libmongocrypt-helper 1.8.0.0.1001 → 1.11.0.0.1001

data/ext/libmongocrypt/libmongocrypt/src/mongocrypt-kms-ctx.c

@@ -14,10 +14,14 @@
  * limitations under the License.
  */
 
+#include "kms_message/kms_kmip_request.h"
 #include "mongocrypt-binary-private.h"
 #include "mongocrypt-buffer-private.h"
+#include "mongocrypt-crypto-private.h"
 #include "mongocrypt-ctx-private.h"
+#include "mongocrypt-endpoint-private.h"
 #include "mongocrypt-kms-ctx-private.h"
+#include "mongocrypt-log-private.h"
 #include "mongocrypt-opts-private.h"
 #include "mongocrypt-private.h"
 #include "mongocrypt-status-private.h"
@@ -118,11 +122,16 @@ _set_kms_crypto_hooks(_mongocrypt_crypto_t *crypto, ctx_with_status_t *ctx_with_
 
 static bool is_kms(_kms_request_type_t kms_type) {
     return kms_type == MONGOCRYPT_KMS_KMIP_REGISTER || kms_type == MONGOCRYPT_KMS_KMIP_ACTIVATE
-        || kms_type == MONGOCRYPT_KMS_KMIP_GET;
+        || kms_type == MONGOCRYPT_KMS_KMIP_GET || kms_type == MONGOCRYPT_KMS_KMIP_ENCRYPT
+        || kms_type == MONGOCRYPT_KMS_KMIP_DECRYPT || kms_type == MONGOCRYPT_KMS_KMIP_CREATE;
 }
 
-static void _init_common(mongocrypt_kms_ctx_t *kms, _mongocrypt_log_t *log, _kms_request_type_t kms_type) {
+static void
+_init_common(mongocrypt_kms_ctx_t *kms, _mongocrypt_log_t *log, _kms_request_type_t kms_type, const char *kmsid) {
     BSON_ASSERT_PARAM(kms);
+    BSON_ASSERT_PARAM(kmsid);
+
+    kms->kmsid = bson_strdup(kmsid);
 
     if (is_kms(kms_type)) {
         kms->parser = kms_kmip_response_parser_new(NULL /* reserved */);
@@ -138,8 +147,9 @@ static void _init_common(mongocrypt_kms_ctx_t *kms, _mongocrypt_log_t *log, _kms
 bool _mongocrypt_kms_ctx_init_aws_decrypt(mongocrypt_kms_ctx_t *kms,
                                           _mongocrypt_opts_kms_providers_t *kms_providers,
                                           _mongocrypt_key_doc_t *key,
-                                          _mongocrypt_log_t *log,
-                                          _mongocrypt_crypto_t *crypto) {
+                                          _mongocrypt_crypto_t *crypto,
+                                          const char *kmsid,
+                                          _mongocrypt_log_t *log) {
     BSON_ASSERT_PARAM(kms);
     BSON_ASSERT_PARAM(key);
     BSON_ASSERT_PARAM(kms_providers);
@@ -150,7 +160,7 @@ bool _mongocrypt_kms_ctx_init_aws_decrypt(mongocrypt_kms_ctx_t *kms,
     ctx_with_status_t ctx_with_status;
     bool ret = false;
 
-    _init_common(kms, log, MONGOCRYPT_KMS_AWS_DECRYPT);
+    _init_common(kms, log, MONGOCRYPT_KMS_AWS_DECRYPT, kmsid);
     status = kms->status;
     ctx_with_status.ctx = crypto;
     ctx_with_status.status = mongocrypt_status_new();
@@ -170,17 +180,19 @@ bool _mongocrypt_kms_ctx_init_aws_decrypt(mongocrypt_kms_ctx_t *kms,
         goto done;
     }
 
-    if (0 == (kms_providers->configured_providers & MONGOCRYPT_KMS_PROVIDER_AWS)) {
-        CLIENT_ERR("aws kms not configured");
+    mc_kms_creds_t kc;
+    if (!_mongocrypt_opts_kms_providers_lookup(kms_providers, key->kek.kmsid, &kc)) {
+        CLIENT_ERR("KMS provider `%s` is not configured", key->kek.kmsid);
         goto done;
     }
+    BSON_ASSERT(kc.type == MONGOCRYPT_KMS_PROVIDER_AWS);
 
-    if (!kms_providers->aws.access_key_id) {
+    if (!kc.value.aws.access_key_id) {
         CLIENT_ERR("aws access key id not provided");
         goto done;
     }
 
-    if (!kms_providers->aws.secret_access_key) {
+    if (!kc.value.aws.secret_access_key) {
         CLIENT_ERR("aws secret access key not provided");
         goto done;
     }
@@ -201,8 +213,8 @@ bool _mongocrypt_kms_ctx_init_aws_decrypt(mongocrypt_kms_ctx_t *kms,
         goto done;
     }
 
