From 231c8bd04b1b4adfb508a8407d5b40d614a1d85a Mon Sep 17 00:00:00 2001 From: Kevin Albertson Date: Wed, 22 Mar 2023 12:56:05 -0400 Subject: [PATCH] MONGOCRYPT-563 add CryptographicUsageMask to Register request (#603) * format kms_kmip_request.c * fix error checks of `kms_kmip_request.*new` On error, the calls return a `kms_request_t*` with an error attached. * add `Cryptographic Usage Mask` attribute to KMIP `Register` request * change `Key Format Type` from `Raw` to `Opaque`. * update comments and test data * fix comment. SecretDataType used is Seed, not Password --- kms-message/src/kms_kmip_request.c | 33 +++++++++++---- kms-message/test/test_kms_kmip_request.c | 51 ++++++++++++++---------- src/mongocrypt-kms-ctx.c | 6 +-- test/test-mongocrypt-kms-ctx.c | 32 +++++++++------ 4 files changed, 78 insertions(+), 44 deletions(-) diff --git a/kms-message/src/kms_kmip_request.c b/kms-message/src/kms_kmip_request.c index 033958019..c59bff7c5 100644 --- a/kms-message/src/kms_kmip_request.c +++ b/kms-message/src/kms_kmip_request.c @@ -23,7 +23,8 @@ #include static void -copy_writer_buffer (kms_request_t *req, kmip_writer_t *writer) { +copy_writer_buffer (kms_request_t *req, kmip_writer_t *writer) +{ const uint8_t *buf; size_t buflen; @@ -54,11 +55,15 @@ kms_kmip_request_register_secretdata_new (void *reserved, + + + - + - + 
@@ -101,15 +106,29 @@ kms_kmip_request_register_secretdata_new (void *reserved, /* 0x07 == SecretData */ kmip_writer_write_enumeration (writer, KMIP_TAG_ObjectType, 0x07); kmip_writer_begin_struct (writer, KMIP_TAG_TemplateAttribute); + // Add required Cryptographic Usage Mask attribute. + { + kmip_writer_begin_struct (writer, KMIP_TAG_Attribute); + const char *cryptographicUsageMaskStr = "Cryptographic Usage Mask"; + kmip_writer_write_string (writer, + KMIP_TAG_AttributeName, + cryptographicUsageMaskStr, + strlen (cryptographicUsageMaskStr)); + // Use 0 because the Secret Data object is not used in cryptographic + // operations on the KMIP server. + kmip_writer_write_integer (writer, KMIP_TAG_AttributeValue, 0); + kmip_writer_close_struct (writer); + } kmip_writer_close_struct (writer); /* KMIP_TAG_TemplateAttribute */ kmip_writer_begin_struct (writer, KMIP_TAG_SecretData); - /* 0x01 = Password */ + /* 0x02 = Seed */ kmip_writer_write_enumeration (writer, KMIP_TAG_SecretDataType, 0x02); kmip_writer_begin_struct (writer, KMIP_TAG_KeyBlock); - /* 0x01 = Raw */ - kmip_writer_write_enumeration (writer, KMIP_TAG_KeyFormatType, 0x01); + /* 0x02 = Opaque */ + kmip_writer_write_enumeration (writer, KMIP_TAG_KeyFormatType, 0x02); kmip_writer_begin_struct (writer, KMIP_TAG_KeyValue); - kmip_writer_write_bytes (writer, KMIP_TAG_KeyMaterial, (const char *) data, len); + kmip_writer_write_bytes ( + writer, KMIP_TAG_KeyMaterial, (const char *) data, len); kmip_writer_close_struct (writer); /* KMIP_TAG_KeyValue */ kmip_writer_close_struct (writer); /* KMIP_TAG_KeyBlock */ kmip_writer_close_struct (writer); /* KMIP_TAG_SecretData */ diff --git a/kms-message/test/test_kms_kmip_request.c b/kms-message/test/test_kms_kmip_request.c index 3ecb13763..05b1fdbe3 100644 --- a/kms-message/test/test_kms_kmip_request.c +++ b/kms-message/test/test_kms_kmip_request.c @@ -13,17 +13,20 @@ - + + + - + - + - 
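Review bot: The new attribute block inside the `KMIP_TAG_TemplateAttribute` struct is written in a style that differs from the rest of this function: the local `cryptographicUsageMaskStr` is camelCase where the file otherwise uses snake_case (`copy_writer_buffer`, `kmip_writer_begin_struct`), and the two new `//` comments sit next to the existing `/* 0x07 == SecretData */` and `/* 0x02 = Seed */` block comments. The enumeration values (`0x07`, `0x02` for Seed, `0x02` for Opaque) and the usage-mask value `0` are also still bare literals explained only by adjacent comments; since the KMIP meaning of each is now fixed by the test vectors, a named constant per value would make the writer calls self-describing and remove the risk of a comment and literal drifting apart. As a minimum I would rename and re-comment the added lines, e.g. `const char *usage_mask_name = "Cryptographic Usage Mask";` and `/* Mask 0: the Secret Data is never used in server-side cryptographic operations. */`. The enclosing function `kms_kmip_request_register_secretdata_new` starts and ends outside this hunk.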
@@ -33,30 +36,35 @@ value="ffa8cc79e8c3763b0121fcd06bb3488c8bf42c0774604640279b16b264194030eeb083962 */ #define REGISTER_SECRETDATA_REQUEST \ - 0x42, 0x00, 0x78, 0x01, 0x00, 0x00, 0x01, 0x18, 0x42, 0x00, 0x77, 0x01, \ + 0x42, 0x00, 0x78, 0x01, 0x00, 0x00, 0x01, 0x50, 0x42, 0x00, 0x77, 0x01, \ 0x00, 0x00, 0x00, 0x38, 0x42, 0x00, 0x69, 0x01, 0x00, 0x00, 0x00, 0x20, \ 0x42, 0x00, 0x6a, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, \ 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x6b, 0x02, 0x00, 0x00, 0x00, 0x04, \ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x0d, 0x02, \ 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, \ - 0x42, 0x00, 0x0f, 0x01, 0x00, 0x00, 0x00, 0xd0, 0x42, 0x00, 0x5c, 0x05, \ + 0x42, 0x00, 0x0f, 0x01, 0x00, 0x00, 0x01, 0x08, 0x42, 0x00, 0x5c, 0x05, \ 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, \ - 0x42, 0x00, 0x79, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x42, 0x00, 0x57, 0x05, \ + 0x42, 0x00, 0x79, 0x01, 0x00, 0x00, 0x00, 0xf0, 0x42, 0x00, 0x57, 0x05, \ 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, \ - 0x42, 0x00, 0x91, 0x01, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x85, 0x01, \ - 0x00, 0x00, 0x00, 0x98, 0x42, 0x00, 0x86, 0x05, 0x00, 0x00, 0x00, 0x04, \ - 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x40, 0x01, \ - 0x00, 0x00, 0x00, 0x80, 0x42, 0x00, 0x42, 0x05, 0x00, 0x00, 0x00, 0x04, \ - 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x45, 0x01, \ - 0x00, 0x00, 0x00, 0x68, 0x42, 0x00, 0x43, 0x08, 0x00, 0x00, 0x00, 0x60, \ - 0xff, 0xa8, 0xcc, 0x79, 0xe8, 0xc3, 0x76, 0x3b, 0x01, 0x21, 0xfc, 0xd0, \ - 0x6b, 0xb3, 0x48, 0x8c, 0x8b, 0xf4, 0x2c, 0x07, 0x74, 0x60, 0x46, 0x40, \ - 0x27, 0x9b, 0x16, 0xb2, 0x64, 0x19, 0x40, 0x30, 0xee, 0xb0, 0x83, 0x96, \ - 0x24, 0x1d, 0xef, 0xcc, 0x4d, 0x32, 0xd1, 0x6e, 0xa8, 0x31, 0xad, 0x77, \ - 0x71, 0x38, 0xf0, 0x8e, 0x2f, 0x98, 0x56, 0x64, 0xc0, 0x04, 0xc2, 0x48, \ - 0x5d, 0x6f, 0x49, 0x91, 0xeb, 0x3d, 0x9e, 
0xc3, 0x28, 0x02, 0x53, 0x78, \ - 0x36, 0xa9, 0x06, 0x6b, 0x4e, 0x10, 0xae, 0xb5, 0x6a, 0x5c, 0xcf, 0x6a, \ - 0xa4, 0x69, 0x01, 0xe6, 0x25, 0xe3, 0x40, 0x0c, 0x78, 0x11, 0xd2, 0xec + 0x42, 0x00, 0x91, 0x01, 0x00, 0x00, 0x00, 0x38, 0x42, 0x00, 0x08, 0x01, \ + 0x00, 0x00, 0x00, 0x30, 0x42, 0x00, 0x0a, 0x07, 0x00, 0x00, 0x00, 0x18, \ + 0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x69, \ + 0x63, 0x20, 0x55, 0x73, 0x61, 0x67, 0x65, 0x20, 0x4d, 0x61, 0x73, 0x6b, \ + 0x42, 0x00, 0x0b, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, \ + 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x85, 0x01, 0x00, 0x00, 0x00, 0x98, \ + 0x42, 0x00, 0x86, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, \ + 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x40, 0x01, 0x00, 0x00, 0x00, 0x80, \ + 0x42, 0x00, 0x42, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, \ + 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x45, 0x01, 0x00, 0x00, 0x00, 0x68, \ + 0x42, 0x00, 0x43, 0x08, 0x00, 0x00, 0x00, 0x60, 0xff, 0xa8, 0xcc, 0x79, \ + 0xe8, 0xc3, 0x76, 0x3b, 0x01, 0x21, 0xfc, 0xd0, 0x6b, 0xb3, 0x48, 0x8c, \ + 0x8b, 0xf4, 0x2c, 0x07, 0x74, 0x60, 0x46, 0x40, 0x27, 0x9b, 0x16, 0xb2, \ + 0x64, 0x19, 0x40, 0x30, 0xee, 0xb0, 0x83, 0x96, 0x24, 0x1d, 0xef, 0xcc, \ + 0x4d, 0x32, 0xd1, 0x6e, 0xa8, 0x31, 0xad, 0x77, 0x71, 0x38, 0xf0, 0x8e, \ + 0x2f, 0x98, 0x56, 0x64, 0xc0, 0x04, 0xc2, 0x48, 0x5d, 0x6f, 0x49, 0x91, \ + 0xeb, 0x3d, 0x9e, 0xc3, 0x28, 0x02, 0x53, 0x78, 0x36, 0xa9, 0x06, 0x6b, \ + 0x4e, 0x10, 0xae, 0xb5, 0x6a, 0x5c, 0xcf, 0x6a, 0xa4, 0x69, 0x01, 0xe6, \ + 0x25, 0xe3, 0x40, 0x0c, 0x78, 0x11, 0xd2, 0xec #define REGISTER_SECRETDATA_SECRETDATA \ 0xff, 0xa8, 0xcc, 0x79, 0xe8, 0xc3, 0x76, 0x3b, 0x01, 0x21, 0xfc, 0xd0, \ @@ -93,7 +101,6 @@ kms_kmip_request_register_secretdata_test (void) void kms_kmip_request_register_secretdata_invalid_test (void) { - kms_request_t *req; uint8_t secret_data[KMS_KMIP_REQUEST_SECRETDATA_LENGTH] = {0}; 
diff --git a/src/mongocrypt-kms-ctx.c b/src/mongocrypt-kms-ctx.c index ed91d7242..8e709ef3f 100644 --- a/src/mongocrypt-kms-ctx.c +++ b/src/mongocrypt-kms-ctx.c @@ -1646,7 +1646,7 @@ _mongocrypt_kms_ctx_init_kmip_register (mongocrypt_kms_ctx_t *kms_ctx, kms_ctx->req = kms_kmip_request_register_secretdata_new ( NULL /* reserved */, secretdata, secretdata_len); - if (!kms_ctx->req) { + if (kms_request_get_error (kms_ctx->req)) { CLIENT_ERR ("Error creating KMIP register request: %s", kms_request_get_error (kms_ctx->req)); goto done; @@ -1687,7 +1687,7 @@ _mongocrypt_kms_ctx_init_kmip_activate (mongocrypt_kms_ctx_t *kms_ctx, kms_ctx->req = kms_kmip_request_activate_new (NULL /* reserved */, unique_identifier); - if (!kms_ctx->req) { + if (kms_request_get_error (kms_ctx->req)) { CLIENT_ERR ("Error creating KMIP activate request: %s", kms_request_get_error (kms_ctx->req)); goto done; @@ -1728,7 +1728,7 @@ _mongocrypt_kms_ctx_init_kmip_get (mongocrypt_kms_ctx_t *kms_ctx, kms_ctx->req = kms_kmip_request_get_new (NULL /* reserved */, unique_identifier); - if (!kms_ctx->req) { + if (kms_request_get_error (kms_ctx->req)) { CLIENT_ERR ("Error creating KMIP get request: %s", kms_request_get_error (kms_ctx->req)); goto done; diff --git a/test/test-mongocrypt-kms-ctx.c b/test/test-mongocrypt-kms-ctx.c index 856572c19..f2de808c7 100644 --- a/test/test-mongocrypt-kms-ctx.c +++ b/test/test-mongocrypt-kms-ctx.c @@ -34,11 +34,15 @@ + + + - + 
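Review bot: The replacement condition `if (kms_request_get_error (kms_ctx->req))` in the register hunk (and identically in the activate hunk at -1687 and the get hunk at -1728) drops the NULL check that the old `if (!kms_ctx->req)` provided, so it now passes `kms_ctx->req` straight into `kms_request_get_error`. The commit message says the `kms_kmip_request_*_new` constructors return a `kms_request_t*` with an error attached on failure, but nothing on this page shows that they can never return NULL (for instance on allocation failure) or that `kms_request_get_error` tolerates a NULL argument, so a NULL return would become a NULL dereference at the point that was meant to report an error. Keeping both checks costs one line, `if (!kms_ctx->req || kms_request_get_error (kms_ctx->req)) {`, though the `CLIENT_ERR` on the next line also calls `kms_request_get_error (kms_ctx->req)` and would need a separate message for the NULL case. The three enclosing `_mongocrypt_kms_ctx_init_kmip_*` functions start and end outside their hunks.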
@@ -50,29 +54,33 @@ value="0000000000000000000000000000000000000000000000000000000000000000000000000 */ static const uint8_t REGISTER_REQUEST[] = { - 0x42, 0x00, 0x78, 0x01, 0x00, 0x00, 0x01, 0x18, 0x42, 0x00, 0x77, 0x01, 0x00, + 0x42, 0x00, 0x78, 0x01, 0x00, 0x00, 0x01, 0x50, 0x42, 0x00, 0x77, 0x01, 0x00, 0x00, 0x00, 0x38, 0x42, 0x00, 0x69, 0x01, 0x00, 0x00, 0x00, 0x20, 0x42, 0x00, 0x6a, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x6b, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x0d, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x0f, 0x01, 0x00, 0x00, - 0x00, 0xd0, 0x42, 0x00, 0x5c, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, - 0x03, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x79, 0x01, 0x00, 0x00, 0x00, 0xb8, + 0x01, 0x08, 0x42, 0x00, 0x5c, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x03, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x79, 0x01, 0x00, 0x00, 0x00, 0xf0, 0x42, 0x00, 0x57, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x07, 0x00, - 0x00, 0x00, 0x00, 0x42, 0x00, 0x91, 0x01, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, - 0x85, 0x01, 0x00, 0x00, 0x00, 0x98, 0x42, 0x00, 0x86, 0x05, 0x00, 0x00, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x40, 0x01, - 0x00, 0x00, 0x00, 0x80, 0x42, 0x00, 0x42, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, - 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x45, 0x01, 0x00, 0x00, - 0x00, 0x68, 0x42, 0x00, 0x43, 0x08, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x42, 0x00, 0x91, 0x01, 0x00, 0x00, 0x00, 0x38, 0x42, 0x00, + 0x08, 0x01, 0x00, 0x00, 0x00, 0x30, 0x42, 0x00, 0x0a, 0x07, 0x00, 0x00, 0x00, + 0x18, 0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x69, + 0x63, 0x20, 0x55, 0x73, 0x61, 0x67, 0x65, 0x20, 0x4d, 0x61, 0x73, 0x6b, 0x42, + 0x00, 0x0b, 0x02, 
0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x42, 0x00, 0x85, 0x01, 0x00, 0x00, 0x00, 0x98, 0x42, 0x00, 0x86, + 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, + 0x42, 0x00, 0x40, 0x01, 0x00, 0x00, 0x00, 0x80, 0x42, 0x00, 0x42, 0x05, 0x00, + 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, + 0x45, 0x01, 0x00, 0x00, 0x00, 0x68, 0x42, 0x00, 0x43, 0x08, 0x00, 0x00, 0x00, + 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00}; + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; /*