+ * If libmongocrypt was not built with native crypto support, setting crypto hooks is required. + *
+ * + * @return true if libmongocrypt was built with native crypto support + */ + public static native boolean + mongocrypt_is_crypto_available(); /** * Destroy the @ref mongocrypt_t object. @@ -850,9 +886,8 @@ public interface mongocrypt_random_fn extends Callback { /** * Explicit helper method to encrypt a Match Expression or Aggregate Expression. * Contexts created for explicit encryption will not go through mongocryptd. - * Requires query_type to be "rangePreview". - * NOTE: The RangePreview algorithm is experimental only. It is not intended for - * public use. + * Requires query_type to be "range". + * NOTE: "range" is currently unstable API and subject to backwards breaking changes. * * This method expects the passed-in BSON to be of the form: * { "v" : FLE2RangeFindDriverSpec } diff --git a/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/src/main/java/com/mongodb/crypt/capi/CAPIHelper.java b/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/src/main/java/com/mongodb/crypt/capi/CAPIHelper.java index 64c2e47..e836210 100644 --- a/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/src/main/java/com/mongodb/crypt/capi/CAPIHelper.java +++ b/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/src/main/java/com/mongodb/crypt/capi/CAPIHelper.java @@ -70,8 +70,8 @@ static BinaryHolder toBinary(final ByteBuffer buffer) { } static ByteBuffer toByteBuffer(final mongocrypt_binary_t binary) { - Pointer pointer = mongocrypt_binary_data(binary); - int length = mongocrypt_binary_len(binary); + Pointer pointer = binary.data(); + int length = binary.len(); return pointer.getByteBuffer(0, length); } 
@@ -83,11 +83,11 @@ static byte[] toByteArray(final mongocrypt_binary_t binary) { } static void writeByteArrayToBinary(final mongocrypt_binary_t binary, byte[] bytes) { - if (mongocrypt_binary_len(binary) < bytes.length) { + if (binary.len() < bytes.length) { throw new IllegalArgumentException(format("mongocrypt binary of length %d is not large enough to hold %d bytes", - mongocrypt_binary_len(binary), bytes.length)); + binary.len(), bytes.length)); } - Pointer outPointer = mongocrypt_binary_data(binary); + Pointer outPointer = binary.data(); outPointer.write(0, bytes, 0, bytes.length); } diff --git a/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/src/main/java/com/mongodb/crypt/capi/CipherCallback.java b/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/src/main/java/com/mongodb/crypt/capi/CipherCallback.java index 68abfc0..b10c0f2 100644 --- a/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/src/main/java/com/mongodb/crypt/capi/CipherCallback.java +++ b/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/src/main/java/com/mongodb/crypt/capi/CipherCallback.java @@ -24,8 +24,11 @@ import com.sun.jna.Pointer; import javax.crypto.Cipher; +import javax.crypto.NoSuchPaddingException; import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.SecretKeySpec; +import java.security.NoSuchAlgorithmException; +import java.util.concurrent.ConcurrentLinkedDeque; import static com.mongodb.crypt.capi.CAPI.MONGOCRYPT_STATUS_ERROR_CLIENT; import static com.mongodb.crypt.capi.CAPI.mongocrypt_status_set; 
@@ -36,21 +39,24 @@ class CipherCallback implements mongocrypt_crypto_fn { private final String algorithm; private final String transformation; private final int mode; + private final CipherPool cipherPool; CipherCallback(final String algorithm, final String transformation, final int mode) { this.algorithm = algorithm; this.transformation = transformation; this.mode = mode; + this.cipherPool = new CipherPool(); } @Override public boolean crypt(final Pointer ctx, final mongocrypt_binary_t key, final mongocrypt_binary_t iv, final mongocrypt_binary_t in, final mongocrypt_binary_t out, final Pointer bytesWritten, final mongocrypt_status_t status) { + Cipher cipher = null; try { IvParameterSpec ivParameterSpec = new IvParameterSpec(toByteArray(iv)); SecretKeySpec secretKeySpec = new SecretKeySpec(toByteArray(key), algorithm); - Cipher cipher = Cipher.getInstance(transformation); + cipher = cipherPool.get(); cipher.init(mode, secretKeySpec, ivParameterSpec); byte[] result = cipher.doFinal(toByteArray(in)); @@ -61,6 +67,26 @@ public boolean crypt(final Pointer ctx, final mongocrypt_binary_t key, final mon } catch (Exception e) { mongocrypt_status_set(status, MONGOCRYPT_STATUS_ERROR_CLIENT, 0, new cstring(e.toString()), -1); return false; + } finally { + if (cipher != null) { + cipherPool.release(cipher); + } + } + } + + private class CipherPool { + private final ConcurrentLinkedDequeIt is an error to set rangeOptions when the algorithm is not "rangePreview".
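Review bot: `cipher = cipherPool.get();` hands out a Cipher that an earlier call may have left in a failed state — the finally block in the next hunk releases `cipher` to the pool even when `cipher.init(...)` or `cipher.doFinal(...)` threw, and nothing on this path resets it. That is only safe because every use is preceded by `cipher.init(mode, secretKeySpec, ivParameterSpec)`, which per the Cipher contract discards previously acquired state, but the invariant is implicit and easy to break if a future change uses a pooled instance before init(). I would state it at the call site: `// a pooled Cipher may have been left mid-operation by a failed call; init() below resets it before use`. The pool itself should also document that an idle instance keeps the key material of its last init() until the next caller re-initializes it, since that affects how long key bytes stay reachable. crypt's body continues in the following hunk.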
+ *It is an error to set rangeOptions when the algorithm is not "range".
* * @param rangeOptions the range options * @return this @@ -202,11 +202,13 @@ private MongoExplicitEncryptOptions(Builder builder) { this.contentionFactor = builder.contentionFactor; this.queryType = builder.queryType; this.rangeOptions = builder.rangeOptions; - if (!(Objects.equals(algorithm, "Indexed") || Objects.equals(algorithm, "RangePreview"))) { + if (!(Objects.equals(algorithm, "Indexed") || Objects.equals(algorithm, "Range"))) { if (contentionFactor != null) { - throw new IllegalStateException("Invalid configuration, contentionFactor can only be set if algorithm is 'Indexed' or 'RangePreview'"); + throw new IllegalStateException( + "Invalid configuration, contentionFactor can only be set if algorithm is 'Indexed' or 'Range'"); } else if (queryType != null) { - throw new IllegalStateException("Invalid configuration, queryType can only be set if algorithm is 'Indexed' or 'RangePreview'"); + throw new IllegalStateException( + "Invalid configuration, queryType can only be set if algorithm is 'Indexed' or 'Range'"); } } } diff --git a/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/src/main/resources/META-INF/native-image/jni-config.json b/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/src/main/resources/META-INF/native-image/jni-config.json new file mode 100644 index 0000000..44e398c --- /dev/null +++ b/ext/libmongocrypt/libmongocrypt/bindings/java/mongocrypt/src/main/resources/META-INF/native-image/jni-config.json 
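Review bot: The changed condition compares exact strings, `Objects.equals(algorithm, "Range")`, while the rangeOptions Javadoc in the preceding hunk of this file now says the algorithm must be `"range"`; one of the two spellings is wrong, and a caller following the Javadoc will not match this branch. Separately, `this.rangeOptions = builder.rangeOptions;` is assigned just above but never validated, even though that Javadoc calls it an error to set rangeOptions with any other algorithm — only contentionFactor and queryType are rejected here. If the Javadoc states the intent, add after the existing block: `if (rangeOptions != null && !Objects.equals(algorithm, "Range")) { throw new IllegalStateException("Invalid configuration, rangeOptions can only be set if algorithm is 'Range'"); }`. The algorithm literals are also repeated across the condition and both messages; a `private static final String` per name would keep them from drifting the way "RangePreview" just did.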
@@ -0,0 +1,180 @@ +[ +{ + "name":"com.mongodb.crypt.capi.CAPI$mongocrypt_crypto_fn", + "methods":[{"name":"crypt","parameterTypes":["com.sun.jna.Pointer","com.mongodb.crypt.capi.CAPI$mongocrypt_binary_t","com.mongodb.crypt.capi.CAPI$mongocrypt_binary_t","com.mongodb.crypt.capi.CAPI$mongocrypt_binary_t","com.mongodb.crypt.capi.CAPI$mongocrypt_binary_t","com.sun.jna.Pointer","com.mongodb.crypt.capi.CAPI$mongocrypt_status_t"] }] +}, +{ + "name":"com.mongodb.crypt.capi.CAPI$mongocrypt_hash_fn", + "methods":[{"name":"hash","parameterTypes":["com.sun.jna.Pointer","com.mongodb.crypt.capi.CAPI$mongocrypt_binary_t","com.mongodb.crypt.capi.CAPI$mongocrypt_binary_t","com.mongodb.crypt.capi.CAPI$mongocrypt_status_t"] }] +}, +{ + "name":"com.mongodb.crypt.capi.CAPI$mongocrypt_hmac_fn", + "methods":[{"name":"hmac","parameterTypes":["com.sun.jna.Pointer","com.mongodb.crypt.capi.CAPI$mongocrypt_binary_t","com.mongodb.crypt.capi.CAPI$mongocrypt_binary_t","com.mongodb.crypt.capi.CAPI$mongocrypt_binary_t","com.mongodb.crypt.capi.CAPI$mongocrypt_status_t"] }] +}, +{ + "name":"com.mongodb.crypt.capi.CAPI$mongocrypt_log_fn_t", + "methods":[{"name":"log","parameterTypes":["int","com.mongodb.crypt.capi.CAPI$cstring","int","com.sun.jna.Pointer"] }] +}, +{ + "name":"com.mongodb.crypt.capi.CAPI$mongocrypt_random_fn", + "methods":[{"name":"random","parameterTypes":["com.sun.jna.Pointer","com.mongodb.crypt.capi.CAPI$mongocrypt_binary_t","int","com.mongodb.crypt.capi.CAPI$mongocrypt_status_t"] }] +}, +{ + "name":"com.sun.jna.Callback" +}, +{ + "name":"com.sun.jna.CallbackReference", + "methods":[{"name":"getCallback","parameterTypes":["java.lang.Class","com.sun.jna.Pointer","boolean"] }, {"name":"getFunctionPointer","parameterTypes":["com.sun.jna.Callback","boolean"] }, {"name":"getNativeString","parameterTypes":["java.lang.Object","boolean"] }, {"name":"initializeThread","parameterTypes":["com.sun.jna.Callback","com.sun.jna.CallbackReference$AttachOptions"] }] +}, +{ + 
"name":"com.sun.jna.CallbackReference$AttachOptions" +}, +{ + "name":"com.sun.jna.FromNativeConverter", + "methods":[{"name":"nativeType","parameterTypes":[] }] +}, +{ + "name":"com.sun.jna.IntegerType", + "fields":[{"name":"value"}] +}, +{ + "name":"com.sun.jna.JNIEnv" +}, +{ + "name":"com.sun.jna.Native", + "methods":[{"name":"dispose","parameterTypes":[] }, {"name":"fromNative","parameterTypes":["com.sun.jna.FromNativeConverter","java.lang.Object","java.lang.reflect.Method"] }, {"name":"fromNative","parameterTypes":["java.lang.Class","java.lang.Object"] }, {"name":"fromNative","parameterTypes":["java.lang.reflect.Method","java.lang.Object"] }, {"name":"nativeType","parameterTypes":["java.lang.Class"] }, {"name":"toNative","parameterTypes":["com.sun.jna.ToNativeConverter","java.lang.Object"] }] +}, +{ + "name":"com.sun.jna.Native$ffi_callback", + "methods":[{"name":"invoke","parameterTypes":["long","long","long"] }] +}, +{ + "name":"com.sun.jna.NativeMapped", + "methods":[{"name":"toNative","parameterTypes":[] }] +}, +{ + "name":"com.sun.jna.Pointer", + "fields":[{"name":"peer"}], + "methods":[{"name":"An internal class to be used by the driver for auto encryption -NOTE: Not meant to be instantiated directly, this is for internal use only.
-The public interface for explicit in-use encryption
-An error indicating that something went wrong specifically with MongoDB Client Encryption
-An error indicating that ClientEncryption.createEncryptedCollection() failed to create data keys
An error indicating that ClientEncryption.createEncryptedCollection() failed to create a collection
An error indicating that mongodb-client-encryption failed to auto-refresh Azure KMS credentials.
-*any serializable BSON value
-BSON.LongA 64 bit integer, represented by the js-bson Long type.
-objectConfiguration options that are used by specific KMS providers during key generation, encryption, and decryption.
-objectA data key as stored in the database.
-stringA string containing the name of a kms provider. Valid options are 'aws', 'azure', 'gcp', 'kmip', or 'local'
-objectThe ClientSession class from the MongoDB Node driver (see https://mongodb.github.io/node-mongodb-native/4.8/classes/ClientSession.html)
-objectThe result of a delete operation from the MongoDB Node driver (see https://mongodb.github.io/node-mongodb-native/4.8/interfaces/DeleteResult.html)
-objectThe BulkWriteResult class from the MongoDB Node driver (https://mongodb.github.io/node-mongodb-native/4.8/classes/BulkWriteResult.html)
-objectThe FindCursor class from the MongoDB Node driver (see https://mongodb.github.io/node-mongodb-native/4.8/classes/FindCursor.html)
-BinaryThe id of an existing dataKey. Is a bson Binary value. -Can be used for ClientEncryption.encrypt, and can be used to directly -query for the data key itself against the key vault namespace.
-functionobjectConfiguration options for making an AWS encryption key
-objectConfiguration options for making a GCP encryption key
-objectConfiguration options for making an Azure encryption key
-objectfunctionobjectmin, max, sparsity, and range must match the values set in the encryptedFields of the destination collection. -For double and decimal128, min/max/precision must all be set, or all be unset.
-objectOptions to provide when encrypting data.
-MongoClient | The client autoEncryption is enabled on |
-| [options] | [AutoEncryptionOptions](#AutoEncrypter..AutoEncryptionOptions) | Optional settings |
-
-Create an AutoEncrypter
-
-**Note**: Do not instantiate this class directly. Rather, supply the relevant options to a MongoClient
-
-**Note**: Supplying `options.schemaMap` provides more security than relying on JSON Schemas obtained from the server.
-It protects against a malicious server advertising a false JSON Schema, which could trick the client into sending unencrypted data that should be encrypted.
-Schemas supplied in the schemaMap only apply to configuring automatic encryption for Client-Side Field Level Encryption.
-Other validation rules in the JSON schema will not be enforced by the driver and will result in an error.
-
-**Example**
-```js
-// Enabling autoEncryption via a MongoClient
-const { MongoClient } = require('mongodb');
-const client = new MongoClient(URL, {
- autoEncryption: {
- kmsProviders: {
- aws: {
- accessKeyId: AWS_ACCESS_KEY,
- secretAccessKey: AWS_SECRET_KEY
- }
- }
- }
-});
-
-await client.connect();
-// From here on, the client will be encrypting / decrypting automatically
-```
-
-
-### *autoEncrypter*.cryptSharedLibVersionInfo
-Return the current libmongocrypt's CSFLE shared library version
-as `{ version: bigint, versionStr: string }`, or `null` if no CSFLE
-shared library was loaded.
-
-
-
-### *autoEncrypter*.askForKMSCredentials()
-Ask the user for KMS credentials.
-
-This returns anything that looks like the kmsProviders original input
-option. It can be empty, and any provider specified here will override
-the original ones.
-
-
-
-### *AutoEncrypter*~logLevel
-The level of severity of the log message
-
-| Value | Level |
-|-------|-------|
-| 0 | Fatal Error |
-| 1 | Error |
-| 2 | Warning |
-| 3 | Info |
-| 4 | Trace |
-
-
-
-### *AutoEncrypter*~AutoEncryptionOptions
-**Properties**
-
-| Name | Type | Description |
-| --- | --- | --- |
-| [keyVaultClient] | MongoClient | A `MongoClient` used to fetch keys from a key vault |
-| [keyVaultNamespace] | string | The namespace where keys are stored in the key vault |
-| [kmsProviders] | [KMSProviders](#KMSProviders) | Configuration options that are used by specific KMS providers during key generation, encryption, and decryption. |
-| [schemaMap] | object | A map of namespaces to a local JSON schema for encryption |
-| [bypassAutoEncryption] | boolean | Allows the user to bypass auto encryption, maintaining implicit decryption |
-| [options.logger] | [logger](#AutoEncrypter..logger) | An optional hook to catch logging messages from the underlying encryption engine |
-| [extraOptions] | [AutoEncryptionExtraOptions](#AutoEncrypter..AutoEncryptionExtraOptions) | Extra options related to the mongocryptd process |
-
-Configuration options for a automatic client encryption.
-
-
-
-### *AutoEncrypter*~AutoEncryptionExtraOptions
-**Properties**
-
-| Name | Type | Default | Description |
-| --- | --- | --- | --- |
-| [mongocryptdURI] | string | | A local process the driver communicates with to determine how to encrypt values in a command. Defaults to "mongodb://%2Fvar%2Fmongocryptd.sock" if domain sockets are available or "mongodb://localhost:27020" otherwise |
-| [mongocryptdBypassSpawn] | boolean | false | If true, autoEncryption will not attempt to spawn a mongocryptd before connecting |
-| [mongocryptdSpawnPath] | string | | The path to the mongocryptd executable on the system |
-| [mongocryptdSpawnArgs] | Array.<string> | | Command line arguments to use when auto-spawning a mongocryptd |
-
-Extra options related to the mongocryptd process
-
-
-
-### *AutoEncrypter*~logger
-
-| Param | Type | Description |
-| --- | --- | --- |
-| level | [logLevel](#AutoEncrypter..logLevel) | The level of logging. |
-| message | string | The message to log |
-
-A callback that is invoked with logging information from
-the underlying C++ Bindings.
-
-
-
-## ClientEncryption
-The public interface for explicit in-use encryption
-
-
-* [ClientEncryption](#ClientEncryption)
-
- * [new ClientEncryption(client, options)](#new_ClientEncryption_new)
-
- * _instance_
- * [.createDataKey(provider, [options], [callback])](#ClientEncryption+createDataKey)
-
- * [.rewrapManyDataKey(filter, [options])](#ClientEncryption+rewrapManyDataKey)
-
- * [.deleteKey(_id)](#ClientEncryption+deleteKey)
-
- * [.getKeys()](#ClientEncryption+getKeys)
-
- * [.getKey(_id)](#ClientEncryption+getKey)
-
- * [.getKeyByAltName(keyAltName)](#ClientEncryption+getKeyByAltName)
-
- * [.addKeyAltName(_id, keyAltName)](#ClientEncryption+addKeyAltName)
-
- * [.removeKeyAltName(_id, keyAltName)](#ClientEncryption+removeKeyAltName)
-
- * [.createEncryptedCollection(db, name, options)](#ClientEncryption+createEncryptedCollection)
-
- * [.encrypt(value, options, [callback])](#ClientEncryption+encrypt)
-
- * [.encryptExpression(expression, options)](#ClientEncryption+encryptExpression)
-
- * [.decrypt(value, callback)](#ClientEncryption+decrypt)
-
- * [.askForKMSCredentials()](#ClientEncryption+askForKMSCredentials)
-
- * _inner_
- * [~decryptCallback](#ClientEncryption..decryptCallback)
-
-
-
-
-### new ClientEncryption(client, options)
-
-| Param | Type | Description |
-| --- | --- | --- |
-| client | MongoClient | The client used for encryption |
-| options | object | Additional settings |
-| options.keyVaultNamespace | string | The namespace of the key vault, used to store encryption keys |
-| options.tlsOptions | object | An object that maps KMS provider names to TLS options. |
-| [options.keyVaultClient] | MongoClient | A `MongoClient` used to fetch keys from a key vault. Defaults to `client` |
-| [options.kmsProviders] | [KMSProviders](#KMSProviders) | options for specific KMS providers to use |
-
-Create a new encryption instance
-
-**Example**
-```js
-new ClientEncryption(mongoClient, {
- keyVaultNamespace: 'client.encryption',
- kmsProviders: {
- local: {
- key: masterKey // The master key used for encryption/decryption. A 96-byte long Buffer
- }
- }
-});
-```
-**Example**
-```js
-new ClientEncryption(mongoClient, {
- keyVaultNamespace: 'client.encryption',
- kmsProviders: {
- aws: {
- accessKeyId: AWS_ACCESS_KEY,
- secretAccessKey: AWS_SECRET_KEY
- }
- }
-});
-```
-
-
-### *clientEncryption*.createDataKey(provider, [options], [callback])
-
-| Param | Type | Description |
-| --- | --- | --- |
-| provider | string | The KMS provider used for this data key. Must be `'aws'`, `'azure'`, `'gcp'`, or `'local'` |
-| [options] | object | Options for creating the data key |
-| [options.masterKey] | [AWSEncryptionKeyOptions](#AWSEncryptionKeyOptions) \| [AzureEncryptionKeyOptions](#AzureEncryptionKeyOptions) \| [GCPEncryptionKeyOptions](#GCPEncryptionKeyOptions) | Idenfities a new KMS-specific key used to encrypt the new data key |
-| [options.keyAltNames] | Array.<string> | An optional list of string alternate names used to reference a key. If a key is created with alternate names, then encryption may refer to the key by the unique alternate name instead of by _id. |
-| [callback] | [ClientEncryptionCreateDataKeyCallback](#ClientEncryptionCreateDataKeyCallback) | Optional callback to invoke when key is created |
-
-Creates a data key used for explicit encryption and inserts it into the key vault namespace
-
-**Returns**: Promise \| void - If no callback is provided, returns a Promise that either resolves with [the id of the created data key](ClientEncryption~dataKeyId), or rejects with an error. If a callback is provided, returns nothing.
-**Example**
-```js
-// Using callbacks to create a local key
-clientEncryption.createDataKey('local', (err, dataKey) => {
- if (err) {
- // This means creating the key failed.
- } else {
- // key creation succeeded
- }
-});
-```
-**Example**
-```js
-// Using async/await to create a local key
-const dataKeyId = await clientEncryption.createDataKey('local');
-```
-**Example**
-```js
-// Using async/await to create an aws key
-const dataKeyId = await clientEncryption.createDataKey('aws', {
- masterKey: {
- region: 'us-east-1',
- key: 'xxxxxxxxxxxxxx' // CMK ARN here
- }
-});
-```
-**Example**
-```js
-// Using async/await to create an aws key with a keyAltName
-const dataKeyId = await clientEncryption.createDataKey('aws', {
- masterKey: {
- region: 'us-east-1',
- key: 'xxxxxxxxxxxxxx' // CMK ARN here
- },
- keyAltNames: [ 'mySpecialKey' ]
-});
-```
-
-
-### *clientEncryption*.rewrapManyDataKey(filter, [options])
-
-| Param | Type | Description |
-| --- | --- | --- |
-| filter | object | A valid MongoDB filter. Any documents matching this filter will be re-wrapped. |
-| [options] | object | |
-| options.provider | [KmsProvider](#KmsProvider) | The KMS provider to use when re-wrapping the data keys. |
-| [options.masterKey] | [AWSEncryptionKeyOptions](#AWSEncryptionKeyOptions) \| [AzureEncryptionKeyOptions](#AzureEncryptionKeyOptions) \| [GCPEncryptionKeyOptions](#GCPEncryptionKeyOptions) | |
-
-Searches the keyvault for any data keys matching the provided filter. If there are matches, rewrapManyDataKey then attempts to re-wrap the data keys using the provided options.
-
-If no matches are found, then no bulk write is performed.
-
-**Example**
-```js
-// rewrapping all data data keys (using a filter that matches all documents)
-const filter = {};
-
-const result = await clientEncryption.rewrapManyDataKey(filter);
-if (result.bulkWriteResult != null) {
- // keys were re-wrapped, results will be available in the bulkWrite object.
-}
-```
-**Example**
-```js
-// attempting to rewrap all data keys with no matches
-const filter = { _id: new Binary() } // assume _id matches no documents in the database
-const result = await clientEncryption.rewrapManyDataKey(filter);
-
-if (result.bulkWriteResult == null) {
- // no keys matched, `bulkWriteResult` does not exist on the result object
-}
-```
-
-
-### *clientEncryption*.deleteKey(_id)
-
-| Param | Type | Description |
-| --- | --- | --- |
-| _id | [ClientEncryptionDataKeyId](#ClientEncryptionDataKeyId) | the id of the document to delete. |
-
-Deletes the key with the provided id from the keyvault, if it exists.
-
-**Returns**: [Promise.<DeleteResult>](#DeleteResult) - Returns a promise that either resolves to a [DeleteResult](#DeleteResult) or rejects with an error.
-**Example**
-```js
-// delete a key by _id
-const id = new Binary(); // id is a bson binary subtype 4 object
-const { deletedCount } = await clientEncryption.deleteKey(id);
-
-if (deletedCount != null && deletedCount > 0) {
- // successful deletion
-}
-```
-
-
-### *clientEncryption*.getKeys()
-Finds all the keys currently stored in the keyvault.
-
-This method will not throw.
-
-**Returns**: [FindCursor](#FindCursor) - a FindCursor over all keys in the keyvault.
-**Example**
-```js
-// fetching all keys
-const keys = await clientEncryption.getKeys().toArray();
-```
-
-
-### *clientEncryption*.getKey(_id)
-
-| Param | Type | Description |
-| --- | --- | --- |
-| _id | [ClientEncryptionDataKeyId](#ClientEncryptionDataKeyId) | the id of the document to delete. |
-
-Finds a key in the keyvault with the specified _id.
-
-**Returns**: [Promise.<DataKey>](#DataKey) - Returns a promise that either resolves to a [DataKey](#DataKey) if a document matches the key or null if no documents
-match the id. The promise rejects with an error if an error is thrown.
-**Example**
-```js
-// getting a key by id
-const id = new Binary(); // id is a bson binary subtype 4 object
-const key = await clientEncryption.getKey(id);
-if (!key) {
- // key is null if there was no matching key
-}
-```
-
-
-### *clientEncryption*.getKeyByAltName(keyAltName)
-
-| Param | Type | Description |
-| --- | --- | --- |
-| keyAltName | string | a keyAltName to search for a key |
-
-Finds a key in the keyvault which has the specified keyAltName.
-
-**Returns**: Promise.<(DataKey\|null)> - Returns a promise that either resolves to a [DataKey](#DataKey) if a document matches the key or null if no documents
-match the keyAltName. The promise rejects with an error if an error is thrown.
-**Example**
-```js
-// get a key by alt name
-const keyAltName = 'keyAltName';
-const key = await clientEncryption.getKeyByAltName(keyAltName);
-if (!key) {
- // key is null if there is no matching key
-}
-```
-
-
-### *clientEncryption*.addKeyAltName(_id, keyAltName)
-
-| Param | Type | Description |
-| --- | --- | --- |
-| _id | [ClientEncryptionDataKeyId](#ClientEncryptionDataKeyId) | The id of the document to update. |
-| keyAltName | string | a keyAltName to search for a key |
-
-Adds a keyAltName to a key identified by the provided _id.
-
-This method resolves to/returns the *old* key value (prior to adding the new altKeyName).
-
-**Returns**: [Promise.<DataKey>](#DataKey) - Returns a promise that either resolves to a [DataKey](#DataKey) if a document matches the key or null if no documents
-match the id. The promise rejects with an error if an error is thrown.
-**Example**
-```js
-// adding an keyAltName to a data key
-const id = new Binary(); // id is a bson binary subtype 4 object
-const keyAltName = 'keyAltName';
-const oldKey = await clientEncryption.addKeyAltName(id, keyAltName);
-if (!oldKey) {
- // null is returned if there is no matching document with an id matching the supplied id
-}
-```
-
-
-### *clientEncryption*.removeKeyAltName(_id, keyAltName)
-
-| Param | Type | Description |
-| --- | --- | --- |
-| _id | [ClientEncryptionDataKeyId](#ClientEncryptionDataKeyId) | The id of the document to update. |
-| keyAltName | string | a keyAltName to search for a key |
-
-Adds a keyAltName to a key identified by the provided _id.
-
-This method resolves to/returns the *old* key value (prior to removing the new altKeyName).
-
-If the removed keyAltName is the last keyAltName for that key, the `altKeyNames` property is unset from the document.
-
-**Returns**: Promise.<(DataKey\|null)> - Returns a promise that either resolves to a [DataKey](#DataKey) if a document matches the key or null if no documents
-match the id. The promise rejects with an error if an error is thrown.
-**Example**
-```js
-// removing a key alt name from a data key
-const id = new Binary(); // id is a bson binary subtype 4 object
-const keyAltName = 'keyAltName';
-const oldKey = await clientEncryption.removeKeyAltName(id, keyAltName);
-
-if (!oldKey) {
- // null is returned if there is no matching document with an id matching the supplied id
-}
-```
-
-
-### *clientEncryption*.createEncryptedCollection(db, name, options)
-**Throws**:
-
-- [MongoCryptCreateDataKeyError](#MongoCryptCreateDataKeyError) - If part way through the process a createDataKey invocation fails, an error will be rejected that has the partial `encryptedFields` that were created.
-- [MongoCryptCreateEncryptedCollectionError](#MongoCryptCreateEncryptedCollectionError) - If creating the collection fails, an error will be rejected that has the entire `encryptedFields` that were created.
-
-**Experimental**: Public Technical Preview
-
-A convenience method for creating an encrypted collection.
-This method will create data keys for any encryptedFields that do not have a `keyId` defined
-and then create a new collection with the full set of encryptedFields.
-
-| Param | Type | Description |
-| --- | --- | --- |
-| db | Db | A Node.js driver Db object with which to create the collection |
-| name | string | The name of the collection to be created |
-| options | object | Options for createDataKey and for createCollection |
-| options.provider | string | KMS provider name |
-| [options.masterKey] | [AWSEncryptionKeyOptions](#AWSEncryptionKeyOptions) \| [AzureEncryptionKeyOptions](#AzureEncryptionKeyOptions) \| [GCPEncryptionKeyOptions](#GCPEncryptionKeyOptions) | masterKey to pass to createDataKey |
-| options.createCollectionOptions | CreateCollectionOptions | options to pass to createCollection, must include `encryptedFields` |
-
-**Returns**: Promise.<{collection: Collection.<TSchema>, encryptedFields: Document}> - - created collection and generated encryptedFields
-
-
-### *clientEncryption*.encrypt(value, options, [callback])
-
-| Param | Type | Description |
-| --- | --- | --- |
-| value | \* | The value that you wish to serialize. Must be of a type that can be serialized into BSON |
-| options | [EncryptOptions](#EncryptOptions) | |
-| [callback] | [ClientEncryptionEncryptCallback](#ClientEncryptionEncryptCallback) | Optional callback to invoke when value is encrypted |
-
-Explicitly encrypt a provided value. Note that either `options.keyId` or `options.keyAltName` must
-be specified. Specifying both `options.keyId` and `options.keyAltName` is considered an error.
-
-**Returns**: Promise \| void - If no callback is provided, returns a Promise that either resolves with the encrypted value, or rejects with an error. If a callback is provided, returns nothing.
-**Example**
-```js
-// Encryption with callback API
-function encryptMyData(value, callback) {
- clientEncryption.createDataKey('local', (err, keyId) => {
- if (err) {
- return callback(err);
- }
- clientEncryption.encrypt(value, { keyId, algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic' }, callback);
- });
-}
-```
-**Example**
-```js
-// Encryption with async/await api
-async function encryptMyData(value) {
- const keyId = await clientEncryption.createDataKey('local');
- return clientEncryption.encrypt(value, { keyId, algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic' });
-}
-```
-**Example**
-```js
-// Encryption using a keyAltName
-async function encryptMyData(value) {
- await clientEncryption.createDataKey('local', { keyAltNames: 'mySpecialKey' });
- return clientEncryption.encrypt(value, { keyAltName: 'mySpecialKey', algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic' });
-}
-```
-
-
-### *clientEncryption*.encryptExpression(expression, options)
-**Experimental**: The Range algorithm is experimental only. It is not intended for production use. It is subject to breaking changes.
-
-| Param | Type | Description |
-| --- | --- | --- |
-| expression | object | a BSON document of one of the following forms: 1. A Match Expression of this form: `{$and: [{EncryptOptions](#EncryptOptions) | |
-
-Encrypts a Match Expression or Aggregate Expression to query a range index.
-
-Only supported when queryType is "rangePreview" and algorithm is "RangePreview".
-
-**Returns**: Promise.<object> - Returns a Promise that either resolves with the encrypted value or rejects with an error.
-
-
-### *clientEncryption*.decrypt(value, callback)
-
-| Param | Type | Description |
-| --- | --- | --- |
-| value | Buffer \| Binary | An encrypted value |
-| callback | [decryptCallback](#ClientEncryption..decryptCallback) | Optional callback to invoke when value is decrypted |
-
-Explicitly decrypt a provided encrypted value
-
-**Returns**: Promise \| void - If no callback is provided, returns a Promise that either resolves with the decrypted value, or rejects with an error. If a callback is provided, returns nothing.
-**Example**
-```js
-// Decrypting value with callback API
-function decryptMyValue(value, callback) {
- clientEncryption.decrypt(value, callback);
-}
-```
-**Example**
-```js
-// Decrypting value with async/await API
-async function decryptMyValue(value) {
- return clientEncryption.decrypt(value);
-}
-```
-
-
-### *clientEncryption*.askForKMSCredentials()
-Ask the user for KMS credentials.
-
-This returns anything that looks like the kmsProviders original input
-option. It can be empty, and any provider specified here will override
-the original ones.
-
-
-
-### *ClientEncryption*~decryptCallback
-
-| Param | Type | Description |
-| --- | --- | --- |
-| [err] | Error | If present, indicates an error that occurred in the process of decryption |
-| [result] | object | If present, is the decrypted result |
-
-
-
-## MongoCryptError
-An error indicating that something went wrong specifically with MongoDB Client Encryption
-
-
-
-## MongoCryptCreateDataKeyError
-**Experimental**: Public Technical Preview
-An error indicating that `ClientEncryption.createEncryptedCollection()` failed to create data keys
-
-
-
-## MongoCryptCreateEncryptedCollectionError
-**Experimental**: Public Technical Preview
-An error indicating that `ClientEncryption.createEncryptedCollection()` failed to create a collection
-
-
-
-## MongoCryptAzureKMSRequestError
-An error indicating that mongodb-client-encryption failed to auto-refresh Azure KMS credentials.
-
-
-
-### new MongoCryptAzureKMSRequestError(message, body)
-
-| Param | Type |
-| --- | --- |
-| message | string |
-| body | object \| undefined |
-
-
-
-## BSONValue
-any serializable BSON value
-
-
-
-## Long
-A 64 bit integer, represented by the js-bson Long type.
-
-
-
-## KMSProviders
-**Properties**
-
-| Name | Type | Description |
-| --- | --- | --- |
-| [aws] | object | Configuration options for using 'aws' as your KMS provider |
-| [aws.accessKeyId] | string | The access key used for the AWS KMS provider |
-| [aws.secretAccessKey] | string | The secret access key used for the AWS KMS provider |
-| [local] | object | Configuration options for using 'local' as your KMS provider |
-| [local.key] | Buffer | The master key used to encrypt/decrypt data keys. A 96-byte long Buffer. |
-| [azure] | object | Configuration options for using 'azure' as your KMS provider |
-| [azure.tenantId] | string | The tenant ID identifies the organization for the account |
-| [azure.clientId] | string | The client ID to authenticate a registered application |
-| [azure.clientSecret] | string | The client secret to authenticate a registered application |
-| [azure.identityPlatformEndpoint] | string | If present, a host with optional port. E.g. "example.com" or "example.com:443". This is optional, and only needed if customer is using a non-commercial Azure instance (e.g. a government or China account, which use different URLs). Defaults to "login.microsoftonline.com" |
-| [gcp] | object | Configuration options for using 'gcp' as your KMS provider |
-| [gcp.email] | string | The service account email to authenticate |
-| [gcp.privateKey] | string \| Binary | A PKCS#8 encrypted key. This can either be a base64 string or a binary representation |
-| [gcp.endpoint] | string | If present, a host with optional port. E.g. "example.com" or "example.com:443". Defaults to "oauth2.googleapis.com" |
-
-Configuration options that are used by specific KMS providers during key generation, encryption, and decryption.
-
-
-
-## DataKey
-**Properties**
-
-| Name | Type | Description |
-| --- | --- | --- |
-| _id | UUID | A unique identifier for the key. |
-| version | number | A numeric identifier for the schema version of this document. Implicitly 0 if unset. |
-| [keyAltNames] | Array.<string> | Alternate names to search for keys by. Used for a per-document key scenario in support of GDPR scenarios. |
-| keyMaterial | Binary | Encrypted data key material, BinData type General. |
-| creationDate | Date | The datetime the wrapped data key material was imported into the Key Database. |
-| updateDate | Date | The datetime the wrapped data key material was last modified. On initial import, this value will be set to creationDate. |
-| status | number | 0 = enabled, 1 = disabled |
-| masterKey | object | the encrypted master key |
-
-A data key as stored in the database.
-
-
-
-## KmsProvider
-A string containing the name of a kms provider. Valid options are 'aws', 'azure', 'gcp', 'kmip', or 'local'
-
-
-
-## ClientSession
-The ClientSession class from the MongoDB Node driver (see https://mongodb.github.io/node-mongodb-native/4.8/classes/ClientSession.html)
-
-
-
-## DeleteResult
-**Properties**
-
-| Name | Type | Description |
-| --- | --- | --- |
-| acknowledged | boolean | Indicates whether this write result was acknowledged. If not, then all other members of this result will be undefined. |
-| deletedCount | number | The number of documents that were deleted |
-
-The result of a delete operation from the MongoDB Node driver (see https://mongodb.github.io/node-mongodb-native/4.8/interfaces/DeleteResult.html)
-
-
-
-## BulkWriteResult
-The BulkWriteResult class from the MongoDB Node driver (https://mongodb.github.io/node-mongodb-native/4.8/classes/BulkWriteResult.html)
-
-
-
-## FindCursor
-The FindCursor class from the MongoDB Node driver (see https://mongodb.github.io/node-mongodb-native/4.8/classes/FindCursor.html)
-
-
-
-## ClientEncryptionDataKeyId
-The id of an existing dataKey. Is a bson Binary value.
-Can be used for [ClientEncryption.encrypt](ClientEncryption.encrypt), and can be used to directly
-query for the data key itself against the key vault namespace.
-
-
-
-## ClientEncryptionCreateDataKeyCallback
-
-| Param | Type | Description |
-| --- | --- | --- |
-| [error] | Error | If present, indicates an error that occurred in the creation of the data key |
-| [dataKeyId] | ClientEncryption~dataKeyId | If present, returns the id of the created data key |
-
-
-
-## AWSEncryptionKeyOptions
-**Properties**
-
-| Name | Type | Description |
-| --- | --- | --- |
-| region | string | The AWS region of the KMS |
-| key | string | The Amazon Resource Name (ARN) to the AWS customer master key (CMK) |
-| [endpoint] | string | An alternate host to send KMS requests to. May include port number |
-
-Configuration options for making an AWS encryption key
-
-
-
-## GCPEncryptionKeyOptions
-**Properties**
-
-| Name | Type | Description |
-| --- | --- | --- |
-| projectId | string | GCP project id |
-| location | string | Location name (e.g. "global") |
-| keyRing | string | Key ring name |
-| keyName | string | Key name |
-| [keyVersion] | string | Key version |
-| [endpoint] | string | KMS URL, defaults to `https://www.googleapis.com/auth/cloudkms` |
-
-Configuration options for making a GCP encryption key
-
-
-
-## AzureEncryptionKeyOptions
-**Properties**
-
-| Name | Type | Description |
-| --- | --- | --- |
-| keyName | string | Key name |
-| keyVaultEndpoint | string | Key vault URL, typically `string | Key version |
-
-Configuration options for making an Azure encryption key
-
-
-
-## RewrapManyDataKeyResult
-**Properties**
-
-| Name | Type | Description |
-| --- | --- | --- |
-| [bulkWriteResult] | [BulkWriteResult](#BulkWriteResult) | An optional BulkWriteResult, if any keys were matched and attempted to be re-wrapped. |
-
-
-
-## ClientEncryptionEncryptCallback
-
-| Param | Type | Description |
-| --- | --- | --- |
-| [err] | Error | If present, indicates an error that occurred in the process of encryption |
-| [result] | Buffer | If present, is the encrypted result |
-
-
-
-## RangeOptions
-**Properties**
-
-| Name | Type | Description |
-| --- | --- | --- |
-| min | [BSONValue](#BSONValue) | is required if precision is set. |
-| max | [BSONValue](#BSONValue) | is required if precision is set. |
-| sparsity | BSON.Long | |
-| precision | number \| undefined | (may only be set for double or decimal128). |
-
-min, max, sparsity, and range must match the values set in the encryptedFields of the destination collection.
-For double and decimal128, min/max/precision must all be set, or all be unset.
-
-
-
-## EncryptOptions
-**Properties**
-
-| Name | Type | Description |
-| --- | --- | --- |
-| [keyId] | [ClientEncryptionDataKeyId](#ClientEncryptionDataKeyId) | The id of the Binary dataKey to use for encryption. |
-| [keyAltName] | string | A unique string name corresponding to an already existing dataKey. |
-| [algorithm] | string | The algorithm to use for encryption. Must be either `'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'`, `'AEAD_AES_256_CBC_HMAC_SHA_512-Random'`, `'Indexed'` or `'Unindexed'` |
-| [contentionFactor] | bigint \| number | (experimental) - the contention factor. |
-| queryType | 'equality' \| 'rangePreview' | (experimental) - the query type supported. |
-| [rangeOptions] | [RangeOptions](#RangeOptions) | (experimental) The index options for a Queryable Encryption field supporting "rangePreview" queries. |
-
-Options to provide when encrypting data.
+#### https://github.com/mongodb-js/mongodb-client-encryption
+They can still be found at the same npm package:
+- https://www.npmjs.com/package/mongodb-client-encryption
diff --git a/ext/libmongocrypt/libmongocrypt/bindings/node/binding.gyp b/ext/libmongocrypt/libmongocrypt/bindings/node/binding.gyp
deleted file mode 100644
index 0d85e7a..0000000
--- a/ext/libmongocrypt/libmongocrypt/bindings/node/binding.gyp
+++ /dev/null
@@ -1,79 +0,0 @@
-{
- 'targets': [{
- 'target_name': 'mongocrypt',
- 'include_dirs': [
- "main}}
diff --git a/ext/libmongocrypt/libmongocrypt/bindings/node/etc/build-static.sh b/ext/libmongocrypt/libmongocrypt/bindings/node/etc/build-static.sh
deleted file mode 100755
index 1557085..0000000
--- a/ext/libmongocrypt/libmongocrypt/bindings/node/etc/build-static.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/usr/bin/env bash
-
-set -o errexit
-
-THIS_DIR="$(dirname "${BASH_SOURCE[0]}")"
-. "$THIS_DIR/../../../.evergreen/init.sh"
-
-NODE_DIR="$(abspath "$THIS_DIR/..")"
-
-DEPS_PREFIX="$NODE_DIR/deps"
-BUILD_DIR=$DEPS_PREFIX/tmp
-: "${CMAKE_FLAGS:=}"
-: "${WINDOWS_CMAKE_FLAGS:=}"
-
-# build and install libmongocrypt
-mkdir -p $BUILD_DIR/libmongocrypt-build
-pushd $BUILD_DIR/libmongocrypt-build #./deps/tmp/libmongocrypt-build
-
-CMAKE_FLAGS="-DDISABLE_NATIVE_CRYPTO=1 -DCMAKE_INSTALL_LIBDIR=lib -DENABLE_MORE_WARNINGS_AS_ERRORS=ON"
-if [ "$OS_NAME" == "windows" ]; then
- if [ "${WINDOWS_32BIT-}" != "ON" ]; then
- WINDOWS_CMAKE_FLAGS="-Thost=x64 -A x64 -DENABLE_WINDOWS_STATIC_RUNTIME=ON"
- else
- WINDOWS_CMAKE_FLAGS="-DENABLE_WINDOWS_STATIC_RUNTIME=ON"
- fi
- run_cmake $CMAKE_FLAGS $WINDOWS_CMAKE_FLAGS -DCMAKE_PREFIX_PATH="$(native_path "$DEPS_PREFIX")" -DCMAKE_INSTALL_PREFIX="$(native_path "$DEPS_PREFIX")" "$(native_path "$LIBMONGOCRYPT_DIR")"
-else
- run_cmake $CMAKE_FLAGS -DCMAKE_PREFIX_PATH=$DEPS_PREFIX -DCMAKE_INSTALL_PREFIX=$DEPS_PREFIX -DCMAKE_OSX_DEPLOYMENT_TARGET="10.12" $LIBMONGOCRYPT_DIR
-fi
-
-run_cmake --build . --target install --config RelWithDebInfo
-
-popd #./
-
-# build the `mongodb-client-encryption` addon
-env BUILD_TYPE=static npm install
diff --git a/ext/libmongocrypt/libmongocrypt/bindings/node/index.d.ts b/ext/libmongocrypt/libmongocrypt/bindings/node/index.d.ts
deleted file mode 100644
index f831a20..0000000
--- a/ext/libmongocrypt/libmongocrypt/bindings/node/index.d.ts
+++ /dev/null
@@ -1,641 +0,0 @@
-import type {
- MongoClient,
- BulkWriteResult,
- DeleteResult,
- FindCursor,
- Collection,
- Db,
- CreateCollectionOptions,
- Document,
- Binary,
- Long
-} from 'mongodb';
-
-export type ClientEncryptionDataKeyProvider = 'aws' | 'azure' | 'gcp' | 'local' | 'kmip';
-
-/**
- * The schema for a DataKey in the key vault collection.
- */
-export interface DataKey {
- _id: Binary;
- version?: number;
- keyAltNames?: string[];
- keyMaterial: Binary;
- creationDate: Date;
- updateDate: Date;
- status: number;
- masterKey: Document;
-}
-
-/**
- * An error indicating that something went wrong specifically with MongoDB Client Encryption
- */
-export class MongoCryptError extends Error {
- cause?: Error;
-}
-
-/**
- * @experimental Public Technical Preview
- * An error indicating that `ClientEncryption.createEncryptedCollection()` failed to create a collection
- */
-export class MongoCryptCreateEncryptedCollectionError extends MongoCryptError {
- /**
- * @experimental Public Technical Preview
- * The entire `encryptedFields` that was completed while attempting createEncryptedCollection
- */
- encryptedFields: Document;
- /** The error rejected from db.createCollection() */
- cause: Error;
-}
-
-/**
- * @experimental Public Technical Preview
- * An error indicating that `ClientEncryption.createEncryptedCollection()` failed to create data keys
- */
-export class MongoCryptCreateDataKeyError extends MongoCryptError {
- /**
- * @experimental Public Technical Preview
- * The partial `encryptedFields` that was completed while attempting createEncryptedCollection
- */
- encryptedFields: Document;
- /** The first error encountered when attempting to `createDataKey` */
- cause: Error;
-}
-
-/**
- * An error indicating that mongodb-client-encryption failed to auto-refresh Azure KMS credentials.
- */
-export class MongoCryptAzureKMSRequestError extends MongoCryptError {
- /* The body of the IMDS request that produced the error, if present. */
- body?: Document ;
-}
-
-export class MongoCryptKMSRequestNetworkTimeoutError extends MongoCryptError {}
-
-/**
- * A set of options for specifying a Socks5 proxy.
- */
-export interface ProxyOptions {
- proxyHost: string;
- proxyPort?: number;
- proxyUsername?: string;
- proxyPassword?: string;
-}
-
-export interface ClientEncryptionCreateDataKeyCallback {
- /**
- * @param error If present, indicates an error that occurred in the creation of the data key
- * @param dataKeyId If present, returns the id of the created data key
- */
- (error?: Error, dataKeyId?: Binary): void;
-}
-
-export interface ClientEncryptionEncryptCallback {
- /**
- * @param error If present, indicates an error that occurred in the process of encryption
- * @param result If present, is the encrypted result
- */
- (error?: Error, result?: Binary): void;
-}
-
-export interface ClientEncryptionDecryptCallback {
- /**
- * @param error If present, indicates an error that occurred in the process of decryption
- * @param result If present, is the decrypted result
- */
- (error?: Error, result?: any): void;
-}
-
-/**
- * Configuration options that are used by specific KMS providers during key generation, encryption, and decryption.
- */
-export interface KMSProviders {
- /**
- * Configuration options for using 'aws' as your KMS provider
- */
- aws?:
- | {
- /**
- * The access key used for the AWS KMS provider
- */
- accessKeyId: string;
-
- /**
- * The secret access key used for the AWS KMS provider
- */
- secretAccessKey: string;
-
- /**
- * An optional AWS session token that will be used as the
- * X-Amz-Security-Token header for AWS requests.
- */
- sessionToken?: string;
- }
- | Record