Implement libmongocrypt crypto hooks

XMLWordPrintableJSON

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Minor - P4
    • None
    • Affects Version/s: None
    • Component/s: Client Side Encryption
    • None
    • None
    • Go Drivers
    • Hide

      1. What would you like to communicate to the user about this feature?
      2. Would you like the user to see examples of the syntax and/or executable code and its output?
      3. Which versions of the driver/connector does this apply to?

      Show
      1. What would you like to communicate to the user about this feature? 2. Would you like the user to see examples of the syntax and/or executable code and its output? 3. Which versions of the driver/connector does this apply to?
    • None
    • None
    • None
    • None
    • None
    • None

      Context

      libmongocrypt GitHub release page only publishes -nocrypto variants for Linux and macOS which omit crypto primitives (AES, HMAC, random) and expect the caller to provide them through the crypto hook API. The Go driver should implement libmongocrypt’s crypto hook API so users can use the published libmongocrypt -nocrypto tarballs on Linux and macOS without building libmongocrypt from source

      At least three drivers currently implement this behavior: Node, Java, C#.

      This is not required for anything other than expanding support scope. It’s unlikely users will want to use tarballs from the published GitHub releases, preferring instead to follow documentation: https://www.mongodb.com/docs/manual/core/csfle/reference/libmongocrypt/

      It is not a goal of this ticket to update CI, albeit a benifit.

      Definition of done

      Implement the 9 crypt callback functions (AES-CBC encrypt/decrypt, AES-CTR encrypt/decrypt, HMAC-SHA-256/512, SHA-256, random, RSA sign) backed by Go's crypto library. These should be non-backwards breaking changes and added to the experimental mongocrypt package.

      Node, Java, and C# don’t appear to directly test these cases (Glean). They just ensure that CSFLE passes using a -nocrypto build variant. In this case, we would update the etc/install-libmongocrypt.sh to download a tarball and add a mongocrypt.pc to the resulting install/libmongocrypt/lib/pkgconfig/ directory using the following template:

      Name: mongocrypt
Description: The libmongocrypt client-side field level encryption library.
Version: <input version, ex: 1.18.2>
Requires: 
Requires.private: <unclear to me, ex: prefix=/var/folders/2g/6b8m_m050_19jzzbj5zpx5y00000gp/T/libmongocrypt-build-1717094356/install/libmongocrypt>
includedir=${prefix}/include/mongocrypt
libdir=${prefix}/lib
Libs: -L${libdir} -lmongocrypt
Cflags: -I${includedir}

      This part will not be necessary once MONGOCRYPT-932 is done.

      Pitfalls

      Users will still have to add their own package config file [unless MONGOCRYPT-932 is done], so this solution still wouldn’t be completely “out-of-the-box”. We should add documentation to the README.md file noting this constraint.

            Assignee:
            Unassigned
            Reporter:
            Preston Vasquez
            None
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated: