Package com.microsoft.sqlserver.jdbc
Class SQLServerColumnEncryptionAzureKeyVaultProvider
java.lang.Object
com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionKeyStoreProvider
com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionAzureKeyVaultProvider
public class SQLServerColumnEncryptionAzureKeyVaultProvider
extends SQLServerColumnEncryptionKeyStoreProvider
Provides implementation similar to certificate store provider. A CEK encrypted with certificate store provider should
be decryptable by this provider and vice versa.
Envelope Format for the encrypted column encryption key version + keyPathLength + ciphertextLength + keyPath +
ciphertext + signature version: A single byte indicating the format version. keyPathLength: Length of the keyPath.
ciphertextLength: ciphertext length keyPath: keyPath used to encrypt the column encryption key. This is only used for
troubleshooting purposes and is not verified during decryption. ciphertext: Encrypted column encryption key
signature: Signature of the entire byte array. Signature is validated before decrypting the column encryption key.
-
Constructor Summary
ConstructorsConstructorDescriptionSQLServerColumnEncryptionAzureKeyVaultProvider(com.azure.core.credential.TokenCredential tokenCredential) Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider using the provided TokenCredential to authenticate to AAD.SQLServerColumnEncryptionAzureKeyVaultProvider(SQLServerKeyVaultAuthenticationCallback authenticationCallback) Deprecated, for removal: This API element is subject to removal in a future version.SQLServerColumnEncryptionAzureKeyVaultProvider(String clientId, String clientKey) Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider to authenticate to AAD using the client id and client key. -
Method Summary
Modifier and TypeMethodDescriptionbyte[]decryptColumnEncryptionKey(String masterKeyPath, String encryptionAlgorithm, byte[] encryptedColumnEncryptionKey) Decrypts an encrypted CEK with RSA encryption algorithm using the asymmetric key specified by the key pathbyte[]encryptColumnEncryptionKey(String masterKeyPath, String encryptionAlgorithm, byte[] columnEncryptionKey) Encrypts CEK with RSA encryption algorithm using the asymmetric key specified by the key path.Returns the time-to-live for items in the columnEncryptionKeyCache.getName()Returns the name of this key store provider.voidsetColumnEncryptionCacheTtl(Duration duration) Sets the the time-to-live for items in the columnEncryptionKeyCache.voidSets the name of this key store provider.booleanverifyColumnMasterKeyMetadata(String masterKeyPath, boolean allowEnclaveComputations, byte[] signature) Verify the signature is valid for the column master key
-
Constructor Details
-
SQLServerColumnEncryptionAzureKeyVaultProvider
public SQLServerColumnEncryptionAzureKeyVaultProvider(String clientId, String clientKey) throws SQLServerException Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider to authenticate to AAD using the client id and client key. This is used by KeyVault client at runtime to authenticate to Azure Key Vault.- Parameters:
clientId- Identifier of the client requesting the token.clientKey- Secret key of the client requesting the token.- Throws:
SQLServerException- when an error occurs
-
SQLServerColumnEncryptionAzureKeyVaultProvider
public SQLServerColumnEncryptionAzureKeyVaultProvider(com.azure.core.credential.TokenCredential tokenCredential) throws SQLServerException Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider using the provided TokenCredential to authenticate to AAD. This is used by KeyVault client at runtime to authenticate to Azure Key Vault.- Parameters:
tokenCredential- The TokenCredential to use to authenticate to Azure Key Vault.- Throws:
SQLServerException- when an error occurs
-
SQLServerColumnEncryptionAzureKeyVaultProvider
@Deprecated(since="12.1.0", forRemoval=true) public SQLServerColumnEncryptionAzureKeyVaultProvider(SQLServerKeyVaultAuthenticationCallback authenticationCallback) throws SQLServerException Deprecated, for removal: This API element is subject to removal in a future version.Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a callback function to authenticate to AAD. This is used by KeyVault client at runtime to authenticate to Azure Key Vault. This constructor is present to maintain backwards compatibility with 8.0 version of the driver. Deprecated for removal in next stable release.- Parameters:
authenticationCallback- - Callback function used for authenticating to AAD.- Throws:
SQLServerException- when an error occurs
-
-
Method Details
-
setName
Description copied from class:SQLServerColumnEncryptionKeyStoreProviderSets the name of this key store provider.- Specified by:
setNamein classSQLServerColumnEncryptionKeyStoreProvider- Parameters:
name- value to be set for the key store provider.
-
getName
Description copied from class:SQLServerColumnEncryptionKeyStoreProviderReturns the name of this key store provider.- Specified by:
getNamein classSQLServerColumnEncryptionKeyStoreProvider- Returns:
- the name of this key store provider.
-
getColumnEncryptionKeyCacheTtl
Returns the time-to-live for items in the columnEncryptionKeyCache.- Overrides:
getColumnEncryptionKeyCacheTtlin classSQLServerColumnEncryptionKeyStoreProvider- Returns:
- the time-to-live for items in the columnEncryptionKeyCache.
-
setColumnEncryptionCacheTtl
Sets the the time-to-live for items in the columnEncryptionKeyCache.- Overrides:
setColumnEncryptionCacheTtlin classSQLServerColumnEncryptionKeyStoreProvider- Parameters:
duration- value to be set for the time-to-live for items in the columnEncryptionKeyCache.
-
decryptColumnEncryptionKey
public byte[] decryptColumnEncryptionKey(String masterKeyPath, String encryptionAlgorithm, byte[] encryptedColumnEncryptionKey) throws SQLServerException Decrypts an encrypted CEK with RSA encryption algorithm using the asymmetric key specified by the key path- Specified by:
decryptColumnEncryptionKeyin classSQLServerColumnEncryptionKeyStoreProvider- Parameters:
masterKeyPath- - Complete path of an asymmetric key in AKVencryptionAlgorithm- - Asymmetric Key Encryption AlgorithmencryptedColumnEncryptionKey- - Encrypted Column Encryption Key- Returns:
- Plain text column encryption key
- Throws:
SQLServerException- when an error occurs while decrypting the CEK
-
encryptColumnEncryptionKey
public byte[] encryptColumnEncryptionKey(String masterKeyPath, String encryptionAlgorithm, byte[] columnEncryptionKey) throws SQLServerException Encrypts CEK with RSA encryption algorithm using the asymmetric key specified by the key path.- Specified by:
encryptColumnEncryptionKeyin classSQLServerColumnEncryptionKeyStoreProvider- Parameters:
masterKeyPath- - Complete path of an asymmetric key in AKVencryptionAlgorithm- - Asymmetric Key Encryption AlgorithmcolumnEncryptionKey- - Plain text column encryption key- Returns:
- Encrypted column encryption key
- Throws:
SQLServerException- when an error occurs while encrypting the CEK
-
verifyColumnMasterKeyMetadata
public boolean verifyColumnMasterKeyMetadata(String masterKeyPath, boolean allowEnclaveComputations, byte[] signature) throws SQLServerException Description copied from class:SQLServerColumnEncryptionKeyStoreProviderVerify the signature is valid for the column master key- Specified by:
verifyColumnMasterKeyMetadatain classSQLServerColumnEncryptionKeyStoreProvider- Parameters:
masterKeyPath- column master key pathallowEnclaveComputations- indicates whether the column master key supports enclave computationssignature- signature of the column master key metadata- Returns:
- whether the signature is valid for the column master key
- Throws:
SQLServerException- when an error occurs while verifying the signature
-