-    if (kms_providers->aws.session_token) {
-        if (!kms_request_add_header_field(kms->req, "X-Amz-Security-Token", kms_providers->aws.session_token)) {
+    if (kc.value.aws.session_token) {
+        if (!kms_request_add_header_field(kms->req, "X-Amz-Security-Token", kc.value.aws.session_token)) {
             CLIENT_ERR("failed to set session token: %s", kms_request_get_error(kms->req));
             _mongocrypt_status_append(status, ctx_with_status.status);
             goto done;
@@ -230,12 +242,12 @@ bool _mongocrypt_kms_ctx_init_aws_decrypt(mongocrypt_kms_ctx_t *kms,
         goto done;
     }
 
-    if (!kms_request_set_access_key_id(kms->req, kms_providers->aws.access_key_id)) {
+    if (!kms_request_set_access_key_id(kms->req, kc.value.aws.access_key_id)) {
         CLIENT_ERR("failed to set aws access key id: %s", kms_request_get_error(kms->req));
         _mongocrypt_status_append(status, ctx_with_status.status);
         goto done;
     }
-    if (!kms_request_set_secret_key(kms->req, kms_providers->aws.secret_access_key)) {
+    if (!kms_request_set_secret_key(kms->req, kc.value.aws.secret_access_key)) {
         CLIENT_ERR("failed to set aws secret access key: %s", kms_request_get_error(kms->req));
         _mongocrypt_status_append(status, ctx_with_status.status);
         goto done;
@@ -270,8 +282,9 @@ bool _mongocrypt_kms_ctx_init_aws_encrypt(mongocrypt_kms_ctx_t *kms,
                                           _mongocrypt_opts_kms_providers_t *kms_providers,
                                           _mongocrypt_ctx_opts_t *ctx_opts,
                                           _mongocrypt_buffer_t *plaintext_key_material,
-                                          _mongocrypt_log_t *log,
-                                          _mongocrypt_crypto_t *crypto) {
+                                          _mongocrypt_crypto_t *crypto,
+                                          const char *kmsid,
+                                          _mongocrypt_log_t *log) {
     BSON_ASSERT_PARAM(kms);
     BSON_ASSERT_PARAM(ctx_opts);
     BSON_ASSERT_PARAM(kms_providers);
@@ -283,7 +296,7 @@ bool _mongocrypt_kms_ctx_init_aws_encrypt(mongocrypt_kms_ctx_t *kms,
     ctx_with_status_t ctx_with_status;
     bool ret = false;
 
-    _init_common(kms, log, MONGOCRYPT_KMS_AWS_ENCRYPT);
+    _init_common(kms, log, MONGOCRYPT_KMS_AWS_ENCRYPT, kmsid);
     status = kms->status;
     ctx_with_status.ctx = crypto;
     ctx_with_status.status = mongocrypt_status_new();
@@ -303,17 +316,19 @@ bool _mongocrypt_kms_ctx_init_aws_encrypt(mongocrypt_kms_ctx_t *kms,
         goto done;
     }
 
-    if (0 == (kms_providers->configured_providers & MONGOCRYPT_KMS_PROVIDER_AWS)) {
-        CLIENT_ERR("aws kms not configured");
+    mc_kms_creds_t kc;
+    if (!_mongocrypt_opts_kms_providers_lookup(kms_providers, ctx_opts->kek.kmsid, &kc)) {
+        CLIENT_ERR("KMS provider `%s` is not configured", ctx_opts->kek.kmsid);
         goto done;
     }
+    BSON_ASSERT(kc.type == MONGOCRYPT_KMS_PROVIDER_AWS);
 
-    if (!kms_providers->aws.access_key_id) {
+    if (!kc.value.aws.access_key_id) {
         CLIENT_ERR("aws access key id not provided");
         goto done;
     }
 
-    if (!kms_providers->aws.secret_access_key) {
+    if (!kc.value.aws.secret_access_key) {
         CLIENT_ERR("aws secret access key not provided");
         goto done;
     }
@@ -337,8 +352,8 @@ bool _mongocrypt_kms_ctx_init_aws_encrypt(mongocrypt_kms_ctx_t *kms,
         goto done;
     }
 
-    if (kms_providers->aws.session_token) {
-        if (!kms_request_add_header_field(kms->req, "X-Amz-Security-Token", kms_providers->aws.session_token)) {
+    if (kc.value.aws.session_token) {
+        if (!kms_request_add_header_field(kms->req, "X-Amz-Security-Token", kc.value.aws.session_token)) {
             CLIENT_ERR("failed to set session token: %s", kms_request_get_error(kms->req));
             _mongocrypt_status_append(status, ctx_with_status.status);
             goto done;
@@ -366,12 +381,12 @@ bool _mongocrypt_kms_ctx_init_aws_encrypt(mongocrypt_kms_ctx_t *kms,
         goto done;
     }
 
