[SERVER-43409] Support non amazon hosted AWS KMS endpoints Created: 21/Sep/19  Updated: 29/Oct/23  Resolved: 25/Sep/19

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 4.2.1, 4.3.1

Type: Task Priority: Major - P3
Reporter: Mark Benvenuto Assignee: Mark Benvenuto
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Backwards Compatibility: Fully Compatible
Backport Requested:
v4.2
Sprint: Security 2019-10-07
Participants:

 Description   

The server's AWS KMS code assumes that any AWS KMS instance it needs to talk to is at kms.<region>.amazonaws.com. Some AWS KMS providers may be hosted at alternate domains.

For testing purposes, we support alternate URLs, but we do not generate the signature correctly in these cases since our local mock KMS does not validate the signature. The mock_kms server needs to be updated to optionally verify the signature to ensure we have correctly implemented support for alternate KMS. We can use local.10gen.cc or kms.local.10gen.cc as target hosts.

 

Python Auth Header Calculation:

https://github.com/boto/boto/blob/develop/boto/auth.py
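
Added example, not code from the MongoDB server or its mock_kms: a minimal AWS Signature Version 4 calculation for a KMS `POST /` request, showing why a mock that skips validation hides a wrong signature and a validating one catches it. SigV4 signs the Host header; the example assumes the mismatch comes from signing over the default `kms.<region>.amazonaws.com` name while sending to the alternate host, and the key, date and body are constructed sample values.

```python
import hashlib
import hmac

def sigv4_signature(secret_key, region, amz_date, host, body, service="kms"):
    """SigV4 signature for 'POST /' with no query string; Host is a signed header."""
    headers = {  # names are lower-case, as SigV4 canonicalization requires
        "content-type": "application/x-amz-json-1.1",
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-target": "TrentService.Encrypt",
    }
    canonical_request = "\n".join([
        "POST", "/", "",
        "".join(f"{k}:{v}\n" for k, v in sorted(headers.items())),
        ";".join(sorted(headers)),
        hashlib.sha256(body).hexdigest(),
    ])
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    key = ("AWS4" + secret_key).encode()  # derive the signing key step by step
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def mock_kms_accepts(received_host, signature, secret_key, region, amz_date, body):
    """Validating mock (hypothetical helper): recompute over the Host actually received."""
    expected = sigv4_signature(secret_key, region, amz_date, received_host, body)
    return hmac.compare_digest(expected, signature)

# Constructed sample values (not real credentials or traffic).
SECRET = "EXAMPLE-SECRET-KEY-NOT-REAL"
REGION, AMZ_DATE = "us-east-1", "20190921T000000Z"
BODY = b'{"KeyId":"example-key","Plaintext":"AAAA"}'
TARGET_HOST = "kms.local.10gen.cc"  # alternate host named in the ticket

def demo():
    # Assumed failure mode: signing over the default host, sending to the alternate one.
    wrong = sigv4_signature(SECRET, REGION, AMZ_DATE, f"kms.{REGION}.amazonaws.com", BODY)
    # Signing over the host the request is really sent to.
    right = sigv4_signature(SECRET, REGION, AMZ_DATE, TARGET_HOST, BODY)
    return (mock_kms_accepts(TARGET_HOST, wrong, SECRET, REGION, AMZ_DATE, BODY),
            mock_kms_accepts(TARGET_HOST, right, SECRET, REGION, AMZ_DATE, BODY))

if __name__ == "__main__":
    print(demo())  # (False, True)
```

A mock that never calls a check like `mock_kms_accepts` returns success for both requests, which is why the incorrect signature went unnoticed in testing.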



 Comments   
Comment by Githook User [ 11/Oct/19 ]

Author:

{'username': 'markbenvenuto', 'email': 'mark.benvenuto@mongodb.com', 'name': 'Mark Benvenuto'}

Message: SERVER-43409 Support non amazon hosted AWS KMS endpoints

(cherry picked from commit f893195c8255afdb1914d83ed8a4e7833bea04df)
Branch: v4.2
https://github.com/mongodb/mongo/commit/795f9bc3047184cc27f1643fa7c06bf2386f6218

Comment by Mark Benvenuto [ 25/Sep/19 ]

Users must override the default URL for kms.<region>.amazonaws.com by using the "url" parameter as part of data key creation in order to use non-amazonaws.com URLs.

Comment by Githook User [ 25/Sep/19 ]

Author:

{'name': 'Mark Benvenuto', 'username': 'markbenvenuto', 'email': 'mark.benvenuto@mongodb.com'}

Message: SERVER-43409 Support non amazon hosted AWS KMS endpoints
Branch: master
https://github.com/mongodb/mongo/commit/f893195c8255afdb1914d83ed8a4e7833bea04df

Generated at Thu Feb 08 05:03:08 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.