- Type: Task
- Resolution: Fixed
- Priority: Unknown
- Affects Version/s: None
- Component/s: None
Implement the parsing and decryption of the new FLE2EqualityIndexedValueV2 payload format in libmongocrypt. This is similar to the server-side work done in SERVER-72908.
libmongocrypt handles the parsing and decryption of indexed encrypted values (IEVs) in the _replace_FLE2IndexedEncryptedValue_with_plaintext() function. This, in turn, calls the following functions that parse and decrypt the payload:
- mc_FLE2IndexedEncryptedValue_parse() - deserializes the payload
- mc_FLE2IndexedEncryptedValue_add_S_Key() - decrypts the server-encrypted ciphertext
- mc_FLE2IndexedEqualityEncryptedValue_add_K_Key() - decrypts the client-encrypted ciphertext
To handle the V2 payload formats, the above functions will have to be changed to handle the new wire format. Specifically:
- For v2 equality payloads, mc_FLE2IndexedEncryptedValue_parse() will read the S_Key, original BSON type, and the InnerEncrypted blob; however, it must fail if the remainder of the buffer is shorter than one serialized FLE2TagAndEncryptedMetadataBlock.
- For v2 ranged payloads, mc_FLE2IndexedEncryptedValue_parse() will read the S_Key, original BSON type, edge count, and the InnerEncrypted blob; it must also fail if the remainder of the buffer is shorter than the size of a serialized FLE2TagAndEncryptedMetadataBlock times the edge count.
- In mc_FLE2IndexedEncryptedValue_add_S_Key(), the logic that parses the counter and the esc/ecc/ecocTokens from the decrypted blob should be removed (that logic is in mc_FLE2IndexedEncryptedValue_decrypt()).
- In mc_FLE2IndexedEqualityEncryptedValue_add_K_Key(), the decryption of the client-encrypted data will have to use CBC instead of CTR.
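The length checks from the first two bullets, as an added sketch that is not libmongocrypt's own code. The field widths, the 96-byte metadata block size, the placement of the metadata blocks at the tail of the buffer, and every name below are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed sizes (not stated in the ticket): 16-byte S_Key UUID, 1-byte BSON
 * type, 1-byte edge count, 96-byte FLE2TagAndEncryptedMetadataBlock. */
#define KEY_ID_LEN 16u
#define META_BLOCK_LEN 96u

typedef struct {
    const uint8_t *s_key_id; /* KEY_ID_LEN bytes, points into the input */
    uint8_t bson_type;       /* original BSON type */
    uint8_t edge_count;      /* fixed at 1 for equality payloads */
    const uint8_t *inner;    /* InnerEncrypted blob */
    size_t inner_len;
    const uint8_t *metadata; /* edge_count * META_BLOCK_LEN bytes */
} iev_v2_t;

/* Hypothetical helper. `buf` starts just after the blob-subtype byte.
 * Returns 0 on success, -1 if the buffer is too short for the format. */
int iev_v2_parse(const uint8_t *buf, size_t len, bool is_range, iev_v2_t *out)
{
    size_t off = 0;
    size_t header = KEY_ID_LEN + 1u + (is_range ? 1u : 0u);

    if (buf == NULL || out == NULL || len < header) {
        return -1;
    }
    out->s_key_id = buf;
    off += KEY_ID_LEN;
    out->bson_type = buf[off++];
    out->edge_count = is_range ? buf[off++] : 1u;

    /* The remainder must hold one metadata block per edge. A uint8_t
     * count times 96 cannot overflow size_t. */
    size_t meta_total = (size_t)out->edge_count * META_BLOCK_LEN;
    size_t remainder = len - off;
    if (remainder < meta_total) {
        return -1;
    }
    /* Whatever precedes the metadata blocks is the InnerEncrypted blob. */
    out->inner_len = remainder - meta_total;
    out->inner = buf + off;
    out->metadata = out->inner + out->inner_len;
    return 0;
}
```

On failure the contents of `out` are unspecified; callers should use it only after a return value of 0.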
- depends on: MONGOCRYPT-541 Define the QE v2 payload types in mc-fle-blob-subtype-private.h (Closed)
- is depended on by: SERVER-73851 Refactor FLEClientCrypto::decryptDocument() once v2 payloads are fully supported in libmongocrypt (Closed)