Skip to content

Merge | SqlCommand Encryption Methods #3676

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
benrr101 merged 31 commits into from
Oct 30, 2025
Merged

Merge | SqlCommand Encryption Methods #3676

Changes from 1 commit
Commits
Show all changes
31 commits
Select commit Hold shift + click to select a range
08f86b6
Merge test behavior overrides
benrr101 Sep 4, 2025
9063c0b
Create encryption partial - the reader partial is getting too big.
benrr101 Sep 4, 2025
85bda18
Merge GetParameterEncryptionDataReader from netcore, update netfx to …
benrr101 Sep 4, 2025
45e568b
Merge GetParameterEncryptionDataReaderAsync from netcore, update netf…
benrr101 Sep 4, 2025
cc242fb
Factor out the second result set read for ReadDescribeEncryptionParam…
benrr101 Sep 5, 2025
d1fbee0
Factor out ReadDescribeEncryptionParameterResults1 from ReadDescribeE…
benrr101 Sep 5, 2025
04ea706
Factor out ReadDescribeEncryptionParameterResults3 from ReadDescribeE…
benrr101 Sep 5, 2025
70ba99f
Repeat factoring out in netcore
benrr101 Sep 5, 2025
db8bd2a
Executive decision: removing debug-only row count - it's to make sure…
benrr101 Sep 5, 2025
2f870c2
Merge ReadDescribeEncryptionParameterResults
benrr101 Sep 5, 2025
31662a0
Merge ShouldCacheEncryptinMetadata, keysToBeSentToEnclave and require…
benrr101 Sep 8, 2025
ee8ce4c
Merge enclavePackage, enclaveAttestationParameters, customData, custo…
benrr101 Sep 8, 2025
ee295ee
Merge ShouldUseEnclaveBasedWorkflow, _customColumnEncryptionKeyStoreP…
benrr101 Sep 8, 2025
cfd3353
Merge _sqlRPCParameterEncryptionRegArray, _currentlyExecutingDescribe…
benrr101 Sep 8, 2025
cd5ce3f
Merge InvalidateEnclaveession, GetEnclaveSessionParameters
benrr101 Sep 8, 2025
f4046b5
Merge ValidateCustomProviders
benrr101 Sep 8, 2025
e0656c3
Merge ResetEncryptionState()
benrr101 Sep 8, 2025
cb34479
Merge PrepareTransparentEncryptionFinallyBlock
benrr101 Sep 8, 2025
6b82413
Merge _rowsAffectedBySpDescribeParameterEncryption and RowsAffectedBy…
benrr101 Sep 9, 2025
588a724
Merge SetColumnEncryptionSetting and _wasBatchModeColumnEncryptionSet…
benrr101 Sep 9, 2025
016756b
Merge GetColumnEncryptionCustomKeyProvidersNames and TryGetColumnEncr…
benrr101 Sep 9, 2025
5bc19f9
Merge TryFetchInputParameterEncryptionInfo
benrr101 Sep 9, 2025
06e0bf1
Merge PrepareDescribeParameterEncryptionRequest
benrr101 Sep 10, 2025
db8b2e7
Merge ClearDescribeParameterEncryptionRequests
benrr101 Sep 11, 2025
0b683cc
Merge _rpcForEncryption, BuildStoredProcedureStatementForColumnEncryp…
benrr101 Sep 11, 2025
dfe729b
Addressing comments from @edwardneal
benrr101 Oct 9, 2025
cdc98bf
Renaming the result set reading methods and applying a bit more clean…
benrr101 Oct 10, 2025
0728917
Merge branch 'main' into dev/russellben/merge/sqlcommand-nocer-encryp…
benrr101 Oct 20, 2025
ca5037e
Probably fixing that bug
benrr101 Oct 22, 2025
8c168c1
Reorder/rename parameter results methods to fit guidelines
benrr101 Oct 27, 2025
3028240
Correcting a few more mistakes
benrr101 Oct 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
150 changes: 9 additions & 141 deletions src/Microsoft.Data.SqlClient/netcore/src/Microsoft/Data/SqlClient/SqlCommand.netcore.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1597,8 +1597,8 @@ private void ReadDescribeEncryptionParameterResults(
bool isRetry)
{
_SqlRPC rpc = null;
int currentOrdinal = -1;
SqlTceCipherInfoEntry cipherInfoEntry;

// @TODO: This should be SqlTceCipherInfoTable
Dictionary<int, SqlTceCipherInfoEntry> columnEncryptionKeyTable = new Dictionary<int, SqlTceCipherInfoEntry>();

Debug.Assert((describeParameterEncryptionRpcOriginalRpcMap != null) == _batchRPCMode,
Expand All @@ -1616,6 +1616,7 @@ private void ReadDescribeEncryptionParameterResults(
// and the corresponding original rpc requests.
bool lookupDictionaryResult;

// @TODO: If this is supposed to read the results of sp_describe_parameter_encryption there should only ever be 2/3 result sets. So no need to loop this.
do
{
if (_batchRPCMode)
Expand All @@ -1629,115 +1630,14 @@ private void ReadDescribeEncryptionParameterResults(
}
}

bool enclaveMetadataExists = true;

// First read the column encryption key list
while (ds.Read())
{

#if DEBUG
rowsAffected++;
#endif

// Column Encryption Key Ordinal.
currentOrdinal = ds.GetInt32((int)DescribeParameterEncryptionResultSet1.KeyOrdinal);
Debug.Assert(currentOrdinal >= 0, "currentOrdinal cannot be negative.");

// Try to see if there was already an entry for the current ordinal.
if (!columnEncryptionKeyTable.TryGetValue(currentOrdinal, out cipherInfoEntry))
{
// If an entry for this ordinal was not found, create an entry in the columnEncryptionKeyTable for this ordinal.
cipherInfoEntry = new SqlTceCipherInfoEntry(currentOrdinal);
columnEncryptionKeyTable.Add(currentOrdinal, cipherInfoEntry);
}

Debug.Assert(!cipherInfoEntry.Equals(default(SqlTceCipherInfoEntry)), "cipherInfoEntry should not be un-initialized.");

// Read the CEK.
byte[] encryptedKey = null;
int encryptedKeyLength = (int)ds.GetBytes((int)DescribeParameterEncryptionResultSet1.EncryptedKey, 0, encryptedKey, 0, 0);
encryptedKey = new byte[encryptedKeyLength];
ds.GetBytes((int)DescribeParameterEncryptionResultSet1.EncryptedKey, 0, encryptedKey, 0, encryptedKeyLength);

// Read the metadata version of the key.
// It should always be 8 bytes.
byte[] keyMdVersion = new byte[8];
ds.GetBytes((int)DescribeParameterEncryptionResultSet1.KeyMdVersion, 0, keyMdVersion, 0, keyMdVersion.Length);

// Validate the provider name
string providerName = ds.GetString((int)DescribeParameterEncryptionResultSet1.ProviderName);

string keyPath = ds.GetString((int)DescribeParameterEncryptionResultSet1.KeyPath);
cipherInfoEntry.Add(encryptedKey: encryptedKey,
databaseId: ds.GetInt32((int)DescribeParameterEncryptionResultSet1.DbId),
cekId: ds.GetInt32((int)DescribeParameterEncryptionResultSet1.KeyId),
cekVersion: ds.GetInt32((int)DescribeParameterEncryptionResultSet1.KeyVersion),
cekMdVersion: keyMdVersion,
keyPath: keyPath,
keyStoreName: providerName,
algorithmName: ds.GetString((int)DescribeParameterEncryptionResultSet1.KeyEncryptionAlgorithm));

bool isRequestedByEnclave = false;

// Servers supporting enclave computations should always
// return a boolean indicating whether the key is required by enclave or not.
if (this._activeConnection.Parser.TceVersionSupported >= TdsEnums.MIN_TCE_VERSION_WITH_ENCLAVE_SUPPORT)
{
isRequestedByEnclave =
ds.GetBoolean((int)DescribeParameterEncryptionResultSet1.IsRequestedByEnclave);
}
else
{
enclaveMetadataExists = false;
}

if (isRequestedByEnclave)
{
if (string.IsNullOrWhiteSpace(this.Connection.EnclaveAttestationUrl) && Connection.AttestationProtocol != SqlConnectionAttestationProtocol.None)
{
throw SQL.NoAttestationUrlSpecifiedForEnclaveBasedQuerySpDescribe(this._activeConnection.Parser.EnclaveType);
}

byte[] keySignature = null;

if (!ds.IsDBNull((int)DescribeParameterEncryptionResultSet1.KeySignature))
{
int keySignatureLength = (int)ds.GetBytes((int)DescribeParameterEncryptionResultSet1.KeySignature, 0, keySignature, 0, 0);
keySignature = new byte[keySignatureLength];
ds.GetBytes((int)DescribeParameterEncryptionResultSet1.KeySignature, 0, keySignature, 0, keySignatureLength);
}

