[MONGOCRYPT-563] "Cryptographic Usage Mask" not included in KMIP Register request Created: 17/Mar/23  Updated: 28/Oct/23  Resolved: 22/Mar/23

Status: Closed
Project: Libmongocrypt
Component/s: None
Affects Version/s: None
Fix Version/s: 1.7.3

Type: Bug Priority: Critical - P2
Reporter: Kevin Albertson Assignee: Kevin Albertson
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to DRIVERS-2598 Release bindings for libmongocrypt 1.7.3 Closed
Binding Changes: Not Needed
Case:

Description

Scope

  • Include "Cryptographic Usage Mask" in the KMIP Register request

Background & Motivation

Section 4.3 (Register) of the KMIP specification lists the "Cryptographic Usage Mask" attribute as REQUIRED.

The "Cryptographic Usage Mask" attribute is not included in the Register request for the SecretData object created by libmongocrypt.

It was reported on slack that versions 1.12 and 1.13 of HashiCorp Vault KMIP return an error on the KMIP Register request:

Error message: Caused by: com.mongodb.crypt.capi.MongoCryptException: Error getting UniqueIdentifer from KMIP Register response: KMIP response error. Result Status (1): Operation Failed. Result Reason (4): Invalid Message. Result Message: result reason: ResultReasonInvalidMessage; additional message: attribute Cryptographic Usage Mask is missing

The SecretData is not used for crypto operations within KMIP. It is fetched, then used within libmongocrypt. I expect the "Cryptographic Usage Mask" can be set to 0.

Section 3.14 (Cryptographic Usage Mask) of the KMIP specification lists "Cryptographic Usage Mask" under "When implicitly set" for the "Register" operation. Section 3 (Attributes) defines "When implicitly set" as "Which operations MAY cause this attribute to be set even if the attribute is not specified in the operation request itself?". HashiCorp Vault may have been implicitly setting this attribute before, and now requires the client to specify it.

An enterprise license to HashiCorp Vault is needed to test KMIP with HashiCorp Vault.
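To make the missing attribute concrete, here is an added example (not libmongocrypt's code) that encodes a KMIP 1.0 Register request for a SecretData object in TTLV, with or without the "Cryptographic Usage Mask" attribute, and a walker that collects the attribute names present, which is the presence check a server enforcing a REQUIRED attribute performs. Tag and enumeration values are transcribed from the KMIP 1.0 specification; the Secret Data Type (Seed) and the sample secret bytes are assumptions, and the Key Format Type follows the fix (Opaque).

```python
# TTLV type codes and KMIP 1.x tag values, transcribed here from the KMIP 1.0 specification tables.
STRUCT, INTEGER, ENUM, TEXT, BYTES = 0x01, 0x02, 0x05, 0x07, 0x08
T = {"RequestMessage": 0x420078, "RequestHeader": 0x420077, "ProtocolVersion": 0x420069, "Major": 0x42006A,
     "Minor": 0x42006B, "BatchCount": 0x42000D, "BatchItem": 0x42000F, "Operation": 0x42005C,
     "RequestPayload": 0x420079, "ObjectType": 0x420057, "TemplateAttribute": 0x420091, "Attribute": 0x420008,
     "AttributeName": 0x42000A, "AttributeValue": 0x42000B, "SecretData": 0x420085, "SecretDataType": 0x420086,
     "KeyBlock": 0x420040, "KeyFormatType": 0x420042, "KeyValue": 0x420045, "KeyMaterial": 0x420043}
OP_REGISTER, OBJ_SECRET_DATA, SECRET_SEED, FMT_OPAQUE = 3, 7, 2, 2  # KMIP enumeration values (Seed assumed)

def ttlv(tag, typ, value):
    """Encode one item: 3-byte tag, 1-byte type, 4-byte big-endian length, value padded to 8 bytes."""
    if typ == STRUCT:
        body = b"".join(value)  # children are already padded, so the structure length is their sum
    elif typ in (INTEGER, ENUM):
        body = value.to_bytes(4, "big", signed=True)  # reports length 4, occupies 8 once padded
    else:
        body = value if typ == BYTES else value.encode()
    head = tag.to_bytes(3, "big") + bytes([typ]) + len(body).to_bytes(4, "big")
    return head + body + b"\x00" * (-len(body) % 8)

def register_secret_data(secret, include_usage_mask=True):
    """Build a KMIP 1.0 Register request for a SecretData object; mask omitted to reproduce the bug."""
    attrs = [ttlv(T["Attribute"], STRUCT, [
        ttlv(T["AttributeName"], TEXT, "Cryptographic Usage Mask"),
        ttlv(T["AttributeValue"], INTEGER, 0),  # 0: the secret is never used for crypto inside KMIP
    ])] if include_usage_mask else []
    payload = ttlv(T["RequestPayload"], STRUCT, [
        ttlv(T["ObjectType"], ENUM, OBJ_SECRET_DATA),
        ttlv(T["TemplateAttribute"], STRUCT, attrs),
        ttlv(T["SecretData"], STRUCT, [
            ttlv(T["SecretDataType"], ENUM, SECRET_SEED),
            ttlv(T["KeyBlock"], STRUCT, [
                ttlv(T["KeyFormatType"], ENUM, FMT_OPAQUE),
                ttlv(T["KeyValue"], STRUCT, [ttlv(T["KeyMaterial"], BYTES, secret)])])])])
    header = ttlv(T["RequestHeader"], STRUCT, [ttlv(T["ProtocolVersion"], STRUCT, [
        ttlv(T["Major"], INTEGER, 1), ttlv(T["Minor"], INTEGER, 0)]), ttlv(T["BatchCount"], INTEGER, 1)])
    item = ttlv(T["BatchItem"], STRUCT, [ttlv(T["Operation"], ENUM, OP_REGISTER), payload])
    return ttlv(T["RequestMessage"], STRUCT, [header, item])

def attribute_names(msg):
    """Walk the TTLV tree and return every Attribute Name, the check a server makes for REQUIRED ones."""
    names, i = [], 0
    while i + 8 <= len(msg):
        tag, typ, length = int.from_bytes(msg[i:i+3], "big"), msg[i+3], int.from_bytes(msg[i+4:i+8], "big")
        if typ == STRUCT:
            names += attribute_names(msg[i+8:i+8+length])
        elif tag == T["AttributeName"]:
            names.append(msg[i+8:i+8+length].decode())
        i += 8 + length + (-length % 8)  # skip the item and its padding to the 8-byte boundary
    return names
```

Running `attribute_names(register_secret_data(b"\x01" * 96, include_usage_mask=False))` returns an empty list, which is the request shape Vault 1.12 and 1.13.0 reject with "attribute Cryptographic Usage Mask is missing".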



Comments
Comment by Kevin Albertson [ 04/Apr/23 ]

This bug is now fixed and released in libmongocrypt 1.7.3. I also verified that Hashicorp Vault 1.13.1 is no longer impacted by this bug. The fix in libmongocrypt 1.7.3 may benefit users of Hashicorp Vault 1.12 to 1.13.0. But users impacted by this bug also have the option of upgrading to Hashicorp Vault 1.13.1.

Comment by Githook User [ 22/Mar/23 ]

Author:

{'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}

Message: MONGOCRYPT-563 add CryptographicUsageMask to Register request (#603)

  • format kms_kmip_request.c
  • fix error checks of `kms_kmip_request.*new`

On error, the calls return a `kms_request_t*` with an error attached.

  • add `Cryptographic Usage Mask` attribute to KMIP `Register` request
  • change `Key Format Type` from `Raw` to `Opaque`.
  • update comments and test data
Generated at Thu Feb 08 09:08:58 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.