Support KMIP as a KMS provider for CSFLE (#813)

Client-side field level encryption can be configured to use
any KMIP-compliant key management server (KMS).

JAVA-4373

Author: jyemin

.evergreen/.evg.yml

@@ -689,6 +689,20 @@ functions:
           cd ${DRIVERS_TOOLS}/.evergreen/csfle
           ./kmstlsvenv/bin/python3 -u kms_http_server.py -v --ca_file ../x509gen/ca.pem --cert_file ../x509gen/${CERT_FILE} --port 8000
 
+  start-kms-kmip-server:
+    - command: shell.exec
+      params:
+        script: |
+          ${PREPARE_SHELL}
+          cd ${DRIVERS_TOOLS}/.evergreen/csfle
+          . ./activate_venv.sh
+    - command: shell.exec
+      params:
+        background: true
+        script: |
+          cd ${DRIVERS_TOOLS}/.evergreen/csfle
+          ./kmstlsvenv/bin/python3 -u kms_kmip_server.py
+
   "run-kms-tls-test":
     - command: shell.exec
       type: test
@@ -807,6 +821,7 @@ tasks:
 
     - name: "test"
       commands:
+        - func: "start-kms-kmip-server"
         - func: "bootstrap mongo-orchestration"
         - func: "run tests"
 
@@ -836,6 +851,7 @@ tasks:
 
     - name: "accept-api-version-2-test"
       commands:
+        - func: "start-kms-kmip-server"
         - func: "bootstrap mongo-orchestration"
           vars:
             ORCHESTRATION_FILE: "versioned-api-testing.json"

.evergreen/run-tests.sh

@@ -47,8 +47,6 @@ RELATIVE_DIR_PATH="$(dirname "${BASH_SOURCE:-$0}")"
 ############################################
 
 provision_ssl () {
-  echo "SSL !"
-
   # We generate the keystore and truststore on every run with the certs in the drivers-tools repo
   if [ ! -f client.pkc ]; then
     openssl pkcs12 -CAfile ${DRIVERS_TOOLS}/.evergreen/x509gen/ca.pem -export -in ${DRIVERS_TOOLS}/.evergreen/x509gen/client.pem -out client.pkc -password pass:bithere
@@ -59,6 +57,9 @@ provision_ssl () {
 
   # We add extra gradle arguments for SSL
   export GRADLE_EXTRA_VARS="-Pssl.enabled=true -Pssl.keyStoreType=pkcs12 -Pssl.keyStore=`pwd`/client.pkc -Pssl.keyStorePassword=bithere -Pssl.trustStoreType=jks -Pssl.trustStore=`pwd`/mongo-truststore -Pssl.trustStorePassword=changeit"
+}
+
+provision_multi_mongos_uri_for_ssl () {
   # Arguments for auth + SSL
   if [ "$AUTH" != "noauth" ] || [ "$TOPOLOGY" == "replica_set" ]; then
     export MONGODB_URI="${MONGODB_URI}&ssl=true&sslInvalidHostNameAllowed=true"
@@ -110,8 +111,11 @@ if [ "$COMPRESSOR" != "" ]; then
      fi
 fi
 
+# Set up keystore/truststore regardless, as they are required for testing KMIP
+provision_ssl
+
 if [ "$SSL" != "nossl" ]; then
-   provision_ssl
+   provision_multi_mongos_uri_for_ssl
 fi
 
 if [ "$SAFE_FOR_MULTI_MONGOS" == "true" ]; then

build.gradle

@@ -47,7 +47,7 @@ ext {
     nettyVersion = '4.1.43.Final'
     snappyVersion = '1.1.4'
     zstdVersion = '1.3.8-3'
-    mongoCryptVersion = '1.2.1'
+    mongoCryptVersion = '1.3.0'
     projectReactorVersion = 'Californium-SR23'
     junitBomVersion = '5.6.2'
     gitVersion = getGitVersion()

driver-core/src/main/com/mongodb/AutoEncryptionSettings.java

@@ -232,7 +232,13 @@ public String getKeyVaultNamespace() {
      * <ul>
      *     <li>email: a String, the service account email to authenticate.</li>
      *     <li>privateKey: a String or byte[], the encoded PKCS#8 encrypted key</li>
-     *     <li>endPoint: optional String, a host with optional port. e.g. "example.com" or "example.com:443".</li>
+     *     <li>endpoint: optional String, a host with optional port. e.g. "example.com" or "example.com:443".</li>
+     * </ul>
+     * <p>
+     * For "kmip", the properties are:
+     * </p>
+     * <ul>
+     *     <li>endpoint: a String, the endpoint as a host with required port. e.g. "example.com:443".</li>
      * </ul>
      * <p>
      * For "local", the properties are:

driver-core/src/main/com/mongodb/ClientEncryptionSettings.java

@@ -166,7 +166,13 @@ public String getKeyVaultNamespace() {
      * <ul>
      *     <li>email: a String, the service account email to authenticate.</li>
      *     <li>privateKey: a String or byte[], the encoded PKCS#8 encrypted key</li>
-     *     <li>endPoint: optional String, a host with optional port. e.g. "example.com" or "example.com:443".</li>
+     *     <li>endpoint: optional String, a host with optional port. e.g. "example.com" or "example.com:443".</li>
+     * </ul>
+     * <p>
+     * For "kmip", the properties are:
+     * </p>
+     * <ul>
+     *     <li>endpoint: a String, the endpoint as a host with required port. e.g. "example.com:443".</li>
      * </ul>
      * <p>
      * For "local", the properties are:

driver-core/src/main/com/mongodb/client/model/vault/DataKeyOptions.java

@@ -100,6 +100,16 @@ public List<String> getKeyAltNames() {
      *   <li>endpoint: an optional String, with the host with optional port. Defaults to "cloudkms.googleapis.com".</li>
      * </ul>
      * <p>
+     * <p>
+     *     If the kmsProvider is "kmip" the master key is required and must contain the following fields:
+     * </p>
+     * <ul>
+     *   <li>keyId: optional String, keyId is the KMIP Unique Identifier to a 96 byte KMIP Secret Data managed object. If keyId is
+     *   omitted, the driver creates a random 96 byte KMIP Secret Data managed object.</li>
+     *   <li>endpoint: a String, the endpoint as a host with required port. e.g. "example.com:443". If endpoint is not provided, it
+     *   defaults to the required endpoint from the KMS providers map.</li>
+     * </ul>
+     * <p>
      * If the kmsProvider is "local" the masterKey is not applicable.
      * </p>
      * @return the master key document