[MONGOCRYPT-530] Implement parsing and decryption of v2 indexed equality values Created: 03/Feb/23  Updated: 28/Oct/23  Resolved: 17/Mar/23

Status: Closed
Project: Libmongocrypt
Component/s: None
Affects Version/s: None
Fix Version/s: 1.8.0, 1.8.0-alpha0

Type: Task Priority: Unknown
Reporter: Erwin Pe Assignee: Sara Golemon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on MONGOCRYPT-541 Define the QE v2 payload types in mc-... Closed
is depended on by SERVER-73851 Refactor FLEClientCrypto::decryptDocu... Closed
Epic Link: PM-2972
Binding Changes: Not Needed

 Description   

Implement the parsing and decryption of the new FLE2EqualityIndexedValueV2 payload format in libmongocrypt. This is similar to the server-side work done in SERVER-72908.

libmongocrypt handles the parsing and decryption of indexed encrypted values (IEVs) in the _replace_FLE2IndexedEncryptedValue_with_plaintext() function.  This, in turn, calls the following functions that parse & decrypt the payload:

  • mc_FLE2IndexedEncryptedValue_parse() - deserializes the payload
  • mc_FLE2IndexedEncryptedValue_add_S_Key() - decrypts the server-encrypted ciphertext
  • mc_FLE2IndexedEqualityEncryptedValue_add_K_Key() - decrypts the client-encrypted ciphertext

To handle the V2 payload formats, the above functions will have to be changed to handle the new wire format. Specifically:

  • for v2 equality payloads, mc_FLE2IndexedEncryptedValue_parse() will read the S_Key, original BSON type, and the InnerEncrypted blob; however, it must fail if the remainder of the buffer is shorter than one serialized FLE2TagAndEncryptedMetadataBlock.
  • for v2 ranged payloads, mc_FLE2IndexedEncryptedValue_parse() will read the S_Key, original BSON type, edge count, and the InnerEncrypted blob; it must also fail if the remainder of the buffer is shorter than the size of a serialized FLE2TagAndEncryptedMetadataBlock times the edge count.
  • In mc_FLE2IndexedEncryptedValue_add_S_Key(), the logic that parses the counter and the esc/ecc/ecocTokens from the decrypted blob should be removed (the specific function is mc_FLE2IndexedEncryptedValue_decrypt()).
  • In mc_FLE2IndexedEqualityEncryptedValue_add_K_Key(), the decryption of the client-encrypted data will have to use CBC, instead of CTR.


 Comments   
Comment by Githook User [ 20/Mar/23 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: MONGOCRYPT-530 Implement FLE2IndexedEqualityEncryptedValueV2
Branch: shreyaskalyan/MONGOCRYPT-539
https://github.com/mongodb/libmongocrypt/commit/528102f74f9673fee5e3a5a74761ce9e62c3773f

Comment by Githook User [ 17/Mar/23 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: MONGOCRYPT-530 Implement FLE2IndexedEqualityEncryptedValueV2
Branch: master
https://github.com/mongodb/libmongocrypt/commit/528102f74f9673fee5e3a5a74761ce9e62c3773f

Comment by Sara Golemon [ 13/Mar/23 ]

https://github.com/mongodb/libmongocrypt/pull/594

Generated at Thu Feb 08 09:08:53 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.