mongo 2.17.3 → 2.18.0.beta1

data/lib/mongo/crypt/data_key_context.rb

@@ -19,7 +19,7 @@ module Mongo
   module Crypt
 
     # A Context object initialized specifically for the purpose of creating
-    # a data key in the key managemenet system.
+    # a data key in the key management system.
     #
     # @api private
     class DataKeyContext < Context
@@ -30,116 +30,19 @@ module Mongo
       #   wraps a mongocrypt_t object used to create a new mongocrypt_ctx_t
       # @param [ Mongo::Crypt::EncryptionIO ] io An object that performs all
       #   driver I/O on behalf of libmongocrypt
-      # @param [ String ] kms_provider The KMS provider to use. Options are
-      #   "aws" and "local".
-      # @param [ Hash ] options Data key creation options.
-      #
-      # @option options [ Hash ] :master_key A Hash of options related to the AWS
-      #   KMS provider option. Required if kms_provider is "aws".
-      #   - :region [ String ] The The AWS region of the master key (required).
-      #   - :key [ String ] The Amazon Resource Name (ARN) of the master key (required).
-      #   - :endpoint [ String ] An alternate host to send KMS requests to (optional).
-      # @option options [ Array<String> ] :key_alt_names An optional array of strings specifying
+      # @param [ Mongo::Crypt::KMS::MasterKeyDocument ] master_key_document The master
+      #   key document that contains master encryption key parameters.
+      # @param [ Array<String> | nil ] key_alt_names An optional array of strings specifying
       #   alternate names for the new data key.
-      def initialize(mongocrypt, io, kms_provider, options={})
+      def initialize(mongocrypt, io, master_key_document, key_alt_names = nil)
         super(mongocrypt, io)
-
-        case kms_provider
-        when 'local'
-          Binding.ctx_setopt_master_key_local(self)
-        when 'aws'
-          unless options
-            raise ArgumentError.new(
-              'When "aws" is specified as the KMS provider, options cannot be nil'
-            )
-          end
-
-          unless options.key?(:master_key)
-            raise ArgumentError.new(
-              'When "aws" is specified as the KMS provider, the options Hash ' +
-              'must contain a key named :master_key with a Hash value in the ' +
-              '{ region: "AWS-REGION", key: "AWS-KEY-ARN" }'
-            )
-          end
-
-          master_key_opts = options[:master_key]
-
-          set_aws_master_key(master_key_opts)
-          set_aws_endpoint(master_key_opts[:endpoint]) if master_key_opts[:endpoint]
-        else
-          raise ArgumentError.new(
-            "#{kms_provider} is an invalid kms provider. " +
-            "Valid options are 'aws' and 'local'"
-          )
-        end
-
-        set_key_alt_names(options[:key_alt_names]) if options[:key_alt_names]
+        Binding.ctx_setopt_key_encryption_key(self, master_key_document.to_document)
+        set_key_alt_names(key_alt_names) if key_alt_names
         initialize_ctx
       end
 
       private
 
-      # Configure the underlying mongocrypt_ctx_t object to accept AWS
-      # KMS options
-      def set_aws_master_key(master_key_opts)
-        unless master_key_opts
-          raise ArgumentError.new('The :master_key option cannot be nil')
-        end
-
-        unless master_key_opts.is_a?(Hash)
-          raise ArgumentError.new(
-            "#{master_key_opts} is an invalid :master_key option. " +
-            "The :master_key option must be a Hash in the format " +
-            "{ region: 'AWS-REGION', key: 'AWS-KEY-ARN' }"
-          )
-        end
-
-        region = master_key_opts[:region]
-        unless region
-          raise ArgumentError.new(
-            'The value of :region option of the :master_key options hash cannot be nil'
-          )
-        end
-
-        unless region.is_a?(String)
-          raise ArgumentError.new(
-            "#{master_key_opts[:region]} is an invalid AWS master_key region. " +
-            "The value of :region option of the :master_key options hash must be a String"
-          )
-        end
-
-        key = master_key_opts[:key]
-        unless key
-          raise ArgumentError.new(
-            'The value of :key option of the :master_key options hash cannot be nil'
-          )
-        end
-
-        unless key.is_a?(String)
-          raise ArgumentError.new(
-            "#{master_key_opts[:key]} is an invalid AWS master_key key. " +
-            "The value of :key option of the :master_key options hash must be a String"
-          )
-        end
-
-        Binding.ctx_setopt_master_key_aws(
-          self,
-          region,
-          key,
-        )
-      end
-
-      def set_aws_endpoint(endpoint)
-        unless endpoint.is_a?(String)
-          raise ArgumentError.new(
-            "#{endpoint} is an invalid AWS master_key endpoint. " +
-            "The value of :endpoint option of the :master_key options hash must be a String"
-          )
-        end
-
-        Binding.ctx_setopt_master_key_aws_endpoint(self, endpoint)
-      end
-
       # Set the alt names option on the context
       def set_key_alt_names(key_alt_names)
         unless key_alt_names.is_a?(Array)

