GH-43535: [C++] support the AWS S3 SSE-C encryption

[ripplehang]

Rationale for this change

What changes are included in this PR?

Extend S3Options to support server-side encryption with customer-provided keys (SSE-C).

Are these changes tested?

Yes

Are there any user-facing changes?

yes, the new member sse_customer_key added for S3Option

• GitHub Issue: [C++] Support the SSE-C(server-side encryption with customer-provided keys) for the AWS s3 filesystem read and write #43535

[github-actions]

⚠️ GitHub issue #43535 has been automatically assigned in GitHub to PR creator.

[ripplehang]

@pitrou @mapleFU @felipecrv can you help to review the PR, Thanks

[pitrou]

I took a quick look and here are some assorted thoughts:

• there are no unit tests
• only the encryption key needs to be on S3Options, not the MD5 and algorithm string (which can be computed on the fly)

[pitrou]

Also, for the other readers wondering, I've found a useful (though possibly outdated?) comparison of S3 encryption options here:
https://www.linkedin.com/pulse/delusion-s3-encryption-benefits-ravi-ivaturi/

[ripplehang]

I took a quick look and here are some assorted thoughts:

@pitrou Thanks for your review, for #1, i would try to add ut for the change, for #2, yes, actually ONLY the Key is needed, that's why i only expose one SetSSECKey function, and three Get function, and private the new added datamember.
do you suggest to only add one datamember for S3Options? but if there is only one memeber, we may needs to calculate everywhere?

[ripplehang]

@pitrou I've submitted another commit to only expose the ssec-key in S3Options, and then calculate the MD5 every time on the fly, can you help to review whether there are other comments? I would try to add the ut if there is no interface change required, Thanks

[ripplehang]

@pitrou Can you help to review the PR again?Thanks

[ripplehang]

@kou @mapleFU can you help to review the change, Thanks

[mapleFU]

I'll take a careful around this weekend

[mapleFU]

Would you mind change to Result<std::string>?

[ripplehang]

ok, I would try to refine the return value for the function.

[mapleFU]

how do this handles error if base64_encoded_key is not valid?

[ripplehang]

From https://github.com/aws/aws-sdk-cpp/blob/ac2da09e6930e3988d1289717e2df5d4b7408f17/src/aws-cpp-sdk-core/source/utils/base64/Base64.cpp#L91-L121, seems this aws util API didn't validate the input properly,but directly calculate the output size and allocate the buffer, so i add the check to ensure every character is the valid character here.
Meanwhile, I also add the related Unit test for the CalculateSSECKeyMD5 to test the different input value.

[mapleFU]

When would this not equal to 256?

[ripplehang]

the expect_input_key_size is exposed via S3Options, so it's possible for this value to be set as any length.

[kou]

Could you fix style by pre-commit run --show-diff-on-failure --color=always --all?

[kou]

Could you use ASSERT_RAISES_WITH_MESSAGES() instead?

[kou]

Why is this needed?

[ripplehang]

I tend to cover the workflow with sse_customer_key nonempty.

[kou]

If we always set sse_custom_key, we can't test no sse_custom_key case.
Can we add a test that uses sse_custom_key instead?

[pitrou]

Indeed, and ideally the SSE-C encryption test would write a file with the encryption key, and check that trying to read it with another key (or with no key at all) fails.

[ripplehang]

@kou Can you help to review and help to trigger the CI again? Meanwhile, I've rebased the main branch,thanks

[ripplehang]

Could you rebase on main?

Could you check S3 filesystem related CI failures?

@kou The reason for the failure is, the minio test server is start with http, while the SSEC-Key would require https.
do you know why the minio server is started with http rather than https? is there any concern for the self-signed certificate?
I tend to start the minio server with self-signed certificate for the new test case only, and keep the current http case unchanged, do you think it's acceptable?Thanks

[pitrou]

I think it's ok to switch the tests to access Minio using HTTPS with a self-signed certificate.

[pitrou]

do you know why the minio server is started with http rather than https?

Just because it was easier :-) No particular reason otherwise.

[kou]

Suggested change

	ASSERT_STREQ(md5.c_str(), "97FTa6lj0hE7lshKdBy61g=="); // valid case
	ASSERT_EQ(md5, "97FTa6lj0hE7lshKdBy61g=="); // valid case

[kou]

We can always use HTTPS Minio.
Can we prepare a self-signed certificate with portable way? (Do we need openssl command for it?)

[kou]

FYI: I created https://github.com/apache/arrow-flight-sql-postgresql/blob/main/dev/prepare-tls.sh for other Arrow related project but this is not for Windows...

[pitrou]

There is no need to generate a self-signed cert everytime, it can just be stored in the repository.

[kou]

In general, it's not a good idea.
If we add it to this repository, someone may report it a security vulnerability. We need to explain that it's not danger.
FYI: GH-6399

(If we don't have another approach, we can use the approach.)

[pitrou]

If someone is silly enough to report a self-signed certificate used for testing purposes as a security vulnerability, then they deserve to be ignored.

CPython has stored a ton of fake certificates in its repository for decades and we don't get any complaints:
https://github.com/python/cpython/tree/main/Lib/test/certdata