ripplehang commented on code in PR #43601:
URL: https://github.com/apache/arrow/pull/43601#discussion_r1794926939
##########
cpp/src/arrow/filesystem/s3_test_util.cc:
##########
@@ -69,6 +77,40 @@ std::string MinioTestServer::access_key() const { return
impl_->access_key_; }
std::string MinioTestServer::secret_key() const { return impl_->secret_key_; }
+std::string MinioTestServer::ca_path() const {
+ return impl_->temp_dir_ca_->path().ToString();
+}
+
+std::string MinioTestServer::scheme() const { return impl_->scheme_; }
+
+Status MinioTestServer::GenerateCertificateFile() {
+ // create the dedicated folder for certificate file, rather than reuse the
data
+ // folder, since there is test case to check whether the folder is empty.
+ ARROW_ASSIGN_OR_RAISE(impl_->temp_dir_ca_,
TemporaryDir::Make("s3fs-test-ca-"));
+
+ ARROW_ASSIGN_OR_RAISE(auto public_crt_file,
+ PlatformFilename::FromString(ca_path() +
"/public.crt"));
+ ARROW_ASSIGN_OR_RAISE(auto public_cert_fd,
FileOpenWritable(public_crt_file));
+ ARROW_RETURN_NOT_OK(FileWrite(public_cert_fd.fd(),
+ reinterpret_cast<const uint8_t*>(kMinioCert),
+ strlen(kMinioCert)));
+ ARROW_RETURN_NOT_OK(public_cert_fd.Close());
+
+ ARROW_ASSIGN_OR_RAISE(auto private_key_file,
+ PlatformFilename::FromString(ca_path() +
"/private.key"));
+ ARROW_ASSIGN_OR_RAISE(auto private_key_fd,
FileOpenWritable(private_key_file));
+ ARROW_RETURN_NOT_OK(FileWrite(private_key_fd.fd(),
+ reinterpret_cast<const
uint8_t*>(kMinioPrivateKey),
+ strlen(kMinioPrivateKey)));
+ ARROW_RETURN_NOT_OK(private_key_fd.Close());
+
+ arrow::fs::FileSystemGlobalOptions global_options;
+ global_options.tls_verify_certificates = false;
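Review bot: `global_options.tls_verify_certificates = false;` at the end of `GenerateCertificateFile()` changes TLS verification policy inside a function whose name says it only writes `public.crt` and `private.key`. Move that setting to the caller (or rename the function), and add a comment explaining why verification is disabled, since with it off the client side of the test does not validate the server against `kMinioCert`. The visible lines end before `global_options` is used, so also confirm it is actually applied and that the resulting Status is checked.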
Review Comment:
@pitrou Another issue with setting the `ca_file` here is that the AWS SDK would not
only verify the certificate file but also verify the host if the ca_file is
set. See
https://github.com/aws/aws-sdk-cpp/blob/bb7d5a0f991efef6c6cb1f970bc04e0def765704/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp#L758
However, according to
https://github.com/apache/arrow/blob/main/cpp/src/arrow/testing/util.cc#L186,
the actual endpoint name changes within the range 127.0.0.0/8, and in my self-signed
certificate file I only set 127.0.0.1 and localhost as the alt_names, so
the TLS handshake would fail.
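The mismatch described in the comment above, as an added example that is not part of the original comment and is not code from Arrow, the AWS SDK or libcurl: a simplified model of subjectAltName matching, run over a constructed SAN list (127.0.0.1 and localhost) and constructed loopback endpoints. The names `san_covers` and `uncovered` are hypothetical.

```python
import ipaddress

# Constructed SAN list mirroring the comment: only 127.0.0.1 and localhost.
CERT_SANS = [("IP", "127.0.0.1"), ("DNS", "localhost")]


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName match; '*' may only be the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    # The wildcard covers exactly one label, so compare everything after it.
    _, _, host_rest = h.partition(".")
    return bool(host_rest) and host_rest == p[2:]


def san_covers(endpoint_host: str, sans) -> bool:
    """Simplified model: would a host-verifying client accept this endpoint?"""
    try:
        ip = ipaddress.ip_address(endpoint_host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals are compared only against iPAddress entries, exactly;
        # an iPAddress SAN names one address, not a range such as 127.0.0.0/8.
        return any(kind == "IP" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, endpoint_host)
               for kind, value in sans)


def uncovered(hosts, sans):
    """Return the endpoints that would fail hostname verification."""
    return [h for h in hosts if not san_covers(h, sans)]


if __name__ == "__main__":
    # Constructed sample of endpoints a test run could pick inside 127.0.0.0/8.
    sample = ["127.0.0.1", "localhost", "127.0.0.2", "127.45.7.9"]
    for host in sample:
        print(f"{host:12} {'ok' if san_covers(host, CERT_SANS) else 'MISMATCH'}")
```
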