-    if (!kms_request_set_access_key_id(kms->req, kms_providers->aws.access_key_id)) {
+    if (!kms_request_set_access_key_id(kms->req, kc.value.aws.access_key_id)) {
         CLIENT_ERR("failed to set aws access key id: %s", kms_request_get_error(kms->req));
         _mongocrypt_status_append(status, ctx_with_status.status);
         goto done;
     }
-    if (!kms_request_set_secret_key(kms->req, kms_providers->aws.secret_access_key)) {
+    if (!kms_request_set_secret_key(kms->req, kc.value.aws.secret_access_key)) {
         CLIENT_ERR("failed to set aws secret access key: %s", kms_request_get_error(kms->req));
         _mongocrypt_status_append(status, ctx_with_status.status);
         goto done;
@@ -464,6 +479,10 @@ static bool _ctx_done_aws(mongocrypt_kms_ctx_t *kms, const char *json_field) {
     /* Parse out the {en|de}crypted result. */
     http_status = kms_response_parser_status(kms->parser);
     response = kms_response_parser_get_response(kms->parser);
+    if (!response) {
+        CLIENT_ERR("Failed to get response from parser: %s", kms_response_parser_error(kms->parser));
+        goto fail;
+    }
     body = kms_response_get_body(response, &body_len);
 
     if (http_status != 200) {
@@ -541,6 +560,10 @@ static bool _ctx_done_oauth(mongocrypt_kms_ctx_t *kms) {
     /* Parse out the oauth token result (or error). */
     http_status = kms_response_parser_status(kms->parser);
     response = kms_response_parser_get_response(kms->parser);
+    if (!response) {
+        CLIENT_ERR("Failed to get response from parser: %s", kms_response_parser_error(kms->parser));
+        goto fail;
+    }
     body = kms_response_get_body(response, &body_len);
 
     if (body_len == 0) {
@@ -614,6 +637,10 @@ static bool _ctx_done_azure_wrapkey_unwrapkey(mongocrypt_kms_ctx_t *kms) {
     /* Parse out the oauth token result (or error). */
     http_status = kms_response_parser_status(kms->parser);
     response = kms_response_parser_get_response(kms->parser);
+    if (!response) {
+        CLIENT_ERR("Failed to get response from parser: %s", kms_response_parser_error(kms->parser));
+        goto fail;
+    }
     body = kms_response_get_body(response, &body_len);
 
     if (body_len == 0) {
@@ -704,6 +731,10 @@ static bool _ctx_done_gcp(mongocrypt_kms_ctx_t *kms, const char *json_field) {
     /* Parse out the {en|de}crypted result. */
     http_status = kms_response_parser_status(kms->parser);
     response = kms_response_parser_get_response(kms->parser);
+    if (!response) {
+        CLIENT_ERR("Failed to get response from parser: %s", kms_response_parser_error(kms->parser));
+        goto fail;
+    }
     body = kms_response_get_body(response, &body_len);
 
     if (http_status != 200) {
@@ -826,6 +857,144 @@ done:
     return ret;
 }
 
+static bool _ctx_done_kmip_create(mongocrypt_kms_ctx_t *kms_ctx) {
+    BSON_ASSERT_PARAM(kms_ctx);
+
+    kms_response_t *res = NULL;
+
+    mongocrypt_status_t *status = kms_ctx->status;
+    bool ret = false;
+    char *uid;
+
+    res = kms_response_parser_get_response(kms_ctx->parser);
+    if (!res) {
+        CLIENT_ERR("Error getting KMIP response: %s", kms_response_parser_error(kms_ctx->parser));
+        goto done;
+    }
+
+    uid = kms_kmip_response_get_unique_identifier(res);
+    if (!uid) {
+        CLIENT_ERR("Error getting UniqueIdentifer from KMIP Create response: %s", kms_response_get_error(res));
+        goto done;
+    }
+
+    if (!_mongocrypt_buffer_steal_from_string(&kms_ctx->result, uid)) {
+        CLIENT_ERR("Error storing KMS UniqueIdentifer result");
+        bson_free(uid);
+        goto done;
+    }
+    ret = true;
+
+done:
+    kms_response_destroy(res);
+    return ret;
+}
+
+static bool _ctx_done_kmip_encrypt(mongocrypt_kms_ctx_t *kms_ctx) {
+    BSON_ASSERT_PARAM(kms_ctx);
+
+    kms_response_t *res = NULL;
+
+    mongocrypt_status_t *status = kms_ctx->status;
+    bool ret = false;
+    uint8_t *ciphertext;
+    size_t ciphertext_len;
+    uint8_t *iv;
+    size_t iv_len;
+    _mongocrypt_buffer_t data_buf, iv_buf;
+    _mongocrypt_buffer_init(&data_buf);
+    _mongocrypt_buffer_init(&iv_buf);
+
+    res = kms_response_parser_get_response(kms_ctx->parser);
+    if (!res) {
+        CLIENT_ERR("Error getting KMIP response: %s", kms_response_parser_error(kms_ctx->parser));
+        goto done;
+    }
+
+    ciphertext = kms_kmip_response_get_data(res, &ciphertext_len);
+    if (!ciphertext) {
+        CLIENT_ERR("Error getting data from KMIP Encrypt response: %s", kms_response_get_error(res));
+        goto done;
+    }
+
+    iv = kms_kmip_response_get_iv(res, &iv_len);
+    if (!iv) {
+        CLIENT_ERR("Error getting IV from KMIP Encrypt response: %s", kms_response_get_error(res));
+        bson_free(ciphertext);
+        goto done;
+    }
+
+    if (iv_len != MONGOCRYPT_IV_LEN) {
+        CLIENT_ERR("KMIP IV response has unexpected length: %zu", iv_len);
+        bson_free(ciphertext);
+        bson_free(iv);
+        goto done;
+    }
+
+    if (!_mongocrypt_buffer_steal_from_data_and_size(&data_buf, ciphertext, ciphertext_len)) {
+        CLIENT_ERR("Error storing KMS Encrypt result");
+        bson_free(ciphertext);
+        bson_free(iv);
+        goto done;
+    }
+
+    if (!_mongocrypt_buffer_steal_from_data_and_size(&iv_buf, iv, iv_len)) {
+        CLIENT_ERR("Error storing KMS Encrypt IV");
+        bson_free(ciphertext);
+        bson_free(iv);
+        goto done;
+    }
+
+    const _mongocrypt_buffer_t results_buf[2] = {iv_buf, data_buf};
+    if (!_mongocrypt_buffer_concat(&kms_ctx->result, results_buf, 2)) {
+        CLIENT_ERR("Error concatenating IV and ciphertext");
+        goto done;
+    }
+
+    ret = true;
+
+done:
+    kms_response_destroy(res);
+    _mongocrypt_buffer_cleanup(&iv_buf);
+    _mongocrypt_buffer_cleanup(&data_buf);
+    return ret;
+}
+
+static bool _ctx_done_kmip_decrypt(mongocrypt_kms_ctx_t *kms_ctx) {
+    BSON_ASSERT_PARAM(kms_ctx);
+
+    kms_response_t *res = NULL;
+
+    mongocrypt_status_t *status = kms_ctx->status;
+    bool ret = false;
+    uint8_t *ciphertext;
+    size_t ciphertext_len;
+
+    res = kms_response_parser_get_response(kms_ctx->parser);
+    if (!res) {
+        CLIENT_ERR("Error getting KMIP response: %s", kms_response_parser_error(kms_ctx->parser));
+        goto done;
+    }
+
+    ciphertext = kms_kmip_response_get_data(res, &ciphertext_len);
+    if (!ciphertext) {
+        CLIENT_ERR("Error getting data from KMIP Decrypt response: %s", kms_response_get_error(res));
+        goto done;
+    }
+
+    if (!_mongocrypt_buffer_steal_from_data_and_size(&kms_ctx->result, ciphertext, ciphertext_len)) {
+        CLIENT_ERR("Error storing KMS Decrypt result");
+        bson_free(ciphertext);
+        goto done;
+    }
+
+    ret = true;
+
+done:
+    kms_response_destroy(res);
+    return ret;
+}
+
 bool mongocrypt_kms_ctx_feed(mongocrypt_kms_ctx_t *kms, mongocrypt_binary_t *bytes) {
     if (!kms) {
         return false;
@@ -889,6 +1058,9 @@ bool mongocrypt_kms_ctx_feed(mongocrypt_kms_ctx_t *kms, mongocrypt_binary_t *byt
         case MONGOCRYPT_KMS_KMIP_REGISTER: return _ctx_done_kmip_register(kms);
         case MONGOCRYPT_KMS_KMIP_ACTIVATE: return _ctx_done_kmip_activate(kms);
         case MONGOCRYPT_KMS_KMIP_GET: return _ctx_done_kmip_get(kms);
+        case MONGOCRYPT_KMS_KMIP_ENCRYPT: return _ctx_done_kmip_encrypt(kms);
+        case MONGOCRYPT_KMS_KMIP_DECRYPT: return _ctx_done_kmip_decrypt(kms);
+        case MONGOCRYPT_KMS_KMIP_CREATE: return _ctx_done_kmip_create(kms);
         }
     }
     return true;
@@ -948,6 +1120,7 @@ void _mongocrypt_kms_ctx_cleanup(mongocrypt_kms_ctx_t *kms) {
     _mongocrypt_buffer_cleanup(&kms->msg);
     _mongocrypt_buffer_cleanup(&kms->result);
     bson_free(kms->endpoint);
+    bson_free(kms->kmsid);
 }
 
 bool mongocrypt_kms_ctx_message(mongocrypt_kms_ctx_t *kms, mongocrypt_binary_t *msg) {
@@ -979,24 +1152,27 @@ bool mongocrypt_kms_ctx_endpoint(mongocrypt_kms_ctx_t *kms, const char **endpoin
 }
 
 bool _mongocrypt_kms_ctx_init_azure_auth(mongocrypt_kms_ctx_t *kms,
-                                         _mongocrypt_log_t *log,
-                                         _mongocrypt_opts_kms_providers_t *kms_providers,
-                                         _mongocrypt_endpoint_t *key_vault_endpoint) {
+                                         const mc_kms_creds_t *kc,
+                                         _mongocrypt_endpoint_t *key_vault_endpoint,
+                                         const char *kmsid,
+                                         _mongocrypt_log_t *log) {
     BSON_ASSERT_PARAM(kms);
-    BSON_ASSERT_PARAM(kms_providers);
+    BSON_ASSERT_PARAM(kc);
 
     kms_request_opt_t *opt = NULL;
     mongocrypt_status_t *status;
-    _mongocrypt_endpoint_t *identity_platform_endpoint;
+    const _mongocrypt_endpoint_t *identity_platform_endpoint;
     char *scope = NULL;
     const char *hostname;
     char *request_string;
     bool ret = false;
 
-    _init_common(kms, log, MONGOCRYPT_KMS_AZURE_OAUTH);
+    _init_common(kms, log, MONGOCRYPT_KMS_AZURE_OAUTH, kmsid);
     status = kms->status;
 
-    identity_platform_endpoint = kms_providers->azure.identity_platform_endpoint;
+    BSON_ASSERT(kc->type == MONGOCRYPT_KMS_PROVIDER_AZURE);
+
+    identity_platform_endpoint = kc->value.azure.identity_platform_endpoint;
 
     if (identity_platform_endpoint) {
         kms->endpoint = bson_strdup(identity_platform_endpoint->host_and_port);
@@ -1022,9 +1198,9 @@ bool _mongocrypt_kms_ctx_init_azure_auth(mongocrypt_kms_ctx_t *kms,
     kms_request_opt_set_provider(opt, KMS_REQUEST_PROVIDER_AZURE);
     kms->req = kms_azure_request_oauth_new(hostname,
                                            scope,
-                                           kms_providers->azure.tenant_id,
-                                           kms_providers->azure.client_id,
-                                           kms_providers->azure.client_secret,
+                                           kc->value.azure.tenant_id,
+                                           kc->value.azure.client_id,
+                                           kc->value.azure.client_secret,
                                            opt);
     if (kms_request_get_error(kms->req)) {
         CLIENT_ERR("error constructing KMS message: %s", kms_request_get_error(kms->req));
@@ -1049,11 +1225,12 @@ fail:
 }
 
 bool _mongocrypt_kms_ctx_init_azure_wrapkey(mongocrypt_kms_ctx_t *kms,
-                                            _mongocrypt_log_t *log,
                                             _mongocrypt_opts_kms_providers_t *kms_providers,
                                             struct __mongocrypt_ctx_opts_t *ctx_opts,
                                             const char *access_token,
-                                            _mongocrypt_buffer_t *plaintext_key_material) {
+                                            _mongocrypt_buffer_t *plaintext_key_material,
+                                            const char *kmsid,
+                                            _mongocrypt_log_t *log) {
     BSON_ASSERT_PARAM(kms);
     BSON_ASSERT_PARAM(ctx_opts);
     BSON_ASSERT_PARAM(plaintext_key_material);
@@ -1066,7 +1243,7 @@ bool _mongocrypt_kms_ctx_init_azure_wrapkey(mongocrypt_kms_ctx_t *kms,
     char *request_string;
     bool ret = false;
 
-    _init_common(kms, log, MONGOCRYPT_KMS_AZURE_WRAPKEY);
+    _init_common(kms, log, MONGOCRYPT_KMS_AZURE_WRAPKEY, kmsid);
     status = kms->status;
 
     BSON_ASSERT(ctx_opts->kek.provider.azure.key_vault_endpoint);
@@ -1114,6 +1291,7 @@ bool _mongocrypt_kms_ctx_init_azure_unwrapkey(mongocrypt_kms_ctx_t *kms,
                                               _mongocrypt_opts_kms_providers_t *kms_providers,
                                               const char *access_token,
                                               _mongocrypt_key_doc_t *key,
+                                              const char *kmsid,
                                               _mongocrypt_log_t *log) {
     BSON_ASSERT_PARAM(kms);
     BSON_ASSERT_PARAM(key);
@@ -1126,7 +1304,7 @@ bool _mongocrypt_kms_ctx_init_azure_unwrapkey(mongocrypt_kms_ctx_t *kms,
     char *request_string;
     bool ret = false;
 
-    _init_common(kms, log, MONGOCRYPT_KMS_AZURE_UNWRAPKEY);
+    _init_common(kms, log, MONGOCRYPT_KMS_AZURE_UNWRAPKEY, kmsid);
     status = kms->status;
 
     BSON_ASSERT(key->kek.provider.azure.key_vault_endpoint);
@@ -1212,17 +1390,18 @@ static bool _sign_rsaes_pkcs1_v1_5_trampoline(void *ctx,
 }
 
 bool _mongocrypt_kms_ctx_init_gcp_auth(mongocrypt_kms_ctx_t *kms,
-                                       _mongocrypt_log_t *log,
                                        _mongocrypt_opts_t *crypt_opts,
-                                       _mongocrypt_opts_kms_providers_t *kms_providers,
-                                       _mongocrypt_endpoint_t *kms_endpoint) {
+                                       const mc_kms_creds_t *kc,
+                                       _mongocrypt_endpoint_t *kms_endpoint,
+                                       const char *kmsid,
+                                       _mongocrypt_log_t *log) {
     BSON_ASSERT_PARAM(kms);
-    BSON_ASSERT_PARAM(kms_providers);
+    BSON_ASSERT_PARAM(kc);
     BSON_ASSERT_PARAM(crypt_opts);
 
     kms_request_opt_t *opt = NULL;
     mongocrypt_status_t *status;
-    _mongocrypt_endpoint_t *auth_endpoint;
+    const _mongocrypt_endpoint_t *auth_endpoint;
     char *scope = NULL;
     char *audience = NULL;
     const char *hostname;
@@ -1230,12 +1409,14 @@ bool _mongocrypt_kms_ctx_init_gcp_auth(mongocrypt_kms_ctx_t *kms,
     bool ret = false;
     ctx_with_status_t ctx_with_status;
 
