package localcert
import "github.com/microsoft/go-mssqldb/aecmk/localcert"
Constants ¶
const (
PfxKeyProviderName = "pfx"
)
Variables ¶
var PfxKeyProvider = Provider{AllowedLocations: make([]string, 0), /* contains filtered or unexported fields */}
Types ¶
type InvalidCertificatePathError ¶
type InvalidCertificatePathError struct {
// contains filtered or unexported fields
}
InvalidCertificatePathError indicates that the provided path could not be used to load a certificate. The underlying cause, where there is one, is exposed through Unwrap, so callers can inspect it with errors.Is/errors.As.
func (*InvalidCertificatePathError) Error ¶
func (i *InvalidCertificatePathError) Error() string
func (*InvalidCertificatePathError) Unwrap ¶
func (i *InvalidCertificatePathError) Unwrap() error
type Provider ¶
type Provider struct {
	// AllowedLocations constrains which locations the provider will use to find certificates. If empty, all locations are allowed.
	// When presented with a key store path not in the allowed list, the data will be returned still encrypted.
	AllowedLocations []string
	// contains filtered or unexported fields
}
Provider uses local certificates to decrypt CEKs. It supports both 'MSSQL_CERTIFICATE_STORE' and 'pfx' key stores. MSSQL_CERTIFICATE_STORE key paths are of the form `storename/storepath/thumbprint` and are only supported on Windows clients. pfx key paths are absolute file system paths and are therefore operating system dependent. Security note: the master key path is not chosen by the application but is supplied in the column encryption metadata returned by the server, so with AllowedLocations left empty (as in the package-level PfxKeyProvider, which is initialised with an empty slice) the provider will try to use whichever certificate or pfx file that path names. Populate AllowedLocations with the specific stores or files you trust in any deployment where the server is not fully trusted.
func (*Provider) DecryptColumnEncryptionKey ¶
func (p *Provider) DecryptColumnEncryptionKey(masterKeyPath string, encryptionAlgorithm string, encryptedCek []byte) (decryptedKey []byte)
DecryptColumnEncryptionKey decrypts the specified encrypted value of a column encryption key. The encrypted value is expected to have been encrypted with the column master key identified by masterKeyPath using the specified algorithm. Note that the method has no error return: per the AllowedLocations contract, a key store path outside the allowed list yields the input still encrypted, so a non-empty result is not by itself proof that decryption succeeded.
func (*Provider) EncryptColumnEncryptionKey ¶
func (p *Provider) EncryptColumnEncryptionKey(masterKeyPath string, encryptionAlgorithm string, cek []byte) []byte
EncryptColumnEncryptionKey encrypts a column encryption key using the column master key with the specified key path and using the specified algorithm.
func (*Provider) KeyLifetime ¶
KeyLifetime returns an optional Duration controlling how long keys fetched by this provider are cached; they are discarded once that lifetime expires. If it returns nil, the keys expire based on the value of ColumnEncryptionKeyLifetime. If it returns a zero duration, the keys are not cached at all. Shorter lifetimes limit how long decrypted key material stays resident in process memory.
func (Provider) SetCertificatePassword ¶
SetCertificatePassword stores the password associated with the certificate at the given location. If location is empty, the given password applies to all certificates that have not been explicitly assigned a value. The password is retained in process memory for the lifetime of the provider, so it should be sourced from a secret store or protected configuration rather than hard-coded. Note that this method has a value receiver, so it can only take effect if the provider's password storage is a shared reference type (e.g. a map) rather than a field copied with the receiver — confirm against the implementation before relying on it.
func (*Provider) SignColumnMasterKeyMetadata ¶
func (p *Provider) SignColumnMasterKeyMetadata(masterKeyPath string, allowEnclaveComputations bool) []byte
SignColumnMasterKeyMetadata digitally signs the column master key metadata with the column master key referenced by the masterKeyPath parameter. The input values used to generate the signature should be the specified values of the masterKeyPath and allowEnclaveComputations parameters. May return an empty slice if not supported.
func (*Provider) VerifyColumnMasterKeyMetadata ¶
func (p *Provider) VerifyColumnMasterKeyMetadata(masterKeyPath string, allowEnclaveComputations bool) *bool
VerifyColumnMasterKeyMetadata verifies that the column master key metadata signature is valid for the column master key with the specified key path and the specified enclave behavior. It returns nil if verification is not supported. Note that no signature argument appears in the method's parameter list above; consult the implementation for where the signature being verified is obtained.
- Version
- v1.6.0
- Published
- Aug 31, 2023