Package com.microsoft.sqlserver.jdbc

Class SQLServerColumnEncryptionAzureKeyVaultProvider

java.lang.Object

com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionKeyStoreProvider

com.microsoft.sqlserver.jdbc.SQLServerColumnEncryptionAzureKeyVaultProvider

public class SQLServerColumnEncryptionAzureKeyVaultProvider
extends SQLServerColumnEncryptionKeyStoreProvider

Provides implementation similar to certificate store provider. A CEK encrypted with certificate store provider should be decryptable by this provider and vice versa. Envelope Format for the encrypted column encryption key version + keyPathLength + ciphertextLength + keyPath + ciphertext + signature version: A single byte indicating the format version. keyPathLength: Length of the keyPath. ciphertextLength: ciphertext length keyPath: keyPath used to encrypt the column encryption key. This is only used for troubleshooting purposes and is not verified during decryption. ciphertext: Encrypted column encryption key signature: Signature of the entire byte array. Signature is validated before decrypting the column encryption key.

Constructor Summary

Constructors

Constructor	Description
SQLServerColumnEncryptionAzureKeyVaultProvider(com.azure.core.credential.TokenCredential tokenCredential)	Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider using the provided TokenCredential to authenticate to AAD.
SQLServerColumnEncryptionAzureKeyVaultProvider(SQLServerKeyVaultAuthenticationCallback authenticationCallback)	Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a callback function to authenticate to AAD.
SQLServerColumnEncryptionAzureKeyVaultProvider(String clientId, String clientKey)	Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider to authenticate to AAD using the client id and client key.

Method Summary

Modifier and Type	Method	Description
byte[]	decryptColumnEncryptionKey(String masterKeyPath, String encryptionAlgorithm, byte[] encryptedColumnEncryptionKey)	Decrypts an encrypted CEK with RSA encryption algorithm using the asymmetric key specified by the key path
byte[]	encryptColumnEncryptionKey(String masterKeyPath, String encryptionAlgorithm, byte[] columnEncryptionKey)	Encrypts CEK with RSA encryption algorithm using the asymmetric key specified by the key path.
String	getName()	Returns the name of this key store provider.
void	setName(String name)	Sets the name of this key store provider.
boolean	verifyColumnMasterKeyMetadata(String masterKeyPath, boolean allowEnclaveComputations, byte[] signature)	Verify the signature is valid for the column master key

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SQLServerColumnEncryptionAzureKeyVaultProvider

public SQLServerColumnEncryptionAzureKeyVaultProvider(String clientId,
                                                      String clientKey)
                                               throws SQLServerException

Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider to authenticate to AAD using the client id and client key. This is used by KeyVault client at runtime to authenticate to Azure Key Vault.

Parameters:

clientId - Identifier of the client requesting the token.

clientKey - Secret key of the client requesting the token.

Throws:

SQLServerException - when an error occurs

SQLServerColumnEncryptionAzureKeyVaultProvider

public SQLServerColumnEncryptionAzureKeyVaultProvider(com.azure.core.credential.TokenCredential tokenCredential)
                                               throws SQLServerException

Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider using the provided TokenCredential to authenticate to AAD. This is used by KeyVault client at runtime to authenticate to Azure Key Vault.

Parameters:

tokenCredential - The TokenCredential to use to authenticate to Azure Key Vault.

Throws:

SQLServerException - when an error occurs

SQLServerColumnEncryptionAzureKeyVaultProvider

public SQLServerColumnEncryptionAzureKeyVaultProvider(SQLServerKeyVaultAuthenticationCallback authenticationCallback)
                                               throws SQLServerException

Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a callback function to authenticate to AAD. This is used by KeyVault client at runtime to authenticate to Azure Key Vault. This constructor is present to maintain backwards compatibility with 8.0 version of the driver. Deprecated for removal in next stable release.

Parameters:

authenticationCallback - - Callback function used for authenticating to AAD.

Throws:

SQLServerException - when an error occurs

Method Detail

setName

public void setName(String name)

Description copied from class: SQLServerColumnEncryptionKeyStoreProvider

Sets the name of this key store provider.

Specified by:

setName in class SQLServerColumnEncryptionKeyStoreProvider

Parameters:

name - value to be set for the key store provider.

getName

public String getName()

Description copied from class: SQLServerColumnEncryptionKeyStoreProvider

Returns the name of this key store provider.

Specified by:

getName in class SQLServerColumnEncryptionKeyStoreProvider

Returns:

the name of this key store provider.

decryptColumnEncryptionKey

public byte[] decryptColumnEncryptionKey(String masterKeyPath,
                                         String encryptionAlgorithm,
                                         byte[] encryptedColumnEncryptionKey)
                                  throws SQLServerException

Decrypts an encrypted CEK with RSA encryption algorithm using the asymmetric key specified by the key path

Specified by:

decryptColumnEncryptionKey in class SQLServerColumnEncryptionKeyStoreProvider

Parameters:

masterKeyPath - - Complete path of an asymmetric key in AKV

encryptionAlgorithm - - Asymmetric Key Encryption Algorithm

encryptedColumnEncryptionKey - - Encrypted Column Encryption Key

Returns:

Plain text column encryption key

Throws:

SQLServerException - when an error occurs while decrypting the CEK

encryptColumnEncryptionKey

public byte[] encryptColumnEncryptionKey(String masterKeyPath,
                                         String encryptionAlgorithm,
                                         byte[] columnEncryptionKey)
                                  throws SQLServerException

Encrypts CEK with RSA encryption algorithm using the asymmetric key specified by the key path.

Specified by:

encryptColumnEncryptionKey in class SQLServerColumnEncryptionKeyStoreProvider

Parameters:

masterKeyPath - - Complete path of an asymmetric key in AKV

encryptionAlgorithm - - Asymmetric Key Encryption Algorithm

columnEncryptionKey - - Plain text column encryption key

Returns:

Encrypted column encryption key

Throws:

SQLServerException - when an error occurs while encrypting the CEK

verifyColumnMasterKeyMetadata

public boolean verifyColumnMasterKeyMetadata(String masterKeyPath,
                                             boolean allowEnclaveComputations,
                                             byte[] signature)
                                      throws SQLServerException

Description copied from class: SQLServerColumnEncryptionKeyStoreProvider

Verify the signature is valid for the column master key

Specified by:

verifyColumnMasterKeyMetadata in class SQLServerColumnEncryptionKeyStoreProvider

Parameters:

masterKeyPath - column master key path

allowEnclaveComputations - indicates whether the column master key supports enclave computations

signature - signature of the column master key metadata

Returns:

whether the signature is valid for the column master key

Throws:

SQLServerException - when an error occurs while verifying the signature