From 91dea295c43cd1b9c9cf7cd600bb38510bb98808 Mon Sep 17 00:00:00 2001 From: Cheena Malhotra Date: Tue, 7 Oct 2025 17:33:16 -0700 Subject: [PATCH 1/2] Introduce Async API counterparts for AE base class --- .../SqlColumnEncryptionKeyStoreProvider.xml | 82 ++++++++++++++++++- .../SqlColumnEncryptionKeyStoreProvider.cs | 24 ++++++ 2 files changed, 103 insertions(+), 3 deletions(-) diff --git a/doc/snippets/Microsoft.Data.SqlClient/SqlColumnEncryptionKeyStoreProvider.xml b/doc/snippets/Microsoft.Data.SqlClient/SqlColumnEncryptionKeyStoreProvider.xml index 401258f9e5..5d9c1e2251 100644 --- a/doc/snippets/Microsoft.Data.SqlClient/SqlColumnEncryptionKeyStoreProvider.xml +++ b/doc/snippets/Microsoft.Data.SqlClient/SqlColumnEncryptionKeyStoreProvider.xml @@ -24,9 +24,26 @@ Decrypts the specified encrypted value of a column encryption key. The encrypted value is expected to be encrypted using the column master key with the specified key path and using the specified algorithm. - Returns . The decrypted column encryption key. + Returns array representing the decrypted column encryption key. + + + The master key path. + + + The encryption algorithm. + + + The encrypted column encryption key. + + + Decrypts the specified encrypted value of a column encryption key asynchronously. The encrypted value is expected to be encrypted using the column master key with the specified key path and using the specified algorithm. + + + Returns a task that returns array representing the decrypted column encryption key on completion. + + The master key path. 
@@ -41,9 +58,26 @@ Encrypts a column encryption key using the column master key with the specified key path and using the specified algorithm. - Returns . The encrypted column encryption key. + Returns array representing the encrypted column encryption key. + + + The master key path. + + + The encryption algorithm. + + + The plaintext column encryption key. + + + Encrypts a column encryption key asynchronously using the column master key with the specified key path and using the specified algorithm. + + + Returns a task that returns array representing the encrypted column encryption key on completion. + + The column master key path. @@ -55,7 +89,7 @@ When implemented in a derived class, digitally signs the column master key metadata with the column master key referenced by the parameter. The input values used to generate the signature should be the specified values of the and parameters. - The signature of the column master key metadata. + Returns the signature of the column master key metadata. @@ -69,6 +103,31 @@ In all cases. + + + The column master key path. + + + to indicate that the column master key supports enclave computations; otherwise, . + + + When implemented in a derived class, asynchronously digitally signs the column master key metadata with the column master key referenced by the parameter. The input values used to generate the signature should be the specified values of the and parameters. + + + Returns a task that returns the signature of the column master key metadata on completion. + + + + To ensure that the method doesn't break applications that rely on an old API, it throws a exception by default. + + + The method will be used by client tools that generate Column Master Keys (CMK) for customers. must be implemented by the corresponding key store providers that wish to use enclaves with Always Encrypted. + + + + In all cases. + + The column master key path. 
@@ -86,6 +145,23 @@ When implemented in a derived class, the method is expected to return true if the specified signature is valid, or false if the specified signature is not valid. The default implementation throws `NotImplementedException`. + + + The column master key path. + + + Indicates whether the column master key supports enclave computations. + + + The signature of the column master key metadata. + + + When implemented in a derived class, this method is expected to verify the specified signature is valid for the column master key with the specified key path and the specified enclave behavior asynchronously. The default implementation throws `NotImplementedException`. + + + When implemented in a derived class, the method is expected to return true if the specified signature is valid, or false if the specified signature is not valid. The default implementation throws `NotImplementedException`. + + Gets or sets the lifespan of the decrypted column encryption key in the cache. Once the timespan has elapsed, the decrypted column encryption key is discarded and must be revalidated. diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlColumnEncryptionKeyStoreProvider.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlColumnEncryptionKeyStoreProvider.cs index 641e09e8ba..ab0b35c88d 100644 --- a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlColumnEncryptionKeyStoreProvider.cs +++ b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlColumnEncryptionKeyStoreProvider.cs @@ -3,6 +3,7 @@ // See the LICENSE file in the project root for more information. using System; +using System.Threading.Tasks; namespace Microsoft.Data.SqlClient { 
@@ -16,19 +17,42 @@ public abstract class SqlColumnEncryptionKeyStoreProvider /// public abstract byte[] DecryptColumnEncryptionKey(string masterKeyPath, string encryptionAlgorithm, byte[] encryptedColumnEncryptionKey); + /// + public virtual Task DecryptColumnEncryptionKeyAsync(string masterKeyPath, string encryptionAlgorithm, byte[] encryptedColumnEncryptionKey) + { + throw new NotImplementedException(); + } + /// public abstract byte[] EncryptColumnEncryptionKey(string masterKeyPath, string encryptionAlgorithm, byte[] columnEncryptionKey); + /// + public virtual Task EncryptColumnEncryptionKeyAsync(string masterKeyPath, string encryptionAlgorithm, byte[] columnEncryptionKey) + { + throw new NotImplementedException(); + } + /// public virtual byte[] SignColumnMasterKeyMetadata(string masterKeyPath, bool allowEnclaveComputations) { throw new NotImplementedException(); } + /// + public virtual Task SignColumnMasterKeyMetadataAsync(string masterKeyPath, bool allowEnclaveComputations) + { + throw new NotImplementedException(); + } /// public virtual bool VerifyColumnMasterKeyMetadata(string masterKeyPath, bool allowEnclaveComputations, byte[] signature) { throw new NotImplementedException(); } + + /// + public virtual Task VerifyColumnMasterKeyMetadataAsync(string masterKeyPath, bool allowEnclaveComputations, byte[] signature) + { + throw new NotImplementedException(); + } } } From 73018a82500f3fc91a821545253e42d3e20bacbd Mon Sep 17 00:00:00 2001 From: Cheena Malhotra Date: Tue, 7 Oct 2025 21:28:11 -0700 Subject: [PATCH 2/2] updates --- .../SqlColumnEncryptionKeyStoreProvider.xml | 8 ++++---- .../SqlColumnEncryptionKeyStoreProvider.cs | 17 +++++------------ 2 files changed, 9 insertions(+), 16 deletions(-) diff --git a/doc/snippets/Microsoft.Data.SqlClient/SqlColumnEncryptionKeyStoreProvider.xml b/doc/snippets/Microsoft.Data.SqlClient/SqlColumnEncryptionKeyStoreProvider.xml index 5d9c1e2251..52c76f36e0 100644 
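Review bot: None of the four new `...Async` virtuals added in this hunk takes a `CancellationToken`, so a provider that overrides them to call a remote key store cannot honour a command timeout or caller cancellation while a column encryption key is being unwrapped or a master-key signature is being verified. These are public virtual members, so adding the parameter after release means new overloads rather than a signature change, and it is cheaper to decide now. One option is `DecryptColumnEncryptionKeyAsync(string masterKeyPath, string encryptionAlgorithm, byte[] encryptedColumnEncryptionKey, CancellationToken cancellationToken)`, and likewise for the other three. The stub bodies in this hunk are replaced by PATCH 2/2, so this point concerns the signatures only.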
--- a/doc/snippets/Microsoft.Data.SqlClient/SqlColumnEncryptionKeyStoreProvider.xml +++ b/doc/snippets/Microsoft.Data.SqlClient/SqlColumnEncryptionKeyStoreProvider.xml @@ -24,7 +24,7 @@ Decrypts the specified encrypted value of a column encryption key. The encrypted value is expected to be encrypted using the column master key with the specified key path and using the specified algorithm. - Returns array representing the decrypted column encryption key. + Returns array representing the decrypted column encryption key. @@ -41,7 +41,7 @@ Decrypts the specified encrypted value of a column encryption key asynchronously. The encrypted value is expected to be encrypted using the column master key with the specified key path and using the specified algorithm. - Returns a task that returns array representing the decrypted column encryption key on completion. + Returns a task that returns array representing the decrypted column encryption key on completion. @@ -58,7 +58,7 @@ Encrypts a column encryption key using the column master key with the specified key path and using the specified algorithm. - Returns array representing the encrypted column encryption key. + Returns array representing the encrypted column encryption key. @@ -75,7 +75,7 @@ Encrypts a column encryption key asynchronously using the column master key with the specified key path and using the specified algorithm. - Returns a task that returns array representing the encrypted column encryption key on completion. + Returns a task that returns array representing the encrypted column encryption key on completion. diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlColumnEncryptionKeyStoreProvider.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlColumnEncryptionKeyStoreProvider.cs index ab0b35c88d..4d2f6d9b5c 100644 --- a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlColumnEncryptionKeyStoreProvider.cs 
+++ b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlColumnEncryptionKeyStoreProvider.cs @@ -19,29 +19,24 @@ public abstract class SqlColumnEncryptionKeyStoreProvider /// public virtual Task DecryptColumnEncryptionKeyAsync(string masterKeyPath, string encryptionAlgorithm, byte[] encryptedColumnEncryptionKey) - { - throw new NotImplementedException(); - } + => Task.FromResult(DecryptColumnEncryptionKey(masterKeyPath, encryptionAlgorithm, encryptedColumnEncryptionKey)); /// public abstract byte[] EncryptColumnEncryptionKey(string masterKeyPath, string encryptionAlgorithm, byte[] columnEncryptionKey); /// public virtual Task EncryptColumnEncryptionKeyAsync(string masterKeyPath, string encryptionAlgorithm, byte[] columnEncryptionKey) - { - throw new NotImplementedException(); - } + => Task.FromResult(EncryptColumnEncryptionKey(masterKeyPath, encryptionAlgorithm, columnEncryptionKey)); /// public virtual byte[] SignColumnMasterKeyMetadata(string masterKeyPath, bool allowEnclaveComputations) { throw new NotImplementedException(); } + /// public virtual Task SignColumnMasterKeyMetadataAsync(string masterKeyPath, bool allowEnclaveComputations) - { - throw new NotImplementedException(); - } + => Task.FromResult(SignColumnMasterKeyMetadata(masterKeyPath, allowEnclaveComputations)); /// public virtual bool VerifyColumnMasterKeyMetadata(string masterKeyPath, bool allowEnclaveComputations, byte[] signature) @@ -51,8 +46,6 @@ public virtual bool VerifyColumnMasterKeyMetadata(string masterKeyPath, bool all /// public virtual Task VerifyColumnMasterKeyMetadataAsync(string masterKeyPath, bool allowEnclaveComputations, byte[] signature) - { - throw new NotImplementedException(); - } + => Task.FromResult(VerifyColumnMasterKeyMetadata(masterKeyPath, allowEnclaveComputations, signature)); } }
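Review bot: The `=> Task.FromResult(...)` defaults in this hunk and in the `@@ -51,8 +46,6 @@` hunk evaluate the synchronous method before any task exists, so the calling thread blocks for the whole key-store operation and any exception is thrown at the call site instead of being carried by the returned task. That includes the `NotImplementedException` thrown by the default `SignColumnMasterKeyMetadata` and `VerifyColumnMasterKeyMetadata`. A caller that starts the task and observes faults only through it would see different behaviour on the signature-verification path, though how callers consume these methods is not visible here. Catching the exception and returning `Task.FromException` keeps the fault on the task, and the XML remarks should say that the defaults run synchronously and that providers doing network I/O are expected to override them. The return types appear as bare `Task` on this page, so the generic argument in the sketch below is assumed.

```csharp
// Return type shows as bare Task on this page; Task<byte[]> is assumed here.
public virtual Task<byte[]> SignColumnMasterKeyMetadataAsync(string masterKeyPath, bool allowEnclaveComputations)
{
    try
    {
        return Task.FromResult(SignColumnMasterKeyMetadata(masterKeyPath, allowEnclaveComputations));
    }
    catch (Exception ex)
    {
        // Carry the failure on the task so it is observed at the await rather than at the call.
        return Task.FromException<byte[]>(ex);
    }
}
// … same shape for DecryptColumnEncryptionKeyAsync, EncryptColumnEncryptionKeyAsync and VerifyColumnMasterKeyMetadataAsync …
```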