Class SQLServerColumnEncryptionAzureKeyVaultProvider

java.lang.Object
com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionKeyStoreProvider
com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionAzureKeyVaultProvider

public class SQLServerColumnEncryptionAzureKeyVaultProvider
extends SQLServerColumnEncryptionKeyStoreProvider
Provides implementation similar to certificate store provider. A CEK encrypted with certificate store provider should be decryptable by this provider and vice versa.

Envelope format for the encrypted column encryption key:

version + keyPathLength + ciphertextLength + keyPath + ciphertext + signature

version: A single byte indicating the format version.
keyPathLength: Length of the keyPath.
ciphertextLength: Length of the ciphertext.
keyPath: keyPath used to encrypt the column encryption key. This is only used for troubleshooting purposes and is not verified during decryption.
ciphertext: Encrypted column encryption key.
signature: Signature of the entire byte array. Signature is validated before decrypting the column encryption key.
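The envelope layout described above, split into its fields with bounds checks. This is an added example, not code from the driver. The class name CekEnvelope is hypothetical, and the 2-byte little-endian length fields and the UTF-16LE key path encoding are assumptions that this page does not state.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;

/** Added example: splits an encrypted-CEK envelope into the fields listed above. */
public class CekEnvelope {
    final int version;
    final String keyPath;      // diagnostic only: not verified during decryption
    final byte[] ciphertext;
    final byte[] signature;

    CekEnvelope(int version, String keyPath, byte[] ciphertext, byte[] signature) {
        this.version = version; this.keyPath = keyPath;
        this.ciphertext = ciphertext; this.signature = signature;
    }

    static CekEnvelope parse(byte[] blob) {
        // Assumed layout: 1-byte version, then two 2-byte little-endian lengths.
        if (blob == null || blob.length < 5)
            throw new IllegalArgumentException("envelope shorter than its fixed header");
        ByteBuffer buf = ByteBuffer.wrap(blob).order(ByteOrder.LITTLE_ENDIAN);
        int version = Byte.toUnsignedInt(buf.get());
        int keyPathLen = Short.toUnsignedInt(buf.getShort());
        int cipherLen = Short.toUnsignedInt(buf.getShort());
        // Reject lengths that overrun the buffer or leave no room for a signature.
        if (keyPathLen + cipherLen >= buf.remaining())
            throw new IllegalArgumentException("declared lengths exceed envelope size");
        byte[] path = new byte[keyPathLen];
        byte[] ciphertext = new byte[cipherLen];
        buf.get(path).get(ciphertext);
        byte[] signature = new byte[buf.remaining()];
        buf.get(signature);
        // Assumption: the key path is stored as UTF-16LE text.
        return new CekEnvelope(version, new String(path, StandardCharsets.UTF_16LE),
                ciphertext, signature);
    }

    public static void main(String[] args) {
        // Constructed sample: placeholder key path, dummy ciphertext and signature bytes.
        byte[] path = "https://example.invalid/keys/cmk".getBytes(StandardCharsets.UTF_16LE);
        byte[] ct = {1, 2, 3, 4}, sig = {9, 9, 9};
        ByteBuffer b = ByteBuffer.allocate(5 + path.length + ct.length + sig.length)
                .order(ByteOrder.LITTLE_ENDIAN);
        b.put((byte) 1).putShort((short) path.length).putShort((short) ct.length)
                .put(path).put(ct).put(sig);
        CekEnvelope e = parse(b.array());
        System.out.println("version=" + e.version + " keyPath=" + e.keyPath
                + " ciphertext=" + e.ciphertext.length + "B signature=" + e.signature.length + "B");
    }
}
```

Because the embedded keyPath is not verified during decryption, treat the parsed value as a troubleshooting aid only and take the authoritative key path from the masterKeyPath argument.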
  • Constructor Summary

    Constructors
    Constructor Description
    SQLServerColumnEncryptionAzureKeyVaultProvider​(com.azure.core.credential.TokenCredential tokenCredential)
    Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider using the provided TokenCredential to authenticate to AAD.
    SQLServerColumnEncryptionAzureKeyVaultProvider​(SQLServerKeyVaultAuthenticationCallback authenticationCallback)
    Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a callback function to authenticate to AAD.
    SQLServerColumnEncryptionAzureKeyVaultProvider​(java.lang.String clientId, java.lang.String clientKey)
    Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider to authenticate to AAD using the client id and client key.
  • Method Summary

    Modifier and Type Method Description
    byte[] decryptColumnEncryptionKey​(java.lang.String masterKeyPath, java.lang.String encryptionAlgorithm, byte[] encryptedColumnEncryptionKey)
    Decrypts an encrypted CEK with RSA encryption algorithm using the asymmetric key specified by the key path.
    byte[] encryptColumnEncryptionKey​(java.lang.String masterKeyPath, java.lang.String encryptionAlgorithm, byte[] columnEncryptionKey)
    Encrypts CEK with RSA encryption algorithm using the asymmetric key specified by the key path.
    java.lang.String getName()
    Returns the name of this key store provider.
    void setName​(java.lang.String name)
    Sets the name of this key store provider.
    boolean verifyColumnMasterKeyMetadata​(java.lang.String masterKeyPath, boolean allowEnclaveComputations, byte[] signature)
    Verifies that the signature is valid for the column master key.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • SQLServerColumnEncryptionAzureKeyVaultProvider

      public SQLServerColumnEncryptionAzureKeyVaultProvider​(java.lang.String clientId, java.lang.String clientKey) throws SQLServerException
      Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider to authenticate to AAD using the client id and client key. This is used by KeyVault client at runtime to authenticate to Azure Key Vault.
      Parameters:
      clientId - Identifier of the client requesting the token.
      clientKey - Secret key of the client requesting the token.
      Throws:
      SQLServerException - when an error occurs
    • SQLServerColumnEncryptionAzureKeyVaultProvider

      public SQLServerColumnEncryptionAzureKeyVaultProvider​(com.azure.core.credential.TokenCredential tokenCredential) throws SQLServerException
      Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider using the provided TokenCredential to authenticate to AAD. This is used by KeyVault client at runtime to authenticate to Azure Key Vault.
      Parameters:
      tokenCredential - The TokenCredential to use to authenticate to Azure Key Vault.
      Throws:
      SQLServerException - when an error occurs
    • SQLServerColumnEncryptionAzureKeyVaultProvider

      public SQLServerColumnEncryptionAzureKeyVaultProvider​(SQLServerKeyVaultAuthenticationCallback authenticationCallback) throws SQLServerException
      Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a callback function to authenticate to AAD. This is used by KeyVault client at runtime to authenticate to Azure Key Vault. This constructor is present to maintain backwards compatibility with 8.0 version of the driver. Deprecated for removal in next stable release.
      Parameters:
      authenticationCallback - Callback function used for authenticating to AAD.
      Throws:
      SQLServerException - when an error occurs
  • Method Details

    • setName

      public void setName​(java.lang.String name)
      Description copied from class: SQLServerColumnEncryptionKeyStoreProvider
      Sets the name of this key store provider.
      Specified by:
      setName in class SQLServerColumnEncryptionKeyStoreProvider
      Parameters:
      name - value to be set for the key store provider.
    • getName

      public java.lang.String getName()
      Description copied from class: SQLServerColumnEncryptionKeyStoreProvider
      Returns the name of this key store provider.
      Specified by:
      getName in class SQLServerColumnEncryptionKeyStoreProvider
      Returns:
      the name of this key store provider.
    • decryptColumnEncryptionKey

      public byte[] decryptColumnEncryptionKey​(java.lang.String masterKeyPath, java.lang.String encryptionAlgorithm, byte[] encryptedColumnEncryptionKey) throws SQLServerException
      Decrypts an encrypted CEK with RSA encryption algorithm using the asymmetric key specified by the key path.
      Specified by:
      decryptColumnEncryptionKey in class SQLServerColumnEncryptionKeyStoreProvider
      Parameters:
      masterKeyPath - Complete path of an asymmetric key in AKV
      encryptionAlgorithm - Asymmetric Key Encryption Algorithm
      encryptedColumnEncryptionKey - Encrypted Column Encryption Key
      Returns:
      Plain text column encryption key
      Throws:
      SQLServerException - when an error occurs while decrypting the CEK
    • encryptColumnEncryptionKey

      public byte[] encryptColumnEncryptionKey​(java.lang.String masterKeyPath, java.lang.String encryptionAlgorithm, byte[] columnEncryptionKey) throws SQLServerException
      Encrypts CEK with RSA encryption algorithm using the asymmetric key specified by the key path.
      Specified by:
      encryptColumnEncryptionKey in class SQLServerColumnEncryptionKeyStoreProvider
      Parameters:
      masterKeyPath - Complete path of an asymmetric key in AKV
      encryptionAlgorithm - Asymmetric Key Encryption Algorithm
      columnEncryptionKey - Plain text column encryption key
      Returns:
      Encrypted column encryption key
      Throws:
      SQLServerException - when an error occurs while encrypting the CEK
    • verifyColumnMasterKeyMetadata

      public boolean verifyColumnMasterKeyMetadata​(java.lang.String masterKeyPath, boolean allowEnclaveComputations, byte[] signature) throws SQLServerException
      Description copied from class: SQLServerColumnEncryptionKeyStoreProvider
      Verifies that the signature is valid for the column master key.
      Specified by:
      verifyColumnMasterKeyMetadata in class SQLServerColumnEncryptionKeyStoreProvider
      Parameters:
      masterKeyPath - column master key path
      allowEnclaveComputations - indicates whether the column master key supports enclave computations
      signature - signature of the column master key metadata
      Returns:
      whether the signature is valid for the column master key
      Throws:
      SQLServerException - when an error occurs while verifying the signature