data/lib/mongo/crypt/encryption_io.rb

@@ -38,6 +38,8 @@ module Mongo
       #   defaults to nil.
       # @param [ Mongo::Client ] key_vault_client The client connected to the
       #   key vault collection.
+      # @param [ Mongo::Client | nil ] metadata_client The client to be used to
+      #   obtain collection metadata.
       # @param [ String ] key_vault_namespace The key vault namespace in the format
       #   db_name.collection_name.
       # @param [ Hash ] mongocryptd_options Options related to mongocryptd.
@@ -54,7 +56,7 @@ module Mongo
       #   options are not nil and are in the correct format.
       def initialize(
         client: nil, mongocryptd_client: nil, key_vault_namespace:,
-        key_vault_client:, mongocryptd_options: {}
+        key_vault_client:, metadata_client:, mongocryptd_options: {}
       )
         validate_key_vault_client!(key_vault_client)
         validate_key_vault_namespace!(key_vault_namespace)
@@ -63,6 +65,7 @@ module Mongo
         @mongocryptd_client = mongocryptd_client
         @key_vault_db_name, @key_vault_collection_name = key_vault_namespace.split('.')
         @key_vault_client = key_vault_client
+        @metadata_client = metadata_client
         @options = mongocryptd_options
       end
 
@@ -91,11 +94,11 @@ module Mongo
       #
       # @return [ Hash ] The collection information
       def collection_info(db_name, filter)
-        unless @client
-          raise ArgumentError, 'collection_info requires client to have been passed to the constructor, but it was not'
+        unless @metadata_client
+          raise ArgumentError, 'collection_info requires metadata_client to have been passed to the constructor, but it was not'
         end
 
-        @client.use(db_name).database.list_collections(filter: filter).first
+        @metadata_client.use(db_name).database.list_collections(filter: filter).first
       end
 
       # Send the command to mongocryptd to be marked with intent-to-encrypt markings
@@ -124,16 +127,17 @@ module Mongo
         return response.first
       end
 
-      # Get information about the AWS encryption key and feed it to the the
+      # Get information about the remote KMS encryption key and feed it to the the
       # KmsContext object
       #
       # @param [ Mongo::Crypt::KmsContext ] kms_context A KmsContext object
-      #   corresponding to one AWS KMS data key. Contains information about
+      #   corresponding to one remote KMS data key. Contains information about
       #   the endpoint at which to establish a TLS connection and the message
       #   to send on that connection.
-      def feed_kms(kms_context)
-        with_ssl_socket(kms_context.endpoint) do |ssl_socket|
-
+      # @param [ Hash ] tls_options. TLS options to connect to KMS provider.
+      #   The options are same as for Mongo::Client.
+      def feed_kms(kms_context, tls_options)
+        with_ssl_socket(kms_context.endpoint, tls_options) do |ssl_socket|
           Timeout.timeout(SOCKET_TIMEOUT, Error::SocketTimeoutError,
             'Socket write operation timed out'
           ) do
@@ -242,6 +246,8 @@ module Mongo
       # Provide a TLS socket to be used for KMS calls in a block API
       #
       # @param [ String ] endpoint The URI at which to connect the TLS socket.
+      # @param [ Hash ] tls_options. TLS options to connect to KMS provider.
+      #   The options are same as for Mongo::Client.
       # @yieldparam [ OpenSSL::SSL::SSLSocket ] ssl_socket Yields a TLS socket
       #   connected to the specified endpoint.
       #
@@ -250,59 +256,21 @@ module Mongo
       #
       # @note The socket is always closed when the provided block has finished
       #   executing
-      def with_ssl_socket(endpoint)
-        host, port = endpoint.split(':')
-        port ||= 443 # Default port for AWS KMS API
-
-        # Create TCPSocket and set nodelay option
-        tcp_socket = TCPSocket.open(host, port)
-        begin
-          tcp_socket.setsockopt(::Socket::IPPROTO_TCP, ::Socket::TCP_NODELAY, 1)
-
-          ssl_socket = OpenSSL::SSL::SSLSocket.new(tcp_socket)
-          begin
-            # tcp_socket will be closed when ssl_socket is closed
-            ssl_socket.sync_close = true
-            # perform SNI
-            ssl_socket.hostname = "#{host}:#{port}"
-
-            Timeout.timeout(
-              SOCKET_TIMEOUT,
-              Error::SocketTimeoutError,
-              "KMS socket connection timed out after #{SOCKET_TIMEOUT} seconds",
-            ) do
-              ssl_socket.connect
-            end
-
-            yield(ssl_socket)
-          ensure
-            begin
-              Timeout.timeout(
-                SOCKET_TIMEOUT,
-                Error::SocketTimeoutError,
-                'KMS TLS socket close timed out'
-              ) do
-                ssl_socket.sysclose
-              end
-            rescue
-            end
-          end
-        ensure
-          # Still close tcp socket manually in case TLS socket creation
-          # fails.
-          begin
-            Timeout.timeout(
-              SOCKET_TIMEOUT,
-              Error::SocketTimeoutError,
-              'KMS TCP socket close timed out'
-            ) do
-              tcp_socket.close
-            end
-          rescue
-          end
+      def with_ssl_socket(endpoint, tls_options)
+        address = begin
+          host, port = endpoint.split(':')
+          port ||= 443 # All supported KMS APIs use this port by default.
+          Address.new([host, port].join(':'))
         end
+        mongo_socket = address.socket(
+          SOCKET_TIMEOUT,
+          tls_options.merge(ssl: true)
+        )
+        yield(mongo_socket.socket)
       rescue => e
-        raise Error::KmsError, "Error decrypting data key: #{e.class}: #{e.message}"
+        raise Error::KmsError, "Error when connecting to KMS provider: #{e.class}: #{e.message}"
+      ensure
+        mongo_socket&.close
       end
     end
   end

data/lib/mongo/crypt/explicit_encrypter.rb

@@ -29,14 +29,17 @@ module Mongo
       #   to connect to the key vault collection.
       # @param [ String ] key_vault_namespace The namespace of the key vault
       #   collection in the format "db_name.collection_name".
-      # @option options [ Hash ] :kms_providers A hash of key management service
-      #   configuration information. Valid hash keys are :local or :aws. There
-      #   may be more than one KMS provider specified.
-      def initialize(key_vault_client, key_vault_namespace, kms_providers)
-        @crypt_handle = Handle.new(kms_providers)
-
+      # @param [ Crypt::KMS::Credentials ] kms_providers A hash of key management service
+      #   configuration information.
+      # @param [ Hash ] kms_tls_options TLS options to connect to KMS
+      #   providers. Keys of the hash should be KSM provider names; values
+      #   should be hashes of TLS connection options. The options are equivalent
+      #   to TLS connection options of Mongo::Client.
+      def initialize(key_vault_client, key_vault_namespace, kms_providers, kms_tls_options)
+        @crypt_handle = Handle.new(kms_providers, kms_tls_options)
         @encryption_io = EncryptionIO.new(
           key_vault_client: key_vault_client,
+          metadata_client: nil,
           key_vault_namespace: key_vault_namespace
         )
       end
@@ -45,30 +48,19 @@ module Mongo
       # that key in the KMS collection. The generated key is encrypted with
       # the KMS master key.
       #
-      # @param [ String ] kms_provider The KMS provider to use. Valid values are
-      #   "aws" and "local".
-      # @param [ Hash ] options
-      #
-      # @option options [ Hash ] :master_key Information about the AWS master key. Required
-      #   if kms_provider is "aws".
-      #   - :region [ String ] The The AWS region of the master key (required).
-      #   - :key [ String ] The Amazon Resource Name (ARN) of the master key (required).
-      #   - :endpoint [ String ] An alternate host to send KMS requests to (optional).
-      #     endpoint should be a host name with an optional port number separated
-      #     by a colon (e.g. "kms.us-east-1.amazonaws.com" or
-      #     "kms.us-east-1.amazonaws.com:443"). An endpoint in any other format
-      #     will not be properly parsed.
-      # @option options [ Array<String> ] :key_alt_names An optional array of strings specifying
+      # @param [ Mongo::Crypt::KMS::MasterKeyDocument ] master_key_document The master
+      #   key document that contains master encryption key parameters.
+      # @param [ Array<String> | nil ] key_alt_names An optional array of strings specifying
       #   alternate names for the new data key.
       #
       # @return [ BSON::Binary ] The 16-byte UUID of the new data key as a
       #   BSON::Binary object with type :uuid.
-      def create_and_insert_data_key(kms_provider, options)
+      def create_and_insert_data_key(master_key_document, key_alt_names)
         data_key_document = Crypt::DataKeyContext.new(
           @crypt_handle,
           @encryption_io,
-          kms_provider,
-          options
+          master_key_document,
+          key_alt_names
         ).run_state_machine
 
         @encryption_io.insert_data_key(data_key_document).inserted_id
@@ -85,14 +77,24 @@ module Mongo
       # @option options [ String ] :key_alt_name The alternate name for the
       #   encryption key.
       # @option options [ String ] :algorithm The algorithm used to encrypt the value.
-      #   Valid algorithms are "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
-      #   or "AEAD_AES_256_CBC_HMAC_SHA_512-Random".
+      #   Valid algorithms are "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
+      #   "AEAD_AES_256_CBC_HMAC_SHA_512-Random", "Indexed", "Unindexed".
+      # @option options [ Integer | nil ] :contention_factor Contention factor
+      #   to be applied if encryption algorithm is set to "Indexed". If not
+      #   provided, it defaults to a value of 0. Contention factor should be set
+      #   only if encryption algorithm is set to "Indexed".
+      # @option options [ Symbol ] query_type Query type to be applied
+      # if encryption algorithm is set to "Indexed". Query type should be set
+      #   only if encryption algorithm is set to "Indexed". The only allowed
+      #   value is :equality.
       #
       # @note The :key_id and :key_alt_name options are mutually exclusive. Only
       #   one is required to perform explicit encryption.
       #
       # @return [ BSON::Binary ] A BSON Binary object of subtype 6 (ciphertext)
       #   representing the encrypted value
+      # @raise [ ArgumentError ] if either contention_factor or query_type
+      #   is set, and algorithm is not "Indexed".
       def encrypt(value, options)
         Crypt::ExplicitEncryptionContext.new(
           @crypt_handle,

data/lib/mongo/crypt/explicit_encryption_context.rb

@@ -38,8 +38,16 @@ module Mongo
       # @option options [ String ] :key_alt_name The alternate name of the data key
       #   that will be used to encrypt the value.
       # @option options [ String ] :algorithm The algorithm used to encrypt the
-      #   value. Valid algorithms are "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
-      #   or "AEAD_AES_256_CBC_HMAC_SHA_512-Random"
+      #   value. Valid algorithms are "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
+      #   "AEAD_AES_256_CBC_HMAC_SHA_512-Random", "Indexed", "Unindexed".
+      # @option options [ Integer | nil ] :contention_factor Contention factor
+      #   to be applied if encryption algorithm is set to "Indexed". If not
+      #   provided, it defaults to a value of 0. Contention factor should be set
+      #   only if encryption algorithm is set to "Indexed".
+      # @option options [ Symbol ] query_type Query type to be applied
+      # if encryption algorithm is set to "Indexed". Query type should be set
+      #   only if encryption algorithm is set to "Indexed".  The only allowed
+      #   value is :equality.
       #
       # @raise [ ArgumentError|Mongo::Error::CryptError ] If invalid options are provided
       def initialize(mongocrypt, io, doc, options={})
@@ -81,7 +89,27 @@ module Mongo
 
         # Set the algorithm option on the mongocrypt_ctx_t object and raises
         # an exception if the algorithm is invalid.
-        Binding.ctx_setopt_algorithm(self, options[:algorithm])
+        if options[:algorithm] == 'Indexed'
+          if options[:contention_factor]
+            Binding.ctx_setopt_contention_factor(self, options[:contention_factor])
+          end
+          if options[:query_type]
+            Binding.ctx_setopt_query_type(self, options[:query_type])
+          end
+          Binding.ctx_setopt_index_type(self, :equality)
+        else
+          if options[:contention_factor]
+            raise ArgumentError.new(':contention_factor is allowed only for "Indexed" algorithm')
+          end
+          if options[:query_type]
+            raise ArgumentError.new(':query_type is allowed only for "Indexed" algorithm')
+          end
+          if options[:algorithm] == 'Unindexed'
+            Binding.ctx_setopt_index_type(self, :none)
+          else
+            Binding.ctx_setopt_algorithm(self, options[:algorithm])
+          end
+        end
 
         # Initializes the mongocrypt_ctx_t object for explicit encryption and
         # passes in the value to be encrypted.

data/lib/mongo/crypt/handle.rb

@@ -27,19 +27,28 @@ module Mongo
     #
     # @api private
     class Handle
+
       # Creates a new Handle object and initializes it with options
       #
-      # @param [ Hash ] kms_providers A hash of KMS settings. The only supported
-      #   key is currently :local. Local KMS options must be passed in the
-      #   format { local: { key: <master key> } } where the master key is a
-      #   96-byte, base64 encoded string.
-      # @param [ Hash ] options A hash of options
+      # @param [ Crypt::KMS::Credentials ] kms_providers Credentials for KMS providers.
+      #
+      # @param [ Hash ] kms_tls_options TLS options to connect to KMS
+      #   providers. Keys of the hash should be KSM provider names; values
+      #   should be hashes of TLS connection options. The options are equivalent
+      #   to TLS connection options of Mongo::Client.
       #
+      # @param [ Hash ] options A hash of options.
       # @option options [ Hash | nil ] :schema_map A hash representing the JSON schema
       #   of the collection that stores auto encrypted documents.
+      # @option options [ Hash | nil ] :encrypted_fields_map maps a collection
+      #   namespace to an encryptedFields.
+      #   - Note: If a collection is present on both the encryptedFieldsMap
+      #     and schemaMap, an error will be raised.
+      # @option options [ Boolean | nil ] :bypass_query_analysis When true
+      #   disables automatic analysis of outgoing commands.
       # @option options [ Logger ] :logger A Logger object to which libmongocrypt logs
       #   will be sent
-      def initialize(kms_providers, options={})
+      def initialize(kms_providers, kms_tls_options, options={})
         # FFI::AutoPointer uses a custom release strategy to automatically free
         # the pointer once this object goes out of scope
         @mongocrypt = FFI::AutoPointer.new(
@@ -47,15 +56,23 @@ module Mongo
           Binding.method(:mongocrypt_destroy)
         )
 
+        @kms_tls_options =  kms_tls_options
+
         @schema_map = options[:schema_map]
         set_schema_map if @schema_map
 
+        @encrypted_fields_map = options[:encrypted_fields_map]
+        set_encrypted_fields_map if @encrypted_fields_map
+
+        @bypass_query_analysis = options[:bypass_query_analysis]
+        set_bypass_query_analysis if @bypass_query_analysis
+
         @logger = options[:logger]
         set_logger_callback if @logger
 
         set_crypto_hooks
 
-        set_kms_providers(kms_providers)
+        Binding.setopt_kms_providers(self, kms_providers.to_document)
         initialize_mongocrypt
       end
 
@@ -66,6 +83,16 @@ module Mongo
         @mongocrypt
       end
 
+      # Return TLS options for KMS provider. If there are no TLS options set,
+      # empty hash is returned.
+      #
+      # @param [ String ] provider KSM provider name.
+      #
+      # @return [ Hash ] TLS options to connect to KMS provider.
+      def kms_tls_options(provider)
+        @kms_tls_options.fetch(provider, {})
+      end
+
       private
 
       # Set the schema map option on the underlying mongocrypt_t object
@@ -79,6 +106,26 @@ module Mongo
         Binding.setopt_schema_map(self, @schema_map)
       end
 
+      def set_encrypted_fields_map
+        unless @encrypted_fields_map.is_a?(Hash)
+          raise ArgumentError.new(
+            "#{@encrypted_fields_map} is an invalid encrypted_fields_map: must be a Hash or nil"
+          )
+        end
+
+        Binding.setopt_encrypted_field_config_map(self, @encrypted_fields_map)
+      end
+
+      def set_bypass_query_analysis
+        unless [true, false].include?(@bypass_query_analysis)
+          raise ArgumentError.new(
+            "#{@bypass_query_analysis} is an invalid bypass_query_analysis value; must be a Boolean or nil"
+          )
+        end
+
+        Binding.setopt_bypass_query_analysis(self) if @bypass_query_analysis
+      end
+
       # Send the logs from libmongocrypt to the Mongo::Logger
       def set_logger_callback
         @log_callback = Proc.new do |level, msg|
@@ -136,13 +183,13 @@ module Mongo
       # Perform AES encryption or decryption and write the output to the
       # provided mongocrypt_binary_t object.
       def do_aes(key_binary_p, iv_binary_p, input_binary_p, output_binary_p,
-        response_length_p, status_p, decrypt: false)
+        response_length_p, status_p, decrypt: false, mode: :CBC)
         key = Binary.from_pointer(key_binary_p).to_s
         iv = Binary.from_pointer(iv_binary_p).to_s
         input = Binary.from_pointer(input_binary_p).to_s
 
         write_binary_string_and_set_status(output_binary_p, status_p) do
-          output = Hooks.aes(key, iv, input, decrypt: decrypt)
+          output = Hooks.aes(key, iv, input, decrypt: decrypt, mode: mode)
           response_length_p.write_int(output.bytesize)
 
           output
@@ -161,7 +208,19 @@ module Mongo
         end
       end
 
-      # We are buildling libmongocrypt without crypto functions to remove the
+      # Perform signing using RSASSA-PKCS1-v1_5 with SHA256 hash and write
+      # the output to the provided mongocrypt_binary_t object.
+      def do_rsaes_pkcs_signature(key_binary_p, input_binary_p,
+        output_binary_p, status_p)
+        key = Binary.from_pointer(key_binary_p).to_s
+        input = Binary.from_pointer(input_binary_p).to_s
+
+        write_binary_string_and_set_status(output_binary_p, status_p) do
+          Hooks.rsaes_pkcs_signature(key, input)
+        end
+      end
+
+      # We are building libmongocrypt without crypto functions to remove the
       # external dependency on OpenSSL. This method binds native Ruby crypto
       # methods to the underlying mongocrypt_t object so that libmongocrypt can
       # still perform cryptography.
@@ -227,85 +286,49 @@ module Mongo
           @hmac_sha_256,
           @hmac_hash,
         )
-      end
-
-      # Validate the kms_providers option and use it to set the KMS provider
-      # information on the underlying mongocrypt_t object
-      def set_kms_providers(kms_providers)
-        unless kms_providers
-          raise ArgumentError.new("The kms_providers option must not be nil")
-        end
-
-        unless kms_providers.key?(:local) || kms_providers.key?(:aws)
-          raise ArgumentError.new(
-            'The kms_providers option must have one of the following keys: ' +
-            ':aws, :local'
-          )
-        end
-
-        set_kms_providers_local(kms_providers) if kms_providers.key?(:local)
-        set_kms_providers_aws(kms_providers) if kms_providers.key?(:aws)
-      end
 
-    # Validate and set the local KMS provider information on the underlying
-      # mongocrypt_t object and raise an exception if the operation fails
-      def set_kms_providers_local(kms_providers)
-        unless kms_providers[:local][:key] && kms_providers[:local][:key].is_a?(String)
-          raise ArgumentError.new(
-            "The specified local kms_providers option is invalid: " +
-            "#{kms_providers[:local]}. kms_providers with :local key must be " +
-            "in the format: { local: { key: 'MASTER-KEY' } }"
+        @aes_ctr_encrypt = Proc.new do |_, key_binary_p, iv_binary_p, input_binary_p,
+          output_binary_p, response_length_p, status_p|
+          do_aes(
+            key_binary_p,
+            iv_binary_p,
+            input_binary_p,
+            output_binary_p,
+            response_length_p,
+            status_p,
+            mode: :CTR,
           )
         end
 
-        master_key = kms_providers[:local][:key]
-        Binding.setopt_kms_provider_local(self, master_key)
-      end
-
-      # Validate and set the aws KMS provider information on the underlying
-      # mongocrypt_t object and raise an exception if the operation fails
-      def set_kms_providers_aws(kms_providers)
-        unless kms_providers[:aws]
-          raise ArgumentError.new('The :aws KMS provider must not be nil')
-        end
-
-        access_key_id = kms_providers[:aws][:access_key_id]
-        secret_access_key = kms_providers[:aws][:secret_access_key]
-
-        unless kms_providers[:aws].key?(:access_key_id) && 
-            kms_providers[:aws].key?(:secret_access_key)
-          raise ArgumentError.new(
-            "The specified aws kms_providers option is invalid: #{kms_providers[:aws]}. " +
-            "kms_providers with :aws key must be in the format: " +
-            "{ aws: { access_key_id: 'YOUR-ACCESS-KEY-ID', secret_access_key: 'SECRET-ACCESS-KEY' } }"
+        @aes_ctr_decrypt = Proc.new do |_, key_binary_p, iv_binary_p, input_binary_p,
+          output_binary_p, response_length_p, status_p|
+          do_aes(
+            key_binary_p,
+            iv_binary_p,
+            input_binary_p,
+            output_binary_p,
+            response_length_p,
+            status_p,
+            decrypt: true,
+            mode: :CTR,
           )
         end
 
-        %i(access_key_id secret_access_key).each do |key|
-          value = kms_providers[:aws][key]
-          if value.nil?
-            raise ArgumentError.new(
-              "The aws #{key} option must be a String with at least one character; " \
-              "currently have nil"
-            )
-          end
-
-          unless value.is_a?(String)
-            raise ArgumentError.new(
-              "The aws #{key} option must be a String with at least one character; " \
-              "currently have #{value}"
-            )
-          end
+        Binding.setopt_aes_256_ctr(
+          self,
+          @aes_ctr_encrypt,
+          @aes_ctr_decrypt,
+        )
 
-          if value.empty?
-            raise ArgumentError.new(
-              "The aws #{key} option must be a String with at least one character; " \
-              "it is currently an empty string"
-            )
-          end
+        @rsaes_pkcs_signature_cb = Proc.new do |_, key_binary_p, input_binary_p,
+          output_binary_p, status_p|
+          do_rsaes_pkcs_signature(key_binary_p, input_binary_p, output_binary_p, status_p)
         end
 
-        Binding.setopt_kms_provider_aws(self, access_key_id, secret_access_key)
+        Binding.setopt_crypto_hook_sign_rsaes_pkcs1_v1_5(
+          self,
+          @rsaes_pkcs_signature_cb
+        )
       end
 
       # Initialize the underlying mongocrypt_t object and raise an error if the operation fails