Type: Bug
Resolution: Fixed
Priority: Critical - P2
Affects Version/s: None
Component/s: None
Scope
- Include "Cryptographic Usage Mask" in the KMIP Register request
Background & Motivation
Section 4.3 "Register" of the KMIP specification lists the "Cryptographic Usage Mask" attribute as REQUIRED.
The "Cryptographic Usage Mask" attribute is not included in the Register request for the SecretData object created by libmongocrypt.
It was reported on Slack that versions 1.12 and 1.13 of HashiCorp Vault KMIP return an error on the KMIP Register request:
Error message: Caused by: com.mongodb.crypt.capi.MongoCryptException: Error getting UniqueIdentifer from KMIP Register response: KMIP response error. Result Status (1): Operation Failed. Result Reason (4): Invalid Message. Result Message: result reason: ResultReasonInvalidMessage; additional message: attribute Cryptographic Usage Mask is missing
The SecretData is not used for crypto operations within KMIP. It is fetched, then used within libmongocrypt. I expect the "Cryptographic Usage Mask" can be set to 0.
Section 3.14 "Cryptographic Usage Mask" lists "Cryptographic Usage Mask" under "When implicitly set" for the "Register" operation. Section 3 "Attributes" defines "When implicitly set" as "Which operations MAY cause this attribute to be set even if the attribute is not specified in the operation request itself?". HashiCorp Vault may have been implicitly setting this attribute before, and now requires the client to specify it.
An enterprise license to HashiCorp Vault is needed to test KMIP with HashiCorp Vault.
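The following is an added example, not code from libmongocrypt or from this ticket: it encodes a Register Request Payload in KMIP TTLV with and without a "Cryptographic Usage Mask" attribute set to 0, and walks the bytes to report which required attributes are absent, which allows a check of outbound requests without a Vault license. It assumes the KMIP 1.x Attribute structure (Attribute Name plus Attribute Value); the function names are hypothetical and the SecretData object itself is left out of the payload for brevity.

```python
# KMIP 1.x TTLV tags, item types and the SecretData Object Type value.
TAG_ATTRIBUTE, TAG_ATTR_NAME, TAG_ATTR_VALUE = 0x420008, 0x42000A, 0x42000B
TAG_OBJECT_TYPE, TAG_REQUEST_PAYLOAD, TAG_TEMPLATE_ATTR = 0x420057, 0x420079, 0x420091
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07
OBJECT_TYPE_SECRET_DATA = 0x07

def ttlv(tag, typ, value):
    """Encode one item: 3-byte tag, 1-byte type, 4-byte length, value padded to 8 bytes."""
    header = tag.to_bytes(3, "big") + bytes([typ]) + len(value).to_bytes(4, "big")
    return header + value + b"\x00" * (-len(value) % 8)

def attribute(name, int_value):
    """Attribute structure carrying an Integer value (assumed KMIP 1.x form)."""
    name_item = ttlv(TAG_ATTR_NAME, TEXT_STRING, name.encode())
    value_item = ttlv(TAG_ATTR_VALUE, INTEGER, int_value.to_bytes(4, "big", signed=True))
    return ttlv(TAG_ATTRIBUTE, STRUCTURE, name_item + value_item)

def register_payload(attributes):
    """Request Payload for registering SecretData; the object itself is omitted here."""
    object_type = ttlv(TAG_OBJECT_TYPE, ENUMERATION, OBJECT_TYPE_SECRET_DATA.to_bytes(4, "big"))
    template = ttlv(TAG_TEMPLATE_ATTR, STRUCTURE, b"".join(attributes))
    return ttlv(TAG_REQUEST_PAYLOAD, STRUCTURE, object_type + template)

def items(buf):
    """Yield (tag, type, value) for each TTLV item in buf, skipping padding."""
    pos = 0
    while pos < len(buf):
        header = buf[pos:pos + 8]
        length = int.from_bytes(header[4:8], "big")
        if len(header) < 8 or pos + 8 + length > len(buf):
            raise ValueError("truncated TTLV item")
        yield int.from_bytes(header[:3], "big"), header[3], buf[pos + 8:pos + 8 + length]
        pos += 8 + length + (-length % 8)

def attribute_names(buf):
    """Collect every Attribute Name string, descending into nested structures."""
    names = []
    for tag, typ, value in items(buf):
        if tag == TAG_ATTR_NAME and typ == TEXT_STRING:
            names.append(value.decode())
        elif typ == STRUCTURE:
            names.extend(attribute_names(value))
    return names

def missing_required(buf, required=("Cryptographic Usage Mask",)):
    """Return the required attribute names that the encoded request does not carry."""
    return [name for name in required if name not in attribute_names(buf)]
```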
Related to: DRIVERS-2598 Release bindings for libmongocrypt 1.7.3 (Closed)