package aecmk

import "github.com/microsoft/go-mssqldb/aecmk"


Constants

// Well-known provider names and the key-wrapping algorithm name used by the
// Always Encrypted column master key providers in this package.
//
// The first five constants are provider identifiers; NOTE(review): they are
// presumably the names under which providers are registered with
// RegisterCekProvider and matched against column master key metadata coming
// from the server — confirm in keyprovider.go.
//
// KeyEncryptionAlgorithm is the algorithm name for wrapping column encryption
// keys; NOTE(review): presumably the value passed as encryptionAlgorithm to
// the ColumnEncryptionKeyProvider methods — confirm against the callers.
const (
	CertificateStoreKeyProvider = "MSSQL_CERTIFICATE_STORE"
	CspKeyProvider              = "MSSQL_CSP_PROVIDER"
	CngKeyProvider              = "MSSQL_CNG_STORE"
	AzureKeyVaultKeyProvider    = "AZURE_KEY_VAULT"
	JavaKeyProvider             = "MSSQL_JAVA_KEYSTORE"
	KeyEncryptionAlgorithm      = "RSA_OAEP"
)

Variables

// ColumnEncryptionKeyLifetime is the default lifetime of decrypted column
// encryption keys in the global cache. It applies to providers whose
// KeyLifetime method returns nil (see ColumnEncryptionKeyProvider); a
// provider returning its own non-nil duration overrides it. The default is
// 2 hours. Lowering it shortens how long plaintext key material stays
// resident in process memory; it is package-level mutable state, so set it
// before providers are used.
var ColumnEncryptionKeyLifetime time.Duration = 2 * time.Hour

ColumnEncryptionKeyLifetime is the default lifetime of decrypted Column Encryption Keys in the global cache. The default is 2 hours.

Functions

func KeyPathNotAllowed

func KeyPathNotAllowed(path string, operation Operation) error

func NewError

func NewError(operation Operation, msg string, err error) error

func RegisterCekProvider

func RegisterCekProvider(name string, provider ColumnEncryptionKeyProvider) error

RegisterCekProvider adds the named provider to the global provider list.

Types

type CekProvider

// CekProvider wraps a ColumnEncryptionKeyProvider for use by the driver.
// Provider is the underlying key store implementation; the remaining fields
// are unexported and not shown in this listing.
// NOTE(review): given GetDecryptedKey's signature and the KeyLifetime
// contract on ColumnEncryptionKeyProvider, this presumably holds the
// per-provider cache of decrypted keys — confirm in keyprovider.go.
type CekProvider struct {
	Provider ColumnEncryptionKeyProvider
	// contains filtered or unexported fields
}

func NewCekProvider

func NewCekProvider(provider ColumnEncryptionKeyProvider) *CekProvider

func (*CekProvider) GetDecryptedKey

func (cp *CekProvider) GetDecryptedKey(ctx context.Context, keyPath string, encryptedBytes []byte) (decryptedKey []byte, err error)

type ColumnEncryptionKeyProvider

// ColumnEncryptionKeyProvider is the interface implemented by column master
// key stores: it unwraps (decrypts) and wraps (encrypts) column encryption
// keys and optionally signs and verifies column master key metadata. It is
// modelled on the .NET SqlColumnEncryptionKeyStoreProvider. Implementations
// receive the master key path and algorithm name from column metadata, so
// they should validate those inputs before acting on them (KeyPathNotAllowed
// and NewError exist for reporting such rejections).
type ColumnEncryptionKeyProvider interface {
	// DecryptColumnEncryptionKey decrypts the specified encrypted value of a column encryption key.
	// The encrypted value is expected to be encrypted using the column master key with the specified key path and using the specified algorithm.
	// The returned plaintext key is what the caller subsequently caches (see KeyLifetime).
	DecryptColumnEncryptionKey(ctx context.Context, masterKeyPath string, encryptionAlgorithm string, encryptedCek []byte) ([]byte, error)
	// EncryptColumnEncryptionKey encrypts a column encryption key using the column master key with the specified key path and using the specified algorithm.
	EncryptColumnEncryptionKey(ctx context.Context, masterKeyPath string, encryptionAlgorithm string, cek []byte) ([]byte, error)
	// SignColumnMasterKeyMetadata digitally signs the column master key metadata with the column master key
	// referenced by the masterKeyPath parameter. The input values used to generate the signature should be the
	// specified values of the masterKeyPath and allowEnclaveComputations parameters. May return an empty slice if not supported.
	SignColumnMasterKeyMetadata(ctx context.Context, masterKeyPath string, allowEnclaveComputations bool) ([]byte, error)
	// VerifyColumnMasterKeyMetadata verifies the specified signature is valid for the column master key
	// with the specified key path and the specified enclave behavior. Return nil if not supported.
	// A non-nil result reports whether the signature verified; NOTE(review): callers should treat a nil
	// (unsupported) result as "not verified" rather than as success — confirm how the driver handles it.
	VerifyColumnMasterKeyMetadata(ctx context.Context, masterKeyPath string, allowEnclaveComputations bool) (*bool, error)
	// KeyLifetime is an optional Duration. Keys fetched by this provider will be discarded after their lifetime expires.
	// If it returns nil, the keys will expire based on the value of ColumnEncryptionKeyLifetime.
	// If it returns zero, the keys will not be cached.
	KeyLifetime() *time.Duration
}

ColumnEncryptionKeyProvider is the interface for decrypting and encrypting column encryption keys. It is similar to .Net https://learn.microsoft.com/dotnet/api/microsoft.data.sqlclient.sqlcolumnencryptionkeystoreprovider.

type ColumnEncryptionKeyProviderMap

// ColumnEncryptionKeyProviderMap is the registry of providers, presumably
// keyed by the name passed to RegisterCekProvider. There is no
// synchronization on this map; providers are expected to register during
// init, so registering concurrently with lookups later is a data race.
// NOTE(review): Go maps are reference types, so any caller that receives
// this map can mutate the registry — confirm whether GetGlobalCekProviders
// returns a copy or the global instance.
type ColumnEncryptionKeyProviderMap map[string]*CekProvider

There is no synchronization on this map; providers are expected to register during init.

func GetGlobalCekProviders

func GetGlobalCekProviders() (providers ColumnEncryptionKeyProviderMap)

GetGlobalCekProviders enumerates all globally registered providers.

type Error

// Error is the type of all errors returned by key encryption providers.
// Operation records which action (Decryption, Encryption or Validation)
// produced the error; the wrapped cause and message are unexported and
// exposed through Error and Unwrap, so callers can use errors.As to obtain
// the Operation and errors.Is to match the underlying cause.
type Error struct {
	Operation Operation
	// contains filtered or unexported fields
}

Error is the type of all errors returned by key encryption providers.

func (*Error) Error

func (e *Error) Error() string

func (*Error) Unwrap

func (e *Error) Unwrap() error

type Operation

// Operation specifies the action that returned an error; see the
// Decryption, Encryption and Validation constants.
type Operation int

Operation specifies the action that returned an error.

// Operation values carried by Error.
const (
	// Decryption: the error arose while decrypting a column encryption key.
	Decryption Operation = iota
	// Encryption: the error arose while encrypting a column encryption key.
	Encryption
	// Validation: presumably the error arose while signing or verifying
	// column master key metadata, or from a rejected key path
	// (KeyPathNotAllowed) — confirm in error.go.
	Validation
)

Source Files

error.go keyprovider.go

Directories

PathSynopsis
aecmk/akv
aecmk/localcert