GH-47338: [C++][Python] Remove deprecated string-based Parquet encryption methods (#47339)

EnricoMi · web-flow · commit 403ba70f838d · 2025-09-04T15:12:20.000+02:00
### Rationale for this change Passing encryption keys to Parquet via strings is insecure. Users are encouraged to use the `SecureString` based methods introduced in #46017 instead. To enforce this migration, deprecated methods are removed. ### What changes are included in this PR? Remove deprecated string-based methods. ### Are these changes tested? Existing Parquet encryption tests. ### Are there any user-facing changes? C++ user code that passes encryption keys to Parquet is affected and has to be adjusted. Python user code is not affected. **This PR includes breaking changes to public APIs.** * GitHub Issue: #47338 Authored-by: Enrico Minack <github@enrico.minack.dev> Signed-off-by: Antoine Pitrou <antoine@python.org>
diff --git a/cpp/src/parquet/encryption/encryption.cc b/cpp/src/parquet/encryption/encryption.cc
@@ -44,15 +44,10 @@ void StringKeyIdRetriever::PutKey(std::string key_id, SecureString key) {
   key_map_.insert({std::move(key_id), std::move(key)});
 }
 
-SecureString StringKeyIdRetriever::GetKeyById(const std::string& key_id) {
+SecureString StringKeyIdRetriever::GetKey(const std::string& key_id) {
   return key_map_.at(key_id);
 }
 
-ColumnEncryptionProperties::Builder* ColumnEncryptionProperties::Builder::key(
-    std::string column_key) {
-  return key(SecureString(std::move(column_key)));
-}
-
 ColumnEncryptionProperties::Builder* ColumnEncryptionProperties::Builder::key(
     SecureString column_key) {
   if (column_key.empty()) return this;
@@ -94,11 +89,6 @@ FileDecryptionProperties::Builder* FileDecryptionProperties::Builder::column_key
   return this;
 }
 
-FileDecryptionProperties::Builder* FileDecryptionProperties::Builder::footer_key(
-    std::string footer_key) {
-  return this->footer_key(SecureString(std::move(footer_key)));
-}
-
 FileDecryptionProperties::Builder* FileDecryptionProperties::Builder::footer_key(
     SecureString footer_key) {
   if (footer_key.empty()) {
diff --git a/cpp/src/parquet/encryption/encryption.h b/cpp/src/parquet/encryption/encryption.h
@@ -49,22 +49,7 @@ using ColumnPathToEncryptionPropertiesMap =
 class PARQUET_EXPORT DecryptionKeyRetriever {
  public:
   /// \brief Retrieve a key.
-  /// \deprecated Deprecated since 22.0.0.
-  ///             Implement GetKeyById(const std::string&) instead.
-  ARROW_DEPRECATED(
-      "Deprecated in 22.0.0. "
-      "Implement GetKeyById(const std::string&) instead.")
-  virtual std::string GetKey(const std::string& key_id) {
-    throw ParquetException("Not implemented");
-  }
-
-  /// \brief Retrieve a key by its id.
-  virtual ::arrow::util::SecureString GetKeyById(const std::string& key_id) {
-    ARROW_SUPPRESS_DEPRECATION_WARNING
-    auto key = ::arrow::util::SecureString(GetKey(key_id));
-    ARROW_UNSUPPRESS_DEPRECATION_WARNING
-    return key;
-  }
+  virtual ::arrow::util::SecureString GetKey(const std::string& key_id) = 0;
 
   virtual ~DecryptionKeyRetriever() {}
 };
@@ -74,18 +59,16 @@ class PARQUET_EXPORT IntegerKeyIdRetriever : public DecryptionKeyRetriever {
  public:
   void PutKey(uint32_t key_id, ::arrow::util::SecureString key);
 
-  ::arrow::util::SecureString GetKeyById(const std::string& key_id_string) override {
+  ::arrow::util::SecureString GetKey(const std::string& key_id_string) override {
     // key_id_string is string but for IntegerKeyIdRetriever it encodes
     // a native-endian 32 bit unsigned integer key_id
     uint32_t key_id;
     assert(key_id_string.size() == sizeof(key_id));
     memcpy(&key_id, key_id_string.data(), sizeof(key_id));
 
-    return GetKeyById(key_id);
+    return key_map_.at(key_id);
   }
 
-  ::arrow::util::SecureString GetKeyById(uint32_t key_id) { return key_map_.at(key_id); }
-
  private:
   std::map<uint32_t, ::arrow::util::SecureString> key_map_;
 };
@@ -94,7 +77,7 @@ class PARQUET_EXPORT IntegerKeyIdRetriever : public DecryptionKeyRetriever {
 class PARQUET_EXPORT StringKeyIdRetriever : public DecryptionKeyRetriever {
  public:
   void PutKey(std::string key_id, ::arrow::util::SecureString key);
-  ::arrow::util::SecureString GetKeyById(const std::string& key_id) override;
+  ::arrow::util::SecureString GetKey(const std::string& key_id) override;
 
  private:
   std::map<std::string, ::arrow::util::SecureString> key_map_;
@@ -143,11 +126,6 @@ class PARQUET_EXPORT ColumnEncryptionProperties {
     /// be encrypted with the footer key.
     /// keyBytes Key length must be either 16, 24 or 32 bytes.
     /// Caller is responsible for wiping out the input key array.
-    /// \deprecated "Deprecated in 22.0.0. Use key(arrow::util::SecureString) instead."
-    ARROW_DEPRECATED("Deprecated in 22.0.0. Use key(arrow::util::SecureString) instead.")
-    Builder* key(std::string column_key);
-
-    /// \copydoc key(std::string)
     Builder* key(::arrow::util::SecureString column_key);
 
     /// Set a key retrieval metadata.
@@ -259,14 +237,6 @@ class PARQUET_EXPORT FileDecryptionProperties {
     /// will be wiped out (array values set to 0).
     /// Caller is responsible for wiping out the input key array.
     /// param footerKey Key length must be either 16, 24 or 32 bytes.
-    /// \deprecated Deprecated since 22.0.0.
-    ///             Use footer_key(arrow::util::SecureString) instead.
-    ARROW_DEPRECATED(
-        "Deprecated in 22.0.0. "
-        "Use footer_key(arrow::util::SecureString) instead.")
-    Builder* footer_key(std::string footer_key);
-
-    /// \copydoc footer_key(std::string footer_key)
     Builder* footer_key(::arrow::util::SecureString footer_key);
 
     /// Set explicit column keys (decryption properties).
@@ -376,14 +346,6 @@ class PARQUET_EXPORT FileEncryptionProperties {
  public:
   class PARQUET_EXPORT Builder {
    public:
-    /// \deprecated Deprecated since 22.0.0. Use Builder(arrow::util::SecureString)
-    /// instead.
-    ARROW_DEPRECATED(
-        "Deprecated in 22.0.0. "
-        "Use Builder(arrow::util::SecureString) instead")
-    explicit Builder(std::string footer_key)
-        : Builder(::arrow::util::SecureString(std::move(footer_key))) {}
-
     explicit Builder(::arrow::util::SecureString footer_key)
         : parquet_cipher_(kDefaultEncryptionAlgorithm),
           encrypted_footer_(kDefaultEncryptedFooter),
diff --git a/cpp/src/parquet/encryption/file_key_unwrapper.cc b/cpp/src/parquet/encryption/file_key_unwrapper.cc
@@ -69,7 +69,7 @@ FileKeyUnwrapper::FileKeyUnwrapper(
       kms_connection_config.key_access_token(), cache_entry_lifetime_seconds_);
 }
 
-SecureString FileKeyUnwrapper::GetKeyById(const std::string& key_metadata_bytes) {
+SecureString FileKeyUnwrapper::GetKey(const std::string& key_metadata_bytes) {
   // key_metadata is expected to be in UTF8 encoding
   ::arrow::util::InitializeUTF8();
   if (!::arrow::util::ValidateUTF8(
@@ -110,15 +110,15 @@ KeyWithMasterId FileKeyUnwrapper::GetDataEncryptionKey(const KeyMaterial& key_ma
 
   SecureString data_key;
   if (!double_wrapping) {
-    data_key = kms_client->UnWrapKey(encoded_wrapped_dek, master_key_id);
+    data_key = kms_client->UnwrapKey(encoded_wrapped_dek, master_key_id);
   } else {
     // Get Key Encryption Key
     const std::string& encoded_kek_id = key_material.kek_id();
     const std::string& encoded_wrapped_kek = key_material.wrapped_kek();
 
     const SecureString kek_bytes = kek_per_kek_id_->GetOrInsert(
         encoded_kek_id, [kms_client, encoded_wrapped_kek, master_key_id]() {
-          return kms_client->UnWrapKey(encoded_wrapped_kek, master_key_id);
+          return kms_client->UnwrapKey(encoded_wrapped_kek, master_key_id);
         });
 
     // Decrypt the data key
diff --git a/cpp/src/parquet/encryption/file_key_unwrapper.h b/cpp/src/parquet/encryption/file_key_unwrapper.h
@@ -65,7 +65,7 @@ class PARQUET_EXPORT FileKeyUnwrapper : public DecryptionKeyRetriever {
                    std::shared_ptr<FileKeyMaterialStore> key_material_store);
 
   /// Get the data key from key metadata
-  ::arrow::util::SecureString GetKeyById(const std::string& key_metadata_bytes) override;
+  ::arrow::util::SecureString GetKey(const std::string& key_metadata_bytes) override;
 
   /// Get the data key along with the master key id from key material
   KeyWithMasterId GetDataEncryptionKey(const KeyMaterial& key_material);
diff --git a/cpp/src/parquet/encryption/internal_file_decryptor.cc b/cpp/src/parquet/encryption/internal_file_decryptor.cc
@@ -78,7 +78,7 @@ const SecureString& InternalFileDecryptor::GetFooterKey() {
     if (properties_->key_retriever() == nullptr)
       throw ParquetException("No footer key or key retriever");
     try {
-      footer_key_ = properties_->key_retriever()->GetKeyById(footer_key_metadata_);
+      footer_key_ = properties_->key_retriever()->GetKey(footer_key_metadata_);
     } catch (KeyAccessDeniedException& e) {
       std::stringstream ss;
       ss << "Footer key: access denied " << e.what() << "\n";
@@ -117,7 +117,7 @@ SecureString InternalFileDecryptor::GetColumnKey(const std::string& column_path,
   if (column_key.empty() && !column_key_metadata.empty() &&
       properties_->key_retriever() != nullptr) {
     try {
-      column_key = properties_->key_retriever()->GetKeyById(column_key_metadata);
+      column_key = properties_->key_retriever()->GetKey(column_key_metadata);
     } catch (KeyAccessDeniedException& e) {
       std::stringstream ss;
       ss << "HiddenColumnException, path=" + column_path + " " << e.what() << "\n";
diff --git a/cpp/src/parquet/encryption/key_wrapping_test.cc b/cpp/src/parquet/encryption/key_wrapping_test.cc
@@ -86,10 +86,10 @@ class KeyWrappingTest : public ::testing::Test {
     FileKeyUnwrapper unwrapper(&key_toolkit, kms_connection_config_,
                                cache_entry_lifetime_seconds, readable_file_path,
                                file_system);
-    SecureString footer_key = unwrapper.GetKeyById(key_metadata_json_footer);
+    SecureString footer_key = unwrapper.GetKey(key_metadata_json_footer);
     ASSERT_EQ(footer_key, kFooterEncryptionKey);
 
-    SecureString column_key = unwrapper.GetKeyById(key_metadata_json_column);
+    SecureString column_key = unwrapper.GetKey(key_metadata_json_column);
     ASSERT_EQ(column_key, kColumnEncryptionKey1);
   }
 
diff --git a/cpp/src/parquet/encryption/kms_client.h b/cpp/src/parquet/encryption/kms_client.h
@@ -84,42 +84,12 @@ class PARQUET_EXPORT KmsClient {
   ///
   /// Encrypts it with the master key, encodes the result
   /// and potentially adds a KMS-specific metadata.
-  ///
-  /// \deprecated Deprecated since 22.0.0. Implement
-  ///             WrapKey(const SecureString&, const std::string&) instead.
-  ARROW_DEPRECATED(
-      "Deprecated in 22.0.0. "
-      "Implement WrapKey(const SecureString&, const std::string&) instead.")
-  virtual std::string WrapKey(const std::string& key_bytes,
-                              const std::string& master_key_identifier) {
-    throw ParquetException("Not implemented");
-  }
-
-  /// \copydoc WrapKey(const std::string&, const std::string&)
   virtual std::string WrapKey(const ::arrow::util::SecureString& key_bytes,
-                              const std::string& master_key_identifier) {
-    ARROW_SUPPRESS_DEPRECATION_WARNING
-    auto key = WrapKey(std::string(key_bytes.as_view()), master_key_identifier);
-    ARROW_UNSUPPRESS_DEPRECATION_WARNING
-    return key;
-  }
+                              const std::string& master_key_identifier) = 0;
 
   /// \brief Decrypts (unwraps) a key with the master key.
-  /// \deprecated Deprecated since 22.0.0. Implement UnWrapKey instead.
-  ARROW_DEPRECATED("Deprecated in 22.0.0. Implement UnWrapKey instead.")
-  virtual std::string UnwrapKey(const std::string& wrapped_key,
-                                const std::string& master_key_identifier) {
-    throw ParquetException("Not implemented");
-  }
-
-  /// \copydoc UnwrapKey(const std::string&, const std::string&)
-  virtual ::arrow::util::SecureString UnWrapKey(
-      const std::string& wrapped_key, const std::string& master_key_identifier) {
-    ARROW_SUPPRESS_DEPRECATION_WARNING
-    auto key = ::arrow::util::SecureString(UnwrapKey(wrapped_key, master_key_identifier));
-    ARROW_UNSUPPRESS_DEPRECATION_WARNING
-    return key;
-  }
+  virtual ::arrow::util::SecureString UnwrapKey(
+      const std::string& wrapped_key, const std::string& master_key_identifier) = 0;
 
   virtual ~KmsClient() {}
 };
diff --git a/cpp/src/parquet/encryption/local_wrap_kms_client.cc b/cpp/src/parquet/encryption/local_wrap_kms_client.cc
@@ -84,7 +84,7 @@ std::string LocalWrapKmsClient::WrapKey(const SecureString& key_bytes,
   return LocalKeyWrap::CreateSerialized(encrypted_encoded_key);
 }
 
-SecureString LocalWrapKmsClient::UnWrapKey(const std::string& wrapped_key,
+SecureString LocalWrapKmsClient::UnwrapKey(const std::string& wrapped_key,
                                            const std::string& master_key_identifier) {
   LocalKeyWrap key_wrap = LocalKeyWrap::Parse(wrapped_key);
   const std::string& master_key_version = key_wrap.master_key_version();
diff --git a/cpp/src/parquet/encryption/local_wrap_kms_client.h b/cpp/src/parquet/encryption/local_wrap_kms_client.h
@@ -38,7 +38,7 @@ class PARQUET_EXPORT LocalWrapKmsClient : public KmsClient {
   std::string WrapKey(const ::arrow::util::SecureString& key_bytes,
                       const std::string& master_key_identifier) override;
 
-  ::arrow::util::SecureString UnWrapKey(
+  ::arrow::util::SecureString UnwrapKey(
       const std::string& wrapped_key, const std::string& master_key_identifier) override;
 
  protected:
diff --git a/cpp/src/parquet/encryption/properties_test.cc b/cpp/src/parquet/encryption/properties_test.cc
@@ -224,9 +224,9 @@ TEST(TestDecryptionProperties, UseKeyRetriever) {
   std::shared_ptr<parquet::FileDecryptionProperties> props = builder.build();
 
   auto out_key_retriever = props->key_retriever();
-  ASSERT_EQ(kFooterEncryptionKey, out_key_retriever->GetKeyById("kf"));
-  ASSERT_EQ(kColumnEncryptionKey1, out_key_retriever->GetKeyById("kc1"));
-  ASSERT_EQ(kColumnEncryptionKey2, out_key_retriever->GetKeyById("kc2"));
+  ASSERT_EQ(kFooterEncryptionKey, out_key_retriever->GetKey("kf"));
+  ASSERT_EQ(kColumnEncryptionKey1, out_key_retriever->GetKey("kc1"));
+  ASSERT_EQ(kColumnEncryptionKey2, out_key_retriever->GetKey("kc2"));
 }
 
