diff --git a/.evergreen/install-mongodb-client-encryption.sh b/.evergreen/install-mongodb-client-encryption.sh
index 40b5d7f68e..499af6276b 100644
--- a/.evergreen/install-mongodb-client-encryption.sh
+++ b/.evergreen/install-mongodb-client-encryption.sh
@@ -9,7 +9,7 @@ if [ -z ${PROJECT_DIRECTORY+omitted} ]; then echo "PROJECT_DIRECTORY is unset" &
 source $DRIVERS_TOOLS/.evergreen/init-node-and-npm-env.sh
 rm -rf mongodb-client-encryption
-git clone https://github.com/baileympearson/mongodb-client-encryption.git -b NODE-7043
+git clone https://github.com/mongodb-js/mongodb-client-encryption.git -b NODE-6297
 pushd mongodb-client-encryption
 node --version
diff --git a/src/client-side-encryption/auto_encrypter.ts b/src/client-side-encryption/auto_encrypter.ts
index 20cf460896..fc9a9b39c8 100644
--- a/src/client-side-encryption/auto_encrypter.ts
+++ b/src/client-side-encryption/auto_encrypter.ts
@@ -10,7 +10,6 @@ import { MongoClient, type MongoClientOptions } from '../mongo_client';
 import { type Abortable } from '../mongo_types';
 import { MongoDBCollectionNamespace } from '../utils';
 import { autoSelectSocketOptions } from './client_encryption';
-import * as cryptoCallbacks from './crypto_callbacks';
 import { defaultErrorWrapper, MongoCryptInvalidArgumentError } from './errors';
 import { MongocryptdManager } from './mongocryptd_manager';
 import {
@@ -254,7 +253,6 @@ export class AutoEncrypter {
     }
     const mongoCryptOptions: MongoCryptOptions = {
-      cryptoCallbacks,
       errorWrapper: defaultErrorWrapper
     };
     if (options.schemaMap) {
diff --git a/src/client-side-encryption/client_encryption.ts b/src/client-side-encryption/client_encryption.ts
index c40b3b8c52..2494a1941b 100644
--- a/src/client-side-encryption/client_encryption.ts
+++ b/src/client-side-encryption/client_encryption.ts
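Review bot: The new clone line still installs mongodb-client-encryption from a moving branch (`-b NODE-6297`) rather than a fixed ref, so what CI builds and tests against can change underneath this repository without any corresponding change here. Moving from a personal fork to the mongodb-js organisation is an improvement, but the checkout should be pinned — for example `git clone https://github.com/mongodb-js/mongodb-client-encryption.git -b NODE-6297` followed by `git -C mongodb-client-encryption checkout <PINNED_COMMIT_SHA>` — or replaced by the published package version once that branch is released. A short comment above the clone stating why a branch build is needed and when it can be removed would help whoever next touches this script. The rest of the script is outside the hunk.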
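Review bot: Dropping `cryptoCallbacks` from `mongoCryptOptions` makes the driver depend on the loaded mongodb-client-encryption build supplying its own crypto; with an older addon that expected the driver's Node-crypto hooks, construction would presumably fail inside libmongocrypt initialisation rather than at a clear version check. This diff does not show a matching bump of the minimum mongodb-client-encryption version (package.json peer range or any runtime version check), so please confirm that is part of the same change. The same removal appears in the `@@ -144,7 +143,6 @@` hunk of client_encryption.ts. A one-line comment on `const mongoCryptOptions`, such as `// crypto hooks are supplied by mongodb-client-encryption itself (NODE-6297); no cryptoCallbacks needed`, would record why the option disappeared. The constructor bodies continue outside both hunks.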
@@ -25,7 +25,6 @@ import { type CreateCollectionOptions } from '../operations/create_collection';
 import { type DeleteResult } from '../operations/delete';
 import { type CSOTTimeoutContext, TimeoutContext } from '../timeout';
 import { MongoDBCollectionNamespace, resolveTimeoutOptions } from '../utils';
-import * as cryptoCallbacks from './crypto_callbacks';
 import {
   defaultErrorWrapper,
   MongoCryptCreateDataKeyError,
@@ -144,7 +143,6 @@ export class ClientEncryption {
     const mongoCryptOptions: MongoCryptOptions = {
       ...options,
-      cryptoCallbacks,
       kmsProviders: !Buffer.isBuffer(this._kmsProviders)
         ? (serialize(this._kmsProviders) as Buffer)
         : this._kmsProviders,
diff --git a/src/client-side-encryption/crypto_callbacks.ts b/src/client-side-encryption/crypto_callbacks.ts
deleted file mode 100644
index 1e2f1f7f07..0000000000
--- a/src/client-side-encryption/crypto_callbacks.ts
+++ /dev/null
@@ -1,87 +0,0 @@
-import * as crypto from 'crypto';
-
-type AES256Callback = (key: Buffer, iv: Buffer, input: Buffer, output: Buffer) => number | Error;
-
-export function makeAES256Hook(
-  method: 'createCipheriv' | 'createDecipheriv',
-  mode: 'aes-256-cbc' | 'aes-256-ctr'
-): AES256Callback {
-  return function (key: Buffer, iv: Buffer, input: Buffer, output: Buffer): number | Error {
-    let result;
-
-    try {
-      const cipher = crypto[method](mode, key, iv);
-      cipher.setAutoPadding(false);
-      result = cipher.update(input);
-      const final = cipher.final();
-      if (final.length > 0) {
-        result = Buffer.concat([result, final]);
-      }
-    } catch (e) {
-      return e;
-    }
-
-    result.copy(output);
-    return result.length;
-  };
-}
-
-export function randomHook(buffer: Buffer, count: number): number | Error {
-  try {
-    crypto.randomFillSync(buffer, 0, count);
-  } catch (e) {
-    return e;
-  }
-  return count;
-}
-
-export function sha256Hook(input: Buffer, output: Buffer): number | Error {
-  let result;
-  try {
-    result = crypto.createHash('sha256').update(input).digest();
-  } catch (e) {
-    return e;
-  }
-
-  result.copy(output);
-  return result.length;
-}
-
-type HMACHook = (key: Buffer, input: Buffer, output: Buffer) => number | Error;
-export function makeHmacHook(algorithm: 'sha512' | 'sha256'): HMACHook {
-  return (key: Buffer, input: Buffer, output: Buffer): number | Error => {
-    let result;
-    try {
-      result = crypto.createHmac(algorithm, key).update(input).digest();
-    } catch (e) {
-      return e;
-    }
-
-    result.copy(output);
-    return result.length;
-  };
-}
-
-export function signRsaSha256Hook(key: Buffer, input: Buffer, output: Buffer): number | Error {
-  let result;
-  try {
-    const signer = crypto.createSign('sha256WithRSAEncryption');
-    const privateKey = Buffer.from(
-      `-----BEGIN PRIVATE KEY-----\n${key.toString('base64')}\n-----END PRIVATE KEY-----\n`
-    );
-
-    result = signer.update(input).end().sign(privateKey);
-  } catch (e) {
-    return e;
-  }
-
-  result.copy(output);
-  return result.length;
-}
-
-export const aes256CbcEncryptHook = makeAES256Hook('createCipheriv', 'aes-256-cbc');
-export const aes256CbcDecryptHook = makeAES256Hook('createDecipheriv', 'aes-256-cbc');
-export const aes256CtrEncryptHook = makeAES256Hook('createCipheriv', 'aes-256-ctr');
-export const aes256CtrDecryptHook = makeAES256Hook('createDecipheriv', 'aes-256-ctr');
-export const hmacSha512Hook = makeHmacHook('sha512');
-export const hmacSha256Hook = makeHmacHook('sha256');
diff --git a/test/mongodb.ts b/test/mongodb.ts
index 4be7c6d2ce..ec5a7d8ad3 100644
--- a/test/mongodb.ts
+++ b/test/mongodb.ts
@@ -104,7 +104,6 @@ export * from '../src/bulk/unordered';
 export * from '../src/change_stream';
 export * from '../src/client-side-encryption/auto_encrypter';
 export * from '../src/client-side-encryption/client_encryption';
-export * from '../src/client-side-encryption/crypto_callbacks';
 export * from '../src/client-side-encryption/errors';
 export * from '../src/client-side-encryption/mongocryptd_manager';
 export * from '../src/client-side-encryption/providers/aws';
diff --git a/test/unit/client-side-encryption/client_encryption.test.ts b/test/unit/client-side-encryption/client_encryption.test.ts
index c178231139..95bf548be9 100644
--- a/test/unit/client-side-encryption/client_encryption.test.ts
+++ b/test/unit/client-side-encryption/client_encryption.test.ts
@@ -5,7 +5,6 @@ import { resolve } from 'path';
 import * as sinon from 'sinon';
 import { ClientEncryption } from '../../../src/client-side-encryption/client_encryption';
-import * as cryptoCallbacks from '../../../src/client-side-encryption/crypto_callbacks';
 import {
   MongoCryptCreateDataKeyError,
   MongoCryptCreateEncryptedCollectionError
@@ -35,66 +34,6 @@ class MockClient {
 describe('ClientEncryption', function () {
   this.timeout(12000);
-  context('with stubbed key material and fixed random source', function () {
-    const sandbox = sinon.createSandbox();
-
-    afterEach(() => {
-      sandbox.restore();
-    });
-    beforeEach(() => {
-      const rndData = Buffer.from(
-        '\x4d\x06\x95\x64\xf5\xa0\x5e\x9e\x35\x23\xb9\x8f\x57\x5a\xcb\x15',
-        'latin1'
-      );
-      let rndPos = 0;
-      sandbox.stub(cryptoCallbacks, 'randomHook').callsFake((buffer, count) => {
-        if (rndPos + count > rndData.length) {
-          return new Error('Out of fake random data');
-        }
-        buffer.set(rndData.subarray(rndPos, rndPos + count));
-        rndPos += count;
-        return count;
-      });
-
-      // stubbed out for AWS unit testing below
-      sandbox.stub(StateMachine.prototype, 'fetchKeys').callsFake((client, ns, filter) => {
-        filter = deserialize(filter);
-        const keyIds = filter.$or[0]._id.$in.map(key => key.toString('hex'));
-        const fileNames = keyIds.map(keyId =>
-          resolve(`${__dirname}/data/keys/${keyId.toUpperCase()}-local-document.json`)
-        );
-        const contents = fileNames.map(filename =>
-          EJSON.parse(fs.readFileSync(filename, { encoding: 'utf-8' }))
-        );
-        return Promise.resolve(contents);
-      });
-    });
-
-    // This exactly matches _test_encrypt_fle2_explicit from the C tests
-    it('should explicitly encrypt and decrypt with the "local" KMS provider (FLE2, exact result)', function () {
-      const encryption = new ClientEncryption(new MockClient(), {
-        keyVaultNamespace: 'client.encryption',
-        kmsProviders: { local: { key: Buffer.alloc(96) } }
-      });
-
-      const encryptOptions = {
-        keyId: new Binary(Buffer.from('ABCDEFAB123498761234123456789012', 'hex'), 4),
-        algorithm: 'Unindexed'
-      };
-
-      return encryption
-        .encrypt('value123', encryptOptions)
-        .then(encrypted => {
-          expect(encrypted._bsontype).to.equal('Binary');
-          expect(encrypted.sub_type).to.equal(6);
-          return encryption.decrypt(encrypted);
-        })
-        .then(decrypted => {
-          expect(decrypted).to.equal('value123');
-        });
-    });
-  });
-
   it('should provide the libmongocrypt version', function () {
     expect(ClientEncryption.libmongocryptVersion).to.be.a('string');
   });
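Review bot: Removing the whole `context('with stubbed key material and fixed random source', …)` block also drops the only unit-level round-trip assertion that `encrypt` followed by `decrypt` with the local KMS provider returns the original value and yields a sub_type 6 Binary, not just the exact-ciphertext comparison that depended on stubbing `randomHook`. The `fetchKeys` stub and the `it(...)` body do not depend on the random source, so a reduced version of that test (same `encryptOptions`, same `expect(decrypted).to.equal('value123')`, without the `randomHook` stub and without "exact result" in its title) could remain here; the deterministic vector matching `_test_encrypt_fle2_explicit` presumably belongs with whichever package now owns the random source. If an equivalent round-trip check already exists in the integration suite, a short comment at the removal site naming it would make the loss of this unit test deliberate. The enclosing `describe('ClientEncryption', …)` block continues outside the hunk.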