remove native io types

Author: xanderbailey

crates/iceberg/src/encryption/encrypted_io.rs

@@ -21,7 +21,6 @@ use std::sync::Arc;
 
 use bytes::Bytes;
 
-use super::crypto::SensitiveBytes;
 use super::file_decryptor::AesGcmFileDecryptor;
 use super::file_encryptor::AesGcmFileEncryptor;
 use crate::io::{FileMetadata, FileRead, FileWrite, InputFile, OutputFile};
@@ -89,48 +88,6 @@ impl std::fmt::Debug for EncryptedInputFile {
     }
 }
 
-/// A Parquet Modular Encryption (PME) input file wrapping a plain [`InputFile`].
-///
-/// The Parquet reader handles decryption at the column/page level using the
-/// key material carried by this struct.
-pub struct NativeEncryptedInputFile {
-    inner: InputFile,
-    key_material: NativeKeyMaterial,
-}
-
-impl NativeEncryptedInputFile {
-    /// Creates a new native-encrypted input file.
-    pub fn new(inner: InputFile, key_material: NativeKeyMaterial) -> Self {
-        Self {
-            inner,
-            key_material,
-        }
-    }
-
-    /// Absolute path of the file.
-    pub fn location(&self) -> &str {
-        self.inner.location()
-    }
-
-    /// Returns the native key material for PME decryption.
-    pub fn key_material(&self) -> &NativeKeyMaterial {
-        &self.key_material
-    }
-
-    /// Consumes self and returns the underlying plain input file.
-    pub fn into_inner(self) -> InputFile {
-        self.inner
-    }
-}
-
-impl std::fmt::Debug for NativeEncryptedInputFile {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        f.debug_struct("NativeEncryptedInputFile")
-            .field("path", &self.inner.location())
-            .finish_non_exhaustive()
-    }
-}
-
 /// An AGS1 stream-encrypted output file wrapping a plain [`OutputFile`].
 ///
 /// Transparently encrypts on write.
@@ -195,95 +152,3 @@ impl std::fmt::Debug for EncryptedOutputFile {
             .finish_non_exhaustive()
     }
 }
-
-/// A Parquet Modular Encryption (PME) output file wrapping a plain [`OutputFile`].
-///
-/// The Parquet writer handles encryption at the column/page level using the
-/// key material carried by this struct.
-pub struct NativeEncryptedOutputFile {
-    inner: OutputFile,
-    key_metadata: Box<[u8]>,
-    key_material: NativeKeyMaterial,
-}
-
-impl NativeEncryptedOutputFile {
-    /// Creates a new native-encrypted output file.
-    pub fn new(
-        inner: OutputFile,
-        key_metadata: Box<[u8]>,
-        key_material: NativeKeyMaterial,
-    ) -> Self {
-        Self {
-            inner,
-            key_metadata,
-            key_material,
-        }
-    }
-
-    /// Returns the key metadata bytes (for storage in manifest/data files).
-    pub fn key_metadata(&self) -> &[u8] {
-        &self.key_metadata
-    }
-
-    /// Absolute path of the file.
-    pub fn location(&self) -> &str {
-        self.inner.location()
-    }
-
-    /// Returns the native key material for PME encryption.
-    pub fn key_material(&self) -> &NativeKeyMaterial {
-        &self.key_material
-    }
-
-    /// Consumes self and returns the underlying plain output file.
-    pub fn into_inner(self) -> OutputFile {
-        self.inner
-    }
-}
-
-impl std::fmt::Debug for NativeEncryptedOutputFile {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        f.debug_struct("NativeEncryptedOutputFile")
-            .field("path", &self.inner.location())
-            .finish_non_exhaustive()
-    }
-}
-
-/// Plaintext key material for Parquet Modular Encryption (PME).
-///
-/// Carries the DEK and AAD prefix needed by a Parquet reader/writer to
-/// configure `FileEncryptionProperties` / `FileDecryptionProperties`.
-///
-/// Rust equivalent of Java's `NativeEncryptionKeyMetadata` interface.
-pub struct NativeKeyMaterial {
-    dek: SensitiveBytes,
-    /// AAD prefix is not secret — it is stored in plaintext in file metadata
-    /// and used for integrity (authenticated data), not confidentiality.
-    aad_prefix: Box<[u8]>,
-}
-
-impl NativeKeyMaterial {
-    /// Creates a new `NativeKeyMaterial`.
-    pub fn new(dek: SensitiveBytes, aad_prefix: Box<[u8]>) -> Self {
-        Self { dek, aad_prefix }
-    }
-
-    /// Returns the plaintext DEK.
-    pub fn dek(&self) -> &SensitiveBytes {
-        &self.dek
-    }
-
-    /// Returns the AAD prefix.
-    pub fn aad_prefix(&self) -> &[u8] {
-        &self.aad_prefix
-    }
-}
-
-impl std::fmt::Debug for NativeKeyMaterial {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        f.debug_struct("NativeKeyMaterial")
-            .field("dek", &self.dek)
-            .field("aad_prefix_len", &self.aad_prefix.len())
-            .finish()
-    }
-}

crates/iceberg/src/encryption/encryption_manager.rs

@@ -36,10 +36,7 @@ use uuid::Uuid;
 const MILLIS_IN_DAY: i64 = 24 * 60 * 60 * 1000;
 
 use super::crypto::{AesGcmCipher, AesKeySize, SecureKey, SensitiveBytes};
-use super::encrypted_io::{
-    EncryptedInputFile, EncryptedOutputFile, NativeEncryptedInputFile, NativeEncryptedOutputFile,
-    NativeKeyMaterial,
-};
+use super::encrypted_io::{EncryptedInputFile, EncryptedOutputFile};
 use super::file_decryptor::AesGcmFileDecryptor;
 use super::file_encryptor::AesGcmFileEncryptor;
 use super::key_metadata::StandardKeyMetadata;
@@ -128,43 +125,15 @@ impl EncryptionManager {
         Ok(EncryptedInputFile::new(input, decryptor))
     }
 
-    /// Encrypt an output file for Parquet Modular Encryption (PME).
+    /// Generate key material for Parquet Modular Encryption (PME).
     ///
-    /// Returns a [`NativeEncryptedOutputFile`] whose key material is available
-    /// for the Parquet writer to configure `FileEncryptionProperties`.
-    pub fn encrypt_native(&self, raw_output: OutputFile) -> Result<NativeEncryptedOutputFile> {
+    /// Returns a [`StandardKeyMetadata`] containing a fresh DEK and AAD prefix.
+    /// The caller should pass this to the Parquet writer to configure
+    /// `FileEncryptionProperties`, and serialize it for storage in the manifest.
+    pub fn generate_native_key_metadata(&self) -> Result<StandardKeyMetadata> {
         let dek = SecureKey::generate(self.key_size);
         let aad_prefix = Self::generate_aad_prefix();
-
-        let key_metadata_bytes = StandardKeyMetadata::new(dek.as_bytes())
-            .with_aad_prefix(&aad_prefix)
-            .encode()?;
-
-        Ok(NativeEncryptedOutputFile::new(
-            raw_output,
-            key_metadata_bytes,
-            NativeKeyMaterial::new(SensitiveBytes::new(dek.as_bytes()), aad_prefix),
-        ))
-    }
-
-    /// Decrypt key metadata for a Parquet Modular Encryption (PME) file.
-    ///
-    /// Returns a [`NativeEncryptedInputFile`] carrying the plaintext DEK
-    /// and AAD prefix for the Parquet reader to configure
-    /// `FileDecryptionProperties`.
-    pub fn decrypt_native(
-        &self,
-        raw_input: InputFile,
-        key_metadata: &[u8],
-    ) -> Result<NativeEncryptedInputFile> {
-        let metadata = StandardKeyMetadata::decode(key_metadata)?;
-        Ok(NativeEncryptedInputFile::new(
-            raw_input,
-            NativeKeyMaterial::new(
-                metadata.encryption_key().clone(),
-                metadata.aad_prefix().unwrap_or_default().into(),
-            ),
-        ))
+        Ok(StandardKeyMetadata::new(dek.as_bytes()).with_aad_prefix(&aad_prefix))
     }
 
     /// Wrap key metadata bytes with a KEK for storage in table metadata.

crates/iceberg/src/encryption/mod.rs

@@ -30,10 +30,7 @@ pub mod kms;
 mod stream;
 
 pub use crypto::{AesGcmCipher, AesKeySize, SecureKey, SensitiveBytes};
-pub use encrypted_io::{
-    EncryptedInputFile, EncryptedOutputFile, NativeEncryptedInputFile, NativeEncryptedOutputFile,
-    NativeKeyMaterial,
-};
+pub use encrypted_io::{EncryptedInputFile, EncryptedOutputFile};
 pub use encryption_manager::EncryptionManager;
 pub use file_decryptor::AesGcmFileDecryptor;
 pub use file_encryptor::AesGcmFileEncryptor;