Details
- Bug
- Resolution: Fixed
- Major - P3
Description
When libmongocrypt fails to create a KMS request it sets the status error message to something like "failed to create KMS message". This is great but it does not give us any information about the underlying cause of the failure. For example, if the underlying issue is that a driver crypto callback fails we set a status message to inform libmongocrypt of the error. Instead, libmongocrypt ignores the driver's error message and simply returns "failed to create KMS message":
ERROR: test_decrypt (test.test_mongocrypt.TestMongoCrypt)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/test/test_mongocrypt.py", line 191, in test_decrypt
    self._test_kms_context(ctx)
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/test/test_mongocrypt.py", line 136, in _test_kms_context
    ctx.add_mongo_operation_result(bson_data('key-document.json'))
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 286, in add_mongo_operation_result
    self._raise_from_status()
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 269, in _raise_from_status
    raise exc
pymongocrypt.errors.MongoCryptError: failed to create KMS message
In some places libmongocrypt helpfully forwards this error along. For example, here the Python aes_256_cbc_encrypt callback fails and we include the entire traceback in the error message:
ERROR: test_data_key_creation (test.test_mongocrypt.TestExplicitEncryption)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/test/test_mongocrypt.py", line 337, in test_data_key_creation
    key_alt_names=key_alt_names)
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/explicit_encrypter.py", line 112, in create_data_key
    with self.mongocrypt.data_key_context(kms_provider, opts) as ctx:
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 228, in data_key_context
    return DataKeyContext(self._create_context(), kms_provider, opts)
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 472, in __init__
    self._raise_from_status()
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 269, in _raise_from_status
    raise exc
pymongocrypt.errors.MongoCryptError: Traceback (most recent call last):
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/crypto.py", line 53, in aes_256_cbc_encrypt
    backend=default_backend())
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/backends/__init__.py", line 15, in default_backend
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/backends/openssl/backend.py", line 75, in <module>
    from cryptography.hazmat.bindings.openssl import binding
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/bindings/openssl/binding.py", line 205, in <module>
    _verify_openssl_version(Binding.lib)
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/bindings/openssl/binding.py", line 169, in _verify_openssl_version
    "You are linking against OpenSSL 1.0.1, which is no longer "
RuntimeError: You are linking against OpenSSL 1.0.1, which is no longer supported by the OpenSSL project. You need to upgrade to a newer version of OpenSSL.
I think KMS failures should also keep the original error message intact (or include the original error message) similar to data key failures.
Issue Links
- is related to
  - MONGOCRYPT-244 ctx_datakey_init returns a vague error if mongocrypt is initialized with empty AWS credentials
  - Backlog
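The two behaviours contrasted in the report above, as an added C sketch that is not libmongocrypt's code: one wrapper discards the callback's status, the other keeps the generic prefix and appends the cause. `status_t`, `status_set`, `driver_sign_cb` and both `kms_create_*` functions are hypothetical names, and the callback's error text is constructed from the OpenSSL message in the second traceback.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a library status object; not libmongocrypt's type. */
typedef struct { bool ok; char msg[256]; } status_t;

static void status_set(status_t *s, const char *msg) {
    s->ok = false;
    snprintf(s->msg, sizeof s->msg, "%s", msg);
}

/* Constructed driver crypto callback: always fails and reports why. */
static bool driver_sign_cb(status_t *s) {
    status_set(s, "RuntimeError: You are linking against OpenSSL 1.0.1");
    return false;
}

/* Behaviour described in the report: the callback's message is discarded. */
bool kms_create_vague(status_t *out) {
    status_t cb = { true, "" };
    if (!driver_sign_cb(&cb)) {
        status_set(out, "failed to create KMS message");
        return false;
    }
    return true;
}

/* Requested behaviour: keep the generic prefix and append the cause. */
bool kms_create_chained(status_t *out) {
    status_t cb = { true, "" };
    if (!driver_sign_cb(&cb)) {
        char buf[sizeof out->msg];
        /* snprintf truncates safely if the cause is longer than the buffer. */
        snprintf(buf, sizeof buf, "failed to create KMS message: %s",
                 cb.msg[0] ? cb.msg : "(no detail from callback)");
        status_set(out, buf);
        return false;
    }
    return true;
}

int main(void) {
    status_t a = { true, "" }, b = { true, "" };
    kms_create_vague(&a);
    kms_create_chained(&b);
    printf("vague:   %s\nchained: %s\n", a.msg, b.msg);
    return 0;
}
```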