Re: [PR] GH-43535: [C++] support the AWS S3 SSE-C encryption [arrow]

Wed, 09 Oct 2024 06:02:22 -0700 


ripplehang commented on code in PR #43601:
URL: https://github.com/apache/arrow/pull/43601#discussion_r1793486586


##########
cpp/src/arrow/filesystem/s3_internal.h:
##########
@@ -291,6 +293,47 @@ class ConnectRetryStrategy : public 
Aws::Client::RetryStrategy {
   int32_t max_retry_duration_;
 };
 
+/// \brief calculate the MD5 of the input sse-c key (raw key, not base64 
encoded)
+/// \param sse_customer_key is the input sse key
+/// \return the base64 encoded MD5 for the input key
+inline Result<std::string> CalculateSSECustomerKeyMD5(
+    const std::string& sse_customer_key) {
+  // the key needs to be 256 bits (32 bytes) according to
+  // 
https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html#specifying-s3-c-encryption
+  if (sse_customer_key.length() != 32) {
+    return Status::Invalid("32 bytes sse-c key is expected");
+  }
+
+  // Convert the raw binary key to an Aws::String
+  Aws::String sse_customer_key_aws_string(sse_customer_key.data(),
+                                          sse_customer_key.length());
+
+  // Compute the MD5 hash of the raw binary key
+  Aws::Utils::ByteBuffer sse_customer_key_md5 =
+      Aws::Utils::HashingUtils::CalculateMD5(sse_customer_key_aws_string);
+
+  // Base64-encode the MD5 hash
+  return arrow::util::base64_encode(std::string_view(
+      reinterpret_cast<const char*>(sse_customer_key_md5.GetUnderlyingData()),
+      sse_customer_key_md5.GetLength()));
+}
+
+template <typename S3RequestType>
+Status SetSSECustomerKey(S3RequestType& request, const std::string& 
sse_customer_key) {
+  if (sse_customer_key.empty()) {
+    return Status::OK();  // do nothing if the sse_customer_key is not 
configured
+  }
+#ifdef ARROW_S3_SUPPORT_SSEC

Review Comment:
   ok,, i thought about this point previously, since all the call of 
SetSSECustomerKey are in the s3fs.cc, so i just simply define the option in the 
s3fs.cc. so that i could reuse the ARROW_AWS_SDK_VERSION_CHECK macro in the 
s3fs.cc. 
   fine, I could also move the ARROW_AWS_SDK_VERSION_CHECK  into the 
s2_internal.h
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to