Package com.microsoft.sqlserver.jdbc
Class SQLServerColumnEncryptionAzureKeyVaultProvider
- java.lang.Object
-
- com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionKeyStoreProvider
-
- com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionAzureKeyVaultProvider
-
public class SQLServerColumnEncryptionAzureKeyVaultProvider extends SQLServerColumnEncryptionKeyStoreProvider
Provides implementation similar to certificate store provider. A CEK encrypted with certificate store provider should be decryptable by this provider and vice versa. Envelope Format for the encrypted column encryption key version + keyPathLength + ciphertextLength + keyPath + ciphertext + signature version: A single byte indicating the format version. keyPathLength: Length of the keyPath. ciphertextLength: ciphertext length keyPath: keyPath used to encrypt the column encryption key. This is only used for troubleshooting purposes and is not verified during decryption. ciphertext: Encrypted column encryption key signature: Signature of the entire byte array. Signature is validated before decrypting the column encryption key.
-
-
Constructor Summary
Constructors Constructor Description SQLServerColumnEncryptionAzureKeyVaultProvider(com.azure.core.credential.TokenCredential tokenCredential)Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider using the provided TokenCredential to authenticate to AAD.SQLServerColumnEncryptionAzureKeyVaultProvider(SQLServerKeyVaultAuthenticationCallback authenticationCallback)Deprecated, for removal: This API element is subject to removal in a future version.SQLServerColumnEncryptionAzureKeyVaultProvider(String clientId, String clientKey)Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider to authenticate to AAD using the client id and client key.
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description byte[]decryptColumnEncryptionKey(String masterKeyPath, String encryptionAlgorithm, byte[] encryptedColumnEncryptionKey)Decrypts an encrypted CEK with RSA encryption algorithm using the asymmetric key specified by the key pathbyte[]encryptColumnEncryptionKey(String masterKeyPath, String encryptionAlgorithm, byte[] columnEncryptionKey)Encrypts CEK with RSA encryption algorithm using the asymmetric key specified by the key path.DurationgetColumnEncryptionKeyCacheTtl()Returns the time-to-live for items in the columnEncryptionKeyCache.StringgetName()Returns the name of this key store provider.voidsetColumnEncryptionCacheTtl(Duration duration)Sets the the time-to-live for items in the columnEncryptionKeyCache.voidsetName(String name)Sets the name of this key store provider.booleanverifyColumnMasterKeyMetadata(String masterKeyPath, boolean allowEnclaveComputations, byte[] signature)Verify the signature is valid for the column master key
-
-
-
Constructor Detail
-
SQLServerColumnEncryptionAzureKeyVaultProvider
public SQLServerColumnEncryptionAzureKeyVaultProvider(String clientId, String clientKey) throws SQLServerException
Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider to authenticate to AAD using the client id and client key. This is used by KeyVault client at runtime to authenticate to Azure Key Vault.- Parameters:
clientId- Identifier of the client requesting the token.clientKey- Secret key of the client requesting the token.- Throws:
SQLServerException- when an error occurs
-
SQLServerColumnEncryptionAzureKeyVaultProvider
public SQLServerColumnEncryptionAzureKeyVaultProvider(com.azure.core.credential.TokenCredential tokenCredential) throws SQLServerExceptionConstructs a SQLServerColumnEncryptionAzureKeyVaultProvider using the provided TokenCredential to authenticate to AAD. This is used by KeyVault client at runtime to authenticate to Azure Key Vault.- Parameters:
tokenCredential- The TokenCredential to use to authenticate to Azure Key Vault.- Throws:
SQLServerException- when an error occurs
-
SQLServerColumnEncryptionAzureKeyVaultProvider
@Deprecated(since="12.1.0", forRemoval=true) public SQLServerColumnEncryptionAzureKeyVaultProvider(SQLServerKeyVaultAuthenticationCallback authenticationCallback) throws SQLServerException
Deprecated, for removal: This API element is subject to removal in a future version.Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a callback function to authenticate to AAD. This is used by KeyVault client at runtime to authenticate to Azure Key Vault. This constructor is present to maintain backwards compatibility with 8.0 version of the driver. Deprecated for removal in next stable release.- Parameters:
authenticationCallback- - Callback function used for authenticating to AAD.- Throws:
SQLServerException- when an error occurs
-
-
Method Detail
-
setName
public void setName(String name)
Description copied from class:SQLServerColumnEncryptionKeyStoreProviderSets the name of this key store provider.- Specified by:
setNamein classSQLServerColumnEncryptionKeyStoreProvider- Parameters:
name- value to be set for the key store provider.
-
getName
public String getName()
Description copied from class:SQLServerColumnEncryptionKeyStoreProviderReturns the name of this key store provider.- Specified by:
getNamein classSQLServerColumnEncryptionKeyStoreProvider- Returns:
- the name of this key store provider.
-
getColumnEncryptionKeyCacheTtl
public Duration getColumnEncryptionKeyCacheTtl()
Returns the time-to-live for items in the columnEncryptionKeyCache.- Overrides:
getColumnEncryptionKeyCacheTtlin classSQLServerColumnEncryptionKeyStoreProvider- Returns:
- the time-to-live for items in the columnEncryptionKeyCache.
-
setColumnEncryptionCacheTtl
public void setColumnEncryptionCacheTtl(Duration duration)
Sets the the time-to-live for items in the columnEncryptionKeyCache.- Overrides:
setColumnEncryptionCacheTtlin classSQLServerColumnEncryptionKeyStoreProvider- Parameters:
duration- value to be set for the time-to-live for items in the columnEncryptionKeyCache.
-
decryptColumnEncryptionKey
public byte[] decryptColumnEncryptionKey(String masterKeyPath, String encryptionAlgorithm, byte[] encryptedColumnEncryptionKey) throws SQLServerException
Decrypts an encrypted CEK with RSA encryption algorithm using the asymmetric key specified by the key path- Specified by:
decryptColumnEncryptionKeyin classSQLServerColumnEncryptionKeyStoreProvider- Parameters:
masterKeyPath- - Complete path of an asymmetric key in AKVencryptionAlgorithm- - Asymmetric Key Encryption AlgorithmencryptedColumnEncryptionKey- - Encrypted Column Encryption Key- Returns:
- Plain text column encryption key
- Throws:
SQLServerException- when an error occurs while decrypting the CEK
-
encryptColumnEncryptionKey
public byte[] encryptColumnEncryptionKey(String masterKeyPath, String encryptionAlgorithm, byte[] columnEncryptionKey) throws SQLServerException
Encrypts CEK with RSA encryption algorithm using the asymmetric key specified by the key path.- Specified by:
encryptColumnEncryptionKeyin classSQLServerColumnEncryptionKeyStoreProvider- Parameters:
masterKeyPath- - Complete path of an asymmetric key in AKVencryptionAlgorithm- - Asymmetric Key Encryption AlgorithmcolumnEncryptionKey- - Plain text column encryption key- Returns:
- Encrypted column encryption key
- Throws:
SQLServerException- when an error occurs while encrypting the CEK
-
verifyColumnMasterKeyMetadata
public boolean verifyColumnMasterKeyMetadata(String masterKeyPath, boolean allowEnclaveComputations, byte[] signature) throws SQLServerException
Description copied from class:SQLServerColumnEncryptionKeyStoreProviderVerify the signature is valid for the column master key- Specified by:
verifyColumnMasterKeyMetadatain classSQLServerColumnEncryptionKeyStoreProvider- Parameters:
masterKeyPath- column master key pathallowEnclaveComputations- indicates whether the column master key supports enclave computationssignature- signature of the column master key metadata- Returns:
- whether the signature is valid for the column master key
- Throws:
SQLServerException- when an error occurs while verifying the signature
-
-