-    _init_common(kms, log, MONGOCRYPT_KMS_GCP_OAUTH);
+    _init_common(kms, log, MONGOCRYPT_KMS_GCP_OAUTH, kmsid);
     status = kms->status;
     ctx_with_status.ctx = crypt_opts;
     ctx_with_status.status = mongocrypt_status_new();
 
-    auth_endpoint = kms_providers->gcp.endpoint;
+    BSON_ASSERT(kc->type == MONGOCRYPT_KMS_PROVIDER_GCP);
+
+    auth_endpoint = kc->value.gcp.endpoint;
     if (auth_endpoint) {
         kms->endpoint = bson_strdup(auth_endpoint->host_and_port);
         hostname = auth_endpoint->host;
@@ -1262,11 +1443,11 @@ bool _mongocrypt_kms_ctx_init_gcp_auth(mongocrypt_kms_ctx_t *kms,
         kms_request_opt_set_crypto_hook_sign_rsaes_pkcs1_v1_5(opt, _sign_rsaes_pkcs1_v1_5_trampoline, &ctx_with_status);
     }
     kms->req = kms_gcp_request_oauth_new(hostname,
-                                         kms_providers->gcp.email,
+                                         kc->value.gcp.email,
                                          audience,
                                          scope,
-                                         (const char *)kms_providers->gcp.private_key.data,
-                                         kms_providers->gcp.private_key.len,
+                                         (const char *)kc->value.gcp.private_key.data,
+                                         kc->value.gcp.private_key.len,
                                          opt);
     if (kms_request_get_error(kms->req)) {
         CLIENT_ERR("error constructing KMS message: %s", kms_request_get_error(kms->req));
@@ -1295,11 +1476,12 @@ fail:
 }
 
 bool _mongocrypt_kms_ctx_init_gcp_encrypt(mongocrypt_kms_ctx_t *kms,
-                                          _mongocrypt_log_t *log,
                                           _mongocrypt_opts_kms_providers_t *kms_providers,
                                           struct __mongocrypt_ctx_opts_t *ctx_opts,
                                           const char *access_token,
-                                          _mongocrypt_buffer_t *plaintext_key_material) {
+                                          _mongocrypt_buffer_t *plaintext_key_material,
+                                          const char *kmsid,
+                                          _mongocrypt_log_t *log) {
     BSON_ASSERT_PARAM(kms);
     BSON_ASSERT_PARAM(ctx_opts);
     BSON_ASSERT_PARAM(kms_providers);
@@ -1314,7 +1496,7 @@ bool _mongocrypt_kms_ctx_init_gcp_encrypt(mongocrypt_kms_ctx_t *kms,
     char *request_string;
     bool ret = false;
 
-    _init_common(kms, log, MONGOCRYPT_KMS_GCP_ENCRYPT);
+    _init_common(kms, log, MONGOCRYPT_KMS_GCP_ENCRYPT, kmsid);
     status = kms->status;
 
     if (ctx_opts->kek.provider.gcp.endpoint) {
@@ -1368,6 +1550,7 @@ bool _mongocrypt_kms_ctx_init_gcp_decrypt(mongocrypt_kms_ctx_t *kms,
                                           _mongocrypt_opts_kms_providers_t *kms_providers,
                                           const char *access_token,
                                           _mongocrypt_key_doc_t *key,
+                                          const char *kmsid,
                                           _mongocrypt_log_t *log) {
     BSON_ASSERT_PARAM(kms);
     BSON_ASSERT_PARAM(kms_providers);
@@ -1382,7 +1565,7 @@ bool _mongocrypt_kms_ctx_init_gcp_decrypt(mongocrypt_kms_ctx_t *kms,
     char *request_string;
     bool ret = false;
 
-    _init_common(kms, log, MONGOCRYPT_KMS_GCP_DECRYPT);
+    _init_common(kms, log, MONGOCRYPT_KMS_GCP_DECRYPT, kmsid);
     status = kms->status;
 
     if (key->kek.provider.gcp.endpoint) {
@@ -1435,6 +1618,7 @@ bool _mongocrypt_kms_ctx_init_kmip_register(mongocrypt_kms_ctx_t *kms_ctx,
                                             const _mongocrypt_endpoint_t *endpoint,
                                             const uint8_t *secretdata,
                                             uint32_t secretdata_len,
+                                            const char *kmsid,
                                             _mongocrypt_log_t *log) {
     BSON_ASSERT_PARAM(kms_ctx);
     BSON_ASSERT_PARAM(endpoint);
@@ -1445,7 +1629,7 @@ bool _mongocrypt_kms_ctx_init_kmip_register(mongocrypt_kms_ctx_t *kms_ctx,
     const uint8_t *reqdata;
     size_t reqlen;
 