SqlSecurityUtility.VerifyColumnMasterKeySignature(providerName, keyPath, isRequestedByEnclave, keySignature, _activeConnection, this);

int requestedKey = currentOrdinal;
SqlTceCipherInfoEntry cipherInfo;

// Lookup the key, failing which throw an exception
if (!columnEncryptionKeyTable.TryGetValue(requestedKey, out cipherInfo))
{
throw SQL.InvalidEncryptionKeyOrdinalEnclaveMetadata(requestedKey, columnEncryptionKeyTable.Count);
}

if (keysToBeSentToEnclave == null)
{
keysToBeSentToEnclave = new ConcurrentDictionary<int, SqlTceCipherInfoEntry>();
keysToBeSentToEnclave.TryAdd(currentOrdinal, cipherInfo);
}
else if (!keysToBeSentToEnclave.ContainsKey(currentOrdinal))
{
keysToBeSentToEnclave.TryAdd(currentOrdinal, cipherInfo);
}

requiresEnclaveComputations = true;
}
}

// 1) Read the first result set that contains the column encryption key list
bool enclaveMetadataExists = ReadDescribeEncryptionParameterResults1(ds, columnEncryptionKeyTable);
if (!enclaveMetadataExists && !ds.NextResult())
{
throw SQL.UnexpectedDescribeParamFormatParameterMetadata();
}

// Find the RPC command that generated this tce request
// 2) Find the RPC command that generated this TCE request
if (_batchRPCMode)
{
Debug.Assert(_sqlRPCParameterEncryptionReqArray[resultSetSequenceNumber] != null, "_sqlRPCParameterEncryptionReqArray[resultSetSequenceNumber] should not be null.");
Expand All @@ -1759,7 +1659,7 @@ private void ReadDescribeEncryptionParameterResults(

Debug.Assert(rpc != null, "rpc should not be null here.");

// Read the second result set containing the cipher metadata
// 3) Read the second result set containing the cipher metadata
int receivedMetadataCount = 0;
if (!enclaveMetadataExists || ds.NextResult())
{
Expand Down Expand Up @@ -1790,47 +1690,15 @@ private void ReadDescribeEncryptionParameterResults(
"number of rows received (if received) for describe parameter encryption should be equal to rows affected by describe parameter encryption.");
#endif


// 4) Read the third result set containing enclave attestation information
if (ShouldUseEnclaveBasedWorkflow && (enclaveAttestationParameters != null) && requiresEnclaveComputations)
{
if (!ds.NextResult())
{
throw SQL.UnexpectedDescribeParamFormatAttestationInfo(this._activeConnection.Parser.EnclaveType);
}

bool attestationInfoRead = false;

while (ds.Read())
{
if (attestationInfoRead)
{
throw SQL.MultipleRowsReturnedForAttestationInfo();
}

int attestationInfoLength = (int)ds.GetBytes((int)DescribeParameterEncryptionResultSet3.AttestationInfo, 0, null, 0, 0);
byte[] attestationInfo = new byte[attestationInfoLength];
ds.GetBytes((int)DescribeParameterEncryptionResultSet3.AttestationInfo, 0, attestationInfo, 0, attestationInfoLength);

SqlConnectionAttestationProtocol attestationProtocol = this._activeConnection.AttestationProtocol;
string enclaveType = this._activeConnection.Parser.EnclaveType;

EnclaveDelegate.Instance.CreateEnclaveSession(
attestationProtocol,
enclaveType,
GetEnclaveSessionParameters(),
attestationInfo,
enclaveAttestationParameters,
customData,
customDataLength,
isRetry);
enclaveAttestationParameters = null;
attestationInfoRead = true;
}

if (!attestationInfoRead)
{
throw SQL.AttestationInfoNotReturnedFromSqlServer(this._activeConnection.Parser.EnclaveType, this._activeConnection.EnclaveAttestationUrl);
}
ReadDescribeEncryptionParameterResults3(ds, isRetry);
Comment thread
benrr101 marked this conversation as resolved.
Outdated
}

// The server has responded with encryption related information for this rpc request. So clear the needsFetchParameterEncryptionMetadata flag.
Expand Down