 TEST(TestDecryptionProperties, SupplyAadPrefix) {
diff --git a/cpp/src/parquet/encryption/test_in_memory_kms.cc b/cpp/src/parquet/encryption/test_in_memory_kms.cc
@@ -79,7 +79,7 @@ std::string TestOnlyInServerWrapKms::WrapKey(const SecureString& key_bytes,
   return internal::EncryptKeyLocally(key_bytes, master_key, aad);
 }
 
-SecureString TestOnlyInServerWrapKms::UnWrapKey(
+SecureString TestOnlyInServerWrapKms::UnwrapKey(
     const std::string& wrapped_key, const std::string& master_key_identifier) {
   if (unwrapping_master_key_map_.find(master_key_identifier) ==
       unwrapping_master_key_map_.end()) {
diff --git a/cpp/src/parquet/encryption/test_in_memory_kms.h b/cpp/src/parquet/encryption/test_in_memory_kms.h
@@ -56,7 +56,7 @@ class TestOnlyInServerWrapKms : public KmsClient {
   std::string WrapKey(const ::arrow::util::SecureString& key_bytes,
                       const std::string& master_key_identifier) override;
 
-  ::arrow::util::SecureString UnWrapKey(
+  ::arrow::util::SecureString UnwrapKey(
       const std::string& wrapped_key, const std::string& master_key_identifier) override;
 
   static void StartKeyRotation(
diff --git a/python/pyarrow/_parquet_encryption.pyx b/python/pyarrow/_parquet_encryption.pyx
@@ -20,6 +20,7 @@
 
 from datetime import timedelta
 
+from cpython.bytes cimport PyBytes_FromStringAndSize
 from cython.operator cimport dereference as deref
 
 from pyarrow.includes.common cimport *
@@ -300,20 +301,23 @@ cdef class KmsConnectionConfig(_Weakrefable):
 
 # Callback definitions for CPyKmsClientVtable
 cdef void _cb_wrap_key(
-        handler, const c_string& key_bytes,
+        handler, const CSecureString& key,
         const c_string& master_key_identifier, c_string* out) except *:
+    view = <cpp_string_view>key.as_view()
+    key_bytes = <bytes>PyBytes_FromStringAndSize(view.data(), view.size())
     mkid_str = frombytes(master_key_identifier)
     wrapped_key = handler.wrap_key(key_bytes, mkid_str)
     out[0] = tobytes(wrapped_key)
 
 
 cdef void _cb_unwrap_key(
         handler, const c_string& wrapped_key,
-        const c_string& master_key_identifier, c_string* out) except *:
+        const c_string& master_key_identifier, CSecureString* out) except *:
     mkid_str = frombytes(master_key_identifier)
     wk_str = frombytes(wrapped_key)
     key = handler.unwrap_key(wk_str, mkid_str)
-    out[0] = tobytes(key)
+    cstr = <c_string>tobytes(key)
+    out[0] = CSecureString(move(cstr))
 
 
 cdef class KmsClient(_Weakrefable):
diff --git a/python/pyarrow/includes/libarrow.pxd b/python/pyarrow/includes/libarrow.pxd
@@ -3130,6 +3130,16 @@ cdef extern from "arrow/util/iterator.h" namespace "arrow" nogil:
         RangeIterator end()
     CIterator[T] MakeVectorIterator[T](vector[T] v)
 
+
+cdef extern from "arrow/util/secure_string.h" namespace "arrow" nogil:
+    cdef cppclass CSecureString" arrow::util::SecureString":
+        CSecureString()
+        CSecureString(c_string s)
+        CSecureString(const CSecureString& s)
+        CSecureString(size_t n, char c)
+        cpp_string_view as_view()
+
+
 cdef extern from "arrow/util/thread_pool.h" namespace "arrow" nogil:
     int GetCpuThreadPoolCapacity()
     CStatus SetCpuThreadPoolCapacity(int threads)
diff --git a/python/pyarrow/includes/libparquet_encryption.pxd b/python/pyarrow/includes/libparquet_encryption.pxd
@@ -18,6 +18,7 @@
 # distutils: language = c++
 
 from pyarrow.includes.common cimport *
+from pyarrow.includes.libarrow cimport CSecureString
 from pyarrow._parquet cimport (ParquetCipher,
                                CFileEncryptionProperties,
                                CFileDecryptionProperties,
@@ -28,10 +29,10 @@ from pyarrow._parquet cimport (ParquetCipher,
 cdef extern from "parquet/encryption/kms_client.h" \
         namespace "parquet::encryption" nogil:
     cdef cppclass CKmsClient" parquet::encryption::KmsClient":
-        c_string WrapKey(const c_string& key_bytes,
+        c_string WrapKey(const CSecureString& key,
                          const c_string& master_key_identifier) except +
-        c_string UnwrapKey(const c_string& wrapped_key,
-                           const c_string& master_key_identifier) except +
+        CSecureString UnwrapKey(const c_string& wrapped_key,
+                                const c_string& master_key_identifier) except +
 
     cdef cppclass CKeyAccessToken" parquet::encryption::KeyAccessToken":
         CKeyAccessToken(const c_string value)
@@ -49,9 +50,9 @@ cdef extern from "parquet/encryption/kms_client.h" \
 # Callbacks for implementing Python kms clients
 # Use typedef to emulate syntax for std::function<void(..)>
 ctypedef void CallbackWrapKey(
-    object, const c_string&, const c_string&, c_string*)
+    object, const CSecureString&, const c_string&, c_string*)
 ctypedef void CallbackUnwrapKey(
-    object, const c_string&, const c_string&, c_string*)
+    object, const c_string&, const c_string&, CSecureString*)
 
 cdef extern from "parquet/encryption/kms_client_factory.h" \
         namespace "parquet::encryption" nogil:
diff --git a/python/pyarrow/src/arrow/python/parquet_encryption.cc b/python/pyarrow/src/arrow/python/parquet_encryption.cc
@@ -30,11 +30,11 @@ PyKmsClient::PyKmsClient(PyObject* handler, PyKmsClientVtable vtable)
 
 PyKmsClient::~PyKmsClient() {}
 
-std::string PyKmsClient::WrapKey(const std::string& key_bytes,
+std::string PyKmsClient::WrapKey(const ::arrow::util::SecureString& key,
                                  const std::string& master_key_identifier) {
   std::string wrapped;
   auto st = SafeCallIntoPython([&]() -> Status {
-    vtable_.wrap_key(handler_.obj(), key_bytes, master_key_identifier, &wrapped);
+    vtable_.wrap_key(handler_.obj(), key, master_key_identifier, &wrapped);
     return CheckPyError();
   });
   if (!st.ok()) {
@@ -43,9 +43,9 @@ std::string PyKmsClient::WrapKey(const std::string& key_bytes,
   return wrapped;
 }
 
-std::string PyKmsClient::UnwrapKey(const std::string& wrapped_key,
-                                   const std::string& master_key_identifier) {
-  std::string unwrapped;
+::arrow::util::SecureString PyKmsClient::UnwrapKey(
+    const std::string& wrapped_key, const std::string& master_key_identifier) {
+  arrow::util::SecureString unwrapped;
   auto st = SafeCallIntoPython([&]() -> Status {
     vtable_.unwrap_key(handler_.obj(), wrapped_key, master_key_identifier, &unwrapped);
     return CheckPyError();
diff --git a/python/pyarrow/src/arrow/python/parquet_encryption.h b/python/pyarrow/src/arrow/python/parquet_encryption.h

Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,7 @@ std::string LocalWrapKmsClient::WrapKey(const SecureString& key_bytes,`
`84`	`84`	`return LocalKeyWrap::CreateSerialized(encrypted_encoded_key);`
`85`	`85`	`}`
`86`	`86`
`87`		`-SecureString LocalWrapKmsClient::UnWrapKey(const std::string& wrapped_key,`
	`87`	`+SecureString LocalWrapKmsClient::UnwrapKey(const std::string& wrapped_key,`
`88`	`88`	`const std::string& master_key_identifier) {`
`89`	`89`	`LocalKeyWrap key_wrap = LocalKeyWrap::Parse(wrapped_key);`
`90`	`90`	`const std::string& master_key_version = key_wrap.master_key_version();`