  1. Core Server
  2. SERVER-43409

Support non amazon hosted AWS KMS endpoints

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.2.1, 4.3.1
    • Component/s: None
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Backport Requested:
      v4.2
    • Sprint:
      Security 2019-10-07

      Description

      The server's AWS KMS code assumes that any AWS KMS instance it needs to talk to is at kms.<region>.amazonaws.com. Some AWS KMS providers may be hosted at alternate domains.

      For testing purposes, we support alternate URLs but we do not generate the signature correctly in these cases since our local mock kms does not validate the signature. The mock_kms server needs to be updated to optionally verify the signature to ensure we have correctly implemented support for alternate kms. We can use local.10gen.cc or kms.local.10gen.cc as target hosts.

       

      Python Auth Header Calculation:

      https://github.com/boto/boto/blob/develop/boto/auth.py
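Added example, not code from the ticket or from the server: a minimal SigV4 calculation showing why a signature-verifying mock catches a client that signs for the wrong host, since the Host header is part of the signed canonical request. The secret, date, request body, the `client_signature` helper, and the assumption that the incorrect signature is one computed over the default `kms.<region>.amazonaws.com` host are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values; SECRET is not a real credential.
SECRET = "EXAMPLE-SECRET-KEY"
REGION, SERVICE = "us-east-1", "kms"
AMZ_DATE = "20191007T120000Z"
BODY = b'{"KeyId": "example-key", "Plaintext": "AAAA"}'


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_signature(host: str, body: bytes, amz_date: str = AMZ_DATE) -> str:
    """Hex SigV4 signature for a KMS 'POST /' whose Host header is `host`."""
    headers = {
        "content-type": "application/x-amz-json-1.1",
        "host": host,  # signed header: changing the host changes the signature
        "x-amz-date": amz_date,
        "x-amz-target": "TrentService.Encrypt",
    }
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        "POST", "/", "", canonical_headers, ";".join(sorted(headers)),
        hashlib.sha256(body).hexdigest(),
    ])
    scope = f"{amz_date[:8]}/{REGION}/{SERVICE}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + SECRET).encode()
    for part in (amz_date[:8], REGION, SERVICE, "aws4_request"):
        key = _hmac(key, part)  # derive the signing key step by step
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()


def mock_kms_verify(received_host: str, body: bytes, claimed_sig: str) -> bool:
    """A verifying mock recomputes from the Host header it actually received."""
    return hmac.compare_digest(sigv4_signature(received_host, body), claimed_sig)


def client_signature(endpoint_host: str, assume_amazon_host: bool) -> str:
    # Hypothetical client; the assumed-buggy variant signs the default AWS host.
    host = f"kms.{REGION}.amazonaws.com" if assume_amazon_host else endpoint_host
    return sigv4_signature(host, BODY)
```

A mock that skips verification accepts both variants, which is how the incorrect signature goes unnoticed in testing.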

            People

            Assignee:
            mark.benvenuto Mark Benvenuto
            Reporter:
            mark.benvenuto Mark Benvenuto