MONGOCRYPT-563 add CryptographicUsageMask to Register request #603
Summary
- Add `Cryptographic Usage Mask` attribute to KMIP `Register` request.
- Change `Key Format Type` from `Raw` to `Opaque`.
- `kms_kmip_request.*new`

Changes were verified with this Evergreen patch build of the C driver using this branch of libmongocrypt.
Changes were tested with Vault 1.13.0 and verified to fix the reported error. Vault 1.11.8 and a development version of Vault were tested to ensure no regression.
libmongocrypt changes were verified in this Evergreen patch build.
Background & Motivation
XML comments in the test data were generated with the kmip_dump utility.
Add `Cryptographic Usage Mask` attribute to KMIP `Register` request.

It was reported on Slack that versions 1.12 and 1.13 of HashiCorp Vault KMIP return an error on the KMIP Register request:

4.3 Register lists the "Cryptographic Usage Mask" attribute as REQUIRED.

The "Cryptographic Usage Mask" attribute is not included in the Register request for the SecretData object created by libmongocrypt.

3.14 Cryptographic Usage Mask lists "Cryptographic Usage Mask" in "When implicitly set" for the "Register" operation. 3 Attributes defines "When implicitly set" as "Which operations MAY cause this attribute to be set even if the attribute is not specified in the operation request itself?". I interpret this to mean: the KMIP server may implicitly set the `Cryptographic Usage Mask`, but it may not. If the KMIP server does not implicitly set `Cryptographic Usage Mask`, `Cryptographic Usage Mask` is required in the `Request`.

Change `Key Format Type` from `Raw` to `Opaque`.

After adding the `Cryptographic Usage Mask` attribute, Vault 1.13 returned this error:

2.2.7 Secret Data notes:
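Added example (not from this PR or libmongocrypt's kms_kmip_request code): it encodes a minimal KMIP `Register` payload for a `SecretData` object with `Key Format Type` `Opaque`, both with and without the `Cryptographic Usage Mask` attribute, and walks the TTLV to confirm the attribute is present, which is the property a server that does not implicitly set the attribute needs. Tag and enumeration values are taken from the KMIP 1.x specification; the secret bytes and all function names are constructed for the example.

```python
import struct
# KMIP 1.x TTLV tag and enumeration values (from the KMIP 1.0 spec); illustrative, not libmongocrypt's code.
TAG = {"Attribute": 0x420008, "AttributeName": 0x42000A, "AttributeValue": 0x42000B,
       "KeyBlock": 0x420040, "KeyFormatType": 0x420042, "KeyMaterial": 0x420043,
       "KeyValue": 0x420045, "ObjectType": 0x420057, "RequestPayload": 0x420079,
       "SecretData": 0x420085, "SecretDataType": 0x420086, "TemplateAttribute": 0x420091}
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING, BYTE_STRING = 0x01, 0x02, 0x05, 0x07, 0x08
OBJECT_TYPE_SECRET_DATA, SECRET_DATA_TYPE_SEED = 0x07, 0x02
KEY_FORMAT_RAW, KEY_FORMAT_OPAQUE = 0x01, 0x02
USAGE_ENCRYPT, USAGE_DECRYPT = 0x04, 0x08

def ttlv(tag, typ, value):
    """One TTLV item: 3-byte tag, 1-byte type, 4-byte length, then value padded to 8 bytes."""
    return tag.to_bytes(3, "big") + bytes([typ]) + len(value).to_bytes(4, "big") + value + b"\0" * (-len(value) % 8)
def struct_(name, *items): return ttlv(TAG[name], STRUCTURE, b"".join(items))
def integer(name, v): return ttlv(TAG[name], INTEGER, struct.pack(">i", v))
def enum(name, v): return ttlv(TAG[name], ENUMERATION, struct.pack(">I", v))
def text(name, s): return ttlv(TAG[name], TEXT_STRING, s.encode())

def register_payload(secret, usage_mask=None, key_format=KEY_FORMAT_OPAQUE):
    """Register payload for a SecretData object; usage_mask=None omits the attribute (the pre-fix shape)."""
    attrs = [] if usage_mask is None else [struct_("Attribute", text("AttributeName", "Cryptographic Usage Mask"),
                                                    integer("AttributeValue", usage_mask))]
    key_block = struct_("KeyBlock", enum("KeyFormatType", key_format),
                        struct_("KeyValue", ttlv(TAG["KeyMaterial"], BYTE_STRING, secret)))
    return struct_("RequestPayload", enum("ObjectType", OBJECT_TYPE_SECRET_DATA),
                   struct_("TemplateAttribute", *attrs),
                   struct_("SecretData", enum("SecretDataType", SECRET_DATA_TYPE_SEED), key_block))

def items(buf):
    """Decode the TTLV items directly contained in buf as (tag, type, value) tuples."""
    off = 0
    while off + 8 <= len(buf):
        tag, typ = int.from_bytes(buf[off:off + 3], "big"), buf[off + 3]
        length = int.from_bytes(buf[off + 4:off + 8], "big")
        yield tag, typ, buf[off + 8:off + 8 + length]
        off += 8 + length + (-length % 8)

def find_usage_mask(buf):
    """Return the explicit Cryptographic Usage Mask carried in a request, or None if it is absent."""
    for tag, typ, value in items(buf):
        if typ != STRUCTURE:
            continue
        fields = {t: v for t, _, v in items(value)}
        if tag == TAG["Attribute"] and fields.get(TAG["AttributeName"]) == b"Cryptographic Usage Mask":
            return struct.unpack(">i", fields[TAG["AttributeValue"]])[0]
        found = find_usage_mask(value)
        if found is not None:
            return found
    return None
```

`find_usage_mask` returns `None` for the pre-fix payload and `12` (Encrypt | Decrypt) once the attribute is added.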