pitrou commented on code in PR #48859:
URL: https://github.com/apache/arrow/pull/48859#discussion_r2707690587
##########
cpp/src/parquet/metadata.cc:
##########
@@ -834,6 +834,43 @@ class FileMetaData::FileMetaDataImpl {
tag, encryption::kGcmTagLength);
}
+ bool VerifySignature(std::span<const uint8_t> serialized_metadata,
+ std::span<const uint8_t> signature) {
+ // Verify decryption properties are set
+ if (file_decryptor_ == nullptr) {
+ throw ParquetException("Decryption not set properly. cannot verify
signature");
+ }
+
+ if (signature.size() != encryption::kGcmTagLength +
encryption::kNonceLength) {
+ throw ParquetInvalidOrCorruptedFileException(
+ "Invalid footer encryption signature (expected ",
+ encryption::kGcmTagLength + encryption::kNonceLength, " bytes, got ",
+ signature.size(), ")");
+ }
+
+ // Encrypt plaintext serialized metadata so as to compute its signature
+ auto nonce = signature.subspan(0, encryption::kNonceLength);
+ auto tag = signature.subspan(encryption::kNonceLength);
+ const SecureString& key = file_decryptor_->GetFooterKey();
+ const std::string& aad =
encryption::CreateFooterAad(file_decryptor_->file_aad());
+
+ auto aes_encryptor =
encryption::AesEncryptor::Make(file_decryptor_->algorithm(),
+
static_cast<int>(key.size()),
+ true, false
/*write_length*/);
+
+ std::shared_ptr<Buffer> encrypted_buffer =
+ AllocateBuffer(file_decryptor_->pool(),
+
aes_encryptor->CiphertextLength(serialized_metadata.size()));
+ int32_t encrypted_len = aes_encryptor->SignedFooterEncrypt(
Review Comment:
(you're right, when the footer is encrypted, checking the signature is part
of the decryption process and we don't need to do it manually)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
