Introduce Async API counterparts for AE base class #3673
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -24,9 +24,37 @@ | |||||
| Decrypts the specified encrypted value of a column encryption key. The encrypted value is expected to be encrypted using the column master key with the specified key path and using the specified algorithm. | ||||||
| </summary> | ||||||
| <returns> | ||||||
| Returns <see cref="T:System.Byte[]" /> array representing the decrypted column encryption key. | ||||||
| </returns> | ||||||
| </DecryptColumnEncryptionKey> | ||||||
| <DecryptColumnEncryptionKeyAsync> | ||||||
| <param name="masterKeyPath"> | ||||||
| The master key path. | ||||||
|
Contributor
There was a problem hiding this comment. What kind of path is this expected to be? Local filesystem, UNC, URL ... ? For example:
Contributor
There was a problem hiding this comment. From SQL Server's perspective, |
||||||
| </param> | ||||||
| <param name="encryptionAlgorithm"> | ||||||
| The encryption algorithm. | ||||||
|
Contributor
There was a problem hiding this comment. What kind of values are expected/accepted here? Is it an opaque string to us? Examples and where they are documented would help.
Contributor
There was a problem hiding this comment. It's a technically-opaque string returned by SQL Server - for the moment, it's always |
||||||
| </param> | ||||||
| <param name="encryptedColumnEncryptionKey"> | ||||||
| The encrypted column encryption key. | ||||||
| </param> | ||||||
| <param name="cancellationToken"> | ||||||
| A token to cancel the asynchronous operation. | ||||||
| </param> | ||||||
| <summary> | ||||||
|
Contributor
There was a problem hiding this comment. Seems weird to put the summary after the arguments. |
||||||
| Decrypts the specified encrypted value of a column encryption key asynchronously. The encrypted value is expected to be encrypted using the column master key with the specified key path and using the specified algorithm. | ||||||
|
Contributor
There was a problem hiding this comment. IMO we should wrap long lines to our standard 100 chars. |
||||||
| </summary> | ||||||
| <returns> | ||||||
| Returns a task that returns <see cref="T:System.Byte[]" /> array representing the decrypted column encryption key on completion. | ||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||
| </returns> | ||||||
| <remarks> | ||||||
| <para> | ||||||
| The default implementation calls the synchronous <see cref="M:Microsoft.Data.SqlClient.SqlColumnEncryptionKeyStoreProvider.DecryptColumnEncryptionKey(System.String,System.String,System.Byte[])" /> method and wraps the result in a completed task. If the synchronous method throws, the exception is caught and a faulted task is returned rather than throwing synchronously. | ||||||
| </para> | ||||||
| <para> | ||||||
| The <paramref name="cancellationToken" /> parameter is not observed by the default implementation. Derived classes that perform I/O (such as calls to Azure Key Vault) should override this method with a truly asynchronous implementation that honors the cancellation token. | ||||||
| </para> | ||||||
| </remarks> | ||||||
| </DecryptColumnEncryptionKeyAsync> | ||||||
|
cheenamalhotra marked this conversation as resolved.
|
||||||
| <EncryptColumnEncryptionKey> | ||||||
| <param name="masterKeyPath"> | ||||||
| The master key path. | ||||||
|
|
@@ -41,9 +69,37 @@ | |||||
| Encrypts a column encryption key using the column master key with the specified key path and using the specified algorithm. | ||||||
| </summary> | ||||||
| <returns> | ||||||
| Returns <see cref="T:System.Byte[]" /> array representing the encrypted column encryption key. | ||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||
| </returns> | ||||||
| </EncryptColumnEncryptionKey> | ||||||
| <EncryptColumnEncryptionKeyAsync> | ||||||
|
Contributor
There was a problem hiding this comment. Same comments regarding arguments here as with Decrypt above. |
||||||
| <param name="masterKeyPath"> | ||||||
| The master key path. | ||||||
| </param> | ||||||
| <param name="encryptionAlgorithm"> | ||||||
| The encryption algorithm. | ||||||
| </param> | ||||||
| <param name="columnEncryptionKey"> | ||||||
| The plaintext column encryption key. | ||||||
|
Contributor
There was a problem hiding this comment. It's a byte array, so it isn't text, per se. I would suggest: |
||||||
| </param> | ||||||
| <param name="cancellationToken"> | ||||||
| A token to cancel the asynchronous operation. | ||||||
| </param> | ||||||
| <summary> | ||||||
| Encrypts a column encryption key asynchronously using the column master key with the specified key path and using the specified algorithm. | ||||||
| </summary> | ||||||
| <returns> | ||||||
| Returns a task that returns <see cref="T:System.Byte[]" /> array representing the encrypted column encryption key on completion. | ||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||
| </returns> | ||||||
| <remarks> | ||||||
| <para> | ||||||
| The default implementation calls the synchronous <see cref="M:Microsoft.Data.SqlClient.SqlColumnEncryptionKeyStoreProvider.EncryptColumnEncryptionKey(System.String,System.String,System.Byte[])" /> method and wraps the result in a completed task. If the synchronous method throws, the exception is caught and a faulted task is returned rather than throwing synchronously. | ||||||
| </para> | ||||||
| <para> | ||||||
| The <paramref name="cancellationToken" /> parameter is not observed by the default implementation. Derived classes that perform I/O (such as calls to Azure Key Vault) should override this method with a truly asynchronous implementation that honors the cancellation token. | ||||||
| </para> | ||||||
| </remarks> | ||||||
| </EncryptColumnEncryptionKeyAsync> | ||||||
| <SignColumnMasterKeyMetadata> | ||||||
| <param name="masterKeyPath"> | ||||||
| The column master key path. | ||||||
|
|
@@ -55,7 +111,7 @@ | |||||
| When implemented in a derived class, digitally signs the column master key metadata with the column master key referenced by the <paramref name="masterKeyPath" /> parameter. The input values used to generate the signature should be the specified values of the <paramref name="masterKeyPath" /> and <paramref name="allowEnclaveComputations" /> parameters. | ||||||
| </summary> | ||||||
| <returns> | ||||||
| Returns the signature of the column master key metadata. | ||||||
| </returns> | ||||||
| <remarks> | ||||||
| <para> | ||||||
|
|
@@ -69,6 +125,34 @@ | |||||
| In all cases. | ||||||
| </exception> | ||||||
| </SignColumnMasterKeyMetadata> | ||||||
| <SignColumnMasterKeyMetadataAsync> | ||||||
| <param name="masterKeyPath"> | ||||||
| The column master key path. | ||||||
|
Contributor
There was a problem hiding this comment. Same comment regarding paths. |
||||||
| </param> | ||||||
| <param name="allowEnclaveComputations"> | ||||||
| <see langword="true" /> to indicate that the column master key supports enclave computations; otherwise, <see langword="false" />. | ||||||
|
Contributor
There was a problem hiding this comment. But what actually happens when I specify true vs false?
Contributor
There was a problem hiding this comment. This is handled within SQL Server. It's only used during enclave-enabled Always Encrypted, and the flag indicates that the key can be passed into the secure enclave. From the view of this part of SqlClient, it's an opaque flag which is designed to be signed. The idea here is that SQL Server's record of the column master key is little more than metadata. This method locates the key material identified by the key path, then signs the metadata that SQL Server holds. SQL Server keeps a record of that signature, and passes it to the client for validation. It forms a trust anchor for cases where SQL Server itself is compromised, but the enclave can't be tampered with: if someone modifies the CMK's key path (to try and force the client to encrypt data with an attacker-specified key) then this validation fails. The attacker can't just recalculate the correct signature because SQL Server doesn't have access to the key material - just its metadata. |
||||||
| </param> | ||||||
| <param name="cancellationToken"> | ||||||
| A token to cancel the asynchronous operation. | ||||||
| </param> | ||||||
| <summary> | ||||||
| When implemented in a derived class, asynchronously digitally signs the column master key metadata with the column master key referenced by the <paramref name="masterKeyPath" /> parameter. The input values used to generate the signature should be the specified values of the <paramref name="masterKeyPath" /> and <paramref name="allowEnclaveComputations" /> parameters. | ||||||
|
Contributor
There was a problem hiding this comment.
I'm not sure what the second sentence is trying to say. It sounds like "We will use the method arguments to do the work", which is obvious. |
||||||
| </summary> | ||||||
| <returns> | ||||||
| Returns a task that returns the signature of the column master key metadata on completion. | ||||||
|
Contributor
There was a problem hiding this comment. What is the format/encoding of the signature? Is it HMAC, SHA256, etc?
Contributor
There was a problem hiding this comment. Strictly speaking, it's opaque. For the builtin providers' purposes, it's an RSA signature of the SHA256 hash of |
||||||
| </returns> | ||||||
| <remarks> | ||||||
| <para> | ||||||
| The default implementation calls the synchronous <see cref="M:Microsoft.Data.SqlClient.SqlColumnEncryptionKeyStoreProvider.SignColumnMasterKeyMetadata(System.String,System.Boolean)" /> method, which throws a <see cref="T:System.NotImplementedException" /> by default. In this case, the returned task will be faulted with <see cref="T:System.NotImplementedException" /> rather than throwing synchronously. | ||||||
| </para> | ||||||
| <para> | ||||||
|
cheenamalhotra marked this conversation as resolved.
|
||||||
| The <paramref name="cancellationToken" /> parameter is not observed by the default implementation. Derived classes that perform I/O should override this method with a truly asynchronous implementation that honors the cancellation token. | ||||||
| </para> | ||||||
| <para> | ||||||
| Key store providers that wish to use enclaves with <see href="https://learn.microsoft.com/sql/relational-databases/security/encryption/always-encrypted-database-engine">Always Encrypted</see> should override this method with a truly asynchronous implementation when the signing operation involves I/O. | ||||||
| </para> | ||||||
| </remarks> | ||||||
| </SignColumnMasterKeyMetadataAsync> | ||||||
| <VerifyColumnMasterKeyMetadata> | ||||||
| <param name="masterKeyPath"> | ||||||
| The column master key path. | ||||||
|
|
@@ -86,6 +170,34 @@ | |||||
| When implemented in a derived class, the method is expected to return true if the specified signature is valid, or false if the specified signature is not valid. The default implementation throws `NotImplementedException`. | ||||||
| </returns> | ||||||
| </VerifyColumnMasterKeyMetadata> | ||||||
| <VerifyColumnMasterKeyMetadataAsync> | ||||||
| <param name="masterKeyPath"> | ||||||
| The column master key path. | ||||||
|
Contributor
There was a problem hiding this comment. Same path and enclave comments. |
||||||
| </param> | ||||||
| <param name="allowEnclaveComputations"> | ||||||
| Indicates whether the column master key supports enclave computations. | ||||||
| </param> | ||||||
| <param name="signature"> | ||||||
| The signature of the column master key metadata. | ||||||
|
Contributor
There was a problem hiding this comment. Is this expected to be a byte array returned by Sign() ? Would this accept any format/encoding signature type? |
||||||
| </param> | ||||||
| <param name="cancellationToken"> | ||||||
| A token to cancel the asynchronous operation. | ||||||
| </param> | ||||||
| <summary> | ||||||
| When implemented in a derived class, this method is expected to verify the specified signature is valid for the column master key with the specified key path and the specified enclave behavior asynchronously. The default implementation returns a faulted task with <see cref="T:System.NotImplementedException" />. | ||||||
| </summary> | ||||||
| <returns> | ||||||
| A task that, when completed, returns <see langword="true" /> if the specified signature is valid, or <see langword="false" /> if it is not valid. | ||||||
| </returns> | ||||||
| <remarks> | ||||||
| <para> | ||||||
| The default implementation calls the synchronous <see cref="M:Microsoft.Data.SqlClient.SqlColumnEncryptionKeyStoreProvider.VerifyColumnMasterKeyMetadata(System.String,System.Boolean,System.Byte[])" /> method, which throws a <see cref="T:System.NotImplementedException" /> by default. In this case, the returned task will be faulted with <see cref="T:System.NotImplementedException" /> rather than throwing synchronously. | ||||||
| </para> | ||||||
| <para> | ||||||
| The <paramref name="cancellationToken" /> parameter is not observed by the default implementation. Derived classes that perform I/O should override this method with a truly asynchronous implementation that honors the cancellation token. | ||||||
| </para> | ||||||
| </remarks> | ||||||
| </VerifyColumnMasterKeyMetadataAsync> | ||||||
| <ColumnEncryptionKeyCacheTtl> | ||||||
| <summary> | ||||||
| Gets or sets the lifespan of the decrypted column encryption key in the cache. Once the timespan has elapsed, the decrypted column encryption key is discarded and must be revalidated. | ||||||
|
|
||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.