[MONGOCRYPT-563] "Cryptographic Usage Mask" not included in KMIP Register request
Created: 17/Mar/23 | Updated: 28/Oct/23 | Resolved: 22/Mar/23
| Status: | Closed |
| Project: | Libmongocrypt |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 1.7.3 |
| Type: | Bug | Priority: | Critical - P2 |
| Reporter: | Kevin Albertson | Assignee: | Kevin Albertson |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Binding Changes: | Not Needed |
| Case: | (copied to CRM) |
| Description |
Scope
Background & Motivation
4.3 Register lists the "Cryptographic Usage Mask" attribute as REQUIRED. The "Cryptographic Usage Mask" attribute is not included in the Register request for the SecretData object created by libmongocrypt. It was reported on Slack that versions 1.12 and 1.13 of HashiCorp Vault KMIP return an error on the KMIP Register request:

The SecretData is not used for crypto operations within KMIP. It is fetched, then used within libmongocrypt. I expect the "Cryptographic Usage Mask" can be set to 0.

3.14 Cryptographic Usage Mask lists "Cryptographic Usage Mask" in "When implicitly set" for the "Register" operation. 3 Attributes defines "When implicitly set" as "Which operations MAY cause this attribute to be set even if the attribute is not specified in the operation request itself?". HashiCorp Vault may have been implicitly setting this attribute before, and now requires the client to specify it.

An enterprise license to HashiCorp Vault is needed to test KMIP with HashiCorp Vault. |
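The attribute discussed in the description, as an added example (not libmongocrypt code and not part of the ticket): it encodes a Register Template-Attribute with and without a "Cryptographic Usage Mask" of 0, and checks an encoded Template-Attribute for the attribute before it is sent to a server that enforces it. It assumes the KMIP 1.x TTLV encoding with attributes carried as Attribute structures; the function names `build_template` and `has_attribute` are hypothetical.

```c
#include <stdint.h>
#include <string.h>
/* KMIP 1.x TTLV (assumed): 3-byte tag, 1-byte type, 4-byte BE length, value zero-padded to 8. */
enum { T_STRUCT = 1, T_INT = 2, T_TEXT = 7, ATTRIBUTE = 0x420008,
       ATTR_NAME = 0x42000A, ATTR_VALUE = 0x42000B, TEMPLATE_ATTR = 0x420091 };
#define TT(tag, type) ((uint32_t)(tag) << 8 | (type)) /* tag and type as one word */
static const char MASK_NAME[] = "Cryptographic Usage Mask";
static size_t pad8(size_t n) { return (n + 7u) & ~(size_t)7u; }
static uint32_t be(const uint8_t *p, int n) { uint32_t v = 0; while (n--) v = v << 8 | *p++; return v; }

/* Writes one item; for a structure only the header (its children follow). */
static size_t put(uint8_t *b, uint32_t tt, const void *v, uint32_t len) {
    uint32_t hdr[2] = { tt, len };
    for (int i = 0; i < 8; i++) b[i] = (uint8_t)(hdr[i / 4] >> (24 - 8 * (i % 4)));
    if ((tt & 0xFF) == T_STRUCT) return 8;
    memset(b + 8, 0, pad8(len));
    memcpy(b + 8, v, len);
    return 8 + pad8(len);
}

/* Template-Attribute for Register (out: 64 bytes), with or without usage mask 0. */
size_t build_template(uint8_t *out, int with_mask) {
    static const uint8_t zero[4] = { 0 };
    size_t a = 8; /* size of the Attribute item, header included */
    if (!with_mask) return put(out, TT(TEMPLATE_ATTR, T_STRUCT), NULL, 0);
    a += put(out + 8 + a, TT(ATTR_NAME, T_TEXT), MASK_NAME, (uint32_t)strlen(MASK_NAME));
    a += put(out + 8 + a, TT(ATTR_VALUE, T_INT), zero, 4);
    put(out + 8, TT(ATTRIBUTE, T_STRUCT), NULL, (uint32_t)(a - 8));
    return put(out, TT(TEMPLATE_ATTR, T_STRUCT), NULL, (uint32_t)a) + a;
}

/* Padded size of the item at p, or 0 if it does not fit in `room` bytes. */
static size_t item_size(const uint8_t *p, size_t room) {
    if (room < 8 || be(p + 4, 4) > room - 8) return 0;
    return pad8(be(p + 4, 4)) > room - 8 ? 0 : 8 + pad8(be(p + 4, 4));
}

/* 1: attribute `name` present, 0: absent, -1: malformed Template-Attribute. */
int has_attribute(const uint8_t *buf, size_t len, const char *name) {
    if (len < 8 || item_size(buf, len) != len || be(buf, 4) != TT(TEMPLATE_ATTR, T_STRUCT)) return -1;
    for (size_t i = 8, n; i < len; i += n) {
        if (!(n = item_size(buf + i, len - i))) return -1;
        for (size_t j = i + 8, m; be(buf + i, 4) == TT(ATTRIBUTE, T_STRUCT) && j < i + n; j += m) {
            if (!(m = item_size(buf + j, i + n - j))) return -1;
            if (be(buf + j, 4) == TT(ATTR_NAME, T_TEXT) && be(buf + j + 4, 4) == strlen(name) &&
                !memcmp(buf + j + 8, name, strlen(name))) return 1;
        }
    }
    return 0;
}
```

With the mask included the Template-Attribute is 64 bytes; the 4-byte Integer value 0 is followed by 4 padding bytes, so the Attribute Value item occupies 16 bytes on the wire.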
| Comments |
| Comment by Kevin Albertson [ 04/Apr/23 ] |
|
This bug is now fixed and released in libmongocrypt 1.7.3. I also verified that HashiCorp Vault 1.13.1 is no longer impacted by this bug. The fix is in libmongocrypt 1.7.3 and may benefit users of HashiCorp Vault 1.12 to 1.13.0. But users impacted by this bug also have the option of upgrading to HashiCorp Vault 1.13.1. |
| Comment by Githook User [ 22/Mar/23 ] |
|
Author: {'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}
Message:
On error, the calls return a `kms_request_t*` with an error attached.
|
| Comment by Githook User [ 22/Mar/23 ] |
|
Author: {'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}
Message:
On error, the calls return a `kms_request_t*` with an error attached.
|