Package com.microsoft.sqlserver.jdbc

Class SQLServerColumnEncryptionAzureKeyVaultProvider

  • public class SQLServerColumnEncryptionAzureKeyVaultProvider
extends SQLServerColumnEncryptionKeyStoreProvider
    Provides implementation similar to certificate store provider. A CEK encrypted with certificate store provider should be decryptable by this provider and vice versa. Envelope Format for the encrypted column encryption key version + keyPathLength + ciphertextLength + keyPath + ciphertext + signature version: A single byte indicating the format version. keyPathLength: Length of the keyPath. ciphertextLength: ciphertext length keyPath: keyPath used to encrypt the column encryption key. This is only used for troubleshooting purposes and is not verified during decryption. ciphertext: Encrypted column encryption key signature: Signature of the entire byte array. Signature is validated before decrypting the column encryption key.

    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      byte[] decryptColumnEncryptionKey​(java.lang.String masterKeyPath, java.lang.String encryptionAlgorithm, byte[] encryptedColumnEncryptionKey)
      Decrypts an encrypted CEK with RSA encryption algorithm using the asymmetric key specified by the key path
      byte[] encryptColumnEncryptionKey​(java.lang.String masterKeyPath, java.lang.String encryptionAlgorithm, byte[] columnEncryptionKey)
      Encrypts CEK with RSA encryption algorithm using the asymmetric key specified by the key path.
      java.lang.String getName()
      Returns the name of this key store provider.
      void setName​(java.lang.String name)
      Sets the name of this key store provider.
      boolean verifyColumnMasterKeyMetadata​(java.lang.String masterKeyPath, boolean allowEnclaveComputations, byte[] signature)
      Verify the signature is valid for the column master key

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Constructor Detail

      • SQLServerColumnEncryptionAzureKeyVaultProvider

        public SQLServerColumnEncryptionAzureKeyVaultProvider​(java.lang.String clientId,
                                                      java.lang.String clientKey)
                                               throws SQLServerException
        Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider to authenticate to AAD using the client id and client key. This is used by KeyVault client at runtime to authenticate to Azure Key Vault.
        Parameters:
        clientId - Identifier of the client requesting the token.
        clientKey - Secret key of the client requesting the token.
        Throws:
        SQLServerException - when an error occurs

      • SQLServerColumnEncryptionAzureKeyVaultProvider

        public SQLServerColumnEncryptionAzureKeyVaultProvider​(com.azure.core.credential.TokenCredential tokenCredential)
                                               throws SQLServerException
        Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider using the provided TokenCredential to authenticate to AAD. This is used by KeyVault client at runtime to authenticate to Azure Key Vault.
        Parameters:
        tokenCredential - The TokenCredential to use to authenticate to Azure Key Vault.
        Throws:
        SQLServerException - when an error occurs

      • SQLServerColumnEncryptionAzureKeyVaultProvider

        public SQLServerColumnEncryptionAzureKeyVaultProvider​(SQLServerKeyVaultAuthenticationCallback authenticationCallback)
                                               throws SQLServerException
        Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a callback function to authenticate to AAD. This is used by KeyVault client at runtime to authenticate to Azure Key Vault. This constructor is present to maintain backwards compatibility with 8.0 version of the driver. Deprecated for removal in next stable release.
        Parameters:
        authenticationCallback - - Callback function used for authenticating to AAD.
        Throws:
        SQLServerException - when an error occurs

    • Method Detail

      • decryptColumnEncryptionKey

        public byte[] decryptColumnEncryptionKey​(java.lang.String masterKeyPath,
                                         java.lang.String encryptionAlgorithm,
                                         byte[] encryptedColumnEncryptionKey)
                                  throws SQLServerException
        Decrypts an encrypted CEK with RSA encryption algorithm using the asymmetric key specified by the key path
        Specified by:
        decryptColumnEncryptionKey in class SQLServerColumnEncryptionKeyStoreProvider
        Parameters:
        masterKeyPath - - Complete path of an asymmetric key in AKV
        encryptionAlgorithm - - Asymmetric Key Encryption Algorithm
        encryptedColumnEncryptionKey - - Encrypted Column Encryption Key
        Returns:
        Plain text column encryption key
        Throws:
        SQLServerException - when an error occurs while decrypting the CEK

      • encryptColumnEncryptionKey

        public byte[] encryptColumnEncryptionKey​(java.lang.String masterKeyPath,
                                         java.lang.String encryptionAlgorithm,
                                         byte[] columnEncryptionKey)
                                  throws SQLServerException
        Encrypts CEK with RSA encryption algorithm using the asymmetric key specified by the key path.
        Specified by:
        encryptColumnEncryptionKey in class SQLServerColumnEncryptionKeyStoreProvider
        Parameters:
        masterKeyPath - - Complete path of an asymmetric key in AKV
        encryptionAlgorithm - - Asymmetric Key Encryption Algorithm
        columnEncryptionKey - - Plain text column encryption key
        Returns:
        Encrypted column encryption key
        Throws:
        SQLServerException - when an error occurs while encrypting the CEK

      • verifyColumnMasterKeyMetadata

        public boolean verifyColumnMasterKeyMetadata​(java.lang.String masterKeyPath,
                                             boolean allowEnclaveComputations,
                                             byte[] signature)
                                      throws SQLServerException
        Description copied from class: SQLServerColumnEncryptionKeyStoreProvider
        Verify the signature is valid for the column master key
        Specified by:
        verifyColumnMasterKeyMetadata in class SQLServerColumnEncryptionKeyStoreProvider
        Parameters:
        masterKeyPath - column master key path
        allowEnclaveComputations - indicates whether the column master key supports enclave computations
        signature - signature of the column master key metadata
        Returns:
        whether the signature is valid for the column master key
        Throws:
        SQLServerException - when an error occurs while verifying the signature