CSFLE/QE KMIP support "delegated" protocol


      DRIVERS-2732:
      Summary of necessary driver changes

      • Use libmongocrypt containing changes for MONGOCRYPT-614. MONGOCRYPT-614 is available in libmongocrypt 1.10.0. Binaries are available in this Evergreen upload-all task to test.
      • Document the new "delegated" option for the KMIP masterKey in ClientEncryption::createDataKey and rewrapManyDataKey methods.
      • C driver required no other changes.

      Commits for syncing spec/prose tests
      (and/or refer to an existing language POC if needed)

      • Spec tests were added in 57b77d8 and amended in dc6eb4c
      • No prose tests
    • Needed

      1. What would you like to communicate to the user about this feature?

      Add the optional boolean delegated option to the KMIP master key. When
      true, the KMIP server performs encryption and decryption of the data
      key, so the key encryption key never leaves the server.

      The crypto is handled by libmongocrypt (>= 1.10). The driver builds the
      KMIP master key document explicitly, so it needs to carry the new field
      through to libmongocrypt and validate it as a boolean.

      Refresh the unified createDataKey and rewrapManyDataKey fixtures from the
      specifications repo to pick up the delegated test cases.

      2. Would you like the user to see examples of the syntax and/or executable code and its output?

      NO

      3. Which versions of the driver/connector does this apply to?

      2.25.0


      This ticket was split from DRIVERS-2732, please see that ticket for a detailed description.
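
The following is an added example, not code from the driver, libmongocrypt or the specifications repo. It sketches the strict boolean validation of `delegated` that the release-note text above asks for, so that a mistyped value cannot silently select non-delegated mode. The helper names, the `keyId` and `endpoint` fields (assumed from the KMIP master key in the client-side encryption specification) and the rejection of unknown keys are assumptions of this example.

```python
# Added illustration; not code from any MongoDB driver or libmongocrypt.
# build_kmip_master_key and is_accepted are hypothetical helpers.
# keyId/endpoint are assumed KMIP masterKey fields; "delegated" is the
# new optional boolean described in the ticket.

ALLOWED_FIELDS = {"keyId", "endpoint", "delegated"}


def build_kmip_master_key(opts):
    """Validate user options and return the KMIP masterKey document."""
    if not isinstance(opts, dict):
        raise TypeError("KMIP master key options must be a dict")
    # Assumption of this example: reject unknown keys, so a typo such as
    # "delegate" fails loudly instead of falling back to non-delegated mode.
    unknown = set(opts) - ALLOWED_FIELDS
    if unknown:
        raise ValueError(f"unknown KMIP master key option(s): {sorted(unknown)}")

    doc = {}
    for name in ("keyId", "endpoint"):
        value = opts.get(name)
        if value is None:
            continue  # optional field, left out of the document
        if not isinstance(value, str) or not value:
            raise TypeError(f"{name} must be a non-empty string")
        doc[name] = value

    delegated = opts.get("delegated")
    if delegated is not None:
        # Exact type check, no truthiness: "true", 1 or "yes" are rejected
        # rather than coerced, so the document passed on always carries a
        # real boolean.
        if type(delegated) is not bool:
            raise TypeError("delegated must be a boolean")
        doc["delegated"] = delegated
    return doc


def is_accepted(opts):
    """Return True if opts pass validation, False if they are rejected."""
    try:
        build_kmip_master_key(opts)
        return True
    except (TypeError, ValueError):
        return False


if __name__ == "__main__":
    # Constructed sample input.
    print(build_kmip_master_key({"keyId": "1", "delegated": True}))
```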

            Assignee: Dmitry Rybakov
            Reporter: TPM Jira Automations Bot

                Original Estimate: 1 week
                Remaining Estimate: 1 week
                Time Spent: Not Specified