From 0b8c3d12429b3845292e4a853fa07cee59d31091 Mon Sep 17 00:00:00 2001
From: Kevin Albertson
Date: Tue, 21 Mar 2023 09:06:56 -0400
Subject: [PATCH 1/6] format kms_kmip_request.c
---
 kms-message/src/kms_kmip_request.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/kms-message/src/kms_kmip_request.c b/kms-message/src/kms_kmip_request.c
index 033958019..28deafb84 100644
--- a/kms-message/src/kms_kmip_request.c
+++ b/kms-message/src/kms_kmip_request.c
@@ -23,7 +23,8 @@
 #include
 static void
-copy_writer_buffer (kms_request_t *req, kmip_writer_t *writer) {
+copy_writer_buffer (kms_request_t *req, kmip_writer_t *writer)
+{
 const uint8_t *buf;
 size_t buflen;
@@ -109,7 +110,8 @@ kms_kmip_request_register_secretdata_new (void *reserved,
 /* 0x01 = Raw */
 kmip_writer_write_enumeration (writer, KMIP_TAG_KeyFormatType, 0x01);
 kmip_writer_begin_struct (writer, KMIP_TAG_KeyValue);
- kmip_writer_write_bytes (writer, KMIP_TAG_KeyMaterial, (const char *) data, len);
+ kmip_writer_write_bytes (
+ writer, KMIP_TAG_KeyMaterial, (const char *) data, len);
 kmip_writer_close_struct (writer); /* KMIP_TAG_KeyValue */
 kmip_writer_close_struct (writer); /* KMIP_TAG_KeyBlock */
 kmip_writer_close_struct (writer); /* KMIP_TAG_SecretData */
From aa1dfaaec415fced2006f057f299f95fb918ba17 Mon Sep 17 00:00:00 2001
From: Kevin Albertson
Date: Tue, 21 Mar 2023 09:39:44 -0400
Subject: [PATCH 2/6] fix error checks of `kms_kmip_request.*new`
On error, the calls return a `kms_request_t*` with an error attached.
---
 src/mongocrypt-kms-ctx.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/mongocrypt-kms-ctx.c b/src/mongocrypt-kms-ctx.c
index ed91d7242..8e709ef3f 100644
--- a/src/mongocrypt-kms-ctx.c
+++ b/src/mongocrypt-kms-ctx.c
@@ -1646,7 +1646,7 @@ _mongocrypt_kms_ctx_init_kmip_register (mongocrypt_kms_ctx_t *kms_ctx,
 kms_ctx->req = kms_kmip_request_register_secretdata_new (
 NULL /* reserved */, secretdata, secretdata_len);
- if (!kms_ctx->req) {
+ if (kms_request_get_error (kms_ctx->req)) {
 CLIENT_ERR ("Error creating KMIP register request: %s",
 kms_request_get_error (kms_ctx->req));
 goto done;
@@ -1687,7 +1687,7 @@ _mongocrypt_kms_ctx_init_kmip_activate (mongocrypt_kms_ctx_t *kms_ctx,
 kms_ctx->req = kms_kmip_request_activate_new (NULL /* reserved */, unique_identifier);
- if (!kms_ctx->req) {
+ if (kms_request_get_error (kms_ctx->req)) {
 CLIENT_ERR ("Error creating KMIP activate request: %s",
 kms_request_get_error (kms_ctx->req));
 goto done;
@@ -1728,7 +1728,7 @@ _mongocrypt_kms_ctx_init_kmip_get (mongocrypt_kms_ctx_t *kms_ctx,
 kms_ctx->req = kms_kmip_request_get_new (NULL /* reserved */, unique_identifier);
- if (!kms_ctx->req) {
+ if (kms_request_get_error (kms_ctx->req)) {
 CLIENT_ERR ("Error creating KMIP get request: %s",
 kms_request_get_error (kms_ctx->req));
 goto done;
From cb2c577c7da98b3eb72cee8824bf73f5bfa77330 Mon Sep 17 00:00:00 2001
From: Kevin Albertson
Date: Tue, 21 Mar 2023 11:48:06 -0400
Subject: [PATCH 3/6] add `Cryptographic Usage Mask` attribute to KMIP `Register` request
---
 kms-message/src/kms_kmip_request.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/kms-message/src/kms_kmip_request.c b/kms-message/src/kms_kmip_request.c
index 28deafb84..02ad596b6 100644
--- a/kms-message/src/kms_kmip_request.c
+++ b/kms-message/src/kms_kmip_request.c
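Review bot: The new condition `if (kms_request_get_error (kms_ctx->req)) {` drops the NULL check, so if `kms_kmip_request_register_secretdata_new` can still return NULL (for example on allocation failure) both the guard and the `kms_request_get_error` call inside `CLIENT_ERR` dereference a null pointer. Unless that constructor is documented never to return NULL, keep both checks, `if (!kms_ctx->req || kms_request_get_error (kms_ctx->req)) {`, and inside the branch report a fixed message when `kms_ctx->req` is NULL instead of calling `kms_request_get_error` on it. The activate and get hunks below make the same substitution and need the same treatment. All three enclosing `_mongocrypt_kms_ctx_init_kmip_*` functions start and end outside their hunks.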
@@ -102,6 +102,19 @@ kms_kmip_request_register_secretdata_new (void *reserved,
 /* 0x07 == SecretData */
 kmip_writer_write_enumeration (writer, KMIP_TAG_ObjectType, 0x07);
 kmip_writer_begin_struct (writer, KMIP_TAG_TemplateAttribute);
+ // Add required Cryptographic Usage Mask attribute.
+ {
+ kmip_writer_begin_struct (writer, KMIP_TAG_Attribute);
+ const char *cryptographicUsageMaskStr = "Cryptographic Usage Mask";
+ kmip_writer_write_string (writer,
+ KMIP_TAG_AttributeName,
+ cryptographicUsageMaskStr,
+ strlen (cryptographicUsageMaskStr));
+ // Use 0 because the Secret Data object is not used in cryptographic
+ // operations on the KMIP server.
+ kmip_writer_write_integer (writer, KMIP_TAG_AttributeValue, 0);
+ kmip_writer_close_struct (writer);
+ }
 kmip_writer_close_struct (writer); /* KMIP_TAG_TemplateAttribute */
 kmip_writer_begin_struct (writer, KMIP_TAG_SecretData);
 /* 0x01 = Password */
From 234ed674e437177d6613001dd3ebb7b5a10f2e2a Mon Sep 17 00:00:00 2001
From: Kevin Albertson
Date: Tue, 21 Mar 2023 11:48:24 -0400
Subject: [PATCH 4/6] change `Key Format Type` from `Raw` to `Opaque`.
---
 kms-message/src/kms_kmip_request.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kms-message/src/kms_kmip_request.c b/kms-message/src/kms_kmip_request.c
index 02ad596b6..67bee57e1 100644
--- a/kms-message/src/kms_kmip_request.c
+++ b/kms-message/src/kms_kmip_request.c
@@ -120,8 +120,8 @@ kms_kmip_request_register_secretdata_new (void *reserved,
 /* 0x01 = Password */
 kmip_writer_write_enumeration (writer, KMIP_TAG_SecretDataType, 0x02);
 kmip_writer_begin_struct (writer, KMIP_TAG_KeyBlock);
- /* 0x01 = Raw */
- kmip_writer_write_enumeration (writer, KMIP_TAG_KeyFormatType, 0x01);
+ /* 0x02 = Opaque */
+ kmip_writer_write_enumeration (writer, KMIP_TAG_KeyFormatType, 0x02);
 kmip_writer_begin_struct (writer, KMIP_TAG_KeyValue);
 kmip_writer_write_bytes (
 writer, KMIP_TAG_KeyMaterial, (const char *) data, len);
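Review bot: The added block calls `strlen` on the attribute name, but the hunk does not show whether `<string.h>` is among this file's includes; confirm it is already included at the top of kms_kmip_request.c, which is outside this hunk. The new comments use `//` whereas the surrounding lines of this function use `/* */` (`/* 0x07 == SecretData */` just above), so `/* Add required Cryptographic Usage Mask attribute. */` and the same form for the two-line comment on the value would keep the file's style consistent. A short note that the mask is a bit field and that 0 asserts no server-side cryptographic usage for this object would also make `kmip_writer_write_integer (writer, KMIP_TAG_AttributeValue, 0);` self-explanatory, since the test vectors in a later patch encode it as a KMIP Integer (`0x42, 0x00, 0x0b, 0x02, ...`). The enclosing function `kms_kmip_request_register_secretdata_new` starts and ends outside the hunk.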
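Review bot: `kmip_writer_write_enumeration (writer, KMIP_TAG_KeyFormatType, 0x02);` depends on the comment above it to say which enumeration value 0x02 is, and this series shows how comment and value drift apart: the SecretDataType line two lines up writes `0x02` under `/* 0x01 = Password */` until the final patch corrects the comment to Seed. The ObjectType and SecretDataType literals written in the same function have the same weakness. Naming the values once near the top of the file, e.g. `enum { KMIP_KEY_FORMAT_TYPE_OPAQUE = 0x02 }` (constructed name), and passing the name instead of the literal would make both this change and the matching test-vector edit in the next patch (`..., 0x42, 0x05, ..., 0x02`) readable without the KMIP spec at hand. The enclosing function starts and ends outside the hunk.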
From 5715f40716f4e384140b87de9a21b50bb4e76862 Mon Sep 17 00:00:00 2001
From: Kevin Albertson
Date: Tue, 21 Mar 2023 11:50:22 -0400
Subject: [PATCH 5/6] update comments and test data
---
 kms-message/src/kms_kmip_request.c | 8 +++-
 kms-message/test/test_kms_kmip_request.c | 51 ++++++++++++++----------
 test/test-mongocrypt-kms-ctx.c | 32 +++++++++------
 3 files changed, 55 insertions(+), 36 deletions(-)
diff --git a/kms-message/src/kms_kmip_request.c b/kms-message/src/kms_kmip_request.c
index 67bee57e1..e76b75ee1 100644
--- a/kms-message/src/kms_kmip_request.c
+++ b/kms-message/src/kms_kmip_request.c
@@ -55,11 +55,15 @@ kms_kmip_request_register_secretdata_new (void *reserved, + + + - + - +
diff --git a/kms-message/test/test_kms_kmip_request.c b/kms-message/test/test_kms_kmip_request.c
index 3ecb13763..05b1fdbe3 100644
--- a/kms-message/test/test_kms_kmip_request.c
+++ b/kms-message/test/test_kms_kmip_request.c
@@ -13,17 +13,20 @@ - + + + - + - + -
@@ -33,30 +36,35 @@ value="ffa8cc79e8c3763b0121fcd06bb3488c8bf42c0774604640279b16b264194030eeb083962
 */
 #define REGISTER_SECRETDATA_REQUEST \
- 0x42, 0x00, 0x78, 0x01, 0x00, 0x00, 0x01, 0x18, 0x42, 0x00, 0x77, 0x01, \
+ 0x42, 0x00, 0x78, 0x01, 0x00, 0x00, 0x01, 0x50, 0x42, 0x00, 0x77, 0x01, \
 0x00, 0x00, 0x00, 0x38, 0x42, 0x00, 0x69, 0x01, 0x00, 0x00, 0x00, 0x20, \
 0x42, 0x00, 0x6a, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, \
 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x6b, 0x02, 0x00, 0x00, 0x00, 0x04, \
 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x0d, 0x02, \
 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, \
- 0x42, 0x00, 0x0f, 0x01, 0x00, 0x00, 0x00, 0xd0, 0x42, 0x00, 0x5c, 0x05, \
+ 0x42, 0x00, 0x0f, 0x01, 0x00, 0x00, 0x01, 0x08, 0x42, 0x00, 0x5c, 0x05, \
 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, \
- 0x42, 0x00, 0x79, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x42, 0x00, 0x57, 0x05, \
+ 0x42, 0x00, 0x79, 0x01, 0x00, 0x00, 0x00, 0xf0, 0x42, 0x00, 0x57, 0x05, \
 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, \
- 0x42, 0x00, 0x91, 0x01, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x85, 0x01, \
- 0x00, 0x00, 0x00, 0x98, 0x42, 0x00, 0x86, 0x05, 0x00, 0x00, 0x00, 0x04, \
- 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x40, 0x01, \
- 0x00, 0x00, 0x00, 0x80, 0x42, 0x00, 0x42, 0x05, 0x00, 0x00, 0x00, 0x04, \
- 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x45, 0x01, \
- 0x00, 0x00, 0x00, 0x68, 0x42, 0x00, 0x43, 0x08, 0x00, 0x00, 0x00, 0x60, \
- 0xff, 0xa8, 0xcc, 0x79, 0xe8, 0xc3, 0x76, 0x3b, 0x01, 0x21, 0xfc, 0xd0, \
- 0x6b, 0xb3, 0x48, 0x8c, 0x8b, 0xf4, 0x2c, 0x07, 0x74, 0x60, 0x46, 0x40, \
- 0x27, 0x9b, 0x16, 0xb2, 0x64, 0x19, 0x40, 0x30, 0xee, 0xb0, 0x83, 0x96, \
- 0x24, 0x1d, 0xef, 0xcc, 0x4d, 0x32, 0xd1, 0x6e, 0xa8, 0x31, 0xad, 0x77, \
- 0x71, 0x38, 0xf0, 0x8e, 0x2f, 0x98, 0x56, 0x64, 0xc0, 0x04, 0xc2, 0x48, \
- 0x5d, 0x6f, 0x49, 0x91, 0xeb, 0x3d, 0x9e,
0xc3, 0x28, 0x02, 0x53, 0x78, \
- 0x36, 0xa9, 0x06, 0x6b, 0x4e, 0x10, 0xae, 0xb5, 0x6a, 0x5c, 0xcf, 0x6a, \
- 0xa4, 0x69, 0x01, 0xe6, 0x25, 0xe3, 0x40, 0x0c, 0x78, 0x11, 0xd2, 0xec
+ 0x42, 0x00, 0x91, 0x01, 0x00, 0x00, 0x00, 0x38, 0x42, 0x00, 0x08, 0x01, \
+ 0x00, 0x00, 0x00, 0x30, 0x42, 0x00, 0x0a, 0x07, 0x00, 0x00, 0x00, 0x18, \
+ 0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x69, \
+ 0x63, 0x20, 0x55, 0x73, 0x61, 0x67, 0x65, 0x20, 0x4d, 0x61, 0x73, 0x6b, \
+ 0x42, 0x00, 0x0b, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, \
+ 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x85, 0x01, 0x00, 0x00, 0x00, 0x98, \
+ 0x42, 0x00, 0x86, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, \
+ 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x40, 0x01, 0x00, 0x00, 0x00, 0x80, \
+ 0x42, 0x00, 0x42, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, \
+ 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x45, 0x01, 0x00, 0x00, 0x00, 0x68, \
+ 0x42, 0x00, 0x43, 0x08, 0x00, 0x00, 0x00, 0x60, 0xff, 0xa8, 0xcc, 0x79, \
+ 0xe8, 0xc3, 0x76, 0x3b, 0x01, 0x21, 0xfc, 0xd0, 0x6b, 0xb3, 0x48, 0x8c, \
+ 0x8b, 0xf4, 0x2c, 0x07, 0x74, 0x60, 0x46, 0x40, 0x27, 0x9b, 0x16, 0xb2, \
+ 0x64, 0x19, 0x40, 0x30, 0xee, 0xb0, 0x83, 0x96, 0x24, 0x1d, 0xef, 0xcc, \
+ 0x4d, 0x32, 0xd1, 0x6e, 0xa8, 0x31, 0xad, 0x77, 0x71, 0x38, 0xf0, 0x8e, \
+ 0x2f, 0x98, 0x56, 0x64, 0xc0, 0x04, 0xc2, 0x48, 0x5d, 0x6f, 0x49, 0x91, \
+ 0xeb, 0x3d, 0x9e, 0xc3, 0x28, 0x02, 0x53, 0x78, 0x36, 0xa9, 0x06, 0x6b, \
+ 0x4e, 0x10, 0xae, 0xb5, 0x6a, 0x5c, 0xcf, 0x6a, 0xa4, 0x69, 0x01, 0xe6, \
+ 0x25, 0xe3, 0x40, 0x0c, 0x78, 0x11, 0xd2, 0xec
 #define REGISTER_SECRETDATA_SECRETDATA \
 0xff, 0xa8, 0xcc, 0x79, 0xe8, 0xc3, 0x76, 0x3b, 0x01, 0x21, 0xfc, 0xd0, \
@@ -93,7 +101,6 @@ kms_kmip_request_register_secretdata_test (void)
 void
 kms_kmip_request_register_secretdata_invalid_test (void)
 {
- kms_request_t *req;
 uint8_t secret_data[KMS_KMIP_REQUEST_SECRETDATA_LENGTH] = {0};
diff --git a/test/test-mongocrypt-kms-ctx.c b/test/test-mongocrypt-kms-ctx.c
index 856572c19..f2de808c7 100644
--- a/test/test-mongocrypt-kms-ctx.c
+++ b/test/test-mongocrypt-kms-ctx.c
@@ -34,11 +34,15 @@ + + + - +
@@ -50,29 +54,33 @@ value="0000000000000000000000000000000000000000000000000000000000000000000000000 */ static const uint8_t REGISTER_REQUEST[] = { - 0x42, 0x00, 0x78, 0x01, 0x00, 0x00, 0x01, 0x18, 0x42, 0x00, 0x77, 0x01, 0x00, + 0x42, 0x00, 0x78, 0x01, 0x00, 0x00, 0x01, 0x50, 0x42, 0x00, 0x77, 0x01, 0x00, 0x00, 0x00, 0x38, 0x42, 0x00, 0x69, 0x01, 0x00, 0x00, 0x00, 0x20, 0x42, 0x00, 0x6a, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x6b, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x0d, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x0f, 0x01, 0x00, 0x00, - 0x00, 0xd0, 0x42, 0x00, 0x5c, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x03, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x79, 0x01, 0x00, 0x00, 0x00, 0xb8, + 0x01, 0x08, 0x42, 0x00, 0x5c, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x03, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x79, 0x01, 0x00, 0x00, 0x00, 0xf0, 0x42, 0x00, 0x57, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x07, 0x00, - 0x00, 0x00, 0x00, 0x42, 0x00, 0x91, 0x01, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, - 0x85, 0x01, 0x00, 0x00, 0x00, 0x98, 0x42, 0x00, 0x86, 0x05, 0x00, 0x00, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x40, 0x01, - 0x00, 0x00, 0x00, 0x80, 0x42, 0x00, 0x42, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x45, 0x01, 0x00, 0x00, - 0x00, 0x68, 0x42, 0x00, 0x43, 0x08, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x42, 0x00, 0x91, 0x01, 0x00, 0x00, 0x00, 0x38, 0x42, 0x00, + 0x08, 0x01, 0x00, 0x00, 0x00, 0x30, 0x42, 0x00, 0x0a, 0x07, 0x00, 0x00, 0x00, + 0x18, 0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x69, + 0x63, 0x20, 0x55, 0x73, 0x61, 0x67, 0x65, 0x20, 0x4d, 0x61, 0x73, 0x6b, 0x42, + 0x00, 0x0b, 0x02, 
0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x42, 0x00, 0x85, 0x01, 0x00, 0x00, 0x00, 0x98, 0x42, 0x00, 0x86, + 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, + 0x42, 0x00, 0x40, 0x01, 0x00, 0x00, 0x00, 0x80, 0x42, 0x00, 0x42, 0x05, 0x00, + 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, + 0x45, 0x01, 0x00, 0x00, 0x00, 0x68, 0x42, 0x00, 0x43, 0x08, 0x00, 0x00, 0x00, + 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00}; + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; /* From f676d7cb6a3047b36125370647294d83b3a7b0af Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Wed, 22 Mar 2023 12:54:09 -0400 Subject: [PATCH 6/6] fix comment. SecretDataType used is Seed, not Password --- kms-message/src/kms_kmip_request.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kms-message/src/kms_kmip_request.c b/kms-message/src/kms_kmip_request.c index e76b75ee1..c59bff7c5 100644 --- a/kms-message/src/kms_kmip_request.c +++ b/kms-message/src/kms_kmip_request.c @@ -121,7 +121,7 @@ kms_kmip_request_register_secretdata_new (void *reserved, } kmip_writer_close_struct (writer); /* KMIP_TAG_TemplateAttribute */ kmip_writer_begin_struct (writer, KMIP_TAG_SecretData); - /* 0x01 = Password */ + /* 0x02 = Seed */ kmip_writer_write_enumeration (writer, KMIP_TAG_SecretDataType, 0x02); kmip_writer_begin_struct (writer, KMIP_TAG_KeyBlock); /* 0x02 = Opaque */