MONGOCRYPT-563 add CryptographicUsageMask to Register request (#603)

* format kms_kmip_request.c * fix error checks of `kms_kmip_request.*new` On error, the calls return a `kms_request_t*` with an error attached. * add `Cryptographic Usage Mask` attribute to KMIP `Register` request * change `Key Format Type` from `Raw` to `Opaque`. * update comments and test data * fix comment. SecretDataType used is Seed, not Password
mongodb · Mar 22, 2023 · 231c8bd · 231c8bd
1 parent 0caa1d3
commit 231c8bd
Show file tree

Hide file tree

Showing 4 changed files with 78 additions and 44 deletions.
diff --git a/kms-message/src/kms_kmip_request.c b/kms-message/src/kms_kmip_request.c
@@ -23,7 +23,8 @@
 #include <stdint.h>
 
 static void
-copy_writer_buffer (kms_request_t *req, kmip_writer_t *writer) {
+copy_writer_buffer (kms_request_t *req, kmip_writer_t *writer)
+{
    const uint8_t *buf;
    size_t buflen;
 
@@ -54,11 +55,15 @@ kms_kmip_request_register_secretdata_new (void *reserved,
      <RequestPayload tag="0x420079" type="Structure">
       <ObjectType tag="0x420057" type="Enumeration" value="7"/>
       <TemplateAttribute tag="0x420091" type="Structure">
+       <Attribute tag="0x420008" type="Structure">
+        <AttributeName tag="0x42000a" type="TextString" value="Cryptographic
+   Usage Mask"/> <AttributeValue tag="0x42000b" type="Integer" value="0"/>
+       </Attribute>
       </TemplateAttribute>
       <SecretData tag="0x420085" type="Structure">
-       <SecretDataType tag="0x420086" type="Enumeration" value="1"/>
+       <SecretDataType tag="0x420086" type="Enumeration" value="2"/>
        <KeyBlock tag="0x420040" type="Structure">
-        <KeyFormatType tag="0x420042" type="Enumeration" value="1"/>
+        <KeyFormatType tag="0x420042" type="Enumeration" value="2"/>
         <KeyValue tag="0x420045" type="Structure">
          <KeyMaterial tag="0x420043" type="ByteString" value="..."/>
         </KeyValue>
@@ -101,15 +106,29 @@ kms_kmip_request_register_secretdata_new (void *reserved,
    /* 0x07 == SecretData */
    kmip_writer_write_enumeration (writer, KMIP_TAG_ObjectType, 0x07);
    kmip_writer_begin_struct (writer, KMIP_TAG_TemplateAttribute);
+   // Add required Cryptographic Usage Mask attribute.
+   {
+      kmip_writer_begin_struct (writer, KMIP_TAG_Attribute);
+      const char *cryptographicUsageMaskStr = "Cryptographic Usage Mask";
+      kmip_writer_write_string (writer,
+                                KMIP_TAG_AttributeName,
+                                cryptographicUsageMaskStr,
+                                strlen (cryptographicUsageMaskStr));
+      // Use 0 because the Secret Data object is not used in cryptographic
+      // operations on the KMIP server.
+      kmip_writer_write_integer (writer, KMIP_TAG_AttributeValue, 0);
+      kmip_writer_close_struct (writer);
+   }
    kmip_writer_close_struct (writer); /* KMIP_TAG_TemplateAttribute */
    kmip_writer_begin_struct (writer, KMIP_TAG_SecretData);
-   /* 0x01 = Password */
+   /* 0x02 = Seed */
    kmip_writer_write_enumeration (writer, KMIP_TAG_SecretDataType, 0x02);
    kmip_writer_begin_struct (writer, KMIP_TAG_KeyBlock);
-   /* 0x01 = Raw */
-   kmip_writer_write_enumeration (writer, KMIP_TAG_KeyFormatType, 0x01);
+   /* 0x02 = Opaque */
+   kmip_writer_write_enumeration (writer, KMIP_TAG_KeyFormatType, 0x02);
    kmip_writer_begin_struct (writer, KMIP_TAG_KeyValue);
-   kmip_writer_write_bytes (writer, KMIP_TAG_KeyMaterial, (const char *) data, len);
+   kmip_writer_write_bytes (
+      writer, KMIP_TAG_KeyMaterial, (const char *) data, len);
    kmip_writer_close_struct (writer); /* KMIP_TAG_KeyValue */
    kmip_writer_close_struct (writer); /* KMIP_TAG_KeyBlock */
    kmip_writer_close_struct (writer); /* KMIP_TAG_SecretData */

diff --git a/kms-message/test/test_kms_kmip_request.c b/kms-message/test/test_kms_kmip_request.c
@@ -13,17 +13,20 @@
  </RequestHeader>
  <BatchItem tag="0x42000f" type="Structure">
   <Operation tag="0x42005c" type="Enumeration" value="3"/>
-  <UniqueBatchItemID tag="0x420093" type="ByteString" value="41"/>
   <RequestPayload tag="0x420079" type="Structure">
    <ObjectType tag="0x420057" type="Enumeration" value="7"/>
    <TemplateAttribute tag="0x420091" type="Structure">
+    <Attribute tag="0x420008" type="Structure">
+     <AttributeName tag="0x42000a" type="TextString" value="Cryptographic Usage
+Mask"/> <AttributeValue tag="0x42000b" type="Integer" value="0"/>
+    </Attribute>
    </TemplateAttribute>
    <SecretData tag="0x420085" type="Structure">
-    <SecretDataType tag="0x420086" type="Enumeration" value="1"/>
+    <SecretDataType tag="0x420086" type="Enumeration" value="2"/>
     <KeyBlock tag="0x420040" type="Structure">
-     <KeyFormatType tag="0x420042" type="Enumeration" value="1"/>
+     <KeyFormatType tag="0x420042" type="Enumeration" value="2"/>
      <KeyValue tag="0x420045" type="Structure">
-      <KeyMaterial tag="0x420043" type="ByteString"
+     <KeyMaterial tag="0x420043" type="ByteString"
 value="ffa8cc79e8c3763b0121fcd06bb3488c8bf42c0774604640279b16b264194030eeb08396241defcc4d32d16ea831ad777138f08e2f985664c004c2485d6f4991eb3d9ec32802537836a9066b4e10aeb56a5ccf6aa46901e625e3400c7811d2ec"/>
      </KeyValue>
     </KeyBlock>
@@ -33,30 +36,35 @@ value="ffa8cc79e8c3763b0121fcd06bb3488c8bf42c0774604640279b16b264194030eeb083962
 </RequestMessage>
 */
 #define REGISTER_SECRETDATA_REQUEST                                           \
-   0x42, 0x00, 0x78, 0x01, 0x00, 0x00, 0x01, 0x18, 0x42, 0x00, 0x77, 0x01,    \
+   0x42, 0x00, 0x78, 0x01, 0x00, 0x00, 0x01, 0x50, 0x42, 0x00, 0x77, 0x01,    \
       0x00, 0x00, 0x00, 0x38, 0x42, 0x00, 0x69, 0x01, 0x00, 0x00, 0x00, 0x20, \
       0x42, 0x00, 0x6a, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, \
       0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x6b, 0x02, 0x00, 0x00, 0x00, 0x04, \
       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x0d, 0x02, \
       0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, \
-      0x42, 0x00, 0x0f, 0x01, 0x00, 0x00, 0x00, 0xd0, 0x42, 0x00, 0x5c, 0x05, \
+      0x42, 0x00, 0x0f, 0x01, 0x00, 0x00, 0x01, 0x08, 0x42, 0x00, 0x5c, 0x05, \
       0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, \
-      0x42, 0x00, 0x79, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x42, 0x00, 0x57, 0x05, \
+      0x42, 0x00, 0x79, 0x01, 0x00, 0x00, 0x00, 0xf0, 0x42, 0x00, 0x57, 0x05, \
       0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, \
-      0x42, 0x00, 0x91, 0x01, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x85, 0x01, \
-      0x00, 0x00, 0x00, 0x98, 0x42, 0x00, 0x86, 0x05, 0x00, 0x00, 0x00, 0x04, \
-      0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x40, 0x01, \
-      0x00, 0x00, 0x00, 0x80, 0x42, 0x00, 0x42, 0x05, 0x00, 0x00, 0x00, 0x04, \
-      0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x45, 0x01, \
-      0x00, 0x00, 0x00, 0x68, 0x42, 0x00, 0x43, 0x08, 0x00, 0x00, 0x00, 0x60, \
-      0xff, 0xa8, 0xcc, 0x79, 0xe8, 0xc3, 0x76, 0x3b, 0x01, 0x21, 0xfc, 0xd0, \
-      0x6b, 0xb3, 0x48, 0x8c, 0x8b, 0xf4, 0x2c, 0x07, 0x74, 0x60, 0x46, 0x40, \
-      0x27, 0x9b, 0x16, 0xb2, 0x64, 0x19, 0x40, 0x30, 0xee, 0xb0, 0x83, 0x96, \
-      0x24, 0x1d, 0xef, 0xcc, 0x4d, 0x32, 0xd1, 0x6e, 0xa8, 0x31, 0xad, 0x77, \
-      0x71, 0x38, 0xf0, 0x8e, 0x2f, 0x98, 0x56, 0x64, 0xc0, 0x04, 0xc2, 0x48, \
-      0x5d, 0x6f, 0x49, 0x91, 0xeb, 0x3d, 0x9e, 0xc3, 0x28, 0x02, 0x53, 0x78, \
-      0x36, 0xa9, 0x06, 0x6b, 0x4e, 0x10, 0xae, 0xb5, 0x6a, 0x5c, 0xcf, 0x6a, \
-      0xa4, 0x69, 0x01, 0xe6, 0x25, 0xe3, 0x40, 0x0c, 0x78, 0x11, 0xd2, 0xec
+      0x42, 0x00, 0x91, 0x01, 0x00, 0x00, 0x00, 0x38, 0x42, 0x00, 0x08, 0x01, \
+      0x00, 0x00, 0x00, 0x30, 0x42, 0x00, 0x0a, 0x07, 0x00, 0x00, 0x00, 0x18, \
+      0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x69, \
+      0x63, 0x20, 0x55, 0x73, 0x61, 0x67, 0x65, 0x20, 0x4d, 0x61, 0x73, 0x6b, \
+      0x42, 0x00, 0x0b, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, \
+      0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x85, 0x01, 0x00, 0x00, 0x00, 0x98, \
+      0x42, 0x00, 0x86, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, \
+      0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x40, 0x01, 0x00, 0x00, 0x00, 0x80, \
+      0x42, 0x00, 0x42, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, \
+      0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x45, 0x01, 0x00, 0x00, 0x00, 0x68, \
+      0x42, 0x00, 0x43, 0x08, 0x00, 0x00, 0x00, 0x60, 0xff, 0xa8, 0xcc, 0x79, \
+      0xe8, 0xc3, 0x76, 0x3b, 0x01, 0x21, 0xfc, 0xd0, 0x6b, 0xb3, 0x48, 0x8c, \
+      0x8b, 0xf4, 0x2c, 0x07, 0x74, 0x60, 0x46, 0x40, 0x27, 0x9b, 0x16, 0xb2, \
+      0x64, 0x19, 0x40, 0x30, 0xee, 0xb0, 0x83, 0x96, 0x24, 0x1d, 0xef, 0xcc, \
+      0x4d, 0x32, 0xd1, 0x6e, 0xa8, 0x31, 0xad, 0x77, 0x71, 0x38, 0xf0, 0x8e, \
+      0x2f, 0x98, 0x56, 0x64, 0xc0, 0x04, 0xc2, 0x48, 0x5d, 0x6f, 0x49, 0x91, \
+      0xeb, 0x3d, 0x9e, 0xc3, 0x28, 0x02, 0x53, 0x78, 0x36, 0xa9, 0x06, 0x6b, \
+      0x4e, 0x10, 0xae, 0xb5, 0x6a, 0x5c, 0xcf, 0x6a, 0xa4, 0x69, 0x01, 0xe6, \
+      0x25, 0xe3, 0x40, 0x0c, 0x78, 0x11, 0xd2, 0xec
 
 #define REGISTER_SECRETDATA_SECRETDATA                                        \
    0xff, 0xa8, 0xcc, 0x79, 0xe8, 0xc3, 0x76, 0x3b, 0x01, 0x21, 0xfc, 0xd0,    \
@@ -93,7 +101,6 @@ kms_kmip_request_register_secretdata_test (void)
 void
 kms_kmip_request_register_secretdata_invalid_test (void)
 {
-
    kms_request_t *req;
    uint8_t secret_data[KMS_KMIP_REQUEST_SECRETDATA_LENGTH] = {0};
 

diff --git a/src/mongocrypt-kms-ctx.c b/src/mongocrypt-kms-ctx.c
@@ -1646,7 +1646,7 @@ _mongocrypt_kms_ctx_init_kmip_register (mongocrypt_kms_ctx_t *kms_ctx,
    kms_ctx->req = kms_kmip_request_register_secretdata_new (
       NULL /* reserved */, secretdata, secretdata_len);
 
-   if (!kms_ctx->req) {
+   if (kms_request_get_error (kms_ctx->req)) {
       CLIENT_ERR ("Error creating KMIP register request: %s",
                   kms_request_get_error (kms_ctx->req));
       goto done;
@@ -1687,7 +1687,7 @@ _mongocrypt_kms_ctx_init_kmip_activate (mongocrypt_kms_ctx_t *kms_ctx,
    kms_ctx->req =
       kms_kmip_request_activate_new (NULL /* reserved */, unique_identifier);
 
-   if (!kms_ctx->req) {
+   if (kms_request_get_error (kms_ctx->req)) {
       CLIENT_ERR ("Error creating KMIP activate request: %s",
                   kms_request_get_error (kms_ctx->req));
       goto done;
@@ -1728,7 +1728,7 @@ _mongocrypt_kms_ctx_init_kmip_get (mongocrypt_kms_ctx_t *kms_ctx,
    kms_ctx->req =
       kms_kmip_request_get_new (NULL /* reserved */, unique_identifier);
 
-   if (!kms_ctx->req) {
+   if (kms_request_get_error (kms_ctx->req)) {
       CLIENT_ERR ("Error creating KMIP get request: %s",
                   kms_request_get_error (kms_ctx->req));
       goto done;

diff --git a/test/test-mongocrypt-kms-ctx.c b/test/test-mongocrypt-kms-ctx.c
@@ -34,11 +34,15 @@
   <RequestPayload tag="0x420079" type="Structure">
    <ObjectType tag="0x420057" type="Enumeration" value="7"/>
    <TemplateAttribute tag="0x420091" type="Structure">
+    <Attribute tag="0x420008" type="Structure">
+     <AttributeName tag="0x42000a" type="TextString" value="Cryptographic Usage
+Mask"/> <AttributeValue tag="0x42000b" type="Integer" value="0"/>
+    </Attribute>
    </TemplateAttribute>
    <SecretData tag="0x420085" type="Structure">
     <SecretDataType tag="0x420086" type="Enumeration" value="2"/>
     <KeyBlock tag="0x420040" type="Structure">
-     <KeyFormatType tag="0x420042" type="Enumeration" value="1"/>
+     <KeyFormatType tag="0x420042" type="Enumeration" value="2"/>
      <KeyValue tag="0x420045" type="Structure">
       <KeyMaterial tag="0x420043" type="ByteString"
 value="000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"/>
@@ -50,29 +54,33 @@ value="0000000000000000000000000000000000000000000000000000000000000000000000000
 </RequestMessage>
 */
 static const uint8_t REGISTER_REQUEST[] = {
-   0x42, 0x00, 0x78, 0x01, 0x00, 0x00, 0x01, 0x18, 0x42, 0x00, 0x77, 0x01, 0x00,
+   0x42, 0x00, 0x78, 0x01, 0x00, 0x00, 0x01, 0x50, 0x42, 0x00, 0x77, 0x01, 0x00,
    0x00, 0x00, 0x38, 0x42, 0x00, 0x69, 0x01, 0x00, 0x00, 0x00, 0x20, 0x42, 0x00,
    0x6a, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x00, 0x42, 0x00, 0x6b, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x0d, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00,
    0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x0f, 0x01, 0x00, 0x00,
-   0x00, 0xd0, 0x42, 0x00, 0x5c, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
-   0x03, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x79, 0x01, 0x00, 0x00, 0x00, 0xb8,
+   0x01, 0x08, 0x42, 0x00, 0x5c, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
+   0x03, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x79, 0x01, 0x00, 0x00, 0x00, 0xf0,
    0x42, 0x00, 0x57, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x07, 0x00,
-   0x00, 0x00, 0x00, 0x42, 0x00, 0x91, 0x01, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00,
-   0x85, 0x01, 0x00, 0x00, 0x00, 0x98, 0x42, 0x00, 0x86, 0x05, 0x00, 0x00, 0x00,
-   0x04, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x40, 0x01,
-   0x00, 0x00, 0x00, 0x80, 0x42, 0x00, 0x42, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00,
-   0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x45, 0x01, 0x00, 0x00,
-   0x00, 0x68, 0x42, 0x00, 0x43, 0x08, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00,
-   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+   0x00, 0x00, 0x00, 0x42, 0x00, 0x91, 0x01, 0x00, 0x00, 0x00, 0x38, 0x42, 0x00,
+   0x08, 0x01, 0x00, 0x00, 0x00, 0x30, 0x42, 0x00, 0x0a, 0x07, 0x00, 0x00, 0x00,
+   0x18, 0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x69,
+   0x63, 0x20, 0x55, 0x73, 0x61, 0x67, 0x65, 0x20, 0x4d, 0x61, 0x73, 0x6b, 0x42,
+   0x00, 0x0b, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+   0x00, 0x00, 0x42, 0x00, 0x85, 0x01, 0x00, 0x00, 0x00, 0x98, 0x42, 0x00, 0x86,
+   0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
+   0x42, 0x00, 0x40, 0x01, 0x00, 0x00, 0x00, 0x80, 0x42, 0x00, 0x42, 0x05, 0x00,
+   0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00,
+   0x45, 0x01, 0x00, 0x00, 0x00, 0x68, 0x42, 0x00, 0x43, 0x08, 0x00, 0x00, 0x00,
+   0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-   0x00, 0x00};
+   0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
 
 /*
 <ResponseMessage tag="0x42007b" type="Structure">