.evergreen/find_cmake.sh

@@ -3,6 +3,14 @@
 # Copied from the mongo-c-driver
 find_cmake ()
 {
+  # Check if on macOS with arm64. Use system cmake. See BUILD-14565.
+  OS_NAME=$(uname -s | tr '[:upper:]' '[:lower:]')
+  MARCH=$(uname -m | tr '[:upper:]' '[:lower:]')
+  if [ "darwin" = "$OS_NAME" -a "arm64" = "$MARCH" ]; then
+      CMAKE=cmake
+      return 0
+  fi
+
   if [ ! -z "$CMAKE" ]; then
     return 0
   elif [ -f "/Applications/cmake-3.2.2-Darwin-x86_64/CMake.app/Contents/bin/cmake" ]; then
@@ -11,7 +19,7 @@ find_cmake ()
     CMAKE="/Applications/Cmake.app/Contents/bin/cmake"
   elif [ -f "/opt/cmake/bin/cmake" ]; then
     CMAKE="/opt/cmake/bin/cmake"
-  elif command -v cmake 2>/dev/null; then
+  elif [ -z "$IGNORE_SYSTEM_CMAKE" ] && command -v cmake 2>/dev/null; then
      CMAKE=cmake
   elif uname -a | grep -iq 'x86_64 GNU/Linux'; then
      curl --retry 5 https://cmake.org/files/v3.11/cmake-3.11.0-Linux-x86_64.tar.gz -sS --max-time 120 --fail --output cmake.tar.gz

.evergreen/setup_environment.sh

@@ -27,7 +27,7 @@ if [ "$OS" == "Windows_NT" ]; then
   ADDITIONAL_CMAKE_FLAGS="-Thost=x64 -A x64"
 else
   chmod u+x ./.evergreen/find_cmake.sh
-  . ./.evergreen/find_cmake.sh
+  IGNORE_SYSTEM_CMAKE=1 . ./.evergreen/find_cmake.sh
 fi
 
 # this needs to be explicitly exported for the nvm install below

CHANGELOG.md

@@ -2,6 +2,12 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.0.0-beta.3](https://github.com/mongodb/libmongocrypt/compare/node-v2.0.0-beta.0...node-v2.0.0-beta.3) (2022-01-31)
+
+## [2.0.0-beta.2](https://github.com/mongodb/libmongocrypt/compare/node-v2.0.0-beta.0...node-v2.0.0-beta.2) (2021-12-22)
+
+## [2.0.0-beta.1](https://github.com/mongodb/libmongocrypt/compare/node-v2.0.0-beta.0...node-v2.0.0-beta.1) (2021-12-21)
+
 ## [2.0.0-beta.0](https://github.com/mongodb/libmongocrypt/compare/node-v1.2.7...node-v2.0.0-beta.0) (2021-10-07)
 
 ### [1.2.7](https://github.com/mongodb/libmongocrypt/compare/node-v1.2.6...node-v1.2.7) (2021-09-14)

etc/build-static.sh

@@ -41,12 +41,21 @@ popd #./deps/tmp
 # build and install libmongocrypt
 pushd libmongocrypt-build #./deps/tmp/libmongocrypt-build
 
-CMAKE_FLAGS="-DDISABLE_NATIVE_CRYPTO=1 -DCMAKE_C_FLAGS=\"-fPIC\" -DCMAKE_INSTALL_LIBDIR=lib "
+if [ "$OS" = "Windows_NT" ]; then
+    # W4996 - POSIX name for this item is deprecated
+    # TODO: add support for clang-cl which is detected as MSVC
+    LIBMONGOCRYPT_CFLAGS="/WX"
+else
+    # GNU, Clang, AppleClang
+    LIBMONGOCRYPT_CFLAGS="-fPIC -Werror"
+fi
+
+CMAKE_FLAGS="-DDISABLE_NATIVE_CRYPTO=1 -DCMAKE_INSTALL_LIBDIR=lib"
 if [ "$OS" == "Windows_NT" ]; then
   WINDOWS_CMAKE_FLAGS="-Thost=x64 -A x64 -DCMAKE_C_FLAGS_RELWITHDEBINFO=\"/MT\""
-  $CMAKE $CMAKE_FLAGS $WINDOWS_CMAKE_FLAGS -DCMAKE_PREFIX_PATH="`cygpath -w $DEPS_PREFIX`" -DCMAKE_INSTALL_PREFIX="`cygpath -w $DEPS_PREFIX`" "`cygpath -w $LIBMONGOCRYPT_DIR`"
+  $CMAKE $CMAKE_FLAGS $WINDOWS_CMAKE_FLAGS -DCMAKE_C_FLAGS="${LIBMONGOCRYPT_CFLAGS}" -DCMAKE_PREFIX_PATH="`cygpath -w $DEPS_PREFIX`" -DCMAKE_INSTALL_PREFIX="`cygpath -w $DEPS_PREFIX`" "`cygpath -w $LIBMONGOCRYPT_DIR`"
 else
-  $CMAKE $CMAKE_FLAGS -DCMAKE_PREFIX_PATH=$DEPS_PREFIX -DCMAKE_INSTALL_PREFIX=$DEPS_PREFIX -DCMAKE_OSX_DEPLOYMENT_TARGET="10.12" $LIBMONGOCRYPT_DIR
+  $CMAKE $CMAKE_FLAGS -DCMAKE_C_FLAGS="${LIBMONGOCRYPT_CFLAGS}" -DCMAKE_PREFIX_PATH=$DEPS_PREFIX -DCMAKE_INSTALL_PREFIX=$DEPS_PREFIX -DCMAKE_OSX_DEPLOYMENT_TARGET="10.12" $LIBMONGOCRYPT_DIR
 fi
 
 $CMAKE --build . --target install --config RelWithDebInfo

index.d.ts

@@ -1,14 +1,24 @@
 import type { Binary } from 'bson';
 import type { MongoClient } from 'mongodb';
 
-export type ClientEncryptionDataKeyProvider = 'aws' | 'azure' | 'gcp' | 'local';
+export type ClientEncryptionDataKeyProvider = 'aws' | 'azure' | 'gcp' | 'local' | 'kmip';
 
 /**
  * An error indicating that something went wrong specifically with MongoDB Client Encryption
  */
 export class MongoCryptError extends Error {
 }
 
+/**
+ * A set of options for specifying a Socks5 proxy.
+ */
+export interface ProxyOptions {
+  proxyHost: string;
+  proxyPort?: number;
+  proxyUsername?: string;
+  proxyPassword?: string;
+}
+
 export interface ClientEncryptionCreateDataKeyCallback {
   /**
    * @param error If present, indicates an error that occurred in the creation of the data key
@@ -69,6 +79,18 @@ export interface KMSProviders {
     key: Buffer | string;
   };
 
+  /**
+   * Configuration options for using 'kmip' as your KMS provider
+   */
+  kmip?: {
+    /**
+     * The output endpoint string.
+     * The endpoint consists of a hostname and port separated by a colon.
+     * E.g. "example.com:123". A port is always present.
+     */
+    endpoint?: string;
+  };
+
   /**
    * Configuration options for using 'azure' as your KMS provider
    */
@@ -119,6 +141,37 @@ export interface KMSProviders {
   }
 }
 
+/**
+ * TLS options to use when connecting. The spec specifically calls out which insecure
+ * tls options are not allowed:
+ *
+ *  - tlsAllowInvalidCertificates
+ *  - tlsAllowInvalidHostnames
+ *  - tlsInsecure
+ *  - tlsDisableOCSPEndpointCheck
+ *  - tlsDisableCertificateRevocationCheck
+ */
+export interface ClientEncryptionTlsOptions {
+  /**
+   * Specifies the location of a local .pem file that contains
+   * either the client's TLS/SSL certificate and key or only the
+   * client's TLS/SSL key when tlsCertificateFile is used to
+   * provide the certificate.
+   */
+  tlsCertificateKeyFile?: string;
+  /**
+   * Specifies the password to de-crypt the tlsCertificateKeyFile.
+   */
+  tlsCertificateKeyFilePassword?: string;
+  /**
+   * Specifies the location of a local .pem file that contains the
+   * root certificate chain from the Certificate Authority.
+   * This file is used to validate the certificate presented by the
+   * KMS provider.
+   */
+  tlsCAFile?: string;
+}
+
 /**
  * Additional settings to provide when creating a new `ClientEncryption` instance.
  */
@@ -137,6 +190,16 @@ export interface ClientEncryptionOptions {
    * Options for specific KMS providers to use
    */
   kmsProviders?: KMSProviders;
+
+  /**
+   * Options for specifying a Socks5 proxy to use for connecting to the KMS.
+   */
+  proxyOptions?: ProxyOptions;
+
+  /**
+   * TLS options for kms providers to use.
+   */
+  tlsOptions?: { [kms in keyof KMSProviders]?: ClientEncryptionTLSOptions };
 }
 
 /**

lib/autoEncrypter.js

@@ -98,13 +98,15 @@ module.exports = function(modules) {
         this._mongocryptdClient = new MongoClient(this._mongocryptdManager.uri, {
           useNewUrlParser: true,
           useUnifiedTopology: true,
-          serverSelectionTimeoutMS: 1000
+          serverSelectionTimeoutMS: 10000
         });
       }
 
       this._keyVaultNamespace = options.keyVaultNamespace || 'admin.datakeys';
       this._keyVaultClient = options.keyVaultClient || client;
       this._metaDataClient = options.metadataClient || client;
+      this._proxyOptions = options.proxyOptions || {};
+      this._tlsOptions = options.tlsOptions || {};
 
       const mongoCryptOptions = {};
       if (options.schemaMap) {
@@ -212,7 +214,12 @@ module.exports = function(modules) {
       context.ns = ns;
       context.document = cmd;
 
-      const stateMachine = new StateMachine(Object.assign({ bson }, options));
+      const stateMachine = new StateMachine({
+        bson,
+        ...options,
+        proxyOptions: this._proxyOptions,
+        tlsOptions: this._tlsOptions
+      });
       stateMachine.execute(this, context, callback);
     }
 
@@ -243,7 +250,12 @@ module.exports = function(modules) {
       // TODO: should this be an accessor from the addon?
       context.id = this._contextCounter++;
 
-      const stateMachine = new StateMachine(Object.assign({ bson }, options));
+      const stateMachine = new StateMachine({
+        bson,
+        ...options,
+        proxyOptions: this._proxyOptions,
+        tlsOptions: this._tlsOptions
+      });
       stateMachine.execute(this, context, callback);
     }
   }

lib/clientEncryption.js

@@ -38,6 +38,7 @@ module.exports = function(modules) {
      * @param {MongoClient} client The client used for encryption
      * @param {object} options Additional settings
      * @param {string} options.keyVaultNamespace The namespace of the key vault, used to store encryption keys
+     * @param {object} options.tlsOptions An object that maps KMS provider names to TLS options.
      * @param {MongoClient} [options.keyVaultClient] A `MongoClient` used to fetch keys from a key vault. Defaults to `client`
      * @param {KMSProviders} [options.kmsProviders] options for specific KMS providers to use
      *
@@ -65,6 +66,8 @@ module.exports = function(modules) {
     constructor(client, options) {
       this._client = client;
       this._bson = options.bson || client.topology.bson;
+      this._proxyOptions = options.proxyOptions;
+      this._tlsOptions = options.tlsOptions;
 
       if (options.keyVaultNamespace == null) {
         throw new TypeError('Missing required option `keyVaultNamespace`');
@@ -198,7 +201,11 @@ module.exports = function(modules) {
 
       const dataKeyBson = bson.serialize(dataKey);
       const context = this._mongoCrypt.makeDataKeyContext(dataKeyBson, { keyAltNames });
-      const stateMachine = new StateMachine({ bson });
+      const stateMachine = new StateMachine({
+        bson,
+        proxyOptions: this._proxyOptions,
+        tlsOptions: this._tlsOptions
+      });
 
       return promiseOrCallback(callback, cb => {
         stateMachine.execute(this, context, (err, dataKey) => {
@@ -290,7 +297,11 @@ module.exports = function(modules) {
         contextOptions.keyAltName = bson.serialize({ keyAltName });
       }
 
-      const stateMachine = new StateMachine({ bson });
+      const stateMachine = new StateMachine({
+        bson,
+        proxyOptions: this._proxyOptions,
+        tlsOptions: this._tlsOptions
+      });
       const context = this._mongoCrypt.makeExplicitEncryptionContext(valueBuffer, contextOptions);
 
       return promiseOrCallback(callback, cb => {
@@ -335,7 +346,11 @@ module.exports = function(modules) {
       const valueBuffer = bson.serialize({ v: value });
       const context = this._mongoCrypt.makeExplicitDecryptionContext(valueBuffer);
 
-      const stateMachine = new StateMachine({ bson });
+      const stateMachine = new StateMachine({
+        bson,
+        proxyOptions: this._proxyOptions,
+        tlsOptions: this._tlsOptions
+      });
 
       return promiseOrCallback(callback, cb => {
         stateMachine.execute(this, context, (err, result) => {