-    _init_common(kms_ctx, log, MONGOCRYPT_KMS_KMIP_REGISTER);
+    _init_common(kms_ctx, log, MONGOCRYPT_KMS_KMIP_REGISTER, kmsid);
     status = kms_ctx->status;
 
     kms_ctx->endpoint = bson_strdup(endpoint->host_and_port);
@@ -1471,6 +1655,7 @@ done:
 bool _mongocrypt_kms_ctx_init_kmip_activate(mongocrypt_kms_ctx_t *kms_ctx,
                                             const _mongocrypt_endpoint_t *endpoint,
                                             const char *unique_identifier,
+                                            const char *kmsid,
                                             _mongocrypt_log_t *log) {
     BSON_ASSERT_PARAM(kms_ctx);
     BSON_ASSERT_PARAM(endpoint);
@@ -1481,7 +1666,7 @@ bool _mongocrypt_kms_ctx_init_kmip_activate(mongocrypt_kms_ctx_t *kms_ctx,
     size_t reqlen;
     const uint8_t *reqdata;
 
-    _init_common(kms_ctx, log, MONGOCRYPT_KMS_KMIP_ACTIVATE);
+    _init_common(kms_ctx, log, MONGOCRYPT_KMS_KMIP_ACTIVATE, kmsid);
     status = kms_ctx->status;
 
     kms_ctx->endpoint = bson_strdup(endpoint->host_and_port);
@@ -1507,6 +1692,7 @@ done:
 bool _mongocrypt_kms_ctx_init_kmip_get(mongocrypt_kms_ctx_t *kms_ctx,
                                        const _mongocrypt_endpoint_t *endpoint,
                                        const char *unique_identifier,
+                                       const char *kmsid,
                                        _mongocrypt_log_t *log) {
     BSON_ASSERT_PARAM(kms_ctx);
     BSON_ASSERT_PARAM(endpoint);
@@ -1517,7 +1703,7 @@ bool _mongocrypt_kms_ctx_init_kmip_get(mongocrypt_kms_ctx_t *kms_ctx,
     size_t reqlen;
     const uint8_t *reqdata;
 
-    _init_common(kms_ctx, log, MONGOCRYPT_KMS_KMIP_GET);
+    _init_common(kms_ctx, log, MONGOCRYPT_KMS_KMIP_GET, kmsid);
     status = kms_ctx->status;
 
     kms_ctx->endpoint = bson_strdup(endpoint->host_and_port);
@@ -1540,6 +1726,129 @@ done:
     return ret;
 }
 
