[MONGOCRYPT-257] KMS request error message should include information about what failed Created: 17/Jun/20  Updated: 28/Oct/23  Resolved: 05/Jan/21

Status: Closed
Project: Libmongocrypt
Component/s: None
Affects Version/s: None
Fix Version/s: 1.1.0

Type: Bug Priority: Major - P3
Reporter: Shane Harvey Assignee: Kevin Albertson
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to MONGOCRYPT-244 ctx_datakey_init returns a vague erro... Backlog

 Description   

When libmongocrypt fails to create a KMS request it sets the status error message to something like "failed to create KMS message". This is great but it does not give us any information about the underlying cause of the failure. For example, if the underlying issue is that a driver crypto callback fails, we set a status message to inform libmongocrypt of the error. Instead, libmongocrypt ignores the driver's error message and simply returns "failed to create KMS message":

ERROR: test_decrypt (test.test_mongocrypt.TestMongoCrypt)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/test/test_mongocrypt.py", line 191, in test_decrypt
    self._test_kms_context(ctx)
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/test/test_mongocrypt.py", line 136, in _test_kms_context
    ctx.add_mongo_operation_result(bson_data('key-document.json'))
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 286, in add_mongo_operation_result
    self._raise_from_status()
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 269, in _raise_from_status
    raise exc
pymongocrypt.errors.MongoCryptError: failed to create KMS message

In some places libmongocrypt helpfully forwards this error along. For example, here the Python aes_256_cbc_encrypt callback fails and we include the entire traceback in the error message:

ERROR: test_data_key_creation (test.test_mongocrypt.TestExplicitEncryption)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/test/test_mongocrypt.py", line 337, in test_data_key_creation
    key_alt_names=key_alt_names)
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/explicit_encrypter.py", line 112, in create_data_key
    with self.mongocrypt.data_key_context(kms_provider, opts) as ctx:
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 228, in data_key_context
    return DataKeyContext(self._create_context(), kms_provider, opts)
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 472, in __init__
    self._raise_from_status()
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/mongocrypt.py", line 269, in _raise_from_status
    raise exc
pymongocrypt.errors.MongoCryptError: Traceback (most recent call last):
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/pymongocrypt/crypto.py", line 53, in aes_256_cbc_encrypt
    backend=default_backend())
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/backends/__init__.py", line 15, in default_backend
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/backends/openssl/backend.py", line 75, in <module>
    from cryptography.hazmat.bindings.openssl import binding
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/bindings/openssl/binding.py", line 205, in <module>
    _verify_openssl_version(Binding.lib)
  File "/data/mci/cd24bf86d9fd5adb887acd705b326b10/libmongocrypt/bindings/python/.eggs/cryptography-2.9.2-py3.4-linux-x86_64.egg/cryptography/hazmat/bindings/openssl/binding.py", line 169, in _verify_openssl_version
    "You are linking against OpenSSL 1.0.1, which is no longer "
RuntimeError: You are linking against OpenSSL 1.0.1, which is no longer supported by the OpenSSL project. You need to upgrade to a newer version of OpenSSL.

I think KMS failures should also keep the original error message intact (or include the original error message) similar to data key failures.



 Comments   
Comment by Kevin Albertson [ 04/Jan/21 ]

PR: https://github.com/mongodb/libmongocrypt/pull/151

Comment by Prashant Mital (Inactive) [ 29/Oct/20 ]

Note that in the case mentioned by shane.harvey above the error occurred in this line and the exception generated was:

ValueError('Could not deserialize key data.',)

Comment by Shane Harvey [ 29/Oct/20 ]

This ticket caused some more pain for the python team while implementing GCP/Azure support in PYTHON-2371. We had tests failing with "Failed to create GCP oauth request signature" without a reason. After some debugging we found that our sign_rsaes_pkcs1_v1_5 crypto callback was failing but libmongocrypt ignores the message we fill out in the status:
https://github.com/mongodb/libmongocrypt/blob/90cb575/kms-message/src/kms_gcp_request.c#L98

    if (!req->crypto.sign_rsaes_pkcs1_v1_5 (
           req->crypto.sign_ctx,
           private_key_data,
           private_key_len,
           jwt_header_and_claims_b64url,
           strlen (jwt_header_and_claims_b64url),
           jwt_signature)) {
       KMS_ERROR (req, "Failed to create GCP oauth request signature");
       goto done;
    }

In lieu of actually fixing this issue, could we update the error message to be more direct about what failed like this:

       KMS_ERROR (req, "Failed to create GCP oauth request signature (sign_rsaes_pkcs1_v1_5 crypto hook failed)");
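
Added example, not code from libmongocrypt or from this ticket: a minimal C sketch of the behaviour requested here, where the request code names the failed hook and appends whatever message the crypto callback left in its status. The types hook_status_t and sketch_request_t and all function names are hypothetical stand-ins; only the two error strings come from the comments above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for illustration; not libmongocrypt's real types. */
typedef struct { char msg[256]; } hook_status_t;
typedef bool (*sign_hook_fn) (void *ctx, const char *input, hook_status_t *status);
typedef struct { sign_hook_fn sign; void *sign_ctx; char error[512]; } sketch_request_t;

/* Constructed failing hook: reports its own reason, as a driver callback would. */
static bool failing_sign_hook (void *ctx, const char *input, hook_status_t *status)
{
   (void) ctx; (void) input;
   snprintf (status->msg, sizeof status->msg, "Could not deserialize key data.");
   return false;
}

/* Constructed hook that fails without filling in the status. */
static bool silent_sign_hook (void *ctx, const char *input, hook_status_t *status)
{
   (void) ctx; (void) input; (void) status;
   return false;
}

/* Sign the input; on failure keep the hook's message instead of discarding it. */
static bool request_sign (sketch_request_t *req, const char *input)
{
   hook_status_t status = {{0}};
   req->error[0] = '\0';
   if (req->sign (req->sign_ctx, input, &status)) {
      return true;
   }
   /* Name the failed hook, then append the cause if the hook supplied one. */
   snprintf (req->error, sizeof req->error,
             "Failed to create GCP oauth request signature "
             "(sign_rsaes_pkcs1_v1_5 crypto hook failed): %s",
             status.msg[0] ? status.msg : "hook set no error message");
   return false;
}

int main (void)
{
   sketch_request_t req = {failing_sign_hook, NULL, {0}};
   request_sign (&req, "header.claims");
   puts (req.error);
   return 0;
}
```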

Comment by Dmitry Lukyanov (Inactive) [ 20/Oct/20 ]

I think we need to reconsider the priority of this ticket. In C#, the encryption callback will fail on non-Windows systems if users attempt to use target frameworks less than netcoreapp3.0, which can be pretty often, so it will be good to provide a clear reason why it happens.
