- Type: Bug
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- None
When libmongocrypt fails to create a KMS request it sets the status error message to something like "failed to create KMS message". This is great but it does not give us any information about the underlying cause of the failure. For example, if the underlying issue is that a driver crypto callback fails, we set a status message to inform libmongocrypt of the error. Instead, libmongocrypt ignores the driver's error message and simply returns "failed to create KMS message":

ERROR: test_decrypt (test.test_mongocrypt.TestMongoCrypt)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/test/test_mongocrypt.py", line 191, in test_decrypt
    self._test_kms_context(ctx)
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/test/test_mongocrypt.py", line 136, in _test_kms_context
    ctx.add_mongo_operation_result(bson_data('key-document.json'))
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 286, in add_mongo_operation_result
    self._raise_from_status()
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 269, in _raise_from_status
    raise exc
pymongocrypt.errors.MongoCryptError: failed to create KMS message

In some places libmongocrypt helpfully forwards this error along. For example, here the python aes_256_cbc_encrypt callback fails and we include the entire traceback in the error message:

ERROR: test_data_key_creation (test.test_mongocrypt.TestExplicitEncryption)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/test/test_mongocrypt.py", line 337, in test_data_key_creation
    key_alt_names=key_alt_names)
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/explicit_encrypter.py", line 112, in create_data_key
    with self.mongocrypt.data_key_context(kms_provider, opts) as ctx:
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 228, in data_key_context
    return DataKeyContext(self._create_context(), kms_provider, opts)
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 472, in __init__
    self._raise_from_status()
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 269, in _raise_from_status
    raise exc
pymongocrypt.errors.MongoCryptError: Traceback (most recent call last):
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/crypto.py", line 53, in aes_256_cbc_encrypt
    backend=default_backend())
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/backends/__init__.py", line 15, in default_backend
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/backends/openssl/backend.py", line 75, in <module>
    from cryptography.hazmat.bindings.openssl import binding
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/bindings/openssl/binding.py", line 205, in <module>
    _verify_openssl_version(Binding.lib)
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/bindings/openssl/binding.py", line 169, in _verify_openssl_version
    "You are linking against OpenSSL 1.0.1, which is no longer "
RuntimeError: You are linking against OpenSSL 1.0.1, which is no longer supported by the OpenSSL project. You need to upgrade to a newer version of OpenSSL.

I think KMS failures should also keep the original error message intact (or include the original error message) similar to data key failures.
- is related to
- MONGOCRYPT-244 ctx_datakey_init returns a vague error if mongocrypt is initialized with empty AWS credentials
- Backlog
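
The difference between overwriting and preserving a callback's error, as an added sketch that is not libmongocrypt code and not part of the original report. `status_t`, `status_set`, both hooks and both `create_kms_request_*` functions are hypothetical stand-ins, and the hook's message is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical status object; a stand-in, not libmongocrypt's real type. */
typedef struct { int ok; char msg[256]; } status_t;

static void status_set(status_t *s, const char *msg) {
    s->ok = 0;
    snprintf(s->msg, sizeof s->msg, "%s", msg);
}

/* Constructed driver crypto hook: fails and reports the cause. */
static int failing_hook(status_t *s) {
    status_set(s, "driver callback: OpenSSL 1.0.1 is no longer supported");
    return 0;
}

/* Constructed hook that fails without setting any message (edge case). */
static int silent_hook(status_t *s) { (void)s; return 0; }

/* Lossy: the generic message replaces whatever the hook reported. */
static int create_kms_request_lossy(int (*hook)(status_t *), status_t *s) {
    if (!hook(s)) {
        status_set(s, "failed to create KMS message");
        return 0;
    }
    return 1;
}

/* Preserving: keep the hook's message and add the context as a prefix. */
static int create_kms_request_preserving(int (*hook)(status_t *), status_t *s) {
    char cause[200];
    s->ok = 1;
    s->msg[0] = '\0';
    if (hook(s)) return 1;
    snprintf(cause, sizeof cause, "%s", s->msg[0] ? s->msg : "unknown cause");
    s->ok = 0;
    snprintf(s->msg, sizeof s->msg, "failed to create KMS message: %s", cause);
    return 0;
}

int main(void) {
    status_t a = {1, ""}, b = {1, ""}, c = {1, ""};
    create_kms_request_lossy(failing_hook, &a);
    create_kms_request_preserving(failing_hook, &b);
    create_kms_request_preserving(silent_hook, &c);
    printf("lossy:      %s\npreserving: %s\nsilent:     %s\n", a.msg, b.msg, c.msg);
    return 0;
}
```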