+bool _mongocrypt_kms_ctx_init_kmip_create(mongocrypt_kms_ctx_t *kms_ctx,
+                                          const _mongocrypt_endpoint_t *endpoint,
+                                          const char *kmsid,
+                                          _mongocrypt_log_t *log) {
+    BSON_ASSERT_PARAM(kms_ctx);
+    BSON_ASSERT_PARAM(endpoint);
+    bool ret = false;
+
+    _init_common(kms_ctx, log, MONGOCRYPT_KMS_KMIP_CREATE, kmsid);
+    mongocrypt_status_t *status = kms_ctx->status;
+    kms_ctx->endpoint = bson_strdup(endpoint->host_and_port);
+    _mongocrypt_apply_default_port(&kms_ctx->endpoint, DEFAULT_KMIP_PORT);
+
+    kms_ctx->req = kms_kmip_request_create_new(NULL /* reserved */);
+
+    if (kms_request_get_error(kms_ctx->req)) {
+        CLIENT_ERR("Error creating KMIP create request: %s", kms_request_get_error(kms_ctx->req));
+        goto done;
+    }
+
+    size_t reqlen;
+    const uint8_t *reqdata = kms_request_to_bytes(kms_ctx->req, &reqlen);
+    if (!_mongocrypt_buffer_copy_from_data_and_size(&kms_ctx->msg, reqdata, reqlen)) {
+        CLIENT_ERR("Error storing KMS request payload");
+        goto done;
+    }
+
+    ret = true;
+done:
+    return ret;
+}
+
+bool _mongocrypt_kms_ctx_init_kmip_encrypt(mongocrypt_kms_ctx_t *kms_ctx,
+                                           const _mongocrypt_endpoint_t *endpoint,
+                                           const char *unique_identifier,
+                                           const char *kmsid,
+                                           _mongocrypt_buffer_t *plaintext,
+                                           _mongocrypt_log_t *log) {
+    BSON_ASSERT_PARAM(kms_ctx);
+    BSON_ASSERT_PARAM(endpoint);
+    BSON_ASSERT_PARAM(plaintext);
+    bool ret = false;
+
+    _init_common(kms_ctx, log, MONGOCRYPT_KMS_KMIP_ENCRYPT, kmsid);
+    mongocrypt_status_t *status = kms_ctx->status;
+    kms_ctx->endpoint = bson_strdup(endpoint->host_and_port);
+    _mongocrypt_apply_default_port(&kms_ctx->endpoint, DEFAULT_KMIP_PORT);
+
+    kms_ctx->req =
+        kms_kmip_request_encrypt_new(NULL /* reserved */, unique_identifier, plaintext->data, plaintext->len);
+
+    if (kms_request_get_error(kms_ctx->req)) {
+        CLIENT_ERR("Error creating KMIP encrypt request: %s", kms_request_get_error(kms_ctx->req));
+        goto done;
+    }
+
+    size_t reqlen;
+    const uint8_t *reqdata = kms_request_to_bytes(kms_ctx->req, &reqlen);
+    if (!_mongocrypt_buffer_copy_from_data_and_size(&kms_ctx->msg, reqdata, reqlen)) {
+        CLIENT_ERR("Error storing KMS request payload");
+        goto done;
+    }
+
+    ret = true;
+done:
+    return ret;
+}
+
+bool _mongocrypt_kms_ctx_init_kmip_decrypt(mongocrypt_kms_ctx_t *kms_ctx,
+                                           const _mongocrypt_endpoint_t *endpoint,
+                                           const char *kmsid,
+                                           _mongocrypt_key_doc_t *key,
+                                           _mongocrypt_log_t *log) {
+    BSON_ASSERT_PARAM(kms_ctx);
+    BSON_ASSERT_PARAM(endpoint);
+    BSON_ASSERT_PARAM(key);
+    bool ret = false;
+
+    _init_common(kms_ctx, log, MONGOCRYPT_KMS_KMIP_DECRYPT, kmsid);
+    mongocrypt_status_t *status = kms_ctx->status;
+    kms_ctx->endpoint = bson_strdup(endpoint->host_and_port);
+    _mongocrypt_apply_default_port(&kms_ctx->endpoint, DEFAULT_KMIP_PORT);
+
+    _mongocrypt_buffer_t iv;
+    if (!_mongocrypt_buffer_from_subrange(&iv, &key->key_material, 0, MONGOCRYPT_IV_LEN)) {
+        CLIENT_ERR("Error getting IV from key material");
+        goto done;
+    }
+    _mongocrypt_buffer_t ciphertext;
+    if (!_mongocrypt_buffer_from_subrange(&ciphertext,
+                                          &key->key_material,
+                                          MONGOCRYPT_IV_LEN,
+                                          key->key_material.len - MONGOCRYPT_IV_LEN)) {
+        CLIENT_ERR("Error getting ciphertext from key material");
+        goto done;
+    }
+
+    BSON_ASSERT(key->kek.kms_provider == MONGOCRYPT_KMS_PROVIDER_KMIP);
+    BSON_ASSERT(key->kek.provider.kmip.delegated);
+    kms_ctx->req = kms_kmip_request_decrypt_new(NULL /* reserved */,
+                                                key->kek.provider.kmip.key_id,
+                                                ciphertext.data,
+                                                ciphertext.len,
+                                                iv.data,
+                                                iv.len);
+
+    if (kms_request_get_error(kms_ctx->req)) {
+        CLIENT_ERR("Error creating KMIP decrypt request: %s", kms_request_get_error(kms_ctx->req));
+        goto done;
+    }
+
+    size_t reqlen;
+    const uint8_t *reqdata = kms_request_to_bytes(kms_ctx->req, &reqlen);
+    if (!_mongocrypt_buffer_copy_from_data_and_size(&kms_ctx->msg, reqdata, reqlen)) {
+        CLIENT_ERR("Error storing KMS request payload");
+        goto done;
+    }
+
+    ret = true;
+done:
+    return ret;
+}
+
 static const char *set_and_ret(const char *what, uint32_t *len) {
     BSON_ASSERT_PARAM(what);
 
@@ -1553,18 +1862,5 @@ const char *mongocrypt_kms_ctx_get_kms_provider(mongocrypt_kms_ctx_t *kms, uint3
     BSON_ASSERT_PARAM(kms);
     /* len is checked in set_and_ret () before it is used */
 
-    switch (kms->req_type) {
-    default: BSON_ASSERT(false && "unknown KMS request type");
-    case MONGOCRYPT_KMS_AWS_ENCRYPT:
-    case MONGOCRYPT_KMS_AWS_DECRYPT: return set_and_ret("aws", len);
-    case MONGOCRYPT_KMS_AZURE_OAUTH:
-    case MONGOCRYPT_KMS_AZURE_WRAPKEY:
-    case MONGOCRYPT_KMS_AZURE_UNWRAPKEY: return set_and_ret("azure", len);
-    case MONGOCRYPT_KMS_GCP_OAUTH:
-    case MONGOCRYPT_KMS_GCP_ENCRYPT:
-    case MONGOCRYPT_KMS_GCP_DECRYPT: return set_and_ret("gcp", len);
-    case MONGOCRYPT_KMS_KMIP_REGISTER:
-    case MONGOCRYPT_KMS_KMIP_ACTIVATE:
-    case MONGOCRYPT_KMS_KMIP_GET: return set_and_ret("kmip", len);
-    }
+    return set_and_ret(kms->kmsid, len);
 }