Uploaded image for project: 'Libmongocrypt'
  1. Libmongocrypt
  2. MONGOCRYPT-530

Implement parsing and decryption of v2 indexed equality values

    • Type: Icon: Task Task
    • Resolution: Fixed
    • Priority: Icon: Unknown Unknown
    • 1.8.0, 1.8.0-alpha0
    • Affects Version/s: None
    • Component/s: None
    • None

      Implement the parsing and decryption of the new FLE2EqualityIndexedValueV2 payload format in libmongocrypt. This is similar to the server-side work done in SERVER-72908.

      libmongocrypt handles the parsing and decryption of indexed encrypted values (IEVs) in the _replace_FLE2IndexedEncryptedValue_with_plaintext() function.  This, in turn, calls the following functions that parse & decrypt the payload:

      • mc_FLE2IndexedEncryptedValue_parse() - deserializes the payload
      • mc_FLE2IndexedEncryptedValue_add_S_Key() - decrypts the server-encrypted ciphertext
      • mc_FLE2IndexedEqualityEncryptedValue_add_K_Key() - decrypts the client-encrypted ciphertext

      To handle the V2 payload formats, the above functions will have to be changed to handle the new wire format. Specifically:

      • for v2 equality payloads, mc_FLE2IndexedEncryptedValue_parse() will read the S_Key, original BSON type, and the InnerEncrypted blob; however, it must fail if the remainder of the buffer is shorter than one serialized FLE2TagAndEncryptedMetadataBlock.
      • for v2 ranged payloads, mc_FLE2IndexedEncryptedValue_parse() will read the S_Key, original BSON type, edge count, and the InnerEncrypted blob; it must also fail if the remainder of the buffer is shorter than the size of a serialized FLE2TagAndEncryptedMetadataBlock times the edge count.
      • In mc_FLE2IndexedEncryptedValue_add_S_Key(), the logic that parses the counter and the esc/ecc/ecocTokens from the decrypted blob should be removed (the specific function is mc_FLE2IndexedEncryptedValue_decrypt()).
      • In mc_FLE2IndexedEqualityEncryptedValue_add_K_Key(), the decryption of the client-encrypted data will have to use CBC, instead of CTR.

            Assignee:
            sara.golemon@mongodb.com Sara Golemon
            Reporter:
            erwin.pe@mongodb.com Erwin Pe
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: