Performance | Use lower-allocation AE primitives in SqlColumnEncryptionCertificateStoreProvider #3660
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ypair Also remove an indentation level and dispose of the intermediary X509Certificate2.
This changes some of the test behaviour: previously, it was calling RSADecrypt and RSAVerifySignature directly. Since these methods no longer exist, we follow the public API (which also calls these methods' equivalent functionality.) This also addresses a TODO: in the test code.
Also ensure that the ref structs implement IDisposable.
paulmedynski
requested changes
Oct 6, 2025
| foreach (CryptoVector cryptoParameter in cryptoParametersListForTest) | ||
| // Convert the PFX into a certificate and install it into the local user's certificate store. | ||
| // We can only do this cross-platform on the CurrentUser store, which matches the baseline data we have. | ||
| Debug.Assert(rsaPfx != null && rsaPfx.Length > 0); |
There was a problem hiding this comment.
Should this be an xUnit Assert() ? Here and below.
There was a problem hiding this comment.
Yes. There were a few other existing instances in the same test, I've changed those too.
...t.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlColumnEncryptionCertificateStoreProvider.cs
Show resolved
Hide resolved
|
|
||
| // Find the certificate and return | ||
| return GetCertificate(storeLocation, storeName, keyPath, thumbprint, isSystemOp); | ||
| else |
There was a problem hiding this comment.
Unnecessary else here.
| if (!certificate.HasPrivateKey) | ||
| { | ||
| // Close the certificate store | ||
| certificateStore?.Close(); |
There was a problem hiding this comment.
Do we still need to Close()? The X509Store docs don't say whether or not Dispose() includes whatever Close() does.
The source code clearly does though:
So you're good, despite the docs :(
There was a problem hiding this comment.
Yes - backed up by the netfx reference source.
It looks like this was new in net46 though, which might explain the old usage.
|
/azp run |
|
Azure Pipelines successfully started running 2 pipeline(s). |
Swap Debug.Assert to xUnit assertions. Add explanatory comment when parsing master key path. Remove redundant else.
|
/azp run |
|
Azure Pipelines successfully started running 2 pipeline(s). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This is my final PR in this set of changes to this area, picking up where #3612 left off. Benchmarks for this PR are located in #3554.
The previous PR used the AlwaysEncrypted primitives in
SqlColumnEncryptionCspProviderandSqlColumnEncryptionCngProvider. This one introduces them toSqlColumnEncryptionCertificateStoreProvider.While verifying this, I also noticed that the
TestRsaCryptoWithNativeBaselinetest was calling private methods using reflection, but that there was a TODO item in the test to use the public API surface instead. I've done this.Issues
PR 1/3: #3554.
PR 2/3: #3612.
PR 3/3: this one.
Testing
As in the previous PR, automated tests pass. I also created an AE-enabled table in SSMS which used a certificate store-based master key and confirmed that I was able to query it and insert records into it.