org.apache.hadoop.crypto.CipherOption Java Examples
The following examples show how to use
org.apache.hadoop.crypto.CipherOption.
Example #1
Source File: PBHelper.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * Converts a {@link CipherOption} into its protobuf wire form.
 *
 * <p>Only the fields that are non-null on the option are set on the message;
 * the others stay unset. Key and IV bytes are copied into immutable
 * {@code ByteString}s, so later changes to the option's arrays do not leak
 * into the message. Keys are copied verbatim; protecting them for transport
 * (see {@code DataTransferSaslUtil#wrap}) is up to the caller.
 *
 * @param option the cipher option to convert, may be null
 * @return the protobuf message, or null when {@code option} is null
 */
public static CipherOptionProto convert(CipherOption option) {
  if (option == null) {
    return null;
  }
  CipherOptionProto.Builder b = CipherOptionProto.newBuilder();
  CipherSuite suite = option.getCipherSuite();
  if (suite != null) {
    b.setSuite(convert(suite));
  }
  byte[] inKey = option.getInKey();
  if (inKey != null) {
    b.setInKey(ByteString.copyFrom(inKey));
  }
  byte[] inIv = option.getInIv();
  if (inIv != null) {
    b.setInIv(ByteString.copyFrom(inIv));
  }
  byte[] outKey = option.getOutKey();
  if (outKey != null) {
    b.setOutKey(ByteString.copyFrom(outKey));
  }
  byte[] outIv = option.getOutIv();
  if (outIv != null) {
    b.setOutIv(ByteString.copyFrom(outIv));
  }
  return b.build();
}
Example #2
Source File: DataTransferSaslUtil.java From big-c with Apache License 2.0 | 6 votes |
/**
 * Wraps the raw connection streams in a
 * {@link org.apache.hadoop.crypto.CryptoInputStream} /
 * {@link org.apache.hadoop.crypto.CryptoOutputStream} pair keyed from the
 * negotiated cipher option.
 *
 * <p>The option carries two key/IV pairs, one per direction. The server
 * reads with the "in" material and writes with the "out" material; the
 * client uses the same material the other way round, so each direction is
 * encrypted under its own key and IV.
 *
 * @param conf the configuration
 * @param cipherOption negotiated cipher option; must not be null
 * @param out underlying output stream
 * @param in underlying input stream
 * @param isServer is server side
 * @return IOStreamPair the stream pair
 * @throws IOException for any error
 */
public static IOStreamPair createStreamPair(Configuration conf,
    CipherOption cipherOption, OutputStream out, InputStream in,
    boolean isServer) throws IOException {
  if (LOG.isDebugEnabled()) {
    LOG.debug("Creating IOStreamPair of CryptoInputStream and "
        + "CryptoOutputStream.");
  }
  CryptoCodec codec = CryptoCodec.getInstance(conf,
      cipherOption.getCipherSuite());
  // Select the per-direction material once instead of at each constructor.
  byte[] readKey;
  byte[] readIv;
  byte[] writeKey;
  byte[] writeIv;
  if (isServer) {
    readKey = cipherOption.getInKey();
    readIv = cipherOption.getInIv();
    writeKey = cipherOption.getOutKey();
    writeIv = cipherOption.getOutIv();
  } else {
    readKey = cipherOption.getOutKey();
    readIv = cipherOption.getOutIv();
    writeKey = cipherOption.getInKey();
    writeIv = cipherOption.getInIv();
  }
  InputStream cIn = new CryptoInputStream(in, codec, readKey, readIv);
  OutputStream cOut = new CryptoOutputStream(out, codec, writeKey, writeIv);
  return new IOStreamPair(cIn, cOut);
}
Example #3
Source File: DataTransferSaslUtil.java From big-c with Apache License 2.0 | 6 votes |
/**
 * Sends a SASL message plus the single negotiated cipher option to the client.
 *
 * <p>The message is written length-delimited and the stream is flushed so the
 * peer can parse it immediately. The option is serialized as given; the server
 * handshake wraps its keys with the SASL layer before calling this.
 *
 * @param out stream to receive message
 * @param payload to send, may be null
 * @param option negotiated cipher option, may be null
 * @throws IOException for any error
 */
public static void sendSaslMessageAndNegotiatedCipherOption(
    OutputStream out, byte[] payload, CipherOption option)
    throws IOException {
  DataTransferEncryptorMessageProto.Builder msg =
      DataTransferEncryptorMessageProto.newBuilder()
          .setStatus(DataTransferEncryptorStatus.SUCCESS);
  if (payload != null) {
    msg.setPayload(ByteString.copyFrom(payload));
  }
  if (option != null) {
    msg.addCipherOption(PBHelper.convert(option));
  }
  msg.build().writeDelimitedTo(out);
  out.flush();
}
Example #4
Source File: PBHelper.java From big-c with Apache License 2.0 | 6 votes |
/**
 * Converts a {@link CipherOption} into its protobuf wire form.
 *
 * <p>Only the fields that are non-null on the option are set on the message;
 * the others stay unset. Key and IV bytes are copied into immutable
 * {@code ByteString}s, so later changes to the option's arrays do not leak
 * into the message. Keys are copied verbatim; protecting them for transport
 * (see {@code DataTransferSaslUtil#wrap}) is up to the caller.
 *
 * @param option the cipher option to convert, may be null
 * @return the protobuf message, or null when {@code option} is null
 */
public static CipherOptionProto convert(CipherOption option) {
  if (option == null) {
    return null;
  }
  CipherOptionProto.Builder b = CipherOptionProto.newBuilder();
  CipherSuite suite = option.getCipherSuite();
  if (suite != null) {
    b.setSuite(convert(suite));
  }
  byte[] inKey = option.getInKey();
  if (inKey != null) {
    b.setInKey(ByteString.copyFrom(inKey));
  }
  byte[] inIv = option.getInIv();
  if (inIv != null) {
    b.setInIv(ByteString.copyFrom(inIv));
  }
  byte[] outKey = option.getOutKey();
  if (outKey != null) {
    b.setOutKey(ByteString.copyFrom(outKey));
  }
  byte[] outIv = option.getOutIv();
  if (outIv != null) {
    b.setOutIv(ByteString.copyFrom(outIv));
  }
  return b.build();
}
Example #5
Source File: DataTransferSaslUtil.java From big-c with Apache License 2.0 | 6 votes |
/**
 * Reads a SASL negotiation message together with the cipher options the
 * client proposes.
 *
 * <p>An {@code ERROR_UNKNOWN_KEY} status from the peer becomes an
 * {@link InvalidEncryptionKeyException}; any other {@code ERROR} status
 * becomes a plain {@link IOException}. In both cases the peer-supplied
 * message text is used as the exception message.
 *
 * @param in stream to read
 * @param cipherOptions list that the proposed cipher options are appended to
 * @return byte[] SASL negotiation message
 * @throws IOException for any error
 */
public static byte[] readSaslMessageAndNegotiationCipherOptions(
    InputStream in, List<CipherOption> cipherOptions) throws IOException {
  DataTransferEncryptorMessageProto proto =
      DataTransferEncryptorMessageProto.parseFrom(vintPrefixed(in));
  DataTransferEncryptorStatus status = proto.getStatus();
  if (status == DataTransferEncryptorStatus.ERROR_UNKNOWN_KEY) {
    throw new InvalidEncryptionKeyException(proto.getMessage());
  }
  if (status == DataTransferEncryptorStatus.ERROR) {
    throw new IOException(proto.getMessage());
  }
  List<CipherOptionProto> proposed = proto.getCipherOptionList();
  if (proposed != null) {
    for (CipherOptionProto p : proposed) {
      cipherOptions.add(PBHelper.convert(p));
    }
  }
  return proto.getPayload().toByteArray();
}
Example #6
Source File: PBHelper.java From big-c with Apache License 2.0 | 6 votes |
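/**
 * Converts a protobuf {@code CipherOptionProto} back into a {@link CipherOption}.
 *
 * <p>Field presence is tested with the generated {@code has*()} accessors.
 * Protobuf getters never return null (an unset bytes field reads as an empty
 * {@code ByteString}, an unset enum as its default), so a null comparison on
 * a getter can never detect an absent field. Absent fields map to null, which
 * is what the null checks in {@code wrap}/{@code unwrap} and in the reverse
 * {@code convert(CipherOption)} are written against.
 *
 * @param proto the message to convert, may be null
 * @return the cipher option, or null when {@code proto} is null
 */
public static CipherOption convert(CipherOptionProto proto) {
  if (proto == null) {
    return null;
  }
  CipherSuite suite = proto.hasSuite() ? convert(proto.getSuite()) : null;
  byte[] inKey = proto.hasInKey() ? proto.getInKey().toByteArray() : null;
  byte[] inIv = proto.hasInIv() ? proto.getInIv().toByteArray() : null;
  byte[] outKey = proto.hasOutKey() ? proto.getOutKey().toByteArray() : null;
  byte[] outIv = proto.hasOutIv() ? proto.getOutIv().toByteArray() : null;
  return new CipherOption(suite, inKey, inIv, outKey, outIv);
}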
Example #7
Source File: DataTransferSaslUtil.java From big-c with Apache License 2.0 | 6 votes |
/**
 * Sends a SASL negotiation message and the cipher options the client
 * proposes to the server.
 *
 * <p>The options are serialized as given; proposals are expected to carry
 * only a cipher suite, since the server generates the key material in
 * {@code negotiateCipherOption}. The message is length-delimited and the
 * stream is flushed afterwards.
 *
 * @param out stream to receive message
 * @param payload to send, may be null
 * @param options cipher options to negotiate, may be null
 * @throws IOException for any error
 */
public static void sendSaslMessageAndNegotiationCipherOptions(
    OutputStream out, byte[] payload, List<CipherOption> options)
    throws IOException {
  DataTransferEncryptorMessageProto.Builder msg =
      DataTransferEncryptorMessageProto.newBuilder()
          .setStatus(DataTransferEncryptorStatus.SUCCESS);
  if (payload != null) {
    msg.setPayload(ByteString.copyFrom(payload));
  }
  if (options != null) {
    msg.addAllCipherOption(PBHelper.convertCipherOptions(options));
  }
  msg.build().writeDelimitedTo(out);
  out.flush();
}
Example #8
Source File: DataTransferSaslUtil.java From big-c with Apache License 2.0 | 6 votes |
/**
 * Reads the server's SASL message and the cipher option it negotiated.
 *
 * <p>Error statuses are turned into exceptions carrying the peer-supplied
 * message text ({@code ERROR_UNKNOWN_KEY} into
 * {@link InvalidEncryptionKeyException}, {@code ERROR} into
 * {@link IOException}). Only the first cipher option in the message is
 * honoured; any further options are ignored.
 *
 * @param in stream to read
 * @return SaslResponseWithNegotiatedCipherOption SASL message and
 *         negotiated cipher option (null option when the server sent none)
 * @throws IOException for any error
 */
public static SaslResponseWithNegotiatedCipherOption
    readSaslMessageAndNegotiatedCipherOption(InputStream in)
    throws IOException {
  DataTransferEncryptorMessageProto proto =
      DataTransferEncryptorMessageProto.parseFrom(vintPrefixed(in));
  DataTransferEncryptorStatus status = proto.getStatus();
  if (status == DataTransferEncryptorStatus.ERROR_UNKNOWN_KEY) {
    throw new InvalidEncryptionKeyException(proto.getMessage());
  }
  if (status == DataTransferEncryptorStatus.ERROR) {
    throw new IOException(proto.getMessage());
  }
  byte[] response = proto.getPayload().toByteArray();
  List<CipherOption> offered =
      PBHelper.convertCipherOptionProtos(proto.getCipherOptionList());
  CipherOption chosen =
      (offered == null || offered.isEmpty()) ? null : offered.get(0);
  return new SaslResponseWithNegotiatedCipherOption(response, chosen);
}
Example #9
Source File: DataTransferSaslUtil.java From big-c with Apache License 2.0 | 6 votes |
/**
 * Encrypts the keys of the negotiated cipher option with the SASL layer.
 *
 * <p>Only the two keys are wrapped. The suite and both IVs are carried over
 * unchanged, i.e. this method does not encrypt the IVs. The input option is
 * not modified; a new option is returned.
 *
 * @param option negotiated cipher option, may be null
 * @param sasl SASL participant representing server
 * @return CipherOption carrying the wrapped keys, or null when
 *         {@code option} is null
 * @throws IOException for any error
 */
public static CipherOption wrap(CipherOption option, SaslParticipant sasl)
    throws IOException {
  if (option == null) {
    return null;
  }
  byte[] wrappedIn = option.getInKey();
  if (wrappedIn != null) {
    wrappedIn = sasl.wrap(wrappedIn, 0, wrappedIn.length);
  }
  byte[] wrappedOut = option.getOutKey();
  if (wrappedOut != null) {
    wrappedOut = sasl.wrap(wrappedOut, 0, wrappedOut.length);
  }
  return new CipherOption(option.getCipherSuite(), wrappedIn,
      option.getInIv(), wrappedOut, option.getOutIv());
}
Example #10
Source File: PBHelper.java From hadoop with Apache License 2.0 | 6 votes |
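/**
 * Converts a protobuf {@code CipherOptionProto} back into a {@link CipherOption}.
 *
 * <p>Field presence is tested with the generated {@code has*()} accessors.
 * Protobuf getters never return null (an unset bytes field reads as an empty
 * {@code ByteString}, an unset enum as its default), so a null comparison on
 * a getter can never detect an absent field. Absent fields map to null, which
 * is what the null checks in {@code wrap}/{@code unwrap} and in the reverse
 * {@code convert(CipherOption)} are written against.
 *
 * @param proto the message to convert, may be null
 * @return the cipher option, or null when {@code proto} is null
 */
public static CipherOption convert(CipherOptionProto proto) {
  if (proto == null) {
    return null;
  }
  CipherSuite suite = proto.hasSuite() ? convert(proto.getSuite()) : null;
  byte[] inKey = proto.hasInKey() ? proto.getInKey().toByteArray() : null;
  byte[] inIv = proto.hasInIv() ? proto.getInIv().toByteArray() : null;
  byte[] outKey = proto.hasOutKey() ? proto.getOutKey().toByteArray() : null;
  byte[] outIv = proto.hasOutIv() ? proto.getOutIv().toByteArray() : null;
  return new CipherOption(suite, inKey, inIv, outKey, outIv);
}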
Example #11
Source File: DataTransferSaslUtil.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * Decrypts the keys of the negotiated cipher option with the SASL layer.
 *
 * <p>Mirror image of {@code wrap}: only the two keys are unwrapped, while the
 * suite and both IVs are passed through unchanged. The input option is not
 * modified; a new option is returned.
 *
 * @param option negotiated cipher option, may be null
 * @param sasl SASL participant representing client
 * @return CipherOption carrying the plaintext keys, or null when
 *         {@code option} is null
 * @throws IOException for any error
 */
public static CipherOption unwrap(CipherOption option, SaslParticipant sasl)
    throws IOException {
  if (option == null) {
    return null;
  }
  byte[] plainIn = option.getInKey();
  if (plainIn != null) {
    plainIn = sasl.unwrap(plainIn, 0, plainIn.length);
  }
  byte[] plainOut = option.getOutKey();
  if (plainOut != null) {
    plainOut = sasl.unwrap(plainOut, 0, plainOut.length);
  }
  return new CipherOption(option.getCipherSuite(), plainIn,
      option.getInIv(), plainOut, option.getOutIv());
}
Example #12
Source File: DataTransferSaslUtil.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * Encrypts the keys of the negotiated cipher option with the SASL layer.
 *
 * <p>Only the two keys are wrapped. The suite and both IVs are carried over
 * unchanged, i.e. this method does not encrypt the IVs. The input option is
 * not modified; a new option is returned.
 *
 * @param option negotiated cipher option, may be null
 * @param sasl SASL participant representing server
 * @return CipherOption carrying the wrapped keys, or null when
 *         {@code option} is null
 * @throws IOException for any error
 */
public static CipherOption wrap(CipherOption option, SaslParticipant sasl)
    throws IOException {
  if (option == null) {
    return null;
  }
  byte[] wrappedIn = option.getInKey();
  if (wrappedIn != null) {
    wrappedIn = sasl.wrap(wrappedIn, 0, wrappedIn.length);
  }
  byte[] wrappedOut = option.getOutKey();
  if (wrappedOut != null) {
    wrappedOut = sasl.wrap(wrappedOut, 0, wrappedOut.length);
  }
  return new CipherOption(option.getCipherSuite(), wrappedIn,
      option.getInIv(), wrappedOut, option.getOutIv());
}
Example #13
Source File: DataTransferSaslUtil.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * Reads the server's SASL message and the cipher option it negotiated.
 *
 * <p>Error statuses are turned into exceptions carrying the peer-supplied
 * message text ({@code ERROR_UNKNOWN_KEY} into
 * {@link InvalidEncryptionKeyException}, {@code ERROR} into
 * {@link IOException}). Only the first cipher option in the message is
 * honoured; any further options are ignored.
 *
 * @param in stream to read
 * @return SaslResponseWithNegotiatedCipherOption SASL message and
 *         negotiated cipher option (null option when the server sent none)
 * @throws IOException for any error
 */
public static SaslResponseWithNegotiatedCipherOption
    readSaslMessageAndNegotiatedCipherOption(InputStream in)
    throws IOException {
  DataTransferEncryptorMessageProto proto =
      DataTransferEncryptorMessageProto.parseFrom(vintPrefixed(in));
  DataTransferEncryptorStatus status = proto.getStatus();
  if (status == DataTransferEncryptorStatus.ERROR_UNKNOWN_KEY) {
    throw new InvalidEncryptionKeyException(proto.getMessage());
  }
  if (status == DataTransferEncryptorStatus.ERROR) {
    throw new IOException(proto.getMessage());
  }
  byte[] response = proto.getPayload().toByteArray();
  List<CipherOption> offered =
      PBHelper.convertCipherOptionProtos(proto.getCipherOptionList());
  CipherOption chosen =
      (offered == null || offered.isEmpty()) ? null : offered.get(0);
  return new SaslResponseWithNegotiatedCipherOption(response, chosen);
}
Example #14
Source File: DataTransferSaslUtil.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * Sends a SASL negotiation message and the cipher options the client
 * proposes to the server.
 *
 * <p>The options are serialized as given; proposals are expected to carry
 * only a cipher suite, since the server generates the key material in
 * {@code negotiateCipherOption}. The message is length-delimited and the
 * stream is flushed afterwards.
 *
 * @param out stream to receive message
 * @param payload to send, may be null
 * @param options cipher options to negotiate, may be null
 * @throws IOException for any error
 */
public static void sendSaslMessageAndNegotiationCipherOptions(
    OutputStream out, byte[] payload, List<CipherOption> options)
    throws IOException {
  DataTransferEncryptorMessageProto.Builder msg =
      DataTransferEncryptorMessageProto.newBuilder()
          .setStatus(DataTransferEncryptorStatus.SUCCESS);
  if (payload != null) {
    msg.setPayload(ByteString.copyFrom(payload));
  }
  if (options != null) {
    msg.addAllCipherOption(PBHelper.convertCipherOptions(options));
  }
  msg.build().writeDelimitedTo(out);
  out.flush();
}
Example #15
Source File: DataTransferSaslUtil.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * Wraps the raw connection streams in a
 * {@link org.apache.hadoop.crypto.CryptoInputStream} /
 * {@link org.apache.hadoop.crypto.CryptoOutputStream} pair keyed from the
 * negotiated cipher option.
 *
 * <p>The option carries two key/IV pairs, one per direction. The server
 * reads with the "in" material and writes with the "out" material; the
 * client uses the same material the other way round, so each direction is
 * encrypted under its own key and IV.
 *
 * @param conf the configuration
 * @param cipherOption negotiated cipher option; must not be null
 * @param out underlying output stream
 * @param in underlying input stream
 * @param isServer is server side
 * @return IOStreamPair the stream pair
 * @throws IOException for any error
 */
public static IOStreamPair createStreamPair(Configuration conf,
    CipherOption cipherOption, OutputStream out, InputStream in,
    boolean isServer) throws IOException {
  if (LOG.isDebugEnabled()) {
    LOG.debug("Creating IOStreamPair of CryptoInputStream and "
        + "CryptoOutputStream.");
  }
  CryptoCodec codec = CryptoCodec.getInstance(conf,
      cipherOption.getCipherSuite());
  // Select the per-direction material once instead of at each constructor.
  byte[] readKey;
  byte[] readIv;
  byte[] writeKey;
  byte[] writeIv;
  if (isServer) {
    readKey = cipherOption.getInKey();
    readIv = cipherOption.getInIv();
    writeKey = cipherOption.getOutKey();
    writeIv = cipherOption.getOutIv();
  } else {
    readKey = cipherOption.getOutKey();
    readIv = cipherOption.getOutIv();
    writeKey = cipherOption.getInKey();
    writeIv = cipherOption.getInIv();
  }
  InputStream cIn = new CryptoInputStream(in, codec, readKey, readIv);
  OutputStream cOut = new CryptoOutputStream(out, codec, writeKey, writeIv);
  return new IOStreamPair(cIn, cOut);
}
Example #16
Source File: DataTransferSaslUtil.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * Sends a SASL message plus the single negotiated cipher option to the client.
 *
 * <p>The message is written length-delimited and the stream is flushed so the
 * peer can parse it immediately. The option is serialized as given; the server
 * handshake wraps its keys with the SASL layer before calling this.
 *
 * @param out stream to receive message
 * @param payload to send, may be null
 * @param option negotiated cipher option, may be null
 * @throws IOException for any error
 */
public static void sendSaslMessageAndNegotiatedCipherOption(
    OutputStream out, byte[] payload, CipherOption option)
    throws IOException {
  DataTransferEncryptorMessageProto.Builder msg =
      DataTransferEncryptorMessageProto.newBuilder()
          .setStatus(DataTransferEncryptorStatus.SUCCESS);
  if (payload != null) {
    msg.setPayload(ByteString.copyFrom(payload));
  }
  if (option != null) {
    msg.addCipherOption(PBHelper.convert(option));
  }
  msg.build().writeDelimitedTo(out);
  out.flush();
}
Example #17
Source File: FanOutOneBlockAsyncDFSOutputSaslHelper.java From hbase with Apache License 2.0 | 6 votes |
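/**
 * Serializes a SASL message with an optional payload and cipher options and
 * queues it on the channel with {@code ctx.write()} (no flush).
 *
 * <p>The buffer is sized exactly: the message's serialized size plus the
 * varint length prefix that {@code writeDelimitedTo()} emits in front of it.
 * Ownership of the buffer passes to the channel only on {@code ctx.write()};
 * if serialization fails before that point the buffer is released here so the
 * pooled allocation is not leaked.
 *
 * @param ctx channel context whose allocator and write queue are used
 * @param payload SASL token to send, may be null
 * @param options cipher options to propose, may be null
 * @throws IOException if serializing the message fails
 */
private void sendSaslMessage(ChannelHandlerContext ctx, byte[] payload,
    List<CipherOption> options) throws IOException {
  DataTransferEncryptorMessageProto.Builder builder =
      DataTransferEncryptorMessageProto.newBuilder();
  builder.setStatus(DataTransferEncryptorStatus.SUCCESS);
  if (payload != null) {
    BuilderPayloadSetter.wrapAndSetPayload(builder, payload);
  }
  if (options != null) {
    builder.addAllCipherOption(PBHelperClient.convertCipherOptions(options));
  }
  DataTransferEncryptorMessageProto proto = builder.build();
  int size = proto.getSerializedSize();
  size += CodedOutputStream.computeRawVarint32Size(size);
  ByteBuf buf = ctx.alloc().buffer(size);
  try {
    proto.writeDelimitedTo(new ByteBufOutputStream(buf));
  } catch (IOException | RuntimeException e) {
    // Nothing else holds a reference yet; release to avoid a buffer leak.
    buf.release();
    throw e;
  }
  ctx.write(buf);
}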
Example #18
Source File: DataTransferSaslUtil.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * Reads a SASL negotiation message together with the cipher options the
 * client proposes.
 *
 * <p>An {@code ERROR_UNKNOWN_KEY} status from the peer becomes an
 * {@link InvalidEncryptionKeyException}; any other {@code ERROR} status
 * becomes a plain {@link IOException}. In both cases the peer-supplied
 * message text is used as the exception message.
 *
 * @param in stream to read
 * @param cipherOptions list that the proposed cipher options are appended to
 * @return byte[] SASL negotiation message
 * @throws IOException for any error
 */
public static byte[] readSaslMessageAndNegotiationCipherOptions(
    InputStream in, List<CipherOption> cipherOptions) throws IOException {
  DataTransferEncryptorMessageProto proto =
      DataTransferEncryptorMessageProto.parseFrom(vintPrefixed(in));
  DataTransferEncryptorStatus status = proto.getStatus();
  if (status == DataTransferEncryptorStatus.ERROR_UNKNOWN_KEY) {
    throw new InvalidEncryptionKeyException(proto.getMessage());
  }
  if (status == DataTransferEncryptorStatus.ERROR) {
    throw new IOException(proto.getMessage());
  }
  List<CipherOptionProto> proposed = proto.getCipherOptionList();
  if (proposed != null) {
    for (CipherOptionProto p : proposed) {
      cipherOptions.add(PBHelper.convert(p));
    }
  }
  return proto.getPayload().toByteArray();
}
Example #19
Source File: DataTransferSaslUtil.java From big-c with Apache License 2.0 | 6 votes |
/**
 * Decrypts the keys of the negotiated cipher option with the SASL layer.
 *
 * <p>Mirror image of {@code wrap}: only the two keys are unwrapped, while the
 * suite and both IVs are passed through unchanged. The input option is not
 * modified; a new option is returned.
 *
 * @param option negotiated cipher option, may be null
 * @param sasl SASL participant representing client
 * @return CipherOption carrying the plaintext keys, or null when
 *         {@code option} is null
 * @throws IOException for any error
 */
public static CipherOption unwrap(CipherOption option, SaslParticipant sasl)
    throws IOException {
  if (option == null) {
    return null;
  }
  byte[] plainIn = option.getInKey();
  if (plainIn != null) {
    plainIn = sasl.unwrap(plainIn, 0, plainIn.length);
  }
  byte[] plainOut = option.getOutKey();
  if (plainOut != null) {
    plainOut = sasl.unwrap(plainOut, 0, plainOut.length);
  }
  return new CipherOption(option.getCipherSuite(), plainIn,
      option.getInIv(), plainOut, option.getOutIv());
}
Example #20
Source File: FanOutOneBlockAsyncDFSOutputSaslHelper.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Builds the cipher options the client proposes, driven by
 * {@code DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY}.
 *
 * <p>The proposal names a suite only; no key material is attached, the
 * server generates it during negotiation.
 *
 * @return a single-element list holding AES/CTR/NoPadding, or null when no
 *         cipher suite is configured
 * @throws IOException if the configured suite is anything other than
 *         AES/CTR/NoPadding
 */
private List<CipherOption> getCipherOptions() throws IOException {
  // Negotiate cipher suites if configured. Currently, the only supported
  // cipher suite is AES/CTR/NoPadding, but the protocol allows multiple
  // values for future expansion.
  String configured = conf.get(DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY);
  if (StringUtils.isBlank(configured)) {
    return null;
  }
  String supported = CipherSuite.AES_CTR_NOPADDING.getName();
  if (!supported.equals(configured)) {
    throw new IOException(String.format("Invalid cipher suite, %s=%s",
        DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY, configured));
  }
  CipherOption proposal = new CipherOption(CipherSuite.AES_CTR_NOPADDING);
  return Collections.singletonList(proposal);
}
Example #21
Source File: PBHelper.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Converts a list of {@link CipherOption}s to their protobuf form, element
 * by element and in order.
 *
 * @param options the options to convert, may be null
 * @return a new list of messages, or null when {@code options} is null
 */
public static List<CipherOptionProto> convertCipherOptions(
    List<CipherOption> options) {
  if (options == null) {
    return null;
  }
  List<CipherOptionProto> converted =
      Lists.newArrayListWithCapacity(options.size());
  for (CipherOption each : options) {
    converted.add(convert(each));
  }
  return converted;
}
Example #22
Source File: PBHelper.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Converts a list of {@code CipherOptionProto} messages to
 * {@link CipherOption}s, element by element and in order.
 *
 * @param protos the messages to convert, may be null
 * @return a new list of options, or null when {@code protos} is null
 */
public static List<CipherOption> convertCipherOptionProtos(
    List<CipherOptionProto> protos) {
  if (protos == null) {
    return null;
  }
  List<CipherOption> converted =
      Lists.newArrayListWithCapacity(protos.size());
  for (CipherOptionProto each : protos) {
    converted.add(convert(each));
  }
  return converted;
}
Example #23
Source File: FanOutOneBlockAsyncDFSOutputSaslHelper.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Extracts the cipher option the server negotiated from its SASL message.
 *
 * <p>Only the first option in the message is used. When the SASL QOP is
 * privacy the server sent the keys wrapped, so they are unwrapped with the
 * SASL client before the option is returned.
 *
 * @param proto the server's message
 * @param isNegotiatedQopPrivacy whether the negotiated QOP is auth-conf
 * @param saslClient the completed SASL client, used to unwrap the keys
 * @return the negotiated option, or null when the server sent none
 * @throws IOException if unwrapping fails
 */
private CipherOption getCipherOption(DataTransferEncryptorMessageProto proto,
    boolean isNegotiatedQopPrivacy, SaslClient saslClient) throws IOException {
  List<CipherOption> offered =
      PBHelperClient.convertCipherOptionProtos(proto.getCipherOptionList());
  if (offered == null || offered.isEmpty()) {
    return null;
  }
  CipherOption first = offered.get(0);
  if (isNegotiatedQopPrivacy) {
    return unwrap(first, saslClient);
  }
  return first;
}
Example #24
Source File: FanOutOneBlockAsyncDFSOutputSaslHelper.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Decrypts the keys of a cipher option received from the server with the
 * SASL client's unwrap, leaving the suite and both IVs untouched.
 *
 * @param option the option as received; must not be null
 * @param saslClient the completed SASL client
 * @return a new option carrying the plaintext keys
 * @throws IOException for any error
 */
private CipherOption unwrap(CipherOption option, SaslClient saslClient)
    throws IOException {
  byte[] plainIn = option.getInKey();
  if (plainIn != null) {
    plainIn = saslClient.unwrap(plainIn, 0, plainIn.length);
  }
  byte[] plainOut = option.getOutKey();
  if (plainOut != null) {
    plainOut = saslClient.unwrap(plainOut, 0, plainOut.length);
  }
  return new CipherOption(option.getCipherSuite(), plainIn,
      option.getInIv(), plainOut, option.getOutIv());
}
Example #25
Source File: DataTransferSaslUtil.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Negotiate a cipher option which server supports.
 *
 * <p>When a cipher suite is configured and the client proposed
 * AES/CTR/NoPadding, fresh key and IV material is generated for each
 * direction from the codec's secure random source, so every connection gets
 * its own keys. The key length is
 * {@code DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_KEY} in bits divided
 * by 8; the IV length is the suite's algorithm block size.
 *
 * @param conf the configuration
 * @param options the cipher options which client supports, may be null
 * @return CipherOption negotiated cipher option, or null when no suite is
 *         configured or the client proposed no acceptable suite
 * @throws IOException if the configured suite is not AES/CTR/NoPadding
 */
public static CipherOption negotiateCipherOption(Configuration conf,
    List<CipherOption> options) throws IOException {
  // Negotiate cipher suites if configured. Currently, the only supported
  // cipher suite is AES/CTR/NoPadding, but the protocol allows multiple
  // values for future expansion.
  String configured = conf.get(DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY);
  if (configured == null || configured.isEmpty()) {
    return null;
  }
  if (!configured.equals(CipherSuite.AES_CTR_NOPADDING.getName())) {
    throw new IOException(String.format("Invalid cipher suite, %s=%s",
        DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY, configured));
  }
  if (options == null) {
    return null;
  }
  for (CipherOption proposed : options) {
    CipherSuite suite = proposed.getCipherSuite();
    if (suite != CipherSuite.AES_CTR_NOPADDING) {
      continue;
    }
    int keyLen = conf.getInt(
        DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_KEY,
        DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_DEFAULT) / 8;
    int ivLen = suite.getAlgorithmBlockSize();
    CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
    byte[] inKey = new byte[keyLen];
    byte[] inIv = new byte[ivLen];
    byte[] outKey = new byte[keyLen];
    byte[] outIv = new byte[ivLen];
    // Distinct random material per direction; same draw order as before.
    codec.generateSecureRandom(inKey);
    codec.generateSecureRandom(inIv);
    codec.generateSecureRandom(outKey);
    codec.generateSecureRandom(outIv);
    return new CipherOption(suite, inKey, inIv, outKey, outIv);
  }
  return null;
}
Example #26
Source File: PBHelper.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Converts a list of {@code CipherOptionProto} messages to
 * {@link CipherOption}s, element by element and in order.
 *
 * @param protos the messages to convert, may be null
 * @return a new list of options, or null when {@code protos} is null
 */
public static List<CipherOption> convertCipherOptionProtos(
    List<CipherOptionProto> protos) {
  if (protos == null) {
    return null;
  }
  List<CipherOption> converted =
      Lists.newArrayListWithCapacity(protos.size());
  for (CipherOptionProto each : protos) {
    converted.add(convert(each));
  }
  return converted;
}
Example #27
Source File: PBHelper.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Converts a list of {@link CipherOption}s to their protobuf form, element
 * by element and in order.
 *
 * @param options the options to convert, may be null
 * @return a new list of messages, or null when {@code options} is null
 */
public static List<CipherOptionProto> convertCipherOptions(
    List<CipherOption> options) {
  if (options == null) {
    return null;
  }
  List<CipherOptionProto> converted =
      Lists.newArrayListWithCapacity(options.size());
  for (CipherOption each : options) {
    converted.add(convert(each));
  }
  return converted;
}
Example #28
Source File: DataTransferSaslUtil.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Negotiate a cipher option which server supports.
 *
 * <p>When a cipher suite is configured and the client proposed
 * AES/CTR/NoPadding, fresh key and IV material is generated for each
 * direction from the codec's secure random source, so every connection gets
 * its own keys. The key length is
 * {@code DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_KEY} in bits divided
 * by 8; the IV length is the suite's algorithm block size.
 *
 * @param conf the configuration
 * @param options the cipher options which client supports, may be null
 * @return CipherOption negotiated cipher option, or null when no suite is
 *         configured or the client proposed no acceptable suite
 * @throws IOException if the configured suite is not AES/CTR/NoPadding
 */
public static CipherOption negotiateCipherOption(Configuration conf,
    List<CipherOption> options) throws IOException {
  // Negotiate cipher suites if configured. Currently, the only supported
  // cipher suite is AES/CTR/NoPadding, but the protocol allows multiple
  // values for future expansion.
  String configured = conf.get(DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY);
  if (configured == null || configured.isEmpty()) {
    return null;
  }
  if (!configured.equals(CipherSuite.AES_CTR_NOPADDING.getName())) {
    throw new IOException(String.format("Invalid cipher suite, %s=%s",
        DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY, configured));
  }
  if (options == null) {
    return null;
  }
  for (CipherOption proposed : options) {
    CipherSuite suite = proposed.getCipherSuite();
    if (suite != CipherSuite.AES_CTR_NOPADDING) {
      continue;
    }
    int keyLen = conf.getInt(
        DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_KEY,
        DFS_ENCRYPT_DATA_TRANSFER_CIPHER_KEY_BITLENGTH_DEFAULT) / 8;
    int ivLen = suite.getAlgorithmBlockSize();
    CryptoCodec codec = CryptoCodec.getInstance(conf, suite);
    byte[] inKey = new byte[keyLen];
    byte[] inIv = new byte[ivLen];
    byte[] outKey = new byte[keyLen];
    byte[] outIv = new byte[ivLen];
    // Distinct random material per direction; same draw order as before.
    codec.generateSecureRandom(inKey);
    codec.generateSecureRandom(inIv);
    codec.generateSecureRandom(outKey);
    codec.generateSecureRandom(outIv);
    return new CipherOption(suite, inKey, inIv, outKey, outIv);
  }
  return null;
}
Example #29
Source File: SaslDataTransferServer.java From big-c with Apache License 2.0 | 4 votes |
/**
 * This method actually executes the server-side SASL handshake.
 *
 * <p>Order of operations: read and check the magic number, run one SASL
 * round trip (step 1), then read the client's second message together with
 * its proposed cipher options (step 2). Once the SASL exchange is complete
 * and the negotiated QOP is privacy, a cipher option with freshly generated
 * keys is chosen and its keys are wrapped by the SASL layer before being sent
 * back. The returned stream pair is the CryptoInputStream/CryptoOutputStream
 * pair when a cipher option was negotiated, otherwise the SASL-wrapped
 * streams.
 *
 * <p>A bad magic number fails before the try block, so no error message is
 * written to the peer for it; any IOException raised inside the handshake is
 * reported to the client and then rethrown.
 *
 * @param underlyingOut connection output stream
 * @param underlyingIn connection input stream
 * @param saslProps properties of SASL negotiation
 * @param callbackHandler for responding to SASL callbacks
 * @return new pair of streams, wrapped after SASL negotiation
 * @throws IOException for any error
 */
private IOStreamPair doSaslHandshake(OutputStream underlyingOut,
    InputStream underlyingIn, Map<String, String> saslProps,
    CallbackHandler callbackHandler) throws IOException {
  DataInputStream in = new DataInputStream(underlyingIn);
  DataOutputStream out = new DataOutputStream(underlyingOut);
  SaslParticipant sasl = SaslParticipant.createServerSaslParticipant(saslProps,
      callbackHandler);
  // The magic number is checked before any SASL message is consumed.
  int magicNumber = in.readInt();
  if (magicNumber != SASL_TRANSFER_MAGIC_NUMBER) {
    throw new InvalidMagicNumberException(magicNumber,
        dnConf.getEncryptDataTransfer());
  }
  try {
    // step 1
    byte[] remoteResponse = readSaslMessage(in);
    byte[] localResponse = sasl.evaluateChallengeOrResponse(remoteResponse);
    sendSaslMessage(out, localResponse);
    // step 2 (server-side only)
    List<CipherOption> cipherOptions = Lists.newArrayList();
    remoteResponse = readSaslMessageAndNegotiationCipherOptions(
        in, cipherOptions);
    localResponse = sasl.evaluateChallengeOrResponse(remoteResponse);
    // SASL handshake is complete
    checkSaslComplete(sasl, saslProps);
    // A cipher option is only negotiated under a privacy (auth-conf) QOP;
    // otherwise cipherOption stays null and SASL wrapping protects the data.
    CipherOption cipherOption = null;
    if (sasl.isNegotiatedQopPrivacy()) {
      // Negotiate a cipher option
      cipherOption = negotiateCipherOption(dnConf.getConf(), cipherOptions);
      if (cipherOption != null) {
        if (LOG.isDebugEnabled()) {
          LOG.debug("Server using cipher suite " +
              cipherOption.getCipherSuite().getName());
        }
      }
    }
    // If negotiated cipher option is not null, wrap it before sending.
    // wrap() encrypts only the keys with the SASL layer and passes a null
    // option through unchanged.
    sendSaslMessageAndNegotiatedCipherOption(out, localResponse,
        wrap(cipherOption, sasl));
    // If negotiated cipher option is not null, we will use it to create
    // stream pair.
    return cipherOption != null ? createStreamPair(
        dnConf.getConf(), cipherOption, underlyingOut, underlyingIn, true) :
        sasl.createStreamPair(out, in);
  } catch (IOException ioe) {
    if (ioe instanceof SaslException &&
        ioe.getCause() != null &&
        ioe.getCause() instanceof InvalidEncryptionKeyException) {
      // This could just be because the client is long-lived and hasn't gotten
      // a new encryption key from the NN in a while. Upon receiving this
      // error, the client will get a new encryption key from the NN and retry
      // connecting to this DN.
      sendInvalidKeySaslErrorMessage(out, ioe.getCause().getMessage());
    } else {
      // NOTE(review): the exception text is sent verbatim to the remote peer;
      // confirm these messages never carry detail that should stay on the DN.
      sendGenericSaslErrorMessage(out, ioe.getMessage());
    }
    throw ioe;
  }
}
Example #30
Source File: SaslResponseWithNegotiatedCipherOption.java From big-c with Apache License 2.0 | 4 votes |
/**
 * Creates a response holding the SASL payload and the cipher option the
 * server negotiated (null when none was). Both references are stored as
 * given, without copying.
 *
 * @param payload SASL response bytes
 * @param cipherOption negotiated cipher option, may be null
 */
public SaslResponseWithNegotiatedCipherOption(byte[] payload,
    CipherOption cipherOption) {
  this.cipherOption = cipherOption;
  this.payload = payload;
}