Package com.microsoft.sqlserver.jdbc

Class SQLServerColumnEncryptionAzureKeyVaultProvider

java.lang.Object

com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionKeyStoreProvider

com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionAzureKeyVaultProvider

public class SQLServerColumnEncryptionAzureKeyVaultProvider
extends SQLServerColumnEncryptionKeyStoreProvider

Provides implementation similar to certificate store provider. A CEK encrypted with certificate store provider should be decryptable by this provider and vice versa. Envelope Format for the encrypted column encryption key version + keyPathLength + ciphertextLength + keyPath + ciphertext + signature version: A single byte indicating the format version. keyPathLength: Length of the keyPath. ciphertextLength: ciphertext length keyPath: keyPath used to encrypt the column encryption key. This is only used for troubleshooting purposes and is not verified during decryption. ciphertext: Encrypted column encryption key signature: Signature of the entire byte array. Signature is validated before decrypting the column encryption key.

Constructor Summary

Constructors

Constructor	Description
SQLServerColumnEncryptionAzureKeyVaultProvider(SQLServerKeyVaultAuthenticationCallback authenticationCallback)	Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a callback function to authenticate to AAD.
SQLServerColumnEncryptionAzureKeyVaultProvider(SQLServerKeyVaultAuthenticationCallback authenticationCallback, ExecutorService executorService)	Deprecated.
SQLServerColumnEncryptionAzureKeyVaultProvider(String clientId, String clientKey)	Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a client id and client key to authenticate to AAD.

Method Summary

Modifier and Type	Method	Description
byte[]	decryptColumnEncryptionKey(String masterKeyPath, String encryptionAlgorithm, byte[] encryptedColumnEncryptionKey)	Decryptes an encrypted CEK with RSA encryption algorithm using the asymmetric key specified by the key path
byte[]	encryptColumnEncryptionKey(String masterKeyPath, String encryptionAlgorithm, byte[] columnEncryptionKey)	Encrypts CEK with RSA encryption algorithm using the asymmetric key specified by the key path.
String	getName()	Returns the name of this key store provider.
void	setName(String name)	Sets the name of this key store provider.
boolean	verifyColumnMasterKeyMetadata(String masterKeyPath, boolean allowEnclaveComputations, byte[] signature)	Verify the signature is valid for the column master key

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SQLServerColumnEncryptionAzureKeyVaultProvider

@Deprecated
public SQLServerColumnEncryptionAzureKeyVaultProvider(SQLServerKeyVaultAuthenticationCallback authenticationCallback,
                                                      ExecutorService executorService)
                                               throws SQLServerException

Deprecated.

Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a callback function to authenticate to AAD and an executor service.. This is used by KeyVaultClient at runtime to authenticate to Azure Key Vault. This constructor is present to maintain backwards compatibility with 6.0 version of the driver. Deprecated for removal in next stable release.

Parameters:

authenticationCallback - - Callback function used for authenticating to AAD.

executorService - - The ExecutorService, previously used to create the keyVaultClient, but not in use anymore. - This parameter can be passed as 'null'

Throws:

SQLServerException - when an error occurs

SQLServerColumnEncryptionAzureKeyVaultProvider

public SQLServerColumnEncryptionAzureKeyVaultProvider(SQLServerKeyVaultAuthenticationCallback authenticationCallback)
                                               throws SQLServerException

Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a callback function to authenticate to AAD. This is used by KeyVaultClient at runtime to authenticate to Azure Key Vault.

Parameters:

authenticationCallback - - Callback function used for authenticating to AAD.

Throws:

SQLServerException - when an error occurs

SQLServerColumnEncryptionAzureKeyVaultProvider

public SQLServerColumnEncryptionAzureKeyVaultProvider(String clientId,
                                                      String clientKey)
                                               throws SQLServerException

Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a client id and client key to authenticate to AAD. This is used by KeyVaultClient at runtime to authenticate to Azure Key Vault.

Parameters:

clientId - Identifier of the client requesting the token.

clientKey - Key of the client requesting the token.

Throws:

SQLServerException - when an error occurs

Method Detail

setName

public void setName(String name)

Description copied from class: SQLServerColumnEncryptionKeyStoreProvider

Sets the name of this key store provider.

Specified by:

setName in class SQLServerColumnEncryptionKeyStoreProvider

Parameters:

name - value to be set for the key store provider.

getName

public String getName()

Description copied from class: SQLServerColumnEncryptionKeyStoreProvider

Returns the name of this key store provider.

Specified by:

getName in class SQLServerColumnEncryptionKeyStoreProvider

Returns:

the name of this key store provider.

decryptColumnEncryptionKey

public byte[] decryptColumnEncryptionKey(String masterKeyPath,
                                         String encryptionAlgorithm,
                                         byte[] encryptedColumnEncryptionKey)
                                  throws SQLServerException

Decryptes an encrypted CEK with RSA encryption algorithm using the asymmetric key specified by the key path

Specified by:

decryptColumnEncryptionKey in class SQLServerColumnEncryptionKeyStoreProvider

Parameters:

masterKeyPath - - Complete path of an asymmetric key in AKV

encryptionAlgorithm - - Asymmetric Key Encryption Algorithm

encryptedColumnEncryptionKey - - Encrypted Column Encryption Key

Returns:

Plain text column encryption key

Throws:

SQLServerException - when an error occurs while decrypting the CEK

encryptColumnEncryptionKey

public byte[] encryptColumnEncryptionKey(String masterKeyPath,
                                         String encryptionAlgorithm,
                                         byte[] columnEncryptionKey)
                                  throws SQLServerException

Encrypts CEK with RSA encryption algorithm using the asymmetric key specified by the key path.

Specified by:

encryptColumnEncryptionKey in class SQLServerColumnEncryptionKeyStoreProvider

Parameters:

masterKeyPath - - Complete path of an asymmetric key in AKV

encryptionAlgorithm - - Asymmetric Key Encryption Algorithm

columnEncryptionKey - - Plain text column encryption key

Returns:

Encrypted column encryption key

Throws:

SQLServerException - when an error occurs while encrypting the CEK

verifyColumnMasterKeyMetadata

public boolean verifyColumnMasterKeyMetadata(String masterKeyPath,
                                             boolean allowEnclaveComputations,
                                             byte[] signature)
                                      throws SQLServerException

Description copied from class: SQLServerColumnEncryptionKeyStoreProvider

Verify the signature is valid for the column master key

Specified by:

verifyColumnMasterKeyMetadata in class SQLServerColumnEncryptionKeyStoreProvider

Parameters:

masterKeyPath - column master key path

allowEnclaveComputations - indicates whether the column master key supports enclave computations

signature - signature of the column master key metadata

Returns:

whether the signature is valid for the column master key

Throws:

SQLServerException - when an error occurs while verifying the signature