  1. Java Driver
  2. JAVA-3449

CSFLE - incorrect binary subtype for UUID on data encryption keys


Details

    • Bug
    • Resolution: Works as Designed
    • Major - P3
    • Client Side Encryption

    Description

      The createKey() method called to create a data encryption key in client-side field level encryption inserts a document containing details about the key into the keyVault collection. The _id field is assigned a UUID and is referenced by the JSON Schema that provides field encryption instructions.

      According to the CSFLE driver spec, this UUID should be binary type 4:

       https://github.com/mongodb/specifications/blob/master/source/client-side-encryption/client-side-encryption.rst#keyid

      However, upon retrieval (when querying using binary type 4 UUID), it is displayed as type 3 (legacy UUID, deprecated type).

      E.g.
      Bson query = Filters.eq("_id", new Binary((byte) 4, Base64.getDecoder().decode(base64KeyId)));
      returns a document:

      {"_id": {"$binary": "+EibT2Og09oc/SPTqXxOvw==", "$type": "03"}, "...}
       

      While this does not appear to impact the functionality when using the Java (3.11.0 sync) driver, it may be due to and cause issues for other drivers.

       

      To reproduce, this code can be used to create the data key:

      https://github.com/mongodb/mongo-java-driver/blob/master/driver-sync/src/examples/tour/ClientSideEncryptionSimpleTour.java

      And the query will look something like this (where base64KeyId is the UUID encoded in base64 which is returned from the createKey() method call):

      Bson query = Filters.eq("_id", new Binary((byte) 4, Base64.getDecoder().decode(base64KeyId)));

      Document doc = collection.find(query).first(); 

      System.out.println(doc.toJson());

       

      Note/Question: the output also appears to be extended json v1, but the documentation mentions the Java driver should be using v2. Perhaps the default behavior of Document.toJson() is to print v1 even if the underlying representation is v2? https://docs.mongodb.com/manual/reference/mongodb-extended-json/
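
An added example (not part of the original report and not the driver's code): a standard-library Python check of the 16 bytes printed in the output above, read under each UUID subtype. It assumes the subtype 3 payload uses the Java driver's legacy layout (each 8-byte half byte-reversed); the function names are hypothetical. Under that reading the bytes form a well-formed version 4 UUID, which is consistent with the "$type": "03" label, while read as subtype 4 they do not.

```python
import base64
import uuid

# Payload copied from the toJson() output quoted in the report.
REPORTED_B64 = "+EibT2Og09oc/SPTqXxOvw=="


def java_legacy_swap(raw: bytes) -> bytes:
    """Convert between Java legacy (subtype 3) and standard (subtype 4) order.

    Assumption: the legacy layout stores each 8-byte half as a little-endian
    long, so reversing each half converts in either direction.
    """
    if len(raw) != 16:
        raise ValueError("a UUID payload must be exactly 16 bytes")
    return raw[7::-1] + raw[:7:-1]


def decode_uuid(b64_payload: str, subtype: int) -> uuid.UUID:
    """Interpret a base64 binary payload as a UUID of the given BSON subtype."""
    raw = base64.b64decode(b64_payload, validate=True)
    if subtype == 4:
        return uuid.UUID(bytes=raw)
    if subtype == 3:
        return uuid.UUID(bytes=java_legacy_swap(raw))
    raise ValueError(f"binary subtype {subtype} is not a UUID subtype")


def is_rfc4122_v4(u: uuid.UUID) -> bool:
    """True when the variant and version bits mark a random (v4) UUID."""
    return u.variant == uuid.RFC_4122 and u.version == 4


def as_subtype4_json(b64_payload: str, subtype: int) -> dict:
    """Re-encode the same UUID in standard byte order, labelled subtype 4."""
    u = decode_uuid(b64_payload, subtype)
    return {"$binary": base64.b64encode(u.bytes).decode("ascii"), "$type": "04"}


if __name__ == "__main__":
    for subtype in (3, 4):
        u = decode_uuid(REPORTED_B64, subtype)
        print(f"read as subtype {subtype}: {u}  well-formed v4: {is_rfc4122_v4(u)}")
    print("same UUID as subtype 4:", as_subtype4_json(REPORTED_B64, 3))
```

Comparing the subtype 4 re-encoding with the bytes used in the query shows whether the two refer to the same UUID or only share a label.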

          People

            Unassigned
            chris.cho@mongodb.com Christopher Cho