Package com.microsoft.sqlserver.jdbc

Class SQLServerColumnEncryptionAzureKeyVaultProvider

java.lang.Object
com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionKeyStoreProvider
com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionAzureKeyVaultProvider
public class SQLServerColumnEncryptionAzureKeyVaultProvider
extends SQLServerColumnEncryptionKeyStoreProvider
Provides implementation similar to certificate store provider. A CEK encrypted with certificate store provider should be decryptable by this provider and vice versa. Envelope Format for the encrypted column encryption key version + keyPathLength + ciphertextLength + keyPath + ciphertext + signature version: A single byte indicating the format version. keyPathLength: Length of the keyPath. ciphertextLength: ciphertext length keyPath: keyPath used to encrypt the column encryption key. This is only used for troubleshooting purposes and is not verified during decryption. ciphertext: Encrypted column encryption key signature: Signature of the entire byte array. Signature is validated before decrypting the column encryption key.

  • Constructor Summary

    Constructors 
    Constructor Description
    SQLServerColumnEncryptionAzureKeyVaultProvider​(SQLServerKeyVaultAuthenticationCallback authenticationCallback)
    Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a callback function to authenticate to AAD.
    SQLServerColumnEncryptionAzureKeyVaultProvider​(SQLServerKeyVaultAuthenticationCallback authenticationCallback, java.util.concurrent.ExecutorService executorService)
    Deprecated.
    SQLServerColumnEncryptionAzureKeyVaultProvider​(java.lang.String clientId, java.lang.String clientKey)
    Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a client id and client key to authenticate to AAD.

  • Method Summary

    Modifier and Type Method Description
    byte[] decryptColumnEncryptionKey​(java.lang.String masterKeyPath, java.lang.String encryptionAlgorithm, byte[] encryptedColumnEncryptionKey)
    Decrypts an encrypted CEK with RSA encryption algorithm using the asymmetric key specified by the key path
    byte[] encryptColumnEncryptionKey​(java.lang.String masterKeyPath, java.lang.String encryptionAlgorithm, byte[] columnEncryptionKey)
    Encrypts CEK with RSA encryption algorithm using the asymmetric key specified by the key path.
    java.lang.String getName()
    Returns the name of this key store provider.
    void setName​(java.lang.String name)
    Sets the name of this key store provider.
    boolean verifyColumnMasterKeyMetadata​(java.lang.String masterKeyPath, boolean allowEnclaveComputations, byte[] signature)
    Verify the signature is valid for the column master key

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

  • Constructor Details

    • SQLServerColumnEncryptionAzureKeyVaultProvider

      public SQLServerColumnEncryptionAzureKeyVaultProvider​(java.lang.String clientId, java.lang.String clientKey) throws SQLServerException
      Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a client id and client key to authenticate to AAD. This is used by KeyVaultClient at runtime to authenticate to Azure Key Vault.
      Parameters:
      clientId - Identifier of the client requesting the token.
      clientKey - Key of the client requesting the token.
      Throws:
      SQLServerException - when an error occurs

    • SQLServerColumnEncryptionAzureKeyVaultProvider

      @Deprecated public SQLServerColumnEncryptionAzureKeyVaultProvider​(SQLServerKeyVaultAuthenticationCallback authenticationCallback, java.util.concurrent.ExecutorService executorService) throws SQLServerException
      Deprecated.
      Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a callback function to authenticate to AAD and an executor service.. This is used by KeyVaultClient at runtime to authenticate to Azure Key Vault. This constructor is present to maintain backwards compatibility with 6.0 version of the driver. Deprecated for removal in next stable release.
      Parameters:
      authenticationCallback - - Callback function used for authenticating to AAD.
      executorService - - The ExecutorService, previously used to create the keyVaultClient, but not in use anymore. - This parameter can be passed as 'null'
      Throws:
      SQLServerException - when an error occurs

    • SQLServerColumnEncryptionAzureKeyVaultProvider

      public SQLServerColumnEncryptionAzureKeyVaultProvider​(SQLServerKeyVaultAuthenticationCallback authenticationCallback) throws SQLServerException
      Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a callback function to authenticate to AAD. This is used by KeyVaultClient at runtime to authenticate to Azure Key Vault.
      Parameters:
      authenticationCallback - - Callback function used for authenticating to AAD.
      Throws:
      SQLServerException - when an error occurs

  • Method Details