121 | std::string kms_instance_id_; | |
| 122 | std::string kms_instance_url_; | |
| 123 | std::string master_key_id_; | |
| 124 | bool is_double_wrapped_; | |
| 125 | std::string kek_id_; | |
| 126 | std::string encoded_wrapped_kek_; | |
| 127 | std::string encoded_wrapped_dek_; | |
| 128 | }; | |
| 129 | ||
| 130 | } // namespace encryption | |
| 131 | } // namespace parquet |