Uploaded image for project: 'Libmongocrypt'
  1. Libmongocrypt
  2. MONGOCRYPT-257

KMS request error message should include information about what failed

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 1.1.0
    • Affects Version/s: None
    • Component/s: None
    • None

      When libmongocrypt fails to create a KMS request it sets the status error message to something like "failed to create KMS message". This is great but it does not give us any information about the underlying cause of the failure. For example, if the underlying issues is that a driver crypto callback fails we set a status message to inform libmongocrypt of the error. Instead, libmongocrypt ignores the driver's error message and simply returns "failed to create KMS message":

      ERROR: test_decrypt (test.test_mongocrypt.TestMongoCrypt)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/test/test_mongocrypt.py", line 191, in test_decrypt
    self._test_kms_context(ctx)
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/test/test_mongocrypt.py", line 136, in _test_kms_context
    ctx.add_mongo_operation_result(bson_data('key-document.json'))
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 286, in add_mongo_operation_result
    self._raise_from_status()
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 269, in _raise_from_status
    raise exc
pymongocrypt.errors.MongoCryptError: failed to create KMS message

      In some places libmongocrypt helpfully forwards this error along. For example, here the python aes_256_cbc_encrypt callback falls and we include the entire traceback in the error message:

      ERROR: test_data_key_creation (test.test_mongocrypt.TestExplicitEncryption)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/test/test_mongocrypt.py", line 337, in test_data_key_creation
    key_alt_names=key_alt_names)
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/explicit_encrypter.py", line 112, in create_data_key
    with self.mongocrypt.data_key_context(kms_provider, opts) as ctx:
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 228, in data_key_context
    return DataKeyContext(self._create_context(), kms_provider, opts)
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 472, in __init__
    self._raise_from_status()
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 269, in _raise_from_status
    raise exc
pymongocrypt.errors.MongoCryptError: Traceback (most recent call last):
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/crypto.py", line 53, in aes_256_cbc_encrypt
    backend=default_backend())
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/backends/__init__.py", line 15, in default_backend
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/backends/openssl/backend.py", line 75, in <module>
    from cryptography.hazmat.bindings.openssl import binding
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/bindings/openssl/binding.py", line 205, in <module>
    _verify_openssl_version(Binding.lib)
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/bindings/openssl/binding.py", line 169, in _verify_openssl_version
    "You are linking against OpenSSL 1.0.1, which is no longer "
RuntimeError: You are linking against OpenSSL 1.0.1, which is no longer supported by the OpenSSL project. You need to upgrade to a newer version of OpenSSL.

      I think KMS failures should also keep the original error message intact (or include the original error message) similar to data key failures.

            Assignee:
            kevin.albertson@mongodb.com Kevin Albertson
            Reporter:
            shane.harvey@mongodb.com Shane Harvey
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: