Package com.microsoft.sqlserver.jdbc

Class SQLServerColumnEncryptionAzureKeyVaultProvider

java.lang.Object

com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionKeyStoreProvider

com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionAzureKeyVaultProvider

public class SQLServerColumnEncryptionAzureKeyVaultProvider
extends SQLServerColumnEncryptionKeyStoreProvider

Provides implementation similar to certificate store provider. A CEK encrypted with certificate store provider should be decryptable by this provider and vice versa. Envelope Format for the encrypted column encryption key version + keyPathLength + ciphertextLength + keyPath + ciphertext + signature version: A single byte indicating the format version. keyPathLength: Length of the keyPath. ciphertextLength: ciphertext length keyPath: keyPath used to encrypt the column encryption key. This is only used for troubleshooting purposes and is not verified during decryption. ciphertext: Encrypted column encryption key signature: Signature of the entire byte array. Signature is validated before decrypting the column encryption key.

Constructor Summary

Constructors

Constructor	Description
SQLServerColumnEncryptionAzureKeyVaultProvider(com.azure.core.credential.TokenCredential tokenCredential)	Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider using the provided TokenCredential to authenticate to AAD.
SQLServerColumnEncryptionAzureKeyVaultProvider(SQLServerKeyVaultAuthenticationCallback authenticationCallback)	Deprecated, for removal: This API element is subject to removal in a future version.
SQLServerColumnEncryptionAzureKeyVaultProvider(String clientId, String clientKey)	Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider to authenticate to AAD using the client id and client key.

Method Summary

Modifier and Type	Method	Description
byte[]	decryptColumnEncryptionKey(String masterKeyPath, String encryptionAlgorithm, byte[] encryptedColumnEncryptionKey)	Decrypts an encrypted CEK with RSA encryption algorithm using the asymmetric key specified by the key path
byte[]	encryptColumnEncryptionKey(String masterKeyPath, String encryptionAlgorithm, byte[] columnEncryptionKey)	Encrypts CEK with RSA encryption algorithm using the asymmetric key specified by the key path.
Duration	getColumnEncryptionKeyCacheTtl()	Returns the time-to-live for items in the columnEncryptionKeyCache.
String	getName()	Returns the name of this key store provider.
void	setColumnEncryptionCacheTtl(Duration duration)	Sets the the time-to-live for items in the columnEncryptionKeyCache.
void	setName(String name)	Sets the name of this key store provider.
byte[]	signColumnMasterKeyMetadata(String masterKeyPath, boolean allowEnclaveComputations)	Sign column master key metadata
boolean	verifyColumnMasterKeyMetadata(String masterKeyPath, boolean allowEnclaveComputations, byte[] signature)	Verify the signature is valid for the column master key

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SQLServerColumnEncryptionAzureKeyVaultProvider

public SQLServerColumnEncryptionAzureKeyVaultProvider(String clientId,
                                                      String clientKey)
                                               throws SQLServerException

Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider to authenticate to AAD using the client id and client key. This is used by KeyVault client at runtime to authenticate to Azure Key Vault.

Parameters:

clientId - Identifier of the client requesting the token.

clientKey - Secret key of the client requesting the token.

Throws:

SQLServerException - when an error occurs

SQLServerColumnEncryptionAzureKeyVaultProvider

public SQLServerColumnEncryptionAzureKeyVaultProvider(com.azure.core.credential.TokenCredential tokenCredential)
                                               throws SQLServerException

Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider using the provided TokenCredential to authenticate to AAD. This is used by KeyVault client at runtime to authenticate to Azure Key Vault.

Parameters:

tokenCredential - The TokenCredential to use to authenticate to Azure Key Vault.

Throws:

SQLServerException - when an error occurs

SQLServerColumnEncryptionAzureKeyVaultProvider

@Deprecated(since="12.1.0",
            forRemoval=true)
public SQLServerColumnEncryptionAzureKeyVaultProvider(SQLServerKeyVaultAuthenticationCallback authenticationCallback)
                                               throws SQLServerException

Deprecated, for removal: This API element is subject to removal in a future version.

Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a callback function to authenticate to AAD. This is used by KeyVault client at runtime to authenticate to Azure Key Vault. This constructor is present to maintain backwards compatibility with 8.0 version of the driver. Deprecated for removal in next stable release.

Parameters:

authenticationCallback - - Callback function used for authenticating to AAD.

Throws:

SQLServerException - when an error occurs

Method Detail

setName

public void setName(String name)

Description copied from class: SQLServerColumnEncryptionKeyStoreProvider

Sets the name of this key store provider.

Specified by:

setName in class SQLServerColumnEncryptionKeyStoreProvider

Parameters:

name - value to be set for the key store provider.

getName

public String getName()

Description copied from class: SQLServerColumnEncryptionKeyStoreProvider

Returns the name of this key store provider.

Specified by:

getName in class SQLServerColumnEncryptionKeyStoreProvider

Returns:

the name of this key store provider.

getColumnEncryptionKeyCacheTtl

public Duration getColumnEncryptionKeyCacheTtl()

Returns the time-to-live for items in the columnEncryptionKeyCache.

Overrides:

getColumnEncryptionKeyCacheTtl in class SQLServerColumnEncryptionKeyStoreProvider

Returns:

the time-to-live for items in the columnEncryptionKeyCache.

setColumnEncryptionCacheTtl

public void setColumnEncryptionCacheTtl(Duration duration)

Sets the the time-to-live for items in the columnEncryptionKeyCache.

Overrides:

setColumnEncryptionCacheTtl in class SQLServerColumnEncryptionKeyStoreProvider

Parameters:

duration - value to be set for the time-to-live for items in the columnEncryptionKeyCache.

decryptColumnEncryptionKey

public byte[] decryptColumnEncryptionKey(String masterKeyPath,
                                         String encryptionAlgorithm,
                                         byte[] encryptedColumnEncryptionKey)
                                  throws SQLServerException

Decrypts an encrypted CEK with RSA encryption algorithm using the asymmetric key specified by the key path

Specified by:

decryptColumnEncryptionKey in class SQLServerColumnEncryptionKeyStoreProvider

Parameters:

masterKeyPath - - Complete path of an asymmetric key in AKV

encryptionAlgorithm - - Asymmetric Key Encryption Algorithm

encryptedColumnEncryptionKey - - Encrypted Column Encryption Key

Returns:

Plain text column encryption key

Throws:

SQLServerException - when an error occurs while decrypting the CEK

encryptColumnEncryptionKey

public byte[] encryptColumnEncryptionKey(String masterKeyPath,
                                         String encryptionAlgorithm,
                                         byte[] columnEncryptionKey)
                                  throws SQLServerException

Encrypts CEK with RSA encryption algorithm using the asymmetric key specified by the key path.

Specified by:

encryptColumnEncryptionKey in class SQLServerColumnEncryptionKeyStoreProvider

Parameters:

masterKeyPath - - Complete path of an asymmetric key in AKV

encryptionAlgorithm - - Asymmetric Key Encryption Algorithm

columnEncryptionKey - - Plain text column encryption key

Returns:

Encrypted column encryption key

Throws:

SQLServerException - when an error occurs while encrypting the CEK

verifyColumnMasterKeyMetadata

public boolean verifyColumnMasterKeyMetadata(String masterKeyPath,
                                             boolean allowEnclaveComputations,
                                             byte[] signature)
                                      throws SQLServerException

Description copied from class: SQLServerColumnEncryptionKeyStoreProvider

Verify the signature is valid for the column master key

Specified by:

verifyColumnMasterKeyMetadata in class SQLServerColumnEncryptionKeyStoreProvider

Parameters:

masterKeyPath - column master key path

allowEnclaveComputations - indicates whether the column master key supports enclave computations

signature - signature of the column master key metadata

Returns:

whether the signature is valid for the column master key

Throws:

SQLServerException - when an error occurs while verifying the signature

signColumnMasterKeyMetadata

public byte[] signColumnMasterKeyMetadata(String masterKeyPath,
                                          boolean allowEnclaveComputations)
                                   throws SQLServerException

Sign column master key metadata

Parameters:

masterKeyPath - master key path

allowEnclaveComputations - flag whether to allow enclave computations

Returns:

column master key metadata

Throws:

SQLServerException - when an error occurs